back to svn]

Dominick Grift dominick.grift at gmail.com
Fri Nov 15 16:06:43 UTC 2013


On Fri, 2013-11-15 at 10:46 -0500, m.roth at 5-cent.us wrote:

> Good thought. NOW I'm *really* confused.
> ll -Z of the file gives me
> -rw-r--r--. <user> <group> system_u:system_r:httpd_sys_content_t:s0 <file>
> 
> Meanwhile,
> grep avc /var/log/audit/audit.log | grep <filename>
> gets me:
> <...>
> type=AVC msg=audit(1384527075.382:7606586): avc:  denied  { read } for 
> pid=1329 comm="httpd" name="<filename>" dev=sdc1 ino=66691074
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> 
> "Unlabeled_t"?

You should probably watch some of my videos on YouTube (1)

Because in some of those videos I explain what it means if you see
entities with the unlabeled_t type security identifier

But I will give you a run-down of it here:

There is this concept of "initial security identifiers" in SELinux.
Initial security identifiers are security identifiers that are
hard-coded into SELinux

Initial security identifiers are used to address three security
challenges:

1. deal with system initialization
2. deal with fixed resources
3. deal with fail-over

I will touch on the third challenge, because this is related to your
issue

Basically, SELinux uses initial sids for fail-over because:

SELinux needs a way to deal with mislabeled, and unlabeled files on
running systems.

The unlabeled initial sid is associated to entities by SELinux if an
entity has one or more invalid security identifiers

The unlabeled_t security identifier is associated to the unlabeled
initial security identifier

So let's put that into context of your issue

You have the following denial:

> avc:  denied  { read } for 
> pid=1329 comm="httpd" name="<filename>" dev=sdc1 ino=66691074
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

You have the "<filename>" file labeled as follows:

system_u:system_r:httpd_sys_content_t:s0

We know that SELinux associates the unlabeled_t security identifier to
entities if the entity has one or more invalid security identifiers

So we know the file has one or more invalid security identifiers

The invalid security identifier in this case is the system_r role
security identifier.

On file system objects like files only the object_r role security
identifier is valid (if you want to know why, watch my "selinux
explained" video on YouTube (1))

So to get rid of the unlabeled_t issue you need to change the role
security identifier of the file called "<filename>"

for example: chcon -r object_r "<filename>"

And remember, on file system objects the role sid should always be
object_r

(1) https://www.youtube.com/watch?v=1Jqcp3EhaqQ
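The reasoning above can be turned into a small check: parse the file's stored context, flag a role other than object_r on a file object, and correlate that with an AVC record whose target is unlabeled_t. This is an added example, not code from the thread or from the SELinux project; the listing and AVC line below are constructed from the thread with a placeholder file name.

```python
import re

# Constructed sample input modelled on the thread; "index.html" is a placeholder.
LS_Z_OUTPUT = "-rw-r--r--. apache apache system_u:system_r:httpd_sys_content_t:s0 index.html"
AVC_LINE = ('type=AVC msg=audit(1384527075.382:7606586): avc:  denied  { read } for '
            'pid=1329 comm="httpd" name="index.html" dev=sdc1 ino=66691074 '
            'scontext=unconfined_u:system_r:httpd_t:s0 '
            'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file')

# user:role:type[:level]; the level may itself contain colons (MLS ranges).
CONTEXT_RE = re.compile(r"^([^:]+):([^:]+):([^:]+)(?::(.+))?$")

def parse_context(ctx):
    """Split a security context string into its user, role, type and level parts."""
    m = CONTEXT_RE.match(ctx)
    if not m:
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, type_, level = m.groups()
    return {"user": user, "role": role, "type": type_, "level": level}

def context_from_ls_z(line):
    """Pick the context field out of an 'ls -Z' style line (the token with 2+ colons)."""
    return next(tok for tok in line.split() if tok.count(":") >= 2)

def file_context_problems(ctx):
    """Reasons a stored file context is invalid; on files only object_r is a valid role."""
    c = parse_context(ctx)
    problems = []
    if c["role"] != "object_r":
        problems.append(f"role {c['role']} is invalid on a file object; only object_r is valid")
    return problems

def parse_avc(line):
    """Extract key=value fields from an AVC record, stripping quotes from values."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in fields}

def explain_denial(avc_line, on_disk_ctx):
    """Correlate an unlabeled_t file denial with the context actually stored on disk."""
    avc = parse_avc(avc_line)
    if avc.get("tclass") != "file":
        return None
    if parse_context(avc["tcontext"])["type"] != "unlabeled_t":
        return None
    return {"file": avc["name"],
            "problems": file_context_problems(on_disk_ctx),
            "fix": f'chcon -r object_r "{avc["name"]}"'}

if __name__ == "__main__":
    print(explain_denial(AVC_LINE, context_from_ls_z(LS_Z_OUTPUT)))
```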