Latest revision as of 16:43, 27 July 2020
Decision tree for diagnosing AVC Message signatures
== file_t | unlabeled_t ==
if tcontext.type = file_t --> touch /.autorelabel; reboot

This indicates you have a major labeling problem. When the SELinux kernel discovers a file that has no security context, it sets its label to file_t. Ordinarily no confined domain has access to file_t. The only way such a file gets created is if the system was booted with selinux=0 (or SELINUX=disabled in /etc/selinux/config), or if you added a new disk to the machine that was never labeled by SELinux. If the machine was running with selinux=0, it is safest to relabel the whole system:
<pre>
touch /.autorelabel
reboot
</pre>
If you are adding a new disk, you can run restorecon -R -v on the mount point to fix the labels:
<pre>
restorecon -R -v MOUNTPOINTPATH
</pre>
== default_t ==
if tcontext.type = default_t --> touch /.autorelabel; reboot

AVC messages containing default_t can also indicate a labeling problem, especially if the file being referred to is not a top-level file; i.e. everything under /usr, /var, /dev, /tmp, ... should not be labeled default_t. default_t is the label for files that have no label defined for a parent directory, so if you create a new directory in / you might legitimately get this label. If you want a confined domain to use these files you will probably need to relabel the directory with chcon. In some cases it is just easier to use the autorelabel command above.
<pre>
restorecon -R -v MOUNTPOINTPATH
</pre>
== ftpd_t ==
if scontext.type = ftpd_t && tcontext.type = home_root_t | user_home_dir_t | user_home_t

This indicates that people are trying to log in to their home directories via ftp. To allow this:
<pre>
setsebool -P ftp_home_dir=1
</pre>
== ftpd_t | samba_t | httpd_t | rsync_t ==
if scontext.type = ftpd_t | samba_t | httpd_t | rsync_t && tcontext.type = public_content_t && class = dir && access = { add_name | write }

This indicates that people are trying to write to a public_content directory. This might be a hack, or it might indicate you have a directory you want people to upload to. If the uploads are intended, relabel the directory:
<pre>
chcon -t public_content_rw_t DIRNAME
</pre>
and set the appropriate one of the following booleans:
<pre>
allow_ftpd_anon_write --> off
allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> off
allow_httpd_w3c_script_anon_write --> off
allow_rsync_anon_write --> off
allow_smbd_anon_write --> off
</pre>
== httpd_t ==
if scontext.type = httpd_t && tcontext.type = user_home_t && class=dir && access = { getattr search }

This indicates that people are trying to read a user's home directory. If this is intended:
<pre>
chcon -t httpd_sys_content_t ~/public_html
setsebool -P httpd_enable_homedirs=1
</pre>
== named_t ==
if scontext.type = named_t && tcontext.type = named_zone_t && class=dir && access = write

Looks like someone is trying to zone transfer to this machine's nameserver. If that is intended, set the following boolean:
<pre>
setsebool -P named_write_master_zones=1
</pre>
== smbd_t ==
if scontext.type = smbd_t && class=dir && access = { getattr search read }

If the file context is for another location on the disk, you might be able to get it working by using chcon. Each domain has file contexts that it is able to read and/or write. So if you created a directory like /src and you wanted samba to share it, you would run:
<pre>
chcon -R -t samba_share_t DIR
</pre>
== Else ==
Open a bugzilla.
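As an added example that is not part of this wiki page, the decision tree above written as a small Python script: it parses AVC records in the layout auditd writes to audit.log, walks the rules top to bottom and returns the page's recommendation. The sample records are constructed for the example; pids, inodes and file names in them are made up.

```python
import re

# Constructed sample AVC records in audit.log layout (pids, inodes and names are made up).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1595866980.123:456): avc:  denied  { write } for  pid=1234 comm="named" '
    'name="slaves" dev="dm-0" ino=99 scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1595866981.456:457): avc:  denied  { getattr } for  pid=2345 comm="httpd" '
    'path="/srv/www/index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
                    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)')

def parse_avc(line):
    """Return (source type, target type, class, permission set), or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the decision tree only looks at the type field.
    stype = m.group('s').split(':')[2]
    ttype = m.group('t').split(':')[2]
    return stype, ttype, m.group('c'), set(m.group('perms').split())

def diagnose(line):
    """Walk the decision tree top to bottom and return the matching remedy from the page."""
    parsed = parse_avc(line)
    if parsed is None:
        return None
    s, t, cls, perms = parsed
    # Target labels that mean the file system itself is mislabeled: relabel before anything else.
    if t in ('file_t', 'unlabeled_t', 'default_t'):
        return 'labeling problem: touch /.autorelabel; reboot'
    if s == 'ftpd_t' and t in ('home_root_t', 'user_home_dir_t', 'user_home_t'):
        return 'setsebool -P ftp_home_dir=1'
    if (s in ('ftpd_t', 'samba_t', 'httpd_t', 'rsync_t') and t == 'public_content_t'
            and cls == 'dir' and perms & {'add_name', 'write'}):
        return 'chcon -t public_content_rw_t DIRNAME and set the matching allow_*_anon_write boolean'
    if s == 'httpd_t' and t == 'user_home_t' and cls == 'dir' and perms & {'getattr', 'search'}:
        return 'chcon -t httpd_sys_content_t ~/public_html; setsebool -P httpd_enable_homedirs=1'
    if s == 'named_t' and t == 'named_zone_t' and cls == 'dir' and 'write' in perms:
        return 'setsebool -P named_write_master_zones=1'
    if s == 'smbd_t' and cls == 'dir' and perms & {'getattr', 'search', 'read'}:
        return 'chcon -R -t samba_share_t DIR'
    return 'open a bugzilla'

if __name__ == '__main__':
    for avc in SAMPLE_AVCS:
        print(diagnose(avc))
```

Feed it real lines with something like ausearch -m AVC; a record that falls through every rule lands on the page's "Else" branch.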