[CentOS] SELinux and access across 'similar types'

Daniel J Walsh dwalsh at redhat.com
Mon Jan 9 20:20:53 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/09/2012 03:00 PM, Marko Vojinovic wrote:
> On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
>> SELinux has no idea what the labels are in /tmp, so restorecon
>> will not change the labels.  It would be best to just remove the
>> content from /tmp and allow new content to be created.  If you
>> want the content to be accessible from apache, you could change
>> it to httpd_tmp_t
>> 
>> chcon -t httpd_tmp_t /tmp/PATH
> 
> But isn't there a policy for default labelling of arbitrary files
> put in /tmp? I mean, when apache puts a file in /tmp, it should be
> labelled *somehow*, according to the rules for apache and/or the
> /tmp directory, right? This should happen in both enforcing and
> permissive modes.
> 
> So is the default type label for such a case file_t? If it is, it's
> a bug, since SELinux would deny subsequent access to that file, per
> policy, right?
> 
> If I understood the OP correctly, he enabled SELinux (into
> permissive mode), relabeled the whole filesystem, rebooted several
> times, and after all that apache creates a file in /tmp with a
> label file_t. AFAIK, this should *never* happen, with the default
> policy.
> 
> Or am I missing something?
> 
> The only way I can understand how this can happen is to conjecture
> that the OP has turned on SELinux and --- *before* proper
> relabelling of the filesystem --- customized the policy (using
> audit2allow) to allow apache to read/write files of type file_t
> (this was neither confirmed nor denied by the OP). Since this is 
> inconsistent with other rules in the policy, my suggestion was to
> "reset" the policy to CentOS default and relabel everything again
> before making any further customizations. However, I don't know how
> to actually do the "reset the policy" step, since I never needed
> it. :-)
> 
> Is there an alternative explanation to the whole mess?
> 
> Best, :-) Marko
> 
> 
> _______________________________________________ CentOS mailing
> list CentOS at centos.org 
> http://lists.centos.org/mailman/listinfo/centos

If you look at the file_context file you will see <<none>>  which
means the default label has no idea what to put in this directory

/tmp/.*	<<none>>

This tells restorecon to ignore any files that match this label, to
prevent it from doing the wrong thing.  restorecon does not understand
the difference between file_t or shadow_t or user_home_t.  So it does
nothing.

So the real problem here is the fact the machine booted with SELinux
disabled and them kept files in /tmp.  Newer versions of fixfiles
attempt to delete these files if it finds them in /tmp.

UNDEFINED=`get_undefined_type` || exit $?
UNLABELED=`get_unlabeled_type` || exit $?
find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*"
\) \( -type s -o -type p \) -delete
find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*"
\) -exec chcon --reference /tmp {} \;
find /var/tmp \( -context "*:${UNLABELED}*" -o -context
"*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
find /var/run \( -context "*:${UNLABELED}*" -o -context
"*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
[ -e /var/lib/debug ] && find /var/lib/debug \( -context
"*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon
- --reference /lib {} \;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8LTCUACgkQrlYvE4MpobOA3QCgj+B+ujz+aWl2ShEi7MmmrMlu
wRkAoIZ12wN6w8C6bKt4ul3wjWU9h6OB
=D0by
-----END PGP SIGNATURE-----



More information about the CentOS mailing list