Bug 120016

Summary: fails to remake policy after user changed
Product: [Fedora] Fedora Reporter: Tim Waugh <twaugh>
Component: setoolsAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2004-04-08 15:39:54 UTC Type: ---

Description Tim Waugh 2004-04-05 08:07:24 UTC
Description of problem:
I tried this:
[root@tornado root]# id -Z
root:sysadm_r:sysadm_t
[root@tornado root]# seuser change -R sysadm_r tim
committing changes....
re-making policy...
Error: Make string: make -f Makefile -C
/etc/security/selinux/src/policy install > /tmp/seuseGWTC73
2>&1.Problem re-making policy.conf
[root@tornado root]# cat /tmp/seuseGWTC73
cat: standard output: Permission denied
cat: standard output: Permission denied
make: Entering directory `/etc/security/selinux/src/policy'
mkdir -p tmp
m4  -Imacros -s flask/security_classes flask/initial_sids
flask/access_vectors tunable.te attrib.te tmp/program_used_flags.te
macros/program/apache_macros.te macros/program/chkpwd_macros.te
macros/program/chroot_macros.te macros/program/clamav_macros.te
macros/program/crond_macros.te macros/program/crontab_macros.te
macros/program/fingerd_macros.te macros/program/gpg_macros.te
macros/program/gph_macros.te macros/program/irc_macros.te
macros/program/login_macros.te macros/program/lpr_macros.te
macros/program/mount_macros.te macros/program/mozilla_macros.te
macros/program/mta_macros.te macros/program/newrole_macros.te
macros/program/rhgb_macros.te macros/program/run_program_macros.te
macros/program/screen_macros.te macros/program/screensaver_macros.te
macros/program/sendmail_macros.te macros/program/slocate_macros.te
macros/program/ssh_agent_macros.te macros/program/ssh_macros.te
macros/program/su_macros.te macros/program/uml_macros.te
macros/program/xauth_macros.te macros/program/x_client_macros.te
macros/program/xserver_macros.te macros/program/ypbind_macros.te
macros/admin_macros.te macros/base_user_macros.te
macros/core_macros.te macros/global_macros.te
macros/mini_user_macros.te macros/user_macros.te types/device.te
types/devpts.te types/file.te types/network.te types/nfs.te
types/procfs.te types/security.te domains/admin.te domains/user.te
domains/misc/auth-net.te domains/misc/fcron.te domains/misc/kernel.te
domains/misc/startx.te domains/program/acct.te
domains/program/amanda.te domains/program/amavis.te
domains/program/anaconda.te domains/program/apache.te
domains/program/apmd.te domains/program/atd.te
domains/program/auditd.te domains/program/authbind.te
domains/program/automount.te domains/program/backup.te
domains/program/bluetooth.te domains/program/bootloader.te
domains/program/calamaris.te domains/program/canna.te
domains/program/cardmgr.te domains/program/checkpolicy.te
domains/program/chkpwd.te domains/program/chroot.te
domains/program/ciped.te domains/program/clamav.te
domains/program/consoletype.te domains/program/courier.te
domains/program/cpucontrol.te domains/program/cpuspeed.te
domains/program/crack.te domains/program/crond.te
domains/program/crontab.te domains/program/cups.te
domains/program/cyrus.te domains/program/dbusd.te
domains/program/ddt-client.te domains/program/devfsd.te
domains/program/dhcpc.te domains/program/dhcpd.te
domains/program/dictd.te domains/program/dmesg.te
domains/program/dovecot.te domains/program/fingerd.te
domains/program/firstboot.te domains/program/fsadm.te
domains/program/fs_daemon.te domains/program/ftpd.te
domains/program/games.te domains/program/getty.te
domains/program/gnome-pty-helper.te domains/program/gpg.te
domains/program/gpm.te domains/program/hostname.te
domains/program/hotplug.te domains/program/hwclock.te
domains/program/ifconfig.te domains/program/imazesrv.te
domains/program/inetd.te domains/program/initrc.te
domains/program/init.te domains/program/innd.te
