semanage is prevented from writing to user_tmp_t file

Jeroen van Meeuwen (Kolab Systems) vanmeeuwen at kolabsys.com
Wed Feb 29 12:06:50 UTC 2012


On 2012-02-29 14:00, Miroslav Grepl wrote:
> On 02/29/2012 10:32 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
>> Hello,
>>
>> I have an Enterprise Linux 6 machine, managed by Puppet, enforcing 
>> the target policy, for which Puppet manages a bunch of contexts and 
>> policies, but the following message occurs when it attempts to do so:
>>
>>   type=AVC msg=audit(1330511088.080:1757): avc:  denied  { write } 
>> for  pid=9222 comm="semanage" path="/tmp/puppet20120229-8297-bjmcbp-0" 
>> dev=dm-0 ino=1572875 
>> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 
>> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>
> Could you attach the full AVC message? I am interested in the "syscall" and
> "success" fields.
>
> It looks like a leaked file descriptor.
>

I believe this is everything, but if not, please point me in the right 
direction:

   type=AVC msg=audit(1330454003.144:529): avc:  denied  { write } for  
pid=16025 comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0" 
dev=dm-0 ino=1572875 
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
   type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59 
success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620 
items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage" 
exe="/usr/bin/python" 
subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)

Thanks,

>>
>> The following is a reference to what Puppet is trying to do:
>>
>>   
>> http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98
>>
>> In short, I'm installing custom built mailman packages so that I can 
>> have devel at project1 alongside devel at project2 mailing lists by 
>> installing dedicated mailman instances for project1 and project2. The 
>> Puppet module I'm referring to attempts to apply the necessary SELinux 
>> contexts to the files deployed with each RPM package.
>>
>> I'm wondering what is causing the denial (or, why semanage needs 
>> something in /tmp/ with the name of puppet in it) as well as what to 
>> do about it - it doesn't seem to be blocking Puppet from achieving the 
>> goal of adding new file_contexts for these custom packages.
>>
>> Kind regards,
>>
>> Jeroen van Meeuwen
>>

Kind regards,

Jeroen van Meeuwen

-- 
Systems Architect, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08
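An added triage helper, not part of the thread: it pairs the AVC and SYSCALL records quoted above by their shared audit id and applies the check Miroslav asked for, an execve (x86_64 syscall 59) that reports success=yes, to tell a descriptor inherited across exec from a write that was actually blocked. The syscall-name mapping covers only that one x86_64 entry.

```python
import re
from collections import defaultdict

# Sample input: the AVC/SYSCALL pair quoted in the message above.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1330454003.144:529): avc:  denied  { write } for  pid=16025 '
    'comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875 '
    'scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620 items=0 ppid=16022 '
    'pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=2 comm="semanage" exe="/usr/bin/python" '
    'subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)\n'
)

EXECVE = {("c000003e", "59")}  # x86_64 (AUDIT_ARCH_X86_64): syscall 59 is execve
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

def parse_record(line):
    """Split one audit line into its type, event id and key=value fields."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["event"] = EVENT_RE.search(line).group(1)
    avc = AVC_RE.search(line)
    if avc:
        rec["result"], rec["perms"] = avc.group(1), avc.group(2).split()
    return rec

def group_events(text):
    """Index records by their shared msg=audit(ts:serial) id, then by type."""
    events = defaultdict(dict)
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        events[rec["event"]][rec["type"]] = rec
    return events

def classify(event):
    """Distinguish an fd leaked across execve from a write that was really blocked."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not avc or avc.get("result") != "denied":
        return None
    if sc and (sc["arch"], sc["syscall"]) in EXECVE and sc["success"] == "yes":
        # On execve into a new domain SELinux re-checks every inherited open file
        # against that domain; one it may not use is swapped for /dev/null and the
        # exec still succeeds. Fix the parent: close the fd or mark it close-on-exec.
        return ("fd_leak_at_exec", avc["comm"], avc["path"], avc["tclass"])
    return ("blocked", avc["comm"], avc.get("path", "?"), avc["tclass"])
```

Feed it the output of `ausearch -m AVC,SYSCALL` for the same event id to apply the check to other denials.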
