Bug 146830

Summary: avc denied for tmpfs_t
Product: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: noarch
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Orion Poplawski <orion>
Assignee: Daniel Walsh <dwalsh>
Doc Type: Bug Fix
Last Closed: 2005-02-03 19:15:18 UTC

Description Orion Poplawski 2005-02-01 23:03:58 UTC
Description of problem:

Booting an FC3 system with updated selinux (remade from rawhide sources
with 2 extra rules in local.te) gives lots of errors:


audit(1107298494.186:0): avc:  denied  { read write } for  pid=1645
exe=/sbin/minilogd dev=tmpfs ino=456
scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
audit(1107298513.188:0): avc:  denied  { write } for  pid=2597
exe=/sbin/syslogd name=/ dev=tmpfs ino=455
scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=dir
audit(1107298515.429:0): avc:  denied  { search } for  pid=2835
exe=/sbin/ypbind name=/ dev=tmpfs ino=455
scontext=user_u:system_r:ypbind_t tcontext=user_u:object_r:tmpfs_t
tclass=dir


Version-Release number of selected component (if applicable):
checkpolicy-1.20.1-1
selinux-policy-targeted-sources-1.21.5-5
policycoreutils-1.21.9-1
selinux-policy-targeted-1.21.5-5

Comment 1 Orion Poplawski 2005-02-02 18:27:36 UTC
Here are all the denied messages I get at boot and root ssh login with
selinux-policy-targeted-source-1.21.7-1

audit(1107343316.159:0): avc:  denied  { read write } for  pid=814
exe=/sbin/minilogd name=console dev=tmpfs ino=456
scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1107343316.160:0): avc:  denied  { write } for  pid=814 exe=/sbin/minilogd
name=/ dev=tmpfs ino=455 scontext=user_u:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107343316.160:0): avc:  denied  { add_name } for  pid=814
exe=/sbin/minilogd name=log scontext=user_u:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107343316.161:0): avc:  denied  { create } for  pid=814
exe=/sbin/minilogd name=log scontext=user_u:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107343316.161:0): avc:  denied  { getattr } for  pid=816
exe=/sbin/minilogd path=/dev/log dev=tmpfs ino=1943
scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107343320.093:0): avc:  denied  { write } for  pid=816 exe=/sbin/minilogd
name=log dev=tmpfs ino=1943 scontext=user_u:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107343321.406:0): avc:  denied  { remove_name } for  pid=1415
exe=/sbin/minilogd name=log dev=tmpfs ino=1943
scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107343321.406:0): avc:  denied  { unlink } for  pid=1415
exe=/sbin/minilogd name=log dev=tmpfs ino=1943
scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107368545.872:0): avc:  denied  { create } for  pid=2593
exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t
tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107368545.872:0): avc:  denied  { bind } for  pid=2593 exe=/sbin/syslogd
scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t
tclass=netlink_route_socket
audit(1107368545.872:0): avc:  denied  { getattr } for  pid=2593
exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t
tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107368545.872:0): avc:  denied  { write } for  pid=2593 exe=/sbin/syslogd
scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t
tclass=netlink_route_socket
audit(1107368545.872:0): avc:  denied  { net_admin } for  pid=2593
exe=/sbin/syslogd capability=12 scontext=user_u:system_r:syslogd_t
tcontext=user_u:system_r:syslogd_t tclass=capability
audit(1107368545.872:0): avc:  denied  { nlmsg_read } for  pid=2593
exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t
tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107368545.873:0): avc:  denied  { read } for  pid=2593 exe=/sbin/syslogd
scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t
tclass=netlink_route_socket
audit(1107368545.873:0): avc:  denied  { setattr } for  pid=2593
exe=/sbin/syslogd name=log dev=tmpfs ino=5744 scontext=user_u:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107368546.587:0): avc:  denied  { search } for  pid=2624
exe=/sbin/portmap name=/ dev=tmpfs ino=455 scontext=user_u:system_r:portmap_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107368549.839:0): avc:  denied  { search } for  pid=2821 exe=/sbin/ypbind
name=/ dev=tmpfs ino=455 scontext=user_u:system_r:ypbind_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107368554.092:0): avc:  denied  { search } for  pid=3258
exe=/usr/sbin/ntpd name=/ dev=tmpfs ino=455 scontext=user_u:system_r:ntpd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107368554.093:0): avc:  denied  { write } for  pid=3258
exe=/usr/sbin/ntpd name=log dev=tmpfs ino=5744 scontext=user_u:system_r:ntpd_t
tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107368637.014:0): avc:  denied  { transition } for  pid=3989
exe=/usr/sbin/sshd path=/bin/bash dev=dm-1 ino=28707
scontext=user_u:system_r:initrc_t tcontext=root:system_r:unconfined_t tclass=process
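
The denials above are the raw material audit2allow works from. The following is an added example (not code from the bug report, from audit2allow, or from the Fedora policy) that does the same grouping over a sample copied from comment 1, printing the allow rules that would result, and flagging the two kinds of denial in that list that should not simply be allowed: the domain transition into unconfined_t, which comment 3 attributes to labeling, and the net_admin capability request, which needs a policy decision rather than an automatic rule.

```python
"""
Triage SELinux AVC denials: group them into audit2allow-style allow rules and
flag the ones that should not be turned into rules at all.

Added example, not from the bug report, audit2allow or the Fedora policy.
SAMPLE is copied from the denials posted in comment 1 (the pre-auditd
'audit(...)' kernel format, line-wrapped as it appears in the report).
"""
import re
from collections import defaultdict

SAMPLE = """\
audit(1107343316.159:0): avc:  denied  { read write } for  pid=814
exe=/sbin/minilogd name=console dev=tmpfs ino=456
scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1107343316.160:0): avc:  denied  { write } for  pid=814 exe=/sbin/minilogd
name=/ dev=tmpfs ino=455 scontext=user_u:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107343316.160:0): avc:  denied  { add_name } for  pid=814
exe=/sbin/minilogd name=log scontext=user_u:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107343316.161:0): avc:  denied  { create } for  pid=814
exe=/sbin/minilogd name=log scontext=user_u:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107368545.872:0): avc:  denied  { create } for  pid=2593
exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t
tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107368545.872:0): avc:  denied  { bind } for  pid=2593 exe=/sbin/syslogd
scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t
tclass=netlink_route_socket
audit(1107368545.872:0): avc:  denied  { net_admin } for  pid=2593
exe=/sbin/syslogd capability=12 scontext=user_u:system_r:syslogd_t
tcontext=user_u:system_r:syslogd_t tclass=capability
audit(1107368549.839:0): avc:  denied  { search } for  pid=2821 exe=/sbin/ypbind
name=/ dev=tmpfs ino=455 scontext=user_u:system_r:ypbind_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107368637.014:0): avc:  denied  { transition } for  pid=3989
exe=/usr/sbin/sshd path=/bin/bash dev=dm-1 ino=28707
scontext=user_u:system_r:initrc_t tcontext=root:system_r:unconfined_t tclass=process
"""

# 'avc:  denied  { perms } for  key=value key=value ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(text):
    """Yield one dict per denial: 'perms' (a set) plus the key=value fields."""
    # Every record starts with 'audit(secs.usecs:serial)'; split there, then
    # collapse whitespace to undo the line wrapping of the mailed report.
    for rec in re.split(r"(?=audit\(\d+\.\d+:\d+\))", text):
        rec = " ".join(rec.split())
        m = AVC_RE.search(rec)
        if m:
            fields = dict(FIELD_RE.findall(m.group("fields")))
            yield {"perms": set(m.group("perms").split()), **fields}


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def aggregate(denials):
    """Union the permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for d in denials:
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        rules[key] |= d["perms"]
    return rules


def to_te(rules):
    """Render the groups as allow rules in the .te syntax audit2allow prints."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def suspicious(denials):
    """Denials a reviewer should investigate instead of allowing outright."""
    flags = []
    for d in denials:
        if d["tclass"] == "capability" and "net_admin" in d["perms"]:
            # CAP_NET_ADMIN lets the domain reconfigure networking; that is a
            # policy decision, not something to grant because a log line asked.
            flags.append(("CAP_NET_ADMIN requested by " + type_of(d["scontext"]), d["exe"]))
        if d["tclass"] == "process" and "transition" in d["perms"]:
            # A service domain entering unconfined_t: comment 3 traces this to
            # labeling, so relabel rather than permit the transition.
            flags.append(("domain transition into " + type_of(d["tcontext"]), d["exe"]))
    return flags


def analyze(text):
    """Return (allow rules as strings, [(reason, exe)] for denials to review)."""
    denials = list(parse_avc(text))
    return to_te(aggregate(denials)), suspicious(denials)


if __name__ == "__main__":
    rules, flags = analyze(SAMPLE)
    print("\n".join(rules))
    for reason, exe in flags:
        print(f"# review before allowing: {reason} ({exe})")
```

The grouping is the same one audit2allow performs; what it does not do is judge the result, which is why the flagged denials are reported separately. The fixes in this thread went the other way for both: a policy update for the netlink_route group (comment 3) and a relabel for the unconfined_t transition, not local allow rules.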


Comment 2 Orion Poplawski 2005-02-02 20:49:35 UTC
Upgrading libsepol and libselinux appears to perhaps have fixed some of these.
Now on reboot I see:

audit(1107370701.145:0): avc:  denied  { create } for  pid=2400
exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t
tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107370701.145:0): avc:  denied  { bind } for  pid=2400 exe=/sbin/syslogd
scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t
tclass=netlink_route_socket
audit(1107370701.145:0): avc:  denied  { getattr } for  pid=2400
exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t
tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107370701.145:0): avc:  denied  { write } for  pid=2400 exe=/sbin/syslogd
scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t
tclass=netlink_route_socket
audit(1107370701.145:0): avc:  denied  { net_admin } for  pid=2400
exe=/sbin/syslogd capability=12 scontext=user_u:system_r:syslogd_t
tcontext=user_u:system_r:syslogd_t tclass=capability
audit(1107370701.146:0): avc:  denied  { nlmsg_read } for  pid=2400
exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t
tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107370701.146:0): avc:  denied  { read } for  pid=2400 exe=/sbin/syslogd
scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t
tclass=netlink_route_socket
audit(1107370802.141:0): avc:  denied  { transition } for  pid=3796
exe=/usr/sbin/crond path=/bin/bash dev=dm-1 ino=28707
scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t
tclass=process
audit(1107370817.910:0): avc:  denied  { transition } for  pid=3804
exe=/usr/sbin/sshd path=/bin/bash dev=dm-1 ino=28707
scontext=user_u:system_r:initrc_t tcontext=root:system_r:unconfined_t tclass=process


Comment 3 Daniel Walsh 2005-02-02 23:07:50 UTC
Policy 1.21.8-1 has the netlink_route fix.  The unconfined_t is caused by labeling.

You probably should relabel the system

touch /.autorelabel
reboot


Comment 4 Orion Poplawski 2005-02-03 00:22:00 UTC
Upgraded to latest selinux tools and did a relabel/reboot.  

Now (in permissive mode):

audit(1107389151.366:0): avc:  denied  { search } for  pid=2938
exe=/usr/sbin/cupsd name=bin dev=dm-1 ino=28673 scontext=user_u:system_r:cupsd_t
tcontext=system_u:object_r:home_root_t tclass=dir
audit(1107389151.773:0): avc:  denied  { search } for  pid=3011
exe=/usr/sbin/cupsd name=bin dev=dm-1 ino=28673 scontext=user_u:system_r:cupsd_t
tcontext=system_u:object_r:home_root_t tclass=dir

Which *I* don't care about and am not sure what it affects.  I just removed cups.

audit(1107389152.886:0): avc:  denied  { getattr } for  pid=3122
exe=/usr/sbin/exportfs path=/export dev=dm-1 ino=4097
scontext=user_u:system_r:nfsd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1107389152.886:0): avc:  denied  { search } for  pid=3122
exe=/usr/sbin/exportfs name=export dev=dm-1 ino=4097
scontext=user_u:system_r:nfsd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1107389152.887:0): avc:  denied  { getattr } for  pid=3122
exe=/usr/sbin/exportfs path=/export/web dev=dm-0 ino=2
scontext=user_u:system_r:nfsd_t tcontext=system_u:object_r:httpd_sys_content_t
tclass=dir

These are the file systems I want to export via NFS.  /export/web also has
webserver content.  /export/ftp is the vsftpd area.  No labelling yet as vsftpd
does not appear to be targeted yet.

audit(1107389157.543:0): avc:  denied  { search } for  pid=3346
exe=/usr/sbin/httpd name=export dev=dm-1 ino=4097
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir

The relabel marked /export as system_u:object_r:default_t.  This will break
apache on startup.  I've been changing the context to var_t or
httpd_sys_content_t to make it work.  Any suggestions?  How do I preserve the
context when relabelling?

Thanks for your help!

Comment 5 Daniel Walsh 2005-02-03 14:59:57 UTC
You should be able to put a special context in file_contexts.local.

/etc/selinux/targeted/contexts/files/file_contexts.local

cat /etc/selinux/targeted/contexts/files/file_contexts.local
/export                      system_u:object_r:var_t
restorecon -R -v /export
restorecon reset context /export:root:object_r:root_t->system_u:object_r:var_t
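
To see what a file_contexts.local entry will do before running restorecon, here is an added example (not libselinux code and not from the bug report) that resolves paths the way setfiles and restorecon do, following the precedence documented in setfiles(8): each specification is a regular expression anchored at both ends, and when several match, the last one wins; file_contexts.local is read after file_contexts, which is why its entries override the distribution's. BASE_SPECS is a constructed, drastically shortened stand-in for a real file_contexts; the /export entry is the one from comment 5, and the `(/.*)?` variant is the usual way to cover the whole tree.

```python
"""
Resolve a path's label from file_contexts specifications the way setfiles and
restorecon do, so a file_contexts.local entry can be checked before relabeling.

Added example; not libselinux code and not from the bug report. Implements the
precedence documented in setfiles(8): specs are anchored regexes, the last
matching spec wins, and file_contexts.local is appended after file_contexts.
"""
import re

# Constructed stand-in for /etc/selinux/targeted/contexts/files/file_contexts.
# The real file is thousands of lines long; its catch-all '/.*' entry comes
# first, which is why an unlisted directory such as /export ends up default_t.
BASE_SPECS = """\
/.*                     system_u:object_r:default_t
/var(/.*)?              system_u:object_r:var_t
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t
"""

# Exactly the file_contexts.local entry from comment 5: it names the directory only.
LOCAL_DIR_ONLY = """\
/export                      system_u:object_r:var_t
"""

# The same entry with the (/.*)? suffix, which also covers everything beneath it.
LOCAL_TREE = """\
/export(/.*)?                system_u:object_r:var_t
"""


def parse_specs(text):
    """Return [(compiled_regex, context)] in file order, skipping blanks and comments."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # An optional middle field (-d, -f, -l, ...) restricts a spec to one file
        # type; this resolver labels by path only, so that field is skipped over.
        regex, ctx = parts[0], parts[-1]
        specs.append((re.compile("^" + regex + "$"), ctx))
    return specs


def matchpathcon(path, specs):
    """Context of the last matching spec, or None when nothing matches."""
    ctx = None
    for regex, spec_ctx in specs:
        if regex.match(path):
            ctx = spec_ctx      # a later match overrides an earlier one
    return ctx


def resolve(path, local_specs=None):
    """Resolve path against BASE_SPECS plus an optional file_contexts.local text."""
    specs = parse_specs(BASE_SPECS)
    if local_specs:
        specs += parse_specs(local_specs)   # appended, so it takes precedence
    return matchpathcon(path, specs)


if __name__ == "__main__":
    for name, local in (("no local entry", None),
                        ("comment 5 entry", LOCAL_DIR_ONLY),
                        ("(/.*)? entry", LOCAL_TREE)):
        print(f"--- {name}")
        for path in ("/export", "/export/web", "/export/web/index.html"):
            print(f"{path:26} -> {resolve(path, local)}")
```

With the entry exactly as written in comment 5, only /export itself becomes var_t; /export/web and everything below it still resolve to the default_t the relabel produced in comment 4, so a later `touch /.autorelabel` would undo any manual chcon there. Writing the entry as `/export(/.*)?` covers the tree. On a real system, `matchpathcon /export/web` is the authoritative check, and on current releases `semanage fcontext -a -t var_t "/export(/.*)?"` writes the file_contexts.local entry for you.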


Comment 6 Orion Poplawski 2005-02-03 17:52:48 UTC
Thanks for the file context info.  Any suggestions on the ftp export
issue?

Feb  3 10:26:43 hawk kernel: audit(1107451603.275:0): avc:  denied  {
getattr } for  pid=4141 exe=/usr/sbin/exportfs path=/export/ftp
dev=dm-2 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Feb  3 10:26:43 hawk kernel: audit(1107451603.275:0): avc:  denied  {
getattr } for  pid=4141 exe=/usr/sbin/exportfs path=/export/web
dev=dm-0 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Feb  3 10:26:43 hawk nfs: Starting NFS services:  succeeded
Feb  3 10:26:43 hawk nfs: rpc.rquotad startup succeeded
Feb  3 10:26:43 hawk nfs: rpc.nfsd startup succeeded
Feb  3 10:26:43 hawk kernel: audit(1107451603.349:0): avc:  denied  {
getattr } for  pid=4162 exe=/usr/sbin/rpc.mountd path=/export/web
dev=dm-0 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Feb  3 10:26:43 hawk kernel: audit(1107451603.349:0): avc:  denied  {
getattr } for  pid=4162 exe=/usr/sbin/rpc.mountd path=/export/ftp
dev=dm-2 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Feb  3 10:26:43 hawk nfs: rpc.mountd startup succeeded
Feb  3 10:26:43 hawk rpcidmapd: rpc.idmapd -SIGHUP succeeded
Feb  3 10:27:55 hawk kernel: audit(1107451675.583:0): avc:  denied  {
getattr } for  pid=4163 exe=/usr/sbin/rpc.mountd path=/export/ftp
dev=dm-2 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Feb  3 10:27:55 hawk rpc.mountd: authenticated mount request from
saga.cora.nwra.com:733 for /export/ftp (/export/ftp)
Feb  3 10:27:55 hawk kernel: audit(1107451675.620:0): avc:  denied  {
getattr } for  pid=4163 exe=/usr/sbin/rpc.mountd path=/export/ftp
dev=dm-2 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Feb  3 10:27:55 hawk rpc.mountd: can't stat exported dir /export/ftp:
Permission denied
Feb  3 10:27:55 hawk kernel: audit(1107451675.685:0): avc:  denied  {
getattr } for  pid=4163 exe=/usr/sbin/rpc.mountd path=/export/ftp
dev=dm-2 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Feb  3 10:27:55 hawk rpc.mountd: authenticated mount request from
saga.cora.nwra.com:735 for /export/ftp (/export/ftp)
Feb  3 10:27:55 hawk rpc.mountd: can't stat exported dir /export/ftp:
Permission denied
Feb  3 10:27:55 hawk kernel: audit(1107451675.687:0): avc:  denied  {
getattr } for  pid=4163 exe=/usr/sbin/rpc.mountd path=/export/ftp
dev=dm-2 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Feb  3 10:27:59 hawk kernel: audit(1107451679.625:0): avc:  denied  {
getattr } for  pid=4163 exe=/usr/sbin/rpc.mountd path=/export/web
dev=dm-0 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Feb  3 10:27:59 hawk rpc.mountd: authenticated mount request from
saga.cora.nwra.com:738 for /export/web (/export/web)
Feb  3 10:27:59 hawk kernel: audit(1107451679.627:0): avc:  denied  {
getattr } for  pid=4163 exe=/usr/sbin/rpc.mountd path=/export/web
dev=dm-0 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Feb  3 10:27:59 hawk rpc.mountd: can't stat exported dir /export/web:
Permission denied
Feb  3 10:27:59 hawk kernel: audit(1107451679.649:0): avc:  denied  {
getattr } for  pid=4163 exe=/usr/sbin/rpc.mountd path=/export/web
dev=dm-0 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Feb  3 10:27:59 hawk rpc.mountd: authenticated mount request from
saga.cora.nwra.com:740 for /export/web (/export/web)
Feb  3 10:27:59 hawk rpc.mountd: can't stat exported dir /export/web:
Permission denied
Feb  3 10:27:59 hawk kernel: audit(1107451679.650:0): avc:  denied  {
getattr } for  pid=4163 exe=/usr/sbin/rpc.mountd path=/export/web
dev=dm-0 ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir


Comment 7 Daniel Walsh 2005-02-03 18:13:30 UTC
You have to turn on one of these booleans.
nfs_export_all_ro
nfs_export_all_rw

Dan



Comment 8 Orion Poplawski 2005-02-03 19:15:18 UTC
That's it for me then this time.  Thanks!