domains/program/ipsec.te domains/program/iptables.te
domains/program/ircd.te domains/program/irc.te
domains/program/irqbalance.te domains/program/jabberd.te
domains/program/klogd.te domains/program/kudzu.te
domains/program/lcd.te domains/program/ldconfig.te
domains/program/loadkeys.te domains/program/load_policy.te
domains/program/login.te domains/program/logrotate.te
domains/program/lpd.te domains/program/lpr.te domains/program/lrrd.te
domains/program/lvm.te domains/program/mailman.te
domains/program/mdadm.te domains/program/modutil.te
domains/program/monopd.te domains/program/mount.te
domains/program/mozilla.te domains/program/mrtg.te
domains/program/mta.te domains/program/mysqld.te
domains/program/named.te domains/program/nessusd.te
domains/program/netsaint.te domains/program/netutils.te
domains/program/newrole.te domains/program/nscd.te
domains/program/nsd.te domains/program/ntpd.te
domains/program/oav-update.te domains/program/openca-ca.te
domains/program/pamconsole.te domains/program/pam.te
domains/program/passwd.te domains/program/perdition.te
domains/program/ping.te domains/program/portmap.te
domains/program/portslave.te domains/program/postfix.te
domains/program/postgresql.te domains/program/pppd.te
domains/program/prelink.te domains/program/privoxy.te
domains/program/procmail.te domains/program/pump.te
domains/program/pxe.te domains/program/quota.te
domains/program/radius.te domains/program/radvd.te
domains/program/restorecon.te domains/program/rhgb.te
domains/program/rlogind.te domains/program/rpcd.te
domains/program/rpm.te domains/program/rshd.te
domains/program/samba.te domains/program/scannerdaemon.te
domains/program/screensaver.te domains/program/screen.te
domains/program/sendmail.te domains/program/setfiles.te
domains/program/seuser.te domains/program/slapd.te
domains/program/slocate.te domains/program/slrnpull.te
domains/program/snmpd.te domains/program/snort.te
domains/program/sound-server.te domains/program/sound.te
domains/program/spamd.te domains/program/speedmgmt.te
domains/program/squid.te domains/program/ssh-agent.te
domains/program/ssh.te domains/program/sudo.te
domains/program/sulogin.te domains/program/su.te
domains/program/sxid.te domains/program/syslogd.te
domains/program/sysstat.te domains/program/tcpd.te
domains/program/tftpd.te domains/program/tmpreaper.te
domains/program/traceroute.te domains/program/transproxy.te
domains/program/udev.te domains/program/uml.te
domains/program/updfstab.te domains/program/uptimed.te
domains/program/usbmodules.te domains/program/useradd.te
domains/program/userhelper.te domains/program/utempter.te
domains/program/vmware.te domains/program/watchdog.te
domains/program/xauth.te domains/program/xdm.te domains/program/xfs.te
domains/program/xserver.te domains/program/ypbind.te
domains/program/ypserv.te domains/program/zebra.te assert.te rbac
users serviceusers constraints initial_sid_contexts fs_use
genfs_contexts net_contexts > policy.conf.tmp
mv policy.conf.tmp policy.conf
mkdir -p /etc/security/selinux/src
install -m 644 policy.conf /etc/security/selinux/src/policy.conf
mkdir -p /etc/security/selinux
/usr/bin/checkpolicy  -o /etc/security/selinux/policy.
/etc/security/selinux/src/policy.conf
/usr/bin/checkpolicy:  loading policy configuration from
/etc/security/selinux/src/policy.conf
security:  5 users, 6 roles, 1198 types, 1 bools
security:  30 classes, 263989 rules
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation (version 16) to
/etc/security/selinux/policy.
Building file_contexts ...
/bin/sh: line 1: /usr/sbin/genhomedircon: Permission denied
make: *** [file_contexts/file_contexts] Error 126
make: Leaving directory `/etc/security/selinux/src/policy'
[root@tornado root]#

