SELinux/Troubleshooting/AVCDecisions

From FedoraProject

Revision as of 14:13, 24 May 2008 by ImportUser (Talk)

Decision tree for diagnosing AVC Message signatures

file_t

if tcontext.type = file_t --> touch /.autorelabel; reboot

This indicates you have a major labeling problem. When the SELinux kernel discovers a file that has no security context, it sets its label to file_t. Ordinarily no confined domain has access to file_t. The only ways such a file can come into being are that the system was booted with selinux=0 (or SELINUX=disabled in /etc/selinux/config), or that you added a new disk to the machine that was never labeled by SELinux. If the machine was running with selinux=0, it is safest to relabel the whole system:

touch /.autorelabel
reboot

If you are adding a new disk, you can run restorecon -R -v on the mount point to fix the labels.

restorecon -R -v MOUNTPOINTPATH

default_t

if tcontext.type = default_t --> touch /.autorelabel; reboot

AVC Messages containing default_t:

This can also indicate a labeling problem, especially if the file being referred to is not a top-level file: nothing under /usr, /var, /dev, /tmp, ... should be labeled default_t. default_t is the label given to files whose parent directory has no label of its own, so if you create a new directory in / you might legitimately get this label. If you want a confined domain to use these files you will probably need to relabel the directory with chcon. In some cases it is just easier to use the autorelabel command above.

restorecon -R -v MOUNTPOINTPATH

ftpd_t

if scontext.type = ftpd_t && tcontext.type = home_root_t | user_home_dir_t | user_home_t

This indicates that people are trying to log in to their home directories via ftp. To allow this:

setsebool -P ftp_home_dir=1

ftpd_t | samba_t | httpd_t | rsync_t

if scontext.type = ftpd_t | samba_t | httpd_t | rsync_t && tcontext.type == public_content_t class = dir access = { add_name | write }

This indicates that people are trying to write to a public_content directory. This might be an attack, or it might indicate you have a directory you want people to upload to. If uploads are intended, relabel the directory:

chcon -t public_content_rw_t DIRNAME

Then set the appropriate one of the following booleans (all of them default to off):

allow_ftpd_anon_write
allow_httpd_anon_write
allow_httpd_sys_script_anon_write
allow_httpd_w3c_script_anon_write
allow_rsync_anon_write
allow_smbd_anon_write

httpd_t

if scontext.type = httpd_t && tcontext.type = user_home_t && class=dir && access = { getattr search }

This indicates that people are trying to read a user's home directory. If this is intended:

chcon -t httpd_sys_content_t ~/public_html
setsebool -P httpd_enable_homedirs=1

named_t

if scontext.type = named_t && tcontext.type = named_zone_t && class=dir && access = write

Looks like someone is trying to zone transfer to this machine's nameserver. If that is intended, set the following boolean:

setsebool -P named_write_master_zones=1

smbd_t

if scontext.type = smbd_t && class=dir && access = { getattr search read }

If the file lives in a location on the disk with a different file context, you might be able to get it working by using chcon. Each domain has a set of file contexts it is able to read and/or write. So if you created a directory like /src and you wanted samba to share it, you would run:

chcon -R -t samba_share_t DIR

Else

Open a bugzilla
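The decision tree above, expressed as a small triage script so the rules can be applied to a batch of audit.log lines in one pass. This is an added example and not part of the wiki page: the AVC lines in SAMPLE_LOG are constructed for the demonstration, and the function names (parse_avc, decide, triage) are the example's own. Rule order follows the page, so the two labeling checks (file_t, default_t) are tested before any per-domain rule, and the boolean suggested for a public_content_t write is chosen by the source domain exactly as the page lists it.

```python
"""Triage SELinux AVC denials with the decision tree from this page.

Added example, not part of the wiki page. The audit lines in SAMPLE_LOG are
constructed; rule order and suggested commands follow the sections above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Pulls the permission set, both contexts and the object class out of one
# "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=..." line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Anonymous-write booleans from the public_content_t section, keyed by source domain.
ANON_WRITE_BOOL = {
    "ftpd_t": "allow_ftpd_anon_write",
    "samba_t": "allow_smbd_anon_write",
    "httpd_t": "allow_httpd_anon_write",
    "rsync_t": "allow_rsync_anon_write",
}
HOME_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t"}


@dataclass(frozen=True)
class Avc:
    perms: frozenset[str]   # e.g. {"write", "add_name"}
    stype: str              # type field of scontext, e.g. ftpd_t
    ttype: str              # type field of tcontext, e.g. public_content_t
    tclass: str             # object class, e.g. dir


def ctx_type(ctx: str) -> str:
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Avc | None:
    m = AVC_RE.search(line)
    if m is None:
        return None          # not an AVC denial line (SYSCALL, PATH, ...)
    return Avc(frozenset(m["perms"].split()), ctx_type(m["scontext"]),
               ctx_type(m["tcontext"]), m["tclass"])


def decide(a: Avc) -> tuple[str, list[str]]:
    """Walk the page's rules in order; return (matched rule, commands to run)."""
    # Labeling problems come first: they apply whatever the source domain is.
    if a.ttype == "file_t":
        return "file_t", ["touch /.autorelabel", "reboot"]
    if a.ttype == "default_t":
        return "default_t", ["restorecon -R -v MOUNTPOINTPATH"]
    if a.stype == "ftpd_t" and a.ttype in HOME_TYPES:
        return "ftpd_t home dir", ["setsebool -P ftp_home_dir=1"]
    if (a.stype in ANON_WRITE_BOOL and a.ttype == "public_content_t"
            and a.tclass == "dir" and a.perms & {"add_name", "write"}):
        return "public_content_t write", ["chcon -t public_content_rw_t DIRNAME",
                                          f"setsebool -P {ANON_WRITE_BOOL[a.stype]}=1"]
    if (a.stype == "httpd_t" and a.ttype == "user_home_t"
            and a.tclass == "dir" and a.perms & {"getattr", "search"}):
        return "httpd_t home dir", ["chcon -t httpd_sys_content_t ~/public_html",
                                    "setsebool -P httpd_enable_homedirs=1"]
    if (a.stype == "named_t" and a.ttype == "named_zone_t"
            and a.tclass == "dir" and "write" in a.perms):
        return "named_t zone write", ["setsebool -P named_write_master_zones=1"]
    if a.stype == "smbd_t" and a.tclass == "dir" and a.perms & {"getattr", "search", "read"}:
        return "smbd_t share", ["chcon -R -t samba_share_t DIR"]
    return "no rule", ["open a bugzilla"]


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Apply decide() to every AVC line in a block of audit.log text."""
    results = []
    for line in log_text.splitlines():
        a = parse_avc(line)
        if a is not None:
            results.append(decide(a))
    return results


# Constructed audit.log excerpt: one line per branch of the tree, plus one that matches nothing.
SAMPLE_LOG = """\
type=AVC msg=audit(1211637000.101:1): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev=sda1 ino=100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1211637000.102:2): avc:  denied  { search } for  pid=2002 comm="vsftpd" name="alice" dev=sda1 ino=200 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1211637000.103:3): avc:  denied  { write add_name } for  pid=2003 comm="vsftpd" name="incoming" dev=sda1 ino=300 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1211637000.104:4): avc:  denied  { write } for  pid=2004 comm="named" name="slaves" dev=sda1 ino=400 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1211637000.105:5): avc:  denied  { getattr } for  pid=2005 comm="smbd" name="share" dev=sda1 ino=500 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1211637000.106:6): avc:  denied  { write } for  pid=2006 comm="cupsd" name="foo" dev=sda1 ino=600 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

if __name__ == "__main__":
    for rule, cmds in triage(SAMPLE_LOG):
        print(f"{rule:24} -> {'; '.join(cmds)}")
```

The script only recommends; it never runs anything, because the page itself says a public_content_t write may be an attack rather than a misconfiguration, so a human has to look at the comm and path before flipping a boolean. Feed it `grep avc: /var/log/audit/log` output to see which branch each denial falls into.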