Denials when installing from updates-testing
Adam Huffman
adam.huffman at gmail.com
Mon Apr 21 14:30:02 UTC 2008
This morning I used yum to install the latest packages from the
updates-testing repository for F8. Some SELinux denials meant that
problems were reported with a lot of these updates, e.g.
Updating : libxml2 ##################### [ 1/145]
error: %post(libxml2-2.6.32-1.fc8.x86_64) scriptlet failed, exit status 255
Updating : gtk2 ##################### [ 2/145]
error: %post(gtk2-2.12.8-2.fc8.x86_64) scriptlet failed, exit status 255
Updating : libxslt ##################### [ 3/145]
error: %post(libxslt-1.1.23-1.fc8.x86_64) scriptlet failed, exit status 255
Updating : evolution-data-server ##################### [ 4/145]
error: %post(evolution-data-server-1.12.3-5.fc8.x86_64) scriptlet
failed, exit status 255
and here are excerpts of the sealert messages:
Summary:
SELinux is preventing yum (mono_t) "transition" to /sbin/ldconfig
(rpm_script_t).
Source Context unconfined_u:system_r:mono_t:SystemLow-SystemHigh
Target Context
unconfined_u:system_r:rpm_script_t:SystemLow-SystemHigh
Target Objects /sbin/ldconfig [ process ]
Source yum
Source Path /usr/bin/python
Port <Unknown>
Source RPM Packages python-2.5.1-15.fc8
Target RPM Packages glibc-2.7-2
Policy RPM selinux-policy-3.0.8-95.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Raw Audit Messages
type=AVC msg=audit(1208774766.511:30956): avc: denied { transition }
for pid=4487 comm="yum" path="/sbin/ldconfig" dev=dm-0 ino=852080
scontext=unconfined_u:system_r:mono_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
tclass=process
type=SYSCALL msg=audit(1208774766.511:30956): arch=c000003e syscall=59
success=no exit=-13 a0=1637234f a1=7fff43a32a40 a2=947ac50
a3=3d4fc13bb2 items=0 ppid=4089 pid=4487 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 comm="yum"
exe="/usr/bin/python" subj=unconfined_u:system_r:mono_t:s0-s0:c0.c1023
key=(null)
and
Summary:
SELinux is preventing yum (mono_t) "transition" to /bin/bash (rpm_script_t).
Additional Information:
Source Context unconfined_u:system_r:mono_t:SystemLow-SystemHigh
Target Context
unconfined_u:system_r:rpm_script_t:SystemLow-SystemHigh
Target Objects /bin/bash [ process ]
Source yum
Source Path /usr/bin/python
Port <Unknown>
Source RPM Packages python-2.5.1-15.fc8
Target RPM Packages bash-3.2-20.fc8
Policy RPM selinux-policy-3.0.8-95.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Alert Count 69
First Seen Mon 07 Apr 2008 13:02:19 BST
Last Seen Mon 21 Apr 2008 11:46:06 BST
Local ID e148a133-5374-43a6-953b-45076d5c667b
Line Numbers
Raw Audit Messages
type=AVC msg=audit(1208774766.470:30955): avc: denied { transition }
for pid=4486 comm="yum" path="/bin/bash" dev=dm-0 ino=65580
scontext=unconfined_u:system_r:mono_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
tclass=process
type=SYSCALL msg=audit(1208774766.470:30955): arch=c000003e syscall=59
success=no exit=-13 a0=1658931a a1=7fff43a32a40 a2=947ac50
a3=3d4fc13bb2 items=0 ppid=4089 pid=4486 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 comm="yum"
exe="/usr/bin/python" subj=unconfined_u:system_r:mono_t:s0-s0:c0.c1023
key=(null)
Does this look like a local problem and relabelling is needed?
Adam
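Added example, not part of the original post: a small Python parser that pairs the AVC and SYSCALL records quoted above by audit event serial and lists, for each denial, the permission, source and target type, object class, path and syscall exit code. The sample lines are the post's own records re-joined onto single lines; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC/SYSCALL pairs quoted in the post, re-joined
# onto single lines (the mail client had wrapped them).
SAMPLE = '''\
type=AVC msg=audit(1208774766.511:30956): avc: denied { transition } for pid=4487 comm="yum" path="/sbin/ldconfig" dev=dm-0 ino=852080 scontext=unconfined_u:system_r:mono_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1208774766.511:30956): arch=c000003e syscall=59 success=no exit=-13 a0=1637234f a1=7fff43a32a40 a2=947ac50 a3=3d4fc13bb2 items=0 ppid=4089 pid=4487 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:mono_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1208774766.470:30955): avc: denied { transition } for pid=4486 comm="yum" path="/bin/bash" dev=dm-0 ino=65580 scontext=unconfined_u:system_r:mono_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1208774766.470:30955): arch=c000003e syscall=59 success=no exit=-13 a0=1658931a a1=7fff43a32a40 a2=947ac50 a3=3d4fc13bb2 items=0 ppid=4089 pid=4486 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:mono_t:s0-s0:c0.c1023 key=(null)
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event serial and merge their key=value fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, _timestamp, serial, body = m.groups()
        ev = events[int(serial)]
        for key, value in FIELD.findall(body):
            ev.setdefault(key, value.strip('"'))
        if rtype == 'AVC':
            p = PERMS.search(body)
            ev['perms'] = p.group(1).split() if p else []
    return dict(events)

def summarize(events):
    """One row per denial: (perms, source type, target type, class, path, exit)."""
    rows = []
    for serial in sorted(events):
        ev = events[serial]
        if 'perms' not in ev:
            continue  # event had no AVC record
        stype = ev['scontext'].split(':')[2]  # user:role:type:level
        ttype = ev['tcontext'].split(':')[2]
        rows.append((tuple(ev['perms']), stype, ttype, ev['tclass'],
                     ev.get('path'), int(ev.get('exit', 0))))
    return rows

if __name__ == '__main__':
    for row in summarize(parse_events(SAMPLE)):
        print(row)
```

Both rows show a denied `transition` from `mono_t` to `rpm_script_t`; `syscall=59` on `arch=c000003e` (x86_64) is `execve`, and `exit=-13` is `EACCES`.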