new denials: shutdown, cupsd and abrt?
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 18 15:37:37 UTC 2010
On 01/15/2010 07:34 PM, Antonio Olivares wrote:
> Dear all,
>
> after being unable to update to latest since end of December and updating successfully, I see the following alerts. I try to submit reports but abrt? is crashing :(
>
> Thanks for any pointers/advice/suggestions in advance,
>
setroubleshoot reporting has been broken do to a bug in python-bugzilla that is blowing up. The bug has been reported but
has not been fixed.
> Regards,
>
>
> Antonio
>
>
> Summary:
>
> SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt.
>
> Detailed Description:
>
> [abrtd has a permissive type (abrt_t). This access was not denied.]
>
> SELinux denied access requested by abrtd. It is not expected that this access is
> required by abrtd and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023
> Target Context system_u:object_r:abrt_etc_t:s0
> Target Objects /etc/abrt [ dir ]
> Source abrtd
> Source Path /usr/sbin/abrtd (deleted)
> Port <Unknown>
> Host (removed)
> Source RPM Packages
> Target RPM Packages abrt-1.0.2-1.fc13
> Policy RPM selinux-policy-3.7.7-2.fc13
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name (removed)
> Platform Linux (removed) 2.6.32-7.fc13.x86_64 #1 SMP
> Wed Dec 9 10:51:00 EST 2009 x86_64 x86_64
> Alert Count 3
> First Seen Fri 15 Jan 2010 05:16:23 PM CST
> Last Seen Fri 15 Jan 2010 05:16:23 PM CST
> Local ID 384ec928-68a3-44de-99df-c72f1463e4d6
> Line Numbers
>
> Raw Audit Messages
>
> node=(removed) type=AVC msg=audit(1263597383.547:63): avc: denied { write } for pid=1420 comm="abrtd" name="abrt" dev=dm-0 ino=28638 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
>
> node=(removed) type=AVC msg=audit(1263597383.547:63): avc: denied { add_name } for pid=1420 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
>
> node=(removed) type=AVC msg=audit(1263597383.547:63): avc: denied { create } for pid=1420 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file
>
> node=(removed) type=SYSCALL msg=audit(1263597383.547:63): arch=c000003e syscall=2 success=yes exit=9 a0=7f72659b8625 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=1420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
>
>
>
THis is a reported bug on abrt
https://bugzilla.redhat.com/show_bug.cgi?id=550523
If you take the subject line of setroubleshoot and give it to google, it is pretty good at finding a duplicate bug.
> Summary:
>
>
>
> Detailed Description:
>
> [shutdown has a permissive type (xdm_t). This access was not denied.]
>
> SELinux denied access requested by shutdown. It is not expected that this access
> is required by shutdown and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context system_u:system_r:init_t:s0
> Target Objects [ unix_stream_socket ]
> Source shutdown
> Source Path /sbin/shutdown
> Port <Unknown>
> Host n6355-ET1161-05
> Source RPM Packages upstart-0.6.3-5.fc13
> Target RPM Packages filesystem-2.4.31-1.fc13
> Policy RPM selinux-policy-3.7.7-2.fc13
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name n6355-ET1161-05
> Platform Linux n6355-ET1161-05 2.6.32-7.fc13.x86_64 #1 SMP
> Wed Dec 9 10:51:00 EST 2009 x86_64 x86_64
> Alert Count 1
> First Seen Fri 15 Jan 2010 06:18:46 PM CST
> Last Seen Fri 15 Jan 2010 06:18:46 PM CST
> Local ID 68992789-1746-4d6e-9f9b-fb5113529442
> Line Numbers
>
> Raw Audit Messages
>
> node=n6355-ET1161-05 type=AVC msg=audit(1263601126.315:74): avc: denied { connectto } for pid=23588 comm="shutdown" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>
> node=n6355-ET1161-05 type=SYSCALL msg=audit(1263601126.315:74): arch=c000003e syscall=42 success=yes exit=128 a0=3 a1=7fff661de2d0 a2=16 a3=7fff661de050 items=0 ppid=1483 pid=23588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="shutdown" exe="/sbin/shutdown" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
Fixed in selinux-policy-3.7.7-3.fc13.noarch
>
> Summary:
>
> SELinux is preventing /usr/bin/python "read" access on /var/run/abrt.pid.
