Murray McAllister wrote:
> Hi,
>
> This is probably user error. I want to add a translation:
>
> 1. sudo cat /etc/selinux/targeted/setrans.conf
>
> s0=
> s0-s0:c0.c1023=SystemLow-SystemHigh
> s0:c0.c1023=SystemHigh
>
> 2. $ sudo semanage translation -l
>
> Level Translation
>
> s0
> s0-s0:c0.c1023 SystemLow-SystemHigh
> s0:c0.c1023 SystemHigh
>
> 3. Attempt to add a new translation:
> $ sudo semanage translation -a -T NotSecret s0:c1
>
> /etc/init.d/functions: line 19: /sbin/consoletype: Permission denied
> basename: write error: Permission denied
> basename: write error: Permission denied
> env: /etc/init.d/mcstrans: Permission denied
>
> 4. Translation appears to have been added:
>
> sudo semanage translation -l
>
> Level Translation
>
> s0
> s0-s0:c0.c1023 SystemLow-SystemHigh
> s0:c0.c1023 SystemHigh
> s0:c1 NotSecret
>
> sudo cat /etc/selinux/targeted/setrans.conf
>
> s0=
> s0-s0:c0.c1023=SystemLow-SystemHigh
> s0:c0.c1023=SystemHigh
> s0:c1=NotSecret
>
> The following is logged to /var/log/messages:
>
> Aug 31 20:57:00 localhost setroubleshoot: SELinux is preventing service
> (semanage_t) "execute" to ./consoletype (consoletype_exec_t). For
> complete SELinux messages. run sealert -l
> 3a9da9b1-9310-492b-a4fd-3706d8d78259
> Aug 31 20:57:00 localhost setroubleshoot: SELinux is preventing service
> (semanage_t) "execute" to ./consoletype (consoletype_exec_t). For
> complete SELinux messages. run sealert -l
> 3a9da9b1-9310-492b-a4fd-3706d8d78259
> Aug 31 20:57:00 localhost setroubleshoot: SELinux is preventing service
> (semanage_t) "read" to pipe (semanage_t). For complete SELinux messages.
> run sealert -l 154967ff-45a0-4b8f-bf04-25546f129dd3
> Aug 31 20:57:00 localhost setroubleshoot: SELinux is preventing service
> (semanage_t) "read" to pipe (semanage_t). For complete SELinux messages.
> run sealert -l 154967ff-45a0-4b8f-bf04-25546f129dd3
> Aug 31 20:57:00 localhost setroubleshoot: SELinux is preventing basename
> (semanage_t) "getattr" to pipe (semanage_t). For complete SELinux
> messages. run sealert -l 641f7545-c40c-4d79-84c7-97e2b32d8c0a
> Aug 31 20:57:00 localhost setroubleshoot: SELinux is preventing basename
> (semanage_t) "write" to pipe (semanage_t). For complete SELinux
> messages. run sealert -l 2ab7598a-b0f7-4dec-a10d-cb4cfac057ee
> Aug 31 20:57:01 localhost setroubleshoot: SELinux is preventing basename
> (semanage_t) "getattr" to pipe (semanage_t). For complete SELinux
> messages. run sealert -l 641f7545-c40c-4d79-84c7-97e2b32d8c0a
> Aug 31 20:57:01 localhost setroubleshoot: SELinux is preventing basename
> (semanage_t) "write" to pipe (semanage_t). For complete SELinux
> messages. run sealert -l 2ab7598a-b0f7-4dec-a10d-cb4cfac057ee
> Aug 31 20:57:01 localhost setroubleshoot: SELinux is preventing service
> (semanage_t) "read" to pipe (semanage_t). For complete SELinux messages.
> run sealert -l 154967ff-45a0-4b8f-bf04-25546f129dd3
> Aug 31 20:57:01 localhost setroubleshoot: SELinux is preventing env
> (semanage_t) "transition" to /etc/rc.d/init.d/mcstrans (semanage_t). For
> complete SELinux messages. run sealert -l
> ac0f934e-29dc-4702-a2f4-3a752150cb8f
>
> The following is logged to /var/log/audit/audit.log:
>
> type=AVC msg=audit(1220180220.598:367): avc: denied { execute } for
> pid=2118 comm="service" name="consoletype" dev=sda5 ino=73034
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1220180220.598:367): arch=40000003 syscall=11
> success=no exit=-13 a0=8d4c760 a1=8d4c7a8 a2=8d4c3b8 a3=0 items=0
> ppid=2117 pid=2118 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=1 comm="service" exe="/bin/bash"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1220180220.599:368): avc: denied { execute } for
> pid=2118 comm="service" name="consoletype" dev=sda5 ino=73034
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1220180220.599:368): arch=40000003 syscall=33
> success=no exit=-13 a0=8d4c760 a1=1 a2=11 a3=8d4c760 items=0 ppid=2117
> pid=2118 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=1 comm="service" exe="/bin/bash"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1220180220.637:369): avc: denied { read } for
> pid=2116 comm="service" path="pipe:[12134]" dev=pipefs ino=12134
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tclass=fifo_file
> type=SYSCALL msg=audit(1220180220.637:369): arch=40000003 syscall=3
> success=no exit=-13 a0=3 a1=bfb075c8 a2=80 a3=80 items=0 ppid=2115
> pid=2116 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=1 comm="service" exe="/bin/bash"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1220180220.679:370): avc: denied { read } for
> pid=2116 comm="service" path="pipe:[12135]" dev=pipefs ino=12135
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tclass=fifo_file
> type=SYSCALL msg=audit(1220180220.679:370): arch=40000003 syscall=3
> success=no exit=-13 a0=3 a1=bfb079c8 a2=80 a3=80 items=0 ppid=2115
> pid=2116 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=1 comm="service" exe="/bin/bash"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1220180220.694:371): avc: denied { getattr } for
> pid=2119 comm="basename" path="pipe:[12135]" dev=pipefs ino=12135
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tclass=fifo_file
> type=SYSCALL msg=audit(1220180220.694:371): arch=40000003 syscall=197
> success=no exit=-13 a0=1 a1=bfd3e414 a2=960ff4 a3=9614c0 items=0
> ppid=2116 pid=2119 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=1 comm="basename" exe="/bin/basename"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1220180220.708:372): avc: denied { write } for
> pid=2119 comm="basename" path="pipe:[12135]" dev=pipefs ino=12135
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tclass=fifo_file
> type=SYSCALL msg=audit(1220180220.708:372): arch=40000003 syscall=4
> success=no exit=-13 a0=1 a1=b7f3d000 a2=8 a3=8 items=0 ppid=2116
> pid=2119 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=1 comm="basename" exe="/bin/basename"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1220180220.727:373): avc: denied { getattr } for
> pid=2120 comm="basename" path="pipe:[12136]" dev=pipefs ino=12136
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tclass=fifo_file
> type=SYSCALL msg=audit(1220180220.727:373): arch=40000003 syscall=197
> success=no exit=-13 a0=1 a1=bffb9684 a2=960ff4 a3=9614c0 items=0
> ppid=2116 pid=2120 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=1 comm="basename" exe="/bin/basename"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1220180220.728:374): avc: denied { write } for
> pid=2120 comm="basename" path="pipe:[12136]" dev=pipefs ino=12136
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tclass=fifo_file
> type=SYSCALL msg=audit(1220180220.728:374): arch=40000003 syscall=4
> success=no exit=-13 a0=1 a1=b80b8000 a2=8 a3=8 items=0 ppid=2116
> pid=2120 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=1 comm="basename" exe="/bin/basename"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1220180220.749:375): avc: denied { read } for
> pid=2116 comm="service" path="pipe:[12136]" dev=pipefs ino=12136
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tclass=fifo_file
> type=SYSCALL msg=audit(1220180220.749:375): arch=40000003 syscall=3
> success=no exit=-13 a0=3 a1=bfb079c8 a2=80 a3=80 items=0 ppid=2115
> pid=2116 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=1 comm="service" exe="/bin/bash"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1220180220.760:376): avc: denied { transition } for
> pid=2121 comm="env" path="/etc/rc.d/init.d/mcstrans" dev=sda5
> ino=222868 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=unconfined_u:system_r:semanage_t:s0 tclass=process
> type=SYSCALL msg=audit(1220180220.760:376): arch=40000003 syscall=11
> success=no exit=-13 a0=bfd449ce a1=bfd435b8 a2=9922858 a3=5 items=0
> ppid=2116 pid=2121 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=1 comm="env" exe="/bin/env"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
>
> The system:
>
> * Fedora release 9 (Sulphur)
> * kernel-2.6.25.14-108.fc9.i686
> * kernel-headers-2.6.25.14-108.fc9.i386
>
> * policycoreutils-2.0.52-5.fc9.i386
> * mcstrans-0.2.11-1.fc9.i386
> * selinux-policy-targeted-3.3.1-84.fc9.noarch
> * selinux-policy-3.3.1-84.fc9.noarch
> * selinux-policy-devel-3.3.1-84.fc9.noarch
> * libselinux-python-2.0.67-4.fc9.i386
> * libselinux-2.0.67-4.fc9.i386
>
> $ sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 22
> Policy from config file: targeted
>
> ps -eZ | grep mcs
> system_u:system_r:setrans_t:SystemLow-SystemHigh 1262 ? 00:00:00 mcstransd
>
> Regards,
>
> Murray.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Fixed in selinux-policy-3.5.6-2.fc10.noarch

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
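
An added example, not part of the original thread: a short Python parser that collapses AVC records like the ones quoted above into unique (command, source type, target type, class, permission) tuples with counts, which is a quicker way to read a long audit.log excerpt. The sample records are copied from the quoted log and rejoined onto single lines; the function names are this example's own.

```python
import re
from collections import Counter

# Records copied from the audit log quoted in the thread, each rejoined onto
# one line (the mail client had wrapped them).
SAMPLE = "\n".join([
    'type=AVC msg=audit(1220180220.598:367): avc: denied { execute } for pid=2118 comm="service" name="consoletype" dev=sda5 ino=73034 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1220180220.598:367): arch=40000003 syscall=11 success=no exit=-13 a0=8d4c760 a1=8d4c7a8 a2=8d4c3b8 a3=0 items=0 ppid=2117 pid=2118 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="service" exe="/bin/bash" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1220180220.599:368): avc: denied { execute } for pid=2118 comm="service" name="consoletype" dev=sda5 ino=73034 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1220180220.637:369): avc: denied { read } for pid=2116 comm="service" path="pipe:[12134]" dev=pipefs ino=12134 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tclass=fifo_file',
    'type=AVC msg=audit(1220180220.694:371): avc: denied { getattr } for pid=2119 comm="basename" path="pipe:[12135]" dev=pipefs ino=12135 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tclass=fifo_file',
    'type=AVC msg=audit(1220180220.760:376): avc: denied { transition } for pid=2121 comm="env" path="/etc/rc.d/init.d/mcstrans" dev=sda5 ino=222868 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:semanage_t:s0 tclass=process',
])

# \s+ tolerates both the single spaces seen in the mail and auditd's double spaces.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\(([\d.]+):(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of user:role:type:level.

    The level can itself contain ':' (s0-s0:c0.c1023), so split at most 3 times.
    """
    return ctx.split(":", 3)[2]


def parse_avc(line):
    """Parse one AVC denial; return None for SYSCALL or other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(4))}
    return {
        "serial": int(m.group(2)),
        "perms": m.group(3).split(),
        "comm": fields.get("comm"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["comm"], rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```
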