
When I run my FTP test to test for full functionality, I'm concerned about why I'm getting an AVC denial error on such a popular command as 'mkdir'.

Here is the AVC denial message:

type=AVC msg=audit(1365021919.400:283): avc:  denied  { create } for  pid=2210 comm="mkdir" name="64F77DCE-9C9F-11E2-90A8-39AEF085A14A" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

According to Fedora's web site, missing Type Enforcement rules are usually caused by bugs in SELinux policy. So, is this truly a bug?

usa ims

3 Answers


It appears that you are trying to have your web server write to a user's home directory. There are no SELinux reference policies to permit this behavior. You should think carefully about whether you should be serving content from users' home directories at all.

If you really need this access, you can use the audit2allow utility to generate a local policy module that you can load in and permit the access.

Michael Hampton
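To make the question's AVC line and this answer's audit2allow advice concrete, here is an added Python example (not code from the question, the answer, or the SELinux project) that parses AVC denial records, groups them by source type, target type and object class, and prints the allow rule that audit2allow would generate from them. The second AVC record in the sample is constructed to show grouping; the first is the one from the question. Reviewing the generated rule this way, before loading anything, is what lets you decide whether a policy module is really the right fix or whether, as the answer says, httpd should not be writing into home directories at all.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the question, a second constructed
# record of the same kind, and a SYSCALL record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1365021919.400:283): avc:  denied  { create } for  pid=2210 comm="mkdir" name="64F77DCE-9C9F-11E2-90A8-39AEF085A14A" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1365021920.100:284): avc:  denied  { write add_name } for  pid=2210 comm="mkdir" name="public_html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1365021919.400:283): arch=c000003e syscall=83 success=no exit=-13
"""

# Permissions that amount to modifying the target; a rule granting these to
# httpd_t on user_home_t is a much bigger decision than a read-only one.
WRITE_LIKE = {"write", "append", "create", "add_name", "remove_name",
              "unlink", "rename", "setattr"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the denial tuple from one AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    # A context is user:role:type:level; the type is what TE rules are about.
    d["source_type"] = d["scontext"].split(":")[2]
    d["target_type"] = d["tcontext"].split(":")[2]
    comm = re.search(r'comm="([^"]*)"', line)
    d["comm"] = comm.group(1) if comm else None
    return d


def collect_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    return rules


def te_rules(text):
    """Render the grouped denials as allow rules in audit2allow's output form."""
    out = []
    for (src, tgt, cls), perms in sorted(collect_denials(text).items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out


def review(text):
    """Flag rules that would grant write-class access so they get a second look."""
    notes = []
    for (src, tgt, cls), perms in sorted(collect_denials(text).items()):
        writes = sorted(perms & WRITE_LIKE)
        if writes:
            notes.append(f"{src} -> {tgt}:{cls} grants write-class access {writes}")
    return notes


if __name__ == "__main__":
    for rule in te_rules(SAMPLE_AUDIT):
        print(rule)
    for note in review(SAMPLE_AUDIT):
        print("REVIEW:", note)
```

Feeding real output of `ausearch -m avc` into `te_rules` gives the same rule text you would see from `audit2allow -a`; the `review` step is the part audit2allow does not do for you.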

I'm confused: is the FTP via Apache or just plain old FTP?

If it is plain old FTP check the SELinux context of where you are trying to make a new directory. It could be set incorrectly.

If it is via Apache:

You can enable Apache to use home directories via a command like:

setsebool -P httpd_enable_homedirs on
chcon -R -t httpd_sys_content_t ~user/public_html

Reference: http://fedoraproject.org/wiki/SELinux/apache

Andrew B
  • When you have enough reputation to leave comments, please use those to request additional details. Helps to keep things nice and tidy around here. – Andrew B Apr 03 '13 at 23:53
  • This does not allow _writing_ to the user home directories. – Michael Hampton Apr 04 '13 at 00:22
  • It may not, but I wasn't exactly sure what was going on in the backend. Depending on his setup he may need to turn on one or more SELinux bools such as allow_httpd_anon_write or allow_httpd_sys_script_anon_write. audit2allow will allow you to create a policy. However, I would argue that should be a last resort and not "the go to solution" for SELinux issues. – user167729 Apr 04 '13 at 18:44

An error occurs when a different security context is already assigned to the port you want to add. If you are using Tomcat, the basic HTTP port 8080 is of type http_cache_port_t. If you are using nginx built on 8081, it is transproxy_port_t; in either context the Apache web server generates an error because it cannot connect. If you need to change the security context, use the -m option instead of the -a option.

~# semanage port -l |grep 8081
transproxy_port_t   tcp      8081

and then

~# semanage port -l |grep http_port_t
http_port_t   tcp      80, 443, 488, 8008, 8009, 8443

Add

# semanage port -m -p tcp -t http_port_t  8081
AHashmi
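The point of this answer is that `semanage port -a` fails when the port already carries a type, and `-m` is the right verb in that case. As an added Python example (not code from the answer or from the SELinux tools), here is a small parser for `semanage port -l` output that looks up the current type of a port, handles port ranges, and decides between `-a` and `-m`. The sample listing is constructed from the two lines quoted in the answer plus the standard http_cache_port_t definition; a column header is included so the parser has to skip it.

```python
import re

# Constructed sample of `semanage port -l` output (not captured from a host):
# the two lines quoted in the answer plus the http_cache_port_t definition
# that gives Tomcat's 8080 its type.
SAMPLE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
transproxy_port_t              tcp      8081
"""

LINE_RE = re.compile(r'(\S+_port_t)\s+(tcp|udp)\s+(.*)')


def parse_port_list(text):
    """Map (proto, port) -> port type, expanding 'lo-hi' ranges."""
    mapping = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or anything else
        ptype, proto, ports = m.groups()
        for item in ports.split(","):
            item = item.strip()
            if "-" in item:
                lo, hi = item.split("-")
                numbers = range(int(lo), int(hi) + 1)
            else:
                numbers = [int(item)]
            for p in numbers:
                mapping[(proto, p)] = ptype
    return mapping


def current_type(text, proto, port):
    """Return the type currently labelling proto/port, or None if unlabelled."""
    return parse_port_list(text).get((proto, port))


def semanage_port_cmd(text, proto, port, wanted_type):
    """Return the semanage command that gives proto/port wanted_type.

    -a only works for a port with no type yet; a port that already has one
    (like 8081 as transproxy_port_t in the answer) needs -m. Returns None
    when the port already has the wanted type.
    """
    cur = current_type(text, proto, port)
    if cur == wanted_type:
        return None
    flag = "-m" if cur else "-a"
    return f"semanage port {flag} -p {proto} -t {wanted_type} {port}"


if __name__ == "__main__":
    for port in (8081, 8080, 9999):
        print(port, current_type(SAMPLE_PORT_LIST, "tcp", port),
              semanage_port_cmd(SAMPLE_PORT_LIST, "tcp", port, "http_port_t"))
```

On a real host, pipe `semanage port -l` into `parse_port_list` instead of the sample; the `-m` versus `-a` decision is exactly the one the answer makes by hand with its two grep commands.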