Interesting Denials from semodule on Centos 5.2

Hi

I have an interesting denial here - and I think I understand what is causing it - but I'm not sure of the best method of resolving it. I have pasted the denial below.

What seems to cause it is running the gui "System/Administration/Selinux Management" tool - while in a gnome x session in an "nx" session. I'm not sure how well known it is - but "nx" is a very good gui remote terminal (like vnc but much better imho) running over ssh. Very fast and accurate and presumably secure. I use nx to manage the Centos 5.2 server - rather than use a physical terminal. Every time I start the gui Selinux Management tool I get one of these denials. Note that the /root/.nx directory must be a housekeeping directory for nx where it keeps session information.

I have run audit2allow on this denial and it suggests this very simple policy:
---------
module mynx 1.0;

require {
       type semanage_t;
       type user_home_t;
       class file append;
}

#============= semanage_t ==============
allow semanage_t user_home_t:file append;
-------

Is this a good solution - or is it freeing up the wrong thing?
Does anyone understand why this configuration should cause the denial - and can anyone suggest a better solution?

BTW: I have tried the suggested re-labelling - and it didn't help.

Richard.





Summary
SELinux is preventing the semodule from using potentially mislabeled files (/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux has denied semodule access to potentially mislabeled file(s) (/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session). This means that SELinux will not allow semodule to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access
If you want semodule to access this files, you need to relabel them using restorecon -v '/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session'. You might want to relabel the entire directory using restorecon -R -v '/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9'.
Additional Information

Source Context:   	system_u:system_r:semanage_t
Target Context:   	user_u:object_r:user_home_t
Target Objects: /root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session [ file ]
Source:   	semodule
Source Path:   	/usr/sbin/semodule
Port:   	<Unknown>
Host:   	C5.aardvark.com.au
Source RPM Packages:   	policycoreutils-1.33.12-14.el5
Target RPM Packages:   	
Policy RPM:   	selinux-policy-2.4.6-203.el5
Selinux Enabled:   	True
Policy Type:   	targeted
MLS Enabled:   	True
Enforcing Mode:   	Permissive
Plugin Name:   	home_tmp_bad_labels
Host Name:   	C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count:   	3
First Seen:   	Sun Feb 1 15:21:40 2009
Last Seen:   	Sun Feb 1 16:01:16 2009
Local ID:   	31b6bb16-26ba-419d-8057-7bb9eee9708a
Line Numbers:   	

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1233471676.49:19106): avc: denied { append } for pid=25330 comm="semodule" path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session" dev=dm-0 ino=29294826 scontext=system_u:system_r:semanage_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

host=C5.aardvark.com.au type=SYSCALL msg=audit(1233471676.49:19106): arch=c000003e syscall=59 success=yes exit=0 a0=16674410 a1=166747b0 a2=16673660 a3=3 items=0 ppid=25327 pid=25330 auid=102 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1740 comm="semodule" exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
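Added example, not from the post or from the SELinux tooling: a small Python reading of the AVC record quoted above, showing how the audit2allow rule in the post is derived from the source type, target type, object class and permission of the denial, and why that rule is scoped by type rather than by path. The sample record is constructed here from the post's values, and GENERIC_HOME_TYPES is an assumed list of the targeted policy's home-directory types.

```python
import re

# Constructed sample: an AVC record in the shape of the denial quoted in the post above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1233471676.49:19106): avc: denied { append } for pid=25330 '
    'comm="semodule" path="/root/.nx/C-C5.aardvark.com.au-1001-'
    'A809D35DE6DD5692B6DD14987FACDFC9/session" dev=dm-0 ino=29294826 '
    'scontext=system_u:system_r:semanage_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=file'
)

_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    # A security context is user:role:type[:mls]; the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "source_type": m.group("scontext").split(":")[2],
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "comm": kv.get("comm"),
        "path": kv.get("path"),
    }

def allow_rule(avc):
    """The type-enforcement rule audit2allow derives from the parsed denial."""
    return "allow %s %s:%s %s;" % (
        avc["source_type"], avc["target_type"], avc["tclass"], " ".join(avc["perms"]))

# Assumed generic home-directory types of the targeted policy; a rule on them is not path-scoped.
GENERIC_HOME_TYPES = {"user_home_t", "user_home_dir_t"}

def review_rule(avc):
    """Findings a policy reviewer would raise before loading the generated rule."""
    findings = []
    if avc["target_type"] in GENERIC_HOME_TYPES:
        findings.append(
            "target type %s is a generic home type: the rule lets %s %s every %s "
            "labelled %s, not only %s" % (avc["target_type"], avc["source_type"],
            " ".join(avc["perms"]), avc["tclass"], avc["target_type"], avc["path"]))
    return findings
```

Running allow_rule(parse_avc(SAMPLE_AVC)) reproduces the post's `allow semanage_t user_home_t:file append;`, and review_rule points out that the grant covers every user_home_t file, not just the nx session file.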
