2:59 p.m.
I have been running this with SELinux disabled, but I'm trying to be A
Better Person by running in enforcing mode all the time. I got the following
alert while running appliace-creator. What the heck is "run lnk_file"?
----
SELinux is preventing /usr/sbin/useradd from read access on the lnk_file
run.
***** Plugin catchall_labels (83.8 confidence) suggests
***** ********************
If you want to allow useradd to have read access on the run lnk_file
Then you need to change the label on run
Do
# semanage fcontext -a -t FILE_TYPE 'run'
where FILE_TYPE is one of the following: cert_t, selinux_config_t,
# user_home_dir_t, device_t, device_t, devlog_t, locale_t,
# httpd_user_content_type, security_t, etc_t, ld_so_t, proc_t, mail_spool_t,
# device_t, abrt_t, bin_t, etc_t, base_ro_file_type, lib_t, man_t,
# etc_runtime_t, root_t, tmp_t, bin_t, cert_t, var_run_t, tmp_t, tmp_t,
# selinux_login_config_t, httpd_user_script_exec_type, textrel_shlib_t,
# etc_runtime_t, var_run_t, selinux_config_t, rpm_script_tmp_t, security_t,
# proc_t, net_conf_t, security_t, etc_t, etc_runtime_t, var_run_t, bin_t,
# var_run_t, var_run_t, useradd_t, usr_t, user_home_type, domain,
# home_root_t, etc_t, var_run_t, var_run_t.
Then execute:
restorecon -v 'run'
***** Plugin catchall (17.1 confidence) suggests
***** ***************************
If you believe that useradd should be allowed read access on the run
lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep useradd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context
unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:var_t:s0
Target Objects run [ lnk_file ]
Source useradd
Source Path /usr/sbin/useradd
Port <Unknown>
Host ubik.home.mkmiller.org
Source RPM Packages shadow-utils-4.1.5.1-1.fc18.x86_64
Target RPM Packages filesystem-3.1-2.fc18.x86_64
Policy RPM selinux-policy-3.11.1-50.fc18.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ubik.home.mkmiller.org
Platform Linux ubik.home.mkmiller.org
3.6.5-2.fc18.x86_64
#1 SMP Thu Nov 1 00:39:17 UTC 2012 x86_64
# x86_64
Alert Count 7
First Seen 2012-11-08 15:53:06 EST
Last Seen 2012-11-08 15:53:10 EST
Local ID e1402ea5-4bcb-45fa-b220-95fe0c0dc868
Raw Audit Messages
type=AVC msg=audit(1352407990.104:1493): avc: denied { read } for
pid=19226 comm="useradd" name="run" dev="dm-1" ino=130358
scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1352407990.104:1493): arch=x86_64 syscall=connect
success=no exit=EACCES a0=5 a1=7ffffac812e0 a2=6e a3=ffffffffffffffff
items=0 ppid=19218 pid=19226 auid=18281 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm=useradd exe=/usr/sbin/useradd
subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
Hash: useradd,useradd_t,var_t,lnk_file,read
audit2allow
#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;
audit2allow -R
#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
3:28 p.m.
On Thu, 2012-11-08 at 15:59 -0500, Matthew Miller wrote:
I have been running this with SELinux disabled, but I'm trying to
be A
Better Person by running in enforcing mode all the time. I got the following
alert while running appliace-creator. What the heck is "run lnk_file"?
it is probably the /var/run symlink to /run
Looks like it is mislabeled (currently var_t; should be var_run_t)
See if restorecon -R -v -F /var/run resets it to var_run_t
----
SELinux is preventing /usr/sbin/useradd from read access on the lnk_file
run.
