On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
> On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
> > Hi,
> >
> > On a fully updated CentOS 5.7 box I get the following AVC
> >
> > Summary:
> >
> > SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).
> >
> > Detailed Description:
> >
> > SELinux denied access requested by unix_update. It is not expected that this
> > access is required by unix_update and this access may signal an intrusion
> > attempt. It is also possible that the specific version or configuration of the
> > application is causing it to require additional access.
> >
> > Allowing Access:
> >
> > You can generate a local policy module to allow this access - see FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> > SELinux protection altogether. Disabling SELinux protection is not recommended.
> > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this package.
> >
> > Additional Information:
> >
> > Source Context                system_u:system_r:updpwd_t
> > Target Context                system_u:object_r:fs_t
> > Target Objects                / [ filesystem ]
> > Source                        unix_update
> > Source Path                   <Unknown>
> > Port                          <Unknown>
> > Host                          a.b.c.d
> > Source RPM Packages
> > Target RPM Packages           filesystem-2.4.0-3.el5.centos
> > Policy RPM                    selinux-policy-2.4.6-316.el5
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   catchall
> > Host Name                     a.b.c.d
> > Platform                      Linuxl a.b.c.d 2.6.18-274.3.1.el5
> >                               #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64
> > Alert Count                   11
> > First Seen                    Fri Feb 25 15:39:33 2011
> > Last Seen                     Mon Sep 26 14:18:54 2011
> > Local ID                      275eef01-114a-419b-9df0-4bb81932bc5e
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> >
> > I can generate a local policy module.
>
> Any idea what you were doing when this happened? The reason I ask
> is because this is not even allowed in latest Fedora as far as I
> can see.

This machine is basically a mail and ftp server. As far as I can tell
from the logs (secure and messages) nobody was doing anything on the
machine at the times I get the AVC, 5 times yesterday.

> It is no big deal to allow updpwd_t to get attributes of the fs_t
> filesystem but it is certainly not common for updpwd_t to want this
> access I believe. If it was we probably would have gotten many more
> reports much earlier.

Strange then that I am getting it from this one server only.

Here's the context for unix_update

-rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update

I've just run an autorelabel on the entire filesystem as part of the
5.6 to 5.7 CentOS update

Thanks,

Tony

> > Thanks,
> >
> > Tony
> >
> > --
> > selinux mailing list
> > selinux(a)lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux