[CentOS] SELinux and access across 'similar types'

Daniel J Walsh dwalsh at redhat.com
Mon Jan 9 17:08:53 UTC 2012



On 01/07/2012 09:21 PM, Gordon Messmer wrote:
> On 01/05/2012 01:36 PM, Bennett Haselton wrote:
>> http://wiki.centos.org/HowTos/SELinux says: "Access is only
>> allowed between similar types, so Apache running as httpd_t can
>> read /var/www/html/index.html of type httpd_sys_content_t."
>> 
>> however the doc doesn't define what "similar types" means.
> 
> That is a gross oversimplification.  Access is allowed based on a 
> policy, and no "similarity" between types is required.
> 
> If you'd like to see what is allowed, you'll have to get the 
> selinux-policy src.rpm and unpack it to examine the source for the
>  policy.  It sucks, but as far as I know, no more user-friendly
> method exists.
> 
>> and the robots.txt file has type file_t:
>>
>> [root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt
>> -rw-rw-rw-  root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
>> 
>> but Apache can of course access that file.
> 
> If apache can access a mislabeled file, then either SELinux is
> disabled or in permissive mode.  Use "getenforce" to determine
> which.

man sesearch

sesearch -A -s httpd_t -C

Will show you all the allow rules for the Apache service.
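The practical follow-up to the two answers above is to put them together: take the allow rules sesearch prints for httpd_t, take the labels ls -lZ shows under the web root, and list the files no rule lets Apache read. The script below is an added example, not code from this thread, from Dan Walsh, or from the selinux-policy package. Both inputs are constructed so it runs offline: the rule lines follow the "allow SRC TGT : CLASS { perms } ;" shape sesearch prints, and the ls -lZ lines reuse the robots.txt line from the original question plus an index.html labelled the way the wiki describes. On a real host you would replace the two variables with the live command output shown in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check file labels under the web
# root against the allow rules sesearch prints for httpd_t.
#
# Live use would be:
#   RULES="$(sesearch -A -s httpd_t -C)"
#   LS_OUTPUT="$(ls -lZ /var/www/html)"
# The two samples below are constructed so the script runs offline.

RULES='allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow httpd_t httpd_log_t : file { ioctl create getattr setattr lock append open } ;'

# Constructed ls -lZ output: robots.txt carries the file_t label from the
# question, index.html the httpd_sys_content_t label the wiki describes.
LS_OUTPUT='-rw-r--r--  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-rw-rw-  root root system_u:object_r:file_t:s0 /var/www/html/robots.txt'

# Print the SELinux type (third field of user:role:type[:level]) from one
# ls -lZ line. The context field is found by shape, so it does not matter
# which column older or newer coreutils puts it in.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, c, ":")
            if (n >= 3 && c[3] ~ /_t$/) { print c[3]; exit }
        }
    }'
}

# Exit 0 only if RULES holds an allow rule granting PERM on CLASS from SRC
# to TGT. There is no "similarity" test anywhere: a type is readable because
# a rule names it, or it is not.
rule_allows() {  # SRC TGT CLASS PERM
    printf '%s\n' "$RULES" | awk -v s="$1" -v t="$2" -v k="$3" -v p="$4" '
        $1 == "allow" && $2 == s && $3 == t && $4 == ":" && $5 == k {
            for (i = 6; i <= NF; i++) if ($i == p) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Every target type some rule lets httpd_t read as a plain file.
httpd_readable_types() {
    printf '%s\n' "$RULES" | awk '
        $1 == "allow" && $2 == "httpd_t" && $4 == ":" && $5 == "file" {
            for (i = 6; i <= NF; i++) if ($i == "read") print $3
        }' | sort -u
}

# Print the path (last field) of every LS_OUTPUT line whose type no rule
# lets httpd_t read. In enforcing mode these are the files Apache is denied.
mislabeled_paths() {
    printf '%s\n' "$LS_OUTPUT" | while IFS= read -r line; do
        t=$(selinux_type_of "$line")
        if ! httpd_readable_types | grep -qx -- "$t"; then
            printf '%s\n' "$line" | awk '{ print $NF }'
        fi
    done
}

mislabeled_count() { mislabeled_paths | wc -l | tr -d ' '; }

report() {
    echo "Types httpd_t may read as files:"; httpd_readable_types
    echo "Files under the web root with no matching allow rule:"; mislabeled_paths
    echo "Fix: restorecon -v /var/www/html/robots.txt"
    echo "(relabels from file_t to the type the file-context rules assign under /var/www)"
}
report
```

The parser deliberately reads only unconditional "allow" lines. With -C, sesearch also prints rules that depend on a boolean (for example the homedir rules), annotated with the boolean they hang off; those only apply when the boolean is on, which this example does not evaluate, so check getsebool for any rule whose line carries a boolean before relying on it.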