Hosts file access

Emmett Culley lst_manage at webengineer.com
Fri May 30 17:25:35 UTC 2014


On 05/29/2014 01:20 AM, Miroslav Grepl wrote:
> On 05/28/2014 05:13 PM, Daniel J Walsh wrote:
>> restorecon -R -v /etc/hosts
>>
>> Would fix this issue.
> Yes, but he needs to repeat it.
>>
>> On 05/28/2014 06:36 AM, Miroslav Grepl wrote:
>>> On 05/28/2014 12:24 AM, Emmett Culley wrote:
>>>> On 05/22/2014 10:31 PM, Miroslav Grepl wrote:
>>>>> On 05/22/2014 06:35 PM, Emmett Culley wrote:
>>>>>> I am continually getting getattr and read AVC errors.  From my
>>>>>> research, I believe it is because my hosts file gets modified each
>>>>>> time I VPN into my work network.
>>>>>>
>>>>>> I cause the host names and IP addresses that are part of the
>>>>>> internal work network to be appended to the hosts file upon the VPN
>>>>>> connection and then restore the original hosts file upon
>>>>>> disconnection.
>>>>>>
>>>>>> I have tried restorecon /etc/hosts, but I still get the warnings.
>>>>>> I have also done the mypol fixes suggested in the troubleshooting
>>>>>> dialog's details page.  Nothing I do resolves this issue.
>>>>>>
>>>>>> How can I prevent these AVC errors?  Or at least properly modify my
>>>>>> hosts file (and possibly others) the SELinux way?
>>>>>>
>>>>>> Emmett
>>>>>> -- 
>>>>>> selinux mailing list
>>>>>> selinux at lists.fedoraproject.org
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>> What AVC message are you getting?
>>>>>
>>>>> What OS?
>>>>>
>>>>> Regards,
>>>>> Miroslav
>>>>>
>>>> Linux (Fedora 20)
>>>>
>>>> type=AVC msg=audit(1401200342.155:473): avc:  denied  { read } for
>>>> pid=5501 comm="httpd" name="hosts" dev="dm-0" ino=270007
>>>> scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023
>>>> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>>>>
>>>> AND
>>>>
>>>> type=AVC msg=audit(1401195880.487:401): avc:  denied  { getattr }
>>>> for  pid=1064 comm="chronyd" path="/etc/hosts" dev="dm-0" ino=270007
>>>> scontext=system_u:system_r:chronyd_t:s0
>>>> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>>>>
>>>>
>>>> type=SYSCALL msg=audit(1401195880.487:401): arch=x86_64 syscall=fstat
>>>> success=yes exit=0 a0=4 a1=7fff126bb590 a2=7fff126bb590 a3=0 items=0
>>>> ppid=1 pid=1064 auid=4294967295 uid=997 gid=996 euid=997 suid=997
>>>> fsuid=997 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295
>>>> comm=chronyd exe=/usr/sbin/chronyd
>>>> subj=system_u:system_r:chronyd_t:s0 key=(null)
>>>>
>>>> Each of the errors are caused by attempts to access the hosts file.
>>>>
>>>> Emmett
>>>>
>>> "admin_home_t" is label for files/dirs in /root directory. It means
>>> the /etc/hosts is moved from this directory. Any chance you have a
>>> script which does it?
>>>
>>>
> 
> 
Yes, I am using a script to save the current hosts file to /root when starting a VPN connection, then moving it back when closing the VPN connection.  I will add the restorecon command to the script.

Emmett

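The thread boils down to one SELinux detail: `mv` keeps the source file's security context, so a hosts file moved into /root and back carries admin_home_t instead of the net_conf_t that confined domains like httpd_t and chronyd_t are allowed to read, and `restorecon` has to be re-run after every restore. The script below is an added example, not Emmett's script or anything from the thread. It takes the alternative approach of never moving /etc/hosts at all: the pre-VPN copy is made with `cp`, the VPN entries are appended in place, and on disconnect the saved contents are written back into the existing inode, which keeps its label. `restorecon` is still called as a safety net where SELinux tooling is present. The paths, marker comments and sample hostnames are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): manage VPN-specific /etc/hosts entries
# without changing the file's SELinux label.
#
# Why this matters: `mv` preserves the SELinux context of the source file, so a
# copy moved from /root back to /etc stays admin_home_t and confined daemons
# (httpd_t, chronyd_t, ...) are denied read/getattr on it. Writing into the
# existing file keeps its inode and label; restorecon then relabels from the
# policy's file_contexts only if something did change.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"   # overridable for testing
BACKUP_DIR="${BACKUP_DIR:-/root}"        # where the pre-VPN copy is kept
MARKER_BEGIN="# BEGIN vpn-hosts"         # assumed marker comments
MARKER_END="# END vpn-hosts"

# Relabel a path from policy defaults, only where SELinux tooling exists.
# Always returns 0 so the script also works on hosts without SELinux.
relabel() {
    if command -v restorecon >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        restorecon -v "$1"
    fi
    return 0
}

backup_path() {
    printf '%s/hosts.pre-vpn' "$BACKUP_DIR"
}

# vpn_up ENTRY...: save the current hosts file, then append the VPN entries.
vpn_up() {
    bak=$(backup_path)
    [ -e "$bak" ] && { echo "backup already exists: $bak" >&2; return 1; }
    # cp, not mv: the backup is a new file under $BACKUP_DIR and gets that
    # directory's default label; the live file keeps its inode and net_conf_t.
    cp -p "$HOSTS_FILE" "$bak" || return 1
    {
        printf '%s\n' "$MARKER_BEGIN"
        for e in "$@"; do printf '%s\n' "$e"; done
        printf '%s\n' "$MARKER_END"
    } >> "$HOSTS_FILE"
    relabel "$HOSTS_FILE"
}

# vpn_down: put the saved contents back by overwriting the live file in place.
vpn_down() {
    bak=$(backup_path)
    [ -f "$bak" ] || { echo "no backup at $bak" >&2; return 1; }
    # Truncate-and-write keeps inode, owner, mode and SELinux label intact.
    cat "$bak" > "$HOSTS_FILE" || return 1
    rm -f "$bak"
    relabel "$HOSTS_FILE"
}

case "${1:-}" in
    up)   shift; vpn_up "$@" ;;
    down) vpn_down ;;
    *)    : ;;   # sourced or run without arguments: define functions only
esac
```

Run it as `./vpn-hosts.sh up "10.1.2.3 intranet.example.test"` from the VPN up-script and `./vpn-hosts.sh down` from the down-script; `ls -Z /etc/hosts` before and after should show the same net_conf_t label, and `ausearch -m AVC -c httpd` should stay quiet. The "backup already exists" refusal prevents a second `up` from overwriting the only clean copy if the down-script never ran.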
