I have been running this with SELinux disabled, but I'm trying to be A
Better Person by running in enforcing mode all the time. I got the following
alert while running appliace-creator. What the heck is "run lnk_file"?
----
SELinux is preventing /usr/sbin/useradd from read access on the lnk_file
run.
***** Plugin catchall_labels (83.8 confidence) suggests
***** ********************
If you want to allow useradd to have read access on the run lnk_file
Then you need to change the label on run
Do
# semanage fcontext -a -t FILE_TYPE 'run'
where FILE_TYPE is one of the following: cert_t, selinux_config_t,
# user_home_dir_t, device_t, device_t, devlog_t, locale_t,
# httpd_user_content_type, security_t, etc_t, ld_so_t, proc_t, mail_spool_t,
# device_t, abrt_t, bin_t, etc_t, base_ro_file_type, lib_t, man_t,
# etc_runtime_t, root_t, tmp_t, bin_t, cert_t, var_run_t, tmp_t, tmp_t,
# selinux_login_config_t, httpd_user_script_exec_type, textrel_shlib_t,
# etc_runtime_t, var_run_t, selinux_config_t, rpm_script_tmp_t, security_t,
# proc_t, net_conf_t, security_t, etc_t, etc_runtime_t, var_run_t, bin_t,
# var_run_t, var_run_t, useradd_t, usr_t, user_home_type, domain,
# home_root_t, etc_t, var_run_t, var_run_t.
Then execute:
restorecon -v 'run'
***** Plugin catchall (17.1 confidence) suggests
***** ***************************
If you believe that useradd should be allowed read access on the run
lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep useradd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context
unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:var_t:s0
Target Objects run [ lnk_file ]
Source useradd
Source Path /usr/sbin/useradd
Port <Unknown>
Host
ubik.home.mkmiller.org
Source RPM Packages shadow-utils-4.1.5.1-1.fc18.x86_64
Target RPM Packages filesystem-3.1-2.fc18.x86_64
Policy RPM selinux-policy-3.11.1-50.fc18.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name
ubik.home.mkmiller.org
Platform Linux
ubik.home.mkmiller.org
3.6.5-2.fc18.x86_64
#1 SMP Thu Nov 1 00:39:17 UTC 2012 x86_64
# x86_64
Alert Count 7
First Seen 2012-11-08 15:53:06 EST
Last Seen 2012-11-08 15:53:10 EST
Local ID e1402ea5-4bcb-45fa-b220-95fe0c0dc868
Raw Audit Messages
type=AVC msg=audit(1352407990.104:1493): avc: denied { read } for
pid=19226 comm="useradd" name="run" dev="dm-1" ino=130358
scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1352407990.104:1493): arch=x86_64 syscall=connect
success=no exit=EACCES a0=5 a1=7ffffac812e0 a2=6e a3=ffffffffffffffff
items=0 ppid=19218 pid=19226 auid=18281 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm=useradd exe=/usr/sbin/useradd
subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
Hash: useradd,useradd_t,var_t,lnk_file,read
audit2allow
#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;
audit2allow -R
#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>