selinux-policy update

Zdenek Pytela pytela at phil.muni.cz
Wed Aug 29 12:16:35 UTC 2012 

Daniel J Walsh pise:
> > Hello everyone, every time I upgrade selinux-policy packages, I get
> > 
> > SELinux is preventing /usr/sbin/load_policy from 'read, append' accesses
> > on the file /tmp/tmp5vo8of.
> > 
> > Raw Audit Messages type=AVC msg=audit(1340799402.853:3866): avc:  denied  {
> > read append } for pid=22456 comm="load_policy" path="/tmp/tmp5vo8of"
> > dev="tmpfs" ino=464186 
> > scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 
> > tcontext=system_u:object_r:tmp_t:s0 tclass=file type=SYSCALL
> > msg=audit(1340799402.853:3866): arch=x86_64 syscall=execve success=yes
> > exit=0 a0=ff5f80 a1=ff5f60 a2=ff2e90 a3=10 items=0 ppid=22449 pid=22456
> > auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts16
> > ses=357 comm=load_policy exe=/usr/sbin/load_policy 
> > subj=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 key=(null)
> > 
> > The command load_policy is executed by the rpm postinstall scriptlet. It
> > happens on workstations with f16 or f17, the only less usual thing is that
> > /tmp is mounted as tmpfs with 
> > rw,nodev,noexec,noatime,nodiratime,context=system_u:object_r:tmp_t:s0 
> > Context of /tmp is the same as it was before and the same as physical 
> > directory /var/tmp.
> > 
> > I know how to make local policy rules, but I would like to know if there is
> > a better solution. Thanks,
> > 
> 
> This is a leaked file descriptor from who ever created the file /tmp/tmp5v080f
> or a redirected stdin/stdout/stderr.  Possible candidates would be puppet or
> simple redirection using bash
> 
> command << _EOF
> input
> input
> _EOF
> 
> Could cause something like this if the command eventually executed
> rpm/load_policy.
	The only occurence of load_policy in postinstall script is 
	
   [ "${SELINUXTYPE}" == "targeted" ] && [ selinuxenabled ] && load_policy; 

I guess that the tmp file is created by rpm in the phase of upgrading
package for executing the script.
 
> Simplest thing would be to generate an audit2allow rule for it to dontaudit
> this action.
	Thanks, dontaudit rule is fine solution for me.

-- 

--Zdenek Pytela, <pytela at phil.muni.cz>

More information about the selinux mailing list