[CentOS] SELinux and access across 'similar types'

Fri Jan 6 10:00:27 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/5/2012 1:36 PM, Bennett Haselton wrote:
> http://wiki.centos.org/HowTos/SELinux
> says:
> "Access is only allowed between similar types, so Apache running as 
> httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."
>
> however the doc doesn't define what "similar types" means.  I assumed 
> it just meant "beginning with the same prefix".  However that can't be 
> right because on my system with SELinux turned on, httpd runs as type 
> init_t:
>
> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
> system_u:system_r:init_t:s0     root      2521  0.1  0.4  21680  8820 
> ?        Ss   05:05   0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0     apache    2550  0.0  0.4  23364  8920 
> ?        S    05:05   0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0     apache    2551  0.1  0.4  22736  8212 
> ?        S    05:05   0:00 /usr/sbin/httpd
>
> and the robots.txt file has type file_t:
> [root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt
> -rw-rw-rw-  root root system_u:object_r:file_t:s0      
> /var/www/html/robots.txt
>
> but Apache can of course access that file.  So in Type Enforcement, 
> what determines what process type can access what file type?

OK, notwithstanding the fact that the filesystem on the above machine 
needs to be re-labeled and I don't know why that's failing --

I have another CentOS 5.7 machine where I've enabled SELinux (permissive 
mode) and relabeled the filesystem and it actually worked, so that the 
above commands are now giving the expected outputs:

[root at g6950-21025 ~]# ps awuxZ | grep httpd | head -n 3
system_u:system_r:init_t        root      2302  0.0  1.0 253056 10576 
?        Ss   00:12   0:00 /usr/sbin/httpd
system_u:system_r:init_t        apache    4201  0.1  2.0 274804 20968 
?        S    01:26   0:02 /usr/sbin/httpd
system_u:system_r:init_t        apache    4392  0.2  1.2 257308 12512 
?        S    01:39   0:01 /usr/sbin/httpd
[root at g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
-rw-rw-rw-  root root system_u:object_r:httpd_sys_content_t 
/var/www/html/robots.txt
[root at g6950-21025 ~]#

So, same question -- the documentation says "Access is only allowed 
between similar types", but what does "similar" mean?  What determines 
that the httpd process, running under the "init_t" domain, can access 
the robots.txt file, which has type "httpd_sys_content_t"?
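An added illustration of what actually decides access in Type Enforcement (example code written for this archive page, not from the list or the CentOS wiki): the kernel looks in the loaded policy for an allow rule whose source type equals the process's type, whose target type equals the file's type, and whose object class and permission match the operation; the names of the types being "similar" plays no part in the decision. The allow rules below are constructed samples in policy-source syntax, not the real CentOS 5 targeted policy, so they say nothing about what init_t may do on the machines above; on a real box the same lookup is `sesearch -A -s <process type> -t <file type> -c file` from the setools package.

```python
import re

# Constructed sample allow rules in SELinux policy-source syntax.
# They are illustrative only, not the real CentOS 5 targeted policy.
SAMPLE_RULES = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_sys_content_t:dir { read getattr search open };
allow httpd_t httpd_log_t:file { append create getattr };
"""

# allow <source_type> <target_type>:<class> { perm ... };  (or one bare perm)
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;")


def parse_rules(text):
    """Return a list of (source_type, target_type, class, frozenset(perms))."""
    rules = []
    for m in RULE_RE.finditer(text):
        src, tgt, cls, braced, single = m.groups()
        perms = (braced if braced is not None else single).split()
        rules.append((src, tgt, cls, frozenset(perms)))
    return rules


def type_of(context):
    """Pull the type field out of a context such as
    system_u:system_r:httpd_t:s0 (the trailing MLS level is optional)."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % context)
    return parts[2]


def matching_rules(rules, proc_ctx, file_ctx):
    """Every allow rule whose source and target types match this pair."""
    src, tgt = type_of(proc_ctx), type_of(file_ctx)
    return [(cls, perms) for s, t, cls, perms in rules
            if s == src and t == tgt]


def allowed(rules, proc_ctx, file_ctx, cls, perm):
    """Type Enforcement is default-deny: access is granted only if some
    allow rule names exactly this (source type, target type, class, perm)."""
    return any(c == cls and perm in perms
               for c, perms in matching_rules(rules, proc_ctx, file_ctx))
```

With these rules, httpd_t may read a file of type httpd_sys_content_t but not one of type httpd_log_t, even though the two type names share a prefix.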