Denials are assigned IDs, as seen in /var/log/messages
. The following is an example AVC denial (logged to messages
) that occurred when the Apache HTTP Server (running in the httpd_t
domain) attempted to access the /var/www/html/file1
file (labeled with the samba_share_t
type):
hostname
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
As suggested, run the sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
command to view the complete message. This command only works on the local machine, and presents the same information as the sealert
GUI:
$ sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
Summary:
SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1
(samba_share_t).
Detailed Description:
SELinux denied access to /var/www/html/file1 requested by httpd.
/var/www/html/file1 has a context used for sharing by different program. If you
would like to share /var/www/html/file1 from httpd also, you need to change its
file context to public_content_t. If you did not intend to this access, this
could signal a intrusion attempt.
Allowing Access:
You can alter the file context by executing chcon -t public_content_t
'/var/www/html/file1'
Fix Command:
chcon -t public_content_t '/var/www/html/file1'
Additional Information:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:samba_share_t:s0
Target Objects /var/www/html/file1 [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host hostname
Source RPM Packages httpd-2.2.10-2
Target RPM Packages
Policy RPM selinux-policy-3.5.13-11.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name public_content
Host Name hostname
Platform Linux hostname 2.6.27.4-68.fc12.i686 #1 SMP Thu Oct
30 00:49:42 EDT 2008 i686 i686
Alert Count 4
First Seen Wed Nov 5 18:53:05 2008
Last Seen Wed Nov 5 01:22:58 2008
Local ID 84e0b04d-d0ad-4347-8317-22e74f6cd020
Line Numbers
Raw Audit Messages
node=hostname
type=AVC msg=audit(1225812178.788:101): avc: denied { getattr } for pid=2441 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
node=hostname
type=SYSCALL msg=audit(1225812178.788:101): arch=40000003 syscall=196 success=no exit=-13 a0=b8e97188 a1=bf87aaac a2=54dff4 a3=2008171 items=0 ppid=2439 pid=2441 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
- Summary
-
A brief summary of the denied action. This is the same as the denial in /var/log/messages
. In this example, the httpd
process was denied access to a file (file1
), which is labeled with the samba_share_t
type.
- Detailed Description
-
A more verbose description. In this example, file1
is labeled with the samba_share_t
type. This type is used for files and directories that you want to export via Samba. The description suggests changing the type to a type that can be accessed by the Apache HTTP Server and Samba, if such access is desired.
- Allowing Access
-
A suggestion for how to allow access. This may be relabeling files, turning a Boolean on, or making a local policy module. In this case, the suggestion is to label the file with a type accessible to both the Apache HTTP Server and Samba.
- Fix Command
-
A suggested command to allow access and resolve the denial. In this example, it gives the command to change the file1
type to public_content_t
, which is accessible to the Apache HTTP Server and Samba.
- Additional Information
-
Information that is useful in bug reports, such as the policy package name and version (selinux-policy-3.5.13-11.fc12
), but may not help towards solving why the denial occurred.
- Raw Audit Messages
-
The raw audit messages from
/var/log/audit/audit.log
that are associated with the denial. Refer to
Section 8.3.6, “Raw Audit Messages” for information about each item in the AVC denial.