semanage is prevented from writing to user_tmp_t file
Daniel J Walsh
dwalsh at redhat.com
Wed Feb 29 15:39:31 UTC 2012
On 02/29/2012 10:34 AM, Daniel J Walsh wrote:
> On 02/29/2012 07:06 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
>> On 2012-02-29 14:00, Miroslav Grepl wrote:
>>> On 02/29/2012 10:32 AM, Jeroen van Meeuwen (Kolab Systems)
>>> wrote:
>>>> Hello,
>>>>
>>>> I have an Enterprise Linux 6 machine, managed by Puppet,
>>>> enforcing the target policy, for which Puppet manages a
>>>> bunch of contexts and policies, but the following message
>>>> occurs when it attempts to do so:
>>>>
>>>> type=AVC msg=audit(1330511088.080:1757): avc: denied {
>>>> write } for pid=9222 comm="semanage"
>>>> path="/tmp/puppet20120229-8297-bjmcbp-0" dev=dm-0 ino=1572875
>>>> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
>>>> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>>>
>>> Could you attach the full AVC message? I am interested in the
>>> "syscall" and "success" fields.
>>>
>>> It looks like a leaked file descriptor.
>>>
>
>> I believe this is everything, but if not, please point me in the
>> right direction:
>
>> type=AVC msg=audit(1330454003.144:529): avc: denied { write }
>> for pid=16025 comm="semanage"
>> path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875
>> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>> type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e
>> syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00
>> a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0
>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2
>> comm="semanage" exe="/usr/bin/python"
>> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
>> key=(null)
>
>> Thanks,
>
>>>>
>>>> The following is a reference to what Puppet is trying to do:
>>>>
>>>> http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98
>>>>
>>>> In short, I'm installing custom built mailman packages so that I can
>>>> have devel at project1 alongside devel at project2 mailing lists by
>>>> installing dedicated mailman instances for project1 and
>>>> project2. The Puppet module I'm referring to attempts to
>>>> apply the necessary SELinux contexts to the files deployed
>>>> with each RPM package.
>>>>
>>>> I'm wondering what is causing the denial (or, why semanage
>>>> needs something in /tmp/ with the name of puppet in it) as
>>>> well as what to do about it - it doesn't seem to be blocking
>>>> Puppet from achieving the goal of adding new file_contexts
>>>> for these custom packages.
>>>>
>>>> Kind regards,
>>>>
>>>> Jeroen van Meeuwen
>>>>
>
>> Kind regards,
>
>> Jeroen van Meeuwen
>
>
>
> Puppet is creating a log file in /tmp that it is then handing to
> semanage as its stdout. SELinux is blocking the tool's ability to
> write to stdout and SELinux is just replacing the /tmp file with
> /dev/null. So semanage is succeeding but an ugly AVC is created.
>
> Miroslav, we probably should go through policy and allow domains to
> write to inherited user_tmp_t files. Which would solve the puppet
> problem.
>
>
It would also be nice if puppet opened the file for append rather than
write.
sesearch -A -s semanage_t -t user_tmp_t -p append -c file
Found 1 semantic av rules:
allow application_domain_type user_tmp_t : file { getattr append } ;
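The AVC/SYSCALL pair Miroslav asked for is what separates this harmless "inherited descriptor" denial from a real block. The script below is an added example, not code from the thread or from Puppet or the SELinux tools: it parses audit records of the kind posted above, pairs each AVC with the SYSCALL record carrying the same audit serial, and calls the denial an inherited-fd denial when the syscall is execve and succeeded (the new domain was checked against descriptors it inherited across the transition, the exec went ahead, and the unwritable descriptor is what ends up replaced by /dev/null). A denied write whose SYSCALL is write() with success=no is classed as a real block. For each denial it also builds the sesearch query, in the same form as the one above, that confirms what the source type may already do to the target type. The first record pair is the one from the thread with its line-wrapping removed; the second pair is constructed as a contrast; the syscall-number table and the classification rule are this example's own assumptions.

```python
"""Triage SELinux AVC denials caused by an inherited (leaked) file descriptor.

Rule used here (an assumption of this example, following the explanation in
the thread): a denied AVC whose same-serial SYSCALL record is execve with
success=yes means the descriptor was inherited across a domain transition,
the exec itself succeeded, and the denial is noise. A denied AVC whose
SYSCALL is write() with success=no is a genuine block.
"""
import re
from collections import defaultdict

# Constructed sample input. Pair 529 is the one from the thread (unwrapped);
# pair 530 is made up for contrast: syscall 1 = write, success=no, exit=-13
# (EACCES), i.e. semanage really was stopped from writing.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1330454003.144:529): avc:  denied  { write } for  pid=16025 comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1330454100.000:530): avc:  denied  { write } for  pid=16100 comm="semanage" path="/tmp/puppet20120228-15545-example-0" dev=dm-0 ino=1572900 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1330454100.000:530): arch=c000003e syscall=1 success=no exit=-13 a0=1 a1=7f1a2c003000 a2=20 a3=0 items=0 ppid=16022 pid=16100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
"""

# Only the syscall numbers this triage needs, keyed by the AUDIT_ARCH value
# the kernel writes into the SYSCALL record (x86_64 and i386).
SYSCALL_NAMES = {
    "c000003e": {0: "read", 1: "write", 2: "open", 59: "execve", 257: "openat"},
    "40000003": {3: "read", 4: "write", 5: "open", 11: "execve", 295: "openat"},
}

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_audit(text):
    """Group AVC and SYSCALL records by (timestamp, serial): one event each."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
        if m["type"] == "AVC":
            perms = PERMS_RE.search(m["body"])
            fields["perms"] = perms.group(1).split() if perms else []
            fields["result"] = "denied" if " denied " in m["body"] else "granted"
        events[(m["ts"], m["serial"])][m["type"]] = fields
    return events


def context_type(ctx):
    """user:role:type[:mls] -> type, e.g. semanage_t or user_tmp_t."""
    return ctx.split(":")[2]


def syscall_name(arch, number):
    return SYSCALL_NAMES.get(arch, {}).get(int(number), "syscall_%s" % number)


def classify(event):
    """'inherited-fd', 'blocked', 'other', 'no-syscall' or 'not-denied'."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not avc or avc.get("result") != "denied":
        return "not-denied"
    if sc is None:
        return "no-syscall"  # ask for the full event, as Miroslav did above
    name = syscall_name(sc.get("arch"), sc.get("syscall", "-1"))
    if name == "execve" and sc.get("success") == "yes" and avc.get("tclass") in ("file", "fd"):
        return "inherited-fd"
    if sc.get("success") == "no":
        return "blocked"
    return "other"


def sesearch_for(avc, perm):
    """Policy query confirming whether the source domain may already do
    `perm` on the target type (same form as the sesearch call above)."""
    return "sesearch -A -s %s -t %s -p %s -c %s" % (
        context_type(avc["scontext"]), context_type(avc["tcontext"]), perm, avc["tclass"])


def triage(text):
    """One summary row per audit event, in timestamp order."""
    rows = []
    for (_ts, serial), ev in sorted(parse_audit(text).items()):
        avc = ev.get("AVC", {})
        rows.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "path": avc.get("path"),
            "perms": avc.get("perms", []),
            "verdict": classify(ev),
            "check": sesearch_for(avc, avc["perms"][0]) if avc.get("perms") else None,
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT_LOG):
        print("%(serial)s %(comm)s %(path)s %(perms)s -> %(verdict)s" % row)
        if row["check"]:
            print("    confirm with: %s" % row["check"])
```

Run it against the output of `ausearch -m AVC,SYSCALL -ts recent` instead of the embedded sample to triage a live box; the "blocked" verdict is the one that needs a policy or labelling change, while "inherited-fd" is the case Dan describes, where the fix belongs on the caller (here, Puppet opening its log for append) rather than in the confined domain.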