I have been running this with SELinux disabled, but I'm trying to be A Better Person by running in enforcing mode all the time. I got the following alert while running appliance-creator. What the heck is "run lnk_file"?
----
SELinux is preventing /usr/sbin/useradd from read access on the lnk_file run.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow useradd to have read access on the run lnk_file
Then you need to change the label on run
Do
# semanage fcontext -a -t FILE_TYPE 'run'
where FILE_TYPE is one of the following: cert_t, selinux_config_t,
user_home_dir_t, device_t, device_t, devlog_t, locale_t,
httpd_user_content_type, security_t, etc_t, ld_so_t, proc_t, mail_spool_t,
device_t, abrt_t, bin_t, etc_t, base_ro_file_type, lib_t, man_t,
etc_runtime_t, root_t, tmp_t, bin_t, cert_t, var_run_t, tmp_t, tmp_t,
selinux_login_config_t, httpd_user_script_exec_type, textrel_shlib_t,
etc_runtime_t, var_run_t, selinux_config_t, rpm_script_tmp_t, security_t,
proc_t, net_conf_t, security_t, etc_t, etc_runtime_t, var_run_t, bin_t,
var_run_t, var_run_t, useradd_t, usr_t, user_home_type, domain,
home_root_t, etc_t, var_run_t, var_run_t.
Then execute:
restorecon -v 'run'

***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that useradd should be allowed read access on the run lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep useradd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                run [ lnk_file ]
Source                        useradd
Source Path                   /usr/sbin/useradd
Port                          <Unknown>
Host                          ubik.home.mkmiller.org
Source RPM Packages           shadow-utils-4.1.5.1-1.fc18.x86_64
Target RPM Packages           filesystem-3.1-2.fc18.x86_64
Policy RPM                    selinux-policy-3.11.1-50.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ubik.home.mkmiller.org
Platform                      Linux ubik.home.mkmiller.org 3.6.5-2.fc18.x86_64 #1 SMP Thu Nov 1 00:39:17 UTC 2012 x86_64 x86_64
Alert Count                   7
First Seen                    2012-11-08 15:53:06 EST
Last Seen                     2012-11-08 15:53:10 EST
Local ID                      e1402ea5-4bcb-45fa-b220-95fe0c0dc868

Raw Audit Messages
type=AVC msg=audit(1352407990.104:1493): avc: denied { read } for pid=19226 comm="useradd" name="run" dev="dm-1" ino=130358 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1352407990.104:1493): arch=x86_64 syscall=connect success=no exit=EACCES a0=5 a1=7ffffac812e0 a2=6e a3=ffffffffffffffff items=0 ppid=19218 pid=19226 auid=18281 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)

Hash: useradd,useradd_t,var_t,lnk_file,read

audit2allow

#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;

audit2allow -R

#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;
On Thu, 2012-11-08 at 15:59 -0500, Matthew Miller wrote:
I have been running this with SELinux disabled, but I'm trying to be A Better Person by running in enforcing mode all the time. I got the following alert while running appliance-creator. What the heck is "run lnk_file"?
it is probably the /var/run symlink to /run
Looks like it is mislabeled (currently var_t; should be var_run_t)
See if restorecon -R -v -F /var/run resets it to var_run_t
On Thu, Nov 08, 2012 at 10:28:16PM +0100, Dominick Grift wrote:
it is probably the /var/run symlink to /run
Looks like it is mislabeled (currently var_t; should be var_run_t)
See if restorecon -R -v -F /var/run resets it to var_run_t
Ahhh. So, the /var/run symlink *inside the chroot* is "system_u:object_r:var_run_t:s0". Okay, that gives me something to go on....
On Thu, 2012-11-08 at 16:53 -0500, Matthew Miller wrote:
On Thu, Nov 08, 2012 at 10:28:16PM +0100, Dominick Grift wrote:
it is probably the /var/run symlink to /run
Looks like it is mislabeled (currently var_t; should be var_run_t)
See if restorecon -R -v -F /var/run resets it to var_run_t
Ahhh. So, the /var/run symlink *inside the chroot* is "system_u:object_r:var_run_t:s0". Okay, that gives me something to go on....
chroot? I didn't mention a chroot. But anyways that symlink should be labeled var_run_t i think and then things will be able to read it
On Thu, Nov 08, 2012 at 11:43:20PM +0100, Dominick Grift wrote:
it is probably the /var/run symlink to /run
Looks like it is mislabeled (currently var_t; should be var_run_t)
See if restorecon -R -v -F /var/run resets it to var_run_t
Ahhh. So, the /var/run symlink *inside the chroot* is "system_u:object_r:var_run_t:s0". Okay, that gives me something to go on....
chroot? I didn't mention a chroot. But anyways that symlink should be labeled var_run_t i think and then things will be able to read it
You didn't mention it, but appliance-creator is making one.
On 11/08/2012 06:08 PM, Matthew Miller wrote:
On Thu, Nov 08, 2012 at 11:43:20PM +0100, Dominick Grift wrote:
it is probably the /var/run symlink to /run
Looks like it is mislabeled (currently var_t; should be var_run_t)
See if restorecon -R -v -F /var/run resets it to var_run_t
Ahhh. So, the /var/run symlink *inside the chroot* is "system_u:object_r:var_run_t:s0". Okay, that gives me something to go on....
chroot? I didn't mention a chroot. But anyways that symlink should be labeled var_run_t i think and then things will be able to read it
You didn't mention it, but appliance-creator is making one.
Matthew, I am interested in how chroot subdirs look?
# ls -lZ PATH_TO_CHROOT/
On Fri, Nov 09, 2012 at 04:23:14AM -0500, Miroslav Grepl wrote:
Matthew, I am interested in how chroot subdirs look?
# ls -lZ PATH_TO_CHROOT/
Sure.
$ sudo ls -lZ imgcreate-V5g52_/install_root
lrwxrwxrwx. root root system_u:object_r:bin_t:s0        bin -> usr/bin
dr-xr-xr-x. root root system_u:object_r:boot_t:s0       boot
drwxr-xr-x. root root system_u:object_r:device_t:s0     dev
drwxr-xr-x. root root system_u:object_r:etc_t:s0        etc
drwxr-xr-x. root root system_u:object_r:home_root_t:s0  home
lrwxrwxrwx. root root system_u:object_r:lib_t:s0        lib -> usr/lib
lrwxrwxrwx. root root system_u:object_r:lib_t:s0        lib64 -> usr/lib64
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
drwxr-xr-x. root root system_u:object_r:mnt_t:s0        media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0        mnt
drwxr-xr-x. root root system_u:object_r:usr_t:s0        opt
dr-xr-xr-x. root root system_u:object_r:proc_t:s0       proc
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 root
drwxr-xr-x. root root system_u:object_r:var_run_t:s0    run
lrwxrwxrwx. root root system_u:object_r:bin_t:s0        sbin -> usr/sbin
drwxr-xr-x. root root system_u:object_r:var_t:s0        srv
drwxr-xr-x. root root system_u:object_r:sysfs_t:s0      sys
drwxrwxrwt. root root system_u:object_r:tmp_t:s0        tmp
drwxr-xr-x. root root system_u:object_r:usr_t:s0        usr
drwxr-xr-x. root root system_u:object_r:var_t:s0        var
And
$ sudo ls -lZ imgcreate-V5g52_/install_root/var
drwxr-xr-x. root root system_u:object_r:var_t:s0          adm
drwxr-xr-x. root root system_u:object_r:var_t:s0          cache
drwxr-xr-x. root root system_u:object_r:var_t:s0          db
drwxr-xr-x. root root system_u:object_r:var_t:s0          empty
drwxr-xr-x. root root system_u:object_r:games_data_t:s0   games
drwxr-xr-x. root root system_u:object_r:var_t:s0          gopher
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0      lib
drwxr-xr-x. root root system_u:object_r:var_t:s0          local
lrwxrwxrwx. root root unconfined_u:object_r:var_t:s0      lock -> ../run/lock
drwxr-xr-x. root root system_u:object_r:var_log_t:s0      log
lrwxrwxrwx. root root system_u:object_r:mail_spool_t:s0   mail -> spool/mail
drwxr-xr-x. root root system_u:object_r:var_t:s0          nis
drwxr-xr-x. root root system_u:object_r:var_t:s0          opt
drwxr-xr-x. root root system_u:object_r:var_t:s0          preserve
lrwxrwxrwx. root root unconfined_u:object_r:var_run_t:s0  run -> ../run
drwxr-xr-x. root root system_u:object_r:var_spool_t:s0    spool
drwxrwxrwt. root root system_u:object_r:tmp_t:s0          tmp
drwxr-xr-x. root root system_u:object_r:var_yp_t:s0       yp
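The reason sealert's catchall_labels plugin outranks the audit2allow suggestion in the alert above is that the denied target carries var_t where the policy expects var_run_t on /var/run, so the right fix is restorecon, not a local policy module. As an added example (not code from this thread or from setroubleshoot), the Python below parses the raw AVC line from the alert and the ls -lZ listing above and applies exactly that test; the sample inputs are constructed from the thread and the EXPECTED table is an assumption (on a real host matchpathcon would supply those types).

```python
import re
# Constructed sample input: the AVC line quoted in the alert above.
AVC_LINE = (
    'type=AVC msg=audit(1352407990.104:1493): avc: denied { read } for pid=19226 '
    'comm="useradd" name="run" dev="dm-1" ino=130358 '
    'scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file')
# Constructed sample input: three entries from the chroot's /var listing above.
LS_LINES = """\
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 lib
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 log
lrwxrwxrwx. root root unconfined_u:object_r:var_run_t:s0 run -> ../run
"""
# Assumption: the type the policy expects on each /var entry (var_run_t for
# "run" is the thread's diagnosis); on a real host matchpathcon(1) supplies this.
EXPECTED = {"lib": "var_lib_t", "log": "var_log_t", "run": "var_run_t"}
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?name="(?P<name>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Triage fields of one AVC denial, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["source_type"] = d["scontext"].split(":")[2]  # user:role:type[:range]
    d["target_type"] = d["tcontext"].split(":")[2]
    return d

def triage(avc, expected):
    """('relabel', wanted) when the denied object's type differs from the one
    expected for its name (catchall_labels: fix with restorecon); else ('policy', actual)."""
    want = expected.get(avc["name"])
    if want is not None and want != avc["target_type"]:
        return "relabel", want
    return "policy", avc["target_type"]

def check_listing(text, expected):
    """Parse `ls -lZ` output; return {name: (actual, expected)} for entries
    whose on-disk type is not the one the policy expects."""
    bad = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[3].count(":") >= 2:
            actual, want = f[3].split(":")[2], expected.get(f[4])
            if want is not None and actual != want:
                bad[f[4]] = (actual, want)
    return bad
```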
selinux@lists.fedoraproject.org