From Fedora Project Wiki
Revision as of 16:28, 24 May 2008

Analyzing SELinux AVC Messages

  • AVC Messages referring to files labeled *:file_t

This indicates you have a major labeling problem. When the SELinux kernel discovers a file that has no security context, it sets its label to file_t. Ordinarily no confined domain has access to file_t. The only ways such a file gets created are if the system was booted with selinux=0 (or SELINUX=disabled in /etc/selinux/config), or if you added a new disk to the machine that was never labeled by SELinux. If the machine was running with selinux=0, it is safest to relabel the whole system.

This command must be run as root:

touch /.autorelabel
reboot

If you are adding a new disk, you can run restorecon -R -v /MOUNTPOINT to fix the labels.

  • AVC Messages containing default_t:

This can also indicate a labeling problem, especially if the file being referred to is not a top-level file, i.e., everything under /usr, /var, /dev, /tmp, ... should not be labeled default_t. default_t is the label given to files whose parent directory has no label of its own, so if you create a new directory in / you might legitimately get this label. If you want a confined domain to use these files you will probably need to relabel the directory with chcon. In some cases it is just easier to use the autorelabel command above.

  • AVC Messages indicating that a sharing domain failed to access certain files:

  a. Confined sharing domains are httpd, smbd, ftpd, and rsync.
  b. If the files are in a user's home directory (labeled user_home_t), you probably need to turn on a boolean to allow this access; setsebool -P httpd_enable_homedirs=1 turns on httpd's access to home directories.
  c. If the files are in another location on disk, you might be able to get it working with chcon. Each domain has file contexts it is able to read and/or write, so if you created a directory like /src and wanted Samba to share it, you would run chcon -R -t samba_share_t /src.
  d. Finally, if you want multiple sharing domains to have access to the same files, set the file context to public_content_t; if you want multiple daemons to be able to write the content, set the context to public_content_rw_t and then set the boolean for each domain that needs to write: setsebool -P allow_DOMAIN_anon_write=1.
  e. Please refer to the SELinux man page for each confined domain: man httpd_selinux, man ftpd_selinux, ...
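As an added example (not part of the wiki page), here is a small Python triage script that applies the three rules above to audit.log AVC lines. The sample lines, PIDs, inodes and paths are constructed for the demonstration; the fixes it suggests are the page's own commands, and the "man DOMAIN_selinux" hint follows the page's last point.

```python
import re

# Constructed sample audit.log AVC records (not from the page); pids, inodes and paths are made up.
SAMPLE_AVCS = """\
type=AVC msg=audit(1211641680.123:45): avc:  denied  { read } for  pid=2150 comm="httpd" name="index.html" dev=sda3 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1211641681.456:46): avc:  denied  { getattr } for  pid=2301 comm="smbd" path="/var/lib/samba/shared/data.bin" dev=sda3 ino=22222 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1211641682.789:47): avc:  denied  { read } for  pid=2150 comm="httpd" path="/home/alice/public_html/index.html" dev=sda3 ino=33333 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1211641683.000:48): avc:  denied  { write } for  pid=2400 comm="vsftpd" path="/src/upload.txt" dev=sda3 ino=44444 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
"""

SHARING_DOMAINS = {"httpd_t", "smbd_t", "ftpd_t", "rsync_t"}
# Standard trees in which default_t always means a labeling problem (page's examples plus /etc, /home).
STANDARD_TOPS = tuple(t + "/" for t in ("/usr", "/var", "/dev", "/tmp", "/etc", "/home"))

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC line, plus the type component of each context."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    fields["sdomain"] = fields["scontext"].split(":")[2]   # e.g. httpd_t
    fields["ttype"] = fields["tcontext"].split(":")[2]     # e.g. file_t
    return fields

def triage(avc):
    """Map one parsed AVC to (category, suggested fix) following the page's rules."""
    path, ttype, dom = avc.get("path", ""), avc["ttype"], avc["sdomain"]
    name = dom[:-2]  # strip the _t suffix: httpd_t -> httpd
    if ttype == "file_t":   # unlabeled file: system ran with selinux=0 or disk never labeled
        return ("unlabeled", "touch /.autorelabel && reboot (or restorecon -R -v /MOUNTPOINT for a new disk)")
    if ttype == "default_t":
        if path.startswith(STANDARD_TOPS):   # never legitimate under /usr, /var, /dev, /tmp, ...
            return ("mislabeled", f"restorecon -R -v {path}")
        return ("new-toplevel", f"chcon -R -t <type {name} is allowed to use> {path}")
    if dom in SHARING_DOMAINS:
        if ttype == "user_home_t":
            if dom == "httpd_t":
                return ("homedir-boolean", "setsebool -P httpd_enable_homedirs=1")
            return ("homedir-boolean", f"see man {name}_selinux for the home-directory boolean")
        return ("share-context",
                f"chcon -R -t public_content_t {path}; setsebool -P allow_{name}_anon_write=1 if it must write")
    return ("other", f"see man {name}_selinux")

def triage_log(text):
    """Triage every AVC record in an audit.log excerpt; returns (comm, category, fix) tuples."""
    parsed = [parse_avc(l) for l in text.splitlines() if "avc:" in l]
    return [(p["comm"],) + triage(p) for p in parsed]
```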