On Fri, 2013-11-15 at 10:46 -0500, m.roth@5-cent.us wrote:
Good thought. NOW I'm *really* confused. ll -Z of the file gives me -rw-r--r--. <user> <group> system_u:system_r:httpd_sys_content_t:s0 <file>
Meanwhile, grep avc /var/log/audit/audit.log | grep <filename> gets me: <...> type=AVC msg=audit(1384527075.382:7606586): avc: denied { read } for pid=1329 comm="httpd" name="<filename>" dev=sdc1 ino=66691074 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"Unlabeled_t"?
You should probably watch some of my videos on youtube (1)
Because in some of those videos i explain what it means if you see entities with the unlabeled_t type security identifier
But i will give you a run-down of it here:
There is this concept of "initial security identifiers" in SELinux. Initial security identifiers are security identifiers that are hard-coded into SELinux
Initial security identifiers are used to address three security challenges:
1. deal with system initialization 2. deal with fixed resources 3. deal with fail-over
I will touch on the third challenge, because this is related to your issue
Basically, SELinux uses initial sids for fail-over because:
SELinux needs a way to deal with mislabeled, and unlabeled files on running systems.
The unlabeled initial sid is associated to entities by SELinux if a entity has one or more invalid security indentifiers
The unlabeled_t security identifier is associated to the unlabeled initial security identifier
So lets put that into context of your issue
You have the following denial:
avc: denied { read } for pid=1329 comm="httpd" name="<filename>" dev=sdc1 ino=66691074 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
You have the "<filename>" file labeled as follows:
system_u:system_r:httpd_sys_content_t:s0
We know that SELinux associates the unlabeled_t security identifier to entities if the entity has one or more invalid security identifier
So we know the file has one or more invalid security identifier
The invalid security identifier in this case is the system_r role security identifier.
On file system objects like files only the object_r role security identifier is valid (if you want to know why watch my "selinux explained" video on you tube (1)
So to get rid of the unlabeled_t issue you need to change the role security identifier of the file called "<filename>"
for example: chcon -r object_r "<filename>"
..And remember, on file system objects the role sid should always be object_r