plenty of unix_chkpwd
by lejeczek
hi guys.
I get lots of:
Jun 10 16:34:03 dzien.private.lot setroubleshoot[489537]:
SELinux is preventing /usr/sbin/unix_chkpwd from getattr
access on the filesystem /proc. For complete SELinux
messages run: sealert -l 0e04b2ea-b63d-481f-9633-e0bf0530e7ba
and I yet do not know from what and before I start
investigation I wanted to ask if that is indeed a "valid"
denial?
...
Additional Information:
Source Context system_u:system_r:chkpwd_t:s0
Target Context system_u:object_r:proc_t:s0
Target Objects /proc [ filesystem ]
Source unix_chkpwd
Source Path /usr/sbin/unix_chkpwd
Port <Unknown>
Host dzien.private.lot
Source RPM Packages pam-1.3.1-15.el8.x86_64
Target RPM Packages filesystem-3.8-4.el8.0.1.x86_64
SELinux Policy RPM selinux-policy-targeted-3.14.3-68.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-68.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name dzien.private.lot
Platform Linux dzien.private.lot
4.18.0-305.3.1.el8.x86_64 #1
SMP Tue Jun 1
16:14:33 UTC 2021 x86_64 x86_64
Alert Count 1988
First Seen 2021-06-09 09:50:01 BST
Last Seen 2021-06-10 16:32:01 BST
Local ID 87f481c4-e4dd-4b77-80c5-52a898760061
Raw Audit Messages
type=AVC msg=audit(1623339121.659:34011): avc: denied {
getattr } for pid=487286 comm="unix_chkpwd" name="/"
dev="proc" ino=1 scontext=system_u:system_r:chkpwd_t:s0
tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
permissive=0
type=SYSCALL msg=audit(1623339121.659:34011): arch=x86_64
syscall=fstatfs success=no exit=EACCES a0=3 a1=7ffe61eee320
a2=0 a3=0 items=0 ppid=487285 pid=487286 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm=unix_chkpwd
exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:chkpwd_t:s0
key=(null)
Hash: unix_chkpwd,chkpwd_t,proc_t,filesystem,getattr
...
many thanks, L.
2 years, 3 months
question about selinux context when creating a directory
by Anthony LaTorre
Hi all,
I was recently setting up a webserver with cgit and apache on a fresh
Fedora 34 installation and ran into one issue that I still don't quite
understand. After installing both apache and cgit, I created the
default location expected for git repositories in /var/lib/git via:
# mkdir /var/lib/git
and then added a few bare repositories and pushed to them.
I wasn't able to view the cgit page though and was getting the
following errors in audit.log:
type=AVC msg=audit(1622927247.335:77187): avc: denied { getattr }
for pid=281294 comm="cgit" path="/var/lib/git/chroma.git/HEAD"
dev="sda" ino=134922 scontext=system_u:system_r:git_script_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
I eventually found out that I needed to run:
# restorecon -vR /var/lib/git/
which fixed the issue, but I thought it was supposed to happen
automatically since there was already a rule which was supposed to set
these as type git_content_t (I think that's it).
I emailed the cgit package maintainer and he was suprised too, and has
since updated the README to include instructions to run restorecon,
but I was curious as to whether this should be necessary. Why doesn't
the /var/lib/git directory get the correct context?
Thanks,
Tony
2 years, 3 months
Memory protection checking
by Abhijit Tikekar
> All,
>
> Just stumbled upon the following setting for selinux
>
> Memory protection checking: actual (secure)
>
> I could not find any documentation around this. Can anyone point me in the right direction? Is this something controlled separately or related to certain booleans being active?
>
> Thanks,
>
> ~ abhi
2 years, 3 months
