On Monday 26 September 2011 22:22:31 Dominick Grift wrote:

> On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
> > Hi,
> >
> > On a fully updated CentOS 5.7 box I get the following AVC
> >
> > Summary:
> >
> > SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).
> >
> > Detailed Description:
> >
> > SELinux denied access requested by unix_update. It is not expected that this
> > access is required by unix_update and this access may signal an intrusion
> > attempt. It is also possible that the specific version or configuration of the
> > application is causing it to require additional access.
> >
> > Allowing Access:
> >
> > You can generate a local policy module to allow this access - see FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> > SELinux protection altogether. Disabling SELinux protection is not recommended.
> > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this package.
> >
> > Additional Information:
> >
> > Source Context                system_u:system_r:updpwd_t
> > Target Context                system_u:object_r:fs_t
> > Target Objects                / [ filesystem ]
> > Source                        unix_update
> > Source Path                   <Unknown>
> > Port                          <Unknown>
> > Host                          a.b.c.d
> > Source RPM Packages
> > Target RPM Packages           filesystem-2.4.0-3.el5.centos
> > Policy RPM                    selinux-policy-2.4.6-316.el5
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   catchall
> > Host Name                     a.b.c.d
> > Platform                      Linuxl a.b.c.d 2.6.18-274.3.1.el5 #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64
> > Alert Count                   11
> > First Seen                    Fri Feb 25 15:39:33 2011
> > Last Seen                     Mon Sep 26 14:18:54 2011
> > Local ID                      275eef01-114a-419b-9df0-4bb81932bc5e
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> >
> > I can generate a local policy module.
>
> Any idea what you were doing when this happened? The reason i ask is because
> this is not even allowed in latest fedora as far as i can see.
>

This machine is basically a mail and ftp server. As far as I can tell from the logs (secure and messages) nobody was doing anything on the machine at the times I get the AVC, 5 times yesterday.

> It is no big deal to allow updpwd_t to get attributes of the fs_t
> filesystem but it is certainly not common for updpwd_t to want this
> access i believe. If it was we probably would have gotten may more
> reports much earlier.
>

Strange then that I am getting it from this one server only.

Here's the context for unix_update:

-rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update

I've just run an autorelabel on the entire filesystem as part of the 5.6 to 5.7 CentOS update.

Thanks,

Tony

> > Thanks,
> >
> > Tony
> >
> > --
> > selinux mailing list
> > selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
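The thread turns on reading one raw AVC line (source type updpwd_t, target type fs_t, class filesystem, permission getattr) and on the "generate a local policy module" option the setroubleshoot text offers. As an added example that is not part of this thread or of the SELinux tooling, the POSIX shell below parses that AVC line into its fields, prints a one-line summary in the order an analyst reads it, and renders the minimal type-enforcement (.te) text that a local module allowing exactly that access would contain, which is the same shape audit2allow emits. The sample line is the one quoted in the thread; the function names (avc_field, avc_perms, context_type, avc_summary, avc_te_rule) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: parse a raw SELinux AVC denial line and
# render the minimal local-module .te text for it. Function names are assumed.

# Constructed sample: the raw audit message quoted in the thread above.
AVC_SAMPLE='host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'

# avc_field LINE KEY: value of the first KEY=value token, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms LINE: the permission list inside "denied { ... }", trimmed
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# context_type CONTEXT: the type field of a user:role:type[:range] security context
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "<source type> <perms> <class>(<target type>) by <comm> pid <pid>"
avc_summary() {
    printf '%s %s %s(%s) by %s pid %s\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" comm)" \
        "$(avc_field "$1" pid)"
}

# avc_te_rule LINE: minimal .te module text granting only the denied access
avc_te_rule() {
    s=$(context_type "$(avc_field "$1" scontext)")
    t=$(context_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perms "$1")
    printf 'module local_%s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$s" "$s" "$t" "$c" "$p" "$s" "$t" "$c" "$p"
}

avc_summary "$AVC_SAMPLE"
avc_te_rule "$AVC_SAMPLE"
```

For the thread's line the summary reads `updpwd_t getattr filesystem(fs_t) by unix_update pid 21354` and the rule is `allow updpwd_t fs_t:filesystem { getattr };`. Saved as local_updpwd.te, that text is built and loaded with `checkmodule -M -m -o local_updpwd.mod local_updpwd.te`, `semodule_package -o local_updpwd.pp -m local_updpwd.mod` and `semodule -i local_updpwd.pp` (audit2allow -M does the same from the audit log in one step). The value of seeing the rule spelled out is that it grants only this one source/target/class/permission tuple, so the question Dominick raises, what unix_update was doing when an access that current upstream policy does not grant was attempted, can be settled before anything wider is allowed.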