Hi,
On a fully updated CentOS 5.7 box I get the following AVC
Summary:
SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).
Detailed Description:
SELinux denied access requested by unix_update. It is not expected that this access is required by unix_update and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:updpwd_t
Target Context system_u:object_r:fs_t
Target Objects / [ filesystem ]
Source unix_update
Source Path <Unknown>
Port <Unknown>
Host a.b.c.d
Source RPM Packages
Target RPM Packages filesystem-2.4.0-3.el5.centos
Policy RPM selinux-policy-2.4.6-316.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name a.b.c.d
Platform Linuxl a.b.c.d 2.6.18-274.3.1.el5 #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64
Alert Count 11
First Seen Fri Feb 25 15:39:33 2011
Last Seen Mon Sep 26 14:18:54 2011
Local ID 275eef01-114a-419b-9df0-4bb81932bc5e
Line Numbers
Raw Audit Messages
host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
I can generate a local policy module.
Thanks,
Tony
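As an added example (not part of the original post, and not the code of audit2allow or any SELinux tool), the sketch below shows which fields of the raw audit message above determine the rule a local policy module would contain. The function names `parse_avc` and `allow_rules` are hypothetical; the sample is the message from the post in its line-wrapped form.

```python
import re
from collections import defaultdict

# Raw audit message from the post (host already anonymised as a.b.c.d),
# in the line-wrapped form a mail client produces.
SAMPLE = """host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied
{ getattr } for pid=21354 comm="unix_update" name="/" dev=sda5
ino=2 scontext=system_u:system_r:updpwd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return a dict describing one AVC record, or None if text is not one."""
    flat = " ".join(text.split())  # undo mail line wrapping
    m = AVC_RE.search(flat)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        # A context is user:role:type[:level]; the rule is written on the type.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def allow_rules(records):
    """Merge denials into allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for rec in records:
        if rec and rec["result"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            merged[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules([parse_avc(SAMPLE)])))
```

The resulting rule is the full extent of what a local module for this denial would grant, which makes it easy to review before loading.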
On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
I can generate a local policy module.
Any idea what you were doing when this happened? The reason I ask is because this is not even allowed in latest Fedora as far as I can see.
It is no big deal to allow updpwd_t to get attributes of the fs_t filesystem but it is certainly not common for updpwd_t to want this access I believe. If it was we probably would have gotten many more reports much earlier.
Thanks,
Tony
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
I can generate a local policy module.
Any idea what you were doing when this happened? The reason I ask is because this is not even allowed in latest Fedora as far as I can see.
This machine is basically a mail and ftp server. As far as I can tell from the logs ( secure and messages ) nobody was doing anything on the machine at the times I get the AVC, 5 times yesterday.
It is no big deal to allow updpwd_t to get attributes of the fs_t filesystem but it is certainly not common for updpwd_t to want this access I believe. If it was we probably would have gotten many more reports much earlier.
Strange then that I am getting it from this one server only.
Here's the context for unix_update
-rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update
I've just run an autorelabel on the entire filesystem as part of the 5.6 to 5.7 CentOS update
Thanks,
Tony
Thanks,
Tony
On Tue, 2011-09-27 at 16:26 +0100, Tony Molloy wrote:
On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
I can generate a local policy module.
Any idea what you were doing when this happened? The reason I ask
is because this is not even allowed in latest Fedora as far as I
can see.
This machine is basically a mail and ftp server. As far as I can tell from the logs ( secure and messages ) nobody was doing anything on the machine at the times I get the AVC, 5 times yesterday.
It is no big deal to allow updpwd_t to get attributes of the fs_t
filesystem but it is certainly not common for updpwd_t to want this
access I believe. If it was we probably would have gotten many more
reports much earlier.
Strange then that I am getting it from this one server only.
Here's the context for unix_update
-rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update
I've just run an autorelabel on the entire filesystem as part of the 5.6 to 5.7 CentOS update
See if you can reproduce it
Thanks,
Tony
Thanks,
Tony
On 09/27/2011 11:26 AM, Tony Molloy wrote:
On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
I can generate a local policy module.
Any idea what you were doing when this happened? The reason I ask
is because this is not even allowed in latest Fedora as far as I
can see.
This machine is basically a mail and ftp server. As far as I can tell from the logs ( secure and messages ) nobody was doing anything on the machine at the times I get the AVC, 5 times yesterday.
It is no big deal to allow updpwd_t to get attributes of the fs_t
filesystem but it is certainly not common for updpwd_t to want this
access I believe. If it was we probably would have gotten many more
reports much earlier.
Strange then that I am getting it from this one server only.
Here's the context for unix_update
-rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update
I've just run an autorelabel on the entire filesystem as part of the 5.6 to 5.7 CentOS update
Thanks,
Tony
Thanks,
Tony
Probably has to do with the way the mount table is set up on this machine versus other machines.
On Tuesday 27 September 2011 19:17:17 Daniel J Walsh wrote:
On 09/27/2011 11:26 AM, Tony Molloy wrote:
On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
Hi,
On a fully updated CentOS 5.7 box I get the following AVC
SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).
Raw Audit Message
host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied
{ getattr } for pid=21354 comm="unix_update" name="/" dev=sda5
ino=2 scontext=system_u:system_r:updpwd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Probably has to do with the way the mount table is set up on this machine versus other machines.
Now I've just noticed some other SELinux problems on this machine.
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Sep 24 13:25:24 garryowen ssh: /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /home/[^/]*/.+.
Sep 24 13:25:24 garryowen ssh: /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /home/[^/]*/.virtinst(/.*)?.
.....
Now some time ago I moved some test mail accounts on this machine from /users to /home and ran genhomedircon.
There is a file in /etc/selinux/targeted/contexts/files/ called file_contexts.homedirs, generated by genhomedircon, which contains context information for /home.
Could these multiple definitions be the root cause of the problem?
Should I remove this file and autorelabel the entire filesystem again?
Thanks,
Tony
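The "Multiple same specifications" warnings quoted in this message point at entries that occur more than once across the file_contexts files. The following is an added example, not part of the original thread and not libselinux's own code, that lists such collisions with file and line number. It assumes two entries collide when both the path regex and the file-type field are identical, a simplification of the real loader's check. The file contents are constructed, and the function names are hypothetical. It goes slightly beyond the thread by also flagging repeats whose contexts differ.

```python
from collections import defaultdict

# Constructed sample contents (not taken from the poster's machine): the same
# /home patterns appear in the base file and in the genhomedircon output.
SAMPLE_FILES = {
    "file_contexts": """\
# base policy
/home/[^/]*/.+\tsystem_u:object_r:user_home_t:s0
/home/[^/]*\t-d\tsystem_u:object_r:user_home_dir_t:s0
/etc/shadow.*\t--\tsystem_u:object_r:shadow_t:s0
""",
    "file_contexts.homedirs": """\
/home/[^/]*/.+\tsystem_u:object_r:user_home_t:s0
/home/[^/]*/.virtinst(/.*)?\tsystem_u:object_r:virt_home_t:s0
/home/[^/]*\t-d\tsystem_u:object_r:user_home_dir_t:s0
/home/[^/]*/.virtinst(/.*)?\tsystem_u:object_r:virt_content_t:s0
""",
}


def parse_specs(name, text):
    """Yield (regex, file_type, context, 'file:line') for each entry."""
    specs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if len(parts) not in (2, 3):
            continue  # malformed line
        regex, context = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else ""
        specs.append((regex, ftype, context, f"{name}:{lineno}"))
    return specs


def find_duplicates(files):
    """Return sorted (kind, regex, file_type, locations) for repeated entries."""
    seen = defaultdict(list)
    for name, text in files.items():
        for regex, ftype, context, where in parse_specs(name, text):
            seen[(regex, ftype)].append((context, where))
    report = []
    for (regex, ftype), hits in seen.items():
        if len(hits) > 1:
            kind = "same" if len({c for c, _ in hits}) == 1 else "different"
            report.append((kind, regex, ftype, [w for _, w in hits]))
    return sorted(report)

if __name__ == "__main__":
    for row in find_duplicates(SAMPLE_FILES):
        print(row)
```

On a real system the dictionary would be filled from the files under /etc/selinux/targeted/contexts/files/ named in the message.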
On 09/28/2011 10:56 AM, Tony Molloy wrote:
On Tuesday 27 September 2011 19:17:17 Daniel J Walsh wrote:
On 09/27/2011 11:26 AM, Tony Molloy wrote:
On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
Hi,
On a fully updated CentOS 5.7 box I get the following AVC
SELinux is preventing unix_update (updpwd_t) "getattr" to /
(fs_t).
Raw Audit Message
host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc:
denied
{ getattr } for pid=21354 comm="unix_update" name="/" dev=sda5
ino=2 scontext=system_u:system_r:updpwd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Probably has to do with the way the mount table is set up on this
machine versus other machines.
Now I've just noticed some other SELinux problems on this machine.
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Sep 24 13:25:24 garryowen ssh: /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /home/[^/]*/.+.
Sep 24 13:25:24 garryowen ssh: /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /home/[^/]*/.virtinst(/.*)?.
.....
Now some time ago I moved some test mail accounts on this machine from /users to /home and ran genhomedircon.
There is a file in /etc/selinux/targeted/contexts/files/ called file_contexts.homedirs, generated by genhomedircon, which contains context information for /home.
Could these multiple definitions be the root cause of the problem?
Should I remove this file and autorelabel the entire filesystem again?
Thanks,
Tony
No