[CentOS] SELinux and access across 'similar types'
Tony Molloy
tony.molloy at ul.ie
Mon Jan 9 20:24:28 UTC 2012
On Monday 09 January 2012 20:00:29 Marko Vojinovic wrote:
> On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
> > SELinux has no idea what the labels are in /tmp, so restorecon
> > will not change the labels. It would be best to just remove the
> > content from /tmp and allow new content to be created. If you
> > want the content to be accessible from apache, you could change
> > it to httpd_tmp_t
> >
> > chcon -t httpd_tmp_t /tmp/PATH
>
> But isn't there a policy for default labelling of arbitrary files
> put in /tmp? I mean, when apache puts a file in /tmp, it should be
> labelled *somehow*, according to the rules for apache and/or the
> /tmp directory, right? This should happen in both enforcing and
> permissive modes.
>
> So is the default type label for such a case file_t? If it is, it's
> a bug, since SELinux would deny subsequent access to that file,
> per policy, right?
>
> If I understood the OP correctly, he enabled SELinux (into
> permissive mode), relabeled the whole filesystem, rebooted several
> times, and after all that apache creates a file in /tmp with a
> label file_t. AFAIK, this should *never* happen, with the default
> policy.
>
Exactly as I thought. If I touch a file or cp a file into /tmp then it's
labelled as tmp_t not file_t. On the other hand, if I mv a file in, it
retains its original type. So how could a file created in /tmp get a
file_t type?
That's why I asked the OP to delete the file and run the script which
creates the file by hand.
Tony
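The label behaviour Tony describes (a new inode created by touch or cp picks up the directory's default type, while mv keeps the source file's type) and Dan Walsh's point that restorecon has nothing to restore /tmp files to can be checked with the small script below. It is an added example, not code from anyone in this thread; the file names under /tmp and $HOME are constructed for the demo, and the helper names (selinux_type, type_differs, has_policy_entry, demo) are my own. The live part only runs on a host where SELinux is enabled; the helpers work on any context string.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): show how a file's
# SELinux type in /tmp depends on how the file got there, and why
# restorecon cannot repair a stray label under /tmp.
# Paths /tmp/labeltest.* and $HOME/labeltest.src are constructed for the demo.

# Type field (third colon-separated field) of a security context such as
# "unconfined_u:object_r:tmp_t:s0".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit status 0 (true) when two contexts carry different types, 1 when equal.
type_differs() {
    [ "$(selinux_type "$1")" != "$(selinux_type "$2")" ]
}

# Exit status 0 (true) when file_contexts has an entry for the path, i.e.
# restorecon has something to restore to. matchpathcon prints "<<none>>"
# when there is no entry, which is the case for /tmp/.* in the stock policy
# (this is what "SELinux has no idea what the labels are in /tmp" means).
has_policy_entry() {
    [ "$1" != "<<none>>" ]
}

demo() {
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SELinux is not enabled on this host; skipping live demo"
        return 0
    fi
    dir_type=$(selinux_type "$(stat -c %C /tmp)")   # normally tmp_t
    src="$HOME/labeltest.src"
    : > "$src"                      # created in $HOME, so it gets the home-dir type
    : > /tmp/labeltest.touch        # new inode: default type for /tmp applies
    cp "$src" /tmp/labeltest.cp     # new inode: default type for /tmp applies
    mv "$src" /tmp/labeltest.mv     # mv preserves the source file's context
    for f in /tmp/labeltest.touch /tmp/labeltest.cp /tmp/labeltest.mv; do
        actual=$(stat -c %C "$f")
        t=$(selinux_type "$actual")
        entry=$(matchpathcon -n "$f")
        if has_policy_entry "$entry"; then
            fix="restorecon would set $(selinux_type "$entry")"
        else
            fix="no file_contexts entry, restorecon leaves it alone: recreate the file or chcon -t <type>"
        fi
        echo "$f: $t (directory /tmp is $dir_type; $fix)"
    done
    rm -f /tmp/labeltest.touch /tmp/labeltest.cp /tmp/labeltest.mv
}

demo
```

On a box where the mv'd file shows a home-directory type while the other two show the /tmp default, the output also explains why the OP's file_t file cannot be fixed by a relabel: with no file_contexts entry the only options are the ones Dan Walsh gave, remove and recreate the file, or chcon it to the type (httpd_tmp_t) that apache is allowed to use.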