On 2012-02-29 14:00, Miroslav Grepl wrote:
On 02/29/2012 10:32 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
Hello,
I have an Enterprise Linux 6 machine, managed by Puppet, enforcing
the target policy, for which Puppet manages a bunch of contexts and
policies, but the following message occurs when it attempts to do so:
type=AVC msg=audit(1330511088.080:1757): avc: denied { write }
for pid=9222 comm="semanage" path="/tmp/puppet20120229-8297-bjmcbp-0"
dev=dm-0 ino=1572875
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
Could you attach the full AVC message? I am interested in the "syscall" and
"success" fields.
It looks like a leaked file descriptor.
I believe this is everything, but if not, please point me in the right
direction:
type=AVC msg=audit(1330454003.144:529): avc: denied { write } for
pid=16025 comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0"
dev=dm-0 ino=1572875
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59
success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620
items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage"
exe="/usr/bin/python"
subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
Thanks,
The following is a reference to what Puppet is trying to do:
http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98
In short, I'm installing custom built mailman packages so that I can
have devel@project1 alongside devel@project2 mailing lists by
installing dedicated mailman instances for project1 and project2. The
Puppet module I'm referring to attempts to apply the necessary SELinux
contexts to the files deployed with each RPM package.
I'm wondering what is causing the denial (or, why semanage needs
something in /tmp/ with the name of puppet in it) as well as what to
do about it - it doesn't seem to be blocking Puppet from achieving the
goal of adding new file_contexts for these custom packages.
Kind regards,
Jeroen van Meeuwen
Kind regards,
Jeroen van Meeuwen
--
Systems Architect, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com
pgp: 9342 BF08
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
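The diagnosis in the thread rests on two fields of the SYSCALL record that accompanies the AVC: syscall=59 is execve on x86_64 (arch=c000003e), and success=yes means the exec went ahead. A write denial reported on a successful execve is the signature of a leaked file descriptor: the caller (here Puppet) left its temporary file open across exec, the new domain (semanage_t) has no write permission to user_tmp_t, so the kernel revokes the inherited descriptor and lets the exec continue. That is why the denial is logged but nothing Puppet does actually fails. The Python below is an added example and is not code from the thread or from the selinux project; it pairs AVC and SYSCALL records by their audit serial and separates this leaked-fd pattern from a real access denial. The serial-529 records are copied from the thread (re-joined onto single lines); the second, failing write(2) case is constructed for contrast; the syscall-number table covers only x86_64.

```python
"""Pair SELinux AVC denials with their SYSCALL records and separate leaked
file descriptors (denial on a successful execve) from real access denials."""
import re
from typing import Dict, List, Optional

# Records copied from the thread above (audit serial 529), re-joined onto one
# line each; field values unchanged.
THREAD_RECORDS = """\
type=AVC msg=audit(1330454003.144:529): avc: denied { write } for pid=16025 comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
"""

# Constructed contrast case (not from the thread): a real write denial, where
# the denied syscall is write(2) itself and it fails with EACCES (exit=-13).
CONSTRUCTED_REAL_DENIAL = """\
type=AVC msg=audit(1330454100.000:530): avc: denied { write } for pid=16030 comm="semanage" path="/var/lib/example-constructed.db" dev=dm-0 ino=4242 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1330454100.000:530): arch=c000003e syscall=1 success=no exit=-13 a0=3 a1=7fff00000000 a2=10 a3=0 items=0 ppid=16022 pid=16030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
_DENIED = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
# x86_64 (arch=c000003e) syscall numbers that perform a domain transition.
EXEC_SYSCALLS_X86_64 = {59: "execve", 322: "execveat"}
Record = Dict[str, object]


def parse_record(line: str) -> Record:
    """Split one audit record into its key=value fields plus serial/denied."""
    rec: Record = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _SERIAL.search(line)
    rec["serial"] = m.group(1) if m else None
    d = _DENIED.search(line)
    rec["denied"] = d.group(1).split() if d else []
    return rec


def group_by_serial(text: str) -> Dict[str, Dict[str, List[Record]]]:
    """Collect the records that share one audit serial, keyed by record type."""
    events: Dict[str, Dict[str, List[Record]]] = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        rec = parse_record(line)
        if rec["serial"] is not None:
            by_type = events.setdefault(str(rec["serial"]), {})
            by_type.setdefault(str(rec.get("type")), []).append(rec)
    return events


def syscall_name(sc: Optional[Record]) -> Optional[str]:
    """Name of the syscall if it is an exec on x86_64, else its raw number."""
    if sc is None or "syscall" not in sc:
        return None
    nr = str(sc["syscall"])
    if sc.get("arch") == "c000003e":
        return EXEC_SYSCALLS_X86_64.get(int(nr), nr)
    return nr


def classify(avc: Record, sc: Optional[Record]) -> str:
    """leaked_fd: file denial on an exec that still succeeded; else real denial."""
    if sc is None:
        return "unknown"
    is_exec = syscall_name(sc) in EXEC_SYSCALLS_X86_64.values()
    if is_exec and sc.get("success") == "yes" and avc.get("tclass") == "file":
        return "leaked_fd"
    return "access_denied"


def _type_of(ctx: object) -> str:
    parts = str(ctx).split(":")  # user:role:type:range -> type
    return parts[2] if len(parts) > 2 else str(ctx)


def analyze(text: str) -> List[Dict[str, Optional[str]]]:
    """One finding per AVC record: who, what, verdict and what to do about it."""
    findings: List[Dict[str, Optional[str]]] = []
    for serial, recs in group_by_serial(text).items():
        sc = (recs.get("SYSCALL") or [None])[0]
        for avc in recs.get("AVC", []):
            verdict = classify(avc, sc)
            domain, ttype = _type_of(avc.get("scontext")), _type_of(avc.get("tcontext"))
            path, perms = str(avc.get("path", "?")), " ".join(avc["denied"])
            if verdict == "leaked_fd":
                hint = (f"{domain} inherited an open descriptor to {path} across "
                        f"{syscall_name(sc)}; the kernel revoked it and the exec "
                        "succeeded. Have the caller open the file with O_CLOEXEC "
                        "or close it before exec, or dontaudit the leak in policy.")
            elif verdict == "access_denied":
                hint = (f"{domain} was refused '{perms}' on {path} ({ttype}) and the "
                        "call failed; review the policy before allowing it.")
            else:
                hint = "No SYSCALL record; fetch both with 'ausearch -m AVC,SYSCALL'."
            findings.append({"serial": serial, "domain": domain, "target_type": ttype,
                             "path": path, "perms": perms, "syscall": syscall_name(sc),
                             "success": str(sc.get("success")) if sc else None,
                             "verdict": verdict, "hint": hint})
    return findings


if __name__ == "__main__":
    for f in analyze(THREAD_RECORDS + CONSTRUCTED_REAL_DENIAL):
        print(f"[{f['verdict']}] audit({f['serial']}): {f['hint']}")
```

Run against the thread's records it reports `leaked_fd` for serial 529 with domain semanage_t, target type user_tmp_t and the Puppet temp file as the path, which is the reading Miroslav gives: semanage never tried to write the file, it merely inherited Puppet's open descriptor. The constructed case, where the denied syscall is the write itself and success=no, is reported as `access_denied`, the kind of denial that does break the calling program and needs a policy decision rather than a close-on-exec fix.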