Attachment 314965 Details for Bug 460098 – SELinux AVCs when updating from RHEL-5.2-Z repo (e.g. "SELinux is preventing tzdata-update (tzdata_t) "write" to /var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t).")

SELinux AVCs when updating from RHEL-5.2-Z repo (e.g. "SELinux is preventing tzdata-update (tzdata_t) "write" to /var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t).")

selinux_alert.txt (text/plain), 33.76 KB, created by Jan Hutař on 2008-08-26 06:56:49 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jan Hutař

Created: 2008-08-26 06:56:49 UTC

Size: 33.76 KB

patch

obsolete

>
>Summary:
>
>SELinux is preventing cupsd (cupsd_t) "write" to
>/var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t).
>
>Detailed Description:
>
>SELinux is preventing cupsd (cupsd_t) "write" to
>/var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t). The SELinux type
>var_lib_t, is a generic type for all files in the directory and very few
>processes (SELinux Domains) are allowed to write to this SELinux type. This type
>of denial usual indicates a mislabeled file. By default a file created in a
>directory has the gets the context of the parent directory, but SELinux policy
>has rules about the creation of directories, that say if a process running in
>one SELinux Domain (D1) creates a file in a directory with a particular SELinux
>File Context (F1) the file gets a different File Context (F2). The policy
>usually allows the SELinux Domain (D1) the ability to write, unlink, and append
>on (F2). But if for some reason a file
>(/var/lib/yum/transaction-done.2008-08-06.17:36.41) was created with the wrong
>context, this domain will be denied. The usual solution to this problem is to
>reset the file context on the target file, restorecon -v
>'/var/lib/yum/transaction-done.2008-08-06.17:36.41'. If the file context does
>not change from var_lib_t, then this is probably a bug in policy. Please file a
>bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
>selinux-policy package. If it does change, you can try your application again to
>see if it works. The file context could have been mislabeled by editing the file
>or moving the file from a different directory, if the file keeps getting
>mislabeled, check the init scripts to see if they are doing something to
>mislabel the file.
>
>Allowing Access:
>
>You can attempt to fix file context by executing restorecon -v
>'/var/lib/yum/transaction-done.2008-08-06.17:36.41'
>
>The following command will allow this access:
>
>restorecon '/var/lib/yum/transaction-done.2008-08-06.17:36.41'
>
>Additional Information:
>
>Source Context                user_u:system_r:cupsd_t:SystemLow-SystemHigh
>Target Context                user_u:object_r:var_lib_t
>Target Objects                /var/lib/yum/transaction-done.2008-08-06.17:36.41
>                              [ file ]
>Source                        cupsd
>Source Path                   /usr/sbin/cupsd
>Port                          <Unknown>
>Host                          barron.usersys.redhat.com
>Source RPM Packages           cups-1.2.4-11.18.el5_2.1
>Target RPM Packages           
>Policy RPM                    selinux-policy-2.4.6-137.1.el5_2
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   mislabeled_file
>Host Name                     barron.usersys.redhat.com
>Platform                      Linux barron.usersys.redhat.com 2.6.18-92.1.3.el5
>                              #1 SMP Fri Jun 6 04:04:58 EDT 2008 i686 i686
>Alert Count                   1
>First Seen                    Wed 06 Aug 2008 05:42:08 PM EDT
>Last Seen                     Wed 06 Aug 2008 05:42:08 PM EDT
>Local ID                      b2c73493-c337-46b0-b81f-4281f880c20e
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058928.391:70491): avc:  denied  { write } for  pid=3088 comm="cupsd" path="/var/lib/yum/transaction-done.2008-08-06.17:36.41" dev=dm-0 ino=12320782 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058928.391:70491): avc:  denied  { read write } for  pid=3088 comm="cupsd" path="/var/lib/rpm/__db.000" dev=dm-0 ino=12026780 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:rpm_var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=SYSCALL msg=audit(1218058928.391:70491): arch=40000003 syscall=11 success=yes exit=0 a0=8a810d0 a1=8a80f30 a2=8a81410 a3=0 items=0 ppid=3087 pid=3088 auid=4401 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm="cupsd" exe="/usr/sbin/cupsd" subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
>Summary:
>
>SELinux is preventing rpc.statd (rpcd_t) "read write" to /var/lib/rpm/__db.000
>(rpm_var_lib_t).
