[CentOS] SELinux and access across 'similar types'

Mon Jan 9 20:24:28 UTC 2012
Tony Molloy <tony.molloy at ul.ie>

On Monday 09 January 2012 20:00:29 Marko Vojinovic wrote:
> On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
> > SELinux has no idea what the labels are in /tmp, so restorecon
> > will not change the labels.  It would be best to just remove the
> > content from /tmp and allow new content to be created.  If you
> > want the content to be accessible from apache, you could change
> > it to httpd_tmp_t
> > 
> > chcon -t httpd_tmp_t /tmp/PATH
> 
> But isn't there a policy for default labelling of arbitrary files
> put in /tmp? I mean, when apache puts a file in /tmp, it should be
> labelled *somehow*, according to the rules for apache and/or the
> /tmp directory, right? This should happen in both enforcing and
> permissive modes.
> 
> So is the default type label for such a case file_t? If it is, it's
> a bug, since SELinux would deny subsequent access to that file,
> per policy, right?
> 
> If I understood the OP correctly, he enabled SELinux (into
> permissive mode), relabeled the whole filesystem, rebooted several
> times, and after all that apache creates a file in /tmp with a
> label file_t. AFAIK, this should *never* happen, with the default
> policy.
> 

Exactly as I thought. If I touch a file or cp a file into /tmp then it's 
labelled as tmp_t not file_t. On the other hand if I mv a file in it 
retains its original type. So how could a file created in /tmp get a 
file_t type?

That's why I asked the OP to delete the file and run the script which 
creates the file by hand.

Tony
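As an added example that is not part of the thread, the following POSIX shell script reproduces the touch/cp/mv experiment Tony describes and classifies each resulting label the way Dan Walsh's advice implies (tmp_t or httpd_tmp_t is usable by apache, file_t means the file is unlabeled); the scratch paths, function names and outcome words are my own, and on a host without SELinux `stat` reports `?`, which the script passes through rather than misreporting.

```shell
#!/bin/sh
# Added example (not from the mailing list): reproduce the touch/cp/mv
# labelling experiment under /tmp and flag files that ended up as file_t.

# Extract the SELinux type (third field) from a full security context,
# e.g. "unconfined_u:object_r:tmp_t:s0" -> "tmp_t".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read a path's context. Without SELinux, stat prints "?" (or fails),
# so callers can tell "no SELinux here" from "unlabeled".
file_context() {
    stat -c '%C' "$1" 2>/dev/null || printf '?\n'
}

# Classify a context string (outcome names are constructed for this demo):
#   tmp_t / httpd_tmp_t -> fine for the case in the thread
#   file_t              -> unlabeled: restorecon won't fix /tmp, so delete the
#                          file or chcon -t httpd_tmp_t it, as Dan suggested
#   ?                   -> no SELinux on this host
#   anything else       -> the mv case: label carried over from the source
classify() {
    case "$(selinux_type "$1")" in
        tmp_t|httpd_tmp_t) echo ok ;;
        file_t)            echo unlabeled ;;
        '?')               echo no_selinux ;;
        *)                 echo carried_over ;;
    esac
}

# Run the experiment in a scratch directory under /tmp and report each file.
demo() {
    d=$(mktemp -d /tmp/seldemo.XXXXXX) || return 1
    : > "$d/touched"                                     # created in place
    cp /etc/passwd "$d/copied" 2>/dev/null || : > "$d/copied"  # new inode in /tmp
    src=$(mktemp) && mv "$src" "$d/moved"                # mv keeps the old label
    for f in touched copied moved; do
        ctx=$(file_context "$d/$f")
        printf '%-8s %-40s %s\n' "$f" "$ctx" "$(classify "$ctx")"
    done
    rm -rf "$d"
}

demo
```

On an SELinux host the `moved` line is where a label other than tmp_t shows up, and any `unlabeled` result is the file_t case the thread is chasing.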