Hi,
I'm getting the following denial on a fully updated CentOS 5.3 system with (selinux-policy-2.4.6-203.el5.noarch):
Summary:
SELinux is preventing semodule (semanage_t) "getattr" to / (fs_t).
Detailed Description:
SELinux denied access requested by semodule. It is not expected that this access is required by semodule and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                root:system_r:semanage_t:SystemLow-SystemHigh
Target Context                system_u:object_r:fs_t
Target Objects                / [ filesystem ]
Source                        semodule
Source Path                   <Unknown>
Port                          <Unknown>
Host                          a.b.c.d
Source RPM Packages
Target RPM Packages           filesystem-2.4.0-2.el5.centos
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     a.b.c.d
Platform                      Linux a.b.c.d 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1 09:10:25 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu Apr 23 08:53:08 2009
Last Seen                     Thu Apr 23 08:53:08 2009
Local ID                      227642bc-dd66-4a04-bcad-13c3d52e5e63
Line Numbers

Raw Audit Messages
host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc: denied { getattr } for pid=29325 comm="semodule" name="/" dev=sda5 ino=2 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
I can generate local policy, but is that the best solution?
Regards,
Tony
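To see exactly what a local policy module for this denial would grant, the following added example (not part of the original message, and not the audit2allow tool) parses the raw AVC record quoted above and renders the matching type-enforcement rule. The second sample record and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Record 1 is the raw audit message from the post; record 2 is a constructed
# "granted" record, added to show that only denials produce rules.
SAMPLE_LOG = [
    'host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc: denied '
    '{ getattr } for pid=29325 comm="semodule" name="/" dev=sda5 ino=2 '
    'scontext=root:system_r:semanage_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(0.000:1): avc: granted { getattr } for pid=1 '
    'comm="example" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
]

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of user:role:type[:mls]; the MLS part may hold ':'."""
    parts = context.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return parts[2]

def parse_avc(line):
    """Parse one AVC record into a dict, or return None for other record types."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {'result': result, 'perms': perms.split(), 'comm': fields.get('comm'),
            'source': context_type(fields['scontext']),
            'target': context_type(fields['tcontext']),
            'tclass': fields['tclass']}

def allow_rules(lines):
    """Merge denied permissions per (source, target, class) into allow rules."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc and avc['result'] == 'denied':
            merged[(avc['source'], avc['target'], avc['tclass'])].update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_text))
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_LOG)))
```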
On 04/23/2009 04:32 AM, Tony Molloy wrote:
> host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc: denied { getattr } for pid=29325 comm="semodule" name="/" dev=sda5 ino=2 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
I am working from home today, so I don't have access to my RHEL5 box. Could you check the latest RHEL5.4 policy preview available on
http://people.redhat.com/dwalsh/SELinux/RHEL5
to see if this problem is fixed?
On Thursday 23 April 2009 13:31:53 you wrote:
> On 04/23/2009 04:32 AM, Tony Molloy wrote:
> > host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc: denied { getattr } for pid=29325 comm="semodule" name="/" dev=sda5 ino=2 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> I am working from home today, so I don't have access to my RHEL5 box. Could you check the latest RHEL5.4 policy preview available on
> http://people.redhat.com/dwalsh/SELinux/RHEL5
> to see if this problem is fixed?
Daniel,
I'm just re-installing the test server now. I've downloaded all the rpms. Which ones do you want me to install?
libsemanage-1.9.1-4.2.el5.x86_64.rpm
Thanks,
Tony
On 04/24/2009 03:48 AM, Tony Molloy wrote:
> On Thursday 23 April 2009 13:31:53 you wrote:
> > On 04/23/2009 04:32 AM, Tony Molloy wrote:
> > > host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc: denied { getattr } for pid=29325 comm="semodule" name="/" dev=sda5 ino=2 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> > I am working from home today, so I don't have access to my RHEL5 box. Could you check the latest RHEL5.4 policy preview available on
> > http://people.redhat.com/dwalsh/SELinux/RHEL5
> > to see if this problem is fixed?
> Daniel,
> I'm just re-installing the test server now. I've downloaded all the rpms. Which ones do you want me to install?
> libsemanage-1.9.1-4.2.el5.x86_64.rpm
> Thanks,
> Tony
selinux-policy
selinux@lists.fedoraproject.org