>
>Detailed Description:
>
>SELinux denied access requested by rpc.statd. It is not expected that this
>access is required by rpc.statd and this access may signal an intrusion attempt.
>It is also possible that the specific version or configuration of the
>application is causing it to require additional access.
>
>Allowing Access:
>
>Sometimes labeling problems can cause SELinux denials. You could try to restore
>the default system file context for /var/lib/rpm/__db.000,
>
>restorecon -v '/var/lib/rpm/__db.000'
>
>If this does not work, there is currently no automatic way to allow this access.
>Instead, you can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>
>Source Context                user_u:system_r:rpcd_t
>Target Context                user_u:object_r:rpm_var_lib_t
>Target Objects                /var/lib/rpm/__db.000 [ file ]
>Source                        rpc.idmapd
>Source Path                   /usr/sbin/rpc.idmapd
>Port                          <Unknown>
>Host                          barron.usersys.redhat.com
>Source RPM Packages           nfs-utils-1.0.9-35z.el5_2
>Target RPM Packages           
>Policy RPM                    selinux-policy-2.4.6-137.el5
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall_file
>Host Name                     barron.usersys.redhat.com
>Platform                      Linux barron.usersys.redhat.com 2.6.18-92.1.3.el5
>                              #1 SMP Fri Jun 6 04:04:58 EDT 2008 i686 i686
>Alert Count                   2
>First Seen                    Wed 06 Aug 2008 05:40:50 PM EDT
>Last Seen                     Wed 06 Aug 2008 05:40:50 PM EDT
>Local ID                      3ddbb7f0-52ef-42ad-b543-cdad77629269
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058850.993:70490): avc:  denied  { read write } for  pid=2856 comm="rpc.statd" path="/var/lib/rpm/__db.000" dev=dm-0 ino=12026780 scontext=user_u:system_r:rpcd_t:s0 tcontext=user_u:object_r:rpm_var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=SYSCALL msg=audit(1218058850.993:70490): arch=40000003 syscall=11 success=yes exit=0 a0=863b2a0 a1=863b078 a2=863a5b0 a3=0 items=0 ppid=2855 pid=2856 auid=4401 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm="rpc.statd" exe="/sbin/rpc.statd" subj=user_u:system_r:rpcd_t:s0 key=(null)
>
>
>
>
>Summary:
>
>SELinux is preventing tzdata-update (tzdata_t) "write" to
>/var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t).
>
>Detailed Description:
>
>SELinux is preventing tzdata-update (tzdata_t) "write" to
>/var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t). The SELinux type
>var_lib_t, is a generic type for all files in the directory and very few
>processes (SELinux Domains) are allowed to write to this SELinux type. This type
>of denial usual indicates a mislabeled file. By default a file created in a
>directory has the gets the context of the parent directory, but SELinux policy
>has rules about the creation of directories, that say if a process running in
>one SELinux Domain (D1) creates a file in a directory with a particular SELinux
>File Context (F1) the file gets a different File Context (F2). The policy
>usually allows the SELinux Domain (D1) the ability to write, unlink, and append
>on (F2). But if for some reason a file
>(/var/lib/yum/transaction-done.2008-08-06.17:36.41) was created with the wrong
>context, this domain will be denied. The usual solution to this problem is to
>reset the file context on the target file, restorecon -v
>'/var/lib/yum/transaction-done.2008-08-06.17:36.41'. If the file context does
>not change from var_lib_t, then this is probably a bug in policy. Please file a
>bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
>selinux-policy package. If it does change, you can try your application again to
>see if it works. The file context could have been mislabeled by editing the file
>or moving the file from a different directory, if the file keeps getting
>mislabeled, check the init scripts to see if they are doing something to
>mislabel the file.
