SELinux: avc: denied { associate }
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 21 16:35:15 UTC 2013
On 01/21/2013 04:13 AM, Dominick Grift wrote:
> On Fri, 2013-01-18 at 20:48 +0000, Napoleon Quashie wrote:
>> This has been "doing my head in" as the British will say. I've been
>> battling it for days now. A post to Fedora forums and irc hasn't helped.
>> You guys are my last resort. It goes like so:
>>
>
> I am not sure what you are trying to achieve here.
>
> httpd_sys_content_t is a file type and not a file system type
>
> Did you specify the following and if so, why?
>
> auto context="system_u:object_r:httpd_sys_content_t:s0"
>
>> type=AVC msg=audit(1358529889.481:315): avc: denied { associate } for
>> pid=1522 comm="httpd" name="access.log"
>> scontext=system_u:object_r:httpd_sys_rw_content_t:s0
>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=filesystem
>>
>> Was caused by:
>>     Unknown - would be allowed by active policy
>>     Possible mismatch between this policy and the one under which the
>>     audit message was generated.
>>
>>     Possible mismatch between current in-memory boolean settings vs.
>>     permanent ones.
>> ------------------------------------------------------------------------------------------------
>>
>> <VirtualHost *:80>
>>     ServerAdmin webmaster@localhost
>>     ServerName lab.dev
>>
>>     DocumentRoot /shared/www/lab/public
>>
>>     <Directory /shared/www/lab/public/>
>>         Options Indexes FollowSymLinks
>>         AllowOverride All
>>         Order allow,deny
>>         Allow from all
>>     </Directory>
>>
>>     # Custom log file locations
>>     LogLevel warn
>>     ErrorLog /shared/www/lab/logs/error.log
>>     CustomLog /shared/www/lab/access.log combined
>>
>> </VirtualHost>
>> ------------------------------------------------------------------------------------------
>>
>> /etc/fstab
>> ----------
>> #
>> # /etc/fstab
>> # Created by anaconda on Tue Jan 15 21:01:00 2013
>> #
>> # Accessible filesystems, by reference, are maintained under '/dev/disk'
>> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
>> #
>> /dev/mapper/fedora-root                   /        ext4 defaults 1 1
>> UUID=f92ec976-f49c-496d-be24-2bd7391eec2e /boot    ext4 defaults 1 2
>> /dev/mapper/fedora-home                   /home    ext4 defaults 1 2
>> /dev/mapper/fedora-swap                   swap     swap defaults 0 0
>> /dev/disk/by-uuid/E0D8317FD83154CE        /windows auto nosuid,nodev,nofail,x-gvfs-show,x-gvfs-name=Windows 0 0
>> /dev/disk/by-uuid/D0D6BF93D6BF7874        /shared  auto context="system_u:object_r:httpd_sys_content_t:s0" 0 0
>> =======================================================================================================
>>
>> /shared is an ntfs partition and /shared/www/public is the root of the
>> site lab.dev
>>
>> Thanks for any assistance.
>>
>>
>> --
>> selinux mailing list selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
Yes this looks like he mounted a file system with a specific type and then is
trying to associate a type to that type. Which maybe we should allow by default.

allow file_type self:filesystem associate;

Having tools like cp -a fail seems a little silly here.