On 09/27/2011 11:26 AM, Tony Molloy wrote:
> On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
> >> On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
> >>> Hi,
> >>>
> >>> On a fully updated CentOS 5.7 box I get the following AVC
> >>>
> >>> Summary:
> >>>
> >>> SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).
> >>>
> >>> Detailed Description:
> >>>
> >>> SELinux denied access requested by unix_update. It is not expected that this
> >>> access is required by unix_update and this access may signal an intrusion
> >>> attempt. It is also possible that the specific version or configuration of the
> >>> application is causing it to require additional access.
> >>>
> >>> Allowing Access:
> >>>
> >>> You can generate a local policy module to allow this access - see FAQ
> >>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> >>> SELinux protection altogether. Disabling SELinux protection is not recommended.
> >>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> >>> against this package.
> >>>
> >>> Additional Information:
> >>>
> >>> Source Context                system_u:system_r:updpwd_t
> >>> Target Context                system_u:object_r:fs_t
> >>> Target Objects                / [ filesystem ]
> >>> Source                        unix_update
> >>> Source Path                   <Unknown>
> >>> Port                          <Unknown>
> >>> Host                          a.b.c.d
> >>> Source RPM Packages
> >>> Target RPM Packages           filesystem-2.4.0-3.el5.centos
> >>> Policy RPM                    selinux-policy-2.4.6-316.el5
> >>> Selinux Enabled               True
> >>> Policy Type                   targeted
> >>> MLS Enabled                   True
> >>> Enforcing Mode                Enforcing
> >>> Plugin Name                   catchall
> >>> Host Name                     a.b.c.d
> >>> Platform                      Linuxl a.b.c.d 2.6.18-274.3.1.el5
> >>>                               #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64
> >>> Alert Count                   11
> >>> First Seen                    Fri Feb 25 15:39:33 2011
> >>> Last Seen                     Mon Sep 26 14:18:54 2011
> >>> Local ID                      275eef01-114a-419b-9df0-4bb81932bc5e
> >>> Line Numbers
> >>>
> >>> Raw Audit Messages
> >>>
> >>> host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied
> >>> { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5
> >>> ino=2 scontext=system_u:system_r:updpwd_t:s0
> >>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> >>>
> >>> I can generate a local policy module.
> >>
> >> Any idea what you were doing when this happened? The reason I ask
> >> is because this is not even allowed in latest fedora as far as I
> >> can see.
>
> This machine is basically a mail and ftp server. As far as I can
> tell from the logs ( secure and messages ) nobody was doing
> anything on the machine at the times I get the AVC, 5 times
> yesterday.
>
> >> It is no big deal to allow updpwd_t to get attributes of the fs_t
> >> filesystem but it is certainly not common for updpwd_t to want this
> >> access I believe. If it was we probably would have gotten many more
> >> reports much earlier.
>
> Strange then that I am getting it from this one server only.
>
> Here's the context for unix_update
>
> -rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update
>
> I've just run an autorelabel on the entire filesystem as part of
> the 5.6 to 5.7 CentOS update
>
> Thanks,
>
> Tony
>
> >>> Thanks,
> >>>
> >>> Tony
> >>>
> >>> --
> >>> selinux mailing list
> >>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux

Probably has to do with the way the mount table is set up on this machine versus other machines.
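
Added example, not part of the original thread: a small Python parser that turns the raw AVC record quoted above into the type-enforcement source of a local policy module, similar in intent to what audit2allow generates, so the single rule being granted can be read before anything is loaded. The module name localupdpwd and the function names are hypothetical choices for this example.

```python
import re

# The raw audit record quoted in the thread (host anonymised as in the post).
AVC = ('host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied '
       '{ getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 '
       'ino=2 scontext=system_u:system_r:updpwd_t:s0 '
       'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return the denial as a dict, or None if the line is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    try:
        # A context is user:role:type[:level]; the type is the third field.
        src = fields['scontext'].split(':')[2]
        tgt = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {'source': src, 'target': tgt, 'tclass': tclass,
            'perms': sorted(m.group('perms').split()),
            'comm': fields.get('comm', '').strip('"')}

def local_module(denials, name='localupdpwd'):
    """Build type-enforcement source for review; 'name' is a hypothetical module name."""
    rules, types, classes = set(), set(), {}
    for d in denials:
        types.update((d['source'], d['target']))
        classes.setdefault(d['tclass'], set()).update(d['perms'])
        rules.add('allow %s %s:%s { %s };' % (
            d['source'], d['target'], d['tclass'], ' '.join(d['perms'])))
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in sorted(types)]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ['}', ''] + sorted(rules)
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    print(local_module([parse_avc(AVC)]))
```

The printed source can be compiled with checkmodule and semodule_package and loaded with semodule once the rule has been reviewed.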