[CentOS] SELinux and access across 'similar types'

Sat Jan 7 13:57:25 UTC 2012
Marko Vojinovic <vvmarko at gmail.com>

On Saturday 07 January 2012 04:43:31 Bennett Haselton wrote:
> On 1/7/2012 4:16 AM, Marko Vojinovic wrote:
> > IMHO, if a hosting company does that sort of things (especially turning
> > off SELinux), I wouldn't touch them with a ten-foot pole. Who knows
> > what else they might have customized, in their infinite wisdom... :-)
> > 
> > Care to share the name of that hosting company?
> 
> Virtually every hosting company I've ever bought a CentOS server from
> has had SELinux turned off by default.  (So, a partial list would
> include FDCServers, Superb.net, SiteGenie, SecuredServers (ho, ho),
> AeroVPS (sells dedicated servers despite their name), Netelligent,
> ServerBeach and I don't remember all the others).  Don't hold me to that
> list 100% since some might have changed their policies for new servers
> but it's pretty universal.
> 
> What hosting company sells sub-$100 unmanaged CentOS dedicated servers
> and *doesn't* have SELinux turned off?

I wouldn't know; I don't use such services (typically I have my production 
systems on my own hardware). And now that you say most of them turn SELinux off 
by default, I am discouraged to even consider having my system hosted by such 
companies... ;-)

> >> As for the original question -- when the docs say that access is allowed
> >> only across "similar types", what determines what counts as "similar
> >> types"?  How do you know for example that httpd running as type httpd_t
> >> can access /var/www/html/robots.txt which has type httpd_sys_content_t?
> > 
> > AFAIK, the interactions between various labels (i.e. rules "who can access
> > what") are determined by the SELinux targeted policy (the
> > selinux-policy-targeted package). These rules evolve over time (the package
> > sometimes gets updated and your filesystem autorelabeled to match), and
> > IIRC they can get pretty complicated. You want to look inside that package
> > to find all the rules.
>
> OK.  Is it easy to "look inside the package" and where would I look?

Well, an "rpm -ql selinux-policy-targeted" lists a whole bunch of files, mostly 
all residing under the /etc/selinux/targeted/ directory. So you can take a look 
at what is in there. If that is not enough (i.e. if you want to look "inside" 
the binary modules), you'll probably want to read the corresponding srpm. Use 
the Source, Luke! ;-)

Btw, your question is about some quite low-level-inside-guts of the SELinux 
policy. I cannot imagine why you would want to know the detailed relationships 
between labels, unless you are a SELinux developer. Or is it just curiosity?

HTH, :-)
Marko
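A more direct way to answer the original question ("how do I know httpd_t may access httpd_sys_content_t?") than reading the srpm, added here as an example that is not part of this thread or of the selinux-policy package: the setools `sesearch` command queries the loaded policy for allow rules, and a small parser over its output answers "does httpd_t get `read` on httpd_sys_content_t:file". The sample rule lines are constructed to look like sesearch output, not captured from a real host, and `sesearch` (setools-console) is assumed installed for the live path; without it the script falls back to the sample.

```shell
#!/bin/sh
# Added example: ask the loaded SELinux policy "who may access what" with
# sesearch (setools) instead of reading the selinux-policy-targeted srpm.

# Constructed sample in sesearch's output format (not captured from a real host).
SAMPLE_RULES='allow httpd_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow httpd_t httpd_sys_content_t:dir { getattr ioctl lock open read search };'

# Allow rules for source type $1, target type $2, object class $3.
# Live: sesearch -A (allow rules). Offline: filter the constructed sample.
rules_for() {
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -A -s "$1" -t "$2" -c "$3"
    else
        printf '%s\n' "$SAMPLE_RULES" |
            awk -v s="$1" -v t="$2" -v c="$3" '$1 == "allow" && $2 == s && $3 == (t ":" c)'
    fi
}

# Turn sesearch output (stdin) into one "source target class perm" line per
# permission. setools 3 (CentOS 6) prints "target : class { ... } ;" with spaces
# around the colon and before the semicolon; setools 4 prints "target:class { ... };".
explode_allow_rules() {
    sed -e 's/ : /:/' -e 's/ ; *$/;/' | awk '$1 == "allow" {
        split($3, tc, ":")                 # tc[1] = target type, tc[2] = object class
        for (i = 4; i <= NF; i++) {
            p = $i
            gsub(/[{};]/, "", p)           # drop braces and the trailing semicolon
            if (p != "") print $2, tc[1], tc[2], p
        }
    }'
}

# Exit 0 if the allow rules on stdin grant $1 -> $2:$3 permission $4.
grants() {
    explode_allow_rules | grep -qx "$1 $2 $3 $4"
}

# Same question against the loaded policy (or the sample when sesearch is absent).
allowed() {
    rules_for "$1" "$2" "$3" | grants "$1" "$2" "$3" "$4"
}

for perm in read write; do
    if allowed httpd_t httpd_sys_content_t file "$perm"; then
        echo "httpd_t may $perm httpd_sys_content_t files"
    else
        echo "httpd_t may NOT $perm httpd_sys_content_t files"
    fi
done
```

The other half of the question, which type a path gets, comes from the policy's file-context mappings: `matchpathcon /var/www/html/robots.txt` (libselinux-utils) prints the label the path is supposed to carry, and `ls -Z` shows what it actually carries.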