denied despite allow rule
I'm confused about a situation where I'm getting denied avc messages
even though there is an allow rule in place. What am I missing?

This is on RHEL 5.8 using the targeted policy. Here's an example. I have
this avc message from this morning:

type=AVC msg=audit(1333372681.227:20002): avc: denied { append } for pid=3480 comm="vsftpd" path="/LTS/eng-ng/snip/2012/03/20/STORY_Letters_for_Sun._3-4_1_66_610389Z/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR.xml" dev=dm-8 ino=227640612 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file

but when I do sesearch it shows a matching allow rule:

# sesearch -s ftpd_t -t public_content_t -c file -p append -a
Found 1 av rules:
   allow ftpd_t public_content_t : file { ioctl read write create getattr setattr lock append unlink link rename };

Found 5 role allow rules:
   allow system_r sysadm_r ;
   allow user_r sysadm_r ;
   allow user_r system_r ;
   allow sysadm_r user_r ;
   allow sysadm_r system_r ;

Thanks for any help you can give,
Maria

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
On 04/02/2012 10:42 AM, Maria Iano wrote:
> I'm confused about a situation where I'm getting denied avc messages even
> though there is an allow rule in place. What am I missing?
> [...]
> but when I do sesearch it shows a matching allow rule:
>
> # sesearch -s ftpd_t -t public_content_t -c file -p append -a
> Found 1 av rules:
>    allow ftpd_t public_content_t : file { ioctl read write create getattr setattr lock append unlink link rename };
> [...]

sesearch -A -s ftpd_t -t public_content_t -c file -p append -C
Found 1 semantic av rules:
DT allow ftpd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ allow_ftpd_full_access ]

Always use the -C to show you if this is allowed or denied via a boolean.
In this case you need to turn on the allow_ftpd_full_access boolean.
On 04/02/2012 10:42 AM, Maria Iano wrote:
> I'm confused about a situation where I'm getting denied avc messages even
> though there is an allow rule in place. What am I missing?
>
> This is on RHEL 5.8 using the targeted policy. Here's an example. I have
> this avc message from this morning:
> [...]

If you want to make this work, you should label the content as
public_content_rw_t and then turn on allow_ftpd_anon_write boolean.

man ftpd_selinux
/SHARING
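The two replies above amount to a triage sequence: read the denial, run sesearch with -C so that a rule hidden behind a boolean shows up as such, then either flip the boolean or, more narrowly, relabel the share as public_content_rw_t and enable allow_ftpd_anon_write. The script below is an added example that automates that reading; it is not code from the thread, from setools or from the policy. It parses the AVC line and the setools 3 style sesearch output quoted in the messages (both embedded here as constructed samples, with the path shortened) and does not run sesearch itself. The `<dir>` placeholder in the relabel commands stands for the shared directory and is not from the thread.

```python
"""Added example (not from the thread or from setools): triage an AVC denial
the way the replies describe. Parse the denial, build the `sesearch -A -C`
query, read any boolean off the result, and suggest the fix.

Samples are constructed from the messages above; nothing here runs sesearch.
"""
import re

# Constructed sample: the denial from the first message, path shortened.
AVC_LINE = (
    'type=AVC msg=audit(1333372681.227:20002): avc: denied { append } for '
    'pid=3480 comm="vsftpd" path="/LTS/eng-ng/snip/story/cartoon.xml" dev=dm-8 '
    'ino=227640612 scontext=system_u:system_r:ftpd_t:s0 '
    'tcontext=system_u:object_r:public_content_t:s0 tclass=file'
)

# Constructed from the setools 3 output in the thread. Without -C the rule
# looks unconditional; with -C it carries a prefix and a boolean:
# E/D = boolean currently enabled/disabled, T/F = rule sits in the
# true/false branch of that boolean.
SESEARCH_WITHOUT_C = """Found 1 av rules:
   allow ftpd_t public_content_t : file { ioctl read write create getattr setattr lock append unlink link rename };
"""
SESEARCH_WITH_C = """Found 1 semantic av rules:
DT allow ftpd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ allow_ftpd_full_access ]
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
RULE_RE = re.compile(
    r'^(?:(?P<state>[ED])(?P<branch>[TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)'
    r'\s*:\s*(?P<cls>\S+)\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*;'
    r'(?:\s*\[\s*(?P<bool>[^\]]+?)\s*\])?'
)
WRITE_PERMS = {'write', 'append', 'create', 'setattr', 'unlink', 'link', 'rename'}


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(':')[2]


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: %r' % line)
    return {'perms': m.group('perms').split(),
            'stype': context_type(m.group('scontext')),
            'ttype': context_type(m.group('tcontext')),
            'tclass': m.group('tclass')}


def sesearch_command(avc):
    """The query the first reply recommends: -A for allow rules, -C for booleans."""
    return ['sesearch', '-A', '-C', '-s', avc['stype'], '-t', avc['ttype'],
            '-c', avc['tclass'], '-p', ','.join(avc['perms'])]


def parse_sesearch(output):
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule['perms'] = rule['perms'].split()
            rules.append(rule)
    return rules


def explain(avc, rules):
    """(verdict, shell commands) for the denied permissions."""
    actions = []
    for r in rules:
        if not set(avc['perms']) <= set(r['perms']):
            continue
        if r['bool'] is None:
            return ('allow rule is unconditional: suspect the labels or a stale policy', [])
        if r['state'] == 'E':
            return ('rule already enabled via %s: check labels or reload policy' % r['bool'], [])
        actions.append('setsebool -P %s %s' % (r['bool'], 'on' if r['branch'] == 'T' else 'off'))
    if not actions:
        return ('no matching allow rule: needs a relabel or a policy module', [])
    return ('denied because a boolean is off', actions)


def narrower_fix(avc):
    """The second reply's route for ftpd writing to public_content_t: relabel
    the share instead of opening all of non_security_file_type to ftpd_t.
    <dir> is a placeholder for the shared directory."""
    if (avc['stype'] == 'ftpd_t' and avc['ttype'] == 'public_content_t'
            and set(avc['perms']) & WRITE_PERMS):
        return ['semanage fcontext -a -t public_content_rw_t "<dir>(/.*)?"',
                'restorecon -R -v <dir>',
                'setsebool -P allow_ftpd_anon_write on']
    return []


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print(' '.join(sesearch_command(avc)))
    for label, out in (('without -C', SESEARCH_WITHOUT_C), ('with -C', SESEARCH_WITH_C)):
        verdict, cmds = explain(avc, parse_sesearch(out))
        print('%s: %s %s' % (label, verdict, cmds))
    print('narrower:', narrower_fix(avc))
```

On a live host, feed an `ausearch -m avc` line to parse_avc and the output of the printed sesearch command to parse_sesearch. Run against the two samples, the contrast is the whole point of the first reply: the output without -C prints the conditional rule as if it were always in force, while the DT prefix with -C says the rule exists but its boolean is currently off. The rule target is the non_security_file_type attribute, so allow_ftpd_full_access grants ftpd_t write access far beyond the one share; that is why the relabel route in the second reply is the narrower grant.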
On Apr 2, 2012, at 11:43 AM, Daniel J Walsh wrote:
> [...]
> If you want to make this work, you should label the content as
> public_content_rw_t and then turn on allow_ftpd_anon_write boolean.
>
> man ftpd_selinux
> /SHARING

Thank you and will do!
On Apr 2, 2012, at 11:43 AM, Daniel J Walsh wrote:
> [...]
> If you want to make this work, you should label the content as
> public_content_rw_t and then turn on allow_ftpd_anon_write boolean.
>
> man ftpd_selinux
> /SHARING

I actually already had those two in place (the boolean on and the files set
to public_content_rw_t). What had happened was that at some point new file
context rules had been generated for the relevant files and directories in
file_contexts.homedirs and some of them were more specific than my custom
rules. I'm not sure why this didn't trip me up before. My guess is that the
file_contexts.homedirs was generated some time after the server had been up
and running for a while, because some older directories and files did have
my customized contexts despite the more specific rules in
file_contexts.homedirs.

For the moment, I have resolved the problem by creating more specific rules
using semanage and running fixfiles, and I'm no longer getting denials. What
I'm concerned about is how do I keep an eye out for this in the future?

Thanks!
Maria
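The last message describes an ordering problem: a rule generated into file_contexts.homedirs matched the same files as the local customization and won because it was more specific. The script below is an added example, not code from the thread or from libselinux, that makes that check repeatable offline. It loads file_contexts-style entries in the order libselinux loads them (file_contexts, then file_contexts.homedirs, then file_contexts.local), picks the winning entry for each path, and flags paths where a non-local entry outranks a local one with a different type. The sample rules and paths are constructed for illustration and are not the poster's real entries. Two things are assumptions rather than anything the thread states: that the winning entry is the one with the longest literal stem, with ties going to the later-loaded entry, and the helper actual_type, which reads the on-disk label through os.getxattr (Linux only). On a real host, `matchpathcon -V <path>` and `restorecon -R -n -v <dir>` are the authoritative checks; this script is for reviewing a rule set before it is applied.

```python
"""Added example (not from the thread or from libselinux): find file_contexts
entries that outrank a local customization, which is what the last message
describes. Sample rules and paths are constructed for illustration.
"""
import os
import re

META = set('.^$?*+|[](){}\\')


def stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in META:
            return i
    return len(regex)


def parse_file_contexts(text, source):
    """Parse `regex [filetype] context` lines as found in file_contexts*."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        regex, context = fields[0], fields[-1]
        entries.append({
            'source': source,
            'raw': regex,
            'pattern': re.compile('^(?:%s)$' % regex),  # libselinux anchors both ends
            'stem': stem_len(regex),
            'type': None if context == '<<none>>' else context.split(':')[2],
        })
    return entries


def winner(path, entries):
    """Entry that decides `path`, or None.

    Assumption: the longest literal stem wins and ties go to the entry loaded
    later. Confirm on a real host with `matchpathcon -V`.
    """
    hits = [e for e in entries if e['pattern'].match(path)]
    if not hits:
        return None
    return sorted(hits[::-1], key=lambda e: e['stem'], reverse=True)[0]


def audit(paths, entries, custom_source='file_contexts.local'):
    """Paths where a non-local entry overrides a local one with another type."""
    findings = []
    for path in paths:
        best = winner(path, entries)
        local = [e for e in entries
                 if e['source'] == custom_source and e['pattern'].match(path)]
        if (best and local and best['source'] != custom_source
                and best['type'] != local[-1]['type']):
            findings.append({'path': path, 'expected_by_local': local[-1]['type'],
                             'actual_winner': best['type'], 'from': best['source'],
                             'regex': best['raw']})
    return findings


def actual_type(path):
    """Type stored on disk now, or None when there is no SELinux xattr (Linux only)."""
    getx = getattr(os, 'getxattr', None)
    if getx is None:
        return None
    try:
        ctx = getx(path, 'security.selinux')
    except OSError:
        return None
    return ctx.decode().rstrip('\x00').split(':')[2]


# Constructed samples. Load order is file_contexts, then .homedirs, then .local.
BASE = "/.*  system_u:object_r:default_t:s0\n"
HOMEDIRS = "/LTS/eng-ng/snip/2012(/.*)?  system_u:object_r:public_content_t:s0\n"
LOCAL = "/LTS/eng-ng(/.*)?  system_u:object_r:public_content_rw_t:s0\n"
# The fix from the last message: a local rule at least as specific as the
# generated one, added after it.
LOCAL_FIXED = LOCAL + "/LTS/eng-ng/snip/2012(/.*)?  system_u:object_r:public_content_rw_t:s0\n"
SAMPLE_PATHS = ['/LTS/eng-ng/snip/2012/03/20/cartoon.xml', '/LTS/eng-ng/other/notes.txt']


def load(local_text=LOCAL):
    return (parse_file_contexts(BASE, 'file_contexts')
            + parse_file_contexts(HOMEDIRS, 'file_contexts.homedirs')
            + parse_file_contexts(local_text, 'file_contexts.local'))


if __name__ == '__main__':
    for f in audit(SAMPLE_PATHS, load()):
        print('%(path)s: %(from)s %(regex)s gives %(actual_winner)s, '
              'local wants %(expected_by_local)s' % f)
    print('after fix:', audit(SAMPLE_PATHS, load(LOCAL_FIXED)))
```

Labels on disk only change when something relabels them (restorecon, fixfiles, a relabel after a policy update), so a review like this over the current rule files is the cheap way to see the conflict before the next relabel rather than after the next denial. Pair it with actual_type over the share on the host itself to catch files that were already relabeled.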