tzdata AVC

Tony Molloy tony.molloy at ul.ie
Wed Oct 27 10:45:42 UTC 2010


On Wednesday 27 October 2010 11:36:40 Dominick Grift wrote:
> On 10/27/2010 12:28 PM, Tony Molloy wrote:
> > Hi,
> > 
> > I'm running SELinux in enforcing mode on fully updated CentOS-5 servers.
> > selinux-policy-2.4.6-279.el5_5.1.noarch
> > 
> > After the latest "possibly glibc" update I've seen the following AVC on
> > several of my servers.
> > 
> > 
> > 
> > Summary:
> > 
> > SELinux is preventing tzdata-update (tzdata_t) "getattr" to / (fs_t).
> > 
> > Detailed Description:
> > 
> > SELinux denied access requested by tzdata-update. It is not expected that
> > this access is required by tzdata-update and this access may signal an
> > intrusion attempt. It is also possible that the specific version or
> > configuration of the application is causing it to require additional
> > access.
> > 
> > Allowing Access:
> > 
> > You can generate a local policy module to allow this access - see FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> > disable SELinux protection altogether. Disabling SELinux protection is
> > not recommended.
> > Please file a bug report
> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
> > package.
> > 
> > Additional Information:
> > 
> > Source Context                root:system_r:tzdata_t:SystemLow-SystemHigh
> > Target Context                system_u:object_r:fs_t
> > Target Objects                / [ filesystem ]
> > Source                        tzdata-update
> > Source Path                   <Unknown>
> > Port                          <Unknown>
> > Host                          remote-backup.x.y.z
> > Source RPM Packages
> > Target RPM Packages           filesystem-2.4.0-3.el5
> > Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   catchall
> > Host Name                     remote-backup.x.y.z
> > Platform                      Linux remote-backup.x.y.z 2.6.18-194.17.1.el5 #1 SMP Wed Sep 29 12:50:31 EDT 2010 x86_64 x86_64
> > Alert Count                   3
> > First Seen                    Fri Oct 22 06:31:14 2010
> > Last Seen                     Wed Oct 27 06:39:14 2010
> > Local ID                      ec15ac2d-b644-40fb-809a-2b3809b001e5
> > Line Numbers
> > 
> > Raw Audit Messages
> > 
> > host=remote-backup.csis.ul.ie type=AVC msg=audit(1288157954.817:16502):
> > avc: denied  { getattr } for  pid=2135 comm="tzdata-update" name="/"
> > dev=sda5 ino=2 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> 
> This was fixed in fedora but looks like the fix was not back ported to el5:
> 
> 
> mkdir ~/mytzdata; cd ~/mytzdata;
> cat > mytzdata.te <<'EOF'
> policy_module(mytzdata, 1.0.0)
> gen_require(`
> 	type tzdata_t;
> ')
> fs_getattr_xattr_fs(tzdata_t)
> EOF
> make -f /usr/share/selinux/devel/Makefile mytzdata.pp
> sudo semodule -i mytzdata.pp
> 
> ... should fix it

Dominick, 

I was just reporting it in the hope that it would get back ported. I just 
generated a local policy module for tzdata.

Thanks for the quick reply.

Regards,

Tony

> 
> > Regards,
> > 
> > Tony
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
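The following is an added example, not part of the thread and not Dominick's or Tony's code. It shows the step that a local-module workaround like the one above always starts from: reading the raw AVC record and turning the source type, target type, object class and permission into a minimal .te file, which is what audit2allow does behind the scenes. The AVC line is the one posted in the thread, embedded here so the script runs offline; the module name and the file names are placeholders.

```sh
#!/bin/sh
# Added example: derive a minimal local policy module from a raw AVC record.
# Nothing here needs SELinux to be present; the build/load/verify commands
# that do are listed as comments at the end.

# Constructed input: the raw audit message quoted in the thread.
AVC='type=AVC msg=audit(1288157954.817:16502): avc: denied  { getattr } for  pid=2135 comm="tzdata-update" name="/" dev=sda5 ino=2 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'

# avc_field LINE KEY: value of KEY=... in an AVC line (scontext, tcontext, tclass ...).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# context_type CONTEXT: the type field (user:role:type[:range]) of a context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permission set inside the braces, e.g. "getattr".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# te_from_avc NAME LINE: print a .te body that allows exactly the denied access.
# This is the raw allow rule audit2allow would emit. For this particular
# denial the reference policy interface fs_getattr_xattr_fs(tzdata_t), as used
# in the fix above, expands to the same access on fs_t and is the preferred
# form because it stays tied to the policy's own abstractions.
te_from_avc() {
    name=$1 avc=$2
    s=$(context_type "$(avc_field "$avc" scontext)")
    t=$(context_type "$(avc_field "$avc" tcontext)")
    c=$(avc_field "$avc" tclass)
    p=$(avc_perms "$avc")
    cat <<EOF
policy_module($name, 1.0.0)

gen_require(\`
	type $s;
	type $t;
')

allow $s $t:$c { $p };
EOF
}

# Write the module source; "mytzdata" is a placeholder name.
te_from_avc mytzdata "$AVC" > mytzdata.te
cat mytzdata.te

# On the affected host the remaining steps would be:
#   make -f /usr/share/selinux/devel/Makefile mytzdata.pp
#   semodule -i mytzdata.pp
#   sesearch -A -s tzdata_t -t fs_t -c filesystem -p getattr   # confirm the rule is now in the loaded policy
```

Before loading any such module, read the generated rule rather than the tool's summary: the allow line names the exact domain, type, class and permission being granted, which is the check that separates a justified local exception (one program, one read-only getattr on the root filesystem) from a denial that really should be treated as the intrusion signal setroubleshoot warns about.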
