On Fri, 2013-11-15 at 10:46 -0500, m.roth@xxxxxxxxx wrote:
> Good thought. NOW I'm *really* confused.
> ll -Z of the file gives me
> -rw-r--r--. <user> <group> system_u:system_r:httpd_sys_content_t:s0 <file>
>
> Meanwhile,
> grep avc /var/log/audit/audit.log | grep <filename>
> gets me:
> <...>
> type=AVC msg=audit(1384527075.382:7606586): avc: denied { read } for
> pid=1329 comm="httpd" name="<filename>" dev=sdc1 ino=66691074
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>
> "Unlabeled_t"?
You should probably watch some of my videos on youtube (1)
Because in some of those videos i explain what it means if you see
entities with the unlabeled_t type security identifier
But i will give you a run-down of it here:
There is this concept of "initial security identifiers" in SELinux.
Initial security identifiers are security identifiers that are
hard-coded into SELinux
Initial security identifiers are used to address three security
challenges:
1. deal with system initialization
2. deal with fixed resources
3. deal with fail-over
I will touch on the third challenge, because this is related to your
issue
Basically, SELinux uses initial sids for fail-over because:
SELinux needs a way to deal with mislabeled, and unlabeled files on
running systems.
The unlabeled initial sid is associated to entities by SELinux if a
entity has one or more invalid security indentifiers
The unlabeled_t security identifier is associated to the unlabeled
initial security identifier
So lets put that into context of your issue
You have the following denial:
> avc: denied { read } for
> pid=1329 comm="httpd" name="<filename>" dev=sdc1 ino=66691074
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
You have the "<filename>" file labeled as follows:
system_u:system_r:httpd_sys_content_t:s0
We know that SELinux associates the unlabeled_t security identifier to
entities if the entity has one or more invalid security identifier
So we know the file has one or more invalid security identifier
The invalid security identifier in this case is the system_r role
security identifier.
On file system objects like files only the object_r role security
identifier is valid (if you want to know why watch my "selinux
explained" video on you tube (1)
So to get rid of the unlabeled_t issue you need to change the role
security identifier of the file called "<filename>"
for example: chcon -r object_r "<filename>"
..And remember, on file system objects the role sid should always be
object_r
(1) https://www.youtube.com/watch?v=1Jqcp3EhaqQ
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
