On 01/21/2013 04:13 AM, Dominick Grift wrote:
> On Fri, 2013-01-18 at 20:48 +0000, Napoleon Quashie wrote:
>> This has been "doing my head in" as the British will say. I've been
>> battling it for days now. A post to Fedora forums and irc hasn't helped.
>> You guys are my last resort. It goes like so:
>>
>
> I am not sure what you are trying to achieve here.
>
> httpd_sys_content_t is a file type and not a file system type
>
> Did you specify the following and if so, why?
>
> auto context="system_u:object_r:httpd_sys_content_t:s0"
>
>>
>> type=AVC msg=audit(1358529889.481:315): avc: denied { associate } for pid=1522 comm="httpd" name="access.log" scontext=system_u:object_r:httpd_sys_rw_content_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=filesystem
>>
>>     Was caused by:
>>         Unknown - would be allowed by active policy
>>         Possible mismatch between this policy and the one under which the audit message was generated.
>>
>>         Possible mismatch between current in-memory boolean settings vs. permanent ones.
>> ------------------------------------------------------------------------------------------------
>>
>> <VirtualHost *:80>
>>     ServerAdmin webmaster@localhost
>>     ServerName lab.dev
>>
>>     DocumentRoot /shared/www/lab/public
>>
>>     <Directory /shared/www/lab/public/>
>>         Options Indexes FollowSymLinks
>>         AllowOverride All
>>         Order allow,deny
>>         Allow from all
>>     </Directory>
>>
>>     # Custom log file locations
>>     LogLevel warn
>>     ErrorLog /shared/www/lab/logs/error.log
>>     CustomLog /shared/www/lab/access.log combined
>>
>> </VirtualHost>
>> ------------------------------------------------------------------------------------------
>>
>> /etc/fstab
>> ----------
>> #
>> # /etc/fstab
>> # Created by anaconda on Tue Jan 15 21:01:00 2013
>> #
>> # Accessible filesystems, by reference, are maintained under '/dev/disk'
>> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
>> #
>> /dev/mapper/fedora-root / ext4 defaults 1 1
>> UUID=f92ec976-f49c-496d-be24-2bd7391eec2e /boot ext4 defaults 1 2
>> /dev/mapper/fedora-home /home ext4 defaults 1 2
>> /dev/mapper/fedora-swap swap swap defaults 0 0
>> /dev/disk/by-uuid/E0D8317FD83154CE /windows auto nosuid,nodev,nofail,x-gvfs-show,x-gvfs-name=Windows 0 0
>> /dev/disk/by-uuid/D0D6BF93D6BF7874 /shared auto context="system_u:object_r:httpd_sys_content_t:s0" 0 0
>> =======================================================================================================
>>
>> /shared is an ntfs partition and /shared/www/public is the root of the
>> site lab.dev
>>
>> Thanks for any assistance.
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux

Yes this looks like he mounted a file system with a specific type and then is trying to associate a type to that type. Which maybe we should allow by default.

allow file_type self:filesystem associate;

Having tools like cp -a fail seems a little silly here.
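
The denial discussed in this thread, as an added example that is not part of the original messages: a Python triage helper that parses an AVC record, recognises the `associate` on `tclass=filesystem` case, and matches the filesystem label against `context=` entries in fstab. The sample record and fstab lines are copied from the post with field spacing restored; the function names are hypothetical.

```python
import re

# Sample inputs copied from the post (field spacing restored).
AVC = ('type=AVC msg=audit(1358529889.481:315): avc: denied { associate } '
       'for pid=1522 comm="httpd" name="access.log" '
       'scontext=system_u:object_r:httpd_sys_rw_content_t:s0 '
       'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=filesystem')
FSTAB = ('# /etc/fstab\n'
         '/dev/mapper/fedora-root / ext4 defaults 1 1\n'
         '/dev/disk/by-uuid/D0D6BF93D6BF7874 /shared auto '
         'context="system_u:object_r:httpd_sys_content_t:s0" 0 0\n')


def parse_avc(line):
    """Return result, permissions and key=value fields of one AVC record."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        rec[key] = val.strip('"')
    return rec


def context_mounts(fstab_text):
    """Map mount point -> label for fstab entries that use context=."""
    found = {}
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith('#'):
            continue
        for opt in fields[3].split(','):
            if opt.startswith('context='):
                found[fields[1]] = opt.split('=', 1)[1].strip('"')
    return found


def explain(rec, mounts):
    """For 'associate' on a filesystem: scontext is the label being put on
    the file, tcontext is the label of the filesystem it lives on."""
    if not rec or rec['result'] != 'denied' or 'scontext' not in rec:
        return None
    if rec.get('tclass') != 'filesystem' or 'associate' not in rec['perms']:
        return None
    hits = [mp for mp, ctx in mounts.items() if ctx == rec.get('tcontext')]
    return {'name': rec.get('name'),
            'file_type': rec['scontext'].split(':')[2],
            'fs_type': rec['tcontext'].split(':')[2],
            'candidate_mounts': hits}
```
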