avc while running appliance-creator

Dominick Grift dominick.grift at gmail.com
Thu Nov 8 21:28:16 UTC 2012
On Thu, 2012-11-08 at 15:59 -0500, Matthew Miller wrote:
> I have been running this with SELinux disabled, but I'm trying to be A
> Better Person by running in enforcing mode all the time. I got the following
> alert while running appliance-creator. What the heck is "run lnk_file"?
> 

It is probably the /var/run symlink to /run

Looks like it is mislabeled (currently var_t; should be var_run_t)

See if restorecon -R -v -F /var/run resets it to var_run_t

> ----
> 
> SELinux is preventing /usr/sbin/useradd from read access on the lnk_file
> run.
> 
> *****  Plugin catchall_labels (83.8 confidence) suggests
> ***** ********************
> 
> If you want to allow useradd to have read access on the run lnk_file
> Then you need to change the label on run
> Do
> # semanage fcontext -a -t FILE_TYPE 'run'
> where FILE_TYPE is one of the following: cert_t, selinux_config_t,
> # user_home_dir_t, device_t, device_t, devlog_t, locale_t,
> # httpd_user_content_type, security_t, etc_t, ld_so_t, proc_t, mail_spool_t,
> # device_t, abrt_t, bin_t, etc_t, base_ro_file_type, lib_t, man_t,
> # etc_runtime_t, root_t, tmp_t, bin_t, cert_t, var_run_t, tmp_t, tmp_t,
> # selinux_login_config_t, httpd_user_script_exec_type, textrel_shlib_t,
> # etc_runtime_t, var_run_t, selinux_config_t, rpm_script_tmp_t, security_t,
> # proc_t, net_conf_t, security_t, etc_t, etc_runtime_t, var_run_t, bin_t,
> # var_run_t, var_run_t, useradd_t, usr_t, user_home_type, domain,
> # home_root_t, etc_t, var_run_t, var_run_t. 
> Then execute: 
> restorecon -v 'run'
> 
> 
> *****  Plugin catchall (17.1 confidence) suggests
> ***** ***************************
> 
> If you believe that useradd should be allowed read access on the run
> lnk_file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep useradd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> Additional Information:
> Source Context
> unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
> Target Context                unconfined_u:object_r:var_t:s0
> Target Objects                run [ lnk_file ]
> Source                        useradd
> Source Path                   /usr/sbin/useradd
> Port                          <Unknown>
> Host                          ubik.home.mkmiller.org
> Source RPM Packages           shadow-utils-4.1.5.1-1.fc18.x86_64
> Target RPM Packages           filesystem-3.1-2.fc18.x86_64
> Policy RPM                    selinux-policy-3.11.1-50.fc18.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     ubik.home.mkmiller.org
> Platform                      Linux ubik.home.mkmiller.org
> 3.6.5-2.fc18.x86_64
>                               #1 SMP Thu Nov 1 00:39:17 UTC 2012 x86_64
>                               # x86_64
> Alert Count                   7
> First Seen                    2012-11-08 15:53:06 EST
> Last Seen                     2012-11-08 15:53:10 EST
> Local ID                      e1402ea5-4bcb-45fa-b220-95fe0c0dc868
> 
> Raw Audit Messages
> type=AVC msg=audit(1352407990.104:1493): avc:  denied  { read } for
> pid=19226 comm="useradd" name="run" dev="dm-1" ino=130358
> scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
> 
> 
> type=SYSCALL msg=audit(1352407990.104:1493): arch=x86_64 syscall=connect
> success=no exit=EACCES a0=5 a1=7ffffac812e0 a2=6e a3=ffffffffffffffff
> items=0 ppid=19218 pid=19226 auid=18281 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm=useradd exe=/usr/sbin/useradd
> subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
> 
> Hash: useradd,useradd_t,var_t,lnk_file,read
> 
> audit2allow
> 
> #============= useradd_t ==============
> allow useradd_t var_t:lnk_file read;
> 
> audit2allow -R
> 
> #============= useradd_t ==============
> allow useradd_t var_t:lnk_file read;
> 
> 
> 
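An added example, not part of the thread, that mechanises the distinction Dominick draws above: read a raw AVC line, pull out the target context's type, and compare it with the type the file-context policy expects for the path. A mismatch (var_t where var_run_t is expected) is a labeling problem fixed with restorecon; a match means the label is right and the denial is a real policy gap to report rather than something to allow locally with audit2allow. The sample lines are constructed (the first copies the report's AVC line, the second is made up with a correct var_run_t label), and the expected_type lookup table is a stand-in for matchpathcon on a real host.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: triage an AVC denial by
# comparing the target object's actual SELinux type with the type the file
# context policy expects for its path. A mismatch points at a labeling fix
# (restorecon); a match points at a genuine policy gap to report.

# Constructed sample input: the raw AVC line from the report above, plus a
# made-up second line where the target is already labeled var_run_t.
SAMPLE_MISLABELED='type=AVC msg=audit(1352407990.104:1493): avc:  denied  { read } for pid=19226 comm="useradd" name="run" dev="dm-1" ino=130358 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file'
SAMPLE_LABELED='type=AVC msg=audit(1352408000.000:1500): avc:  denied  { read } for pid=19300 comm="useradd" name="run" dev="dm-1" ino=130358 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=lnk_file'

# avc_field LINE KEY -> value of KEY=... from the line, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the denied permission inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# context_type CONTEXT -> the type field (third colon-separated component)
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH -> type the file-context policy assigns to PATH.
# Constructed lookup table covering only the paths in this thread; on a real
# host replace the body with:  matchpathcon -n "$1"
expected_type() {
    case "$1" in
        /var/run|/var/run/*|/run|/run/*) echo var_run_t ;;
        /var|/var/*)                     echo var_t ;;
        *)                               echo unknown ;;
    esac
}

# triage_avc LINE PATH -> mislabeled | policy | unknown
triage_avc() {
    actual=$(context_type "$(avc_field "$1" tcontext)")
    wanted=$(expected_type "$2")
    if [ "$wanted" = unknown ]; then
        echo unknown
    elif [ "$actual" != "$wanted" ]; then
        echo mislabeled
    else
        echo policy
    fi
}

# report LINE PATH: one-line verdict plus the defender's next step
report() {
    verdict=$(triage_avc "$1" "$2")
    printf '%s denied %s on %s [%s], target type %s: %s' \
        "$(avc_field "$1" comm)" "$(avc_perm "$1")" "$2" \
        "$(avc_field "$1" tclass)" \
        "$(context_type "$(avc_field "$1" tcontext)")" "$verdict"
    case "$verdict" in
        mislabeled) printf ' -> restorecon -R -v -F %s\n' "$2" ;;
        policy)     printf ' -> label is correct; report a policy bug instead of allowing it locally\n' ;;
        *)          printf '\n' ;;
    esac
}

report "$SAMPLE_MISLABELED" /var/run
report "$SAMPLE_LABELED"    /var/run
```

The path passed to triage_avc has to come from the operator (the AVC record only carries name="run" and an inode), which is why the thread's author had to guess /var/run from context; on a live host, matchpathcon on that path gives the expected type the lookup table stands in for here.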