denied despite allow rule
Daniel J Walsh
dwalsh at redhat.com
Mon Apr 2 15:41:55 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/02/2012 10:42 AM, Maria Iano wrote:
> I'm confused about a situation where I'm getting denied avc messages even
> though there is an allow rule in place. What am I missing?
>
> This is on RHEL 5.8 using the targeted policy. Here's an example. I have
> this avc message from this morning:
>
> type=AVC msg=audit(1333372681.227:20002): avc: denied { append } for
> pid=3480 comm="vsftpd"
> path="/LTS/eng-ng/snip/2012/03/20/STORY_Letters_for_Sun._3-4_1_66_610389Z/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR.xml"
>
>
dev=dm-8 ino=227640612 scontext=system_u:system_r:ftpd_t:s0
> tcontext=system_u:object_r:public_content_t:s0 tclass=file
>
> but when I do sesearch it shows a matching allow rule:
>
> # sesearch -s ftpd_t -t public_content_t -c file -p append -a Found 1 av
> rules: allow ftpd_t public_content_t : file { ioctl read write create
> getattr setattr lock append unlink link rename };
>
> Found 5 role allow rules: allow system_r sysadm_r ; allow user_r sysadm_r
> ; allow user_r system_r ; allow sysadm_r user_r ; allow sysadm_r system_r
> ;
>
> Thanks for any help you can give, Maria
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
sesearch -A -s ftpd_t -t public_content_t -c file -p append -C
Found 1 semantic av rules:
DT allow ftpd_t non_security_file_type : file { ioctl read write create
getattr setattr lock append unlink link rename open } ; [ allow_ftpd_full_access ]
Always use the -C to show you if this is allowed or denied via a boolean.
In this case you need to turn on the allow_ftpd_full_access boolean.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk95yMMACgkQrlYvE4MpobNI9gCdGT/Uo9fkuyi5OWNhylW4gpUB
wZkAnR5MtS02w/zCAjT5OIVb4jTYLj+H
=nYfg
-----END PGP SIGNATURE-----
More information about the selinux
mailing list