[CentOS] SELinux and access across 'similar types'
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 9 17:08:53 UTC 2012
On 01/07/2012 09:21 PM, Gordon Messmer wrote:
> On 01/05/2012 01:36 PM, Bennett Haselton wrote:
>> http://wiki.centos.org/HowTos/SELinux says: "Access is only
>> allowed between similar types, so Apache running as httpd_t can
>> read /var/www/html/index.html of type httpd_sys_content_t."
>>
>> however the doc doesn't define what "similar types" means.
>
> That is a gross oversimplification. Access is allowed based on a
> policy, and no "similarity" between types is required.
>
> If you'd like to see what is allowed, you'll have to get the
> selinux-policy src.rpm and unpack it to examine the source for the
> policy. It sucks, but as far as I know, no more user-friendly
> method exists.
>
>> and the robots.txt file has type file_t:
>>
>> [root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt
>> -rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
>>
>> but Apache can of course access that file.
>
> If apache can access a mislabeled file, then either SELinux is
> disabled or in permissive mode. Use "getenforce" to determine
> which.
man sesearch
sesearch -A -s httpd_t -C
Will show you all the allow rules for the apache service.
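An added example, not part of the thread above and not code from any of the posters: a small POSIX shell script that does what the two replies suggest. It reports the enforcing mode with getenforce, asks the loaded policy via sesearch whether httpd_t may read files of the expected type and of file_t, flags files under the web root whose type is not httpd_sys_content_t, and previews the relabel with restorecon. The function names, the WEBROOT/EXPECTED variables and the sample ls -Z lines are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): audit file labels under a web root
# the way the replies above suggest.  Helper names are constructed here.

WEBROOT=/var/www/html
EXPECTED=httpd_sys_content_t

# Third field of a context string user:role:type:level -> the type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Parse one `ls -Z` / `ls -lZ` line.  Old (RHEL5/6) and newer coreutils put
# the context in different columns, so locate it by shape rather than by
# position: the context is the field with at least three colons, and the
# path is the last field (paths containing spaces are not handled here).
# Prints "OK path" or "MISLABELED path type".
check_ls_line() {
    expected=$1
    line=$2
    ctx=$(printf '%s\n' "$line" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { print $i; exit } }')
    path=$(printf '%s\n' "$line" | awk '{ print $NF }')
    t=$(context_type "$ctx")
    if [ "$t" = "$expected" ]; then
        printf 'OK %s\n' "$path"
    else
        printf 'MISLABELED %s %s\n' "$path" "$t"
    fi
}

# Ask the loaded policy whether a source domain may read files of a target
# type.  Prints "allowed" or "denied".  The flags -A -s -t -c -p are accepted
# by both setools 3 and setools 4 versions of sesearch.
policy_allows_read() {
    src=$1
    tgt=$2
    if sesearch -A -s "$src" -t "$tgt" -c file -p read 2>/dev/null | grep -q 'allow '; then
        echo allowed
    else
        echo denied
    fi
}

# Live audit; only meaningful on an SELinux host with setools installed.
audit_webroot() {
    dir=$1
    echo "mode: $(getenforce)"
    echo "httpd_t read $EXPECTED: $(policy_allows_read httpd_t "$EXPECTED")"
    echo "httpd_t read file_t: $(policy_allows_read httpd_t file_t)"
    find "$dir" -type f -exec ls -Z {} + | while read -r l; do
        check_ls_line "$EXPECTED" "$l"
    done
    # Preview what restorecon would relabel from the file_contexts
    # database; drop -n to actually apply the labels.
    restorecon -Rnv "$dir"
}

# Usage: sh audit.sh /var/www/html
if [ $# -gt 0 ] && command -v getenforce >/dev/null 2>&1; then
    audit_webroot "$1"
fi
```

On the box from the quoted post, the audit would print MISLABELED for robots.txt with type file_t, and restorecon -Rnv would list it as a candidate for relabeling to httpd_sys_content_t; if getenforce prints Enforcing and the policy reports "denied" for httpd_t reading file_t, Apache should not have been able to serve that file.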