Re: selinux-policy update

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/28/2012 08:08 AM, Zdenek Pytela wrote:
> Hello everyone, every time I upgrade selinux-policy packages, I get
> 
> SELinux is preventing /usr/sbin/load_policy from 'read, append' accesses
> on the file /tmp/tmp5vo8of.
> 
> Raw Audit Messages type=AVC msg=audit(1340799402.853:3866): avc:  denied  {
> read append } for pid=22456 comm="load_policy" path="/tmp/tmp5vo8of"
> dev="tmpfs" ino=464186 
> scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:tmp_t:s0 tclass=file type=SYSCALL
> msg=audit(1340799402.853:3866): arch=x86_64 syscall=execve success=yes
> exit=0 a0=ff5f80 a1=ff5f60 a2=ff2e90 a3=10 items=0 ppid=22449 pid=22456
> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts16
> ses=357 comm=load_policy exe=/usr/sbin/load_policy 
> subj=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 key=(null)
> 
> The command load_policy is executed by the rpm postinstall scriptlet. It
> happens on workstations with f16 or f17, the only less usual thing is that
> /tmp is mounted as tmpfs with 
> rw,nodev,noexec,noatime,nodiratime,context=system_u:object_r:tmp_t:s0 
> Context of /tmp is the same as it was before and the same as physical 
> directory /var/tmp.
> 
> I know how to make local policy rules, but I would like to know if there is
> a better solution. Thanks,
> 

This is a leaked file descriptor from who ever created the file /tmp/tmp5v080f
or a redirected stdin/stdout/stderr.  Possible candidates would be puppet or
simple redirection using bash

command << _EOF
input
input
_EOF

Could cause something like this if the command eventually executed
rpm/load_policy.

Simplest thing would be to generate an audit2allow rule for it to dontaudit
this action.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlA8vgIACgkQrlYvE4MpobNJagCfUwLA6oGAiVCr36J42INVFkXi
ZAIAn2vNBMsy1W2rTsMSvGrRqxHHaw4F
=Wk72
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux