SE alert

jd1008 jd1008 at gmail.com
Sun Jul 19 01:20:07 UTC 2015 


On 07/18/2015 07:10 PM, Ed Greshko wrote:
> On 07/19/15 09:00, jd1008 wrote:
>> The sealert below does not tell me exactly which dir
>> that the shell tried to access.
>> I have run the suggested commands (below)
>> but they did not do any good.
>> The alerts keep popping up.
>>
>>
>>
>> SELinux is preventing /usr/bin/sh from read access on the directory .
>>
>> *****  Plugin catchall (100. confidence) suggests **************************
>>
>> If you believe that sh should be allowed read access on the directory by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep sa1 /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>> Additional Information:
>> Source Context system_u:system_r:sysstat_t:s0-s0:c0.c1023
>> Target Context                system_u:object_r:admin_home_t:s0
>> Target Objects                 [ dir ]
>> Source                        sa1
>> Source Path                   /usr/bin/sh
>> Port                          <Unknown>
>> Host                          localhost.localdomain
>> Source RPM Packages           sh-20120801-23.fc20.x86_64
>> Target RPM Packages
>> Policy RPM selinux-policy-3.12.1-197.fc20.noarch
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Host Name                     localhost.localdomain
>> Platform                      Linux localhost.localdomain
>>                                3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
>>                                UTC 2013 x86_64 x86_64
>> Alert Count                   4
>> First Seen                    2015-07-18 18:20:02 MDT
>> Last Seen                     2015-07-18 18:50:01 MDT
>> Local ID d59f7aa5-d595-46be-8186-412acb6133bf
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1437267001.953:644): avc:  denied  { read } for  pid=6476 comm="sa1" name="root" dev="sda3" ino=47972353 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> sudo debugfs -R 'ncheck 47972353' /dev/sda3 2>/dev/null
>
> Should tell you the file being accessed along with the path.

Also, /dev/sda3 has no dir named root:

$ ls /sda3/root
/bin/ls: cannot access /sda3/root: No such file or directory

More information about the users mailing list