
I've been able to figure this out a little easier in the past just due to the context but this one has me stumped. When I run sealert -a /var/log/audit/audit.log and get the typical output such as...

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/php-fpm from write access on the file index.html.

*****  Plugin httpd_write_content (92.2 confidence) suggests   ***************

If you want to allow php-fpm to have write access on the index.html file
Then you need to change the label on 'index.html'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t 'index.html'
# restorecon -v 'index.html'

...
...
...

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0:c30
Target Objects                index.html [ file ]
Source                        php-fpm
Source Path                   /usr/sbin/php-fpm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           php-fpm-... 
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     --REMOVED--
Platform                      --REMOVED--
Alert Count                   12
First Seen                    2020-07-28 10:31:59 EDT
Last Seen                     2020-07-28 10:31:59 EDT
Local ID                      --REMOVED--

Raw Audit Messages
type=AVC msg=audit(...): avc:  denied  { write } for  pid=... comm="php-fpm" name="index.html" dev="sda" ino=... scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0:c30 tclass=file permissive=0


type=SYSCALL msg=audit(...): arch=x86_64 syscall=access success=no exit=EACCES a0=... a1=2 a2=0 a3=0 items=0 ppid=... pid=... auid=... uid=... gid=... euid=... suid=... fsuid=... egid=... sgid=... fsgid=... tty=(none) ses=... comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=access AUID=unset UID=...  GID=...  EUID=...  SUID=...  FSUID=...  EGID=...  SGID=...  FSGID=... 

Hash: php-fpm,httpd_t,httpd_sys_content_t,file,write

--------------------------------------------------------------------------------

(some info removed for brevity, some for privacy)

There is nothing in this synopsis that indicates the location of the index.html file anywhere. My only thought is that one of the bits of info returned can be used to get a more detailed answer? But which? I'm sure with a little time I could figure out this specific one, as there won't be too many index.html files on my system, but I keep running into this and it's very time consuming trying to locate the files being referenced. Any help would be greatly appreciated!

oucil
  • Be careful. It is very likely that you have gone much too far in over-obfuscation here. See [here](https://meta.serverfault.com/q/963/126632) for guidance. – Michael Hampton Jul 28 '20 at 18:45
  • Thanks @MichaelHampton, but in this case, none of the values themselves are important to the question, only the key ident that I should be using to look up more info, such as the `ino=...` referenced in the answer provided below. Never hurts to provide the reminders though, cheers! – oucil Jul 29 '20 at 12:54

1 Answer


You should be able to track it down using find and the inode number ino=... that you have removed.

user584912
  • Thanks very much, I've found a good example of what you mentioned here (https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details) thanks to your hint. If you want to update your answer with an example of how to perform the action you suggest, which is best for future users with similar questions and just in case this link dies, I'll go ahead and accept your answer. – oucil Jul 29 '20 at 12:59
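The lookup the answer describes, as an added example that is not from the answer or the linked wiki: pull the `ino=` and `dev=` fields out of the AVC line and search the matching filesystem with `find -inum`. The directory layout and the AVC line are constructed here so the script runs stand-alone; on a real system the search root is the mount point of the `dev=` device.

```shell
#!/bin/sh
# Added example: locate the file an SELinux AVC denial refers to by inode.
# The AVC line and the index.html below are constructed for demonstration.

# Extract the inode number from an AVC audit line (the ino= field).
avc_inode() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]ino=\([0-9]*\).*/\1/p'
}

# Extract the block device from the AVC line (the dev= field), e.g. sda1 or dm-0.
avc_dev() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]dev="\([^"]*\)".*/\1/p'
}

# Search one filesystem subtree for the inode. Inode numbers are only unique
# within a filesystem, so -xdev stops find from crossing into other mounts
# where the same number would name an unrelated file. On a real host the root
# comes from the dev= field, e.g. root=$(findmnt -n -o TARGET "/dev/$dev").
find_by_inode() {
    find "$1" -xdev -inum "$2" 2>/dev/null
}

# --- constructed demonstration data ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/var/www/html"
printf 'hello\n' > "$demo_dir/var/www/html/index.html"
# ls -i is POSIX; the first column is the inode number of the file.
demo_ino=$(ls -i "$demo_dir/var/www/html/index.html" | awk '{print $1}')

# Constructed AVC line in the same shape as the one in the question, with the
# real inode of the file just created filled in.
demo_avc="type=AVC msg=audit(1595946719.123:456): avc:  denied  { write } for  pid=1234 comm=\"php-fpm\" name=\"index.html\" dev=\"sda\" ino=${demo_ino} scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0:c30 tclass=file permissive=0"

located=$(find_by_inode "$demo_dir" "$(avc_inode "$demo_avc")")
echo "device: $(avc_dev "$demo_avc")"
echo "inode:  $(avc_inode "$demo_avc")"
echo "path:   $located"
```

If the file has more than one hard link, find prints every path that shares the inode; the AVC's `name=` field tells you which one the process used.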