AVC for df from logwatch

Steven Stern subscribed-lists at sterndata.com
Tue Dec 18 15:03:20 UTC 2012 

This has appeared the past two mornings.  The initial triggering event
was probably the last kernel update:

Dec 16 08:59:09 Installed: kernel-3.6.10-2.fc17.x86_64

**********************************

SELinux is preventing /usr/bin/df from getattr access on the directory
/sys/kernel/config.

*****  Plugin restorecon (99.5 confidence) suggests
*************************

If you want to fix the label.
/sys/kernel/config default label should be sysfs_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /sys/kernel/config

*****  Plugin catchall (1.49 confidence) suggests
***************************

If you believe that df should be allowed getattr access on the config
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep df /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:configfs_t:s0
Target Objects                /sys/kernel/config [ dir ]
Source                        df
Source Path                   /usr/bin/df
Port                          <Unknown>
Host                          sds-desk-2.sterndata.local
Source RPM Packages           coreutils-8.15-9.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     sds-desk-2.sterndata.local
Platform                      Linux sds-desk-2.sterndata.local
                              3.6.10-2.fc17.x86_64 #1 SMP Tue Dec 11
18:07:34
                              UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-12-18 03:33:03 CST
Last Seen                     2012-12-18 03:33:03 CST
Local ID                      9f9df328-2e36-4b38-8e5b-ec1ee816c1e1

Raw Audit Messages
type=AVC msg=audit(1355823183.154:493): avc:  denied  { getattr } for
pid=31684 comm="df" path="/sys/kernel/config" dev="configfs" ino=9139
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:configfs_t:s0 tclass=dir


type=SYSCALL msg=audit(1355823183.154:493): arch=x86_64 syscall=stat
success=yes exit=0 a0=1078340 a1=7ffff0c48b90 a2=7ffff0c48b90
a3=3eb5b2f360 items=0 ppid=31683 pid=31684 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=54 comm=df
exe=/usr/bin/df subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: df,logwatch_t,configfs_t,dir,getattr

audit2allow

#============= logwatch_t ==============
allow logwatch_t configfs_t:dir getattr;

audit2allow -R

#============= logwatch_t ==============
allow logwatch_t configfs_t:dir getattr;


-- 
-- Steve

More information about the selinux mailing list