
Daniel J Walsh dwalsh at redhat.com
Fri Nov 15 21:09:46 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/15/2013 11:28 AM, m.roth at 5-cent.us wrote:
> Dominick Grift wrote:
>> On Fri, 2013-11-15 at 10:46 -0500, m.roth at 5-cent.us wrote:
>> 
>>> Good thought. NOW I'm *really* confused. ll -Z of the file gives me 
>>> -rw-r--r--. <user> <group> system_u:system_r:httpd_sys_content_t:s0 
>>> <file>
>>> 
>>> Meanwhile, grep avc /var/log/audit/audit.log | grep <filename> gets
>>> me: <...> type=AVC msg=audit(1384527075.382:7606586): avc:  denied  {
>>> read } for pid=1329 comm="httpd" name="<filename>" dev=sdc1
>>> ino=66691074 scontext=unconfined_u:system_r:httpd_t:s0 
>>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>>> 
>>> "Unlabeled_t"?
>> 
>> You should probably watch some of my videos on youtube (1)
> 
> I'm not really big, most of the time, on instructional videos - I'd rather 
> read. This email was just what I needed.
>> 
>> Because in some of those videos I explain what it means if you see 
>> entities with the unlabeled_t type security identifier
>> 
>> But I will give you a run-down of it here:
>> 
>> There is this concept of "initial security identifiers" in SELinux. 
>> Initial security identifiers are security identifiers that are hard-coded
>> into SELinux
>> 
>> Initial security identifiers are used to address three security 
>> challenges:
>> 
>> 1. deal with system initialization
>> 2. deal with fixed resources
>> 3. deal with fail-over
>> 
>> I will touch on the third challenge, because this is related to your 
>> issue
>> 
>> Basically, SELinux uses initial sids for fail-over because:
>> 
>> SELinux needs a way to deal with mislabeled, and unlabeled files on 
>> running systems.
>> 
>> The unlabeled initial sid is associated with entities by SELinux if an
>> entity has one or more invalid security identifiers
> 
> And here's my complaint: why should it tell me that it's unlabeled_t, 
> rather than telling me "system_r is an invalid role"?
> 
> One more detail - I made a typo, and managed chcon -R -r system_u, rather 
> than -u... and chcon accepted it. Isn't there any parm checking, to match 
> what you're changing to the context?
> 
> Thanks, again, for the clear explanation.
> 
> mark
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
I have a request in to the kernel guys to give us the real label in the AVC, so
we could have setroubleshoot attempt to tell you what is wrong. Currently the
kernel gives you unlabeled_t no matter what.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlKGjZoACgkQrlYvE4MpobPj0ACfaBcEZslHZ/Rx5J10/129XLr4
bpAAn2Tr3gKCtorU80SmnPfB2gW2ejHy
=gC+X
-----END PGP SIGNATURE-----
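The triage Dominick and Dan describe, as an added example that is not code from any of the posts above: parse the AVC record into fields, split the on-disk context into user:role:type:level, and flag the two mislabelings this thread turns on, a user identifier written into the role slot (the `chcon -r` versus `-u` typo) and a non-object_r role on a file. The `_u`/`_r`/`_t` suffix checks are the reference-policy naming convention, not a kernel rule; the loaded policy is the only authority, and `validate_against_policy()` asks it through `/sys/fs/selinux/context` when that file exists (an assumption: a running SELinux kernel with permission to write there; otherwise it returns None). The sample AVC line is the one quoted in the thread, with its `<filename>` placeholder kept as posted.

```python
"""Triage an AVC denial whose target is reported as unlabeled_t.

Added example for this thread, not code from the list posts. The kernel
substitutes the unlabeled initial SID whenever a file's stored label does
not validate under the loaded policy, so the AVC never shows the bad label;
this script points the reader back at the on-disk context and lints it.
"""
import errno
import os
import re

# key=value pairs in an audit record; values are quoted (comm="httpd") or bare.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Inode-backed object classes; every such object should carry role object_r.
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file",
                "sock_file", "fifo_file"}

# AVC line as quoted in the thread (placeholders kept as posted).
SAMPLE_AVC = ('type=AVC msg=audit(1384527075.382:7606586): avc:  denied  { read } '
              'for pid=1329 comm="httpd" name="<filename>" dev=sdc1 ino=66691074 '
              'scontext=unconfined_u:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file')


def parse_avc(line):
    """Return the key=value fields of one AVC line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def split_context(ctx):
    """Split 'user:role:type[:level]' into a dict.

    The MLS/MCS level may itself contain ':' (e.g. s0-s0:c0.c1023), so the
    string is split on at most three separators.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def lint_context(ctx, tclass="file"):
    """Return a list of problems found in ctx by naming-convention checks.

    These are heuristics based on reference-policy naming (_u/_r/_t) and on
    the fact that inode-backed objects carry object_r; only the loaded policy
    can say for certain whether a context is valid.
    """
    c = split_context(ctx)
    problems = []
    if c["role"].endswith("_u"):
        problems.append("role field '%s' looks like a user identifier: "
                        "chcon -r used where -u was meant?" % c["role"])
    elif tclass in FILE_CLASSES and c["role"] != "object_r":
        problems.append("file object carries role '%s'; files use object_r, "
                        "and type '%s' is unlikely to be authorized for that "
                        "role" % (c["role"], c["type"]))
    if not c["user"].endswith("_u"):
        problems.append("user field '%s' does not follow the _u convention" % c["user"])
    if not c["type"].endswith("_t"):
        problems.append("type field '%s' does not follow the _t convention" % c["type"])
    return problems


def validate_against_policy(ctx):
    """Ask the kernel whether ctx is valid under the loaded policy.

    Writing a context to /sys/fs/selinux/context runs the same validation the
    kernel applies to on-disk labels; EINVAL means the context is invalid and
    the object would be reported as unlabeled_t. Returns True or False, or
    None when there is no SELinux filesystem or the write is not permitted.
    """
    path = "/sys/fs/selinux/context"
    if not os.path.exists(path):
        return None
    try:
        with open(path, "w") as f:
            f.write(ctx)
        return True
    except OSError as e:
        return False if e.errno == errno.EINVAL else None


def triage(avc_line, on_disk_context=None):
    """Explain an unlabeled_t denial; returns a list of findings (strings)."""
    f = parse_avc(avc_line)
    tctx = split_context(f["tcontext"])
    if tctx["type"] != "unlabeled_t":
        return ["target is %s, not unlabeled_t: ordinary policy denial" % f["tcontext"]]
    findings = ["kernel reported the target as unlabeled_t: the label on dev=%s "
                "ino=%s is missing or invalid under the loaded policy, and the "
                "AVC does not carry the real on-disk label"
                % (f.get("dev"), f.get("ino"))]
    if on_disk_context:
        findings.extend(lint_context(on_disk_context, f.get("tclass", "file")))
        verdict = validate_against_policy(on_disk_context)
        if verdict is False:
            findings.append("kernel rejects '%s' as invalid" % on_disk_context)
        elif verdict is True:
            findings.append("kernel accepts '%s'; confirm the denied inode is the "
                            "file you inspected (ls -i)" % on_disk_context)
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_AVC, "system_u:system_r:httpd_sys_content_t:s0"):
        print(line)
```

Feed it the AVC line from `ausearch -m avc` and the context from `ls -Z` of the same file; a `chcon` typo that put `system_u` in the role slot shows up as the first lint finding, and a `system_r` role on a file as the second. `restorecon -v` on the file remains the fix for either.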