On Wednesday 27 October 2010 11:36:40 Dominick Grift wrote:
> On 10/27/2010 12:28 PM, Tony Molloy wrote:
> > Hi,
> >
> > I'm running SELinux in enforcing mode on fully updated CentOS-5 servers.
> > selinux-policy-2.4.6-279.el5_5.1.noarch
> >
> > After the latest "possibly glibc" update I've seen the following AVC on
> > several of my servers.
> >
> > Summary:
> >
> > SELinux is preventing tzdata-update (tzdata_t) "getattr" to / (fs_t).
> >
> > Detailed Description:
> >
> > SELinux denied access requested by tzdata-update. It is not expected that
> > this access is required by tzdata-update and this access may signal an
> > intrusion attempt. It is also possible that the specific version or
> > configuration of the application is causing it to require additional
> > access.
> >
> > Allowing Access:
> >
> > You can generate a local policy module to allow this access - see FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> > disable SELinux protection altogether. Disabling SELinux protection is
> > not recommended.
> > Please file a bug report
> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
> > package.
> >
> > Additional Information:
> >
> > Source Context                root:system_r:tzdata_t:SystemLow-SystemHigh
> > Target Context                system_u:object_r:fs_t
> > Target Objects                / [ filesystem ]
> > Source                        tzdata-update
> > Source Path                   <Unknown>
> > Port                          <Unknown>
> > Host                          remote-backup.x.y.z
> > Source RPM Packages
> > Target RPM Packages           filesystem-2.4.0-3.el5
> > Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   catchall
> > Host Name                     remote-backup.x.y.z
> > Platform                      Linux remote-backup.x.y.z 2.6.18-194.17.1.el5
> >                               #1 SMP Wed Sep 29 12:50:31 EDT 2010 x86_64 x86_64
> > Alert Count                   3
> > First Seen                    Fri Oct 22 06:31:14 2010
> > Last Seen                     Wed Oct 27 06:39:14 2010
> > Local ID                      ec15ac2d-b644-40fb-809a-2b3809b001e5
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=remote-backup.csis.ul.ie type=AVC msg=audit(1288157954.817:16502):
> > avc: denied { getattr } for pid=2135 comm="tzdata-update" name="/"
> > dev=sda5 ino=2 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> This was fixed in fedora but looks like the fix was not back ported to el5:
>
> mkdir ~/mytzdata; cd ~/mytzdata;
> echo "policy_module(mytzdata, 1.0.0) gen_require(\` type tzdata_t; ')
> fs_getattr_xattr_fs(tzdata_t)" > mytzdata.te;
> make -f /usr/share/selinux/devel/Makefile mytzdata.pp
> sudo semodule -i mytzdata.pp
>
> ... should fix it

Dominick,

I was just reporting it in the hope that it would get back ported. I just
generated a local policy module for tzdata.

Thanks for the quick reply.

Regards,

Tony

> > Regards,
> >
> > Tony
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
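Added example, not part of the thread above: a small POSIX shell script that takes a raw AVC record like the one Tony posted, pulls out the source type, target type, object class and permissions, and prints both the raw allow rule audit2allow would derive and a complete .te source for a local module. The AVC line is a constructed copy of the thread's record without its host= prefix, and the module name mytzdata is an assumption; the interface call from Dominick's reply is the better fix when one exists, and the raw rule is shown so the two can be compared.

```shell
#!/bin/sh
# Constructed sample: the raw AVC record from the thread, minus the host= prefix.
AVC_SAMPLE='type=AVC msg=audit(1288157954.817:16502): avc: denied { getattr } for pid=2135 comm="tzdata-update" name="/" dev=sda5 ino=2 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'

# avc_field LINE KEY: print the value of the "KEY=value" token in an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the permissions listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# context_type CONTEXT: the type is the third field of user:role:type[:range].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the raw allow rule audit2allow would derive from the denial.
avc_to_allow() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$(avc_perms "$1")"
}

# avc_to_te NAME LINE: a complete .te source for a local module named NAME.
# Where refpolicy ships an interface for the access (here fs_getattr_xattr_fs,
# as used in the thread), prefer it over the raw allow rule emitted here.
avc_to_te() {
    src=$(context_type "$(avc_field "$2" scontext)")
    tgt=$(context_type "$(avc_field "$2" tcontext)")
    printf 'policy_module(%s, 1.0.0)\n\n' "$1"
    printf 'gen_require(`\n\ttype %s;\n\ttype %s;\n\047)\n\n' "$src" "$tgt"
    avc_to_allow "$2"
}

# Demo: print the rule and the module source for the sample record.
avc_to_allow "$AVC_SAMPLE"
avc_to_te mytzdata "$AVC_SAMPLE"
```

The printed .te can be written to mytzdata.te and built with the same make and semodule steps Dominick gives.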