[CentOS] SELinux and access across 'similar types'
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 9 20:20:53 UTC 2012
On 01/09/2012 03:00 PM, Marko Vojinovic wrote:
> On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
>> SELinux has no idea what the labels are in /tmp, so restorecon
>> will not change the labels. It would be best to just remove the
>> content from /tmp and allow new content to be created. If you
>> want the content to be accessible from apache, you could change
>> it to httpd_tmp_t
>>
>> chcon -t httpd_tmp_t /tmp/PATH
>
> But isn't there a policy for default labelling of arbitrary files
> put in /tmp? I mean, when apache puts a file in /tmp, it should be
> labelled *somehow*, according to the rules for apache and/or the
> /tmp directory, right? This should happen in both enforcing and
> permissive modes.
>
> So is the default type label for such a case file_t? If it is, it's
> a bug, since SELinux would deny subsequent access to that file, per
> policy, right?
>
> If I understood the OP correctly, he enabled SELinux (into
> permissive mode), relabeled the whole filesystem, rebooted several
> times, and after all that apache creates a file in /tmp with a
> label file_t. AFAIK, this should *never* happen, with the default
> policy.
>
> Or am I missing something?
>
> The only way I can understand how this can happen is to conjecture
> that the OP has turned on SELinux and --- *before* proper
> relabelling of the filesystem --- customized the policy (using
> audit2allow) to allow apache to read/write files of type file_t
> (this was neither confirmed nor denied by the OP). Since this is
> inconsistent with other rules in the policy, my suggestion was to
> "reset" the policy to CentOS default and relabel everything again
> before making any further customizations. However, I don't know how
> to actually do the "reset the policy" step, since I never needed
> it. :-)
>
> Is there an alternative explanation to the whole mess?
>
> Best, :-) Marko
>
>
If you look at the file_context file you will see <<none>> which
means the default label has no idea what to put in this directory
/tmp/.* <<none>>
This tells restorecon to ignore any files that match this label, to
prevent it from doing the wrong thing. restorecon does not understand
the difference between file_t or shadow_t or user_home_t. So it does
nothing.
So the real problem here is the fact the machine booted with SELinux
disabled and then kept files in /tmp. Newer versions of fixfiles
attempt to delete these files if it finds them in /tmp.
# get_undefined_type / get_unlabeled_type are helper functions defined
# elsewhere in fixfiles; they return the policy's undefined and unlabeled
# type names that the -context tests below match on.
UNDEFINED=`get_undefined_type` || exit $?
UNLABELED=`get_unlabeled_type` || exit $?
# Sockets and pipes in /tmp that carry an unlabeled or undefined context are deleted.
find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete
# Everything else with such a context inherits the label of its parent directory.
find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \;
find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
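An added example, not from this thread and not code from fixfiles, showing how an administrator could audit a directory for exactly the two label classes the fixfiles snippet repairs (the undefined type file_t and the unlabeled type unlabeled_t). The function names (find_bad_labels, count_bad_labels, audit_live_tmp), the assumption that input lines have the shape `ls -Z` prints ("user:role:type:level path", no spaces in paths), and the sample listing are all constructed for this example; the live check only runs where selinuxenabled reports SELinux is on.

```shell
#!/bin/sh
# Added example: report entries whose SELinux type is the undefined (file_t)
# or unlabeled (unlabeled_t) type, i.e. the files restorecon will skip in /tmp
# because file_contexts lists /tmp/.* as <<none>>.

# Filter `ls -Z`-style lines ("user:role:type:level path") and print the
# path of every entry whose type field is one of the two problem types.
# Type names default to file_t / unlabeled_t but can be overridden, e.g.
# with the values fixfiles obtains from its own helpers. (Assumed format;
# paths containing spaces are not handled.)
find_bad_labels() {
    undefined_type="${1:-file_t}"
    unlabeled_type="${2:-unlabeled_t}"
    awk -v u="$undefined_type" -v l="$unlabeled_type" '
        {
            split($1, ctx, ":")          # ctx[3] is the type component
            if (ctx[3] == u || ctx[3] == l) print $2
        }'
}

# Constructed sample listing: what /tmp could look like after a boot with
# SELinux disabled left two files behind without a usable label.
SAMPLE='system_u:object_r:tmp_t:s0 /tmp/sess_ok
system_u:object_r:file_t:s0 /tmp/sess_legacy
system_u:object_r:unlabeled_t:s0 /tmp/cache.db
system_u:object_r:httpd_tmp_t:s0 /tmp/upload.png'

# Number of mislabeled entries in the sample (2 for the listing above).
count_bad_labels() {
    printf '%s\n' "$SAMPLE" | find_bad_labels | wc -l | tr -d ' '
}

# Same check against a real directory, using the -context test that
# fixfiles relies on. Does nothing unless SELinux is enabled on this host.
audit_live_tmp() {
    dir="${1:-/tmp}"
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled || return 0
    find "$dir" \( -context "*:file_t:*" -o -context "*:unlabeled_t:*" \) -print
}
```

Running find_bad_labels over the sample reports /tmp/sess_legacy and /tmp/cache.db and ignores the tmp_t and httpd_tmp_t entries; once such files are identified, the remediation is the one Dan's snippet shows, chcon --reference against the parent directory (or removing the files if they are just stale session data).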