semanage is prevented from writing to user_tmp_t file
Jeroen van Meeuwen (Kolab Systems)
vanmeeuwen at kolabsys.com
Wed Feb 29 12:06:50 UTC 2012
On 2012-02-29 14:00, Miroslav Grepl wrote:
> On 02/29/2012 10:32 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
>> Hello,
>>
>> I have an Enterprise Linux 6 machine, managed by Puppet, enforcing
>> the target policy, for which Puppet manages a bunch of contexts and
>> policies, but the following message occurs when it attempts to do so:
>>
>> type=AVC msg=audit(1330511088.080:1757): avc: denied { write }
>> for pid=9222 comm="semanage" path="/tmp/puppet20120229-8297-bjmcbp-0"
>> dev=dm-0 ino=1572875
>> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>
> Could you attach the full AVC message? I am interested in the "syscall" and
> "success" fields.
>
> It looks like a leaked file descriptor.
>
I believe this is everything, but if not, please point me in the right
direction:
type=AVC msg=audit(1330454003.144:529): avc: denied { write } for pid=16025 comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
Thanks,
>>
>> The following is a reference to what Puppet is trying to do:
>>
>>
>> http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98
>>
>> In short, I'm installing custom built mailman packages so that I can
>> have devel at project1 alongside devel at project2 mailing lists by
>> installing dedicated mailman instances for project1 and project2. The
>> Puppet module I'm referring to attempts to apply the necessary SELinux
>> contexts to the files deployed with each RPM package.
>>
>> I'm wondering what is causing the denial (or, why semanage needs
>> something in /tmp/ with the name of puppet in it) as well as what to
>> do about it - it doesn't seem to be blocking Puppet from achieving the
>> goal of adding new file_contexts for these custom packages.
>>
>> Kind regards,
>>
>> Jeroen van Meeuwen
>>
Kind regards,
Jeroen van Meeuwen
--
Systems Architect, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com
pgp: 9342 BF08
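The pattern Miroslav is asking about, worked through as an added example that is not part of this thread and is not Puppet's or semanage's own code. The SYSCALL record says arch=c000003e (x86_64) and syscall=59, which is execve, with success=yes. At execve SELinux revalidates every open file the new process inherits against the new domain (semanage_t here); a file the domain may not access is logged as a denial and its descriptor is quietly replaced by /dev/null, while the exec itself proceeds. A write denial on a user_tmp_t file during a successful execve is therefore the signature of a descriptor the parent (Puppet, if the hypothesis holds) left open without FD_CLOEXEC when it ran semanage, which is also why the denial does not stop the file contexts from being added. The script below parses the two records posted above (copied inline), decodes the syscall with a two-entry table (an assumption: x86_64 numbering, as arch indicates), and reports either a leaked descriptor or, for a denial raised by the domain's own write(2), a genuine policy gap; that second branch generalizes beyond the posted records. The last function reproduces the leak locally with a temp file that is or is not marked close-on-exec, which is the fix on the parent's side; whether Puppet's provider actually does this has not been checked here.

```python
import os
import re
import subprocess
import sys
import tempfile
from collections import defaultdict

# The two records posted in the thread (same event serial 529), one record per
# line; the line breaks in the mail were added by the mail client.
AUDIT_LOG = """\
type=AVC msg=audit(1330454003.144:529): avc: denied { write } for pid=16025 comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
"""

# Assumption: x86_64 host (arch=c000003e). Only the two syscall numbers the
# diagnosis needs are listed; a full table would come from ausyscall(8).
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALL_NAMES = {("x86_64", 59): "execve", ("x86_64", 1): "write"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')


def parse_audit(text):
    """Group audit records by event serial: {serial: {record type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        serial = int(SERIAL_RE.search(line).group(1))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        perms = PERMS_RE.search(line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[serial][fields["type"]] = fields
    return dict(events)


def classify(event):
    """Diagnose one AVC+SYSCALL pair; None if either record is missing.

    A file denial raised during a *successful* execve means the kernel found an
    inherited descriptor the new domain may not use and dropped it (replacing
    it with /dev/null) while letting the exec go ahead: a leak in the parent.
    A denial raised by the domain's own write(2) is a real access attempt.
    """
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if avc is None or sc is None:
        return None
    arch = ARCH_NAMES.get(sc["arch"], sc["arch"])
    name = SYSCALL_NAMES.get((arch, int(sc["syscall"])), "syscall " + sc["syscall"])
    src = avc["scontext"].split(":")[2]
    tgt = avc["tcontext"].split(":")[2]
    perms = "/".join(avc.get("perms", []))
    if name == "execve" and sc["success"] == "yes" and avc["tclass"] == "file":
        return (f"fd leak: {sc['comm']} (pid {sc['pid']}, parent {sc['ppid']}) inherited an "
                f"open descriptor for {avc['path']} ({tgt}); {src} may not {perms} it, so the "
                f"kernel dropped the descriptor at execve and the exec still succeeded. "
                f"Fix the parent (mark the file close-on-exec), not the policy.")
    return (f"policy gap: {src} attempted {perms} on {avc.get('path', '?')} ({tgt}) in "
            f"{name}, success={sc['success']}; this is a real access, so the policy "
            f"(or the file's label) needs attention")


def diagnose(text):
    """Run the classifier over a log excerpt; one diagnosis per complete event."""
    out = []
    for ev in parse_audit(text).values():
        d = classify(ev)
        if d:
            out.append(d)
    return out


def child_can_use_fd(inheritable):
    """Reproduce the leak locally: open a temp file, clear or set FD_CLOEXEC,
    exec a child, and report whether the child still holds that descriptor.
    The child compares the inode so an unrelated fd with the same number does
    not count as a leak."""
    fd, path = tempfile.mkstemp(prefix="fdleak-demo-")
    try:
        os.set_inheritable(fd, inheritable)   # inheritable=False sets FD_CLOEXEC
        ino = os.fstat(fd).st_ino
        probe = ("import os, sys; "
                 "sys.exit(0 if os.fstat(int(sys.argv[1])).st_ino == int(sys.argv[2]) else 1)")
        r = subprocess.run([sys.executable, "-c", probe, str(fd), str(ino)],
                           close_fds=False, stderr=subprocess.DEVNULL)
        return r.returncode == 0
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    for line in diagnose(AUDIT_LOG):
        print(line)
    print("inheritable fd visible in child:", child_can_use_fd(True))
    print("close-on-exec fd visible in child:", child_can_use_fd(False))
```

On a live box the same two records come out of `ausearch -m AVC,SYSCALL` grouped by serial, which is what the parser keys on; feeding the AVC line alone to audit2allow would produce an allow rule for semanage_t on user_tmp_t that papers over a bug in the caller rather than fixing it.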