Those who use SELinux sometimes run into the situation where an application running with one security context type tries to access a resource that belongs to another security context type. SELinux then denies access to the resource, even if the permissions are set to 777 and you change the owner:group of the resource.
Let's take the following example: the vsftpd daemon needs to read index.html, which belongs to the httpd daemon and is labelled with the httpd_sys_content_t security context.
-rw-r--r-- userA userA user_u:object_r:httpd_sys_content_t index.html
If you look into the audit log you will find something similar to the following:
type=AVC msg=audit(1297255596.902:49856): avc: denied { search } for pid=4830 comm="vsftpd" name="html" dev=dm-0 ino=13668059 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
At this stage you can use audit2allow to help you create the vsftpd.te file:
#============= ftpd_t ==============
allow ftpd_t httpd_sys_content_t:dir search;
Below is a more complete vsftpd.te file that allows ftpd to read, write, etc. files and directories, system wide, that belong to the httpd_sys_content_t type.
module vsftpd 1.0;

require {
    type ftpd_t;
    type httpd_sys_content_t;
    class dir { read write search getattr add_name remove_name create rmdir };
    class file { lock read write getattr create append unlink rename };
}

#============= ftpd_t ==============
allow ftpd_t httpd_sys_content_t:dir { read write search getattr add_name remove_name create rmdir };
allow ftpd_t httpd_sys_content_t:file { lock read write getattr create append unlink rename };
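To make the two steps above concrete (turning the AVC denial into an allow rule, then wrapping the rules in a module source with a require block), here is an added example that is not from the original post and not the audit2allow tool itself: a small sh + awk stand-in that runs without SELinux installed. The function names avc_to_allow and rules_to_te are this example's own, and the sample input is constructed: the first AVC line is the one quoted above, the other two are made up so that several denied permissions for the same class get merged.

```shell
#!/bin/sh
# Added example (not from the post): a minimal stand-in for the audit2allow step,
# written in plain sh + awk so it runs without SELinux installed.
#   avc_to_allow  - turns raw AVC denial lines into candidate allow rules
#   rules_to_te   - wraps those rules into a .te module source with a require block
# Only the fields shown in the post's audit line are handled (scontext, tcontext,
# tclass and the denied { perms } set); the real tool understands far more.

# Constructed sample input: the first line is the denial quoted in the post, the
# other two are made up to show several permissions being merged per class.
SAMPLE_AVC='type=AVC msg=audit(1297255596.902:49856): avc: denied { search } for pid=4830 comm="vsftpd" name="html" dev=dm-0 ino=13668059 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1297255597.100:49857): avc: denied { read getattr } for pid=4830 comm="vsftpd" name="index.html" dev=dm-0 ino=13668060 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1297255598.250:49858): avc: denied { write } for pid=4830 comm="vsftpd" name="index.html" dev=dm-0 ino=13668060 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_to_allow: read AVC lines on stdin, print one allow rule per
# (source type, target type, class) with all denied permissions merged,
# in order of first appearance.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        # the denied permission set sits between the first "{" and "}"
        perms = $0
        sub(/^.*denied \{ */, "", perms)
        sub(/ *\}.*$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { src = $i; sub(/^scontext=/, "", src) }
            else if ($i ~ /^tcontext=/) { tgt = $i; sub(/^tcontext=/, "", tgt) }
            else if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        # a context is user:role:type[:level]; the third field is the type
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] SUBSEP t[3] SUBSEP cls
        if (!(key in order)) { order[key] = ++count; keys[count] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = seen[key] (seen[key] == "" ? "" : " ") p[j]
    }
    END {
        for (i = 1; i <= count; i++) {
            split(keys[i], k, SUBSEP)
            print "allow " k[1] " " k[2] ":" k[3] " { " seen[keys[i]] " };"
        }
    }'
}

# rules_to_te MODNAME: read allow rules on stdin and emit a .te source whose
# require block declares every type and class (with permissions) the rules use.
rules_to_te() {
    awk -v mod="$1" '
    /^allow / {
        rules[++nr] = $0
        # $2 is the source type, $3 is target_type:class
        split($3, tc, ":")
        if (!($2 in typeseen))     { typeseen[$2] = 1;     typelist[++nt] = $2 }
        if (!(tc[1] in typeseen))  { typeseen[tc[1]] = 1;  typelist[++nt] = tc[1] }
        if (!(tc[2] in classseen)) { classseen[tc[2]] = 1; classlist[++nc] = tc[2] }
        perms = $0
        sub(/^[^{]*\{ */, "", perms)
        sub(/ *\}.*$/, "", perms)
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " classperm[tc[2]] " ", " " p[j] " ") == 0)
                classperm[tc[2]] = classperm[tc[2]] (classperm[tc[2]] == "" ? "" : " ") p[j]
    }
    END {
        print "module " mod " 1.0;"
        print ""
        print "require {"
        for (i = 1; i <= nt; i++) print "    type " typelist[i] ";"
        for (i = 1; i <= nc; i++) print "    class " classlist[i] " { " classperm[classlist[i]] " };"
        print "}"
        print ""
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# Demo: the sample denials as allow rules, then as a complete vsftpd.te source.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | rules_to_te vsftpd
```

On a real system the equivalent is to feed the daemon's denials (for example from ausearch -m avc -c vsftpd) into audit2allow -M vsftpd, which writes vsftpd.te and vsftpd.pp for you. Either way, read the generated rules before loading them: every allow rule widens what ftpd_t may do, and a denial on a file that simply carries the wrong label is better fixed by relabelling it (restorecon) than by teaching the policy to permit the access.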
Now that we have our vsftpd.te file we need to compile it into a module (.mod), then package it into a policy package (.pp), and finally load it:
root# checkmodule -M -m -o vsftpd.mod vsftpd.te
checkmodule: loading policy configuration from vsftpd.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to vsftpd.mod
root# semodule_package -o vsftpd.pp -m vsftpd.mod
root# semodule -i vsftpd.pp
Or, if you're a lazy admin like me, you can use the following script: you just need to create the vsftpd.te file and run the script, passing it the name of the module.
#!/bin/bash
# Usage: ./loadmod.sh <module name>   (expects <module name>.te in the current directory)
MODNAME=$1

if [ -z "$MODNAME" ]; then
    echo "Usage: $0 <module name>"
    exit 1
fi

if [ ! -f "${MODNAME}.te" ]; then
    echo "Couldn't find the ${MODNAME}.te non-base policy module"
    exit 1
fi

# Compile the type enforcement source into a binary module (-M: module, -m: non-base)
checkmodule -M -m -o "${MODNAME}.mod" "${MODNAME}.te"
if [ $? -gt 0 ]; then
    echo "Error processing ${MODNAME}.te"
    exit 1
fi

# Bundle the module into a policy package
semodule_package -o "${MODNAME}.pp" -m "${MODNAME}.mod"
if [ $? -gt 0 ]; then
    echo "Error creating policy module package ${MODNAME}.pp"
    exit 1
fi

# Install the package into the running policy
semodule -i "${MODNAME}.pp"
if [ $? -gt 0 ]; then
    echo "Error installing policy module ${MODNAME}.pp"
    exit 1
fi