F12: "mac_admin"

Stephen Smalley sds at tycho.nsa.gov
Mon Mar 8 14:16:11 UTC 2010


On Sun, 2010-03-07 at 12:21 -0800, Daniel B. Thurman wrote:
> I have no idea what this is, but it is new:
> 
> ================================================
> Summary:
> 
> SELinux is preventing /usr/bin/chcon "mac_admin" access .
> 
> Detailed Description:
> 
> SELinux denied access requested by chcon. It is not expected that this
> access is required by chcon and this access may signal an intrusion attempt.
> It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> report.
> 
> Additional Information:
> 
> Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects                None [ capability2 ]
> Source                        chcon
> Source Path                   /usr/bin/chcon
> Port <Unknown>
> Host                          host.domain.com
> Source RPM Packages           coreutils-7.6-9.fc12
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.32-92.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     host.domain.com
> Platform                      Linux host.domain.com 2.6.31.12-174.2.22.fc12.i686
>                                #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
> Alert Count                   1
> First Seen                    Fri 05 Mar 2010 11:24:27 AM PST
> Last Seen                     Fri 05 Mar 2010 11:24:27 AM PST
> Local ID                      73c77171-b9bb-44f9-98bb-68a6d3ee1e96
> Line Numbers
> 
> Raw Audit Messages
> 
> node=host.domain.com type=AVC msg=audit(1267817067.517:43791): avc:  denied  { mac_admin } for  pid=28356 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
> 
> node=host.domain.com type=SYSCALL msg=audit(1267817067.517:43791): arch=40000003 syscall=226 success=no exit=-22 a0=834b8d0 a1=7fd69ed a2=834cc90 a3=23 items=0 ppid=28098 pid=28356 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts10 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

This just means you invoked chcon with an invalid security context.  If
you had been allowed mac_admin in the policy, then you would have been
allowed to do so; this can be used in order to label files when creating
an image for another distribution release with a different policy.  But
generally you don't want to allow it.

-- 
Stephen Smalley
National Security Agency
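The two raw audit records above carry everything needed to reach Stephen's conclusion without guessing: the AVC names the capability2 permission (mac_admin is capability number 33, the second bit of that class), and the matching SYSCALL record shows which call chcon made and what errno it got back. The parser below is an added example, not code from the original post or from setroubleshoot; it joins the AVC and SYSCALL records by their audit serial, cross-checks the numeric capability against the permission name, decodes the errno with the standard library, and names the syscall from a deliberately partial table (only the xattr family for AUDIT_ARCH_I386 and AUDIT_ARCH_X86_64, from the x86 syscall tables). The sample input is the report's own two records, re-joined onto one line each.

```python
"""Explain a capability2/mac_admin AVC such as the one in this thread.

Added example; not from the original post.  Reads audit lines (as written to
/var/log/audit/audit.log or printed by ausearch), pairs AVC and SYSCALL
records by serial, and produces a short diagnosis.
"""
import errno
import re
from collections import defaultdict

# Constructed input: the two records from the report, unwrapped onto one line each.
SAMPLE_AUDIT = """\
node=host.domain.com type=AVC msg=audit(1267817067.517:43791): avc:  denied  { mac_admin } for  pid=28356 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
node=host.domain.com type=SYSCALL msg=audit(1267817067.517:43791): arch=40000003 syscall=226 success=no exit=-22 a0=834b8d0 a1=7fd69ed a2=834cc90 a3=23 items=0 ppid=28098 pid=28356 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts10 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# Capabilities numbered 32 and up live in the "capability2" object class
# (numbers from linux/capability.h).
CAPABILITY2 = {32: "mac_override", 33: "mac_admin", 34: "syslog",
               35: "wake_alarm", 36: "block_suspend", 37: "audit_read"}

# Partial syscall tables: only the xattr setters, keyed by the audit arch value
# (40000003 = AUDIT_ARCH_I386, c000003e = AUDIT_ARCH_X86_64).
XATTR_SYSCALLS = {
    "40000003": {226: "setxattr", 227: "lsetxattr", 228: "fsetxattr"},
    "c000003e": {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"},
}

_SERIAL = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_PERMS = re.compile(r"\{ ([^}]*) \}")
_VERDICT = re.compile(r"avc:\s+(denied|granted)")


def parse_records(text):
    """Group audit records by serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = _SERIAL.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        if fields.get("type") == "AVC":
            fields["perms"] = _PERMS.search(line).group(1).split()
            fields["verdict"] = _VERDICT.search(line).group(1)
        events[m.group(2)][fields["type"]] = fields
    return dict(events)


def explain(event):
    """Decode one AVC (+ optional SYSCALL) pair for the capability classes."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not avc or avc.get("tclass") not in ("capability", "capability2"):
        return None
    cap = int(avc["capability"])
    cap_name = CAPABILITY2.get(cap, f"cap_{cap}")
    out = {
        "comm": avc["comm"],
        "perms": avc["perms"],
        "verdict": avc["verdict"],
        "capability": cap,
        # The numeric capability and the permission name must agree; a
        # mismatch means the record was mangled or the class table is off.
        "consistent": cap_name in avc["perms"],
    }
    if sc:
        num = int(sc["syscall"])
        out["syscall"] = XATTR_SYSCALLS.get(sc["arch"], {}).get(num, f"syscall_{num}")
        # exit=-22 is -EINVAL; errno.errorcode maps the positive number to its name.
        out["errno"] = errno.errorcode.get(-int(sc["exit"]), sc["exit"])
        out["uid"] = int(sc["uid"])
    return out


def describe(d):
    """One-line reading of the decoded event."""
    if d["verdict"] == "denied" and "mac_admin" in d["perms"] and d.get("errno") == "EINVAL":
        return (f"{d['comm']} passed a security context the loaded policy does not "
                f"define; storing it via {d['syscall']} requires CAP_MAC_ADMIN, "
                f"policy denied it, and the call failed with EINVAL.")
    return f"{d['comm']}: {d['verdict']} {{ {' '.join(d['perms'])} }}"


def diagnose(text):
    """Parse audit text and return a description for every capability AVC."""
    return [describe(d) for e in parse_records(text).values() if (d := explain(e))]


if __name__ == "__main__":
    for line in diagnose(SAMPLE_AUDIT):
        print(line)
```

Run it against `ausearch -m AVC,SYSCALL --raw` output to get the same pairing on a live box; the `consistent` flag is there so that a capability number that does not match its permission name is noticed instead of silently trusted.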


