SELinux: Missing type enforcement (TE) allow rule

Solution 1

It appears that you are trying to have your web server write to a user's home directory. There are no SELinux reference policies to permit this behavior. You should think carefully about whether you should be serving content from users' home directories at all.

If you really need this access, you can use the audit2allow utility to generate a local policy module that you can load in and permit the access.
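The audit2allow workflow this answer points to, as an added example that is not part of the original answer: it takes the AVC line from the question as constructed input, shows the allow rule a local module built from it would contain, and runs the real build only where the SELinux tools are installed. The module name httpd_homedir_local and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original answers: the audit2allow workflow
# Solution 1 refers to, with a review step before anything is loaded.
# AVC_LINE is the denial from the question, embedded here as constructed input.
AVC_LINE='type=AVC msg=audit(1365021919.400:283): avc:  denied  { create } for  pid=2210 comm="mkdir" name="64F77DCE-9C9F-11E2-90A8-39AEF085A14A" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir'

# Summarise one AVC line as "<source type> <permission> <target type>:<class>",
# e.g. "httpd_t create user_home_t:dir".  Contexts are user:role:type:level,
# so the type is the third colon-separated field.
avc_summary() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "{")                        perm = $(i + 1)
            else if (index($i, "scontext=") == 1) { split($i, s, ":"); src = s[3] }
            else if (index($i, "tcontext=") == 1) { split($i, t, ":"); tgt = t[3] }
            else if (index($i, "tclass=") == 1)   cls = substr($i, 8)
        }
        print src, perm, tgt ":" cls
    }'
}

# The allow rule, in TE policy syntax, that permits exactly this denial.
# A local module built from the line carries a rule of this shape: here it
# lets the web server domain create directories under every user's home.
rule_from_avc() {
    set -- $(avc_summary "$1")     # $1=source type, $2=permission, $3=target:class
    echo "allow $1 $3 $2;"
}

# Build a local module from AVC lines on stdin and print the generated .te
# for review.  Loading (semodule -i) is deliberately left as a separate manual
# step: audit2allow only mirrors the denial, it does not judge whether the
# access should exist, which is why the comments call it a last resort.
build_local_module() {
    name=$1
    audit2allow -M "$name" || return 1
    echo "=== review $name.te, then load with: semodule -i $name.pp ==="
    cat "$name.te"
}

# Only attempt the real build where the SELinux tools exist (needs root and
# policycoreutils); the helpers above run anywhere.
if command -v audit2allow >/dev/null 2>&1; then
    printf '%s\n' "$AVC_LINE" | build_local_module httpd_homedir_local
else
    avc_summary "$AVC_LINE"      # httpd_t create user_home_t:dir
    rule_from_avc "$AVC_LINE"    # allow httpd_t user_home_t:dir create;
fi
```

On a real host, feed the output of `grep mkdir /var/log/audit/audit.log` (or the whole set of related denials) into build_local_module instead of the single embedded line, and read the .te before running semodule.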

Solution 2

An error occurs when the port you want to add has already been given a different security context. If you are using Tomcat, its fundamental HTTP port 8080 is of type http_cache_port_t. If you have built nginx on 8081, it is transproxy_port_t, and with either context the Apache web server generates an error because it cannot connect. If you need to change the security context, use the -m option instead of the -a option.

~# semanage port -l |grep 8081
transproxy_port_t   tcp      8081

and then

~# semanage port -l |grep http_port_t
http_port_t   tcp      80, 443, 488, 8008, 8009, 8443

Add

# semanage port -m -p tcp -t http_port_t  8081

Solution 3

I'm confused is the FTP via apache or just plain old FTP?

If it is plain old FTP check the SELinux context of where you are trying to make a new directory. It could be set incorrectly.

If it is via Apache:

You can enable Apache to use home directories via a command like:

setsebool -P httpd_enable_homedirs
chcon -R -t httpd_sys_content_t ~user/public_html

Reference: http://fedoraproject.org/wiki/SELinux/apache

Author: usa ims

Updated on September 18, 2022

Comments

  • usa ims, almost 2 years

    When I run my FTP test to test for full functionality, I'm concerned on why am I getting an avc denial error on such a popular command, such as 'mkdir'?

    Here is the AVC denial message:

    type=AVC msg=audit(1365021919.400:283): avc:  denied  { create } for  pid=2210 comm="mkdir" name="64F77DCE-9C9F-11E2-90A8-39AEF085A14A" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

    According to Fedora's web site, Missing Type Enforcement rules are usually caused by bugs in SELinux policy. So, is this truly a bug?

  • Matthew Ife, over 11 years
    Writing into users' home directories as a web server really is pretty anomalous behaviour. SELinux is doing the right thing here by flagging this.
  • Andrew B, over 11 years
    When you have enough reputation to leave comments, please use those to request additional details. Helps to keep things nice and tidy around here.
  • Michael Hampton, over 11 years
    This does not allow writing to the user home directories.
  • user167729, over 11 years
    It may not, but I wasn't exactly sure what was going on in the backend. Depending on his setup he may need to turn on one or more SELinux bools such as allow_httpd_anon_write or allow_httpd_sys_script_anon_write. Audit2allow will allow you to create a policy. However, I would argue that should be a last resort and not "the go to solution" for SELinux issues.
  • Elijah Lynn, about 7 years
    Example needed.
  • Michael Hampton, about 7 years
    @ElijahLynn Example of what?
  • Elijah Lynn, about 7 years
    Example of generating a local policy module with audit2allow and loading it.