updpwd AVC

Dominick Grift dominick.grift at gmail.com
Mon Sep 26 21:22:31 UTC 2011


On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
> Hi,
>
> On a fully updated CentOS 5.7 box I get the following AVC
>
> Summary:
>
> SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).
>
> Detailed Description:
>
> SELinux denied access requested by unix_update. It is not expected that this
> access is required by unix_update and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:updpwd_t
> Target Context                system_u:object_r:fs_t
> Target Objects                / [ filesystem ]
> Source                        unix_update
> Source Path                   <Unknown>
> Port                          <Unknown>
> Host                          a.b.c.d
> Source RPM Packages
> Target RPM Packages           filesystem-2.4.0-3.el5.centos
> Policy RPM                    selinux-policy-2.4.6-316.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     a.b.c.d
> Platform                      Linuxl a.b.c.d 2.6.18-274.3.1.el5 #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64
> Alert Count                   11
> First Seen                    Fri Feb 25 15:39:33 2011
> Last Seen                     Mon Sep 26 14:18:54 2011
> Local ID                      275eef01-114a-419b-9df0-4bb81932bc5e
> Line Numbers
>
> Raw Audit Messages
>
> host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied
> { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2
> scontext=system_u:system_r:updpwd_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> I can generate a local policy module.

Any idea what you were doing when this happened? The reason I ask is
because this is not even allowed in latest Fedora as far as I can see.

It is no big deal to allow updpwd_t to get attributes of the fs_t
filesystem but it is certainly not common for updpwd_t to want this
access I believe. If it was we probably would have gotten many more
reports much earlier.

> Thanks,
> 
> 
> Tony
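
What the local policy module discussed above would contain, derived from the raw audit message in the report. This is an added example, not part of either poster's message: it parses the AVC record and emits type-enforcement source in the usual module/require/allow layout, and the module name `localupdpwd` is an assumed placeholder.

```python
import re
from collections import defaultdict

# Raw audit record from the report above, joined back onto one line.
AVC = ('host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied '
       '{ getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 '
       'scontext=system_u:system_r:updpwd_t:s0 '
       'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)'
    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)', re.S)


def parse_avc(record):
    """Return (source_type, target_type, class, perms), or None if no denial."""
    m = AVC_RE.search(record)
    perms = frozenset(m.group('perms').split()) if m else None
    if not perms:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    stype = m.group('scon').split(':')[2]
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), perms


def braces(perms):
    """Policy syntax: a single permission is bare, several go in { }."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def te_module(records, name='localupdpwd', version='1.0'):
    """Build .te source that allows exactly the denials in `records`."""
    allow = defaultdict(set)    # (source, target, class) -> permissions
    classes = defaultdict(set)  # class -> permissions, for the require block
    for stype, ttype, tclass, perms in filter(None, map(parse_avc, records)):
        allow[(stype, ttype, tclass)] |= perms
        classes[tclass] |= perms
    types = sorted({t for s, tt, _ in allow for t in (s, tt)})
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, braces(p)) for c, p in sorted(classes.items())]
    out += ['}', '']
    out += ['allow %s %s:%s %s;' % (s, t, c, braces(p))
            for (s, t, c), p in sorted(allow.items())]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(te_module([AVC]))
```

For the record above the only rule emitted is `allow updpwd_t fs_t:filesystem getattr;`, which is the access the reply describes as uncommon for updpwd_t, so it is worth reading the generated rule before compiling and loading the module.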
