selinux Missing type enforcement (TE) allow rule

usa ims asked:

When I run my FTP test to test for full functionality, I’m concerned on why am I getting an avc denial error on such a popular command, such as ‘mkdir’?

Here is the AVC denial message:

type=AVC msg=audit(1365021919.400:283): avc:  denied  { create } for  pid=2210     comm="mkdir" name="64F77DCE-9C9F-11E2-90A8-39AEF085A14A"   scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

According to Fedora’s web site, Missing Type Enforcement rules are usually caused by bugs in SELinux policy. So, is this a truly a bug?

My answer:


It appears that you are trying to have your web server write to a user’s home directory. There are no SELinux reference policies to permit this behavior. You should think carefully about whether you should be serving content from users’ home directories at all.

If you really need this access, you can use the audit2allow utility to generate a local policy module that you can load in and permit the access.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.