Old 08-26-2008, 08:02 PM
"Johnson, Richard"
 
policy rpm %post script encounters avc violations

When installing a policy rpm, one cannot log the install activity w/o
generating avc errors. For example:

rpm -i lsb-ft-asn-selinux > /var/log/rpm-update.log

produces the following violation:

type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59
success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0
ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon" exe="/sbin/restorecon"
subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1219774608.030:789): avc: denied { write } for
pid=2875 comm="restorecon" path="/var/log/rpm-update.log" dev=md2
ino=2694055 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023
tcontext=root:object_r:var_log_t:s0 tclass=file

The problem seems to stem from recording the %post script's attempts to
relabel files affected by the policy, specifically:

/sbin/restorecon -F -R -v /opt/ft/sbin/sra_alarm;
/sbin/restorecon -F -R -v /etc/opt/ft/asn;
/sbin/restorecon -F -R -v /var/opt/ft/asn;
/sbin/restorecon -F -R -v /var/opt/ft/log;

Is there any way to preserve the logging w/o disabling selinux for the
duration of the install?

FWIW, the rpm commands are executed from a bash script.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
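The two audit records in this post are the whole basis for the replies that follow, so here is an added example (my own code, not anything from the thread) that parses them into a triage summary: it joins the SYSCALL and AVC records by their audit event id, splits the contexts, and states which domain was denied which permission on an object of which type. The input is the post's own records joined back onto one line each, with the tcontext field, which the archive rendered as "rootbject_r", restored to the conventional "root:object_r"; the result shows the denial is restorecon_t trying to write a var_log_t file, which is exactly the pairing the replies try to change.

```python
import re

# Audit records copied from the post above (joined back onto one line per
# record). The archive mangled the tcontext field into "rootbject_r"; it is
# restored to the conventional "root:object_r" here.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59 success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0 ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon" exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1219774608.030:789): avc: denied { write } for pid=2875 comm="restorecon" path="/var/log/rpm-update.log" dev=md2 ino=2694055 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_log_t:s0 tclass=file
"""

# key=value pairs; values are double-quoted, parenthesised like (null), or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# the AVC verdict, the permission set in braces, and the rest of the record
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
# msg=audit(TIMESTAMP:SERIAL) ties the SYSCALL and AVC records of one event
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')


def parse_fields(text):
    """Return the key=value fields of an audit record as a dict (quotes stripped)."""
    fields = {}
    for m in FIELD_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def split_context(ctx):
    """Split user:role:type[:level] into its parts."""
    return dict(zip(("user", "role", "type", "level"), ctx.split(":", 3)))


def group_events(text):
    """Group records that share an audit(...) event id, in first-seen order."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.setdefault(m.group(2), []).append(line.strip())
    return events


def summarize_denials(text):
    """One dict per AVC denial, joined with its SYSCALL record where present."""
    denials = []
    for event_id, records in group_events(text).items():
        syscall = {}
        for rec in records:
            if rec.startswith("type=SYSCALL"):
                syscall = parse_fields(rec)
        for rec in records:
            m = AVC_RE.search(rec)
            if not (rec.startswith("type=AVC") and m and m.group(1) == "denied"):
                continue
            f = parse_fields(m.group(3))
            denials.append({
                "event": event_id,
                "perms": m.group(2).split(),
                "comm": f.get("comm"),
                "exe": syscall.get("exe"),
                "syscall": syscall.get("syscall"),
                "source_type": split_context(f["scontext"])["type"],
                "target_type": split_context(f["tcontext"])["type"],
                "tclass": f["tclass"],
                "path": f.get("path"),
            })
    return denials


def explain(denial):
    """A one-line triage statement of who was denied what on which object."""
    d = dict(denial, perms=" ".join(denial["perms"]))
    return ("{comm} ({exe}) in domain {source_type} was denied {perms} on "
            "{tclass} {path}, which is labelled {target_type}").format(**d)


if __name__ == "__main__":
    for d in summarize_denials(SAMPLE_AUDIT):
        print(explain(d))
```

Running it on the records above prints that restorecon (/sbin/restorecon) in domain restorecon_t was denied write on file /var/log/rpm-update.log, which is labelled var_log_t. The useful part for this thread is the pair (source_type, target_type): the denial is about the label on the file the shell redirected into, not about the paths being relabelled, which is why the replies concentrate on where the log file lives.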
 
Old 08-27-2008, 12:04 AM
Paul Howarth
 
policy rpm %post script encounters avc violations

On Tue, 26 Aug 2008 16:02:15 -0400
"Johnson, Richard" <Richard.Johnson@stratus.com> wrote:

> When installing a policy rpm, one cannot log the install activity w/o
> generating avc errors. For example:
>
> rpm -i lsb-ft-asn-selinux > /var/log/rpm-update.log
>
> produces the following violation:
>
> type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59
> success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0
> ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon"
> exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023
> key=(null) type=AVC msg=audit(1219774608.030:789): avc: denied
> { write } for pid=2875 comm="restorecon"
> path="/var/log/rpm-update.log" dev=md2 ino=2694055
> scontext=root:system_r:restorecon_t:s0-s0:c0.c1023
> tcontext=root:object_r:var_log_t:s0 tclass=file
>
> The problem seems to stem from recording the %post script's attempts
> to relabel files affected by the policy, specifically:
>
> /sbin/restorecon -F -R -v /opt/ft/sbin/sra_alarm;
> /sbin/restorecon -F -R -v /etc/opt/ft/asn;
> /sbin/restorecon -F -R -v /var/opt/ft/asn;
> /sbin/restorecon -F -R -v /var/opt/ft/log;
>
> Is there any way to preserve the logging w/o disabling selinux for the
> duration of the install?
>
> FWIW, the rpm commands are executed from a bash script.

You could try logging to a file with a different context type, e.g.

rpm -i lsb-ft-asn-selinux > /tmp/rpm-update.log

and then move the resulting file to /var/log if you need it to be
there. I'm not sure if restorecon_t can write to temp files, but it's
probably more likely than writing to var_log_t, which is currently
what's being denied.

Paul.

 
Old 08-27-2008, 02:01 AM
"Johnson, Richard"
 
policy rpm %post script encounters avc violations

On Tue, 26 Aug 2008 8:05 PM
"Paul Howarth" <paul@city-fan.org> wrote:

> On Tue, 26 Aug 2008 16:02:15 -0400
> "Johnson, Richard" <Richard.Johnson@stratus.com> wrote:
>
> > When installing a policy rpm, one cannot log the install activity w/o
> > generating avc errors. For example:
> >
> > rpm -i lsb-ft-asn-selinux > /var/log/rpm-update.log
> >
> > produces the following violation:
> >
> > type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59
> > success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0
> > ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon"
> > exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023
> > key=(null) type=AVC msg=audit(1219774608.030:789): avc: denied
> > { write } for pid=2875 comm="restorecon"
> > path="/var/log/rpm-update.log" dev=md2 ino=2694055
> > scontext=root:system_r:restorecon_t:s0-s0:c0.c1023
> > tcontext=root:object_r:var_log_t:s0 tclass=file
> >
> > The problem seems to stem from recording the %post script's attempts
> > to relabel files affected by the policy, specifically:
> >
> > /sbin/restorecon -F -R -v /opt/ft/sbin/sra_alarm;
> > /sbin/restorecon -F -R -v /etc/opt/ft/asn;
> > /sbin/restorecon -F -R -v /var/opt/ft/asn;
> > /sbin/restorecon -F -R -v /var/opt/ft/log;
> >
> > Is there any way to preserve the logging w/o disabling selinux for the
> > duration of the install?
> >
> > FWIW, the rpm commands are executed from a bash script.
>
> You could try logging to a file with a different context type, e.g.
>
> rpm -i lsb-ft-asn-selinux > /tmp/rpm-update.log
>
> and then move the resulting file to /var/log if you need it to be
> there. I'm not sure if restorecon_t can write to temp files, but it's
> probably more likely than writing to var_log_t, which is currently
> what's being denied.

I wish it were as simple as using a tmp_t:file. I tried that, and the
answer's no.

I suppose the general process would be a script that:
- creates a temporary file
- label it--silently, to avoid an avc logging the activity
- do the restorecon.
- cat the temporary file to stdout.
- and the various complications of cleanup should an error occur
- and replicating the encapsulation in both %post and %postun scripts.


For my understanding: If it were to work, what's gained by restricting
restorecon from logging directly?

--rich


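The outline in Rich's message above (temporary file, label it, run restorecon, replay the capture on stdout, clean up on error, reuse from %post and %postun) is worked through here as an added example; it is my own code, not Rich's and not part of any package in the thread. Each restorecon run writes into a fresh mkstemp file, the wrapper then copies that text to its own stdout, so the process writing into the redirected /var/log file is the wrapper rather than restorecon, and the temp file is removed whether or not the run succeeded. The label_type parameter is a hypothetical knob: the thread does not establish which file type restorecon_t is allowed to write (Rich reports tmp_t is not it), so the caller has to supply one, and by default the file keeps whatever type /tmp gives it. The shell commands used in the tests are constructed stand-ins for restorecon.

```python
import os
import subprocess
import sys
import tempfile

# The four trees relabelled in the %post script quoted above.
RELABEL_PATHS = [
    "/opt/ft/sbin/sra_alarm",
    "/etc/opt/ft/asn",
    "/var/opt/ft/asn",
    "/var/opt/ft/log",
]
RESTORECON = ["/sbin/restorecon", "-F", "-R", "-v"]


def run_and_capture(argv, label_type=None, echo=True):
    """Run argv with stdout+stderr sent to a fresh temporary file, replay the
    captured text on our own stdout (so the write into any redirected log is
    made by this wrapper, not by the command) and delete the file.

    label_type is a hypothetical knob: if given, the temp file is relabelled
    with chcon -t before the command runs. The thread does not say which type
    restorecon_t may write to, so the default leaves the file with whatever
    type /tmp gives it. Returns (exit status, captured text)."""
    fd, path = tempfile.mkstemp(prefix="relabel-", suffix=".log")
    os.close(fd)
    try:
        if label_type is not None:
            subprocess.run(["chcon", "-t", label_type, path], check=True,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        with open(path, "w") as log:
            rc = subprocess.run(argv, stdout=log, stderr=subprocess.STDOUT).returncode
        with open(path) as log:
            text = log.read()
        if echo:
            sys.stdout.write(text)
            sys.stdout.flush()
        return rc, text
    finally:
        # cleanup runs on success, on a non-zero exit and if chcon raised
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def relabel_paths(paths=RELABEL_PATHS, restorecon=RESTORECON, label_type=None, echo=True):
    """Relabel each path in turn, stopping at the first failure so the calling
    %post or %postun can exit non-zero with that failure's output already on
    stdout. Returns a list of (path, exit status, captured output)."""
    results = []
    for p in paths:
        rc, text = run_and_capture(restorecon + [p], label_type, echo)
        results.append((p, rc, text))
        if rc != 0:
            break
    return results


if __name__ == "__main__":
    # From %post or %postun: python relabel.py [selinux_type_for_temp_file]
    label = sys.argv[1] if len(sys.argv) > 1 else None
    outcome = relabel_paths(label_type=label)
    sys.exit(0 if all(rc == 0 for _, rc, _ in outcome) else 1)
```

Both scriptlets call the same entry point, so the temp-file handling is written once; the exit status lets rpm report a failed relabel instead of silently continuing, and the captured text still reaches whatever file the invoking shell redirected rpm's output to.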
 
Old 09-03-2008, 04:22 PM
Daniel J Walsh
 
policy rpm %post script encounters avc violations

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Johnson, Richard wrote:
> When installing a policy rpm, one cannot log the install activity w/o
> generating avc errors. For example:
>
> rpm -i lsb-ft-asn-selinux > /var/log/rpm-update.log
>
> produces the following violation:
>
> type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59
> success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0
> ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon" exe="/sbin/restorecon"
> subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1219774608.030:789): avc: denied { write } for
> pid=2875 comm="restorecon" path="/var/log/rpm-update.log" dev=md2
> ino=2694055 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023
> tcontext=root:object_r:var_log_t:s0 tclass=file
>
> The problem seems to stem from recording the %post script's attempts to
> relabel files affected by the policy, specifically:
>
> /sbin/restorecon -F -R -v /opt/ft/sbin/sra_alarm;
> /sbin/restorecon -F -R -v /etc/opt/ft/asn;
> /sbin/restorecon -F -R -v /var/opt/ft/asn;
> /sbin/restorecon -F -R -v /var/opt/ft/log;
>
> Is there any way to preserve the logging w/o disabling selinux for the
> duration of the install?
>
> FWIW, the rpm commands are executed from a bash script.

Answered in

http://danwalsh.livejournal.com/22860.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAki+udEACgkQrlYvE4MpobNuGwCgyTO3dySral LkMd+Xt71/IyPY
Qg8AoK2w8AKq0JC+1Id1GXfhtGmzWTwn
=PpRO
-----END PGP SIGNATURE-----

 
