[CentOS] SELinux and access across 'similar types'

Tue Jan 10 13:47:25 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2012 08:37 AM, Bennett Haselton wrote:
> On 1/9/2012 8:05 PM, Marko Vojinovic wrote:
>> On Monday 09 January 2012 15:29:59 Daniel J Walsh wrote:
>>> file_t means the file has no label, so the only way to create
>>> this type of file would be to remove the security attributes on
>>> the file. On an SELinux system, file_t should never be created,
>>> they are only created on a disabled SELinux system.  I guess
>>> you could try to use chcon -t file_t on a file, but I believe
>>> the kernel will block that. Or you could attempt to delete the
>>> SELinux label, but that might also be denied.
>> Ok, now I think I understand. The OP has stale files in /tmp
>> which are not labelled, due to not purging /tmp on reboot.
>> SELinux doesn't know how these files should be labelled, so it
>> doesn't even try, and gives them the type file_t, which is a
>> synonym for "this file doesn't have a type".
>> 
>> So the answer for the OP is to use chcon on this file to label it
>> somehow. If that doesn't work, he should delete the file and
>> recreate it (while SELinux is active), so that it gets properly
>> labelled.
> 
> OK, I did delete the files in the /tmp/ directory, and as the
> running apache process re-created them, it created them with the
> correct type:
> 
> [root at g6950-21025 tmp]# ls -lZ *
> -rw-r--r--  apache apache system_u:object_r:httpd_sys_script_rw_t hostname_ICECOOK.INFO
> -rw-r--r--  apache apache system_u:object_r:httpd_sys_script_rw_t hostname_LAZYFROG.INFO
> etc.
> 
> So the documentation is missing something about clearing files out
> of /tmp/ (or they won't get relabeled properly and processes won't
> be able to access them under SELinux), but at least it's working
> now.
> 
> Bennett
> 
>> I learned something new today. :-) Thanks for the explanation!
>> 
>> Best, :-) Marko
>> 
>> 
>> _______________________________________________ CentOS mailing
>> list CentOS at centos.org 
>> http://lists.centos.org/mailman/listinfo/centos
> 


Now if only more people used RHEL we could further enhance the
products.  :^)


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8MQW0ACgkQrlYvE4MpobPciQCgoohOteHLbwzG1m9t5Okc3eFi
YZ0AoIVKKb3ckO9eKDKAiItfWl/XM4R5
=TqSo
-----END PGP SIGNATURE-----
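A small triage script for the situation discussed in the thread, added here as an example and not part of the original e-mail or of any Red Hat tooling. It reads `ls -lZ` output, picks out entries whose type is file_t (i.e. no SELinux label at all), and for each one emits a `chcon --reference` pointing at a correctly labeled file with the same owner, falling back to the fix the original poster used (delete the file and let the owning process recreate it under an enforcing SELinux) when no such sibling exists. The listing, the hostnames and the owner names are constructed sample data. One caveat a practitioner should know: `restorecon` does not help for files under /tmp, because the policy's file_contexts lists /tmp/.* as <<none>>, so it leaves those paths alone; that is also why `fixfiles relabel` offers to empty /tmp. Copying a sibling's context is a heuristic, not policy; check the resulting type against what the confined process actually needs (for example with the audit log and audit2allow) before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread above): triage file_t entries in an
# `ls -lZ` listing and emit a relabel command for each.
#
# The listing below is CONSTRUCTED to mirror the OP's /tmp (CentOS 5 style
# contexts, no MLS field).  Three entries still carry file_t, which is what
# happens when /tmp survives a reboot from a system that ran with SELinux
# disabled.  Columns: perms owner group context name.
LISTING='-rw-r--r--  apache apache system_u:object_r:httpd_sys_script_rw_t hostname_ICECOOK.INFO
-rw-r--r--  apache apache system_u:object_r:file_t hostname_LAZYFROG.INFO
-rw-r--r--  apache apache system_u:object_r:file_t hostname_OLDSITE.NET
srwxrwxrwx  mysql  mysql  system_u:object_r:file_t mysql.sock
-rw-r--r--  root   root   user_u:object_r:tmp_t notes.txt'

# context_type CONTEXT -> the type component (third colon-separated field).
# Works for both "user:role:type" and "user:role:type:level" contexts.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# unlabeled_files: read ls -lZ lines on stdin, print "OWNER NAME" for every
# entry whose type is file_t.
unlabeled_files() {
    while read -r perms owner group ctx name; do
        [ -n "$name" ] || continue
        if [ "$(context_type "$ctx")" = "file_t" ]; then
            printf '%s %s\n' "$owner" "$name"
        fi
    done
}

# reference_file OWNER: read ls -lZ lines on stdin, print the name of the
# first properly labeled entry with the same owner (the chcon --reference
# target).  Returns 1 when there is none.
reference_file() {
    while read -r perms owner group ctx name; do
        [ -n "$name" ] || continue
        if [ "$owner" = "$1" ] && [ "$(context_type "$ctx")" != "file_t" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# fix_commands: one line per file_t entry in LISTING.  restorecon is no use
# here because file_contexts marks /tmp/.* as <<none>>; with no labeled
# sibling to copy from, the clean fix is the OP's: remove the file and let
# its owning process recreate it while SELinux is enforcing.
fix_commands() {
    printf '%s\n' "$LISTING" | unlabeled_files | while read -r owner name; do
        if ref=$(printf '%s\n' "$LISTING" | reference_file "$owner"); then
            printf 'chcon --reference=%s %s\n' "$ref" "$name"
        else
            printf '# %s: no labeled sibling owned by %s; remove it and let the process recreate it\n' "$name" "$owner"
        fi
    done
}

# unlabeled_count: number of file_t entries in LISTING.
unlabeled_count() {
    printf '%s\n' "$LISTING" | unlabeled_files | wc -l | tr -d ' '
}

# Usage: print the suggested commands for the constructed listing.
fix_commands
```

Run it against real output with `ls -lZ /tmp | tail -n +2` in place of the constructed LISTING; review the emitted commands before executing any of them.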