Bug 1583090
| Summary: | SELinux is preventing /usr/sbin/setfiles from map access on the file /usr/sbin/setfiles | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Lukas Slebodnik <lslebodn> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.6 | CC: | lvrabec, mgrepl, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-204.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-30 10:04:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I can see AVC even in enforcing mode
type=AVC msg=audit(1528193626.424:166): avc: denied { map } for pid=11713 comm="restorecon" path="/usr/sbin/setfiles" dev="dm-0" ino=33620913 scontext=system_u:system_r:sshd_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111 |
SELinux is preventing /usr/sbin/setfiles from map access on the file /usr/sbin/setfiles. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that setfiles should be allowed map access on the setfiles file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'restorecon' --raw | audit2allow -M my-restorecon # semodule -i my-restorecon.pp Additional Information: Source Context system_u:system_r:sshd_keygen_t:s0 Target Context system_u:object_r:setfiles_exec_t:s0 Target Objects /usr/sbin/setfiles [ file ] Source restorecon Source Path /usr/sbin/setfiles Port <Unknown> Host bkr-hv01-guest24.example.com Source RPM Packages policycoreutils-2.5-23.el7.x86_64 Target RPM Packages policycoreutils-2.5-23.el7.x86_64 Policy RPM selinux-policy-3.13.1-197.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name bkr-hv01-guest24.example.com Platform Linux bkr-hv01-guest24.example.com 3.10.0-893.el7.x86_64 #1 SMP Thu May 24 21:37:14 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-05-26 13:12:32 EDT Last Seen 2018-05-26 13:12:32 EDT Local ID b089678b-2971-420b-b710-a74a4704ec1d Raw Audit Messages type=AVC msg=audit(1527354752.808:36): avc: denied { map } for pid=749 comm="restorecon" path="/usr/sbin/setfiles" dev="dm-0" ino=33862505 scontext=system_u:system_r:sshd_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1527354752.808:36): arch=x86_64 syscall=execve success=yes exit=0 a0=21c8a30 a1=21ff220 a2=21f8d40 a3=7ffe7cfe5de0 items=0 ppid=639 pid=749 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=restorecon exe=/usr/sbin/setfiles subj=system_u:system_r:setfiles_t:s0 key=(null) Hash: restorecon,sshd_keygen_t,setfiles_exec_t,file,map