On 09/02/2010 05:13 PM, Daniel B. Thurman wrote:
> On 09/02/2010 12:52 PM, Daniel J Walsh wrote:
>> On 09/02/2010 01:45 PM, Daniel B. Thurman wrote:
>>> It is interesting to note that for /md/X/ mounted filesystem, a root
>>> user cannot change the / files, whereas / subdirectory files can be
>>> changed/modified.
>>
>>> The workaround is to unmount the /md/X filesystem, remounting it
>>> as default, make the change, unmount again, and then mount -a OR
>>> simply reboot to the OS and make the changes in the normal way.
>>
>> That is strange, what AVC are you seeing?
>
> Hope this helps somewhat...
>
> With a little more research, I discovered that I cannot
> create a new file, cannot create a new file via the vi
> command, but I can modify/delete an existing file and
> AVCs are generated in most cases when creating and
> modifying a file, but not deleting, or so it seems.
>
> I am booted in F13, and have F12 mounted in /md.
> In general, the same three commands are the same
> in any place on the md partition, depending perhaps
> on user ownership.
>
> (1): cd /md/RF12D1; touch foo (Cannot create empty file: foo)
> ========================================
> Summary:
>
> SELinux is preventing /bin/touch "associate" access on foo.
>
> Detailed Description:
>
> SELinux denied access requested by touch. It is not expected that this
> access is required by touch and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context        unconfined_u:object_r:etc_runtime_t:s0
> Target Context        system_u:object_r:root_t:s0
> Target Objects        foo [ filesystem ]
> Source                touch
> Source Path           /bin/touch
> Port                  <Unknown>
> Host                  gold.cdkkt.com
> Source RPM Packages   coreutils-8.4-8.fc13
> Target RPM Packages
> Policy RPM            selinux-policy-3.7.19-51.fc13
> Selinux Enabled       True
> Policy Type           targeted
> Enforcing Mode        Enforcing
> Plugin Name           catchall
> Host Name             gold.cdkkt.com
> Platform              Linux gold.cdkkt.com 2.6.34.6-47.fc13.i686 #1 SMP
>                       Fri Aug 27 09:48:44 UTC 2010 i686 i686
> Alert Count           1
> First Seen            Thu 02 Sep 2010 01:48:47 PM PDT
> Last Seen             Thu 02 Sep 2010 01:48:47 PM PDT
> Local ID              9e913bde-6ed4-4d4b-9bfc-ddc06ec0f0c8
> Line Numbers
>
> Raw Audit Messages
>
> node=gold.cdkkt.com type=AVC msg=audit(1283460527.718:896): avc:
> denied { associate } for pid=19648 comm="touch" name="foo"
> scontext=unconfined_u:object_r:etc_runtime_t:s0
> tcontext=system_u:object_r:root_t:s0 tclass=filesystem
>
> node=gold.cdkkt.com type=SYSCALL msg=audit(1283460527.718:896):
> arch=40000003 syscall=5 success=no exit=-13 a0=bffb6de9 a1=8941 a2=1b6
> a3=bffb6de9 items=0 ppid=17927 pid=19648 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="touch"
> exe="/bin/touch"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
> (2): cd /md/RF12D1; vi foo (Cannot create file: foo)
> AVCs: (a) "vi foo", (b) Modify, Write & Save not possible, no AVC
>
> (a) ========================================
> Summary:
>
> SELinux is preventing /bin/vi "associate" access on .foo.swp.
>
> Detailed Description:
>
> SELinux denied access requested by vi. It is not expected that this
> access is required by vi and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context        unconfined_u:object_r:etc_runtime_t:s0
> Target Context        system_u:object_r:root_t:s0
> Target Objects        .foo.swp [ filesystem ]
> Source                vi
> Source Path           /bin/vi
> Port                  <Unknown>
> Host                  gold.cdkkt.com
> Source RPM Packages   vim-minimal-7.2.411-1.fc13
> Target RPM Packages
> Policy RPM            selinux-policy-3.7.19-51.fc13
> Selinux Enabled       True
> Policy Type           targeted
> Enforcing Mode        Enforcing
> Plugin Name           catchall
> Host Name             gold.cdkkt.com
> Platform              Linux gold.cdkkt.com 2.6.34.6-47.fc13.i686 #1 SMP
>                       Fri Aug 27 09:48:44 UTC 2010 i686 i686
> Alert Count           1
> First Seen            Thu 02 Sep 2010 01:49:39 PM PDT
> Last Seen             Thu 02 Sep 2010 01:49:39 PM PDT
> Local ID              01dced02-64b8-4543-a021-c5d9d141d9a4
> Line Numbers
>
> Raw Audit Messages
>
> node=gold.cdkkt.com type=AVC msg=audit(1283460579.305:898): avc:
> denied { associate } for pid=19762 comm="vi" name=".foo.swp"
> scontext=unconfined_u:object_r:etc_runtime_t:s0
> tcontext=system_u:object_r:root_t:s0 tclass=filesystem
>
> node=gold.cdkkt.com type=SYSCALL msg=audit(1283460579.305:898):
> arch=40000003 syscall=5 success=no exit=-13 a0=858f310 a1=280c2 a2=180
> a3=858f310 items=0 ppid=17927 pid=19762 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi"
> exe="/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
>
>
> 3: cd /md/RF12D1/etc; vi fstab [Can modify & save existing file]
> AVCs: (a) vi fstab, (b) modify, write & save
>
> (a) ========================================
> Summary:
>
> SELinux is preventing /bin/vi "associate" access on .fstab.swp.
>
> Detailed Description:
>
> SELinux denied access requested by vi. It is not expected that this
> access is required by vi and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context        unconfined_u:object_r:etc_runtime_t:s0
> Target Context        system_u:object_r:root_t:s0
> Target Objects        .fstab.swp [ filesystem ]
> Source                vi
> Source Path           /bin/vi
> Port                  <Unknown>
> Host                  gold.cdkkt.com
> Source RPM Packages   vim-minimal-7.2.411-1.fc13
> Target RPM Packages
> Policy RPM            selinux-policy-3.7.19-51.fc13
> Selinux Enabled       True
> Policy Type           targeted
> Enforcing Mode        Enforcing
> Plugin Name           catchall
> Host Name             gold.cdkkt.com
> Platform              Linux gold.cdkkt.com 2.6.34.6-47.fc13.i686 #1 SMP
>                       Fri Aug 27 09:48:44 UTC 2010 i686 i686
> Alert Count           1
> First Seen            Thu 02 Sep 2010 01:51:05 PM PDT
> Last Seen             Thu 02 Sep 2010 01:51:05 PM PDT
> Local ID              e7b9c7a4-f908-4e0e-8d33-a92dc5e115a9
> Line Numbers
>
> Raw Audit Messages
>
> node=gold.cdkkt.com type=AVC msg=audit(1283460665.979:912): avc:
> denied { associate } for pid=19806 comm="vi" name=".fstab.swp"
> scontext=unconfined_u:object_r:etc_runtime_t:s0
> tcontext=system_u:object_r:root_t:s0 tclass=filesystem
>
> node=gold.cdkkt.com type=SYSCALL msg=audit(1283460665.979:912):
> arch=40000003 syscall=5 success=no exit=-13 a0=86c9320 a1=280c2 a2=180
> a3=86c9320 items=0 ppid=17927 pid=19806 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi"
> exe="/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
>
> (b) ========================================
> Summary:
>
> SELinux is preventing /bin/vi "associate" access on fstab~.
>
> Detailed Description:
>
> SELinux denied access requested by vi. It is not expected that this
> access is required by vi and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context        unconfined_u:object_r:etc_runtime_t:s0
> Target Context        system_u:object_r:root_t:s0
> Target Objects        fstab~ [ filesystem ]
> Source                vi
> Source Path           /bin/vi
> Port                  <Unknown>
> Host                  gold.cdkkt.com
> Source RPM Packages   vim-minimal-7.2.411-1.fc13
> Target RPM Packages
> Policy RPM            selinux-policy-3.7.19-51.fc13
> Selinux Enabled       True
> Policy Type           targeted
> Enforcing Mode        Enforcing
> Plugin Name           catchall
> Host Name             gold.cdkkt.com
> Platform              Linux gold.cdkkt.com 2.6.34.6-47.fc13.i686 #1 SMP
>                       Fri Aug 27 09:48:44 UTC 2010 i686 i686
> Alert Count           4
> First Seen            Thu 02 Sep 2010 01:58:28 PM PDT
> Last Seen             Thu 02 Sep 2010 01:58:32 PM PDT
> Local ID              5594e318-4b02-4875-be04-c5fe6fa2cf8d
> Line Numbers
>
> Raw Audit Messages
>
> node=gold.cdkkt.com type=AVC msg=audit(1283461112.259:930): avc:
> denied { associate } for pid=20016 comm="vi" name="fstab~"
> scontext=unconfined_u:object_r:etc_runtime_t:s0
> tcontext=system_u:object_r:root_t:s0 tclass=filesystem
>
> node=gold.cdkkt.com type=SYSCALL msg=audit(1283461112.259:930):
> arch=40000003 syscall=5 success=no exit=-13 a0=87dedc0 a1=280c1 a2=1a4
> a3=87dedc0 items=0 ppid=17927 pid=20016 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi"
> exe="/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
>
>
> 4: cd /md/var/tmp; rm <file>, selinux context root_t
> No AVC generated
> ========================================

I think the problem is the context you chose. The tools are trying to do a
transition and change the context. Since you chose root_t, the label of /,
the kernel is trying to place etc_runtime_t files in the directory. If you
were to touch a file in / the same thing would happen. If you change your
context line to use nfs_t or usr_t, I think you will get a better result.

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
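As an added example (not code from the thread), here is a small parser for the raw audit records quoted above: it pairs each AVC with its SYSCALL record by audit serial and renders a filesystem:associate denial the way the reply explains it, as a mismatch between the label the new file would carry (scontext) and the label of the filesystem it is being created on (tcontext). The embedded input is a constructed sample built from the two records of case (1).

```python
import errno, re
from collections import defaultdict

# Constructed sample: the two raw audit records from case (1) above, one record per line.
SAMPLE = """\
node=gold.cdkkt.com type=AVC msg=audit(1283460527.718:896): avc: denied { associate } for pid=19648 comm="touch" name="foo" scontext=unconfined_u:object_r:etc_runtime_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=filesystem
node=gold.cdkkt.com type=SYSCALL msg=audit(1283460527.718:896): arch=40000003 syscall=5 success=no exit=-13 a0=bffb6de9 a1=8941 a2=1b6 a3=bffb6de9 items=0 ppid=17927 pid=19648 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="touch" exe="/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # msg=audit(timestamp:serial)
PERMS = re.compile(r'denied\s+\{([^}]*)\}')          # avc: denied { perm ... }

def parse_record(line):
    """Parse one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    if m := MSG.search(line):
        rec['time'], rec['serial'] = float(m.group(1)), int(m.group(2))
    if p := PERMS.search(line):
        rec['perms'] = p.group(1).split()
    return rec

def group_events(text):
    """Group records by audit serial: an AVC and its SYSCALL record share one serial."""
    events = defaultdict(dict)
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        events[rec['serial']][rec['type']] = rec
    return dict(events)

def type_of(ctx):  # user:role:type[:range] -> type
    return ctx.split(':')[2]

def explain(event):
    """Explain a filesystem:associate denial in plain words; None for any other denial."""
    avc = event.get('AVC')
    if not avc or avc.get('tclass') != 'filesystem' or 'associate' not in avc.get('perms', []):
        return None
    sc = event.get('SYSCALL', {})
    # For class filesystem, scontext is the label the new file would carry (the
    # type_transition result in a root_t directory) and tcontext is the filesystem's label.
    file_type, fs_type = type_of(avc['scontext']), type_of(avc['tcontext'])
    creator = type_of(sc['subj']) if 'subj' in sc else 'unknown'
    err = errno.errorcode.get(-int(sc.get('exit', 0)), 'unknown')
    return (f"{avc['comm']} (domain {creator}) tried to create {avc['name']} as {file_type} "
            f"on a filesystem labelled {fs_type}; policy does not allow "
            f"'{file_type} {fs_type}:filesystem associate', so the syscall failed with {err}.")

if __name__ == '__main__':
    print(*(explain(e) for e in group_events(SAMPLE).values()), sep='\n')
```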