Re: Hosts file access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 05/29/2014 01:20 AM, Miroslav Grepl wrote:
> On 05/28/2014 05:13 PM, Daniel J Walsh wrote:
>> restorecon -R -v /etc/hosts
>>
>> Would fix this issue.
> Yes, but he needs to repeat it.
>>
>> On 05/28/2014 06:36 AM, Miroslav Grepl wrote:
>>> On 05/28/2014 12:24 AM, Emmett Culley wrote:
>>>> On 05/22/2014 10:31 PM, Miroslav Grepl wrote:
>>>>> On 05/22/2014 06:35 PM, Emmett Culley wrote:
>>>>>> I am continually getting getattr and read AVC errors.  From my
>>>>>> research, I believe it is because my hosts file gets modified each
>>>>>> time I VPN into my work network.
>>>>>>
>>>>>> I cause the host names and IP addresses that are part of the
>>>>>> internal work network to be appended to the hosts file upon the VPN
>>>>>> connection and then restore the original hosts file upon
>>>>>> disconnection.
>>>>>>
>>>>>> I have tried restorecon /etc/hosts, but I  still get the warnings.
>>>>>> I have also done the mypol fixes suggested in the troubleshooting
>>>>>> dialog's details page.  Nothing I do resolves this issue.
>>>>>>
>>>>>> How can I prevent these AVC errors?  Or at least properly modify my
>>>>>> hosts file (and possibly others) the SELinux way?
>>>>>>
>>>>>> Emmett
>>>>>> -- 
>>>>>> selinux mailing list
>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>> What AVC message are you getting?
>>>>>
>>>>> What OS?
>>>>>
>>>>> Regards,
>>>>> Miroslav
>>>>>
>>>> Linux (Fedora 20)
>>>>
>>>> type=AVC msg=audit(1401200342.155:473): avc:  denied  { read } for
>>>> pid=5501 comm="httpd" name="hosts" dev="dm-0" ino=270007
>>>> scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023
>>>> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>>>>
>>>> AND
>>>>
>>>> type=AVC msg=audit(1401195880.487:401): avc:  denied  { getattr }
>>>> for  pid=1064 comm="chronyd" path="/etc/hosts" dev="dm-0" ino=270007
>>>> scontext=system_u:system_r:chronyd_t:s0
>>>> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>>>>
>>>>
>>>> type=SYSCALL msg=audit(1401195880.487:401): arch=x86_64 syscall=fstat
>>>> success=yes exit=0 a0=4 a1=7fff126bb590 a2=7fff126bb590 a3=0 items=0
>>>> ppid=1 pid=1064 auid=4294967295 uid=997 gid=996 euid=997 suid=997
>>>> fsuid=997 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295
>>>> comm=chronyd exe=/usr/sbin/chronyd
>>>> subj=system_u:system_r:chronyd_t:s0 key=(null)
>>>>
>>>> Each of the errors are caused by attempts to access the hosts file.
>>>>
>>>> Emmett
>>>>
>>>> -- 
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> "admin_home_t" is label for files/dirs in /root directory. It means
>>> the /etc/hosts is moved from this directory. Any chance you have a
>>> script which does it?
>>>
>>>
>>> -- 
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
Yes, I am using a script to save the current hosts file to /root when starting a VPN connection, then moving it back when closing the VPN connection.  I will add the restorecon command to the script.

Emmett
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux