How do I find what's being denied by SELinux?
Another issue with working on SELinux...
We have a somewhat legacy server running Apache and I'm getting the following AVC denials in the audit log:
type=SYSCALL msg=audit(1354504450.788:403059): arch=40000003 syscall=221 success=yes exit=0 a0=20 a1=7 a2=e3b718 a3=e3b718 items=0 ppid=3206 pid=25561 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354504450.788:403059): avc: denied { lock } for pid=25561 comm="httpd" path=2F617070732F6C6F67732F73736C2F73736C5F6D75746578202864656C6574656429 dev=dm-0 ino=391711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
We're getting quite a few of these, but I'm not sure how to track down what is actually being denied. I'm thinking that, whatever it is, the default_t context probably isn't correct, but I don't know what to change the context on because it doesn't refer to a file.
Any ideas?
Responses
I would first look in the httpd log for the URL that triggers this AVC. Then, once you have the URL and can trigger it as often as you want, I would try to use strace on httpd, at least to see if the application is trying to open a file, or something like that.
default_t is the label of any directory created in /. Since SELinux does not know what content is in a default_t directory, it does not allow any confined domains to read/write in these directories.
If you want to place apache content into a new directory under /, you should label the content as apache content.
# semanage fcontext -a -t httpd_sys_content_t '/mydir(/.*)?'
# restorecon -R -v /mydir
Would cause all of the content in /mydir to be labeled permanently as apache read-only content. If you have some r/w content under there you could use the httpd_sys_rw_content_t flag.
man apache_selinux
Will have some useful info also.
Looking at your avc with ausearch -if /tmp/avc -i
Shows:
type=AVC msg=audit(12/02/2012 22:14:10.788:403059) : avc: denied { lock } for pid=25561 comm=httpd path=/apps/logs/ssl/ssl_mutex (deleted) dev=dm-0 ino=391711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(12/02/2012 22:14:10.788:403059) : arch=i386 syscall=fcntl64 success=yes exit=0 a0=0x20 a1=F_SETLKW a2=0xe3b718 a3=0xe3b718 items=0 ppid=3206 pid=25561 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
Which tells me you created a new directory under / named apps.
I would probably label this with the following commands
# semanage fcontext -a -t usr_t '/apps(/.*)?'
# semanage fcontext -a -t var_log_t '/apps/logs(/.*)?'
If these are only apache logs you could use httpd_log_t.
# restorecon -R -v /apps
If you have binary directories you might want to also label the bin directories as bin_t.
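The step the answer above performs with ausearch -i (turning the hex run in path= back into /apps/logs/ssl/ssl_mutex (deleted)) can be done offline on a copied audit.log. The following is an added example, not code from the original thread or from Red Hat: a small Python parser that undoes auditd's hex encoding of string fields, strips the "(deleted)" suffix, and tallies denials by source type, target type, object class and permission. The input it runs against is a constructed sample made from the two records quoted in the question; the script name avc_summary.py in the usage comment is an assumption.

```python
import re
import sys
from collections import Counter

# Constructed sample (the two records quoted in the question, in the form
# auditd writes them to /var/log/audit/audit.log); not taken from a live system.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1354504450.788:403059): arch=40000003 syscall=221 success=yes exit=0 a0=20 a1=7 a2=e3b718 a3=e3b718 items=0 ppid=3206 pid=25561 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354504450.788:403059): avc:  denied  { lock } for  pid=25561 comm="httpd" path=2F617070732F6C6F67732F73736C2F73736C5F6D75746578202864656C6574656429 dev=dm-0 ino=391711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
_HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')

# Fields auditd treats as free-form strings and therefore may hex-encode.
# Numeric fields such as ino= or a2= are left alone on purpose: they can
# look like valid hex too, and decoding them would corrupt the record.
STRING_FIELDS = {"path", "name", "comm", "exe", "cwd", "dir", "proctitle", "key"}
DELETED_SUFFIX = " (deleted)"


def decode_field(value):
    """Undo auditd's string encoding for one field value.

    auditd prints a "safe" string in double quotes and hex-encodes a string
    that contains a space, a quote or a control character. The path in the
    question is hex because the kernel appended " (deleted)" to it and the
    space forced the encoding; ausearch -i performs this same decoding.
    """
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if _HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    if not line.startswith("type=AVC "):
        return None
    m = _PERMS_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, raw in _FIELD_RE.findall(line):
        rec[key] = decode_field(raw) if key in STRING_FIELDS else raw
    # "(deleted)" means the inode was unlinked while httpd still held it open:
    # restorecon has no path left to relabel, so the fix is to label the
    # directory the file is created in, which (directly or through a type
    # transition rule) determines the label the next such file receives.
    path = rec.get("path", "")
    rec["deleted"] = path.endswith(DELETED_SUFFIX)
    if rec["deleted"]:
        rec["path"] = path[: -len(DELETED_SUFFIX)]
    # The SELinux type is the third component of user:role:type:level.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    # Usage (assumed script name): python3 avc_summary.py [/var/log/audit/audit.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            flag = " (deleted)" if rec["deleted"] else ""
            print(f'{rec["comm"]} pid={rec["pid"]} {rec["source_type"]} -> '
                  f'{rec["target_type"]} {rec["tclass"]} {{ {" ".join(rec["perms"])} }} '
                  f'path={rec["path"]}{flag}')
    for (src, tgt, cls, perm), n in summarize(text).most_common():
        print(f"{n:6d}  {src} -> {tgt} {cls}:{perm}")
```

Run against the sample it reports one httpd_t -> default_t file:lock denial on /apps/logs/ssl/ssl_mutex, flagged as deleted, which is exactly what the ausearch -i output in the answer shows; pointed at a real audit.log the per-tuple counts tell you which directory labels to fix first.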