Version-Release number of selected component (if applicable):
setools-1.2.1-4
policy-1.9.2-10

How reproducible:
100%

Audit messages:
audit(1081152539.388:0): avc:  denied  { search } for  pid=1994
exe=/bin/bash dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152539.581:0): avc:  denied  { read } for  pid=1994
exe=/bin/bash name=0 dev= ino=130711552
scontext=root:sysadm_r:seuser_t tcontext=root:sysadm_r:seuser_t
tclass=lnk_file
audit(1081152539.791:0): avc:  denied  { getattr } for  pid=1994
exe=/bin/bash path=/dev/pts dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152540.002:0): avc:  denied  { read } for  pid=1994
exe=/bin/bash name=dev dev=hdb1 ino=1170433
scontext=root:sysadm_r:seuser_t tcontext=system_u:object_r:device_t
tclass=dir
audit(1081152540.215:0): avc:  denied  { read } for  pid=1994
exe=/bin/bash name=mtab dev=hdb1 ino=994815
scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1081152540.475:0): avc:  denied  { getattr } for  pid=1996
exe=/bin/cat path=pipe:[3636] dev= ino=3636
scontext=root:sysadm_r:seuser_t tcontext=root:sysadm_r:seuser_t
tclass=fifo_file
audit(1081152540.698:0): avc:  denied  { getattr } for  pid=1997
exe=/bin/cat path=pipe:[3637] dev= ino=3637
scontext=root:sysadm_r:seuser_t tcontext=root:sysadm_r:seuser_t
tclass=fifo_file
audit(1081152541.717:0): avc:  denied  { search } for  pid=1999
exe=/bin/bash dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152541.911:0): avc:  denied  { read } for  pid=1999
exe=/bin/bash name=0 dev= ino=131039232
scontext=root:sysadm_r:seuser_t tcontext=root:sysadm_r:seuser_t
tclass=lnk_file
audit(1081152542.121:0): avc:  denied  { getattr } for  pid=1999
exe=/bin/bash path=/dev/pts dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152542.331:0): avc:  denied  { read } for  pid=1999
exe=/bin/bash name=dev dev=hdb1 ino=1170433
scontext=root:sysadm_r:seuser_t tcontext=system_u:object_r:device_t
tclass=dir
audit(1081152542.545:0): avc:  denied  { read } for  pid=1999
exe=/bin/bash name=mtab dev=hdb1 ino=994815
scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1081152560.122:0): avc:  denied  { search } for  pid=2006
exe=/bin/bash dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152560.316:0): avc:  denied  { read } for  pid=2006
exe=/bin/bash name=0 dev= ino=131497984
scontext=root:sysadm_r:seuser_t tcontext=root:sysadm_r:seuser_t
tclass=lnk_file
audit(1081152560.526:0): avc:  denied  { getattr } for  pid=2006
exe=/bin/bash path=/dev/pts dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152560.737:0): avc:  denied  { read } for  pid=2006
exe=/bin/bash name=dev dev=hdb1 ino=1170433
scontext=root:sysadm_r:seuser_t tcontext=system_u:object_r:device_t
tclass=dir
audit(1081152560.950:0): avc:  denied  { read } for  pid=2006
exe=/bin/bash name=mtab dev=hdb1 ino=994815
scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1081152561.177:0): avc:  denied  { search } for  pid=2007
exe=/bin/bash dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152561.371:0): avc:  denied  { read } for  pid=2007
exe=/bin/bash name=0 dev= ino=131563520
scontext=root:sysadm_r:seuser_t tcontext=root:sysadm_r:seuser_t
tclass=lnk_file
audit(1081152561.580:0): avc:  denied  { getattr } for  pid=2007
exe=/bin/bash path=/dev/pts dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152561.791:0): avc:  denied  { read } for  pid=2007
exe=/bin/bash name=dev dev=hdb1 ino=1170433
scontext=root:sysadm_r:seuser_t tcontext=system_u:object_r:device_t
tclass=dir
audit(1081152562.004:0): avc:  denied  { read } for  pid=2007
exe=/bin/bash name=mtab dev=hdb1 ino=994815
scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1081152562.400:0): avc:  denied  { search } for  pid=2009
exe=/bin/bash dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152562.594:0): avc:  denied  { read } for  pid=2009
exe=/bin/bash name=0 dev= ino=131694592
scontext=root:sysadm_r:seuser_t tcontext=root:sysadm_r:seuser_t
tclass=lnk_file
audit(1081152562.803:0): avc:  denied  { getattr } for  pid=2009
exe=/bin/bash path=/dev/pts dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152563.014:0): avc:  denied  { read } for  pid=2009
exe=/bin/bash name=dev dev=hdb1 ino=1170433
scontext=root:sysadm_r:seuser_t tcontext=system_u:object_r:device_t
tclass=dir
audit(1081152563.227:0): avc:  denied  { read } for  pid=2009
exe=/bin/bash name=mtab dev=hdb1 ino=994815
scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1081152563.497:0): avc:  denied  { search } for  pid=2011
exe=/bin/bash dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152563.689:0): avc:  denied  { read } for  pid=2011
exe=/bin/bash name=0 dev= ino=131825664
scontext=root:sysadm_r:seuser_t tcontext=root:sysadm_r:seuser_t
tclass=lnk_file
audit(1081152563.899:0): avc:  denied  { getattr } for  pid=2011
exe=/bin/bash path=/dev/pts dev= ino=1 scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:devpts_t tclass=dir
audit(1081152564.109:0): avc:  denied  { read } for  pid=2011
exe=/bin/bash name=dev dev=hdb1 ino=1170433
scontext=root:sysadm_r:seuser_t tcontext=system_u:object_r:device_t
tclass=dir
audit(1081152564.323:0): avc:  denied  { read } for  pid=2011
exe=/bin/bash name=mtab dev=hdb1 ino=994815
scontext=root:sysadm_r:seuser_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1081152564.560:0): avc:  denied  { execute } for  pid=2012
exe=/bin/bash name=genhomedircon dev=hdb1 ino=1142533
scontext=root:sysadm_r:seuser_t tcontext=system_u:object_r:sbin_t
tclass=file
audit(1081152564.786:0): avc:  denied  { getattr } for  pid=2012
exe=/bin/bash path=/usr/sbin/genhomedircon dev=hdb1 ino=1142533
scontext=root:sysadm_r:seuser_t tcontext=system_u:object_r:sbin_t
tclass=file
audit(1081152565.024:0): avc:  denied  { getattr } for  pid=2012
exe=/bin/bash path=/usr/sbin/genhomedircon dev=hdb1 ino=1142533
scontext=root:sysadm_r:seuser_t tcontext=system_u:object_r:sbin_t
tclass=file

audit2allow says:
allow seuser_t device_t:dir { read };
allow seuser_t devpts_t:dir { getattr search };
allow seuser_t etc_runtime_t:file { read };
allow seuser_t sbin_t:file { execute getattr };
allow seuser_t seuser_t:fifo_file { getattr };
allow seuser_t seuser_t:lnk_file { read };

Comment 1 Daniel Walsh 2004-04-08 13:08:56 UTC
We have removed the seuser policy from the default policy, so seuser should
now run under the sysadm context.

Please try with policy-1.10.1-4

Dan

Comment 2 Tim Waugh 2004-04-08 15:39:54 UTC
Seems fine (no audit messages).  The reload now fails for a different
reason (policyver is 17). :-/