Old 08-01-2012, 08:01 AM
Philippe Naudin
 
Default SELinux : please explain ...

Hello,

This is somewhat off-topic, since the problem appears on a modified
CentOS-6.2 (turned into a xen-4.1 host): I get SELinux errors, and
I'm not able to understand them.

From audit2why:
type=AVC msg=audit(1343724164.898:298772): avc: denied { mac_admin } for pid=12399 comm="restore" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2

... and from audit2allow:
#============= unconfined_t ==============
allow unconfined_t self:capability2 mac_admin;

I don't know what triggers these records in /var/log/audit (everything
seems to work). Running restorecon -rv / doesn't produce any error.

Can someone tell me what the mac_admin functionality is, and if it
is safe to allow it? If I understand correctly what I have found by
googling around, it is not advised.

Thanks,

--
Philippe Naudin
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-01-2012, 03:45 PM
Daniel J Walsh
 
Default SELinux : please explain ...

On 08/01/2012 04:01 AM, Philippe Naudin wrote:
> Hello,
>
> This is somewhat off-topic, since the problem appears on a modified
> CentOS-6.2 (turned into a xen-4.1 host): I get SELinux errors, and I'm not
> able to understand them.
>
> From audit2why:
> type=AVC msg=audit(1343724164.898:298772): avc: denied { mac_admin } for
> pid=12399 comm="restore" capability=33
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=capability2
>
> ... and from audit2allow:
> #============= unconfined_t ==============
> allow unconfined_t self:capability2 mac_admin;
>
> I don't know what triggers these records in /var/log/audit (everything
> seems to work). Running restorecon -rv / doesn't produce any error.
>
> Can someone tell me what the mac_admin functionality is, and if it is safe
> to allow it? If I understand correctly what I have found by googling
> around, it is not advised.
>
> Thanks,
>

mac_admin means that somewhere you have a command that is trying to set a file
context to something the policy currently loaded into the kernel does not
understand.

Something like

touch /tmp/foobar
chcon -t unknownlabel /tmp/foobar

would cause this AVC.

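The following is an added example, not code from either poster or from the CentOS project. It parses AVC lines of the shape shown above, reconstructs the rule audit2allow would print for each one, and, for a capability2/mac_admin denial, maps the capability number to its symbolic name and says what to look for next. The capability numbers come from the kernel's capability.h (CAP_MAC_OVERRIDE is 32, CAP_MAC_ADMIN is 33); the function names and the second, non-AVC sample line are assumptions made for the example.

```python
"""Parse SELinux AVC records from audit.log and triage mac_admin denials."""
import re
from dataclasses import dataclass, field

# Capability numbers from the kernel's include/uapi/linux/capability.h.
# SELinux files capabilities 32 and above under the "capability2" class.
CAPABILITY_NAMES = {32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: "
    r"(?P<decision>denied|granted) \{ (?P<perms>[^}]*) \} for (?P<rest>.*)$"
)
# key=value pairs; comm="..." is quoted, contexts and numbers are not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str
    perms: list
    fields: dict = field(default_factory=dict)

    def stype(self):
        # user:role:type:range -> the type is the third element
        return self.fields["scontext"].split(":")[2]

    def ttype(self):
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line):
    """Return an AvcRecord for one AVC line, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        decision=m.group("decision"),
        perms=m.group("perms").split(),
        fields=fields,
    )


def allow_rule(rec):
    """The allow rule audit2allow would emit ('self' when source type == target type)."""
    target = "self" if rec.stype() == rec.ttype() else rec.ttype()
    return f"allow {rec.stype()} {target}:{rec.fields['tclass']} {' '.join(rec.perms)};"


def capability_name(rec):
    """Symbolic name of the capability in a capability/capability2 denial, else None."""
    if rec.fields.get("tclass") not in ("capability", "capability2"):
        return None
    num = int(rec.fields["capability"])
    return CAPABILITY_NAMES.get(num, f"CAP_{num}")


def explain(rec):
    """Short triage hint; mac_admin is the only permission special-cased here."""
    if rec.fields.get("tclass") == "capability2" and "mac_admin" in rec.perms:
        return (
            f"pid {rec.fields['pid']} ({rec.fields['comm']}) tried to set a security "
            f"label the loaded policy does not define; that needs {capability_name(rec)}. "
            f"Find the caller with: ausearch -m AVC -c {rec.fields['comm']}"
        )
    return f"{rec.decision} {{ {' '.join(rec.perms)} }} on class {rec.fields.get('tclass')}"


# Sample input: the AVC line from the post above, plus one constructed SYSCALL
# record (not from the thread) to show that non-AVC lines are skipped.
SAMPLE_LOG = [
    'type=AVC msg=audit(1343724164.898:298772): avc: denied { mac_admin } for '
    'pid=12399 comm="restore" capability=33 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2',
    'type=SYSCALL msg=audit(1343724164.898:298772): arch=c000003e syscall=188 success=no exit=-22',
]


def triage(lines):
    """(rule, capability name, explanation) for every AVC record in the input."""
    records = [r for r in map(parse_avc, lines) if r is not None]
    return [(allow_rule(r), capability_name(r), explain(r)) for r in records]


if __name__ == "__main__":
    for rule, cap, why in triage(SAMPLE_LOG):
        print(rule)
        print(cap)
        print(why)
```

The point of reconstructing the rule is to see what audit2allow's suggestion actually grants: `allow unconfined_t self:capability2 mac_admin;` lets every unconfined process write labels the policy does not define, which is why the usual advice is not to add it. The better fix is to locate the command (here comm="restore") with ausearch and correct the label it passes, checking the type it wants against the loaded policy with `seinfo -t TYPE` from setools.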