updpwd AVC
Dominick Grift
dominick.grift at gmail.com
Mon Sep 26 21:22:31 UTC 2011
On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
> Hi,
>
> On a fully updated CentOS 5.7 box I get the following AVC
>
> Summary:
>
> SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).
>
> Detailed Description:
>
> SELinux denied access requested by unix_update. It is not expected that this
> access is required by unix_update and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context        system_u:system_r:updpwd_t
> Target Context        system_u:object_r:fs_t
> Target Objects        / [ filesystem ]
> Source                unix_update
> Source Path           <Unknown>
> Port                  <Unknown>
> Host                  a.b.c.d
> Source RPM Packages
> Target RPM Packages   filesystem-2.4.0-3.el5.centos
> Policy RPM            selinux-policy-2.4.6-316.el5
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           catchall
> Host Name             a.b.c.d
> Platform              Linuxl a.b.c.d 2.6.18-274.3.1.el5
>                       #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64
> Alert Count           11
> First Seen            Fri Feb 25 15:39:33 2011
> Last Seen             Mon Sep 26 14:18:54 2011
> Local ID              275eef01-114a-419b-9df0-4bb81932bc5e
> Line Numbers
>
> Raw Audit Messages
>
> host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied
> { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2
> scontext=system_u:system_r:updpwd_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> I can generate a local policy module.
Any idea what you were doing when this happened? The reason I ask is
because this is not even allowed in latest Fedora as far as I can see.
It is no big deal to allow updpwd_t to get attributes of the fs_t
filesystem but it is certainly not common for updpwd_t to want this
access I believe. If it was we probably would have gotten many more
reports much earlier.
> Thanks,
>
> Tony
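
An added example, not part of the original thread: a short Python sketch that parses the raw AVC record quoted above and renders the type-enforcement source a local policy module for it would contain, so the exact access being granted can be reviewed before anything is loaded. The module name `local_updpwd` and the helper names are hypothetical.

```python
import re

# Raw audit record quoted in the post, joined onto one line.
RAW_AVC = (
    'host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied '
    '{ getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 '
    'scontext=system_u:system_r:updpwd_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')


def context_type(context):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % context)
    return parts[2]


def parse_avc(line):
    """Extract the fields of an AVC denial that determine the allow rule."""
    m = AVC_RE.search(line)
    if m is None or not m.group('perms').split():
        raise ValueError('not an AVC denial record')
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    missing = [k for k in ('scontext', 'tcontext', 'tclass') if k not in kv]
    if missing:
        raise ValueError('missing fields: ' + ', '.join(missing))
    return {
        'comm': kv.get('comm', '').strip('"'),
        'perms': sorted(m.group('perms').split()),
        'source': context_type(kv['scontext']),
        'target': context_type(kv['tcontext']),
        'tclass': kv['tclass'],
    }


def te_module(avc, name='local_updpwd'):  # module name is hypothetical
    """Render type-enforcement source granting exactly the denied access."""
    perms = ' '.join(avc['perms'])
    if len(avc['perms']) > 1:
        perms = '{ ' + perms + ' }'
    types = ''.join('\ttype %s;\n' % t for t in sorted({avc['source'], avc['target']}))
    return ('module %s 1.0;\n\nrequire {\n%s\tclass %s %s;\n}\n\n'
            'allow %s %s:%s %s;\n'
            % (name, types, avc['tclass'], perms,
               avc['source'], avc['target'], avc['tclass'], perms))


if __name__ == '__main__':
    print(te_module(parse_avc(RAW_AVC)))
```

For the record in this thread the only rule produced is `allow updpwd_t fs_t:filesystem getattr;`, which is the access the reply describes.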