Chapter 5. Controlling and Maintaining SELinux
What is the target object? The path= and the tclass= tell you where and what the object is. You get its context from tcontext=. You may need the ino= to find an object if its path is not evident. This may happen because SELinux reports the path as relative to the device node dev=.
What is the permission attempted?
2. Knowing these essential who, what, where, and how questions should help you in determining the why. At this point it may be obvious, such as the tcontext= being set to a context the process clearly should not be writing to. This may point back to troubles in the application or script, or troubles in the type for the subject or object.
3. If you need to analyze the policy further, you can try using the source and target contexts as search parameters with the apol tool. You can learn more about how to do this in Section 6.3 Using apol for Policy Analysis.
4. If you think the interaction should be allowed and represents a policy bug, you can insert policy to allow it. Read Chapter 8 Customizing and Writing Policy for information on doing this, and file a bug report at http://bugzilla.redhat.com.
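An added example (not from the guide) that pulls the who, what, where and how answers out of an AVC denial line with nothing more than sed, cut and printf. The denial line is constructed for illustration; the find -inum hint shows how the ino= and dev= fields can locate an object whose path is not reported.

```shell
#!/bin/sh
# Constructed sample AVC denial line (not from a real system) in the audit.log
# layout described above. The target has no path= field, only name=/dev=/ino=.
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:45): avc:  denied  { write } for  pid=2345 comm="httpd" name="index.html" dev=sda3 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# avc_field MESSAGE KEY: value of KEY=... in the line, surrounding quotes removed.
# The leading [[:space:]] keeps "context" from matching inside scontext/tcontext.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms MESSAGE: the permission(s) listed between { and }, e.g. "write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type[:level] security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_where MESSAGE: prefer path=, fall back to name=, and add an inode hint when
# the path is not evident (dev= names the device that the ino= belongs to).
avc_where() {
    path=$(avc_field "$1" path)
    if [ -n "$path" ]; then
        printf '%s\n' "$path"
    else
        printf '%s (locate with: find <mountpoint of %s> -xdev -inum %s)\n' \
            "$(avc_field "$1" name)" "$(avc_field "$1" dev)" "$(avc_field "$1" ino)"
    fi
}

# avc_summary MESSAGE: the who / what / where / how questions, one per line.
avc_summary() {
    msg=$1
    printf 'who   : %s (pid %s, comm %s)\n' "$(ctx_type "$(avc_field "$msg" scontext)")" \
        "$(avc_field "$msg" pid)" "$(avc_field "$msg" comm)"
    printf 'what  : %s of class %s\n' "$(ctx_type "$(avc_field "$msg" tcontext)")" \
        "$(avc_field "$msg" tclass)"
    printf 'where : %s\n' "$(avc_where "$msg")"
    printf 'how   : %s\n' "$(avc_perms "$msg")"
}

avc_summary "$AVC_SAMPLE"
```

Feed it a real line from /var/log/audit/log (or the kernel ring buffer) in place of AVC_SAMPLE; a write denial from httpd_t to user_home_t, as in the sample, is the kind of tcontext= mismatch step 2 describes.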
5.2.12. Read an avc: denied Message
For information on how to read an AVC message, read Section 2.8.1 Understanding an avc: denied Message.
5.2.13. Specifying the Security Context of Entire File Systems
Using the mount -o context= command you can set a single context for an entire file system. This might be an already mounted file system that supports xattrs, or a network file system that obtains a genfs label such as cifs_t or nfs_t. This is explained in Section 2.4 File System Security Contexts.
For example, if you need to have Apache HTTP read from a mounted directory or loopback file system, you need to set the type to httpd_sys_content_t:

mount -t nfs -o context=system_u:object_r:httpd_sys_content_t \
server1.example.com:/shared/scripts /var/www/cgi
Tip
When troubleshooting httpd and SELinux problems, reduce the complexity of your situation. For example, if you have the file system mounted at /mnt and then symlinked to /var/www/html/foo, you have two security contexts to be concerned with. Since one is of the object class file and the other lnk_file, they are treated differently by the policy and unexpected behavior may occur.
5.2.14. Run a Command in a Specified Security Context
This is useful for scripting or testing policy, although it can be tricky to do correctly. The runcon command lets you specify the domain that you want to run a program or script in. For example, you could run runcon -t httpd_t /path/to/script for a script that tested for mislabeled content.
# The arguments that appear after the command are considered to
# be part of the command being run