SE alert

Ed Greshko ed.greshko at greshko.com
Sun Jul 19 01:10:55 UTC 2015 

On 07/19/15 09:00, jd1008 wrote:
> The sealert below does not tell me exactly which dir
> that the shell tried to access.
> I have run the suggested commands (below)
> but they did not do any good.
> The alerts keep popping up.
>
>
>
> SELinux is preventing /usr/bin/sh from read access on the directory .
>
> *****  Plugin catchall (100. confidence) suggests **************************
>
> If you believe that sh should be allowed read access on the directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep sa1 /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context system_u:system_r:sysstat_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:admin_home_t:s0
> Target Objects                 [ dir ]
> Source                        sa1
> Source Path                   /usr/bin/sh
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           sh-20120801-23.fc20.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.12.1-197.fc20.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
>                               3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
>                               UTC 2013 x86_64 x86_64
> Alert Count                   4
> First Seen                    2015-07-18 18:20:02 MDT
> Last Seen                     2015-07-18 18:50:01 MDT
> Local ID d59f7aa5-d595-46be-8186-412acb6133bf
>
> Raw Audit Messages
> type=AVC msg=audit(1437267001.953:644): avc:  denied  { read } for  pid=6476 comm="sa1" name="root" dev="sda3" ino=47972353 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

sudo debugfs -R 'ncheck 47972353' /dev/sda3 2>/dev/null

Should tell you the file being accessed along with the path.

>
>
> type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
>
> Hash: sa1,sysstat_t,admin_home_t,dir,read
>


-- 
If I wanted a blog or social media I'd go elsewhere

More information about the users mailing list