Attempting to 'yum update' to dev-3.8.3-1.i386 from dev-3.8.2-1 produces:
dev 100 % done 50/101 error: unpacking of archive failed: cpio: lstat
and the update fails. No avc's in log.
Rerunning 'yum update dev' in permissive mode succeeds.
Avc's from permissive mode run:
Jul 31 10:56:04 fedora kernel: audit(1091296564.101:0): avc: denied { getattr } for pid=9419 exe=/usr/bin/python path=/dev/dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { search } for pid=9421 exe=/usr/sbin/groupadd name=selinux dev=hda2 ino=4509743 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { read } for pid=9421 exe=/usr/sbin/groupadd name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 31 10:56:19 fedora kernel: audit(1091296579.902:0): avc: denied { getattr } for pid=9421 exe=/usr/sbin/groupadd path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 31 10:56:20 fedora kernel: audit(1091296580.078:0): avc: denied { search } for pid=9422 exe=/usr/sbin/useradd name=run dev=hda2 ino=4456484 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:var_run_t tclass=dir
Jul 31 10:56:29 fedora kernel: audit(1091296589.978:0): avc: denied { relabelfrom } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:29 fedora kernel: audit(1091296589.979:0): avc: denied { relabelto } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.011:0): avc: denied { setattr } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.017:0): avc: denied { search } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.083:0): avc: denied { write } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.083:0): avc: denied { add_name } for pid=9419 exe=/usr/bin/python name=card0;410bdd3f scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.136:0): avc: denied { remove_name } for pid=9419 exe=/usr/bin/python name=card0;410bdd3f dev=hda2 ino=2689465 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:57:49 fedora kernel: audit(1091296669.135:0): avc: denied { search } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:57:49 fedora kernel: audit(1091296669.136:0): avc: denied { getattr } for pid=9419 exe=/usr/bin/python path=/dev/dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Audit2allow on the above produces:
allow groupadd_t selinux_config_t:dir { search };
allow groupadd_t selinux_config_t:file { getattr read };
allow rpm_t dri_device_t:dir { add_name getattr relabelfrom relabelto remove_name search setattr write };
allow useradd_t var_run_t:dir { search };
Hope this helps, tom
Tom London wrote:
Attempting to 'yum update' to dev-3.8.3-1.i386 from dev-3.8.2-1 produces:
dev 100 % done 50/101 error: unpacking of archive failed: cpio: lstat
and the update fails. No avc's in log.
Rerunning 'yum update dev' in permissive mode succeeds.
Avc's from permissive mode run:
Jul 31 10:56:04 fedora kernel: audit(1091296564.101:0): avc: denied { getattr } for pid=9419 exe=/usr/bin/python path=/dev/dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { search } for pid=9421 exe=/usr/sbin/groupadd name=selinux dev=hda2 ino=4509743 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { read } for pid=9421 exe=/usr/sbin/groupadd name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 31 10:56:19 fedora kernel: audit(1091296579.902:0): avc: denied { getattr } for pid=9421 exe=/usr/sbin/groupadd path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 31 10:56:20 fedora kernel: audit(1091296580.078:0): avc: denied { search } for pid=9422 exe=/usr/sbin/useradd name=run dev=hda2 ino=4456484 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:var_run_t tclass=dir
Jul 31 10:56:29 fedora kernel: audit(1091296589.978:0): avc: denied { relabelfrom } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:29 fedora kernel: audit(1091296589.979:0): avc: denied { relabelto } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.011:0): avc: denied { setattr } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.017:0): avc: denied { search } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.083:0): avc: denied { write } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.083:0): avc: denied { add_name } for pid=9419 exe=/usr/bin/python name=card0;410bdd3f scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.136:0): avc: denied { remove_name } for pid=9419 exe=/usr/bin/python name=card0;410bdd3f dev=hda2 ino=2689465 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:57:49 fedora kernel: audit(1091296669.135:0): avc: denied { search } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:57:49 fedora kernel: audit(1091296669.136:0): avc: denied { getattr } for pid=9419 exe=/usr/bin/python path=/dev/dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Audit2allow on the above produces:
allow groupadd_t selinux_config_t:dir { search };
allow groupadd_t selinux_config_t:file { getattr read };
Added rules for groupadd
allow rpm_t dri_device_t:dir { add_name getattr relabelfrom relabelto remove_name search setattr write };
Modified /dev/dri directory back to device_t
allow useradd_t var_run_t:dir { search };
Added dontaudit rule.
Hope this helps, tom
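As an added example that is not part of the thread, the following Python does for the AVC records above what audit2allow does: it parses each kernel denial, merges the denied permissions per source type, target type and object class, and prints the resulting allow rules. It also flags any merged rule that would grant relabelfrom/relabelto, since the reply's fix for the rpm_t denials was to relabel /dev/dri back to device_t rather than to let rpm_t relabel dri_device_t. The four sample records are copied from the thread; the function names are my own.

```python
import re
from collections import defaultdict

# Sample input: four AVC records copied from the thread above, one per line.
SAMPLE_AVCS = """\
Jul 31 10:56:04 fedora kernel: audit(1091296564.101:0): avc: denied { getattr } for pid=9419 exe=/usr/bin/python path=/dev/dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { search } for pid=9421 exe=/usr/sbin/groupadd name=selinux dev=hda2 ino=4509743 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { read } for pid=9421 exe=/usr/sbin/groupadd name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 31 10:56:29 fedora kernel: audit(1091296589.978:0): avc: denied { relabelfrom } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
"""

# Pull the permission set, both contexts and the object class out of a kernel AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def aggregate(lines):
    """Merge denied permissions per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return merged

def allow_rules(lines):
    """Render the merged denials as sorted TE allow rules."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(aggregate(lines).items())]

def needs_review(lines):
    """Keys whose rule would grant relabel permissions: check the file's label before allowing."""
    return [k for k, p in aggregate(lines).items() if p & {"relabelfrom", "relabelto"}]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS.splitlines()):
        print(rule)
    print("review before allowing:", needs_review(SAMPLE_AVCS.splitlines()))
```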
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list