avc while running appliance-creator

Matthew Miller mattdm at fedoraproject.org
Thu Nov 8 20:59:37 UTC 2012 

I have been running this with SELinux disabled, but I'm trying to be A
Better Person by running in enforcing mode all the time. I got the following
alert while running appliace-creator. What the heck is "run lnk_file"?

----

SELinux is preventing /usr/sbin/useradd from read access on the lnk_file
run.

*****  Plugin catchall_labels (83.8 confidence) suggests
***** ********************

If you want to allow useradd to have read access on the run lnk_file
Then you need to change the label on run
Do
# semanage fcontext -a -t FILE_TYPE 'run'
where FILE_TYPE is one of the following: cert_t, selinux_config_t,
# user_home_dir_t, device_t, device_t, devlog_t, locale_t,
# httpd_user_content_type, security_t, etc_t, ld_so_t, proc_t, mail_spool_t,
# device_t, abrt_t, bin_t, etc_t, base_ro_file_type, lib_t, man_t,
# etc_runtime_t, root_t, tmp_t, bin_t, cert_t, var_run_t, tmp_t, tmp_t,
# selinux_login_config_t, httpd_user_script_exec_type, textrel_shlib_t,
# etc_runtime_t, var_run_t, selinux_config_t, rpm_script_tmp_t, security_t,
# proc_t, net_conf_t, security_t, etc_t, etc_runtime_t, var_run_t, bin_t,
# var_run_t, var_run_t, useradd_t, usr_t, user_home_type, domain,
# home_root_t, etc_t, var_run_t, var_run_t. 
Then execute: 
restorecon -v 'run'


*****  Plugin catchall (17.1 confidence) suggests
***** ***************************

If you believe that useradd should be allowed read access on the run
lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep useradd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context
unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                run [ lnk_file ]
Source                        useradd
Source Path                   /usr/sbin/useradd
Port                          <Unknown>
Host                          ubik.home.mkmiller.org
Source RPM Packages           shadow-utils-4.1.5.1-1.fc18.x86_64
Target RPM Packages           filesystem-3.1-2.fc18.x86_64
Policy RPM                    selinux-policy-3.11.1-50.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ubik.home.mkmiller.org
Platform                      Linux ubik.home.mkmiller.org
3.6.5-2.fc18.x86_64
                              #1 SMP Thu Nov 1 00:39:17 UTC 2012 x86_64
                              # x86_64
Alert Count                   7
First Seen                    2012-11-08 15:53:06 EST
Last Seen                     2012-11-08 15:53:10 EST
Local ID                      e1402ea5-4bcb-45fa-b220-95fe0c0dc868

Raw Audit Messages
type=AVC msg=audit(1352407990.104:1493): avc:  denied  { read } for
pid=19226 comm="useradd" name="run" dev="dm-1" ino=130358
scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1352407990.104:1493): arch=x86_64 syscall=connect
success=no exit=EACCES a0=5 a1=7ffffac812e0 a2=6e a3=ffffffffffffffff
items=0 ppid=19218 pid=19226 auid=18281 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm=useradd exe=/usr/sbin/useradd
subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)

Hash: useradd,useradd_t,var_t,lnk_file,read

audit2allow

#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;

audit2allow -R

#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;



-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <mattdm at fedoraproject.org>

More information about the selinux mailing list