Hi

I have an interesting denial here - and I think I understand what is
causing it - but I'm not sure of the best method of resolving it. I have
pasted the denial below.

What seems to cause it is running the GUI "System/Administration/SELinux
Management" tool - while in a GNOME X session in an "nx" session. I'm
not sure how well known it is - but "nx" is a very good GUI remote
terminal (like VNC but much better imho) running over ssh. Very fast and
accurate and presumably secure. I use nx to manage the CentOS 5.2 server
- rather than use a physical terminal.

Every time I start the GUI SELinux Management tool I get one of these
denials. Note that the /root/.nx directory must be a housekeeping
directory for nx where it keeps session information.

I have run audit2allow on this denial and it suggests this very simple
policy
---------
module mynx 1.0;

require {
        type semanage_t;
        type user_home_t;
        class file append;
}

#============= semanage_t ==============
allow semanage_t user_home_t:file append;
-------
Is this a good solution - or is it freeing up the wrong thing?
Does anyone understand why this configuration should cause the denial -
and can anyone suggest a better solution?

BTW: I have tried the suggested re-labelling - and it didn't help.

Richard.

Summary
SELinux is preventing the semodule from using potentially mislabeled
files
(/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]
SELinux has denied semodule access to potentially mislabeled file(s)
(/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session).
This means that SELinux will not allow semodule to use these files. It
is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem
is that the files end up with the wrong file context which confined
applications are not allowed to access.
Allowing Access
If you want semodule to access this files, you need to relabel them
using restorecon -v
'/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session'.
You might want to relabel the entire directory using restorecon -R -v
'/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9'.
Additional Information
Source Context: system_u:system_r:semanage_t
Target Context: user_u:object_r:user_home_t
Target Objects:
/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session
[ file ]
Source: semodule
Source Path: /usr/sbin/semodule
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: policycoreutils-1.33.12-14.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-203.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: home_tmp_bad_labels
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec
16 11:57:43 EST 2008 x86_64 x86_64
Alert Count: 3
First Seen: Sun Feb 1 15:21:40 2009
Last Seen: Sun Feb 1 16:01:16 2009
Local ID: 31b6bb16-26ba-419d-8057-7bb9eee9708a
Line Numbers:
Raw Audit Messages :
host=C5.aardvark.com.au type=AVC msg=audit(1233471676.49:19106): avc:
denied { append } for pid=25330 comm="semodule"
path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session"
dev=dm-0 ino=29294826 scontext=system_u:system_r:semanage_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1233471676.49:19106): avc:
denied { append } for pid=25330 comm="semodule"
path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session"
dev=dm-0 ino=29294826 scontext=system_u:system_r:semanage_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1233471676.49:19106):
arch=c000003e syscall=59 success=yes exit=0 a0=16674410 a1=166747b0
a2=16673660 a3=3 items=0 ppid=25327 pid=25330 auid=102 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1740
comm="semodule" exe="/usr/sbin/semodule"
subj=system_u:system_r:semanage_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1233471676.49:19106):
arch=c000003e syscall=59 success=yes exit=0 a0=16674410 a1=166747b0
a2=16673660 a3=3 items=0 ppid=25327 pid=25330 auid=102 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1740
comm="semodule" exe="/usr/sbin/semodule"
subj=system_u:system_r:semanage_t:s0 key=(null)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
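As an added example (not part of Richard's message or of the fedora-selinux-list thread), the script below parses the raw audit records quoted in the report and pairs each AVC with its SYSCALL record by audit event id. It then emits the rule audit2allow would generate together with a narrower dontaudit alternative, and flags what the SYSCALL record reveals: syscall 59 on arch c000003e (x86_64) is execve, and a file-permission denial raised at execve means semodule did not open the session file itself but inherited a descriptor to it from its parent (the kernel re-checks inherited descriptors across exec). The sample input is constructed from the two distinct records above (the duplicate copies are dropped), and the syscall table covers only the one number the example needs; those are assumptions of this example, not anything the original post states.

```python
import re
from collections import defaultdict

# Constructed sample input: the two distinct raw audit records from the
# setroubleshoot report above (the duplicate copies are omitted). Both share
# the event id 1233471676.49:19106, which is how the kernel ties them together.
SAMPLE_AUDIT = """\
host=C5.aardvark.com.au type=AVC msg=audit(1233471676.49:19106): avc: denied { append } for pid=25330 comm="semodule" path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session" dev=dm-0 ino=29294826 scontext=system_u:system_r:semanage_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1233471676.49:19106): arch=c000003e syscall=59 success=yes exit=0 a0=16674410 a1=166747b0 a2=16673660 a3=3 items=0 ppid=25327 pid=25330 auid=102 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1740 comm="semodule" exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)
"""

# arch=c000003e is x86_64; only the one syscall number this example needs is mapped
# (assumption of this example: a real tool would carry the full per-arch table).
SYSCALL_NAMES = {"c000003e": {59: "execve"}}

EVENT_RE = re.compile(r"msg=audit\(([^)]+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def parse_audit(text):
    """Group AVC and SYSCALL records by audit event id."""
    events = defaultdict(lambda: {"avcs": [], "syscall": None})
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # blank or non-audit line
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        event = events[m.group(1)]
        if fields.get("type") == "AVC":
            avc = AVC_RE.search(line)
            if avc is None:
                continue
            fields["decision"] = avc.group(1)
            fields["perms"] = avc.group(2).split()
            event["avcs"].append(fields)
        elif fields.get("type") == "SYSCALL":
            event["syscall"] = fields
    return dict(events)


def selinux_type(context):
    """user_u:object_r:user_home_t:s0 -> user_home_t"""
    return context.split(":")[2]


def analyse(events):
    """Turn each AVC into the rule audit2allow would emit, plus the context a
    reviewer needs before deciding whether that rule is the right fix."""
    findings = []
    for event_id, event in events.items():
        sc = event["syscall"]
        syscall_name = None
        if sc is not None:
            table = SYSCALL_NAMES.get(sc.get("arch"), {})
            syscall_name = table.get(int(sc["syscall"]), "syscall_" + sc["syscall"])
        for avc in event["avcs"]:
            src = selinux_type(avc["scontext"])
            tgt = selinux_type(avc["tcontext"])
            cls = avc["tclass"]
            perms = " ".join(avc["perms"])
            findings.append({
                "event": event_id,
                "comm": avc.get("comm"),
                "path": avc.get("path"),
                "source_type": src,
                "target_type": tgt,
                "syscall": syscall_name,
                # A file-permission denial raised by execve means the process did not
                # open the file itself: the kernel re-checks descriptors inherited
                # across exec, so this is a descriptor passed down from the parent.
                "inherited_fd": syscall_name == "execve",
                # What audit2allow generates: grants the permission on every file of
                # type tgt (here all of user_home_t), not only on the one path above.
                "allow_rule": f"allow {src} {tgt}:{cls} {perms};",
                # Narrower alternative: silence the log without granting access.
                "dontaudit_rule": f"dontaudit {src} {tgt}:{cls} {perms};",
            })
    return findings


def report(text):
    """Convenience entry point: parse raw audit text and return the findings."""
    return analyse(parse_audit(text))


if __name__ == "__main__":
    for f in report(SAMPLE_AUDIT):
        fd_note = " (inherited descriptor at exec)" if f["inherited_fd"] else ""
        print(f"{f['comm']} [{f['source_type']}] -> {f['path']} [{f['target_type']}]"
              f" via {f['syscall']}{fd_note}")
        print("  audit2allow would emit:", f["allow_rule"])
        print("  narrower alternative:  ", f["dontaudit_rule"])
```

The point the output makes for a reviewer: the generated allow rule is keyed on the target type, so it lets semanage_t append to any file labelled user_home_t, not just the nx session file, whereas a dontaudit rule only stops the alert. Whichever rule is chosen, the module is built and loaded the same way as the audit2allow output in the post (checkmodule, semodule_package, semodule -i), and the report's own Enforcing Mode line should be checked first, since in permissive mode the denial is logged but the operation still proceeds.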