updpwd AVC
Daniel J Walsh
dwalsh at redhat.com
Tue Sep 27 18:17:17 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/27/2011 11:26 AM, Tony Molloy wrote:
> On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
>
>> On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
>>
>>> Hi,
>>>
>>> On a fully updated CentOS 5.7 box I get the following AVC
>>>
>>> Summary:
>>>
>>> SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by unix_update. It is not expected that this
>>> access is required by unix_update and this access may signal an intrusion
>>> attempt. It is also possible that the specific version or configuration of the
>>> application is causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>> against this package.
>>>
>>> Additional Information:
>>>
>>> Source Context                system_u:system_r:updpwd_t
>>> Target Context                system_u:object_r:fs_t
>>> Target Objects                / [ filesystem ]
>>> Source                        unix_update
>>> Source Path                   <Unknown>
>>> Port                          <Unknown>
>>> Host                          a.b.c.d
>>> Source RPM Packages
>>> Target RPM Packages           filesystem-2.4.0-3.el5.centos
>>> Policy RPM                    selinux-policy-2.4.6-316.el5
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> MLS Enabled                   True
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     a.b.c.d
>>> Platform                      Linux a.b.c.d 2.6.18-274.3.1.el5 #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64
>>> Alert Count                   11
>>> First Seen                    Fri Feb 25 15:39:33 2011
>>> Last Seen                     Mon Sep 26 14:18:54 2011
>>> Local ID                      275eef01-114a-419b-9df0-4bb81932bc5e
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>
>>> I can generate a local policy module.
>>
>> Any idea what you were doing when this happened? The reason I ask
>> is because this is not even allowed in latest Fedora as far as I
>> can see.
>
> This machine is basically a mail and ftp server. As far as I can
> tell from the logs ( secure and messages ) nobody was doing
> anything on the machine at the times I get the AVC, 5 times
> yesterday.
>
>> It is no big deal to allow updpwd_t to get attributes of the fs_t
>> filesystem but it is certainly not common for updpwd_t to want this
>> access I believe. If it was we probably would have gotten many more
>> reports much earlier.
>
> Strange then that I am getting it from this one server only.
>
> Here's the context for unix_update
>
> -rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update
>
> I've just run an autorelabel on the entire filesystem as part of
> the 5.6 to 5.7 CentOS update
>
> Thanks,
>
> Tony
>
>>> Thanks,
>>>
>>> Tony
>>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
Probably has to do with the way the mount table is set up on this
machine versus other machines.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6CEy0ACgkQrlYvE4MpobN1aQCdHc2uXuJIjh64759AuQyAmoz+
rwEAoIfSac27Ch+eaJZyBD6iIAKTwxNU
=CME3
-----END PGP SIGNATURE-----
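The setroubleshoot report quoted above suggests generating a local policy module, which on CentOS 5 is what `audit2allow -M` does from raw AVC records. The script below is an added example, not code from this thread or from the audit2allow tool: it parses AVC denial lines into (source type, target type, class, permissions), merges repeated denials (the report shows an Alert Count of 11 for the same access), and emits the `.te` source for a module. The first sample line is the denial quoted in the thread; the second and third lines, the module name `local_updpwd`, and the `etc_t` file denial are constructed for illustration only. Each allow rule is preceded by a comment listing the comm/pid that triggered it, because, as Dominick points out, updpwd_t asking for this access is unusual and an admin should be able to review the evidence before loading the module.

```python
"""Turn raw SELinux AVC denial records into the allow rules a local policy
module would need, roughly what audit2allow does. Added example code, not a
tool from the thread; audit2allow is the real utility."""
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the denial quoted in the thread; line 2
# is a duplicate of it (a repeated alert); line 3 is a made-up denial of a
# different class, present only to show how separate rules are produced.
SAMPLE_AVC = [
    'host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied { getattr } '
    'for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 '
    'scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:fs_t:s0 '
    'tclass=filesystem',
    'type=AVC msg=audit(1317046000.100:3701): avc: denied { getattr } '
    'for pid=21410 comm="unix_update" name="/" dev=sda5 ino=2 '
    'scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:fs_t:s0 '
    'tclass=filesystem',
    'type=AVC msg=audit(1317046001.200:3702): avc: denied { read } '
    'for pid=21410 comm="unix_update" name="passwd" dev=sda5 ino=4711 '
    'scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=file',
]

# "avc: denied { perm perm } for key=value ..." is the part a rule needs.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """user:role:type[:mls] -> type."""
    return context.split(':')[2]


def parse_avc(line):
    """Return the rule-relevant fields of one AVC record, or None when the
    line is not an AVC denial (for example a SYSCALL record)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'stype': _type_of(fields['scontext']),
        'ttype': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm', '?'),
        'pid': fields.get('pid', '?'),
    }


def collect(lines):
    """Group denied permissions by (source type, target type, class) and keep
    the comm/pid evidence for each group so the rule can be reviewed."""
    needed = defaultdict(lambda: {'perms': set(), 'evidence': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        needed[key]['perms'].update(rec['perms'])
        needed[key]['evidence'].add('comm=%s pid=%s' % (rec['comm'], rec['pid']))
    return needed


def _perm_list(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)


def build_allow_rules(lines):
    """One allow rule per (source, target, class); duplicate denials merge."""
    return sorted(
        'allow %s %s:%s %s;' % (s, t, c, _perm_list(v['perms']))
        for (s, t, c), v in collect(lines).items()
    )


def build_module(name, lines):
    """Emit .te policy source: module header, require block, allow rules."""
    needed = collect(lines)
    types = sorted({s for s, _, _ in needed} | {t for _, t, _ in needed})
    classes = defaultdict(set)
    for (_, _, c), v in needed.items():
        classes[c].update(v['perms'])
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, _perm_list(classes[c])) for c in sorted(classes)]
    out += ['}', '']
    for (s, t, c), v in sorted(needed.items()):
        out.append('# seen from: %s' % ', '.join(sorted(v['evidence'])))
        out.append('allow %s %s:%s %s;' % (s, t, c, _perm_list(v['perms'])))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(build_module('local_updpwd', SAMPLE_AVC))
```

The generated `.te` text is what you would feed to `checkmodule -M -m -o local_updpwd.mod local_updpwd.te`, then `semodule_package -o local_updpwd.pp -m local_updpwd.mod` and `semodule -i local_updpwd.pp`; `audit2allow -M local_updpwd` runs the same chain for you. Before loading it, the evidence comments are the place to pause: the thread's point is that this denial is not expected from updpwd_t, so the mount-table difference Dan suggests is worth checking before the access is simply allowed.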