[CentOS] SELinux and access across 'similar types'

Marko Vojinovic vvmarko at gmail.com
Mon Jan 9 20:00:29 UTC 2012


On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
> SELinux has no idea what the labels are in /tmp, so restorecon will
> not change the labels.  It would be best to just remove the content
> from /tmp and allow new content to be created.  If you want the
> content to be accessible from apache, you could change it to httpd_tmp_t
> 
> chcon -t httpd_tmp_t /tmp/PATH

But isn't there a policy for default labelling of arbitrary files put in /tmp? 
I mean, when apache puts a file in /tmp, it should be labelled *somehow*, 
according to the rules for apache and/or the /tmp directory, right? This 
should happen in both enforcing and permissive modes.

So is the default type label for such a case file_t? If it is, it's a bug, 
since SELinux would deny subsequent access to that file, per policy, right?

If I understood the OP correctly, he enabled SELinux (into permissive mode), 
relabeled the whole filesystem, rebooted several times, and after all that 
apache creates a file in /tmp with a label file_t. AFAIK, this should *never* 
happen, with the default policy. 

Or am I missing something?

The only way I can understand how this can happen is to conjecture that the OP 
has turned on SELinux and --- *before* proper relabelling of the filesystem --- 
customized the policy (using audit2allow) to allow apache to read/write files 
of type file_t (this was neither confirmed nor denied by the OP). Since this is 
inconsistent with other rules in the policy, my suggestion was to "reset" the 
policy to CentOS default and relabel everything again before making any 
further customizations. However, I don't know how to actually do the "reset 
the policy" step, since I never needed it. :-)

Is there an alternative explanation to the whole mess?

Best, :-)
Marko
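As an added example (not code from this thread or from the CentOS project), a POSIX shell script that does the triage Marko's questions call for: compare a file's actual label with the default for its path and say whether it is file_t, print the type_transition rule that decides what httpd_t gives a file it creates in a tmp_t directory, check the conjecture that a local audit2allow module lets httpd_t touch file_t, and list the local policy pieces you would have to remove to get back to the stock policy. It assumes the standard SELinux userland (GNU stat with %C, matchpathcon, restorecon, sesearch from setools, semodule, semanage, ausearch) and the type names of the targeted policy; the function names and verdict strings are my own.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or the CentOS project.
# Triage of a file whose SELinux label looks wrong (the apache-created /tmp
# file labelled file_t discussed above), plus checks of where the bad label
# and any unexpected permission could have come from. Nothing here changes
# the system unless you call apply_default_label yourself.

# Type field of an SELinux context "user:role:type[:level]". For an entry
# with no context at all (matchpathcon prints "<<none>>") this prints nothing.
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# file_t and unlabeled_t mean "no label the policy knows about". No domain in
# the targeted policy may touch such files, so they are always a labelling
# problem to fix, never something to allow with audit2allow.
is_unlabeled_type() {
    case "$1" in
        file_t|unlabeled_t) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Verdict for the on-disk type against the type file_contexts expects:
#   unlabeled  - file_t/unlabeled_t, needs relabelling regardless of path
#   no-default - no file_contexts entry (e.g. /tmp/.* is <<none>>); the label
#                came from the creating process's type_transition and
#                restorecon will not change it
#   mismatch   - restorecon would change it
#   ok         - already as the policy expects
label_verdict() {
    if is_unlabeled_type "$1"; then
        echo unlabeled
    elif [ -z "$2" ]; then
        echo no-default
    elif [ "$1" != "$2" ]; then
        echo mismatch
    else
        echo ok
    fi
}

# Actual label (stat %C) next to the default for the path (matchpathcon -n).
check_label() {
    actual=$(stat -c '%C' "$1")
    expected=$(matchpathcon -n "$1")
    verdict=$(label_verdict "$(context_type "$actual")" "$(context_type "$expected")")
    printf '%s\t%s\tactual=%s\tdefault=%s\n' "$verdict" "$1" "$actual" "$expected"
}

# The rule that labels files httpd_t creates in a tmp_t directory. Stock
# policy answers httpd_tmp_t; file_t should never appear here.
show_tmp_transition() {
    sesearch -T -s httpd_t -t tmp_t -c file
}

# Any allow rule from httpd_t to file_t can only come from a local module
# (for instance one built with audit2allow). Empty output means none exists.
show_file_t_allows() {
    sesearch -A -s httpd_t -t file_t
}

# The denials behind the problem, from the audit log (last 10 minutes).
show_recent_denials() {
    ausearch -m avc -ts recent
}

# Local policy state that a filesystem relabel does not undo: loaded modules
# (remove one with: semodule -r NAME) and local file-context and boolean
# customisations (remove with semanage fcontext -d / semanage boolean).
list_local_policy() {
    echo '== loaded policy modules =='
    semodule -l
    echo '== local file context customisations =='
    semanage fcontext -l -C
    echo '== local boolean customisations =='
    semanage boolean -l -C
}

# Reapply the file_contexts default to one path. For /tmp this is a no-op
# (verdict no-default), so there the fix is to delete the file or, as Dan
# says, chcon -t httpd_tmp_t it. A full relabel is: touch /.autorelabel; reboot
apply_default_label() {
    restorecon -v "$1"
}

if [ $# -gt 0 ]; then
    for p in "$@"; do check_label "$p"; done
    show_tmp_transition
    show_file_t_allows
    show_recent_denials
    list_local_policy
fi
```

Run it on the affected host as `sh selinux-triage.sh /tmp/somefile`. For anything under /tmp expect the no-default verdict: matchpathcon reports `<<none>>` there, which is exactly why restorecon leaves /tmp alone and why the label on a file apache creates is decided by the httpd_t to tmp_t type_transition at creation time. If show_file_t_allows prints anything, that allow rule is the local customisation Marko suspects and semodule -r of the module that carries it is the "reset" step.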
