updpwd AVC
Hi,
On a fully updated CentOS 5.7 box I get the following AVC

Summary:

SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).

Detailed Description:

SELinux denied access requested by unix_update. It is not expected that this access is required by unix_update and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:updpwd_t
Target Context                system_u:object_r:fs_t
Target Objects                / [ filesystem ]
Source                        unix_update
Source Path                   <Unknown>
Port                          <Unknown>
Host                          a.b.c.d
Source RPM Packages
Target RPM Packages           filesystem-2.4.0-3.el5.centos
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     a.b.c.d
Platform                      Linuxl a.b.c.d 2.6.18-274.3.1.el5 #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64
Alert Count                   11
First Seen                    Fri Feb 25 15:39:33 2011
Last Seen                     Mon Sep 26 14:18:54 2011
Local ID                      275eef01-114a-419b-9df0-4bb81932bc5e
Line Numbers

Raw Audit Messages

host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

I can generate a local policy module.

Thanks,

Tony

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
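The following is an added example, not part of the original post and not code from the SELinux tools. It parses the raw audit message quoted above and builds the local policy module text that would allow exactly that denial, so the grant can be reviewed before anything is compiled or loaded. The module name `localupdpwd` is an assumption.

```python
import re
from collections import defaultdict

# The raw audit record quoted in the post above.
SAMPLE_AUDIT = (
    'host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied '
    '{ getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 '
    'scontext=system_u:system_r:updpwd_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        src = kv["scontext"].split(":")[2]  # user:role:type[:level]
        tgt = kv["tcontext"].split(":")[2]
        return src, tgt, kv["tclass"], m.group("perms").split()
    except (KeyError, IndexError):
        return None  # truncated or malformed record


def group_denials(audit_text):
    """Merge permissions per (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            src, tgt, cls, perms = rec
            grouped[(src, tgt, cls)].update(perms)
    return grouped


def braced(items):
    items = sorted(items)
    return items[0] if len(items) == 1 else "{ " + " ".join(items) + " }"


def allow_rules(audit_text):
    return ["allow %s %s:%s %s;" % (s, t, c, braced(p))
            for (s, t, c), p in sorted(group_denials(audit_text).items())]


def te_module(name, audit_text):
    """Build type-enforcement source for a local module."""
    grouped = group_denials(audit_text)
    types = sorted({t for s, tg, _ in grouped for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in grouped.items():
        classes[cls].update(perms)
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, braced(p))
              for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(audit_text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(te_module("localupdpwd", SAMPLE_AUDIT))
```
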
updpwd AVC
On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
> Hi,
>
> On a fully updated CentOS 5.7 box I get the following AVC
>
> Summary:
>
> SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).
>
> Raw Audit Messages
>
> host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> I can generate a local policy module.

Any idea what you were doing when this happened? The reason I ask is because this is not even allowed in latest Fedora as far as I can see.

It is no big deal to allow updpwd_t to get attributes of the fs_t filesystem but it is certainly not common for updpwd_t to want this access I believe. If it was we probably would have gotten many more reports much earlier.
updpwd AVC
On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
> Any idea what you were doing when this happened? The reason I ask
> is because this is not even allowed in latest Fedora as far as I
> can see.

This machine is basically a mail and ftp server. As far as I can tell from the logs (secure and messages) nobody was doing anything on the machine at the times I get the AVC, 5 times yesterday.

> It is no big deal to allow updpwd_t to get attributes of the fs_t
> filesystem but it is certainly not common for updpwd_t to want this
> access I believe. If it was we probably would have gotten many more
> reports much earlier.

Strange then that I am getting it from this one server only.

Here's the context for unix_update

-rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update

I've just run an autorelabel on the entire filesystem as part of the 5.6 to 5.7 CentOS update

Thanks,

Tony
updpwd AVC
On Tue, 2011-09-27 at 16:26 +0100, Tony Molloy wrote:
> This machine is basically a mail and ftp server. As far as I can tell
> from the logs (secure and messages) nobody was doing anything on the
> machine at the times I get the AVC, 5 times yesterday.
>
> Strange then that I am getting it from this one server only.
>
> Here's the context for unix_update
>
> -rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update
>
> I've just run an autorelabel on the entire filesystem as part of the
> 5.6 to 5.7 CentOS update

See if you can reproduce it
updpwd AVC
On 09/27/2011 11:26 AM, Tony Molloy wrote:
> This machine is basically a mail and ftp server. As far as I can
> tell from the logs (secure and messages) nobody was doing
> anything on the machine at the times I get the AVC, 5 times
> yesterday.
>
> Strange then that I am getting it from this one server only.
>
> Here's the context for unix_update
>
> -rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update
>
> I've just run an autorelabel on the entire filesystem as part of
> the 5.6 to 5.7 CentOS update

Probably has to do with the way the mount table is set up on this machine versus other machines.
updpwd AVC
On Tuesday 27 September 2011 19:17:17 Daniel J Walsh wrote:
> On 09/27/2011 11:26 AM, Tony Molloy wrote:
> > On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
> >> On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
> >>> Hi,
> >>>
> >>> On a fully updated CentOS 5.7 box I get the following AVC
> >>> SELinux is preventing unix_update (updpwd_t) "getattr" to / (fs_t).
> >>>
> >>> Raw Audit Message
> >>>
> >>> host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5 ino=2 scontext=system_u:system_r:updpwd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> Probably has to do with the way the mount table is set up on this
> machine versus other machines.

Now I've just noticed some other SELinux problems on this machine.

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=

Sep 24 13:25:24 garryowen ssh: /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /home/[^/]*/.+.
Sep 24 13:25:24 garryowen ssh: /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /home/[^/]*/.virtinst(/.*)?.
.....

Now some time ago I moved some test mail accounts on this machine from /users to /home and ran genhomedircon.

There is a file in /etc/selinux/targeted/contexts/files/ called file_contexts.homedirs, generated by genhomedircon, which contains context information for /home.

Could these multiple definitions be the root cause of the problem?

Should I remove this file and autorelabel the entire filesystem again?

Thanks,

Tony
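The following is an added example, not part of the original post and not code from libselinux. It looks for the kind of overlap the "Multiple same specifications" log lines above report, across file_contexts and file_contexts.homedirs, and separates entries that repeat the same context from entries that assign different ones. The sample entries are constructed (only the two /home patterns come from the log lines), and the matching rule used here, same regex with an equal or absent file-type field, is an assumption.

```python
from collections import namedtuple

Spec = namedtuple("Spec", "regex ftype context source")

# Constructed sample entries. The two /home patterns are the ones named in
# the log lines above; the contexts and the /srv/ftp entries are placeholders.
FILE_CONTEXTS = """\
# constructed sample of file_contexts
/home/[^/]*/.+\tsystem_u:object_r:user_home_t:s0
/home/[^/]*/.virtinst(/.*)?\tsystem_u:object_r:user_home_t:s0
/srv/ftp(/.*)?\tsystem_u:object_r:public_content_t:s0
/etc/passwd\t--\tsystem_u:object_r:etc_t:s0
"""
HOMEDIRS = """\
# constructed sample of file_contexts.homedirs
/home/[^/]*\t-d\tsystem_u:object_r:user_home_dir_t:s0
/home/[^/]*/.+\tsystem_u:object_r:user_home_t:s0
/home/[^/]*/.virtinst(/.*)?\tsystem_u:object_r:user_home_t:s0
/srv/ftp(/.*)?\t-d\tsystem_u:object_r:user_home_t:s0
"""


def parse_specs(text, source):
    """Parse 'regex [file-type] context' lines, skipping comments."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 2:
            specs.append(Spec(parts[0], None, parts[1], source))
        elif len(parts) == 3:
            specs.append(Spec(parts[0], parts[1], parts[2], source))
    return specs


def find_duplicates(specs):
    """Return (kind, regex, first_source, second_source) per overlap.

    Assumed rule: two entries overlap when the regex text is identical and
    the file-type fields are equal or one of them is absent.
    """
    findings = []
    for i, cur in enumerate(specs):
        for prev in specs[:i]:
            compatible = (cur.ftype == prev.ftype
                          or None in (cur.ftype, prev.ftype))
            if cur.regex == prev.regex and compatible:
                kind = "same" if cur.context == prev.context else "different"
                findings.append((kind, cur.regex, prev.source, cur.source))
    return findings


def check(files):
    """files: list of (name, text) pairs in load order."""
    specs = []
    for name, text in files:
        specs += parse_specs(text, name)
    return find_duplicates(specs)


if __name__ == "__main__":
    for finding in check([("file_contexts", FILE_CONTEXTS),
                          ("file_contexts.homedirs", HOMEDIRS)]):
        print("%-9s %-30s %s / %s" % finding)
```

A "same" finding means both entries assign an identical context, so the resulting label does not depend on which entry is used; a "different" finding is the one to resolve, because there the label depends on which entry wins.
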
updpwd AVC
On 09/28/2011 10:56 AM, Tony Molloy wrote:
> Now I've just noticed some other SELinux problems on this machine.
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
>
> Sep 24 13:25:24 garryowen ssh: /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /home/[^/]*/.+.
> Sep 24 13:25:24 garryowen ssh: /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /home/[^/]*/.virtinst(/.*)?.
> .....
>
> Now some time ago I moved some test mail accounts on this machine
> from /users to /home and ran genhomedircon.
>
> There is a file in /etc/selinux/targeted/contexts/files/ called
> file_contexts.homedirs, generated by genhomedircon, which contains
> context information for /home.
>
> Could these multiple definitions be the root cause of the problem?
>
> Should I remove this file and autorelabel the entire filesystem
> again?

No