F12: "mac_admin"
Stephen Smalley
sds at tycho.nsa.gov
Mon Mar 8 14:16:11 UTC 2010
On Sun, 2010-03-07 at 12:21 -0800, Daniel B. Thurman wrote:
> I have no idea what this is, but it is new:
>
> ================================================
> Summary:
>
> SELinux is preventing /usr/bin/chcon "mac_admin" access .
>
> Detailed Description:
>
> SELinux denied access requested by chcon. It is not expected that this
> access is required by chcon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects None [ capability2 ]
> Source chcon
> Source Path /usr/bin/chcon
> Port <Unknown>
> Host host.domain.com
> Source RPM Packages coreutils-7.6-9.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.32-92.fc12
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name host.domain.com
> Platform Linux host.domain.com 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
> Alert Count 1
> First Seen Fri 05 Mar 2010 11:24:27 AM PST
> Last Seen Fri 05 Mar 2010 11:24:27 AM PST
> Local ID 73c77171-b9bb-44f9-98bb-68a6d3ee1e96
> Line Numbers
>
> Raw Audit Messages
>
> node=host.domain.com type=AVC msg=audit(1267817067.517:43791): avc: denied { mac_admin } for pid=28356 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
>
> node=host.domain.com type=SYSCALL msg=audit(1267817067.517:43791): arch=40000003 syscall=226 success=no exit=-22 a0=834b8d0 a1=7fd69ed a2=834cc90 a3=23 items=0 ppid=28098 pid=28356 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts10 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
This just means you invoked chcon with an invalid security context. If
you had been allowed mac_admin in the policy, then you would have been
allowed to do so; this can be used in order to label files when creating
an image for another distribution release with a different policy. But
generally you don't want to allow it.
--
Stephen Smalley
National Security Agency
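The reply above reads the AVC by hand: capability=33 under tclass=capability2 is CAP_MAC_ADMIN, and the paired SYSCALL record's exit=-22 is EINVAL, i.e. the kernel refused the context because the loaded policy does not define it. The following script is an added example, not part of this thread or of any SELinux tool, showing how an analyst can do that decoding mechanically for a batch of audit records. It correlates AVC and SYSCALL records by their audit serial, decodes the capability, errno and (for arch=40000003, i386) the setxattr-family syscall number, and attaches the interpretation Stephen gives for mac_admin. The sample input is the two records quoted above, re-joined onto single lines; the small lookup tables cover only the values needed here and are assumptions of this example.

```python
import re

# Constructed sample input: the two raw audit records quoted in the thread,
# re-joined onto single lines (the list archive had wrapped them).
SAMPLE_AUDIT = [
    'node=host.domain.com type=AVC msg=audit(1267817067.517:43791): avc: '
    'denied { mac_admin } for pid=28356 comm="chcon" capability=33 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=capability2',
    'node=host.domain.com type=SYSCALL msg=audit(1267817067.517:43791): '
    'arch=40000003 syscall=226 success=no exit=-22 a0=834b8d0 a1=7fd69ed '
    'a2=834cc90 a3=23 items=0 ppid=28098 pid=28356 auid=500 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts10 ses=1 comm="chcon" '
    'exe="/usr/bin/chcon" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
]

# Capability numbers >= 32 are checked under the SELinux "capability2" class;
# CAP_MAC_ADMIN is 33 (include/uapi/linux/capability.h). Partial table.
CAPABILITY2_NAMES = {32: "mac_override", 33: "mac_admin", 34: "syslog"}
# Partial errno table, keyed by the positive errno value.
ERRNO_NAMES = {1: "EPERM", 13: "EACCES", 22: "EINVAL"}
# arch=40000003 is AUDIT_ARCH_I386; 225-227 are the setxattr family there.
I386_SYSCALLS = {225: "setxattr", 226: "lsetxattr", 227: "fsetxattr"}

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into type, serial, key=value fields and,
    for AVC records, the decision and the permission set in braces."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec = {"type": fields.get("type"), "fields": fields, "serial": None}
    m = SERIAL_RE.search(line)
    if m:
        rec["serial"] = m.group(1)
    m = PERMS_RE.search(line)
    if m:
        rec["decision"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec


def group_by_serial(lines):
    """Records sharing one audit serial describe the same event, so the AVC
    and its SYSCALL record can be read together."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec["serial"], []).append(rec)
    return events


def triage(lines):
    """Return one finding per denied capability2 check, decoding the numeric
    capability, syscall and errno the way an analyst would by hand."""
    findings = []
    for serial, recs in group_by_serial(lines).items():
        avc = next((r for r in recs if r["type"] == "AVC"), None)
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not avc or avc.get("decision") != "denied":
            continue
        f = avc["fields"]
        if f.get("tclass") != "capability2":
            continue
        cap = int(f.get("capability", -1))
        finding = {
            "serial": serial,
            "comm": f.get("comm"),
            "capability": CAPABILITY2_NAMES.get(cap, "cap%d" % cap),
            # A capability check is always against the caller's own context.
            "self_check": f.get("scontext") == f.get("tcontext"),
        }
        if sc:
            s = sc["fields"]
            finding["exe"] = s.get("exe")
            syscall_no = int(s.get("syscall", -1))
            finding["syscall"] = (I386_SYSCALLS.get(syscall_no, str(syscall_no))
                                  if s.get("arch") == "40000003" else str(syscall_no))
            finding["errno"] = ERRNO_NAMES.get(-int(s.get("exit", "0")), s.get("exit"))
        if finding["capability"] == "mac_admin":
            finding["note"] = ("caller tried to set a security context the loaded "
                               "policy does not define; only mac_admin would let it "
                               "through. Expected from chcon with a bad context; "
                               "do not add an allow rule for it.")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT):
        for key, value in finding.items():
            print("%-11s %s" % (key + ":", value))
```

Feeding it the real `/var/log/audit/audit.log` lines (one record per line, as ausearch -r emits them) works the same way; the lookup tables are the only thing to extend.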