On 09/27/2011 11:26 AM, Tony Molloy wrote:
On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
> On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
>> Hi,
>>
>> On a fully updated CentOS 5.7 box I get the following AVC
>>
>> Summary:
>>
>> SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).
>>
>> Detailed Description:
>>
>> SELinux denied access requested by unix_update. It is not expected that this
>> access is required by unix_update and this access may signal an intrusion
>> attempt. It is also possible that the specific version or configuration of the
>> application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:updpwd_t
>> Target Context                system_u:object_r:fs_t
>> Target Objects                / [ filesystem ]
>> Source                        unix_update
>> Source Path                   <Unknown>
>> Port                          <Unknown>
>> Host                          a.b.c.d
>> Source RPM Packages
>> Target RPM Packages           filesystem-2.4.0-3.el5.centos
>> Policy RPM                    selinux-policy-2.4.6-316.el5
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     a.b.c.d
>> Platform                      Linuxl a.b.c.d 2.6.18-274.3.1.el5
>>                               #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64
>> Alert Count                   11
>> First Seen                    Fri Feb 25 15:39:33 2011
>> Last Seen                     Mon Sep 26 14:18:54 2011
>> Local ID                      275eef01-114a-419b-9df0-4bb81932bc5e
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>
>> I can generate a local policy module.
>
> Any idea what you were doing when this happened? The reason I ask
> is because this is not even allowed in latest Fedora as far as I
> can see.
>

This machine is basically a mail and ftp server. As far as I can
tell from the logs (secure and messages) nobody was doing
anything on the machine at the times I get the AVC, 5 times
yesterday.

> It is no big deal to allow updpwd_t to get attributes of the fs_t
> filesystem but it is certainly not common for updpwd_t to want this
> access I believe. If it was we probably would have gotten many more
> reports much earlier.
>

Strange then that I am getting it from this one server only.

Here's the context for unix_update

-rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update

I've just run an autorelabel on the entire filesystem as part of
the 5.6 to 5.7 CentOS update.

Thanks,

Tony
>> Thanks,
>>
>> Tony
>>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
Probably has to do with the way the mount table is set up on this
machine versus other machines.
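
The "local policy module" step mentioned in the thread starts from the raw AVC record. As an added example (not code from the thread or from the SELinux tooling), this Python snippet parses that record and derives the kind of type-enforcement rule audit2allow proposes for it. The function names are hypothetical, and the sample line is the record quoted above, joined onto one line.

```python
import re

# Raw audit record quoted in the thread, joined onto one line.
SAMPLE = (
    'host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied '
    '{ getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 '
    'scontext=system_u:system_r:updpwd_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return a dict for an 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    try:
        # Context format is user:role:type[:mls]; the type is the third field.
        return {
            'perms': set(m.group('perms').split()),
            'comm': fields.get('comm', '').strip('"'),
            'source': fields['scontext'].split(':')[2],
            'target': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record


def allow_rules(lines):
    """Merge denials by (source, target, class) into candidate allow rules."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc:
            key = (avc['source'], avc['target'], avc['tclass'])
            merged.setdefault(key, set()).update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_text))
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules([SAMPLE])))
```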