>
> Detailed Description:
>
> SELinux denied access requested by SetroubleshootF. It is not expected that this
> access is required by SetroubleshootF and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.
> c1023
> Target Context system_u:object_r:abrt_var_run_t:s0
> Target Objects /var/run/abrt.pid [ file ]
> Source SetroubleshootF
> Source Path /usr/bin/python
> Port <Unknown>
> Host n6355-ET1161-05
> Source RPM Packages python-2.6.4-4.fc13
> Target RPM Packages
> Policy RPM selinux-policy-3.7.7-2.fc13
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name n6355-ET1161-05
> Platform Linux n6355-ET1161-05 2.6.32.3-21.fc13.x86_64 #1
> SMP Mon Jan 11 16:53:56 UTC 2010 x86_64 x86_64
> Alert Count 0
> First Seen Fri 15 Jan 2010 12:23:06 PM CST
> Last Seen Fri 15 Jan 2010 12:23:06 PM CST
> Local ID 5806d5ac-edaf-4975-99eb-28b018e6379f
> Line Numbers
>
> Raw Audit Messages
>
> node=n6355-ET1161-05 type=AVC msg=audit(1263579786.790:22): avc: denied { read } for pid=2250 comm="SetroubleshootF" name="abrt.pid" dev=dm-0 ino=131500 scontext=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_run_t:s0 tclass=file
>
> node=n6355-ET1161-05 type=SYSCALL msg=audit(1263579786.790:22): arch=c000003e syscall=2 success=no exit=-13 a0=d44570 a1=0 a2=1b6 a3=0 items=0 ppid=2249 pid=2250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="SetroubleshootF" exe="/usr/bin/python" subj=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 key=(null)
>
>
I believe this is fixed in the latest abrt tools, Make sure you have the latest abrt. If not report this as an abrt bug. Every tool in the world should not need to read the pid file of abrt, the helper should be used.
>
> Summary:
>
> SELinux is preventing /usr/sbin/cupsd "read" access to
> /etc/cups/ppd/Cups-PDF.ppd.
>
> Detailed Description:
>
> SELinux denied access requested by cupsd. /etc/cups/ppd/Cups-PDF.ppd may be a
> mislabeled. /etc/cups/ppd/Cups-PDF.ppd default SELinux type is cupsd_rw_etc_t,
> but its current type is tmp_t. Changing this file back to the default type, may
> fix your problem.
>
> File contexts can be assigned to a file in the following ways.
>
> * Files created in a directory receive the file context of the parent
> directory by default.
> * The SELinux policy might override the default label inherited from the
> parent directory by specifying a process running in context A which creates
> a file in a directory labeled B will instead create the file with label C.
> An example of this would be the dhcp client running with the dhclient_t type
> and creating a file in the directory /etc. This file would normally receive
> the etc_t type due to parental inheritance but instead the file is labeled
> with the net_conf_t type because the SELinux policy specifies this.
> * Users can change the file context on a file using tools such as chcon, or
> restorecon.
>
> This file could have been mislabeled either by user error, or if an normally
> confined application was run under the wrong domain.
>
> However, this might also indicate a bug in SELinux because the file should not
> have been labeled with this type.
>
> If you believe this is a bug, please file a bug report against this package.
>
> Allowing Access:
>
> You can restore the default system context to this file by executing the
> restorecon command. restorecon '/etc/cups/ppd/Cups-PDF.ppd', if this file is a
> directory, you can recursively restore using restorecon -R
> '/etc/cups/ppd/Cups-PDF.ppd'.
