How do I find what's being denied by SELinux?

Another issue with working on SELinux...

We have a somewhat legacy server running Apache and I'm getting the following AVC denials in the audit log:

type=SYSCALL msg=audit(1354504450.788:403059): arch=40000003 syscall=221 success=yes exit=0 a0=20 a1=7 a2=e3b718 a3=e3b718 items=0 ppid=3206 pid=25561 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354504450.788:403059): avc:  denied  { lock } for  pid=25561 comm="httpd" path=2F617070732F6C6F67732F73736C2F73736C5F6D75746578202864656C6574656429 dev=dm-0 ino=391711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

We're getting quite a few of these, but I'm not sure how to track down what is actually being denied. I'm thinking that, whatever it is, the default_t context probably isn't correct, but I don't know what to change the context on because it doesn't refer to a file.

Any ideas?
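The hard part of the question above is that the AVC's path= value is hex rather than a filename. auditd hex-encodes a string field whenever it contains a space, a double quote or a non-printable byte, and the kernel appends " (deleted)" to the path of a file that was unlinked while still open, so the whole field gets encoded. The following Python parser is an added example, not something posted in the thread: it decodes such fields, pulls out the source and target types, object class and permission from a raw type=AVC record, and produces a one-line summary. The sample record is the one from the question; the set of field names treated as hex-encodable is an assumption of the example.

```python
import re
from typing import Any, Dict

# auditd hex-encodes these string fields when they contain a space, a
# double quote or a non-printable byte; otherwise they are double-quoted.
# Numeric fields such as ino= or pid= are never hex-encoded, so only the
# fields listed here are ever decoded (assumed list for this example).
HEX_ENCODED_FIELDS = {"path", "comm", "exe", "name", "proctitle", "cwd"}

# Constructed sample: the raw AVC record quoted in the question above.
SAMPLE_AVC = (
    "type=AVC msg=audit(1354504450.788:403059): avc:  denied  { lock } for  "
    'pid=25561 comm="httpd" '
    "path=2F617070732F6C6F67732F73736C2F73736C5F6D75746578202864656C6574656429 "
    "dev=dm-0 ino=391711 scontext=system_u:system_r:httpd_t:s0 "
    "tcontext=system_u:object_r:default_t:s0 tclass=file"
)

_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def decode_audit_field(name: str, value: str) -> str:
    """Return the human-readable value of one key=value audit field."""
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if name in HEX_ENCODED_FIELDS and len(value) % 2 == 0 and _HEX_RE.fullmatch(value):
        # The kernel appends " (deleted)" to the path of an unlinked but
        # still-open file; the space forces hex encoding of the whole field.
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_avc(record: str) -> Dict[str, Any]:
    """Parse one raw type=AVC line into a dict of decoded fields.

    Adds perms (list of denied/granted permissions) and, for each context
    present, a <ctx>_type key holding just the type component, which is the
    part file labelling tools (semanage fcontext, chcon) operate on.
    """
    m = _AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC record: %r" % record[:60])
    fields: Dict[str, Any] = {
        "decision": m.group(1),
        "perms": m.group(2).split(),
    }
    for name, raw in _FIELD_RE.findall(m.group(3)):
        fields[name] = decode_audit_field(name, raw)
    for ctx in ("scontext", "tcontext"):
        if ctx in fields:
            # context layout is user:role:type[:range]
            fields[ctx + "_type"] = fields[ctx].split(":")[2]
    return fields


def summarize(fields: Dict[str, Any]) -> str:
    """One-line, human-readable statement of what was denied to whom."""
    target = fields.get("path") or fields.get("name") or "<no path recorded>"
    return "%s %s { %s } on %s %s labelled %s" % (
        fields.get("scontext_type", "?"),
        fields["decision"],
        " ".join(fields["perms"]),
        fields.get("tclass", "?"),
        target,
        fields.get("tcontext_type", "?"),
    )


if __name__ == "__main__":
    import sys
    # Read raw audit records from a pipe (e.g. ausearch -m AVC --raw | ...),
    # or fall back to the constructed sample when run interactively.
    lines = sys.stdin if not sys.stdin.isatty() else [SAMPLE_AVC]
    for line in lines:
        if "type=AVC" in line:
            print(summarize(parse_avc(line)))
```

The summary for the sample reads: httpd_t denied { lock } on file /apps/logs/ssl/ssl_mutex (deleted) labelled default_t, which is the same answer `ausearch -i` gives further down the thread, and it shows the denial is on a file (the SSL mutex lock file) rather than on the directory.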

Responses

I would first look in the httpd log for the URL that triggers this AVC. Then, once you have the URL and can trigger it as often as you want, I would try to use strace on httpd, at least to see if the application is trying to open a file, or something like that.

default_t is the label of any directory created in /.  Since SELinux does not know what content is in a default_t directory, it does not allow any confined domains to read/write in these directories.

If you want to place apache content into a new directory under /, you should label the content as apache content.

# semanage fcontext -a -t httpd_sys_content_t '/mydir(/.*)?'

# restorecon -R -v /mydir

Would cause all of the content in /mydir to be labeled permanently as apache read/only content.  If you have some r/w content under there you could use the httpd_sys_rw_content_t flag.

man apache_selinux

Will have some useful info also.

Looking at your avc with ausearch -if /tmp/avc -i

Shows:

type=AVC msg=audit(12/02/2012 22:14:10.788:403059) : avc:  denied  { lock } for  pid=25561 comm=httpd path=/apps/logs/ssl/ssl_mutex (deleted) dev=dm-0 ino=391711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(12/02/2012 22:14:10.788:403059) : arch=i386 syscall=fcntl64 success=yes exit=0 a0=0x20 a1=F_SETLKW a2=0xe3b718 a3=0xe3b718 items=0 ppid=3206 pid=25561 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Which tells me you created a new directory under / named apps.

I would probably label this with the following commands

# semanage fcontext -a -t usr_t '/apps(/.*)?'

# semanage fcontext -a -t var_log_t '/apps/logs(/.*)?'

If these are only apache logs you could use httpd_log_t.

# restorecon -R -v /apps

If you have binary directories you might want to also label the bin directories as bin_t.

Dan,

Based on your response, I can certainly set the /apps/logs directory to httpd_log_t. Currently it is set to httpd_sys_content_t. So, I guess my next question is...how is this ssl_mutex getting a default_t context? I thought it would take on the file context of the directory that it's in. There are two directories under /apps.../apps/log and /apps/www and both of those directories as well as all the files and directories under them have httpd_sys_content_t labels. That's why I don't get how that file is getting a default_t context...unless that's coming from somewhere else?

Forgive my ignorance...trying to learn as much as I can as fast as I can, but there's obviously a LOT to learn.

Maybe this is an older AVC. I do not know.  But make sure you have a label on /apps also.

find /apps -context "*:default_t:*"

Should find you any files/directories labeled default_t.
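The find -context check above works because the label is stored per inode in the security.selinux extended attribute, so a file keeps whatever label it received when it was created until restorecon, chcon or a policy transition changes it. As an added example that is not from the thread, the following Python script reads that attribute directly (the same value ls -Z prints), lists every path under a tree whose type is default_t, and gives a per-type count so you can see at a glance which labels are present. It assumes a Linux host; where the attribute cannot be read it reports the inode as unlabeled instead of failing, and the default root /apps and type default_t are taken from this thread.

```python
import os
import sys
from collections import Counter
from typing import Dict, Iterator, List, Optional, Tuple

SELINUX_XATTR = "security.selinux"


def context_type(context: str) -> str:
    """Return the type component of a user:role:type[:range] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % context)
    return parts[2]


def file_context(path: str) -> Optional[str]:
    """Read the label stored on one inode (the security.selinux xattr)
    without following symlinks, as ls -Z does.  Returns None when no label
    is readable: non-Linux host, filesystem without xattr support, or an
    inode the kernel holds no label for."""
    getxattr = getattr(os, "getxattr", None)   # absent on non-Linux Pythons
    if getxattr is None:
        return None
    try:
        raw = getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError:
        return None
    return raw.decode("utf-8", "replace").rstrip("\x00")


def walk_labels(root: str) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (path, context) for root and everything below it."""
    yield root, file_context(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            yield path, file_context(path)


def find_by_type(root: str, wanted: str) -> List[str]:
    """Paths under root whose label type equals wanted (e.g. default_t)."""
    return [path for path, ctx in walk_labels(root)
            if ctx is not None and context_type(ctx) == wanted]


def type_summary(root: str) -> Dict[str, int]:
    """Count of inodes under root per label type; '<unlabeled>' for none."""
    counts: Counter = Counter()
    for _, ctx in walk_labels(root):
        counts[context_type(ctx) if ctx else "<unlabeled>"] += 1
    return dict(counts)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/apps"        # from the thread
    wanted = sys.argv[2] if len(sys.argv) > 2 else "default_t"  # from the thread
    for label_type, n in sorted(type_summary(root).items()):
        print("%8d  %s" % (n, label_type))
    hits = find_by_type(root, wanted)
    print("\n%d path(s) labelled %s" % (len(hits), wanted))
    for path in hits:
        print("  " + path)
```

Running it as `python3 labels.py /apps default_t` on the server in question would list exactly the inodes the find command reports, and the per-type count makes a stray type visible even when the offending file has since been deleted and recreated under a different name.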