***** Plugin catchall_labels (83.8 confidence) suggests
***** ********************
If you want to allow useradd to have read access on the run lnk_file
Then you need to change the label on run
Do
# semanage fcontext -a -t FILE_TYPE 'run'
where FILE_TYPE is one of the following: cert_t, selinux_config_t,
# user_home_dir_t, device_t, device_t, devlog_t, locale_t,
# httpd_user_content_type, security_t, etc_t, ld_so_t, proc_t, mail_spool_t,
# device_t, abrt_t, bin_t, etc_t, base_ro_file_type, lib_t, man_t,
# etc_runtime_t, root_t, tmp_t, bin_t, cert_t, var_run_t, tmp_t, tmp_t,
# selinux_login_config_t, httpd_user_script_exec_type, textrel_shlib_t,
# etc_runtime_t, var_run_t, selinux_config_t, rpm_script_tmp_t, security_t,
# proc_t, net_conf_t, security_t, etc_t, etc_runtime_t, var_run_t, bin_t,
# var_run_t, var_run_t, useradd_t, usr_t, user_home_type, domain,
# home_root_t, etc_t, var_run_t, var_run_t.
Then execute:
restorecon -v 'run'
***** Plugin catchall (17.1 confidence) suggests
***** ***************************
If you believe that useradd should be allowed read access on the run
lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep useradd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context
unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:var_t:s0
Target Objects run [ lnk_file ]
Source useradd
Source Path /usr/sbin/useradd
Port <Unknown>
Host ubik.home.mkmiller.org
Source RPM Packages shadow-utils-4.1.5.1-1.fc18.x86_64
Target RPM Packages filesystem-3.1-2.fc18.x86_64
Policy RPM selinux-policy-3.11.1-50.fc18.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ubik.home.mkmiller.org
Platform Linux ubik.home.mkmiller.org
3.6.5-2.fc18.x86_64
#1 SMP Thu Nov 1 00:39:17 UTC 2012 x86_64
# x86_64
Alert Count 7
First Seen 2012-11-08 15:53:06 EST
Last Seen 2012-11-08 15:53:10 EST
Local ID e1402ea5-4bcb-45fa-b220-95fe0c0dc868
Raw Audit Messages
type=AVC msg=audit(1352407990.104:1493): avc: denied { read } for
pid=19226 comm="useradd" name="run" dev="dm-1" ino=130358
scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1352407990.104:1493): arch=x86_64 syscall=connect
success=no exit=EACCES a0=5 a1=7ffffac812e0 a2=6e a3=ffffffffffffffff
items=0 ppid=19218 pid=19226 auid=18281 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm=useradd exe=/usr/sbin/useradd
subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
Hash: useradd,useradd_t,var_t,lnk_file,read
audit2allow
#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;
audit2allow -R
#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;
3:53 p.m.
On Thu, Nov 08, 2012 at 10:28:16PM +0100, Dominick Grift wrote:
it is probably the /var/run symlink to /run
Looks like it is mislabeled (currently var_t; should be var_run_t)
See if restorecon -R -v -F /var/run resets it to var_run_t
Ahhh. So, the /var/run symlink *inside the chroot* is
"system_u:object_r:var_run_t:s0". Okay, that gives me something to go on....
--
Matthew Miller mattdm(a)mattdm.org <http://mattdm.org/>
4:43 p.m.
On Thu, 2012-11-08 at 16:53 -0500, Matthew Miller wrote:
On Thu, Nov 08, 2012 at 10:28:16PM +0100, Dominick Grift wrote:
> it is probably the /var/run symlink to /run
> Looks like it is mislabeled (currently var_t; should be var_run_t)
> See if restorecon -R -v -F /var/run resets it to var_run_t
Ahhh. So, the /var/run symlink *inside the chroot* is
"system_u:object_r:var_run_t:s0". Okay, that gives me something to go on....
chroot? i didnt mention a chroot. But anyways that symlink should be
labeled var_run_t i think and then things will be able to read it
5:08 p.m.
On Thu, Nov 08, 2012 at 11:43:20PM +0100, Dominick Grift wrote:
> > it is probably the /var/run symlink to /run
> > Looks like it is mislabeled (currently var_t; should be var_run_t)
> > See if restorecon -R -v -F /var/run resets it to var_run_t
> Ahhh. So, the /var/run symlink *inside the chroot* is
> "system_u:object_r:var_run_t:s0". Okay, that gives me something to go
on....
chroot? i didnt mention a chroot. But anyways that symlink should be
labeled var_run_t i think and then things will be able to read it
You didn't mention it, but appliance-creator is making one.
