[CentOS] SELinux and access across 'similar types'

Mon Jan 9 12:06:04 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/9/2012 3:41 AM, Tony Molloy wrote:
> On Sunday 08 January 2012 23:19:39 Bennett Haselton wrote:
>> On 1/8/2012 7:28 AM, Ljubomir Ljubojevic wrote:
>>> On 01/08/2012 03:15 PM, Bennett Haselton wrote:
>>>> It's a file created by one of my CGI scripts.  (The web server
>>>> is accessed by several hostnames which are dynamically assigned
>>>> to it, and I need a quick way of determining all hostnames that
>>>> were recently used to access the server.  So when someone
>>>> accesses the server using HOSTNAME, the file
>>>> /tmp/hostname_<hostname>    is created.  Then another script
>>>> just pulls the names of all of those files in order to find all
>>>> recently used hostnames.)
>>>>
>>>>> My suggestion:
>>>>>
>>>>> stop apache
>>>>> run relabeling again (if file continues to exists)
>>>>> start apache
>>>>> check
>>>> Well when I was doing the relabeling I was doing:
>>>> # touch /.autorelabel
>>>> # reboot
>>>>
>>>> So when I'm rebooting apache stops and starts anyway, doesn't
>>>> it? Doesn't the auto-relabel occur before other services are
>>>> started up?  So I'm not sure what I would actually do
>>>> differently to follow this suggestion...
>>> Ah, you are right, sorry. Well you might need to apply the proper
>>> (httpd_) SELinux label for that file. At the time of creation?
>>> Maybe move it to another location where it will get an automatic
>>> label for what you want?
>> Well the warning messages say that file_t files should *never* get
>> created if the filesystem is labeled properly.  So I didn't think
>> it was just a matter of creating files where the default filetype
>> would be different, because the default filetype should not be
>> file_t anywhere.
>>
>> I could create a world-writeable directory somewhere else and have
>> all the scripts write to that but it would be a pain to re-write
>> and re-test everything as a workaround for this one bug...
>>
>> Well, one other theory: /tmp is a different partition, right?  So
>> maybe when I do
>> # touch /.autorelabel
>> # reboot
>>
>> it's only re-labeling the / partition and not the /tmp one?
>> Unfortunately in that case I don't know how to make it re-label the
>> /tmp filesystem as well.  I tried creating /tmp/.autorelabel and
>> rebooting, but that didn't work; /tmp/hostname_SKYSLICE.INFO and
>> other files still had type file_t.
>>
>> Bennett
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
> First I'm no SELinux expert ;-( but I've been following this thread
> with interest. It appears to be going around in circles.
>
> The only time I've come across a file_t type is when I have something
> on a machine that SELinux doesn't know about. That is SELinux has no
> policy for it. An example would be if I create a new top level
> directory when I install a machine. SELinux knows nothing about that
> directory name and has no preset type for it so it gets a label of
> file_t or default_t. Doing a relabel in that case will have no effect on
> the file label as SELinux still doesn't have a policy for it.
>
> So the question is how did your file get the file_t type in the first
> place. You say it is generated from a cgi script run from apache.
>
> So is this the default apache which comes with CentOS?
>
> What is the context of the apache executable. It should be
> -rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd
Yes that's what I've got.
> Where in the filesystem is the cgi script located? How did it get
> there?
>
> What is the context of the cgi script?
>
> What is the context of the directory the cgi script is in?
[root at g6950-21025 ~]# ls -lZ /var/www/cgi-bin/capture.cgi
-rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/capture.cgi
[root at g6950-21025 ~]# ls -ldZ /var/www/cgi-bin/
drwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/

The script got there because I uploaded it there.
> What is the context of /tmp? It should be
> drwxrwxrwt  root root system_u:object_r:tmp_t          /tmp
Yep.
[root at g6950-21025 ~]# ls -ldZ /tmp
drwxrwxrwt  root root system_u:object_r:tmp_t          /tmp
> Regards
>
> Tony
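An added example, not part of the thread and not CentOS or SELinux tooling, that mechanises the checks Tony is asking for: a small bash script that takes "CONTEXT PATH" lines (what `stat -c '%C %n'` or `ls -Z` print), pulls the type out of each context, flags the types that mean "policy put no label on this inode" (file_t, unlabeled_t, default_t, or `?`), and prints the `restorecon` command that would re-apply the policy default to each flagged path. The sample input is constructed from the contexts quoted above plus one file_t entry of the kind Bennett reports; it is not real system output, and the httpd_tmp_t line is an assumption about what a correctly labeled CGI-created file under /tmp looks like.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): triage SELinux file contexts for
# "no label" types. Input is "CONTEXT PATH" lines, e.g. from
#   find /tmp -exec stat -c '%C %n' {} +
# The sample at the bottom is constructed, not captured from a real host.

# Print the type field of a context. Contexts are user:role:type[:level];
# the level (s0, s0-s0:c0.c1023) is optional and may itself contain colons.
selinux_type() {
  local rest=${1#*:}          # strip user
  rest=${rest#*:}             # strip role
  printf '%s\n' "${rest%%:*}" # keep type, drop level if present
}

# Types that mean the policy assigned nothing to this inode:
#   file_t      - inode carries no SELinux xattr at all (never labeled)
#   unlabeled_t - the same situation under newer policies
#   default_t   - path matches no file_contexts entry (e.g. a new top-level dir)
#   ?           - what ls -Z prints when the kernel reports no context
is_unlabeled() {
  case $1 in
    file_t|unlabeled_t|default_t|'?') return 0 ;;
    *) return 1 ;;
  esac
}

# Read "CONTEXT PATH" lines on stdin; print "BAD type path" or "ok type path".
triage() {
  local ctx path type
  while read -r ctx path; do
    [ -n "$ctx" ] || continue
    type=$(selinux_type "$ctx")
    if is_unlabeled "$type"; then
      printf 'BAD  %-28s %s\n' "$type" "$path"
    else
      printf 'ok   %-28s %s\n' "$type" "$path"
    fi
  done
}

# Number of flagged entries (awk so an empty result prints 0, not a failure).
count_bad() {
  triage | awk '/^BAD/ { n++ } END { print n + 0 }'
}

# For each flagged entry, emit the command that re-applies the policy's
# default label for that path. Directories get -R so their contents
# (the /tmp/hostname_* files in the thread) are covered too.
fix_commands() {
  local ctx path type flag
  while read -r ctx path; do
    [ -n "$ctx" ] || continue
    type=$(selinux_type "$ctx")
    is_unlabeled "$type" || continue
    flag=-v
    if [ -d "$path" ]; then flag=-Rv; fi   # only meaningful on the affected host
    printf 'restorecon %s %s\n' "$flag" "$path"
  done
}

# Constructed sample: the three contexts quoted in the thread, one file_t
# entry of the kind Bennett reports, and one file carrying httpd_tmp_t
# (assumed here to be the label a CGI-created file under tmp_t should get).
SAMPLE='system_u:object_r:httpd_exec_t /usr/sbin/httpd
system_u:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/capture.cgi
system_u:object_r:tmp_t /tmp
system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO
system_u:object_r:httpd_tmp_t:s0 /tmp/sess_example'

printf '%s\n' "$SAMPLE" | triage
printf '%s\n' "$SAMPLE" | fix_commands
```

On the affected host the same functions can be fed live data with `find /tmp -exec stat -c '%C %n' {} + | triage`; the point of separating the check from the fix is that `restorecon -Rv /tmp` relabels the tree in place from the loaded policy's file_contexts, so a file_t result that survives it (as Bennett describes for the autorelabel reboot) tells you the policy has no default for that path, which is a different problem from a filesystem that was simply never labeled.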