[CentOS] SELinux and access across 'similar types'
Daniel J Walsh
dwalsh at redhat.com
Tue Jan 10 13:47:25 UTC 2012
On 01/10/2012 08:37 AM, Bennett Haselton wrote:
> On 1/9/2012 8:05 PM, Marko Vojinovic wrote:
>> On Monday 09 January 2012 15:29:59 Daniel J Walsh wrote:
>>> file_t means the file has no label, so the only way to create
>>> this type of file would be to remove the security attributes on
>>> the file. On an SELinux system, file_t should never be created,
>>> they are only created on a disabled SELinux system. I guess
>>> you could try to use chcon -t file_t on a file, but I believe
>>> the kernel will block that. Or you could attempt to delete the
>>> SELinux label, but that might also be denied.
>> Ok, now I think I understand. The OP has stale files in /tmp
>> which are not labelled, due to not purging /tmp on reboot.
>> SELinux doesn't know how these files should be labelled, so it
>> doesn't even try, and gives them the type file_t, which is a
>> synonym for "this file doesn't have a type".
>>
>> So the answer for the OP is to use chcon on this file to label it
>> somehow. If that doesn't work, he should delete the file and
>> recreate it (while SELinux is active), so that it gets properly
>> labelled.
>
> OK, I did delete the files in the /tmp/ directory, and as the
> running apache process re-created them, it created them with the
> correct type:
>
> [root at g6950-21025 tmp]# ls -lZ *
> -rw-r--r-- apache apache system_u:object_r:httpd_sys_script_rw_t hostname_ICECOOK.INFO
> -rw-r--r-- apache apache system_u:object_r:httpd_sys_script_rw_t hostname_LAZYFROG.INFO
> etc.
>
> So the documentation is missing something about clearing files out
> of /tmp/ (or they won't get relabeled properly and processes won't
> be able to access them under SELinux), but at least it's working
> now.
>
> Bennett
>
>> I learned something new today. :-) Thanks for the explanation!
>>
>> Best, :-) Marko
Now if only more people used RHEL we could further enhance the
products. :^)
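As an added example (not from the thread or from any of its participants): a small POSIX shell script that does the check and the fix discussed above. It parses `ls -lZ` output in the five-field form Bennett posted, reports files whose SELinux type is file_t (the "no label" type Dan describes), and wraps the two remediation paths mentioned in the thread, restorecon (relabel from policy) and chcon (set a type by hand). The sample listing, the file name hostname_STALE.INFO and the function names are constructed for the example; the relabel functions need root on an SELinux-enabled system and are not run by the demo.

```shell
#!/bin/sh
# Added example, not code from the CentOS thread. Finds file_t ("no label")
# files in ls -lZ style output and shows the relabel step.

# Constructed sample of `ls -lZ /tmp` output in the RHEL/CentOS 5/6 format
# shown in the thread: two correctly labelled files, one stale file_t file
# (left over from a boot with SELinux disabled), one unrelated tmp file.
SAMPLE_LS_Z='-rw-r--r-- apache apache system_u:object_r:httpd_sys_script_rw_t hostname_ICECOOK.INFO
-rw-r--r-- apache apache system_u:object_r:httpd_sys_script_rw_t hostname_LAZYFROG.INFO
-rw-r--r-- apache apache system_u:object_r:file_t hostname_STALE.INFO
-rw-r--r-- root root unconfined_u:object_r:user_tmp_t notes.txt'

# Read ls -Z style lines on stdin; print the name (last field) of every
# entry whose context type is file_t. The context is located by shape
# (user:object_r:type[:level]) rather than by a fixed column, so it also
# works when ls prints size/date columns. Names containing spaces are
# not handled; see the find(1) alternative in relabel_dir for those.
unlabeled_files() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[^:]+:object_r:[^:]+/) {
                split($i, ctx, ":")      # ctx[3] is the type
                if (ctx[3] == "file_t") print $NF
                break
            }
        }
    }'
}

# Relabel a directory tree from the policy file contexts (what Marko's
# "label it somehow" amounts to, without guessing a type). Needs root and
# SELinux enabled. On an SELinux system GNU find can list the stale files
# directly first:  find "$dir" -context '*:file_t*'
relabel_dir() {
    dir=$1
    restorecon -R -v "$dir"
}

# Set one file's type explicitly, as in the chcon path from the thread.
# Assumed usage: relabel_type httpd_sys_script_rw_t /tmp/hostname_STALE.INFO
relabel_type() {
    type=$1
    file=$2
    chcon -t "$type" "$file"
}

# Demo on the constructed listing only; no relabel is performed here.
printf '%s\n' "$SAMPLE_LS_Z" | unlabeled_files
```

Deleting the file and letting the confined process recreate it, as Bennett did, works because the new file inherits its type from the policy's create rules; restorecon reaches the same result without losing the file contents.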