--
Matthew Miller mattdm(a)mattdm.org <http://mattdm.org/>
3:23 a.m.
On 11/08/2012 06:08 PM, Matthew Miller wrote:
On Thu, Nov 08, 2012 at 11:43:20PM +0100, Dominick Grift wrote:
>>> it is probably the /var/run symlink to /run
>>> Looks like it is mislabeled (currently var_t; should be var_run_t)
>>> See if restorecon -R -v -F /var/run resets it to var_run_t
>> Ahhh. So, the /var/run symlink *inside the chroot* is
>> "system_u:object_r:var_run_t:s0". Okay, that gives me something to go
on....
> chroot? i didnt mention a chroot. But anyways that symlink should be
> labeled var_run_t i think and then things will be able to read it
You didn't mention it, but appliance-creator is making one.
Matthew,
I am interested in how chroot subdirs look?
# ls -lZ PATH_TO_CHROOT/
8:46 a.m.
On Fri, Nov 09, 2012 at 04:23:14AM -0500, Miroslav Grepl wrote:
Matthew,
I am interested in how chroot subdirs look?
# ls -lZ PATH_TO_CHROOT/
Sure.
$ sudo ls -lZ imgcreate-V5g52_/install_root
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 bin -> usr/bin
dr-xr-xr-x. root root system_u:object_r:boot_t:s0 boot
drwxr-xr-x. root root system_u:object_r:device_t:s0 dev
drwxr-xr-x. root root system_u:object_r:etc_t:s0 etc
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
lrwxrwxrwx. root root system_u:object_r:lib_t:s0 lib -> usr/lib
lrwxrwxrwx. root root system_u:object_r:lib_t:s0 lib64 -> usr/lib64
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 mnt
drwxr-xr-x. root root system_u:object_r:usr_t:s0 opt
dr-xr-xr-x. root root system_u:object_r:proc_t:s0 proc
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 root
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 run
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 sbin -> usr/sbin
drwxr-xr-x. root root system_u:object_r:var_t:s0 srv
drwxr-xr-x. root root system_u:object_r:sysfs_t:s0 sys
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 tmp
drwxr-xr-x. root root system_u:object_r:usr_t:s0 usr
drwxr-xr-x. root root system_u:object_r:var_t:s0 var
And
$ sudo ls -lZ imgcreate-V5g52_/install_root/var
drwxr-xr-x. root root system_u:object_r:var_t:s0 adm
drwxr-xr-x. root root system_u:object_r:var_t:s0 cache
drwxr-xr-x. root root system_u:object_r:var_t:s0 db
drwxr-xr-x. root root system_u:object_r:var_t:s0 empty
drwxr-xr-x. root root system_u:object_r:games_data_t:s0 games
drwxr-xr-x. root root system_u:object_r:var_t:s0 gopher
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 lib
drwxr-xr-x. root root system_u:object_r:var_t:s0 local
lrwxrwxrwx. root root unconfined_u:object_r:var_t:s0 lock -> ../run/lock
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 log
lrwxrwxrwx. root root system_u:object_r:mail_spool_t:s0 mail -> spool/mail
drwxr-xr-x. root root system_u:object_r:var_t:s0 nis
drwxr-xr-x. root root system_u:object_r:var_t:s0 opt
drwxr-xr-x. root root system_u:object_r:var_t:s0 preserve
lrwxrwxrwx. root root unconfined_u:object_r:var_run_t:s0 run -> ../run
drwxr-xr-x. root root system_u:object_r:var_spool_t:s0 spool
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 tmp
drwxr-xr-x. root root system_u:object_r:var_yp_t:s0 yp
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
4185
days inactive
4186
days old
selinux@lists.fedoraproject.org
6 comments
4 participants
participants (4)
-
Dominick Grift -
Matthew Miller -
Matthew Miller -
Miroslav Grepl