Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE Manual page 82

Chapter 5. Controlling and Maintaining SELinux

What is the target object? The path= and the tclass= tell you where and what the object is. You get its context from tcontext=. You may need the ino= to find an object if its path is not evident. This may happen because SELinux reports the path as relative to the device node dev=.
What is the permission attempted?
2. Knowing these essential who, what, where, and how questions should help you in determining the why. At this point it may be obvious, such as the tcontext= being set to a context the process clearly should not be writing to. This may point back to troubles in the application or script, or troubles in the type for the subject or object.
3. If you need to analyze the policy further, you can try using the source and target contexts as search parameters with the apol tool. You can learn more about how to do this in Section 6.3 Using apol for Policy Analysis.
4. If you think the interaction should be allowed and represents a policy bug, you can insert policy to allow it. Read Chapter 8 Customizing and Writing Policy for information on doing this, and file a bug report at http://bugzilla.redhat.com.
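As an added example (not from the guide), a small Python parser that pulls the who, what, where and how answers out of an avc: denied line, falling back to dev= and ino= when path= is absent or is not an absolute path; the sample message below is constructed for the example.

```python
import re

# Constructed sample in the RHEL 4 era "avc: denied" format (not taken from the manual).
SAMPLE_AVC = (
    'audit(1134112111.542:1): avc: denied { write } for pid=2345 '
    'exe=/usr/sbin/httpd path=/var/www/html/foo dev=hda3 ino=98765 '
    'scontext=user_u:system_r:httpd_t '
    'tcontext=system_u:object_r:httpd_sys_content_t tclass=file'
)

_PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an avc: denied line into its permission list and key=value fields."""
    m = _PERMS_RE.search(line)
    if m is None:
        raise ValueError("not an avc: denied message")
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line[m.end():])}
    fields['permissions'] = m.group(1).split()
    return fields


def context_type(ctx):
    """Return the type component of a user:role:type security context."""
    return ctx.split(':')[2]


def triage(line):
    """Answer the who / what / where / how questions from the troubleshooting list."""
    f = parse_avc(line)
    # Locate the object by path=; when the path is missing or only relative
    # to the mount point of the device, fall back to dev= and ino=.
    reported = f.get('path') or f.get('name')
    if reported is not None and reported.startswith('/'):
        where = reported
    else:
        where = 'inode %s on device %s' % (f.get('ino', '?'), f.get('dev', '?'))
        if reported is not None:
            where += ' (reported as %s)' % reported
    return {
        'who': context_type(f['scontext']),    # subject domain
        'what': context_type(f['tcontext']),   # object type
        'tclass': f['tclass'],                 # object class: file, lnk_file, ...
        'where': where,
        'how': f['permissions'],
    }
```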
5.2.12. Read an avc: denied Message
For information on how to read an AVC message, read Section 2.8.1 Understanding an avc: denied Message.
5.2.13. Specifying the Security Context of Entire File Systems
Using the mount -o context= command you can set a single context for an entire file system. This might be an already mounted file system that supports xattrs, or a network file system that obtains a genfs label such as cifs_t or nfs_t. This is explained in Section 2.4 File System Security Contexts.
For example, if you need to have Apache HTTP read from a mounted directory or loopback file system, you need to set the type to httpd_sys_content_t:
    mount -t nfs -o context=system_u:object_r:httpd_sys_content_t \
        server1.example.com:/shared/scripts /var/www/cgi
Tip
When troubleshooting httpd and SELinux problems, reduce the complexity of your situation. For example, if you have the file system mounted at /mnt and then symlinked to /var/www/html/foo, you have two security contexts to be concerned with. Since one is of the object class file and the other lnk_file, they are treated differently by the policy and unexpected behavior may occur.
5.2.14. Run a Command in a Specified Security Context
This is useful for scripting or testing policy, although it can be tricky to do correctly. The runcon command lets you specify the domain that you want to run a program or script in. For example, you could run
    runcon -t httpd_t /path/to/script
    # The arguments that appear after the command are considered to
    # be part of the command being run
for a script that tested for mislabeled content.