denied despite allow rule

Daniel J Walsh dwalsh at redhat.com
Mon Apr 2 15:41:55 UTC 2012



On 04/02/2012 10:42 AM, Maria Iano wrote:
> I'm confused about a situation where I'm getting denied avc messages even
> though there is an allow rule in place. What am I missing?
> 
> This is on RHEL 5.8 using the targeted policy. Here's an example. I have
> this avc message from this morning:
> 
> type=AVC msg=audit(1333372681.227:20002): avc:  denied  { append } for
> pid=3480 comm="vsftpd"
> path="/LTS/eng-ng/snip/2012/03/20/STORY_Letters_for_Sun._3-4_1_66_610389Z/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR.xml"
> dev=dm-8 ino=227640612 scontext=system_u:system_r:ftpd_t:s0
> tcontext=system_u:object_r:public_content_t:s0 tclass=file
> 
> but when I do sesearch it shows a matching allow rule:
> 
> # sesearch -s ftpd_t -t public_content_t -c file -p append -a
> Found 1 av rules:
>    allow ftpd_t public_content_t : file { ioctl read write create getattr setattr lock append unlink link rename };
> 
> Found 5 role allow rules:
>    allow system_r sysadm_r;
>    allow user_r sysadm_r;
>    allow user_r system_r;
>    allow sysadm_r user_r;
>    allow sysadm_r system_r;
> 
> Thanks for any help you can give, Maria
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

sesearch -A -s ftpd_t -t public_content_t -c file -p append -C
Found 1 semantic av rules:
DT allow ftpd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ allow_ftpd_full_access ]

Always use -C so it shows you whether the rule is allowed or denied via a boolean.

In this case you need to turn on the allow_ftpd_full_access boolean.
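As an added example (not code from the thread, from setools or from Red Hat), the script below automates the check Dan describes: it parses the AVC record and the setools 3 style `sesearch -A -C` output quoted above and reports whether the matching allow rule is active, gated by a boolean that is currently off, or missing altogether. It reads the two-letter prefix as E/D = rule currently enabled/disabled and T/F = rule sits in the true/false branch of the conditional printed in `[ ... ]`, and it goes one step beyond the thread by also handling the false-branch (DF) case and a compound expression. The sample AVC line (path abbreviated) and sesearch output are constructed from the thread; the rules are assumed to come from a sesearch query already scoped to the source type, target type and class, which is why an attribute target such as non_security_file_type is accepted as-is. Function and variable names are my own.

```python
import re

# Constructed sample input: the AVC denial quoted in the thread, reassembled onto
# one line (the long path is abbreviated here).
AVC_LINE = (
    'type=AVC msg=audit(1333372681.227:20002): avc:  denied  { append } for '
    'pid=3480 comm="vsftpd" path="/LTS/eng-ng/snip/.../IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR.xml" '
    'dev=dm-8 ino=227640612 scontext=system_u:system_r:ftpd_t:s0 '
    'tcontext=system_u:object_r:public_content_t:s0 tclass=file'
)

# Constructed sample output of `sesearch -A -C ...` in the setools 3 format shown in
# the reply.  Prefix: E/D = rule currently enabled/disabled, T/F = rule is in the
# true/false branch of the conditional expression given in [ ... ].
SESEARCH_OUTPUT = """Found 1 semantic av rules:
DT allow ftpd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ allow_ftpd_full_access ]
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)'
)
RULE_RE = re.compile(
    r'^(?:(?P<flags>[ED][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*'
    r'(?P<tclass>\S+)\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*;'
    r'(?:\s*\[\s*(?P<cond>.*?)\s*\])?\s*$'
)


def parse_avc(line):
    """Pull the denied permissions, source/target types and object class from an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scon").split(":")[2],   # user:role:type:level -> type
        "ttype": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
    }


def parse_sesearch(text):
    """Parse setools 3 `sesearch -A -C` output into rule dicts; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "flags": m.group("flags"),          # None for an unconditional rule
                "src": m.group("src"), "tgt": m.group("tgt"),
                "tclass": m.group("tclass"),
                "perms": set(m.group("perms").split()),
                "cond": m.group("cond"),            # boolean expression, or None
            })
    return rules


def diagnose(avc, rules):
    """Explain the denial given the rules sesearch returned for the same source,
    target and class.  Returns a dict with status, the gating expression and a fix."""
    for r in rules:
        # Only rules of the right class that cover every denied permission count.
        if r["tclass"] != avc["tclass"] or not avc["perms"] <= r["perms"]:
            continue
        if r["flags"] is None or r["flags"][0] == "E":
            return {"status": "allowed", "cond": r["cond"],
                    "fix": "rule is active; this denial was not caused by a boolean"}
        # Flags start with D: the rule exists but its conditional currently turns it off.
        # True branch -> the expression must become true; false branch -> false.
        wanted = "on" if r["flags"][1] == "T" else "off"
        if re.fullmatch(r'[A-Za-z0-9_]+', r["cond"]):
            fix = "setsebool -P %s %s" % (r["cond"], wanted)
        else:
            fix = "make the expression [ %s ] evaluate to %s" % (r["cond"], wanted == "on")
        return {"status": "conditional_disabled", "cond": r["cond"], "fix": fix}
    return {"status": "no_rule", "cond": None,
            "fix": "no allow rule covers these permissions; build a local module (audit2allow)"}


if __name__ == "__main__":
    result = diagnose(parse_avc(AVC_LINE), parse_sesearch(SESEARCH_OUTPUT))
    print(result["status"], "->", result["fix"])
```

On the thread's input this prints `conditional_disabled -> setsebool -P allow_ftpd_full_access on`, which is exactly the fix Dan gives; for a rule in the false branch it would tell you to turn the boolean off instead, and a compound expression is reported verbatim rather than guessed at. Plain `sesearch` without -C prints the same rule with no hint that it is gated, which is how the original question arose.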

