Re: SE alert

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 07/19/15 09:00, jd1008 wrote:
> The sealert below does not tell me exactly which dir
> that the shell tried to access.
> I have run the suggested commands (below)
> but they did not do any good.
> The alerts keep popping up.
>
>
>
> SELinux is preventing /usr/bin/sh from read access on the directory .
>
> *****  Plugin catchall (100. confidence) suggests **************************
>
> If you believe that sh should be allowed read access on the directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep sa1 /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context system_u:system_r:sysstat_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:admin_home_t:s0
> Target Objects                 [ dir ]
> Source                        sa1
> Source Path                   /usr/bin/sh
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           sh-20120801-23.fc20.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.12.1-197.fc20.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
>                               3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
>                               UTC 2013 x86_64 x86_64
> Alert Count                   4
> First Seen                    2015-07-18 18:20:02 MDT
> Last Seen                     2015-07-18 18:50:01 MDT
> Local ID d59f7aa5-d595-46be-8186-412acb6133bf
>
> Raw Audit Messages
> type=AVC msg=audit(1437267001.953:644): avc:  denied  { read } for  pid=6476 comm="sa1" name="root" dev="sda3" ino=47972353 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

sudo debugfs -R 'ncheck 47972353' /dev/sda3 2>/dev/null

Should tell you the file being accessed along with the path.

>
>
> type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
>
> Hash: sa1,sysstat_t,admin_home_t,dir,read
>


-- 
If I wanted a blog or social media I'd go elsewhere
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux