Red Hat Bugzilla – Attachment 1470331 Details for Bug 1607989 (SELinux violations with rhnsd / rhn_check)
rhnsd / rhn_check selinux violations
rhnsd-rhn_check-selinux-issues.log (text/plain), 20.18 KB, created by Neal Gompa on 2018-07-24 16:45:11 UTC
>SELinux is preventing rhn_check from open access on the file /var/log/up2date.
>
>***** Plugin catchall (100. confidence) suggests **************************
>
>If you believe that rhn_check should be allowed open access on the up2date file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'rhn_check' --raw | audit2allow -M my-rhncheck
># semodule -X 300 -i my-rhncheck.pp
>
>Additional Information:
>Source Context        system_u:system_r:rhnsd_t:s0
>Target Context        system_u:object_r:rpm_log_t:s0
>Target Objects        /var/log/up2date [ file ]
>Source                rhn_check
>Source Path           rhn_check
>Port                  <Unknown>
>Host                  gunboat-diplomat
>Source RPM Packages
>Target RPM Packages
>Policy RPM            selinux-policy-3.14.1-32.fc28.noarch
>Selinux Enabled       True
>Policy Type           targeted
>Enforcing Mode        Enforcing
>Host Name             gunboat-diplomat
>Platform              Linux gunboat-diplomat 4.17.6-200.fc28.x86_64 #1
>                      SMP Wed Jul 11 20:29:01 UTC 2018 x86_64 x86_64
>Alert Count           15
>First Seen            2018-07-20 22:14:18 EDT
>Last Seen             2018-07-23 06:45:40 EDT
>Local ID              1fe94cec-6a11-4531-a5ca-6a7ab9b657e8
>
>Raw Audit Messages
>type=AVC msg=audit(1532342740.955:773): avc: denied { open } for pid=20334 comm="rhn_check" path="/var/log/up2date" dev="dm-5" ino=130321 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:rpm_log_t:s0 tclass=file permissive=0
>
>
>Hash: rhn_check,rhnsd_t,rpm_log_t,file,open
>
>
>SELinux is preventing rhn_check from search access on the directory .local.
>
>***** Plugin catchall (100. confidence) suggests **************************
>
>If you believe that rhn_check should be allowed search access on the .local directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'rhn_check' --raw | audit2allow -M my-rhncheck
># semodule -X 300 -i my-rhncheck.pp
>
>Additional Information:
>Source Context        system_u:system_r:rhnsd_t:s0
>Target Context        unconfined_u:object_r:gconf_home_t:s0
>Target Objects        .local [ dir ]
>Source                rhn_check
>Source Path           rhn_check
>Port                  <Unknown>
>Host                  gunboat-diplomat
>Source RPM Packages
>Target RPM Packages
>Policy RPM            selinux-policy-3.14.1-32.fc28.noarch
>Selinux Enabled       True
>Policy Type           targeted
>Enforcing Mode        Enforcing
>Host Name             gunboat-diplomat
>Platform              Linux gunboat-diplomat 4.17.6-200.fc28.x86_64 #1
>                      SMP Wed Jul 11 20:29:01 UTC 2018 x86_64 x86_64
>Alert Count           15
>First Seen            2018-07-20 22:14:18 EDT
>Last Seen             2018-07-23 06:45:40 EDT
>Local ID              374e9b96-0bd1-45d9-b784-d11bb0e326d3
>
>Raw Audit Messages
>type=AVC msg=audit(1532342740.810:753): avc: denied { search } for pid=20334 comm="rhn_check" name=".local" dev="dm-1" ino=262155 scontext=system_u:system_r:rhnsd_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
>
>
>Hash: rhn_check,rhnsd_t,gconf_home_t,dir,search
>
>
>SELinux is preventing rhn_check from execute access on the file /usr/sbin/ldconfig.
>
>***** Plugin catchall (100. confidence) suggests **************************
>
>If you believe that rhn_check should be allowed execute access on the ldconfig file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'rhn_check' --raw | audit2allow -M my-rhncheck
># semodule -X 300 -i my-rhncheck.pp
>
>Additional Information:
>Source Context        system_u:system_r:rhnsd_t:s0
>Target Context        system_u:object_r:ldconfig_exec_t:s0
>Target Objects        /usr/sbin/ldconfig [ file ]
>Source                rhn_check
>Source Path           rhn_check
>Port                  <Unknown>
>Host                  gunboat-diplomat
>Source RPM Packages
>Target RPM Packages   glibc-2.27-30.fc28.x86_64
>Policy RPM            selinux-policy-3.14.1-32.fc28.noarch
>Selinux Enabled       True
>Policy Type           targeted
>Enforcing Mode        Enforcing
>Host Name             gunboat-diplomat
>Platform              Linux gunboat-diplomat 4.17.6-200.fc28.x86_64 #1
>                      SMP Wed Jul 11 20:29:01 UTC 2018 x86_64 x86_64
>Alert Count           15
>First Seen            2018-07-20 22:14:18 EDT
>Last Seen             2018-07-23 06:45:40 EDT
>Local ID              a38386bb-4687-4e7e-ab28-13e8654b0eac
>
>Raw Audit Messages
>type=AVC msg=audit(1532342740.857:754): avc: denied { execute } for pid=20335 comm="rhn_check" name="ldconfig" dev="dm-3" ino=915077 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
>
>
>Hash: rhn_check,rhnsd_t,ldconfig_exec_t,file,execute
>
>
>SELinux is preventing rhn_check from write access on the directory /var/tmp.
