[CentOS] SELinux and access across 'similar types'
vvmarko at gmail.com
Mon Jan 9 20:00:29 UTC 2012
On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
> SELinux has no idea what the labels are in /tmp, so restorecon will
> not change the labels. It would be best to just remove the content
> from /tmp and allow new content to be created. If you want the
> content to be accessible from apache, you could change it to httpd_tmp_t
> chcon -t httpd_tmp_t /tmp/PATH
But isn't there a policy for default labelling of arbitrary files put in /tmp?
I mean, when apache puts a file in /tmp, it should be labelled *somehow*,
according to the rules for apache and/or the /tmp directory, right? This
should happen in both enforcing and permissive modes.
So is the default type label for such a case file_t? If it is, it's a bug,
since SELinux would deny subsequent access to that file, per policy, right?
If I understood the OP correctly, he enabled SELinux (into permissive mode),
relabeled the whole filesystem, rebooted several times, and after all that
apache creates a file in /tmp with a label file_t. AFAIK, this should *never*
happen, with the default policy.
Or am I missing something?
The only way I can understand how this can happen is to conjecture that the OP
has turned on SELinux and --- *before* proper relabelling of the filesystem ---
customized the policy (using audit2allow) to allow apache to read/write files
of type file_t (this was neither confirmed nor denied by the OP). Since this is
inconsistent with other rules in the policy, my suggestion was to "reset" the
policy to CentOS default and relabel everything again before making any
further customizations. However, I don't know how to actually do the "reset
the policy" step, since I never needed it. :-)
Is there an alternative explanation to the whole mess?
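A small check for the situation described in this thread, added here as an example and not part of the original post: it scans `ls -Z`-style output for files under /tmp whose type is file_t (or unlabeled_t), which is the symptom the OP reported, and prints the `chcon -t httpd_tmp_t` line suggested above for each one without running it. It assumes the CentOS 6 `ls -Z` layout (context in the second-to-last field, path last) and uses a constructed sample listing.

```bash
#!/bin/sh
# Added example, not code from the thread. Files apache writes to /tmp
# normally get a transition type such as httpd_tmp_t; a type of file_t
# means the inode was never labelled, so policy denies later access.

# find_unlabeled_tmp: read `ls -Z`-format lines on stdin, print the path of
# every entry whose SELinux type is file_t or unlabeled_t.
find_unlabeled_tmp() {
    awk '
      # Assumed layout: ... user:role:type:level path
      # (context is the second-to-last field, path is the last one).
      NF >= 2 {
        ctx = $(NF - 1); path = $NF
        n = split(ctx, parts, ":")
        if (n >= 3 && (parts[3] == "file_t" || parts[3] == "unlabeled_t"))
          print path
      }'
}

# suggest_chcon: turn each path on stdin into the relabel command from the
# quoted advice above. It only prints the command; nothing is changed.
suggest_chcon() {
    while IFS= read -r p; do
        printf 'chcon -t httpd_tmp_t %s\n' "$p"
    done
}

# Constructed sample of `ls -Z /tmp` output (not from the OP's system).
SAMPLE_LS_Z='-rw-r--r--. apache apache system_u:object_r:file_t:s0 /tmp/sess_abc123
-rw-r--r--. apache apache system_u:object_r:httpd_tmp_t:s0 /tmp/sess_def456
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/foo.txt'

# count_unlabeled: number of unlabelled entries in the sample.
count_unlabeled() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_unlabeled_tmp | wc -l | tr -d ' '
}

# Stand-alone run: list the offenders and the commands that would fix them.
printf '%s\n' "$SAMPLE_LS_Z" | find_unlabeled_tmp | suggest_chcon
```

On a real system, feed it `ls -Z /tmp` instead of the sample; a non-empty result after a full relabel is exactly the inconsistency this thread is trying to explain.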