Looking for directory paths...

Paul Howarth paul at city-fan.org
Mon Dec 12 09:36:43 UTC 2011 

On 12/11/2011 01:49 PM, Arthur Dent wrote:
> Hello all,
>
> When I get a SEL alert it refers only to to the actual directory and not
> the full pathname. For example:
>
> SELinux is preventing /usr/sbin/smbd from create access on the directory 05.
>
> The advice for fixing this alert is probably useful but without knowing
> the full path is actually completely useless:
>
> If you want to allow smbd to have create access on the 05 directory
> Then you need to change the label on '05'
> Do
> # semanage fcontext -a -t samba_share_t '05'
> # restorecon  -v '05'
>
> The problem is - I don't know where directory "05" is. It's probably
> some temporary cache file or some such and trying to even find its
> parent directory with a name like "05" makes using 'locate' or 'find'
> really quite hard work.
>
> In this case the alert(s) (there were several - each with a different
> numerical directory name) were actually caused when I tried to sync my
> iPhone using iTunes installed on a Windows XP virtual machine running
> under VirtualBox on this Fedora 16 host, accessing the music library via
> a Samba share on a separate partition on the Fedora 16 box.... Yeah... I
> know....
>
> But anyway - if I could find the full path of the directory in question
> I *might* be able to take a closer look at where the problem lies...
>
> Thanks in advance for any help or suggestions.

Standard advice here is to add an audit watch record for something that 
rarely happens, such as writing to /etc/shadow:

# auditctl -w /etc/shadow -p w

A happy side effect of this is that a PATH record is included in the 
audit log for subsequent AVCs, e.g.

type=AVC msg=audit(1316699607.377:150425): avc:  denied  { read } for 
pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 
scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 
tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file

type=AVC msg=audit(1316699607.377:150425): avc:  denied  { open } for 
pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 
scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 
tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file

type=SYSCALL msg=audit(1316699607.377:150425): arch=c000003e syscall=2 
success=yes exit=3 a0=14c60a0 a1=80900 a2=fffffffffffffed0 
a3=7ffffdee5c80 items=1 ppid=4150 pid=4151 auid=0 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9220 
comm="systemd-tty-ask" exe="/bin/systemd-tty-ask-password-agent" 
subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)

type=CWD msg=audit(1316699607.377:150425):  cwd="/"

type=PATH msg=audit(1316699607.377:150425): item=0 
name="/run/systemd/ask-password-block/136:0" inode=209876 dev=00:12 
mode=010600 ouid=0 ogid=0 rdev=00:00 
obj=unconfined_u:object_r:init_var_run_t:s0

The watch rule can be turned off using auditctl's -W option:

# auditctl -l
LIST_RULES: exit,always watch=/etc/shadow perm=w
# auditctl  -W /etc/shadow -p w
# auditctl -l
No rules

Paul.

More information about the selinux mailing list