[CentOS] SELinux and access across 'similar types'

Gordon Messmer yinyang at eburg.com
Sun Jan 8 02:21:12 UTC 2012


On 01/05/2012 01:36 PM, Bennett Haselton wrote:
> http://wiki.centos.org/HowTos/SELinux
> says:
> "Access is only allowed between similar types, so Apache running as
> httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."
>
> however the doc doesn't define what "similar types" means.

That is a gross oversimplification.  Access is allowed based on a 
policy, and no "similarity" between types is required.

If you'd like to see what is allowed, you'll have to get the 
selinux-policy src.rpm and unpack it to examine the source for the 
policy.  It sucks, but as far as I know, no more user-friendly method 
exists.

> and the robots.txt file has type file_t:
> [root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt
> -rw-rw-rw-  root root system_u:object_r:file_t:s0
> /var/www/html/robots.txt
>
> but Apache can of course access that file.

If apache can access a mislabeled file, then either SELinux is disabled 
or in permissive mode.  Use "getenforce" to determine which.
