semanage is prevented from writing to user_tmp_t file

Daniel J Walsh dwalsh at redhat.com
Wed Feb 29 15:39:31 UTC 2012



On 02/29/2012 10:34 AM, Daniel J Walsh wrote:
> On 02/29/2012 07:06 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
>> On 2012-02-29 14:00, Miroslav Grepl wrote:
>>> On 02/29/2012 10:32 AM, Jeroen van Meeuwen (Kolab Systems) 
>>> wrote:
>>>> Hello,
>>>> 
>>>> I have an Enterprise Linux 6 machine, managed by Puppet, 
>>>> enforcing the target policy, for which Puppet manages a
>>>> bunch of contexts and policies, but the following message
>>>> occurs when it attempts to do so:
>>>> 
>>>> type=AVC msg=audit(1330511088.080:1757): avc:  denied  {
>>>> write } for  pid=9222 comm="semanage" 
>>>> path="/tmp/puppet20120229-8297-bjmcbp-0" dev=dm-0 ino=1572875
>>>>  scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
>>>>  tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>>> 
>>> Could you attach full AVC message. I am interested in
>>> "syscall" and "success" fields.
>>> 
>>> It looks like a leak file descriptor.
>>> 
> 
>> I believe this is everything, but if not, please point me in the 
>> right direction:
> 
>> type=AVC msg=audit(1330454003.144:529): avc:  denied  { write }
>> for pid=16025 comm="semanage" 
>> path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875 
>> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 
>> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file 
>> type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e 
>> syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 
>> a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 
>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 
>> comm="semanage" exe="/usr/bin/python" 
>> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 
>> key=(null)
> 
>> Thanks,
> 
>>>> 
>>>> The following is a reference to what Puppet is trying to do:
>>>> 
>>>> 
>>>> http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98
>>>> 
>>>> In short, I'm installing custom built mailman packages so that I can
>>>> have devel at project1 alongside devel at project2 mailing lists by
>>>>  installing dedicated mailman instances for project1 and 
>>>> project2. The Puppet module I'm referring to attempts to
>>>> apply the necessary SELinux contexts to the files deployed
>>>> with each RPM package.
>>>> 
>>>> I'm wondering what is causing the denial (or, why semanage 
>>>> needs something in /tmp/ with the name of puppet in it) as
>>>> well as what to do about it - it doesn't seem to be blocking
>>>> Puppet from achieving the goal of adding new file_contexts
>>>> for these custom packages.
>>>> 
>>>> Kind regards,
>>>> 
>>>> Jeroen van Meeuwen
>>>> 
> 
>> Kind regards,
> 
>> Jeroen van Meeuwen
> 
> 
> 
> Puppet is creating a log file in /tmp that it is then handing to 
> semanage as its stdout.  SELinux is blocking the tool's ability to 
> write to stdout and SELinux is just replacing the /tmp file with 
> /dev/null.  So semanage is succeeding but an ugly AVC is created.
> 
> Miroslav, we probably should go through policy and allow domains to 
> write to inherited user_tmp_t files, which would solve the puppet 
> problem.
> 

It would also be nice if puppet opened the file for append rather than
write.

 sesearch -A -s semanage_t -t user_tmp_t -p append -c file
Found 1 semantic av rules:
   allow application_domain_type user_tmp_t : file { getattr append } ;

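The triage the thread describes (read the SYSCALL record that belongs to the AVC, and treat a write denial on a file during a successful execve as a descriptor leaked by the parent rather than a policy gap), as an added Python example that is not part of this thread or of the selinux tooling. The sample input is the audit excerpt posted above; the only assumption beyond the page is that syscall 59 on arch=c000003e (x86_64) is execve.

```python
import re
from collections import defaultdict
# Constructed sample input: the AVC and SYSCALL records posted in the thread
# above, which share event serial 529.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1330454003.144:529): avc:  denied  { write } for pid=16025 comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
EXECVE_X86_64 = '59'  # assumed: syscall number of execve for arch=c000003e (x86_64)

def parse_audit(text):
    """Group records by event serial: {serial: {record type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        p = PERMS_RE.search(body)
        if p:  # only AVC records carry the verdict and the permission set
            fields['result'], fields['perms'] = p.group(1), sorted(p.group(2).split())
        events[serial][rtype] = fields
    return dict(events)

def classify_event(event):
    """Read the SYSCALL record next to the AVC, as Miroslav asked for in the thread."""
    avc, sc = event.get('AVC'), event.get('SYSCALL')
    if not avc or avc.get('result') != 'denied':
        return 'no denial'
    if sc is None:
        return 'denied: no SYSCALL record in this event, request the full message'
    at_execve = sc.get('arch') == 'c000003e' and sc.get('syscall') == EXECVE_X86_64
    if at_execve and sc.get('success') == 'yes' and avc.get('tclass') == 'file':
        # Denied at execve, yet execve succeeded: the kernel replaced the
        # unauthorized inherited fd with /dev/null and the program ran anyway.
        return ('leaked fd: %s inherited an open %s (%s) at execve; '
                'execve succeeded with the fd replaced by /dev/null'
                % (avc.get('comm'), avc.get('tcontext'), avc.get('path')))
    if sc.get('success') == 'no':
        return 'hard denial: syscall %s failed, exit=%s' % (sc.get('syscall'), sc.get('exit'))
    return 'denied but the syscall succeeded: inspect manually'

def triage(text):
    return {serial: classify_event(ev) for serial, ev in parse_audit(text).items()}
```

For the posted event the verdict names semanage, the user_tmp_t target and the /tmp/puppet... path, which points the fix at the parent process handing over the descriptor, matching the explanation given above.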