>
>***** Plugin catchall (100. confidence) suggests **************************
>
>If you believe that rhn_check should be allowed write access on the tmp directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'rhn_check' --raw | audit2allow -M my-rhncheck
># semodule -X 300 -i my-rhncheck.pp
>
>Additional Information:
>Source Context        system_u:system_r:rhnsd_t:s0
>Target Context        system_u:object_r:tmp_t:s0
>Target Objects        /var/tmp [ dir ]
>Source                rhn_check
>Source Path           rhn_check
>Port                  <Unknown>
>Host                  gunboat-diplomat
>Source RPM Packages
>Target RPM Packages   filesystem-3.8-2.fc28.x86_64
>Policy RPM            selinux-policy-3.14.1-32.fc28.noarch
>Selinux Enabled       True
>Policy Type           targeted
>Enforcing Mode        Enforcing
>Host Name             gunboat-diplomat
>Platform              Linux gunboat-diplomat 4.17.6-200.fc28.x86_64 #1
>                      SMP Wed Jul 11 20:29:01 UTC 2018 x86_64 x86_64
>Alert Count           45
>First Seen            2018-07-20 22:14:18 EDT
>Last Seen             2018-07-23 06:45:40 EDT
>Local ID              b7087855-9342-405e-9c06-4faeaeb6bbf7
>
>Raw Audit Messages
>type=AVC msg=audit(1532342740.858:757): avc: denied { write } for pid=20334 comm="rhn_check" name="tmp" dev="dm-5" ino=17 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
>
>
>Hash: rhn_check,rhnsd_t,tmp_t,dir,write
>
>
>SELinux is preventing rhn_check from using the dac_override capability.
>
>***** Plugin dac_override (91.4 confidence) suggests **********************
>
>If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
>Then turn on full auditing to get path information about the offending file and generate the error again.
>Do
>
>Turn on full auditing
># auditctl -w /etc/shadow -p w
>Try to recreate AVC. Then execute
># ausearch -m avc -ts recent
>If you see PATH record check ownership/permissions on file, and fix it,
>otherwise report as a bugzilla.
>
>***** Plugin catchall (9.59 confidence) suggests **************************
>
>If you believe that rhn_check should have the dac_override capability by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'rhn_check' --raw | audit2allow -M my-rhncheck
># semodule -X 300 -i my-rhncheck.pp
>
>Additional Information:
>Source Context        system_u:system_r:rhnsd_t:s0
>Target Context        system_u:system_r:rhnsd_t:s0
>Target Objects        Unknown [ capability ]
>Source                rhn_check
>Source Path           rhn_check
>Port                  <Unknown>
>Host                  gunboat-diplomat
>Source RPM Packages
>Target RPM Packages
>Policy RPM            selinux-policy-3.14.1-32.fc28.noarch
>Selinux Enabled       True
>Policy Type           targeted
>Enforcing Mode        Enforcing
>Host Name             gunboat-diplomat
>Platform              Linux gunboat-diplomat 4.17.6-200.fc28.x86_64 #1
>                      SMP Wed Jul 11 20:29:01 UTC 2018 x86_64 x86_64
>Alert Count           15
>First Seen            2018-07-20 22:14:18 EDT
>Last Seen             2018-07-23 06:45:40 EDT
>Local ID              87736b15-bb03-4c05-9f01-e831ee477dee
>
>Raw Audit Messages
>type=AVC msg=audit(1532342740.858:758): avc: denied { dac_override } for pid=20334 comm="rhn_check" capability=1 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:system_r:rhnsd_t:s0 tclass=capability permissive=0
>
>
>Hash: rhn_check,rhnsd_t,rhnsd_t,capability,dac_override
>
>SELinux is preventing rhn_check from search access on the directory /etc/pki.
