Daniel J Walsh wrote:
> On 11/15/2013 11:28 AM, m.roth@xxxxxxxxx wrote:
>> Dominick Grift wrote:
>>> On Fri, 2013-11-15 at 10:46 -0500, m.roth@xxxxxxxxx wrote:
>>>
>>>> Good thought. NOW I'm *really* confused. ll -Z of the file gives me
>>>> -rw-r--r--. <user> <group> system_u:system_r:httpd_sys_content_t:s0
>>>> <file>
>>>>
>>>> Meanwhile, grep avc /var/log/audit/audit.log | grep <filename> gets
>>>> me: <...> type=AVC msg=audit(1384527075.382:7606586): avc: denied {
>>>> read } for pid=1329 comm="httpd" name="<filename>" dev=sdc1
>>>> ino=66691074 scontext=unconfined_u:system_r:httpd_t:s0
>>>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>>>>
>>>> "Unlabeled_t"?
<snip>
>> And here's my complaint: why should it tell me that it's unlabeled_t,
>> rather than telling me "system_r is an invalid role"?
>>
>> One more detail - I made a typo, and managed chcon -R -r system_u,
>> rather than -u... and chcon accepted it. Isn't there any parm checking, to
>> match what you're changing to the context?
<snip>
> I have a request into the kernel guys to give us the real label in the
> AVC, so we could have setroubleshoot attempt to tell you what is wrong.
> Currently the kernel gives you unlabeled_t no matter what.

Thank you - I don't want to bitch and moan, I'd rather get things fixed, so I
can go on to new and more interesting problems.

        mark

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
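The mismatch discussed in this thread can be checked mechanically by comparing the `tcontext` in the AVC record with the label stored on the file. The following is an added example, not part of the original messages; the file name, the `FILE_CLASSES` list and the rule that filesystem objects carry the role `object_r` are assumptions of the sketch.

```python
import re

# Constructed sample input built from the values quoted in the thread;
# the file name is a placeholder.
AVC_LINE = (
    'type=AVC msg=audit(1384527075.382:7606586): avc:  denied  { read } for '
    'pid=1329 comm="httpd" name="example.html" dev=sdc1 ino=66691074 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'
)
ON_DISK_LABEL = "system_u:system_r:httpd_sys_content_t:s0"  # as shown by ls -Z

# Object classes that live on a filesystem (assumption: not an exhaustive list).
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file",
                "chr_file", "blk_file"}


def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    keys = ("user", "role", "type", "level")
    return dict(zip(keys, parts))


def parse_avc(line):
    """Return the key=value fields of an AVC record, with quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def diagnose(avc_line, on_disk_label):
    """Compare what the kernel reported with what is stored on the file."""
    avc = parse_avc(avc_line)
    reported = parse_context(avc["tcontext"])
    stored = parse_context(on_disk_label)
    findings = []
    if reported["type"] == "unlabeled_t" and stored["type"] != "unlabeled_t":
        findings.append("kernel reported unlabeled_t although the stored "
                        f"label is {on_disk_label!r}")
    # Assumption: filesystem objects conventionally carry the role object_r.
    if avc.get("tclass") in FILE_CLASSES and stored["role"] != "object_r":
        findings.append(f"role {stored['role']!r} on a {avc['tclass']} object; "
                        "expected object_r (check chcon -r/-u usage)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(AVC_LINE, ON_DISK_LABEL):
        print(finding)
```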