[CentOS] SELinux and access across 'similar types'

Thu Jan 5 23:14:13 UTC 2012
RILINDO FOSTER <rilindo at me.com>

On Jan 5, 2012, at 4:46 PM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 01/05/2012 04:36 PM, Bennett Haselton wrote:
>> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed
>> between similar types, so Apache running as httpd_t can read
>> /var/www/html/index.html of type httpd_sys_content_t."
>> 
>> however the doc doesn't define what "similar types" means.  I
>> assumed it just meant "beginning with the same prefix".  However
>> that can't be right because on my system with SELinux turned on,
>> httpd runs as type init_t:
>> 
>> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
>> system_u:system_r:init_t:s0     root      2521  0.1  0.4  21680  8820 ?        Ss   05:05   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t:s0     apache    2550  0.0  0.4  23364  8920 ?        S    05:05   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t:s0     apache    2551  0.1  0.4  22736  8212 ?        S    05:05   0:00 /usr/sbin/httpd
>> 
>> and the robots.txt file has type file_t:
>> 
>> [root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt
>> -rw-rw-rw-  root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
>> 
>> but Apache can of course access that file.  So in Type Enforcement,
>> what determines what process type can access what file type?
>> 
>> Bennett
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
> 
> 
> Your machine needs to be relabeled.
> 
> touch /.autorelabel
> reboot
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAk8GGk4ACgkQrlYvE4MpobMVkgCfVagwQqbzB2UW1+TEsrrCVhF5
> lFkAnjLTi3zphekGomv04ZyMu0sOuopg
> =cIvM
> -----END PGP SIGNATURE-----

WARNING: If you have never enabled SELinux for a long time, the boot is going to take a while as the system relabels the whole machine. Do not do this unless you can plan for an extended downtime.
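The labels Bennett pasted are the tell-tale signs that Daniel is reacting to: `file_t` is the type a file gets when the filesystem was never labeled at all, and a daemon still running as `init_t` is one that never transitioned into its own domain (for httpd, `httpd_t`), which usually means the executable it was started from is mislabeled too. Below is a small POSIX shell example, added here and not part of the thread, that pulls the type field out of a context string and flags exactly those two conditions over some constructed `ls -Z`-style lines, so an administrator can spot a box that needs `touch /.autorelabel` before trusting its SELinux enforcement. The function names and the sample lines are my own; the only labels assumed are the ones that appear in the thread.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): parse SELinux context
# strings and flag labels that mean the policy is not actually being applied.

# Extract the type field from a context such as system_u:object_r:file_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True (exit 0) when a file label shows the filesystem was never labeled
# (file_t) or carries no usable label (unlabeled_t); either calls for relabel.
needs_relabel() {
    case "$(selinux_type "$1")" in
        file_t|unlabeled_t) return 0 ;;
        *) return 1 ;;
    esac
}

# True when a process context shows a service still running in init's domain,
# i.e. it never transitioned into a confined domain like httpd_t.
daemon_in_init_domain() {
    [ "$(selinux_type "$1")" = "init_t" ]
}

# Constructed sample, modelled on `ls -Z` output; not from a real system.
# One line is mislabeled (file_t), one is correct (httpd_sys_content_t).
SAMPLE_LS_Z='system_u:object_r:file_t:s0 /var/www/html/robots.txt
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html'

# Print one RELABEL line per mislabeled path in "<context> <path>" input.
report_mislabeled() {
    printf '%s\n' "$1" | while read -r ctx path; do
        if needs_relabel "$ctx"; then
            printf 'RELABEL %s (%s)\n' "$path" "$(selinux_type "$ctx")"
        fi
    done
}

# Count of mislabeled entries, for use in scripts (0 means nothing to do).
count_mislabeled() {
    report_mislabeled "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed sample.
report_mislabeled "$SAMPLE_LS_Z"
```

On a live system the same functions can be fed real output, for example `ls -Z /var/www/html | awk '{print $4, $5}'` for files or `ps -eo label,comm` for processes; a non-zero count from `count_mislabeled`, or `daemon_in_init_domain` returning true for httpd, means the "similar types" rule from the wiki is not what is governing access on that host, and the relabel Daniel recommends is the fix.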