20


Chapter 2. SELinux Policy Overview


not affecting the application doing its tasks. This AV lets you silently deny and ignore the access


violation. For example, this


dontaudit


rule says to ignore when the


named_t


domain attempts to


read or get attributes on a file with the


root_t


type. Denial of this access attempt does not effect


named


doing its job, so the denial is ignored to keep the logs clean:


dontaudit named_t root_t:file { getattr read };


There


is


one


additional


AV


rule,


neverallow


.


This


AV


assertion,


defined


in


$SELINUX_SRC/assert.te


, is not part of the regular permission checking. The purpose of this


rule is to declare access vectors that must never be allowed. These are used to protect against policy


writing mistakes, especially where macros can provide unexpected rights. These assertions are


checked by the policy compiler,


checkpolicy


, when the policy is built, but after the entire policy


has been evaluated, and are not part of the runtime access vector cache.


Here is the syntax and an example. In practice, a wildcard character


*


is often used to cover all


instances possible in a rule field. The syntax is different in that it is possible to use


ifdef()


statements


as sources or targets:


# Syntax for AV assertion


neverallow


source_name(s)


target_name(s)


: \


-


.*-


.


class(es)


permission(s)


-


./-


.


In this example from


assert.te


, the


neverallow


rule verifies that every type that a domain can


enter into has the attribute


domain


. This prevents a rule from elsewhere in the policy allowing a


domain to transition to a type that is not a process type. The tilde in front,


~domain


, means "anything


that is not a domain":


# Verify that every type that can be entered by


# a domain is also tagged as a domain.


#


neverallow domain ~domain:process transition;


2.8.1. Understanding an


avc: denied


Message


When SELinux disallows an operation, a denial message is generated for the audit logs. In Red Hat


Enterprise Linux,


$AUDIT_LOG


is


/var/log/messages


. This section explains the format of these


log messages. For suggestions on using an


avc: denied


message for troubleshooting, refer to Sec 


tion 5.2.11 Troubleshoot User Problems With SELinux.


Example 2 1 shows a denial generated when a user's Web content residing in


~/public_html


does


not have the correct label.


Jan 14 19:10:04 hostname kernel: audit(1105758604.519:420):


\


avc:


denied


{ getattr } for


pid=5962 exe=/usr/sbin/httpd \


path=/home/auser/public_html dev=hdb2 ino=921135 \


scontext=root:system_r:httpd_t \


tcontext=user_u:object_r:user_home_t tclass=dir


Example 2 1. AVC Denial Message


This shows the message parts and an explanation of what the part means:


avc: denied


Message Explained


Jan 14 19:10:04


Timestamp on the audit message.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved