SELinux error with icecast package

Adam D. Ligas adam at physco.com
Sun Dec 7 21:52:57 UTC 2008


Hey folks,

I've got a bunch of SELinux errors on my newly installed F10 server.
I'm a decently knowledgeable Linux user, but SELinux is pretty much over
my head at this point.

Rather then spam the IRC channel, I thought I would send a series of
messages with the various errors to this list.  If this is not the
appropriate place to do this, please let me know and accept my apology
in advance.

This error occurred when installing icecast from the standard Fedora
repo.  According to the GUI troubleshoot tool, it tried it more then
once.

--- Begin SELinux Alert 1 ---
Summary:

SELinux is preventing nscd (nscd_t) "read" unconfined_notrans_t.

Detailed Description:

SELinux denied access requested by nscd. It is not expected that this
access is
required by nscd and this access may signal an intrusion attempt. It is
also
possible that the specific version or configuration of the application
is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:nscd_t:s0
Target Context
unconfined_u:system_r:unconfined_notrans_t:s0
Target Objects                pipe [ fifo_file ]
Source                        nscd
Source Path                   /usr/sbin/nscd
Port                          <Unknown>
Host                          boris
Source RPM Packages           nscd-2.9-2
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     boris
Platform                      Linux boris 2.6.27.5-117.fc10.i686 #1 SMP
Tue Nov
                              18 12:19:59 EST 2008 i686 athlon
Alert Count                   4
First Seen                    Sat 06 Dec 2008 04:16:14 PM EST
Last Seen                     Sat 06 Dec 2008 04:16:14 PM EST
Local ID                      cd43cbcd-4bae-4524-b52f-f8ab36f00764
Line Numbers                  

Raw Audit Messages            

node=boris type=AVC msg=audit(1228598174.876:203): avc:  denied
{ read } for  pid=5357 comm="nscd" path="pipe:[35289]" dev=pipefs
ino=35289 scontext=unconfined_u:system_r:nscd_t:s0
tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=fifo_file

node=boris type=SYSCALL msg=audit(1228598174.876:203): arch=40000003
syscall=11 success=yes exit=0 a0=8056c6b a1=bfb25c24 a2=bfb25c38 a3=0
items=0 ppid=5352 pid=5357 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="nscd" exe="/usr/sbin/nscd"
subj=unconfined_u:system_r:nscd_t:s0 key=(null)
--- End SELinux Alert ---

When I removed the package with yum, it threw this error a bunch more
times and added an additional one:

--- Begin SELinux Alert 2 ---
Summary:

SELinux prevented semanage from using the terminal 0.

Detailed Description:

SELinux prevented semanage from using the terminal 0. In most cases
daemons do
not need to interact with the terminal, usually these avc messages can
be
ignored. All of the confined daemons should have dontaudit rules around
using
the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
selinux-policy.
If you would like to allow all daemons to interact with the terminal,
you can
turn on the allow_daemons_use_tty boolean.

Allowing Access:

Changing the "allow_daemons_use_tty" boolean to true will allow this
access:
"setsebool -P allow_daemons_use_tty=1."

Fix Command:

setsebool -P allow_daemons_use_tty=1

Additional Information:

Source Context                unconfined_u:system_r:semanage_t:s0
Target Context                unconfined_u:object_r:devpts_t:s0
Target Objects                0 [ chr_file ]
Source                        semanage
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          boris
Source RPM Packages           python-2.5.2-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_daemons_use_tty
Host Name                     boris
Platform                      Linux boris 2.6.27.5-117.fc10.i686 #1 SMP
Tue Nov
                              18 12:19:59 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Sun 07 Dec 2008 04:34:19 PM EST
Last Seen                     Sun 07 Dec 2008 04:34:19 PM EST
Local ID                      5ff62f2f-d05d-46b3-9624-b1308e1a06f6
Line Numbers                  

Raw Audit Messages            

node=boris type=AVC msg=audit(1228685659.553:6520): avc:  denied  { read
write } for  pid=32355 comm="semanage" name="0" dev=devpts ino=2
scontext=unconfined_u:system_r:semanage_t:s0
tcontext=unconfined_u:object_r:devpts_t:s0 tclass=chr_file

node=boris type=SYSCALL msg=audit(1228685659.553:6520): arch=40000003
syscall=11 success=yes exit=0 a0=8050a82 a1=bf871adc a2=0 a3=0 items=0
ppid=32354 pid=32355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=3 comm="semanage" exe="/usr/bin/python"
subj=unconfined_u:system_r:semanage_t:s0 key=(null)
-- End SELinux Alert ---

The second one includes some instructions to repair the error, but it
seems to be an "all or nothing" sort of command, and it seems even
weirder to run it after I've uninstalled the package that appears to be
using it.

Thoughts?

- Adam




More information about the selinux mailing list