[CentOS] SELinux and access across 'similar types'

Tony Molloy tony.molloy at ul.ie
Mon Jan 9 13:08:36 UTC 2012

On Monday 09 January 2012 12:06:04 Bennett Haselton wrote:
> On 1/9/2012 3:41 AM, Tony Molloy wrote:
> > First I'm no SELinux expert ;-( but I've ben following this
> > thread with interest. It apears to be going around in circles.
> > 
> > The only time I've come across a file_t type is when I have
> > something on a machine that SELinux doesn't know about. That is
> > SELinux has no policy for it. An example would be if I create a
> > new top level directory when I install a machine. SELinux knows
> > nothing about that directory name and has no preset type for it
> > so it gets a label of file_t or default_t. Doing a relabel in
> > that case will have no affect on the file label as SELinux still
> > doesn't have a policy for it.
> > 
> > So the question is how did your file get the file_t type in the
> > first place. You say it is generated from a cgi script run from
> > apache.
> > 
> > So is this the default apache which comes with CentOS
> > 
> > What is the context of the apache executable. It should be
> > -rwxr-xr-x  root root system_u:object_r:httpd_exec_t  
> > /usr/sbin/httpd
> Yes that's what I've got.

Ok so apache is corectly labelled.

> > Where in the filesystem is the cgi script located. How did it get
> > there.
> > 
> > What is the context of the cgi script
> > 
> > What is the context of the directory the cgi script is in.
> [root at g6950-21025 ~]# ls -lZ /var/www/cgi-bin/capture.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> /var/www/cgi-bin/capture.cgi
> [root at g6950-21025 ~]# ls -ldZ /var/www/cgi-bin/
> drwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> /var/www/cgi-bin/
> The script got there because I uploaded it there.

The reason I asked that was because how the script got there can 
determine it's context.

For instance:

cp:   gives it the correct context of the directory it was copied into
mv:  does not, it preserves the original context 

But the above context(s) look ok
> > What is the context of /tmp. It should be
> > drwxrwxrwt  root root system_u:object_r:tmp_t          /tmp
> Yep.
> [root at g6950-21025 ~]# ls -ldZ /tmp
> drwxrwxrwt  root root system_u:object_r:tmp_t          /tmp

Ok that's fine.
> > Regards
> > 
> > Tony

Now try a little experiment

# touch /tmp/x.x

# ls -alZ /tmp/x.x

should have the following context

-rw-r--r--  root root root:object_r:tmp_t              x.x

You can also try copying and moving a file to /tmp and check the 
context after each to see the difference.
Then delete the file created by your script from /tmp and run your cgi 
script by hand.

What is the context of the file now created.


More information about the CentOS mailing list