>
>Allowing Access:
>
>You can attempt to fix file context by executing restorecon -v
>'/var/lib/yum/transaction-done.2008-08-06.17:36.41'
>
>The following command will allow this access:
>
>restorecon '/var/lib/yum/transaction-done.2008-08-06.17:36.41'
>
>Additional Information:
>
>Source Context                user_u:system_r:tzdata_t
>Target Context                user_u:object_r:var_lib_t
>Target Objects                /var/lib/yum/transaction-done.2008-08-06.17:36.41
>                              [ file ]
>Source                        tzdata-update
>Source Path                   /usr/sbin/tzdata-update
>Port                          <Unknown>
>Host                          barron.usersys.redhat.com
>Source RPM Packages           glibc-common-2.5-24
>Target RPM Packages           
>Policy RPM                    selinux-policy-2.4.6-137.el5
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   mislabeled_file
>Host Name                     barron.usersys.redhat.com
>Platform                      Linux barron.usersys.redhat.com 2.6.18-92.1.3.el5
>                              #1 SMP Fri Jun 6 04:04:58 EDT 2008 i686 i686
>Alert Count                   1
>First Seen                    Wed 06 Aug 2008 05:40:30 PM EDT
>Last Seen                     Wed 06 Aug 2008 05:40:30 PM EDT
>Local ID                      7fd47ce8-d0ca-4b80-858f-a253b6b91e94
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058830.931:70488): avc:  denied  { write } for  pid=2734 comm="tzdata-update" path="/var/lib/yum/transaction-done.2008-08-06.17:36.41" dev=dm-0 ino=12320782 scontext=user_u:system_r:tzdata_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058830.931:70488): avc:  denied  { read } for  pid=2734 comm="tzdata-update" path="/var/cache/yum/My-5.2-Z/packages/tzdata-2008b-3.el5.noarch.rpm" dev=dm-0 ino=12156993 scontext=user_u:system_r:tzdata_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058830.931:70488): avc:  denied  { read write } for  pid=2734 comm="tzdata-update" path="/var/lib/rpm/__db.000" dev=dm-0 ino=12026780 scontext=user_u:system_r:tzdata_t:s0 tcontext=user_u:object_r:rpm_var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=SYSCALL msg=audit(1218058830.931:70488): arch=40000003 syscall=11 success=yes exit=0 a0=b5a40f7d a1=bfa847a0 a2=cc344c0 a3=0 items=0 ppid=351 pid=2734 auid=4401 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=user_u:system_r:tzdata_t:s0 key=(null)
>
>
>
>
>Summary:
>
>SELinux is preventing restorecon (restorecon_t) "write" to
>/var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t).
>
>Detailed Description:
>
>SELinux is preventing restorecon (restorecon_t) "write" to
>/var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t). The SELinux type
>var_lib_t, is a generic type for all files in the directory and very few
>processes (SELinux Domains) are allowed to write to this SELinux type. This type
>of denial usual indicates a mislabeled file. By default a file created in a
>directory has the gets the context of the parent directory, but SELinux policy
>has rules about the creation of directories, that say if a process running in
>one SELinux Domain (D1) creates a file in a directory with a particular SELinux
>File Context (F1) the file gets a different File Context (F2). The policy
>usually allows the SELinux Domain (D1) the ability to write, unlink, and append
>on (F2). But if for some reason a file
>(/var/lib/yum/transaction-done.2008-08-06.17:36.41) was created with the wrong
>context, this domain will be denied. The usual solution to this problem is to
>reset the file context on the target file, restorecon -v
>'/var/lib/yum/transaction-done.2008-08-06.17:36.41'. If the file context does
>not change from var_lib_t, then this is probably a bug in policy. Please file a
>bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
>selinux-policy package. If it does change, you can try your application again to
>see if it works. The file context could have been mislabeled by editing the file
>or moving the file from a different directory, if the file keeps getting
>mislabeled, check the init scripts to see if they are doing something to
>mislabel the file.
