tzdata AVC
Dominick Grift
domg472 at gmail.com
Wed Oct 27 10:36:40 UTC 2010
On 10/27/2010 12:28 PM, Tony Molloy wrote:
>
> Hi,
>
> I'm running SELinux in enforcing mode on fully updated CentOS-5 servers.
> selinux-policy-2.4.6-279.el5_5.1.noarch
>
> After the latest "possibly glibc" update I've seen the following AVC on
> several of my servers.
>
> Summary:
>
> SELinux is preventing tzdata-update (tzdata_t) "getattr" to / (fs_t).
>
> Detailed Description:
>
> SELinux denied access requested by tzdata-update. It is not expected that this
> access is required by tzdata-update and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context root:system_r:tzdata_t:SystemLow-SystemHigh
> Target Context system_u:object_r:fs_t
> Target Objects / [ filesystem ]
> Source tzdata-update
> Source Path <Unknown>
> Port <Unknown>
> Host remote-backup.x.y.z
> Source RPM Packages
> Target RPM Packages filesystem-2.4.0-3.el5
> Policy RPM selinux-policy-2.4.6-279.el5_5.1
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name remote-backup.x.y.z
> Platform Linux remote-backup.x.y.z 2.6.18-194.17.1.el5 #1 SMP Wed Sep 29 12:50:31 EDT 2010 x86_64 x86_64
> Alert Count 3
> First Seen Fri Oct 22 06:31:14 2010
> Last Seen Wed Oct 27 06:39:14 2010
> Local ID ec15ac2d-b644-40fb-809a-2b3809b001e5
> Line Numbers
>
> Raw Audit Messages
>
> host=remote-backup.csis.ul.ie type=AVC msg=audit(1288157954.817:16502): avc:
> denied { getattr } for pid=2135 comm="tzdata-update" name="/" dev=sda5 ino=2
> scontext=root:system_r:tzdata_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
This was fixed in Fedora but looks like the fix was not backported to el5:
mkdir ~/mytzdata; cd ~/mytzdata;
cat > mytzdata.te <<'EOF'
policy_module(mytzdata, 1.0.0)
gen_require(`
	type tzdata_t;
')
fs_getattr_xattr_fs(tzdata_t)
EOF
make -f /usr/share/selinux/devel/Makefile mytzdata.pp
sudo semodule -i mytzdata.pp
... should fix it
>
> Regards,
>
> Tony
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
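An added example, not part of either message above: a small shell script that takes the raw AVC line from Tony's report, checks that it really is the getattr-on-fs_t denial the module is meant to cover, pulls the source type out of scontext, and writes and builds the same module Dominick describes (assuming the refpolicy devel Makefile at /usr/share/selinux/devel/Makefile and the fs_getattr_xattr_fs interface named in the thread). The function and variable names are mine.

```shell
#!/bin/sh
# Added example: build the local tzdata module from the AVC line instead of by hand.
# SAMPLE_AVC is the raw audit message quoted in the report (constructed copy).
SAMPLE_AVC='type=AVC msg=audit(1288157954.817:16502): avc: denied { getattr } for pid=2135 comm="tzdata-update" name="/" dev=sda5 ino=2 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'

# Print the type component (third colon-separated field) of scontext.
avc_source_type() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Succeed only for the denial this module addresses: getattr on a filesystem
# object labelled fs_t. Any other denial deserves its own look, not this rule.
avc_is_fs_getattr() {
    case "$1" in
        *"denied { getattr }"*"tcontext="*":object_r:fs_t:"*"tclass=filesystem"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the .te source using the interface rather than a raw allow rule.
gen_tzdata_te() {
    cat <<EOF
policy_module(mytzdata, 1.0.0)

gen_require(\`
    type $1;
')

fs_getattr_xattr_fs($1)
EOF
}

# Write, compile and load the module; refuse to run without the devel headers.
build_and_install() {
    dir="$1"; src="$2"
    mkdir -p "$dir" && gen_tzdata_te "$src" > "$dir/mytzdata.te" || return 1
    [ -f /usr/share/selinux/devel/Makefile ] || { echo "policy devel headers missing" >&2; return 2; }
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile mytzdata.pp ) || return 1
    semodule -i "$dir/mytzdata.pp" && semodule -l | grep '^mytzdata'
}

# Only act when a build directory is given on the command line.
if [ $# -ge 1 ]; then
    if avc_is_fs_getattr "$SAMPLE_AVC"; then
        build_and_install "$1" "$(avc_source_type "$SAMPLE_AVC")"
    else
        echo "AVC is not the fs_t getattr denial; do not allow it blindly" >&2
    fi
fi
```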