[CentOS] SELinux and access across 'similar types'

Mon Jan 9 11:41:49 UTC 2012
Tony Molloy <tony.molloy at ul.ie>

On Sunday 08 January 2012 23:19:39 Bennett Haselton wrote:
> On 1/8/2012 7:28 AM, Ljubomir Ljubojevic wrote:
> > On 01/08/2012 03:15 PM, Bennett Haselton wrote:
> >> It's a file created by one of my CGI scripts.  (The web server
> >> is accessed by several hostnames which are dynamically assigned
> >> to it, and I need a quick way of determining all hostnames that
> >> were recently used to access the server.  So when someone
> >> accesses the server using HOSTNAME, the file
> >> /tmp/hostname_<hostname>   is created.  Then another script
> >> just pulls the names of all of those files in order to find all
> >> recently used hostnames.)
> >> 
> >>> My suggestion:
> >>> 
> >>> stop apache
> >>> run relabeling again (if file continues to exists)
> >>> start apache
> >>> check
> >> 
> >> Well when I was doing the relabeling I was doing:
> >> # touch /.autorelabel
> >> # reboot
> >> 
> >> So when I'm rebooting apache stops and starts anyway, doesn't
> >> it? Doesn't the auto-relabel occur before other services are
> >> started up?  So I'm not sure what I would actually do
> >> differently to follow this suggestion...
> > 
> > Ah, you are right, sorry. Well you might need to apply proper
> > (httpd_) SELinux label for that file. At the time of creation?
> > Maybe move it to another location where it will get automatic
> > label for what you want?
> 
> Well the warning messages say that file_t files should *never* get
> created if the filesystem is labeled properly.  So I didn't think
> it was just a matter of creating files where the default filetype
> would be different, because the default filetype should not be
> file_t anywhere.
> 
> I could create a world-writeable directory somewhere else and have
> all the scripts write to that but it would be a pain to re-write
> and re-test everything as a workaround for this one bug...
> 
> Well, one other theory: /tmp is a different partition, right?  So
> maybe when I do
> # touch /.autorelabel
> # reboot
> 
> it's only re-labeling the / partition and not the /tmp one?
> Unfortunately in that case I don't know how to make it re-label the
> /tmp filesystem as well.  I tried creating /tmp/.autorelabel and
> rebooting, but that didn't work; /tmp/hostname_SKYSLICE.INFO and
> other files still had type file_t.
> 
> Bennett
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

First I'm no SELinux expert ;-( but I've been following this thread 
with interest. It appears to be going around in circles.

The only time I've come across a file_t type is when I have something 
on a machine that SELinux doesn't know about. That is, SELinux has no 
policy for it. An example would be if I create a new top level 
directory when I install a machine. SELinux knows nothing about that 
directory name and has no preset type for it, so it gets a label of 
file_t or default_t. Doing a relabel in that case will have no effect on 
the file label as SELinux still doesn't have a policy for it.

So the question is how did your file get the file_t type in the first 
place. You say it is generated from a cgi script run from apache.

So is this the default apache which comes with CentOS?

What is the context of the apache executable? It should be
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd

Where in the filesystem is the cgi script located? How did it get 
there?

What is the context of the cgi script?

What is the context of the directory the cgi script is in?

What is the context of /tmp? It should be
drwxrwxrwt  root root system_u:object_r:tmp_t          /tmp

Regards 

Tony
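The check-list Tony gives above can be turned into a small script. The following is an added example, not code from the thread or from any of its participants: it reads each object's context with GNU `stat -c %C`, compares it with the expected types quoted in the message (httpd_exec_t for the binary, tmp_t for /tmp), and flags any object whose type is file_t or default_t, i.e. a path the loaded policy has no file-context rule for, which is exactly the case a relabel cannot fix. The CGI directory and script name are assumptions, since the thread never names them; the embedded sample lines are constructed so the verdict logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread: it runs the check-list above
# (httpd binary, CGI script, its directory, /tmp, the files the script
# creates) and flags any object whose SELinux type is file_t or default_t,
# i.e. a path for which the loaded policy has no file-context rule, so a
# relabel cannot change it. The CGI locations below are assumptions; the
# thread never names them.

# Type field of a context string "user:role:type[:level]"
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when the context's type means "no policy rule matched this path"
is_unlabeled() {
    case "$(selinux_type "$1")" in
        file_t|default_t|unlabeled_t) return 0 ;;
        *)                            return 1 ;;
    esac
}

# Verdict for one object: unlabeled | ok | mismatch:<type> | labeled:<type>
# $1 = context, $2 = expected type ("" when only the unlabeled check matters)
classify_context() {
    actual=$(selinux_type "$1")
    if is_unlabeled "$1"; then
        echo unlabeled
    elif [ -z "$2" ]; then
        echo "labeled:$actual"
    elif [ "$actual" = "$2" ]; then
        echo ok
    else
        echo "mismatch:$actual"
    fi
}

# Audit one path on a live system. GNU stat's %C prints the SELinux context
# (a lone '?' when the coreutils build or the kernel has no SELinux support).
audit_path() {
    if ctx=$(stat -c '%C' "$1" 2>/dev/null) && [ "$ctx" != '?' ]; then
        printf '%-14s %-40s %s\n' "$(classify_context "$ctx" "$2")" "$1" "$ctx"
    else
        printf '%-14s %s\n' nocontext "$1"
    fi
}

# The check-list from the message; expected types are the ones quoted there
audit_all() {
    audit_path /usr/sbin/httpd               httpd_exec_t
    audit_path /var/www/cgi-bin              httpd_sys_script_exec_t   # assumed directory
    audit_path /var/www/cgi-bin/hostname.cgi httpd_sys_script_exec_t   # assumed script name
    audit_path /tmp                          tmp_t
    for f in /tmp/hostname_*; do             # files the CGI script writes
        [ -e "$f" ] && audit_path "$f" ""    # only ask: labeled at all, or not?
    done
}

# Constructed sample in "context path" form so the verdict logic can be run
# offline; the last line reproduces the symptom reported in the thread.
SAMPLE='system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/hostname.cgi
system_u:object_r:tmp_t:s0 /tmp
system_u:object_r:file_t:s0 /tmp/hostname_SKYSLICE.INFO'

# Print the sample paths whose type means "no policy rule matched"
unlabeled_in_sample() {
    printf '%s\n' "$SAMPLE" | while read -r ctx path; do
        is_unlabeled "$ctx" && echo "$path"
    done
}

if [ "${1:-}" = --audit ]; then
    audit_all             # live check on an SELinux host
else
    unlabeled_in_sample   # offline demo: prints /tmp/hostname_SKYSLICE.INFO
fi
```

Run it with `--audit` on the affected host to print one row per object. A row reading `unlabeled` for a /tmp/hostname_* file while the /tmp row itself reads `ok` narrows the problem to the files the script creates rather than to the /tmp filesystem as a whole, which is the distinction Tony's questions are driving at; a `mismatch:` row on the httpd binary or the CGI script would instead point at the process that creates the files running in an unexpected domain.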