>
> Fix Command:
>
> /sbin/restorecon '/etc/cups/ppd/Cups-PDF.ppd'
>
> Additional Information:
>
> Source Context unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
> Target Context system_u:object_r:tmp_t:s0
> Target Objects /etc/cups/ppd/Cups-PDF.ppd [ file ]
> Source cupsd
> Source Path /usr/sbin/cupsd
> Port <Unknown>
> Host n6355-ET1161-05
> Source RPM Packages cups-1.4.2-24.fc13
> Target RPM Packages
> Policy RPM selinux-policy-3.7.7-2.fc13
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name restorecon
> Host Name n6355-ET1161-05
> Platform Linux n6355-ET1161-05 2.6.32-7.fc13.x86_64 #1 SMP
> Wed Dec 9 10:51:00 EST 2009 x86_64 x86_64
> Alert Count 2
> First Seen Mon 14 Dec 2009 09:04:50 AM CST
> Last Seen Fri 15 Jan 2010 05:06:08 PM CST
> Local ID d2a2744e-27fd-40d6-8f8b-46ef65fd1026
> Line Numbers
>
> Raw Audit Messages
>
> node=n6355-ET1161-05 type=AVC msg=audit(1263596768.153:59): avc: denied { read } for pid=21527 comm="cupsd" name="Cups-PDF.ppd" dev=dm-0 ino=221456 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>
> node=n6355-ET1161-05 type=SYSCALL msg=audit(1263596768.153:59): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcd2267e0 a1=0 a2=0 a3=7fffcd225fc0 items=0 ppid=21526 pid=21527 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd" exe="/usr/sbin/cupsd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>
>
>
> Summary:
>
> SELinux is preventing /usr/sbin/cupsd "read" access to
> /etc/cups/ppd/HP-LaserJet-1200.ppd.
>
> Detailed Description:
>
> SELinux denied access requested by cupsd. /etc/cups/ppd/HP-LaserJet-1200.ppd may
> be a mislabeled. /etc/cups/ppd/HP-LaserJet-1200.ppd default SELinux type is
> cupsd_rw_etc_t, but its current type is tmp_t. Changing this file back to the
> default type, may fix your problem.
>
> File contexts can be assigned to a file in the following ways.
>
> * Files created in a directory receive the file context of the parent
> directory by default.
> * The SELinux policy might override the default label inherited from the
> parent directory by specifying a process running in context A which creates
> a file in a directory labeled B will instead create the file with label C.
> An example of this would be the dhcp client running with the dhclient_t type
> and creating a file in the directory /etc. This file would normally receive
> the etc_t type due to parental inheritance but instead the file is labeled
> with the net_conf_t type because the SELinux policy specifies this.
> * Users can change the file context on a file using tools such as chcon, or
> restorecon.
>
> This file could have been mislabeled either by user error, or if an normally
> confined application was run under the wrong domain.
>
> However, this might also indicate a bug in SELinux because the file should not
> have been labeled with this type.
>
> If you believe this is a bug, please file a bug report against this package.
>
> Allowing Access:
>
> You can restore the default system context to this file by executing the
> restorecon command. restorecon '/etc/cups/ppd/HP-LaserJet-1200.ppd', if this
> file is a directory, you can recursively restore using restorecon -R
> '/etc/cups/ppd/HP-LaserJet-1200.ppd'.
>
> Fix Command:
>
> /sbin/restorecon '/etc/cups/ppd/HP-LaserJet-1200.ppd'
>
> Additional Information:
>
> Source Context unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
> Target Context system_u:object_r:tmp_t:s0
> Target Objects /etc/cups/ppd/HP-LaserJet-1200.ppd [ file ]
> Source cupsd
> Source Path /usr/sbin/cupsd
> Port <Unknown>
> Host n6355-ET1161-05
> Source RPM Packages cups-1.4.2-24.fc13
> Target RPM Packages
> Policy RPM selinux-policy-3.7.7-2.fc13
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name restorecon
> Host Name n6355-ET1161-05
> Platform Linux n6355-ET1161-05 2.6.32-7.fc13.x86_64 #1 SMP
> Wed Dec 9 10:51:00 EST 2009 x86_64 x86_64
> Alert Count 2
> First Seen Mon 14 Dec 2009 09:04:50 AM CST
> Last Seen Fri 15 Jan 2010 05:06:08 PM CST
> Local ID 38fbab19-5c32-404e-9d68-ca6fded185b0
> Line Numbers
>
> Raw Audit Messages
>
> node=n6355-ET1161-05 type=AVC msg=audit(1263596768.222:61): avc: denied { read } for pid=21527 comm="cupsd" name="HP-LaserJet-1200.ppd" dev=dm-0 ino=104601 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
>
> node=n6355-ET1161-05 type=SYSCALL msg=audit(1263596768.222:61): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcd2267e0 a1=0 a2=0 a3=1 items=0 ppid=21526 pid=21527 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd" exe="/usr/sbin/cupsd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>
>
> Thanks for helping.
>
>
Both of these are mislabeled files. You need to run restorecon. Not sure how they got mislabeled.
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
More information about the selinux
mailing list