Questo contenuto non è disponibile nella lingua selezionata.
50.2.4. Granting Access to a Directory or a Tree
Similar to standard Linux DAC permissions, a targeted daemon must have SELinux permissions to be able to descend the directory tree. This does not mean that a directory and its contents need to have the same type. There are many types, such as
root_t
, tmp_t
, and usr_t
that grant read access for a directory. These types are suitable for directories that do not contain any confidential information, and that you want to be widely readable. They could also be used for a parent directory of more secured directories with different contexts.
If you are working with an
avc: denied
message, there are some common problems that arise with directory traversal. For example, many programs run a command equivalent to ls -l /
that is not necessary to their operation but generates a denial message in the logs. For this you need to create a dontaudit
rule in your local.te
file.
When trying to interpret AVC denial messages, do not be misled by the
path=/
component. This path is not related to the label for the root file system, /
. It is actually relative to the root of the file system on the device node. For example, if your /var/
directory is located on an LVM (Logical Volume Management [22]) device, /dev/dm-0
, the device node is identified in the message as dev=dm-0
. When you see path=/
in this example, that is the top level of the LVM device dm-0
, not necessarily the same as the root file system designation /
.
[22]
LVM is the grouping of physical storage into virtual pools that are partitioned into logical volumes.