Hi,
I'm running SELinux in enforcing mode on fully updated CentOS-5 servers. selinux-policy-2.4.6-279.el5_5.1.noarch
After the latest "possibly glibc" update I've seen the following AVC on several of my servers.
Summary:
SELinux is preventing tzdata-update (tzdata_t) "getattr" to / (fs_t).
Detailed Description:
SELinux denied access requested by tzdata-update. It is not expected that this access is required by tzdata-update and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context root:system_r:tzdata_t:SystemLow-SystemHigh Target Context system_u:object_r:fs_t Target Objects / [ filesystem ] Source tzdata-update Source Path <Unknown> Port <Unknown> Host remote-backup.x.y.z Source RPM Packages Target RPM Packages filesystem-2.4.0-3.el5 Policy RPM selinux-policy-2.4.6-279.el5_5.1 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name remote-backup.x.y.z Platform Linux remote-backup.x.y.z 2.6.18-194.17.1.el5 #1 SMP Wed Sep 29 12:50:31 EDT 2010 x86_64 x86_64 Alert Count 3 First Seen Fri Oct 22 06:31:14 2010 Last Seen Wed Oct 27 06:39:14 2010 Local ID ec15ac2d-b644-40fb-809a-2b3809b001e5 Line Numbers
Raw Audit Messages
host=remote-backup.csis.ul.ie type=AVC msg=audit(1288157954.817:16502): avc: denied { getattr } for pid=2135 comm="tzdata-update" name="/" dev=sda5 ino=2 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Regards,
Tony
On 10/27/2010 12:28 PM, Tony Molloy wrote:
Hi,
I'm running SELinux in enforcing mode on fully updated CentOS-5 servers. selinux-policy-2.4.6-279.el5_5.1.noarch
After the latest "possibly glibc" update I've seen the following AVC on several of my servers.
Summary:
SELinux is preventing tzdata-update (tzdata_t) "getattr" to / (fs_t).
Detailed Description:
SELinux denied access requested by tzdata-update. It is not expected that this access is required by tzdata-update and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context root:system_r:tzdata_t:SystemLow-SystemHigh Target Context system_u:object_r:fs_t Target Objects / [ filesystem ] Source tzdata-update Source Path <Unknown> Port <Unknown> Host remote-backup.x.y.z Source RPM Packages Target RPM Packages filesystem-2.4.0-3.el5 Policy RPM selinux-policy-2.4.6-279.el5_5.1 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name remote-backup.x.y.z Platform Linux remote-backup.x.y.z 2.6.18-194.17.1.el5 #1 SMP Wed Sep 29 12:50:31 EDT 2010 x86_64 x86_64 Alert Count 3 First Seen Fri Oct 22 06:31:14 2010 Last Seen Wed Oct 27 06:39:14 2010 Local ID ec15ac2d-b644-40fb-809a-2b3809b001e5 Line Numbers
Raw Audit Messages
host=remote-backup.csis.ul.ie type=AVC msg=audit(1288157954.817:16502): avc: denied { getattr } for pid=2135 comm="tzdata-update" name="/" dev=sda5 ino=2 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
This was fixed in fedora but looks like the fix was not back ported to el5:
mkdir ~/mytzdata; cd ~/mytzdata; echo "policy_module(mytzdata, 1.0.0) gen_require(` type tzdata_t; ') fs_getattr_xattr_fs(tzdata_t)" > mytzdata.te; make -f /usr/share/selinux/devel/Makefile mytzdata.pp sudo semodule -i mytzdata.pp
... should fix it
Regards,
Tony
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On Wednesday 27 October 2010 11:36:40 Dominick Grift wrote:
On 10/27/2010 12:28 PM, Tony Molloy wrote:
Hi,
I'm running SELinux in enforcing mode on fully updated CentOS-5 servers. selinux-policy-2.4.6-279.el5_5.1.noarch
After the latest "possibly glibc" update I've seen the following AVC on several of my servers.
Summary:
SELinux is preventing tzdata-update (tzdata_t) "getattr" to / (fs_t).
Detailed Description:
SELinux denied access requested by tzdata-update. It is not expected that this access is required by tzdata-update and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context root:system_r:tzdata_t:SystemLow-SystemHigh Target Context system_u:object_r:fs_t Target Objects / [ filesystem ] Source tzdata-update Source Path <Unknown> Port <Unknown> Host remote-backup.x.y.z Source RPM Packages Target RPM Packages filesystem-2.4.0-3.el5 Policy RPM selinux-policy-2.4.6-279.el5_5.1 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name remote-backup.x.y.z Platform Linux remote-backup.x.y.z 2.6.18-194.17.1.el5
#1 SMP Wed Sep 29 12:50:31 EDT 2010 x86_64
x86_64 Alert Count 3 First Seen Fri Oct 22 06:31:14 2010 Last Seen Wed Oct 27 06:39:14 2010 Local ID ec15ac2d-b644-40fb-809a-2b3809b001e5 Line Numbers
Raw Audit Messages
host=remote-backup.csis.ul.ie type=AVC msg=audit(1288157954.817:16502): avc: denied { getattr } for pid=2135 comm="tzdata-update" name="/" dev=sda5 ino=2 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
This was fixed in fedora but looks like the fix was not back ported to el5:
mkdir ~/mytzdata; cd ~/mytzdata; echo "policy_module(mytzdata, 1.0.0) gen_require(` type tzdata_t; ') fs_getattr_xattr_fs(tzdata_t)" > mytzdata.te; make -f /usr/share/selinux/devel/Makefile mytzdata.pp sudo semodule -i mytzdata.pp
... should fix it
Dominick,
I was just reporting it in the hope that it would get back ported. I just generated a local policy module for tzdata.
Thanks for the quick reply.
Regards,
Tony
Regards,
Tony
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 10/27/2010 06:28 AM, Tony Molloy wrote:
Hi,
I'm running SELinux in enforcing mode on fully updated CentOS-5 servers. selinux-policy-2.4.6-279.el5_5.1.noarch
After the latest "possibly glibc" update I've seen the following AVC on several of my servers.
Summary:
SELinux is preventing tzdata-update (tzdata_t) "getattr" to / (fs_t).
Detailed Description:
SELinux denied access requested by tzdata-update. It is not expected that this access is required by tzdata-update and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context root:system_r:tzdata_t:SystemLow-SystemHigh Target Context system_u:object_r:fs_t Target Objects / [ filesystem ] Source tzdata-update Source Path <Unknown> Port <Unknown> Host remote-backup.x.y.z Source RPM Packages Target RPM Packages filesystem-2.4.0-3.el5 Policy RPM selinux-policy-2.4.6-279.el5_5.1 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name remote-backup.x.y.z Platform Linux remote-backup.x.y.z 2.6.18-194.17.1.el5 #1 SMP Wed Sep 29 12:50:31 EDT 2010 x86_64 x86_64 Alert Count 3 First Seen Fri Oct 22 06:31:14 2010 Last Seen Wed Oct 27 06:39:14 2010 Local ID ec15ac2d-b644-40fb-809a-2b3809b001e5 Line Numbers
Raw Audit Messages
host=remote-backup.csis.ul.ie type=AVC msg=audit(1288157954.817:16502): avc: denied { getattr } for pid=2135 comm="tzdata-update" name="/" dev=sda5 ino=2 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Regards,
Tony
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
You can ignore this.
selinux@lists.fedoraproject.org