>
>Allowing Access:
>
>You can attempt to fix file context by executing restorecon -v
>'/var/lib/yum/transaction-done.2008-08-06.17:36.41'
>
>The following command will allow this access:
>
>restorecon '/var/lib/yum/transaction-done.2008-08-06.17:36.41'
>
>Additional Information:
>
>Source Context                user_u:system_r:restorecon_t
>Target Context                user_u:object_r:var_lib_t
>Target Objects                /var/lib/yum/transaction-done.2008-08-06.17:36.41
>                              [ file ]
>Source                        restorecon
>Source Path                   /sbin/restorecon
>Port                          <Unknown>
>Host                          barron.usersys.redhat.com
>Source RPM Packages           policycoreutils-1.33.12-14.el5
>Target RPM Packages           
>Policy RPM                    selinux-policy-2.4.6-137.el5
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   mislabeled_file
>Host Name                     barron.usersys.redhat.com
>Platform                      Linux barron.usersys.redhat.com 2.6.18-92.1.3.el5
>                              #1 SMP Fri Jun 6 04:04:58 EDT 2008 i686 i686
>Alert Count                   2
>First Seen                    Wed 06 Aug 2008 05:39:31 PM EDT
>Last Seen                     Wed 06 Aug 2008 05:39:31 PM EDT
>Local ID                      90bea695-90e4-4655-8e76-64ea96de424c
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058771.289:70481): avc:  denied  { write } for  pid=1574 comm="restorecon" path="/var/lib/yum/transaction-done.2008-08-06.17:36.41" dev=dm-0 ino=12320782 scontext=user_u:system_r:restorecon_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058771.289:70481): avc:  denied  { read } for  pid=1574 comm="restorecon" path="/var/cache/yum/My-5.2-Z/packages/selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm" dev=dm-0 ino=12157041 scontext=user_u:system_r:restorecon_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058771.289:70481): avc:  denied  { read write } for  pid=1574 comm="restorecon" path="/var/lib/rpm/__db.000" dev=dm-0 ino=12026780 scontext=user_u:system_r:restorecon_t:s0 tcontext=user_u:object_r:rpm_var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=SYSCALL msg=audit(1218058771.289:70481): arch=40000003 syscall=11 success=yes exit=0 a0=8b76db0 a1=8b770e0 a2=8b75528 a3=0 items=0 ppid=1536 pid=1574 auid=4401 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm="restorecon" exe="/sbin/restorecon" subj=user_u:system_r:restorecon_t:s0 key=(null)
>
>
>
>
>Summary:
>
>SELinux is preventing setfiles (setfiles_t) "read" to
>/var/cache/yum/My-5.2-Z/packages/selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm
>(var_t).
>
>Detailed Description:
>
>SELinux denied access requested by setfiles. It is not expected that this access
>is required by setfiles and this access may signal an intrusion attempt. It is
>also possible that the specific version or configuration of the application is
>causing it to require additional access.
>
>Allowing Access:
>
>Sometimes labeling problems can cause SELinux denials. You could try to restore
>the default system file context for
>/var/cache/yum/My-5.2-Z/packages/selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm,
>
>restorecon -v
>'/var/cache/yum/My-5.2-Z/packages/selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm'
>
>If this does not work, there is currently no automatic way to allow this access.
>Instead, you can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>
>Source Context                user_u:system_r:setfiles_t
>Target Context                user_u:object_r:var_t
>Target Objects                /var/cache/yum/My-5.2-Z/packages/selinux-policy-
>                              targeted-2.4.6-137.1.el5_2.noarch.rpm [ file ]
>Source                        setfiles
>Source Path                   /sbin/setfiles
>Port                          <Unknown>
>Host                          barron.usersys.redhat.com
>Source RPM Packages           policycoreutils-1.33.12-14.el5
>Target RPM Packages           
>Policy RPM                    selinux-policy-2.4.6-137.el5
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall_file
>Host Name                     barron.usersys.redhat.com
>Platform                      Linux barron.usersys.redhat.com 2.6.18-92.1.3.el5
>                              #1 SMP Fri Jun 6 04:04:58 EDT 2008 i686 i686
>Alert Count                   1
>First Seen                    Wed 06 Aug 2008 05:39:29 PM EDT
>Last Seen                     Wed 06 Aug 2008 05:39:29 PM EDT
>Local ID                      48fae68c-8c87-46ee-aff6-0db3d76090a1
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058769.83:70479): avc:  denied  { read } for  pid=1540 comm="setfiles" path="/var/cache/yum/My-5.2-Z/packages/selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm" dev=dm-0 ino=12157041 scontext=user_u:system_r:setfiles_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=SYSCALL msg=audit(1218058769.83:70479): arch=40000003 syscall=11 success=yes exit=0 a0=8a4b768 a1=98a9860 a2=0 a3=0 items=0 ppid=1538 pid=1540 auid=4401 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm="setfiles" exe="/sbin/setfiles" subj=user_u:system_r:setfiles_t:s0 key=(null)
>
>
>
>
>Summary:
>
>SELinux is preventing load_policy (load_policy_t) "read" to
>/var/cache/yum/My-5.2-Z/packages/selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm
>(var_t).
