selinux-policy update
Zdenek Pytela
pytela at phil.muni.cz
Tue Aug 28 12:08:13 UTC 2012
Hello everyone,
every time I upgrade selinux-policy packages, I get
SELinux is preventing /usr/sbin/load_policy from 'read, append' accesses on
the file /tmp/tmp5vo8of.
Raw Audit Messages
type=AVC msg=audit(1340799402.853:3866): avc: denied { read append } for
pid=22456 comm="load_policy" path="/tmp/tmp5vo8of" dev="tmpfs" ino=464186
scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1340799402.853:3866): arch=x86_64 syscall=execve
success=yes exit=0 a0=ff5f80 a1=ff5f60 a2=ff2e90 a3=10 items=0 ppid=22449
pid=22456 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts16 ses=357 comm=load_policy exe=/usr/sbin/load_policy
subj=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 key=(null)
The command load_policy is executed by the rpm postinstall scriptlet.
It happens on workstations with f16 or f17, the only less usual thing is
that /tmp is mounted as tmpfs with
rw,nodev,noexec,noatime,nodiratime,context=system_u:object_r:tmp_t:s0
Context of /tmp is the same as it was before and the same as physical
directory /var/tmp.
I know how to make local policy rules, but I would like to know if there
is a better solution. Thanks,
--
--Zdenek Pytela, <pytela at phil.muni.cz>
More information about the selinux
mailing list