On 11/15/2013 11:28 AM, m.roth@xxxxxxxxx wrote:
> Dominick Grift wrote:
>> On Fri, 2013-11-15 at 10:46 -0500, m.roth@xxxxxxxxx wrote:
>>
>>> Good thought. NOW I'm *really* confused. ll -Z of the file gives me
>>> -rw-r--r--. <user> <group> system_u:system_r:httpd_sys_content_t:s0 <file>
>>>
>>> Meanwhile, grep avc /var/log/audit/audit.log | grep <filename> gets me:
>>> <...>
>>> type=AVC msg=audit(1384527075.382:7606586): avc: denied { read } for pid=1329 comm="httpd" name="<filename>" dev=sdc1 ino=66691074 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>>>
>>> "Unlabeled_t"?
>>
>> You should probably watch some of my videos on youtube (1)
>
> I'm not really big, most of the time, on instructional videos - I'd rather
> read. This email was just what I needed.
>>
>> Because in some of those videos i explain what it means if you see
>> entities with the unlabeled_t type security identifier
>>
>> But i will give you a run-down of it here:
>>
>> There is this concept of "initial security identifiers" in SELinux.
>> Initial security identifiers are security identifiers that are hard-coded
>> into SELinux
>>
>> Initial security identifiers are used to address three security
>> challenges:
>>
>> 1. deal with system initialization
>> 2. deal with fixed resources
>> 3. deal with fail-over
>>
>> I will touch on the third challenge, because this is related to your
>> issue
>>
>> Basically, SELinux uses initial sids for fail-over because:
>>
>> SELinux needs a way to deal with mislabeled, and unlabeled files on
>> running systems.
>>
>> The unlabeled initial sid is associated to entities by SELinux if an
>> entity has one or more invalid security identifiers
>
> And here's my complaint: why should it tell me that it's unlabeled_t,
> rather than telling me "system_r is an invalid role"?
>
> One more detail - I made a typo, and managed chcon -R -r system_u, rather
> than -u... and chcon accepted it. Isn't there any parm checking, to match
> what you're changing to the context?
>
> Thanks, again, for the clear explanation.
>
> mark
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

I have a request into the kernel guys to give us the real label in the AVC, so we could have setroubleshoot attempt to tell you what is wrong. Currently the kernel gives you unlabeled_t no matter what.
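As an added example, not code from this thread or from the SELinux project, here is a small Python script that does by hand what the AVC cannot yet do for you: it parses an AVC record of the shape quoted above, splits the label that ls -Z reports into its user:role:type:range fields, and names the field that makes the kernel fall back to unlabeled_t. The sample AVC line (with a made-up filename), the three sample labels, and the sanity rules it applies (users end in _u, types in _t, and every file object carries the object_r role, the Fedora reference-policy convention) are assumptions of this example; only the loaded policy can say for certain whether a context is valid.

```python
import re
from typing import Dict, List

# Constructed sample input shaped like the AVC quoted in the thread; the
# filename is made up, the other fields mirror the record above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1384527075.382:7606586): avc:  denied  { read } for '
    'pid=1329 comm="httpd" name="example.html" dev=sdc1 ino=66691074 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'
)

# Constructed on-disk labels: what ls -Z showed in the thread, what the
# "chcon -R -r system_u" typo would leave behind, and a well-formed label.
LABEL_FROM_LS = "system_u:system_r:httpd_sys_content_t:s0"
LABEL_AFTER_TYPO = "system_u:system_u:httpd_sys_content_t:s0"
LABEL_GOOD = "system_u:object_r:httpd_sys_content_t:s0"

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
_PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')   # the "{ read write }" permission set


def parse_avc(line: str) -> Dict[str, object]:
    """Split one AVC record into its key=value fields plus the permission list."""
    fields: Dict[str, object] = {}
    for key, value in _KV_RE.findall(line):
        fields[key] = value.strip('"')
    m = _PERMS_RE.search(line)
    fields["perms"] = m.group(1).split() if m else []
    fields["denied"] = " denied " in line
    return fields


def parse_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type[:range] into parts; the MLS range may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, type_ = parts[:3]
    mls = parts[3] if len(parts) == 4 else ""
    return {"user": user, "role": role, "type": type_, "range": mls}


def check_file_label(ctx: str) -> List[str]:
    """Heuristic sanity check of a file label; returns the names of suspicious fields.

    Assumption (not from the mail): reference-policy naming (*_u, *_t) and the
    rule that file objects always carry the object_r role. This catches the
    common slip of putting a user or a process role into the role field.
    """
    c = parse_context(ctx)
    problems: List[str] = []
    if not c["user"].endswith("_u"):
        problems.append("user")
    if c["role"] != "object_r":
        problems.append("role")
    if not c["type"].endswith("_t"):
        problems.append("type")
    return problems


def explain_denial(avc_line: str, on_disk_label: str) -> str:
    """Relate an unlabeled_t AVC to the label actually stored on the file."""
    avc = parse_avc(avc_line)
    tctx = parse_context(str(avc["tcontext"]))
    if tctx["type"] != "unlabeled_t":
        return f"target type is {tctx['type']}; not an unlabeled_t case"
    bad = check_file_label(on_disk_label)
    if bad:
        return ("kernel reports unlabeled_t because the stored label "
                f"{on_disk_label!r} is invalid (suspicious fields: {', '.join(bad)}); "
                "restorecon on the file will rewrite it from the file contexts")
    return (f"stored label {on_disk_label!r} looks well-formed; unlabeled_t then means "
            "the file has no label at all, or one the loaded policy does not define")


if __name__ == "__main__":
    for label in (LABEL_FROM_LS, LABEL_AFTER_TYPO, LABEL_GOOD):
        print(label, "->", explain_denial(SAMPLE_AVC, label))
```

Run it as-is to see the three constructed labels explained; on a real box, feed `explain_denial` the AVC line from audit.log and the context column of `ls -Z` for the file it names. The role check is what catches both the system_r label shown in the thread and the -r system_u typo, which is exactly the detail the AVC itself hides behind unlabeled_t.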