>
>Detailed Description:
>
>SELinux denied access requested by load_policy. It is not expected that this
>access is required by load_policy and this access may signal an intrusion
>attempt. It is also possible that the specific version or configuration of the
>application is causing it to require additional access.
>
>Allowing Access:
>
>Sometimes labeling problems can cause SELinux denials. You could try to restore
>the default system file context for
>/var/cache/yum/My-5.2-Z/packages/selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm,
>
>restorecon -v
>'/var/cache/yum/My-5.2-Z/packages/selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm'
>
>If this does not work, there is currently no automatic way to allow this access.
>Instead, you can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>
>Source Context                user_u:system_r:load_policy_t
>Target Context                user_u:object_r:var_t
>Target Objects                /var/cache/yum/My-5.2-Z/packages/selinux-policy-
>                              targeted-2.4.6-137.1.el5_2.noarch.rpm [ file ]
>Source                        load_policy
>Source Path                   /usr/sbin/load_policy
>Port                          <Unknown>
>Host                          barron.usersys.redhat.com
>Source RPM Packages           policycoreutils-1.33.12-14.el5
>Target RPM Packages           
>Policy RPM                    selinux-policy-2.4.6-137.el5
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall_file
>Host Name                     barron.usersys.redhat.com
>Platform                      Linux barron.usersys.redhat.com 2.6.18-92.1.3.el5
>                              #1 SMP Fri Jun 6 04:04:58 EDT 2008 i686 i686
>Alert Count                   0
>First Seen                    Wed 06 Aug 2008 05:39:28 PM EDT
>Last Seen                     Wed 06 Aug 2008 05:39:28 PM EDT
>Local ID                      20b58321-2545-4fbf-b551-13a0a7dc5303
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058768.977:70476): avc:  denied  { read } for  pid=1539 comm="load_policy" path="/var/cache/yum/My-5.2-Z/packages/selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm" dev=dm-0 ino=12157041 scontext=user_u:system_r:load_policy_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=SYSCALL msg=audit(1218058768.977:70476): arch=40000003 syscall=11 success=yes exit=0 a0=8a4b738 a1=9f56f08 a2=0 a3=0 items=0 ppid=1538 pid=1539 auid=4401 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=user_u:system_r:load_policy_t:s0 key=(null)
>
>
>
>
>Summary:
>
>SELinux is preventing semodule (semanage_t) "write" to
>/var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t).
>
>Detailed Description:
>
>SELinux is preventing semodule (semanage_t) "write" to
>/var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t). The SELinux type
>var_lib_t, is a generic type for all files in the directory and very few
>processes (SELinux Domains) are allowed to write to this SELinux type. This type
>of denial usual indicates a mislabeled file. By default a file created in a
>directory has the gets the context of the parent directory, but SELinux policy
>has rules about the creation of directories, that say if a process running in
>one SELinux Domain (D1) creates a file in a directory with a particular SELinux
>File Context (F1) the file gets a different File Context (F2). The policy
>usually allows the SELinux Domain (D1) the ability to write, unlink, and append
>on (F2). But if for some reason a file
>(/var/lib/yum/transaction-done.2008-08-06.17:36.41) was created with the wrong
>context, this domain will be denied. The usual solution to this problem is to
>reset the file context on the target file, restorecon -v
>'/var/lib/yum/transaction-done.2008-08-06.17:36.41'. If the file context does
>not change from var_lib_t, then this is probably a bug in policy. Please file a
>bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
>selinux-policy package. If it does change, you can try your application again to
>see if it works. The file context could have been mislabeled by editing the file
>or moving the file from a different directory, if the file keeps getting
>mislabeled, check the init scripts to see if they are doing something to
>mislabel the file.
