On 10/27/2010 12:28 PM, Tony Molloy wrote: > > Hi, > > I'm running SELinux in enforcing mode on fully updated CentOS-5 servers. > selinux-policy-2.4.6-279.el5_5.1.noarch > > After the latest "possibly glibc" update I've seen the following AVC on > several of my servers. > > > > Summary: > > SELinux is preventing tzdata-update (tzdata_t) "getattr" to / (fs_t). > > Detailed Description: > > SELinux denied access requested by tzdata-update. It is not expected that this > access is required by tzdata-update and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context root:system_r:tzdata_t:SystemLow-SystemHigh > Target Context system_u:object_r:fs_t > Target Objects / [ filesystem ] > Source tzdata-update > Source Path <Unknown> > Port <Unknown> > Host remote-backup.x.y.z > Source RPM Packages > Target RPM Packages filesystem-2.4.0-3.el5 > Policy RPM selinux-policy-2.4.6-279.el5_5.1 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name remote-backup.x.y.z > Platform Linux remote-backup.x.y.z 2.6.18-194.17.1.el5 > #1 SMP Wed Sep 29 12:50:31 EDT 2010 x86_64 > x86_64 > Alert Count 3 > First Seen Fri Oct 22 06:31:14 2010 > Last Seen Wed Oct 27 06:39:14 2010 > Local ID ec15ac2d-b644-40fb-809a-2b3809b001e5 > Line Numbers > > Raw Audit Messages > > host=remote-backup.csis.ul.ie type=AVC msg=audit(1288157954.817:16502): avc: > denied { getattr } for pid=2135 comm="tzdata-update" name="/" dev=sda5 ino=2 > scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:fs_t:s0 tclass=filesystem This was fixed in fedora but looks like the fix was not back ported to el5: mkdir ~/mytzdata; cd ~/mytzdata; echo "policy_module(mytzdata, 1.0.0) gen_require(\` type tzdata_t; ') fs_getattr_xattr_fs(tzdata_t)" > mytzdata.te; make -f /usr/share/selinux/devel/Makefile mytzdata.pp sudo semodule -i mytzdata.pp ... should fix it > > Regards, > > Tony > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux
Attachment:
signature.asc
Description: OpenPGP digital signature
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
