20
Chapter 2. SELinux Policy Overview
not affecting the application doing its tasks. This AV lets you silently deny and ignore the access violation. For example, this dontaudit rule says to ignore when the named_t domain attempts to read or get attributes on a file with the root_t type. Denial of this access attempt does not affect named doing its job, so the denial is ignored to keep the logs clean. Note that the access is still denied; only the log message is suppressed:

dontaudit named_t root_t:file { getattr read };
There is one additional AV rule, neverallow. This AV assertion, defined in $SELINUX_SRC/assert.te, is not part of the regular permission checking. The purpose of this rule is to declare access vectors that must never be allowed. These are used to protect against policy-writing mistakes, especially where macros can provide unexpected rights. These assertions are checked by the policy compiler, checkpolicy, when the policy is built, but after the entire policy has been evaluated, and are not part of the runtime access vector cache.
Here is the syntax and an example. In practice, a wildcard character * is often used to cover all instances possible in a rule field. The syntax is different in that it is possible to use ifdef() statements as sources or targets:

# Syntax for AV assertion
neverallow source_name(s) target_name(s) : \
    class(es) permission(s)
In this example from assert.te, the neverallow rule verifies that every type that a domain can enter into has the attribute domain. This prevents a rule from elsewhere in the policy allowing a domain to transition to a type that is not a process type. The tilde in front, ~domain, means "anything that is not a domain":

# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process transition;
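The following toy model, an added example rather than code from this guide or from the SELinux policy sources, shows the two rule behaviours described above in runnable form: a dontaudit suppresses the log message without granting the access, and a neverallow is evaluated against the complete rule set, so an allow rule emitted anywhere in the policy (for instance by a macro) is caught. It reduces types, attributes, * and ~ to Python sets; the type names other than named_t, root_t and the domain attribute quoted in the text are constructed for illustration.

```python
"""Toy model of SELinux AV rules and assertion checking.

Added example, not code from the Red Hat guide or the SELinux policy
sources. It models just enough of checkpolicy's behaviour to show that a
dontaudit grants nothing (it only silences the denial message) and that a
neverallow is matched against every allow rule in the finished policy,
wherever that rule came from. Types other than named_t and root_t and
the attribute "domain" are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    types: dict = field(default_factory=dict)        # type -> set of attributes
    allows: list = field(default_factory=list)       # (src, tgt, class, perms)
    dontaudits: list = field(default_factory=list)   # same shape as allows
    neverallows: list = field(default_factory=list)  # (src_expr, tgt_expr, class, perms)

    def type(self, name, *attrs):
        self.types[name] = set(attrs)

    def allow(self, src, tgt, cls, perms):
        self.allows.append((src, tgt, cls, frozenset(perms)))

    def dontaudit(self, src, tgt, cls, perms):
        self.dontaudits.append((src, tgt, cls, frozenset(perms)))

    def neverallow(self, src_expr, tgt_expr, cls, perms):
        self.neverallows.append((src_expr, tgt_expr, cls, frozenset(perms)))

    def expand(self, name):
        """A type name resolves to itself; an attribute name to every type carrying it."""
        if name in self.types:
            return {name}
        return {t for t, attrs in self.types.items() if name in attrs}

    def resolve(self, expr):
        """Evaluate a source/target field: '*' (anything), '~name' (complement),
        or a plain type/attribute name."""
        everything = set(self.types)
        if expr == "*":
            return everything
        if expr.startswith("~"):
            return everything - self.expand(expr[1:])
        return self.expand(expr)

    def decide(self, src, tgt, cls, perm):
        """Runtime-style lookup for one concrete access.
        Returns (allowed, logged); logged is True when an avc: denied message
        would be written. A dontaudit changes only the second value."""
        def covered(rules):
            return any(src in self.resolve(s) and tgt in self.resolve(t)
                       and cls == c and perm in ps
                       for s, t, c, ps in rules)
        if covered(self.allows):
            return (True, False)
        return (False, not covered(self.dontaudits))

    def check_assertions(self):
        """Build-time check in the spirit of checkpolicy: run every neverallow
        over the complete set of allow rules and return the conflicting pairs."""
        violations = []
        for na in self.neverallows:
            na_src, na_tgt, na_cls, na_perms = na
            srcs, tgts = self.resolve(na_src), self.resolve(na_tgt)
            for al in self.allows:
                al_src, al_tgt, al_cls, al_perms = al
                if al_cls != na_cls or not (al_perms & na_perms):
                    continue
                if self.resolve(al_src) & srcs and self.resolve(al_tgt) & tgts:
                    violations.append((na, al))
        return violations


def build_policy(with_macro_mistake=False):
    """Build a small policy around the rules quoted in the text."""
    p = Policy()
    p.type("named_t", "domain")             # a process type (from the text)
    p.type("httpd_t", "domain")             # constructed second domain
    p.type("root_t", "file_type")           # a file type, not a domain (from the text)
    p.type("named_exec_t", "file_type")     # constructed entrypoint-style file type
    # The assertion quoted from assert.te: a domain may only transition to a domain.
    p.neverallow("domain", "~domain", "process", {"transition"})
    # The dontaudit quoted in the text: silence the denial, grant nothing.
    p.dontaudit("named_t", "root_t", "file", {"getattr", "read"})
    p.allow("named_t", "httpd_t", "process", {"transition"})    # satisfies the assertion
    if with_macro_mistake:
        # The kind of rule a macro might emit by accident: a transition into a
        # file type. It can sit anywhere in the policy; the assertion still catches it.
        p.allow("named_t", "root_t", "process", {"transition"})
    return p


if __name__ == "__main__":
    good, bad = build_policy(), build_policy(with_macro_mistake=True)
    print("dontaudit read :", good.decide("named_t", "root_t", "file", "read"))
    print("plain denial   :", good.decide("named_t", "root_t", "file", "write"))
    print("assertions ok  :", good.check_assertions() == [])
    for na, al in bad.check_assertions():
        print("neverallow violated:", na, "by", al)
```

Running it shows the read denied by named_t on root_t coming back as (False, False), denied but not logged, while a write, which the dontaudit does not cover, comes back (False, True). The policy built with the stray transition rule fails check_assertions() even though the rule is added last, which is the point of evaluating assertions only after the whole policy has been read.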
2.8.1. Understanding an avc: denied Message
When SELinux disallows an operation, a denial message is generated for the audit logs. In Red Hat Enterprise Linux, $AUDIT_LOG is /var/log/messages. This section explains the format of these log messages. For suggestions on using an avc: denied message for troubleshooting, refer to Section 5.2.11 Troubleshoot User Problems With SELinux.
Example 2-1 shows a denial generated when a user's Web content residing in ~/public_html does not have the correct label.

Jan 14 19:10:04 hostname kernel: audit(1105758604.519:420): \
    avc: denied { getattr } for pid=5962 exe=/usr/sbin/httpd \
    path=/home/auser/public_html dev=hdb2 ino=921135 \
    scontext=root:system_r:httpd_t \
    tcontext=user_u:object_r:user_home_t tclass=dir

Example 2-1. AVC Denial Message
This shows the message parts and an explanation of what the part means:

avc: denied Message Explained
Jan 14 19:10:04      Timestamp on the audit message.
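Here is a parser for messages in this format, added here as an example and not part of the guide. It pulls the audit(epoch:serial) body, the permission set and the key=value fields out of a line, splits each context into user:role:type, and derives the allow rule that would silence the denial in the manner of audit2allow. The first sample line is Example 2-1 itself, with the guide's backslash line continuations kept; the other two sample lines (an unrelated syslog line, and a denial in the type=AVC msg=audit(...) form that auditd writes) are constructed for the example.

```python
"""Parse avc: denied messages of the form shown in Example 2-1.

Added example, not part of the guide. The first log line in SAMPLE_LOG is
the message from Example 2-1; the other two are constructed: one unrelated
syslog line and one denial in the "type=AVC msg=audit(...)" form written
by auditd, included to show that the parser keys on the audit(...) body
rather than on the syslog prefix.
"""
import re
from datetime import datetime, timezone

# Body of a denial: audit(epoch:serial): avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*"
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="httpd") or bare (pid=5962)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = r"""Jan 14 19:10:04 hostname kernel: audit(1105758604.519:420): \
    avc: denied { getattr } for pid=5962 exe=/usr/sbin/httpd \
    path=/home/auser/public_html dev=hdb2 ino=921135 \
    scontext=root:system_r:httpd_t \
    tcontext=user_u:object_r:user_home_t tclass=dir
Jan 14 19:10:05 hostname sshd[2211]: Accepted publickey for auser from 10.0.0.5
type=AVC msg=audit(1105758700.000:421): avc:  denied  { read write } for  pid=6001 comm="httpd" name="index.html" dev=hdb2 ino=921140 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""


def join_continuations(text):
    """Undo the backslash-newline wrapping the guide uses for long messages."""
    return re.sub(r"\\\s*\n\s*", " ", text)


def parse_avc(line):
    """Return a dict of the message parts, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    epoch = float(m.group("epoch"))
    rec = {
        "epoch": epoch,
        # audit(...) carries seconds since the epoch (UTC); the syslog prefix is local time
        "utc_time": datetime.fromtimestamp(epoch, tz=timezone.utc),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:level]; the type is what policy rules name.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        if len(parts) >= 3:
            rec[ctx + "_type"] = parts[2]
    return rec


def parse_log(text):
    """Parse every AVC message in a block of log text, skipping other lines."""
    recs = (parse_avc(line) for line in join_continuations(text).splitlines())
    return [r for r in recs if r]


def suggested_rule(rec):
    """The allow rule that would silence this denial (what audit2allow prints)."""
    return "allow %s %s:%s { %s };" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"],
        " ".join(rec["perms"]))


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["utc_time"].strftime("%Y-%m-%d %H:%M:%S UTC"),
              "serial", rec["serial"], rec["result"], rec["perms"],
              rec.get("path") or rec.get("name"), "->", suggested_rule(rec))
```

Two practical points. First, the epoch inside audit(...) is UTC while the syslog timestamp is local time; for Example 2-1 they differ by eight hours, so use the epoch and serial, not the syslog prefix, when correlating events. Second, suggested_rule() is the mechanical answer, not necessarily the right one: for Example 2-1 the text says the content is mislabeled, so the fix is to relabel ~/public_html to the type the httpd policy expects for user content, not to widen httpd_t's access to user_home_t.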





