Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   F12: SeLinux denials on older Fedora version mounted filesystems (http://www.linux-archive.org/fedora-selinux-support/336642-f12-selinux-denials-older-fedora-version-mounted-filesystems.html)

"Daniel B. Thurman" 03-05-2010 05:29 PM

F12: SeLinux denials on older Fedora version mounted filesystems
 
I reported this before, but got no response - perhaps because
I bundled several issues into one posting? If so, here is a separate
posting.

It appears that SeLinux examines all mounted filesystem but
in this case, SeLinux sees other Fedora versions and starts to
complain when it is not related to the current running OS that
is running. As you can see below, and running F12, it complains
about F11 (and in several places in the mounted F11 filesystem).

Many other complaints are similar for mounted Fedora versions
BELOW the current running OS (F12), such as F11, 10, 9, 8, ...

How does one get around this issue?


=============================================
Summary:

SELinux is preventing /usr/bin/updatedb "getattr" access to
/md/RF11D1/etc/poker-network.

Detailed Description:

SELinux denied access requested by updatedb.
/md/RF11D1/etc/poker-network may be
a mislabeled. /md/RF11D1/etc/poker-network default SELinux type is
default_t,
but its current type is unlabeled_t. Changing this file back to the default
type, may fix your problem.

File contexts can be assigned to a file in the following ways.

* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A which
creates
a file in a directory labeled B will instead create the file with
label C.
An example of this would be the dhcp client running with the
dhclient_t type
and creating a file in the directory /etc. This file would normally
receive
the etc_t type due to parental inheritance but instead the file is
labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as
chcon, or
restorecon.

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file
should not
have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/md/RF11D1/etc/poker-network', if this
file is a
directory, you can recursively restore using restorecon -R
'/md/RF11D1/etc/poker-network'.

Fix Command:

/sbin/restorecon '/md/RF11D1/etc/poker-network'

Additional Information:

Source Context system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context system_u:object_r:unlabeled_t:s0
Target Objects /md/RF11D1/etc/poker-network [ dir ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host gold.cdkkt.com
Source RPM Packages mlocate-0.22.2-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-92.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name restorecon
Host Name gold.cdkkt.com
Platform Linux gold.cdkkt.com
2.6.31.12-174.2.22.fc12.i686
#1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count 4
First Seen Tue 02 Mar 2010 03:14:22 AM PST
Last Seen Fri 05 Mar 2010 03:15:44 AM PST
Local ID 98ffff35-e41b-4d4e-b3d3-d286a4916baf
Line Numbers

Raw Audit Messages

node=gold.cdkkt.com type=AVC msg=audit(1267787744.981:42770): avc:
denied { getattr } for pid=15175 comm="updatedb"
path="/md/RF11D1/etc/poker-network" dev=sda10 ino=413
scontext=system_u:system_r:locate_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

node=gold.cdkkt.com type=SYSCALL msg=audit(1267787744.981:42770):
arch=40000003 syscall=196 success=no exit=-13 a0=a02bea9 a1=bfb343b0
a2=4c5ff4 a3=a02bea9 items=0 ppid=15169 pid=15175 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=246
comm="updatedb" exe="/usr/bin/updatedb"
subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 03-05-2010 05:44 PM

F12: SeLinux denials on older Fedora version mounted filesystems
 
On 03/05/2010 07:29 PM, Daniel B. Thurman wrote:

> Many other complaints are similar for mounted Fedora versions
> BELOW the current running OS (F12), such as F11, 10, 9, 8, ...
>
> How does one get around this issue?

That is updatdb, I think it only wants to get attributes.

if this is the only thing bothering you than you could implement a
dontaudit rule i guess or label the mount points with a type that
updatedb can get attributes of.

echo "policy_module(mylocate, 1.0.0)" > mylocate.te;
echo "optional_policy(`" >> mylocate.te;
echo "gen_require(`" >> mylocate.te;
echo "type locate_t, unlabeled_t;" >> mylocate.te;
echo "')" >> mylocate.te;
echo "dontaudit locate_t unlabeled_t:file getattr_file_perms;" >>
mylocate.te;
echo "dontaudit locate_t unlabeled_t:dir getattr_dir_perms;" >> mylocate.te;
echo "dontaudit locate_t unlabeled_t:lnk_file getattr_lnk_file_perms;"
>> mylocate.te;
echo "')" >> mylocate.te

make -f /usr/share/selinux/devel/Makefile mylocate.pp
sudo semodule -i mylocate.pp

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Stephen Smalley 03-05-2010 05:45 PM

F12: SeLinux denials on older Fedora version mounted filesystems
 
On Fri, 2010-03-05 at 10:29 -0800, Daniel B. Thurman wrote:
> I reported this before, but got no response - perhaps because
> I bundled several issues into one posting? If so, here is a separate
> posting.
>
> It appears that SeLinux examines all mounted filesystem but
> in this case, SeLinux sees other Fedora versions and starts to
> complain when it is not related to the current running OS that
> is running. As you can see below, and running F12, it complains
> about F11 (and in several places in the mounted F11 filesystem).
>
> Many other complaints are similar for mounted Fedora versions
> BELOW the current running OS (F12), such as F11, 10, 9, 8, ...
>
> How does one get around this issue?

updatedb creates a database for locate to use. It isn't
SELinux-related. SELinux is just reporting a denial when updatedb tries
to access those files because they have a security context that isn't
legal/defined under the active policy. To avoid, you can:
1) not mount those filesystems when they aren't being used, or
2) configure /etc/updatedb.conf to exclude them from being scanned by
updatedb.

man updatedb and updatedb.conf

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux


All times are GMT. The time now is 09:15 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.