>
>***** Plugin catchall (100. confidence) suggests **************************
>
>If you believe that rhn_check should be allowed search access on the pki directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'rhn_check' --raw | audit2allow -M my-rhncheck
># semodule -X 300 -i my-rhncheck.pp
>
>Additional Information:
>Source Context        system_u:system_r:rhnsd_t:s0
>Target Context        system_u:object_r:cert_t:s0
>Target Objects        /etc/pki [ dir ]
>Source                rhn_check
>Source Path           rhn_check
>Port                  <Unknown>
>Host                  gunboat-diplomat
>Source RPM Packages
>Target RPM Packages   filesystem-3.8-2.fc28.x86_64
>Policy RPM            selinux-policy-3.14.1-32.fc28.noarch
>Selinux Enabled       True
>Policy Type           targeted
>Enforcing Mode        Enforcing
>Host Name             gunboat-diplomat
>Platform              Linux gunboat-diplomat 4.17.6-200.fc28.x86_64 #1
>                      SMP Wed Jul 11 20:29:01 UTC 2018 x86_64 x86_64
>Alert Count           15
>First Seen            2018-07-20 22:14:18 EDT
>Last Seen             2018-07-23 06:45:40 EDT
>Local ID              041ea764-5a75-4102-ac23-64b60d40af5c
>
>Raw Audit Messages
>type=AVC msg=audit(1532342740.899:759): avc: denied { search } for pid=20334 comm="rhn_check" name="pki" dev="dm-1" ino=786538 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
>
>
>Hash: rhn_check,rhnsd_t,cert_t,dir,search
>
>
>SELinux is preventing rhn_check from search access on the directory /var/lib/sss.
>
>***** Plugin catchall (100. confidence) suggests **************************
>
>If you believe that rhn_check should be allowed search access on the sss directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'rhn_check' --raw | audit2allow -M my-rhncheck
># semodule -X 300 -i my-rhncheck.pp
>
>Additional Information:
>Source Context        system_u:system_r:rhnsd_t:s0
>Target Context        system_u:object_r:sssd_var_lib_t:s0
>Target Objects        /var/lib/sss [ dir ]
>Source                rhn_check
>Source Path           rhn_check
>Port                  <Unknown>
>Host                  gunboat-diplomat
>Source RPM Packages
>Target RPM Packages   sssd-common-1.16.2-4.fc28.x86_64
>Policy RPM            selinux-policy-3.14.1-32.fc28.noarch
>Selinux Enabled       True
>Policy Type           targeted
>Enforcing Mode        Enforcing
>Host Name             gunboat-diplomat
>Platform              Linux gunboat-diplomat 4.17.6-200.fc28.x86_64 #1
>                      SMP Wed Jul 11 20:29:01 UTC 2018 x86_64 x86_64
>Alert Count           135
>First Seen            2018-07-20 22:14:18 EDT
>Last Seen             2018-07-23 06:45:40 EDT
>Local ID              ce5d9bdb-839e-4027-8d96-3fd4373abb9a
>
>Raw Audit Messages
>type=AVC msg=audit(1532342740.934:767): avc: denied { search } for pid=20334 comm="rhn_check" name="sss" dev="dm-5" ino=391087 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
>
>
>Hash: rhn_check,rhnsd_t,sssd_var_lib_t,dir,search
>
>
>SELinux is preventing rhn_check from read access on the file /etc/group.
>
>***** Plugin catchall (100. confidence) suggests **************************
>
>If you believe that rhn_check should be allowed read access on the group file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'rhn_check' --raw | audit2allow -M my-rhncheck
># semodule -X 300 -i my-rhncheck.pp
>
>Additional Information:
>Source Context        system_u:system_r:rhnsd_t:s0
>Target Context        system_u:object_r:passwd_file_t:s0
>Target Objects        /etc/group [ file ]
>Source                rhn_check
>Source Path           rhn_check
>Port                  <Unknown>
>Host                  gunboat-diplomat
>Source RPM Packages
>Target RPM Packages   setup-2.11.4-1.fc28.noarch
>Policy RPM            selinux-policy-3.14.1-32.fc28.noarch
>Selinux Enabled       True
>Policy Type           targeted
>Enforcing Mode        Enforcing
>Host Name             gunboat-diplomat
>Platform              Linux gunboat-diplomat 4.17.6-200.fc28.x86_64 #1
>                      SMP Wed Jul 11 20:29:01 UTC 2018 x86_64 x86_64
>Alert Count           45
>First Seen            2018-07-20 22:14:18 EDT
>Last Seen             2018-07-23 06:45:40 EDT
>Local ID              d253c4f0-083f-4eb7-a3db-39ac8d138856
>
>Raw Audit Messages
>type=AVC msg=audit(1532342740.934:768): avc: denied { read } for pid=20334 comm="rhn_check" name="group" dev="dm-1" ino=789088 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
>
>
>Hash: rhn_check,rhnsd_t,passwd_file_t,file,read
>
>
>SELinux is preventing rhn_check from getattr access on the file /etc/resolv.conf.
