SE Linux write permission denied

Hi,

In my server I am getting below errors in "/var/log/messages":

Oct  8 14:45:44 LKOGOMEEMM01 kernel: type=1400 audit(1444295744.792:15818): avc:  denied  { write } for  pid=53421 comm="ip" path="/var/VRTSvcs/log/tmp/IPMultiNIC-8" dev=dm-0 ino=2754879 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

When I checked the directory "/var/VRTSvcs/log/tmp/"

-rw-------. 1 root root  0 Aug 22 05:42 IPMultiNIC-1
-rw-------. 1 root root  0 Aug 22 05:42 IPMultiNIC-0
-rw-------. 1 root root  0 Aug 22 05:42 IPMultiNIC-8
-rw-------. 1 root root  0 Aug 22 05:42 IPMultiNIC-7
-rw-------. 1 root root  0 Aug 22 05:42 IPMultiNIC-6
-rw-------. 1 root root  0 Aug 22 05:42 IPMultiNIC-5
-rw-------. 1 root root  0 Aug 22 05:42 IPMultiNIC-4
-rw-------. 1 root root  0 Aug 22 05:42 IPMultiNIC-3
-rw-------. 1 root root  0 Aug 22 05:42 IPMultiNIC-2
-rw-------. 1 root root  0 Aug 22 05:42 IPMultiNIC-9

I couldn't find any problem. One small observation I could make is that on this problematic server the file permissions have a "." at the end of each permission string ("-rw-------."), which is not there on any other server.

Thanks in advance.

//BR

That . (dot) at the end of the display of the discretionary access control (DAC) permissions means that the file has an SELinux security context.
You may display the mandatory access control (MAC) permissions of SELinux by using -Z (capital Z), as in ls -Z

The issue you are experiencing is due to the label context of the application ip, with SELinux security label context ifconfig_t, trying to write to the files /var/VRTSvcs/log/tmp/IPMultiNIC-* with SELinux security label context var_t. This is exactly what SELinux is supposed to do: deny access to mismatched targets. You might need to investigate a bit about SELinux if you want to fix it.

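Aia's reading of the AVC record, as an added example that is not part of the thread and not Red Hat's or Veritas's code: a small POSIX sh script that pulls the fields out of a denial line and prints the who/what/which-label summary. The sample is the line posted above, embedded as constructed input; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: decode an SELinux AVC denial record.
# AVC_SAMPLE is the line posted above, embedded here as constructed input.
AVC_SAMPLE='Oct  8 14:45:44 LKOGOMEEMM01 kernel: type=1400 audit(1444295744.792:15818): avc:  denied  { write } for  pid=53421 comm="ip" path="/var/VRTSvcs/log/tmp/IPMultiNIC-8" dev=dm-0 ino=2754879 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# avc_field LINE KEY: value of the space-separated KEY=VALUE pair, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission set inside "{ ... }", e.g. "write" or "read write"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level, which is the part
# the policy rules are written in terms of (ifconfig_t, var_t, tmp_t, ...)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_explain LINE: one-line reading of the denial
avc_explain() {
    printf '%s (domain %s) was denied %s on %s %s (labelled %s)\n' \
        "$(avc_field "$1" comm)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" path)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

avc_explain "$AVC_SAMPLE"
```

On a live box the same records come from `ausearch -m avc -ts recent` (or the raw lines in /var/log/messages or /var/log/audit/audit.log); the two types the summary prints, the source domain and the target file type, are exactly the pair a policy allow rule has to cover.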

Hi Aia,

Thanks for your reply. I used ls -Z on two of my servers. Following is the output:

Output in the problematic server:

# ls -Z IPMultiNIC-*
-rw-------. root root system_u:object_r:var_t:s0       IPMultiNIC-0
-rw-------. root root system_u:object_r:var_t:s0       IPMultiNIC-1
-rw-------. root root system_u:object_r:var_t:s0       IPMultiNIC-2
-rw-------. root root system_u:object_r:var_t:s0       IPMultiNIC-3
-rw-------. root root system_u:object_r:var_t:s0       IPMultiNIC-4
-rw-------. root root system_u:object_r:var_t:s0       IPMultiNIC-5
-rw-------. root root system_u:object_r:var_t:s0       IPMultiNIC-6
-rw-------. root root system_u:object_r:var_t:s0       IPMultiNIC-7
-rw-------. root root system_u:object_r:var_t:s0       IPMultiNIC-8
-rw-------. root root system_u:object_r:var_t:s0       IPMultiNIC-9

Output in the healthy Server:

# ls -Z IPMultiNIC-*
-rw------- root root ?                                IPMultiNIC-0
-rw------- root root ?                                IPMultiNIC-1
-rw------- root root ?                                IPMultiNIC-2
-rw------- root root ?                                IPMultiNIC-3
-rw------- root root ?                                IPMultiNIC-4
-rw------- root root ?                                IPMultiNIC-5
-rw------- root root ?                                IPMultiNIC-6
-rw------- root root ?                                IPMultiNIC-7
-rw------- root root ?                                IPMultiNIC-8
-rw------- root root ?                                IPMultiNIC-9

Can you help me fix the issue by making the permissions on the problematic server the same as on the healthy server?

Thanks in advance.

//BR

You can remove the SELinux context for these files using

semanage fcontext -d

Read up about this command before using it.

The issue has been dealt with on your "healthy server" by disabling SELinux completely. New files created after that do not get any SELinux file context, and that's why they show without a . (dot) at the end of the normal Linux permissions and a ? shows instead of the SELinux context.
Security is not convenient, and unfortunately it is easier to choose the path of least resistance, in this case disabling SELinux, instead of learning how it could be an asset in securing the server.

---------- Post updated 10-15-15 at 08:44 AM ---------- Previous update was 10-14-15 at 10:35 AM ----------

Test this solution based on what you have posted so far.

Install policycoreutils-python if you do not have it yet, from the official repository (it is not installed by default with RHEL). This package contains semanage, which you'll need to manage SELinux.

Then try:

semanage fcontext -a -t tmp_t "/var/VRTSvcs/log/tmp(/.*)?"
restorecon -Rv /var/VRTSvcs/log/tmp

That would set anything in /var/VRTSvcs/log/tmp to have a file context of tmp_t, which is one of the file contexts that the ifconfig_t process type is allowed to use.
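Aia's semanage/restorecon recipe with the checks around it that a practitioner would want, as an added example that is not part of the thread and not Red Hat's or Veritas's code. It assumes semanage (from policycoreutils-python), restorecon, matchpathcon and ausearch as found on a RHEL 6/7 system, and optionally sesearch from setools; the function names and the RUN_FIX/DRY_RUN switches are mine, and the defaults are the values from this thread.

```shell
#!/bin/sh
# Added example, not from the thread: apply the relabel recipe with checks
# around it. Defaults are the thread's values; function names are mine.
#   RUN_FIX=1 sh relabel.sh [DIR] [TYPE] [DOMAIN]      apply
#   RUN_FIX=1 DRY_RUN=1 sh relabel.sh ...              only print the commands

# fcontext_pattern DIR: the regex semanage wants for DIR and everything under it
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# fcontext_action PATTERN LISTING: "-a" if PATTERN is absent from the local
# customisations LISTING (output of `semanage fcontext -l -C`), else "-m";
# a second `-a` on the same pattern fails with "already defined"
fcontext_action() {
    if printf '%s\n' "$2" | grep -qF -- "$1"; then
        printf '%s\n' -m
    else
        printf '%s\n' -a
    fi
}

# run CMD...: echo the command, then run it unless DRY_RUN=1
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# fix_labels DIR TYPE DOMAIN
fix_labels() {
    dir=$1 type=$2 domain=$3
    pat=$(fcontext_pattern "$dir")
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; install policycoreutils-python" >&2
        return 2
    fi
    # 1. Confirm the loaded policy really lets DOMAIN write files of TYPE
    #    (sesearch is in setools; the check is skipped if it is not installed).
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -A -s "$domain" -t "$type" -c file -p write | grep -qw allow || {
            echo "policy has no rule: allow $domain $type:file write" >&2
            return 3
        }
    fi
    # 2. What is on disk now versus what the file-context database says
    echo "on disk now: $(ls -dZ "$dir")"
    echo "policy says: $(matchpathcon "$dir")"
    # 3. Persist the mapping (a plain chcon would be lost on the next relabel),
    #    then apply it to the files that already exist
    action=$(fcontext_action "$pat" "$(semanage fcontext -l -C)")
    run semanage fcontext "$action" -t "$type" "$pat"
    run restorecon -Rv "$dir"
    # 4. Verify the label and look for fresh denials from DOMAIN
    echo "policy now:  $(matchpathcon "$dir")"
    ls -Z "$dir"
    ausearch -m avc -ts recent 2>/dev/null | grep -F "$domain" ||
        echo "no recent AVC denials for $domain"
}

if [ "${RUN_FIX:-0}" = 1 ]; then
    fix_labels "${1:-/var/VRTSvcs/log/tmp}" "${2:-tmp_t}" "${3:-ifconfig_t}"
fi
```

The sesearch step is the guard for the assumption behind the recipe (that tmp_t is a type ifconfig_t may write); if it returns no allow rule, pick a different target type before relabelling anything. Keep the pattern as narrow as the directory the application actually writes to; relabelling all of /var would hand that domain write access to far more than it needs.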