Go Back   Linux Archive > Redhat > Fedora SELinux Support
04-02-2012, 02:42 PM
Maria Iano
denied despite allow rule

I'm confused about a situation where I'm getting denied avc messages
even though there is an allow rule in place. What am I missing?


This is on RHEL 5.8 using the targeted policy. Here's an example. I
have this avc message from this morning:


type=AVC msg=audit(1333372681.227:20002): avc: denied { append } for pid=3480 comm="vsftpd" path="/LTS/eng-ng/snip/2012/03/20/STORY_Letters_for_Sun._3-4_1_66_610389Z/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR/IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR.xml" dev=dm-8 ino=227640612 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file


but when I do sesearch it shows a matching allow rule:

# sesearch -s ftpd_t -t public_content_t -c file -p append -a
Found 1 av rules:
allow ftpd_t public_content_t : file { ioctl read write create
getattr setattr lock append unlink link rename };


Found 5 role allow rules:
allow system_r sysadm_r ;
allow user_r sysadm_r ;
allow user_r system_r ;
allow sysadm_r user_r ;
allow sysadm_r system_r ;

Thanks for any help you can give,
Maria

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
04-02-2012, 03:41 PM
Daniel J Walsh
denied despite allow rule


On 04/02/2012 10:42 AM, Maria Iano wrote:
> I'm confused about a situation where I'm getting denied avc messages even
> though there is an allow rule in place. What am I missing?

sesearch -A -s ftpd_t -t public_content_t -c file -p append -C
Found 1 semantic av rules:
DT allow ftpd_t non_security_file_type : file { ioctl read write create
getattr setattr lock append unlink link rename open } ; [ allow_ftpd_full_access ]

Always use the -C to show you if this is allowed or denied via a boolean.

In this case you need to turn on the allow_ftpd_full_access boolean.
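An added example, not code from the thread or from setools: a small POSIX sh helper that reads the state prefix that `sesearch -C` (setools 3, as on RHEL 5/6) puts in front of each rule and says which boolean has to change, plus a wrapper that runs the same query Dan ran for the four fields of an AVC. The ET/DT/EF/DF meaning (enabled/disabled, true/false branch of the conditional) is setools behaviour; the grep filter, the function names and the output words are this example's own choices.

```shell
#!/bin/sh
# Classify one line of `sesearch -C` output (setools 3).  The leading token
# is the rule state: E/D = rule currently Enabled/Disabled by its boolean(s),
# T/F = rule lives in the True/False branch of the conditional; the
# conditional expression follows the rule inside "[ ... ]".
# Prints: unconditional | active | needs-on:<bool> | needs-off:<bool>
#         | needs-change:<expr>   (compound expression, decide by hand)
rule_state() {
    line=$1
    case $line in
        "ET "*|"DT "*|"EF "*|"DF "*) state=${line%% *} ;;
        *) echo unconditional; return 0 ;;
    esac
    case $state in
        E*) echo active; return 0 ;;         # boolean already satisfied
    esac
    expr=${line##*\[}                         # text after the last '['
    expr=${expr%%\]*}                         # ... up to the first ']'
    set -- $expr; expr=$*                     # normalise whitespace
    case $expr in
        *" "*) echo "needs-change:$expr" ;;   # e.g. "bool_a && bool_b"
        *) [ "$state" = DT ] && echo "needs-on:$expr" || echo "needs-off:$expr" ;;
    esac
}

# Live-system wrapper: ask the policy about the (source type, target type,
# class, permission) taken from an AVC, with -C so boolean-gated rules show
# up.  No output at all means no allow rule exists for that pair; then the
# label, not a boolean, is what needs fixing.
explain_denial() {   # usage: explain_denial ftpd_t public_content_t file append
    sesearch -A -C -s "$1" -t "$2" -c "$3" -p "$4" |
    grep -E '^(allow|ET|DT|EF|DF) ' |
    while IFS= read -r rule; do
        printf '%s\t%s\n' "$(rule_state "$rule")" "$rule"
    done
}
```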
 
04-02-2012, 03:43 PM
Daniel J Walsh
denied despite allow rule


On 04/02/2012 10:42 AM, Maria Iano wrote:
> I'm confused about a situation where I'm getting denied avc messages even
> though there is an allow rule in place. What am I missing?

If you want to make this work, you should label the content as
public_content_rw_t and then turn on allow_ftpd_anon_write boolean.

man ftpd_selinux
/SHARING
 
04-02-2012, 03:49 PM
Maria Iano
denied despite allow rule

On Apr 2, 2012, at 11:43 AM, Daniel J Walsh wrote:
> If you want to make this work, you should label the content as
> public_content_rw_t and then turn on allow_ftpd_anon_write boolean.
>
> man ftpd_selinux
> /SHARING


Thank you and will do!


 
04-06-2012, 04:53 PM
Maria Iano
denied despite allow rule

On Apr 2, 2012, at 11:43 AM, Daniel J Walsh wrote:
> If you want to make this work, you should label the content as
> public_content_rw_t and then turn on allow_ftpd_anon_write boolean.
>
> /SHARING


I actually already had those two in place (the boolean on and the
files set to public_content_rw_t). What had happened was that at some
point new file context rules had been generated for the relevant files
and directories in file_context.homedirs and some of them were more
specific than my custom rules.


I'm not sure why this didn't trip me up before. My guess is that the
file_context.homedirs was generated some time after the server had
been up and running for a while, because some older directories and
files did have my customized contexts despite the more specific rules
in file_context.homedirs.


For the moment, I have resolved the problem by creating more specific
rules using semanage and running fixfiles, and I'm no longer getting
denials. What I'm concerned about is how do I keep an eye out for this
in the future?


Thanks!
Maria

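An added example, not code from the thread: a POSIX sh check for the question in the last post, built on restorecon's dry run (`-n -v`), which prints one `restorecon reset PATH context OLD->NEW` line for every file whose on-disk label differs from what the loaded file_contexts now resolve to. It separates files whose custom label would be undone by a competing file_contexts entry from files that simply need a restorecon. The function names, output words and sample lines are constructed for this example; the assumption is that the customised tree should resolve to public_content_rw_t.

```shell
#!/bin/sh
# The failure mode: the file on disk still carries public_content_rw_t, but
# the policy's file_contexts entries (e.g. a regenerated, more specific
# file_contexts.homedirs line) now resolve the path to another type, so the
# next relabel (fixfiles, restorecon, autorelabel) silently undoes the
# custom label.  `restorecon -R -n -v DIR` is a dry run that prints, per file
# it would change:   restorecon reset /path context <on-disk>-><policy>
label_drift() {   # usage: label_drift <expected_type>   (dry-run lines on stdin)
    want=$1
    while IFS= read -r line; do
        case $line in
            *" reset "*" context "*"->"*) ;;
            *) continue ;;                    # not a "reset" line, skip
        esac
        path=${line#* reset }; path=${path% context *}
        ctx=${line##* context }
        disk_t=$(printf '%s' "${ctx%%->*}" | cut -d: -f3)   # user:role:TYPE:level
        pol_t=$(printf '%s' "${ctx#*->}"  | cut -d: -f3)
        if [ "$pol_t" != "$want" ]; then
            # policy would relabel away from the custom type: a competing
            # file_contexts entry is winning over the semanage fcontext rule
            printf 'policy-override %s %s\n' "$path" "$pol_t"
        elif [ "$disk_t" != "$want" ]; then
            # policy is right and the file is wrong: a plain restorecon fixes it
            printf 'stale-label %s %s\n' "$path" "$disk_t"
        fi
    done
}

# Live-system wrapper, suitable for a cron job or a post-update check.  For
# any policy-override line, compare `semanage fcontext -l` with
# /etc/selinux/targeted/contexts/files/file_contexts.homedirs for that path.
audit_tree() {   # usage: audit_tree public_content_rw_t /LTS/eng-ng
    restorecon -R -n -v "$2" | label_drift "$1"
}

# Constructed sample of dry-run output (not real output from any server).
SAMPLE='restorecon reset /srv/ftp/pub/2012/03/20/story.xml context system_u:object_r:public_content_rw_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /srv/ftp/pub/new.xml context unconfined_u:object_r:user_home_t:s0->system_u:object_r:public_content_rw_t:s0
restorecon: unrelated diagnostic line'
demo() { printf '%s\n' "$SAMPLE" | label_drift public_content_rw_t; }
```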
 