LinuxQuestions.org


fanoflq 02-22-2017 09:45 PM

SELinux not sending some log message?
 
I created this directory for anonymous upload.
Code:

[root@server1 ~]# ls -alZd /var/ftp/uploads/
drwxr-x---. root root unconfined_u:object_r:public_content_t:s0 /var/ftp/uploads/

Now I use lftp to access and put a file in the upload subdirectory.
Then, on another terminal, I attempt to put a file like so:
Code:

[user1@server1 ~]$ lftp server1                                                                                         
lftp server1:~> ls             
drwxr-xr-x    2 0        0              6 Nov 05 19:43 pub
drwxr-x---    2 0        0              6 Feb 23 02:36 uploads
lftp server1:/> put /etc/hosts 
put: [Access failed: 553 Could not create file. (hosts)
lftp server1:/>


This should cause a SELinux log to be sent to audit.log, correct?
So I decided to look for what is happening in audit.log.

Quote:

[root@server1 ~]# grep -i AVC /var/log/audit/audit.log
type=USER_AVC msg=audit(1484850001.270:507): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1484928001.515:694): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

...
...


type=USER_AVC msg=audit(1485928330.770:255): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=1000 uid=0 gid=0 cmdline="systemctl -t service mask all" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1487819347.532:243): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[root@server1 ~]#

But there is no such SELinux log message related to denial of access to copy a file into /var/ftp/uploads.
Why?

Thank you.

rknichols 02-23-2017 09:19 AM

It might be that this denial has a "dontaudit" rule, though offhand that doesn't seem likely to me. You can disable all of the "dontaudit" rules by running "semodule -DB". Then see if your expected AVC denial shows up. Run "semodule -B" to turn the "dontaudit" rules back on and stop the flood.
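
An added example, not part of the thread: `grep -i AVC` also matches policyload and setenforce notices, so this Python filter keeps only real denials from audit records and selects them by source domain. The first three sample records are the ones quoted in the question; the fourth is constructed, and `ftpd_t` as the FTP daemon's domain is an assumption.

```python
import re

# Header of any audit record: record type and event serial number.
HEADER = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
# The denial itself; kernel AVC records pad these tokens with extra spaces.
DENIED = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD = re.compile(r'\b(scontext|tcontext|tclass|comm)=("[^"]*"|\S+)')

def parse_denials(lines):
    """Return one dict per real denial; policyload/setenforce notices are skipped."""
    out = []
    for line in lines:
        head, hit = HEADER.match(line), DENIED.search(line)
        if not head or not hit or head.group(1) not in ("AVC", "USER_AVC"):
            continue
        rec = {"type": head.group(1), "serial": int(head.group(2)),
               "perms": hit.group(1).split()}
        for key, val in FIELD.findall(line):
            rec.setdefault(key, val.strip('"'))
        out.append(rec)
    return out

def domain(context):
    """Type field of an SELinux context written as user:role:type:level."""
    return context.split(":")[2]

def denials_from(lines, source_domain):
    """Denials whose source context (scontext) runs in the given domain."""
    return [d for d in parse_denials(lines)
            if domain(d.get("scontext", "::")) == source_domain]

# Records 1-3 are copied from the thread. Record 4 is CONSTRUCTED to show what a
# kernel denial for the FTP daemon would look like; ftpd_t, the pid, comm, dev
# and inode values are assumptions, not taken from the thread.
SAMPLE = """type=USER_AVC msg=audit(1484850001.270:507): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1484928001.515:694): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1485928330.770:255): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=1000 uid=0 gid=0 cmdline="systemctl -t service mask all" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1487819400.100:260): avc:  denied  { write } for  pid=2301 comm="vsftpd" name="uploads" dev="dm-0" ino=1234567 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir""".splitlines()

if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        print(d["type"], d["serial"], domain(d["scontext"]), d["perms"], d["tclass"])
```

Feed it the lines of /var/log/audit/audit.log after running "semodule -DB" and repeating the failed put, then restore the rules with "semodule -B". If no denial for the FTP daemon appears even then, check the directory's ordinary permissions: a request refused by the file mode bits never reaches the SELinux check, so it leaves no AVC record.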

fanoflq 02-23-2017 10:00 AM

Thanks.

