denied despite allow rule
Maria Iano
maria at iano.org
Fri Apr 6 16:53:42 UTC 2012
On Apr 2, 2012, at 11:43 AM, Daniel J Walsh wrote:
> On 04/02/2012 10:42 AM, Maria Iano wrote:
>> I'm confused about a situation where I'm getting denied avc messages
>> even though there is an allow rule in place. What am I missing?
>>
>> This is on RHEL 5.8 using the targeted policy. Here's an example. I
>> have this avc message from this morning:
>>
>> type=AVC msg=audit(1333372681.227:20002): avc: denied { append } for
>> pid=3480 comm="vsftpd"
>> path="/LTS/eng-ng/snip/2012/03/20/STORY_Letters_for_Sun._3-4_1_66_610389Z/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR.xml"
>> dev=dm-8 ino=227640612 scontext=system_u:system_r:ftpd_t:s0
>> tcontext=system_u:object_r:public_content_t:s0 tclass=file
>>
>> but when I do sesearch it shows a matching allow rule:
>>
>> # sesearch -s ftpd_t -t public_content_t -c file -p append -a
>> Found 1 av rules:
>> allow ftpd_t public_content_t : file { ioctl read write create getattr setattr lock append unlink link rename };
>>
>> Found 5 role allow rules:
>> allow system_r sysadm_r ;
>> allow user_r sysadm_r ;
>> allow user_r system_r ;
>> allow sysadm_r user_r ;
>> allow sysadm_r system_r ;
>>
>> Thanks for any help you can give, Maria
>>
>> -- selinux mailing list selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> If you want to make this work, you should label the content as
> public_content_rw_t and then turn on allow_ftpd_anon_write boolean.
>
> /SHARING
I actually already had those two in place (the boolean on and the
files set to public_content_rw_t). What had happened was that at some
point new file context rules had been generated for the relevant files
and directories in file_contexts.homedirs and some of them were more
specific than my custom rules.

I'm not sure why this didn't trip me up before. My guess is that the
file_contexts.homedirs was generated some time after the server had
been up and running for a while, because some older directories and
files did have my customized contexts despite the more specific rules
in file_contexts.homedirs.

For the moment, I have resolved the problem by creating more specific
rules using semanage and running fixfiles, and I'm no longer getting
denials. What I'm concerned about is how do I keep an eye out for this
in the future?
Thanks!
Maria
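The question at the end of the thread is how to notice this kind of labelling drift before a daemon starts getting denials. The script below is an added example, not something posted in the thread or shipped with the policy. It contains two shell functions: one lists every spec in a file_contexts-style file whose path regex starts under a given prefix (so you can see when genhomedircon has emitted entries that overlap a custom rule), and the other turns the output of a dry-run `restorecon -nv` into a list of files whose expected type is not the one you intend. The file_contexts fragment and the restorecon report embedded in the script are constructed samples; on a real system you would feed the functions `/etc/selinux/targeted/contexts/files/file_contexts.homedirs` and the output of `restorecon -nv -R <dir>`. The path `/LTS/eng-ng` and the type `public_content_rw_t` are taken from the thread; the `user_home_t` entries in the sample are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for SELinux file-context drift.
# Both functions read their input from stdin so they can be tested offline.

# Print every spec whose path regex begins with the literal prefix $1.
# Spec lines look like:  <path regex> [<file type flag>] <context>
# Comment lines and blank lines are skipped.
overlapping_specs() {
    prefix=$1
    awk -v p="$prefix" '
        NF == 0 || $1 ~ /^#/ { next }
        index($1, p) == 1    { print }
    '
}

# Read "restorecon -nv" output and print "<path> <current>-><expected>" for every
# file whose expected type differs from $1 (the type you intend those files to
# carry). Dry-run lines have the form:
#   restorecon reset <path> context <current>-><expected>
# A clean tree prints nothing. Paths containing spaces are not handled here.
unexpected_relabels() {
    wanted_type=$1
    awk -v want="$wanted_type" '
        $1 == "restorecon" && $2 == "reset" && $4 == "context" {
            split($5, ctx, "->")             # ctx[1] = current, ctx[2] = expected
            split(ctx[2], parts, ":")        # user:role:type:level
            if (parts[3] != want) print $3, ctx[1] "->" ctx[2]
        }
    '
}

# Constructed sample of a file_contexts.homedirs fragment. genhomedircon emits a
# block per home-directory base, including bases outside /home when an account
# has its home there (assumed here for the example).
SAMPLE_HOMEDIRS='# generated by genhomedircon
/home/[^/]*/.+    system_u:object_r:user_home_t:s0
/LTS/eng-ng/[^/]*/.+    system_u:object_r:user_home_t:s0
/LTS/eng-ng/[^/]*    -d    system_u:object_r:user_home_dir_t:s0
'

# Constructed sample of "restorecon -nv -R /LTS/eng-ng" output: the first file
# would be relabelled away from the intended type, the second toward it.
SAMPLE_REPORT='restorecon reset /LTS/eng-ng/snip/a.xml context system_u:object_r:public_content_rw_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /LTS/eng-ng/snip/b.xml context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0
'

# Helpers that return counts so the checks can be asserted on.
count_overlaps() {
    printf '%s' "$SAMPLE_HOMEDIRS" | overlapping_specs "$1" | wc -l | tr -d ' '
}
count_unexpected() {
    printf '%s' "$SAMPLE_REPORT" | unexpected_relabels "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed samples. On a live system replace the
# printf pipelines with, e.g.:
#   overlapping_specs /LTS/eng-ng < /etc/selinux/targeted/contexts/files/file_contexts.homedirs
#   restorecon -nv -R /LTS/eng-ng | unexpected_relabels public_content_rw_t
echo "homedirs specs overlapping /LTS/eng-ng:"
printf '%s' "$SAMPLE_HOMEDIRS" | overlapping_specs /LTS/eng-ng
echo "files restorecon would move away from public_content_rw_t:"
printf '%s' "$SAMPLE_REPORT" | unexpected_relabels public_content_rw_t
```

Running the two checks from cron and mailing any non-empty output gives an early warning that a regenerated file_contexts.homedirs (or any other spec) now claims a tree you label by hand, before the next fixfiles or restorecon run changes the on-disk labels.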