>
>Allowing Access:
>
>You can attempt to fix file context by executing restorecon -v
>'/var/lib/yum/transaction-done.2008-08-06.17:36.41'
>
>The following command will allow this access:
>
>restorecon '/var/lib/yum/transaction-done.2008-08-06.17:36.41'
>
>Additional Information:
>
>Source Context                user_u:system_r:semanage_t
>Target Context                user_u:object_r:var_lib_t
>Target Objects                /var/lib/yum/transaction-done.2008-08-06.17:36.41
>                              [ file ]
>Source                        semodule
>Source Path                   /usr/sbin/semodule
>Port                          <Unknown>
>Host                          barron.usersys.redhat.com
>Source RPM Packages           policycoreutils-1.33.12-14.el5
>Target RPM Packages           
>Policy RPM                    selinux-policy-2.4.6-137.el5
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   mislabeled_file
>Host Name                     barron.usersys.redhat.com
>Platform                      Linux barron.usersys.redhat.com 2.6.18-92.1.3.el5
>                              #1 SMP Fri Jun 6 04:04:58 EDT 2008 i686 i686
>Alert Count                   0
>First Seen                    Wed 06 Aug 2008 05:39:24 PM EDT
>Last Seen                     Wed 06 Aug 2008 05:39:24 PM EDT
>Local ID                      626d211c-3bcc-494f-bcd8-92aa931e0d3c
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058764.474:70475): avc:  denied  { write } for  pid=1538 comm="semodule" path="/var/lib/yum/transaction-done.2008-08-06.17:36.41" dev=dm-0 ino=12320782 scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058764.474:70475): avc:  denied  { write } for  pid=1538 comm="semodule" path="/var/lib/rpm/__db.000" dev=dm-0 ino=12026780 scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:object_r:rpm_var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=SYSCALL msg=audit(1218058764.474:70475): arch=40000003 syscall=11 success=yes exit=0 a0=8b75a60 a1=8b75628 a2=8b75528 a3=0 items=0 ppid=1537 pid=1538 auid=4401 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=user_u:system_r:semanage_t:s0 key=(null)
>
>
>
>
>Summary:
>
>SELinux is preventing rpc.statd (rpcd_t) "read" to
>/var/cache/yum/My-5.2-Z/packages/nfs-utils-1.0.9-35z.el5_2.i386.rpm (var_t).
>
>Detailed Description:
>
>SELinux denied access requested by rpc.statd. It is not expected that this
>access is required by rpc.statd and this access may signal an intrusion attempt.
>It is also possible that the specific version or configuration of the
>application is causing it to require additional access.
>
>Allowing Access:
>
>Sometimes labeling problems can cause SELinux denials. You could try to restore
>the default system file context for
>/var/cache/yum/My-5.2-Z/packages/nfs-utils-1.0.9-35z.el5_2.i386.rpm,
>
>restorecon -v
>'/var/cache/yum/My-5.2-Z/packages/nfs-utils-1.0.9-35z.el5_2.i386.rpm'
>
>If this does not work, there is currently no automatic way to allow this access.
>Instead, you can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>
>Source Context                user_u:system_r:rpcd_t
>Target Context                user_u:object_r:var_t
>Target Objects                /var/cache/yum/My-5.2-Z/packages/nfs-
>                              utils-1.0.9-35z.el5_2.i386.rpm [ file ]
>Source                        rpc.statd
>Source Path                   /sbin/rpc.statd
>Port                          <Unknown>
>Host                          barron.usersys.redhat.com
>Source RPM Packages           nfs-utils-1.0.9-33.el5
>Target RPM Packages           
>Policy RPM                    selinux-policy-2.4.6-137.el5
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall_file
>Host Name                     barron.usersys.redhat.com
>Platform                      Linux barron.usersys.redhat.com 2.6.18-92.1.3.el5
>                              #1 SMP Fri Jun 6 04:04:58 EDT 2008 i686 i686
>Alert Count                   1
>First Seen                    Wed 06 Aug 2008 05:39:11 PM EDT
>Last Seen                     Wed 06 Aug 2008 05:39:11 PM EDT
>Local ID                      b716e075-4c44-4eb4-a125-1ba6aa53c51b
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058751.645:70474): avc:  denied  { read } for  pid=1525 comm="rpc.statd" path="/var/cache/yum/My-5.2-Z/packages/nfs-utils-1.0.9-35z.el5_2.i386.rpm" dev=dm-0 ino=12157055 scontext=user_u:system_r:rpcd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058751.645:70474): avc:  denied  { read write } for  pid=1525 comm="rpc.statd" path="/var/lib/rpm/__db.000" dev=dm-0 ino=12026780 scontext=user_u:system_r:rpcd_t:s0 tcontext=user_u:object_r:rpm_var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=SYSCALL msg=audit(1218058751.645:70474): arch=40000003 syscall=11 success=yes exit=0 a0=8e462a0 a1=8e46078 a2=8e455b0 a3=0 items=0 ppid=1524 pid=1525 auid=4401 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm="rpc.statd" exe="/sbin/rpc.statd" subj=user_u:system_r:rpcd_t:s0 key=(null)
>
>
>
>
>Summary:
>
>SELinux is preventing useradd (useradd_t) "write" to
>/var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t).
