Daniel J Walsh pise:
> Hello everyone, every time I upgrade selinux-policy packages, I
get
>
> SELinux is preventing /usr/sbin/load_policy from 'read, append' accesses
> on the file /tmp/tmp5vo8of.
>
> Raw Audit Messages type=AVC msg=audit(1340799402.853:3866): avc: denied {
> read append } for pid=22456 comm="load_policy"
path="/tmp/tmp5vo8of"
> dev="tmpfs" ino=464186
> scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:tmp_t:s0 tclass=file type=SYSCALL
> msg=audit(1340799402.853:3866): arch=x86_64 syscall=execve success=yes
> exit=0 a0=ff5f80 a1=ff5f60 a2=ff2e90 a3=10 items=0 ppid=22449 pid=22456
> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts16
> ses=357 comm=load_policy exe=/usr/sbin/load_policy
> subj=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 key=(null)
>
> The command load_policy is executed by the rpm postinstall scriptlet. It
> happens on workstations with f16 or f17, the only less usual thing is that
> /tmp is mounted as tmpfs with
> rw,nodev,noexec,noatime,nodiratime,context=system_u:object_r:tmp_t:s0
> Context of /tmp is the same as it was before and the same as physical
> directory /var/tmp.
>
> I know how to make local policy rules, but I would like to know if there is
> a better solution. Thanks,
>
This is a leaked file descriptor from who ever created the file /tmp/tmp5v080f
or a redirected stdin/stdout/stderr. Possible candidates would be puppet or
simple redirection using bash
command << _EOF
input
input
_EOF
Could cause something like this if the command eventually executed
rpm/load_policy.
The only occurence of load_policy in postinstall script is
[ "${SELINUXTYPE}" == "targeted" ] && [ selinuxenabled ]
&& load_policy;
I guess that the tmp file is created by rpm in the phase of upgrading
package for executing the script.
Simplest thing would be to generate an audit2allow rule for it to
dontaudit
this action.
Thanks, dontaudit rule is fine solution for me.
--
--Zdenek Pytela, <pytela(a)phil.muni.cz>