Re: denied despite allow rule

On Apr 2, 2012, at 11:43 AM, Daniel J Walsh wrote:


On 04/02/2012 10:42 AM, Maria Iano wrote:
I'm confused about a situation where I'm getting denied avc messages even
though there is an allow rule in place. What am I missing?

This is on RHEL 5.8 using the targeted policy. Here's an example. I have
this avc message from this morning:

type=AVC msg=audit(1333372681.227:20002): avc: denied { append } for pid=3480 comm="vsftpd"
path="/LTS/eng-ng/snip/2012/03/20/STORY_Letters_for_Sun._3-4_1_66_610389Z/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR.xml"
dev=dm-8 ino=227640612 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file

but when I do sesearch it shows a matching allow rule:

# sesearch -s ftpd_t -t public_content_t -c file -p append -a
Found 1 av rules:
   allow ftpd_t public_content_t : file { ioctl read write create getattr setattr lock append unlink link rename };

Found 5 role allow rules:
   allow system_r sysadm_r ;
   allow user_r sysadm_r ;
   allow user_r system_r ;
   allow sysadm_r user_r ;
   allow sysadm_r system_r ;

Thanks for any help you can give, Maria

-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux

If you want to make this work, you should label the content as
public_content_rw_t and then turn on allow_ftpd_anon_write boolean.

/SHARING

I actually already had those two in place (the boolean on and the files set to public_content_rw_t). What had happened was that at some point new file context rules had been generated for the relevant files and directories in file_context.homedirs and some of them were more specific than my custom rules.

I'm not sure why this didn't trip me up before. My guess is that the file_context.homedirs was generated some time after the server had been up and running for a while, because some older directories and files did have my customized contexts despite the more specific rules in file_context.homedirs.

For the moment, I have resolved the problem by creating more specific rules using semanage and running fixfiles, and I'm no longer getting denials. What I'm concerned about is how do I keep an eye out for this in the future?

Thanks!
Maria

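One way to watch for this kind of drift, added here as an example and not part of the thread: run restorecon in dry-run mode (-n, nothing is relabeled) over the tree and flag every file whose label policy would now move away from the type you intended. The parser assumes the two verbose-output line shapes restorecon has used ("restorecon reset PATH context A->B" and the newer "Relabeled PATH from A to B"); the sample output is constructed, not captured from a real host.

```python
import re
import subprocess
from typing import List, Tuple

# Assumption: these are the two verbose line formats restorecon emits.
_LINE_RES = (
    re.compile(r"^restorecon reset (?P<path>.+?) context (?P<old>\S+)->(?P<new>\S+)$"),
    re.compile(r"^Relabeled (?P<path>.+?) from (?P<old>\S+) to (?P<new>\S+)$"),
)


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def find_shadowed(dry_run_output: str, expected_type: str) -> List[Tuple[str, str, str]]:
    """Return (path, current_type, policy_type) for each file that a relabel
    would move *away* from expected_type. Such a path means a file_contexts
    entry (e.g. a regenerated file_contexts.homedirs rule) now wins over the
    custom rule, and the next fixfiles/restorecon run would undo the label."""
    hits = []
    for line in dry_run_output.splitlines():
        for rx in _LINE_RES:
            m = rx.match(line)
            if m:
                policy_type = context_type(m["new"])
                if policy_type != expected_type:
                    hits.append((m["path"], context_type(m["old"]), policy_type))
                break
    return hits


def check_tree(root: str, expected_type: str) -> List[Tuple[str, str, str]]:
    """Dry-run restorecon over root (labels are not changed) and report drift."""
    proc = subprocess.run(["restorecon", "-nvR", root],
                          capture_output=True, text=True, check=False)
    return find_shadowed(proc.stdout, expected_type)


# Constructed sample of dry-run output (not from a real system).
SAMPLE = """\
restorecon reset /LTS/eng-ng/snip/2012/03/20/story.xml context system_u:object_r:public_content_rw_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /LTS/eng-ng/other.xml context system_u:object_r:unlabeled_t:s0->system_u:object_r:public_content_rw_t:s0
"""

if __name__ == "__main__":
    for path, current, policy in find_shadowed(SAMPLE, "public_content_rw_t"):
        print(f"{path}: labelled {current}, policy now says {policy}")
```

Only the first sample line is reported: the second would relabel an unlabeled file to the intended type, which is the desired outcome, not drift.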


