[CentOS] SELinux and access across 'similar types'

Sun Jan 8 23:19:39 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/8/2012 7:28 AM, Ljubomir Ljubojevic wrote:
> On 01/08/2012 03:15 PM, Bennett Haselton wrote:
>> It's a file created by one of my CGI scripts.  (The web server is
>> accessed by several hostnames which are dynamically assigned to it, and
>> I need a quick way of determining all hostnames that were recently used
>> to access the server.  So when someone accesses the server using
>> HOSTNAME, the file /tmp/hostname_<hostname> is created.  Then another
>> script just pulls the names of all of those files in order to find all
>> recently used hostnames.)
>>> My suggestion:
>>>
>>> stop apache
>>> run relabeling again (if file continues to exists)
>>> start apache
>>> check
>> Well when I was doing the relabeling I was doing:
>> # touch /.autorelabel
>> # reboot
>>
>> So when I'm rebooting apache stops and starts anyway, doesn't it?
>> Doesn't the auto-relabel occur before other services are started up?  So
>> I'm not sure what I would actually do differently to follow this
>> suggestion...
> Ah, you are right, sorry. Well you might need to apply proper (httpd_)
> SELinux label for that file. At the time of creation?
> Maybe move it to another location where it will get automatic label for
> what you want?

Well the warning messages say that file_t files should *never* get 
created if the filesystem is labeled properly.  So I didn't think it was 
just a matter of creating files where the default filetype would be 
different, because the default filetype should not be file_t anywhere.

I could create a world-writable directory somewhere else and have all 
the scripts write to that but it would be a pain to re-write and re-test 
everything as a workaround for this one bug...

Well, one other theory: /tmp is a different partition, right?  So maybe 
when I do
# touch /.autorelabel
# reboot

it's only re-labeling the / partition and not the /tmp one?  
Unfortunately in that case I don't know how to make it re-label the /tmp 
filesystem as well.  I tried creating /tmp/.autorelabel and rebooting, 
but that didn't work; /tmp/hostname_SKYSLICE.INFO and other files still 
had type file_t.

Bennett
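The check the thread keeps coming back to, as an added example rather than anything posted by the list members: scan an `ls -Z` style listing for entries whose SELinux type is file_t (the type that should never appear on a correctly labeled filesystem) so a separate mount such as /tmp can be relabeled explicitly instead of relying on the boot-time /.autorelabel pass. The listing embedded below is constructed sample data, and the hostname file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): flag file_t entries in an ls -Z listing.
# On a live CentOS host the listing would come from:  ls -Z /tmp
# Here it is a constructed sample so the script runs anywhere.
SAMPLE_LISTING='-rw-r--r--. apache apache unconfined_u:object_r:file_t:s0 /tmp/hostname_EXAMPLE.TEST
-rw-r--r--. apache apache system_u:object_r:httpd_tmp_t:s0 /tmp/hostname_OTHER.TEST
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp'

# Read an ls -Z listing on stdin and print the path of every entry whose
# SELinux type (third colon-separated field of the context) equals $1.
# The context field is located by its object_r role so the function works
# whether ls prints "perms owner group context name" or "context name".
find_type() {
  awk -v want="$1" '{
    for (i = 1; i < NF; i++) {
      n = split($i, ctx, ":")
      if (n >= 3 && ctx[2] == "object_r" && ctx[3] == want) { print $NF; break }
    }
  }'
}

# Number of file_t entries in the constructed sample (0 is the healthy state).
count_file_t() {
  printf '%s\n' "$SAMPLE_LISTING" | find_type file_t | wc -l | tr -d ' '
}

# Remedy for a mount that the boot-time relabel did not cover: relabel that
# tree directly from the loaded policy, verbosely, e.g.
#   restorecon -Rv /tmp
# then re-run the scan above and expect count_file_t to report 0.
```

Only files that still show file_t after `restorecon -Rv` on the mount point indicate a deeper problem with the file-context definitions rather than a missed relabel.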