Selinux warning -
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 13 19:52:44 UTC 2010
On 01/13/2010 12:43 PM, Bob Goodwin wrote:
> I'm not sure what this means or how to react to it. I noticed it for the
> first time after an update a little while ago although it also refers to
> an earlier episode. This is the first time I saw it though.
>
> Advice appreciated.
>
> Bob
>
>
> Summary:
>
> SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on
> /etc/abrt.
>
> Detailed Description:
>
> [abrtd has a permissive type (abrt_t). This access was not denied.]
>
> SELinux denied access requested by abrtd. It is not expected that this access is
> required by abrtd and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:abrt_etc_t:s0
> Target Objects                /etc/abrt [ dir ]
> Source                        abrtd
> Source Path                   /usr/sbin/abrtd (deleted)
> Port                          <Unknown>
> Host                          box6
> Source RPM Packages
> Target RPM Packages           abrt-1.0.3-1.fc12
> Policy RPM                    selinux-policy-3.6.32-66.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     box6
> Platform                      Linux box6 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64
> Alert Count                   3
> First Seen                    Wed 13 Jan 2010 10:04:23 AM EST
> Last Seen                     Wed 13 Jan 2010 10:04:23 AM EST
> Local ID                      5b2d146c-4a5b-4d4b-bd2b-17df8e2837a5
> Line Numbers
>
> Raw Audit Messages
>
> node=box6 type=AVC msg=audit(1263395063.649:71): avc: denied {
> write } for pid=1458 comm="abrtd" name="abrt" dev=dm-2 ino=24239
> scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
>
> node=box6 type=AVC msg=audit(1263395063.649:71): avc: denied {
> add_name } for pid=1458 comm="abrtd" name="pyhook.conf"
> scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
>
> node=box6 type=AVC msg=audit(1263395063.649:71): avc: denied {
> create } for pid=1458 comm="abrtd" name="pyhook.conf"
> scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file
>
> node=box6 type=SYSCALL msg=audit(1263395063.649:71): arch=c000003e
> syscall=2 success=yes exit=9 a0=7f7549437625 a1=241 a2=1b6 a3=0
> items=0 ppid=1 pid=1458 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd"
> exe=2F7573722F7362696E2F6162727464202864656C6574656429
> subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
>
I believe there is a new abrt package available that does not do this any longer.
yum -y update abrt\* --enablerepo=updates-testing
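
The raw audit records quoted in the report can be read mechanically. The following is an added example, not part of the original thread: it groups the records by audit event serial, decodes the hex-encoded exe field, and uses the SYSCALL success flag to tell a logged-only denial (permissive domain) from an enforced one. The function names and the success-based heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: the four raw audit records quoted above, re-joined onto single lines.
SAMPLE = """\
node=box6 type=AVC msg=audit(1263395063.649:71): avc: denied { write } for pid=1458 comm="abrtd" name="abrt" dev=dm-2 ino=24239 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
node=box6 type=AVC msg=audit(1263395063.649:71): avc: denied { add_name } for pid=1458 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
node=box6 type=AVC msg=audit(1263395063.649:71): avc: denied { create } for pid=1458 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file
node=box6 type=SYSCALL msg=audit(1263395063.649:71): arch=c000003e syscall=2 success=yes exit=9 a0=7f7549437625 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=1458 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_audit_string(value):
    """Untrusted strings are logged quoted or, if they hold spaces or other unsafe bytes, as hex."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def summarize(log_text):
    """Group records by audit event serial and return one summary per event."""
    events = defaultdict(lambda: {"domain": None, "perms": [], "targets": set(),
                                  "exe": None, "enforced": None})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rtype, serial = m.groups()
        ev = events[serial]
        fields = dict(FIELD_RE.findall(line[m.end():]))
        avc = AVC_RE.search(line)
        if rtype == "AVC" and avc:
            ev["perms"] += avc.group(1).split()
            ev["targets"].add((fields.get("tcontext"), fields.get("tclass")))
            ev["domain"] = fields.get("scontext", "").split(":")[2]
        elif rtype == "SYSCALL":
            ev["exe"] = decode_audit_string(fields.get("exe", ""))
            # Heuristic (assumption): a logged denial whose syscall still succeeded
            # was not enforced, i.e. the domain or the whole system was permissive.
            ev["enforced"] = fields.get("success") != "yes"
    return dict(events)

if __name__ == "__main__":
    for serial, ev in summarize(SAMPLE).items():
        print(serial, ev)
```

For event 71 this reports the three permissions requested by abrt_t on abrt_etc_t, the decoded executable path, and that the denial was logged but not enforced, which matches the "This access was not denied" note in the report.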