>
>***** Plugin catchall (100. confidence) suggests **************************
>
>If you believe that rhn_check should be allowed getattr access on the resolv.conf file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'rhn_check' --raw | audit2allow -M my-rhncheck
># semodule -X 300 -i my-rhncheck.pp
>
>Additional Information:
>Source Context        system_u:system_r:rhnsd_t:s0
>Target Context        system_u:object_r:net_conf_t:s0
>Target Objects        /etc/resolv.conf [ file ]
>Source                rhn_check
>Source Path           rhn_check
>Port                  <Unknown>
>Host                  gunboat-diplomat
>Source RPM Packages
>Target RPM Packages
>Policy RPM            selinux-policy-3.14.1-32.fc28.noarch
>Selinux Enabled       True
>Policy Type           targeted
>Enforcing Mode        Enforcing
>Host Name             gunboat-diplomat
>Platform              Linux gunboat-diplomat 4.17.6-200.fc28.x86_64 #1
>                      SMP Wed Jul 11 20:29:01 UTC 2018 x86_64 x86_64
>Alert Count           15
>First Seen            2018-07-20 22:14:18 EDT
>Last Seen             2018-07-23 06:45:40 EDT
>Local ID              39a87b48-d488-4c71-9e35-18a24882326e
>
>Raw Audit Messages
>type=AVC msg=audit(1532342740.934:769): avc: denied { getattr } for pid=20334 comm="rhn_check" path="/etc/resolv.conf" dev="dm-1" ino=786657 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
>
>
>Hash: rhn_check,rhnsd_t,net_conf_t,file,getattr
>
>
>SELinux is preventing rhn_check from read access on the file /etc/hosts.
>
>***** Plugin catchall (100. confidence) suggests **************************
>
>If you believe that rhn_check should be allowed read access on the hosts file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'rhn_check' --raw | audit2allow -M my-rhncheck
># semodule -X 300 -i my-rhncheck.pp
>
>Additional Information:
>Source Context        system_u:system_r:rhnsd_t:s0
>Target Context        system_u:object_r:net_conf_t:s0
>Target Objects        /etc/hosts [ file ]
>Source                rhn_check
>Source Path           rhn_check
>Port                  <Unknown>
>Host                  gunboat-diplomat
>Source RPM Packages
>Target RPM Packages   setup-2.11.4-1.fc28.noarch
>Policy RPM            selinux-policy-3.14.1-32.fc28.noarch
>Selinux Enabled       True
>Policy Type           targeted
>Enforcing Mode        Enforcing
>Host Name             gunboat-diplomat
>Platform              Linux gunboat-diplomat 4.17.6-200.fc28.x86_64 #1
>                      SMP Wed Jul 11 20:29:01 UTC 2018 x86_64 x86_64
>Alert Count           30
>First Seen            2018-07-20 22:14:18 EDT
>Last Seen             2018-07-23 06:45:40 EDT
>Local ID              094a5215-1649-4da1-9f9f-9f52a293d3f1
>
>Raw Audit Messages
>type=AVC msg=audit(1532342740.934:771): avc: denied { read } for pid=20334 comm="rhn_check" name="hosts" dev="dm-1" ino=788765 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
>
>
>Hash: rhn_check,rhnsd_t,net_conf_t,file,read
>
>SELinux is preventing rhn_check from create access on the udp_socket port None.
>
>***** Plugin catchall (100. confidence) suggests **************************
>
>If you believe that rhn_check should be allowed create access on the port None udp_socket by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'rhn_check' --raw | audit2allow -M my-rhncheck
># semodule -X 300 -i my-rhncheck.pp
>
>Additional Information:
>Source Context        system_u:system_r:rhnsd_t:s0
>Target Context        system_u:system_r:rhnsd_t:s0
>Target Objects        port None [ udp_socket ]
>Source                rhn_check
>Source Path           rhn_check
>Port                  <Unknown>
>Host                  gunboat-diplomat
>Source RPM Packages
>Target RPM Packages
>Policy RPM            selinux-policy-3.14.1-32.fc28.noarch
>Selinux Enabled       True
>Policy Type           targeted
>Enforcing Mode        Enforcing
>Host Name             gunboat-diplomat
>Platform              Linux gunboat-diplomat 4.17.6-200.fc28.x86_64 #1
>                      SMP Wed Jul 11 20:29:01 UTC 2018 x86_64 x86_64
>Alert Count           30
>First Seen            2018-07-20 22:14:18 EDT
>Last Seen             2018-07-23 06:45:40 EDT
>Local ID              8e0c581e-2e03-4285-9bd0-ff21a7b60ac4
>
>Raw Audit Messages
>type=AVC msg=audit(1532342740.934:772): avc: denied { create } for pid=20334 comm="rhn_check" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:system_r:rhnsd_t:s0 tclass=udp_socket permissive=0
>
>
>Hash: rhn_check,rhnsd_t,rhnsd_t,udp_socket,create