[CentOS] SELinux and access across 'similar types'
Tony Molloy
tony.molloy at ul.ie
Mon Jan 9 13:08:36 UTC 2012
On Monday 09 January 2012 12:06:04 Bennett Haselton wrote:
> On 1/9/2012 3:41 AM, Tony Molloy wrote:
> > First I'm no SELinux expert ;-( but I've been following this
> > thread with interest. It appears to be going around in circles.
> >
> > The only time I've come across a file_t type is when I have
> > something on a machine that SELinux doesn't know about. That is
> > SELinux has no policy for it. An example would be if I create a
> > new top level directory when I install a machine. SELinux knows
> > nothing about that directory name and has no preset type for it
> > so it gets a label of file_t or default_t. Doing a relabel in
> > that case will have no effect on the file label as SELinux still
> > doesn't have a policy for it.
> >
> > So the question is how did your file get the file_t type in the
> > first place. You say it is generated from a cgi script run from
> > apache.
> >
> > So is this the default apache which comes with CentOS?
> >
> > What is the context of the apache executable? It should be
> > -rwxr-xr-x root root system_u:object_r:httpd_exec_t
> > /usr/sbin/httpd
>
> Yes that's what I've got.
>
Ok so apache is correctly labelled.
> > Where in the filesystem is the cgi script located? How did it get
> > there?
> >
> > What is the context of the cgi script?
> >
> > What is the context of the directory the cgi script is in?
>
> [root at g6950-21025 ~]# ls -lZ /var/www/cgi-bin/capture.cgi
> -rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t
> /var/www/cgi-bin/capture.cgi
> [root at g6950-21025 ~]# ls -ldZ /var/www/cgi-bin/
> drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t
> /var/www/cgi-bin/
>
> The script got there because I uploaded it there.
The reason I asked that was because how the script got there can
determine its context.
For instance:
cp: gives it the correct context of the directory it was copied into
mv: does not, it preserves the original context
But the above context(s) look OK.
>
> > What is the context of /tmp? It should be
> > drwxrwxrwt root root system_u:object_r:tmp_t /tmp
>
> Yep.
> [root at g6950-21025 ~]# ls -ldZ /tmp
> drwxrwxrwt root root system_u:object_r:tmp_t /tmp
>
Ok that's fine.
> > Regards
> >
> > Tony
Now try a little experiment
# touch /tmp/x.x
# ls -alZ /tmp/x.x
It should have the following context:
-rw-r--r-- root root root:object_r:tmp_t x.x
You can also try copying and moving a file to /tmp and check the
context after each to see the difference.
Then delete the file created by your script from /tmp and run your cgi
script by hand.
What is the context of the file now created?
Regards,
Tony
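The experiment Tony describes (touch, cp and mv into /tmp, then compare the labels) written up as a script. This is an added example, not something posted in the thread: it assumes GNU coreutils (`stat -c %C`, `mktemp -u`) and, for the live part, an SELinux-enabled box. The helper functions that pull the type out of a context string and flag file_t/default_t work on any POSIX sh, so the script can also be used to check `ls -Z` output pasted from another machine.

```shell
#!/bin/sh
# Added example (not posted in the thread). Helpers to read the type out of
# an SELinux context string and flag the "no policy for this" labels, plus
# an optional live run of the touch / cp / mv experiment against /tmp.
# Assumes GNU coreutils (`stat -c %C`, `mktemp -u`); the live part needs an
# SELinux-enabled system, the helpers run anywhere.

# Print the type field (third colon-separated component) of a context,
# e.g. "system_u:object_r:tmp_t:s0" -> tmp_t.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (0) when the type is one SELinux hands out for objects it has no
# policy for (file_t, default_t) or that were never labelled (unlabeled_t).
is_unpoliced_type() {
    case "$(selinux_type "$1")" in
        file_t|default_t|unlabeled_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare a context's type with the expected one; prints OK or MISMATCH
# and returns 0 / 1 so it can gate a script.
check_type() {
    have=$(selinux_type "$1")
    if [ "$have" = "$2" ]; then
        echo "OK: $have"
        return 0
    fi
    echo "MISMATCH: have $have, want $2"
    return 1
}

# Live experiment from the mail: create a file in /tmp three ways and show
# each resulting context. Skips (returns 2) where no context is readable.
tmp_experiment() {
    tmpctx=$(stat -c %C /tmp 2>/dev/null) || tmpctx='?'
    case "$tmpctx" in
        *:*:*) ;;
        *) echo "no SELinux context readable on /tmp; skipping live test"; return 2 ;;
    esac
    check_type "$tmpctx" tmp_t || return 1
    src=$(mktemp ./sel-src.XXXXXX) || return 1
    echo "created in $PWD:  $(stat -c %C "$src")"
    t=$(mktemp /tmp/sel-touch.XXXXXX) || return 1
    echo "touch in /tmp:    $(stat -c %C "$t")"
    c=$(mktemp -u /tmp/sel-cp.XXXXXX)
    cp "$src" "$c"                     # cp: new file, labelled for the target dir
    echo "cp into /tmp:     $(stat -c %C "$c")"
    m=$(mktemp -u /tmp/sel-mv.XXXXXX)
    mv "$src" "$m"                     # mv: keeps the source file's context
    echo "mv into /tmp:     $(stat -c %C "$m")"
    if is_unpoliced_type "$(stat -c %C "$m")"; then
        echo "moved file carries a type SELinux has no policy for"
    fi
    rm -f "$t" "$c" "$m"
}

# Run the live part only when asked for, so the helpers can be sourced.
if [ "${1-}" = "--live" ]; then
    tmp_experiment
fi
```

Run it as `sh selinux-tmp-test.sh --live` on the affected machine; on a box without SELinux `stat -c %C` prints "?" and the live part is skipped, while the helpers still work on pasted context strings.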