>
>Detailed Description:
>
>SELinux is preventing useradd (useradd_t) "write" to
>/var/lib/yum/transaction-done.2008-08-06.17:36.41 (var_lib_t). The SELinux type
>var_lib_t, is a generic type for all files in the directory and very few
>processes (SELinux Domains) are allowed to write to this SELinux type. This type
>of denial usual indicates a mislabeled file. By default a file created in a
>directory has the gets the context of the parent directory, but SELinux policy
>has rules about the creation of directories, that say if a process running in
>one SELinux Domain (D1) creates a file in a directory with a particular SELinux
>File Context (F1) the file gets a different File Context (F2). The policy
>usually allows the SELinux Domain (D1) the ability to write, unlink, and append
>on (F2). But if for some reason a file
>(/var/lib/yum/transaction-done.2008-08-06.17:36.41) was created with the wrong
>context, this domain will be denied. The usual solution to this problem is to
>reset the file context on the target file, restorecon -v
>'/var/lib/yum/transaction-done.2008-08-06.17:36.41'. If the file context does
>not change from var_lib_t, then this is probably a bug in policy. Please file a
>bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
>selinux-policy package. If it does change, you can try your application again to
>see if it works. The file context could have been mislabeled by editing the file
>or moving the file from a different directory, if the file keeps getting
>mislabeled, check the init scripts to see if they are doing something to
>mislabel the file.
>
>Allowing Access:
>
>You can attempt to fix file context by executing restorecon -v
>'/var/lib/yum/transaction-done.2008-08-06.17:36.41'
>
>The following command will allow this access:
>
>restorecon '/var/lib/yum/transaction-done.2008-08-06.17:36.41'
>
>Additional Information:
>
>Source Context                user_u:system_r:useradd_t
>Target Context                user_u:object_r:var_lib_t
>Target Objects                /var/lib/yum/transaction-done.2008-08-06.17:36.41
>                              [ file ]
>Source                        useradd
>Source Path                   /usr/sbin/useradd
>Port                          <Unknown>
>Host                          barron.usersys.redhat.com
>Source RPM Packages           shadow-utils-4.0.17-13.el5
>Target RPM Packages           
>Policy RPM                    selinux-policy-2.4.6-137.el5
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   mislabeled_file
>Host Name                     barron.usersys.redhat.com
>Platform                      Linux barron.usersys.redhat.com 2.6.18-92.1.3.el5
>                              #1 SMP Fri Jun 6 04:04:58 EDT 2008 i686 i686
>Alert Count                   1
>First Seen                    Wed 06 Aug 2008 05:39:10 PM EDT
>Last Seen                     Wed 06 Aug 2008 05:39:10 PM EDT
>Local ID                      acd6df9f-83d8-42eb-a4ff-870d25ced814
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058750.293:70472): avc:  denied  { write } for  pid=1475 comm="useradd" path="/var/lib/yum/transaction-done.2008-08-06.17:36.41" dev=dm-0 ino=12320782 scontext=user_u:system_r:useradd_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058750.293:70472): avc:  denied  { read } for  pid=1475 comm="useradd" path="/var/cache/yum/My-5.2-Z/packages/nfs-utils-1.0.9-35z.el5_2.i386.rpm" dev=dm-0 ino=12157055 scontext=user_u:system_r:useradd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=AVC msg=audit(1218058750.293:70472): avc:  denied  { read write } for  pid=1475 comm="useradd" path="/var/lib/rpm/__db.000" dev=dm-0 ino=12026780 scontext=user_u:system_r:useradd_t:s0 tcontext=user_u:object_r:rpm_var_lib_t:s0 tclass=file
>
>host=barron.usersys.redhat.com type=SYSCALL msg=audit(1218058750.293:70472): arch=40000003 syscall=11 success=yes exit=0 a0=87bda20 a1=87bc698 a2=87bc528 a3=0 items=0 ppid=1474 pid=1475 auid=4401 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm="useradd" exe="/usr/sbin/useradd" subj=user_u:system_r:useradd_t:s0 key=(null)
>
>
>

Actions: View

Attachments on bug 460098: 314965