Bug 146830
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | avc denied for tmpfs_t | | |
| Product | [Fedora] Fedora | Reporter | Orion Poplawski <orion> |
| Component | selinux-policy-targeted | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED RAWHIDE | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 3 | | |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | noarch | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2005-02-03 19:15:18 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Orion Poplawski
2005-02-01 23:03:58 UTC
Here are all the denied messages I get at boot and root ssh login with selinux-policy-targeted-source-1.21.7-1

```
audit(1107343316.159:0): avc: denied { read write } for pid=814 exe=/sbin/minilogd name=console dev=tmpfs ino=456 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1107343316.160:0): avc: denied { write } for pid=814 exe=/sbin/minilogd name=/ dev=tmpfs ino=455 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107343316.160:0): avc: denied { add_name } for pid=814 exe=/sbin/minilogd name=log scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107343316.161:0): avc: denied { create } for pid=814 exe=/sbin/minilogd name=log scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107343316.161:0): avc: denied { getattr } for pid=816 exe=/sbin/minilogd path=/dev/log dev=tmpfs ino=1943 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107343320.093:0): avc: denied { write } for pid=816 exe=/sbin/minilogd name=log dev=tmpfs ino=1943 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107343321.406:0): avc: denied { remove_name } for pid=1415 exe=/sbin/minilogd name=log dev=tmpfs ino=1943 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107343321.406:0): avc: denied { unlink } for pid=1415 exe=/sbin/minilogd name=log dev=tmpfs ino=1943 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107368545.872:0): avc: denied { create } for pid=2593 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107368545.872:0): avc: denied { bind } for pid=2593 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107368545.872:0): avc: denied { getattr } for pid=2593 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107368545.872:0): avc: denied { write } for pid=2593 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107368545.872:0): avc: denied { net_admin } for pid=2593 exe=/sbin/syslogd capability=12 scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=capability
audit(1107368545.872:0): avc: denied { nlmsg_read } for pid=2593 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107368545.873:0): avc: denied { read } for pid=2593 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107368545.873:0): avc: denied { setattr } for pid=2593 exe=/sbin/syslogd name=log dev=tmpfs ino=5744 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107368546.587:0): avc: denied { search } for pid=2624 exe=/sbin/portmap name=/ dev=tmpfs ino=455 scontext=user_u:system_r:portmap_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107368549.839:0): avc: denied { search } for pid=2821 exe=/sbin/ypbind name=/ dev=tmpfs ino=455 scontext=user_u:system_r:ypbind_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107368554.092:0): avc: denied { search } for pid=3258 exe=/usr/sbin/ntpd name=/ dev=tmpfs ino=455 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107368554.093:0): avc: denied { write } for pid=3258 exe=/usr/sbin/ntpd name=log dev=tmpfs ino=5744 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
audit(1107368637.014:0): avc: denied { transition } for pid=3989 exe=/usr/sbin/sshd path=/bin/bash dev=dm-1 ino=28707 scontext=user_u:system_r:initrc_t tcontext=root:system_r:unconfined_t tclass=process
```

Upgrade libsepol and libselinux appears to perhaps have fixed some of these. Now on reboot I see:

```
audit(1107370701.145:0): avc: denied { create } for pid=2400 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107370701.145:0): avc: denied { bind } for pid=2400 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107370701.145:0): avc: denied { getattr } for pid=2400 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107370701.145:0): avc: denied { write } for pid=2400 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107370701.145:0): avc: denied { net_admin } for pid=2400 exe=/sbin/syslogd capability=12 scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=capability
audit(1107370701.146:0): avc: denied { nlmsg_read } for pid=2400 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107370701.146:0): avc: denied { read } for pid=2400 exe=/sbin/syslogd scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=netlink_route_socket
audit(1107370802.141:0): avc: denied { transition } for pid=3796 exe=/usr/sbin/crond path=/bin/bash dev=dm-1 ino=28707 scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t tclass=process
audit(1107370817.910:0): avc: denied { transition } for pid=3804 exe=/usr/sbin/sshd path=/bin/bash dev=dm-1 ino=28707 scontext=user_u:system_r:initrc_t tcontext=root:system_r:unconfined_t tclass=process
```

Policy 1.21.8-1 has the netlink_route fix. The unconfined_t is caused by labeling. You probably should relabel the system

```
touch /.autorelabel
reboot
```

Upgraded to latest selinux tools and did a relabel/reboot. Now (in permissive mode):

```
audit(1107389151.366:0): avc: denied { search } for pid=2938 exe=/usr/sbin/cupsd name=bin dev=dm-1 ino=28673 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1107389151.773:0): avc: denied { search } for pid=3011 exe=/usr/sbin/cupsd name=bin dev=dm-1 ino=28673 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
```

Which *I* don't care about and not sure what it affects. I just removed cups.

```
audit(1107389152.886:0): avc: denied { getattr } for pid=3122 exe=/usr/sbin/exportfs path=/export dev=dm-1 ino=4097 scontext=user_u:system_r:nfsd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1107389152.886:0): avc: denied { search } for pid=3122 exe=/usr/sbin/exportfs name=export dev=dm-1 ino=4097 scontext=user_u:system_r:nfsd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1107389152.887:0): avc: denied { getattr } for pid=3122 exe=/usr/sbin/exportfs path=/export/web dev=dm-0 ino=2 scontext=user_u:system_r:nfsd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
```

These are the file systems I want to export via NFS. /export/web also has webserver content. /export/ftp is the vsftpd area. No labelling yet as vsftpd does not appear to be targeted yet.

```
audit(1107389157.543:0): avc: denied { search } for pid=3346 exe=/usr/sbin/httpd name=export dev=dm-1 ino=4097 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
```

The relabel marked /export as system_u:object_r:default_t. This will break apache from startup. I've been changing the context to var_t or httpd_sys_content_t to make it work. Any suggestions? How do I preserve the context when relabelling? Thanks for your help!

You should be able to put special context in file_contexts.local.

```
/etc/selinux/targeted/contexts/files/file_contexts.local
```

```
cat /etc/selinux/targeted/contexts/files/file_contexts.local
/export system_u:object_r:var_t
restorecon -R -v /export
restorecon reset context /export:root:object_r:root_t->system_u:object_r:var_t
```

Thanks for the file context info. Any suggestions on the ftp export issue?

```
Feb 3 10:26:43 hawk kernel: audit(1107451603.275:0): avc: denied { getattr } for pid=4141 exe=/usr/sbin/exportfs path=/export/ftp dev=dm-2 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:default_t tclass=dir
Feb 3 10:26:43 hawk kernel: audit(1107451603.275:0): avc: denied { getattr } for pid=4141 exe=/usr/sbin/exportfs path=/export/web dev=dm-0 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Feb 3 10:26:43 hawk nfs: Starting NFS services: succeeded
Feb 3 10:26:43 hawk nfs: rpc.rquotad startup succeeded
Feb 3 10:26:43 hawk nfs: rpc.nfsd startup succeeded
Feb 3 10:26:43 hawk kernel: audit(1107451603.349:0): avc: denied { getattr } for pid=4162 exe=/usr/sbin/rpc.mountd path=/export/web dev=dm-0 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Feb 3 10:26:43 hawk kernel: audit(1107451603.349:0): avc: denied { getattr } for pid=4162 exe=/usr/sbin/rpc.mountd path=/export/ftp dev=dm-2 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:default_t tclass=dir
Feb 3 10:26:43 hawk nfs: rpc.mountd startup succeeded
Feb 3 10:26:43 hawk rpcidmapd: rpc.idmapd -SIGHUP succeeded
Feb 3 10:27:55 hawk kernel: audit(1107451675.583:0): avc: denied { getattr } for pid=4163 exe=/usr/sbin/rpc.mountd path=/export/ftp dev=dm-2 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:default_t tclass=dir
Feb 3 10:27:55 hawk rpc.mountd: authenticated mount request from saga.cora.nwra.com:733 for /export/ftp (/export/ftp)
Feb 3 10:27:55 hawk kernel: audit(1107451675.620:0): avc: denied { getattr } for pid=4163 exe=/usr/sbin/rpc.mountd path=/export/ftp dev=dm-2 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:default_t tclass=dir
Feb 3 10:27:55 hawk rpc.mountd: can't stat exported dir /export/ftp: Permission denied
Feb 3 10:27:55 hawk kernel: audit(1107451675.685:0): avc: denied { getattr } for pid=4163 exe=/usr/sbin/rpc.mountd path=/export/ftp dev=dm-2 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:default_t tclass=dir
Feb 3 10:27:55 hawk rpc.mountd: authenticated mount request from saga.cora.nwra.com:735 for /export/ftp (/export/ftp)
Feb 3 10:27:55 hawk rpc.mountd: can't stat exported dir /export/ftp: Permission denied
Feb 3 10:27:55 hawk kernel: audit(1107451675.687:0): avc: denied { getattr } for pid=4163 exe=/usr/sbin/rpc.mountd path=/export/ftp dev=dm-2 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:default_t tclass=dir
Feb 3 10:27:59 hawk kernel: audit(1107451679.625:0): avc: denied { getattr } for pid=4163 exe=/usr/sbin/rpc.mountd path=/export/web dev=dm-0 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Feb 3 10:27:59 hawk rpc.mountd: authenticated mount request from saga.cora.nwra.com:738 for /export/web (/export/web)
Feb 3 10:27:59 hawk kernel: audit(1107451679.627:0): avc: denied { getattr } for pid=4163 exe=/usr/sbin/rpc.mountd path=/export/web dev=dm-0 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Feb 3 10:27:59 hawk rpc.mountd: can't stat exported dir /export/web: Permission denied
Feb 3 10:27:59 hawk kernel: audit(1107451679.649:0): avc: denied { getattr } for pid=4163 exe=/usr/sbin/rpc.mountd path=/export/web dev=dm-0 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Feb 3 10:27:59 hawk rpc.mountd: authenticated mount request from saga.cora.nwra.com:740 for /export/web (/export/web)
Feb 3 10:27:59 hawk rpc.mountd: can't stat exported dir /export/web: Permission denied
Feb 3 10:27:59 hawk kernel: audit(1107451679.650:0): avc: denied { getattr } for pid=4163 exe=/usr/sbin/rpc.mountd path=/export/web dev=dm-0 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
```

You have to turn on one of these booleans.

```
nfs_export_all_ro
nfs_export_all_rw
```

Dan that's it for me then this time. Thanks!
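Added example, not part of the bug report and not Fedora's or the SELinux project's code: a small Python triage script for the kind of AVC denial wall quoted in this thread. It parses `avc: denied { perms } for key=value ...` lines (with or without a syslog prefix), groups them by source type, target type and object class with the union of denied permissions (the same grouping audit2allow proposes rules from), and separately flags denials whose target type indicates a mislabelled file rather than a missing policy rule. The sample lines are constructed from the ones in this report; the set of "mislabel" target types (`default_t`, `file_t`, `unlabeled_t`) is an assumption based on targeted-policy conventions, not something the report states.

```python
"""Summarise kernel AVC denials the way a policy maintainer would triage them."""
import re
from collections import defaultdict

# Constructed sample input, copied from the denial lines in this bug report.
SAMPLE_LOG = """\
audit(1107343316.159:0): avc: denied { read write } for pid=814 exe=/sbin/minilogd name=console dev=tmpfs ino=456 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1107343316.160:0): avc: denied { write } for pid=814 exe=/sbin/minilogd name=/ dev=tmpfs ino=455 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107343316.160:0): avc: denied { add_name } for pid=814 exe=/sbin/minilogd name=log scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1107368545.872:0): avc: denied { net_admin } for pid=2593 exe=/sbin/syslogd capability=12 scontext=user_u:system_r:syslogd_t tcontext=user_u:system_r:syslogd_t tclass=capability
Feb 3 10:27:55 hawk kernel: audit(1107451675.583:0): avc: denied { getattr } for pid=4163 exe=/usr/sbin/rpc.mountd path=/export/ftp dev=dm-2 ino=2 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:default_t tclass=dir
Feb 3 10:27:55 hawk rpc.mountd: can't stat exported dir /export/ftp: Permission denied
"""

# Assumption: a target of one of these types means no file_contexts entry
# matched the file (or it was never labelled), so the fix is a relabel rather
# than a new allow rule.
MISLABEL_TYPES = {"default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one denial line, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    rec = {"perms": set(m.group("perms").split())}
    for key in ("pid", "exe", "scontext", "tcontext", "tclass"):
        rec[key] = fields.get(key)
    # The kernel reports either a full path or just the last component.
    rec["target"] = fields.get("path") or fields.get("name")
    return rec


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarise(log_text):
    """Group denials by (source type, target type, class) -> union of permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return rules


def format_rules(rules):
    """Render each group as an allow rule in policy syntax, sorted for stable diffs."""
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in rules.items()
    )


def relabel_candidates(rules):
    """Groups whose target type points to mislabelling; fix with file contexts, not policy."""
    return sorted(key for key in rules if key[1] in MISLABEL_TYPES)


if __name__ == "__main__":
    groups = summarise(SAMPLE_LOG)
    print("Proposed rules (review before adding any):")
    for rule in format_rules(groups):
        print("  " + rule)
    print("Targets that look mislabelled (relabel instead of allowing):")
    for src, tgt, cls in relabel_candidates(groups):
        print("  %s -> %s (%s)" % (src, tgt, cls))
```

Run against the lines in this report, the `nfsd_t -> default_t` group is exactly the case Dan's advice covers with a `file_contexts.local` entry and `restorecon`, while the `nfsd_t -> httpd_sys_content_t` denials are what the `nfs_export_all_ro` / `nfs_export_all_rw` booleans address; the point of separating the two is that the first should never be turned into an allow rule on `default_t`.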