Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   selinux-policy update (http://www.linux-archive.org/fedora-selinux-support/698405-selinux-policy-update.html)

Zdenek Pytela 08-28-2012 12:08 PM

selinux-policy update
 
Hello everyone,
every time I upgrade selinux-policy packages, I get

SELinux is preventing /usr/sbin/load_policy from 'read, append' accesses on
the file /tmp/tmp5vo8of.

Raw Audit Messages
type=AVC msg=audit(1340799402.853:3866): avc: denied { read append } for
pid=22456 comm="load_policy" path="/tmp/tmp5vo8of" dev="tmpfs" ino=464186
scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1340799402.853:3866): arch=x86_64 syscall=execve
success=yes exit=0 a0=ff5f80 a1=ff5f60 a2=ff2e90 a3=10 items=0 ppid=22449
pid=22456 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts16 ses=357 comm=load_policy exe=/usr/sbin/load_policy
subj=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 key=(null)

The command load_policy is executed by the rpm postinstall scriptlet.
It happens on workstations with f16 or f17, the only less usual thing is
that /tmp is mounted as tmpfs with
rw,nodev,noexec,noatime,nodiratime,context=system_ u:object_r:tmp_t:s0
Context of /tmp is the same as it was before and the same as physical
directory /var/tmp.

I know how to make local policy rules, but I would like to know if there
is a better solution. Thanks,

--

--Zdenek Pytela, <pytela@phil.muni.cz>

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux


All times are GMT. The time now is 04:34 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.