Bug 431484
Summary: | AVC denial from 00-netreport | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Tom London <selinux> |
Component: | initscripts | Assignee: | Bill Nottingham <notting> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | rawhide | CC: | dwalsh, rvokal |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-02-05 20:00:21 UTC | Type: | --- |
Description
Tom London
2008-02-04 22:11:44 UTC
For some reason your labeling is wrong on this directory.

restorecon -R -v /etc

Should fix it. /etc/NetworkManager/dispatcher.d/00-netreport should be labeled bin_t. Did you recreate these directories?

I did the above before filing BZ. Still happens.

Argh.... the inode points to

[root@localhost etc]# ls -l */init
-rwxr-xr-x 1 root root 1068 2008-02-03 21:52 sysconfig/init
[root@localhost etc]#
[root@localhost etc]# ls -lZ */init
-rwxr-xr-x root root system_u:object_r:etc_t sysconfig/init
[root@localhost etc]#

does /etc/sysconfig/init need to be bin_t?

--------------------

[root@localhost NetworkManager]# restorecon -v -R /etc
[root@localhost NetworkManager]# ls -lZ
drwxr-xr-x root root system_u:object_r:bin_t dispatcher.d
drwxr-xr-x root root system_u:object_r:etc_t VPN
[root@localhost NetworkManager]# cd *
[root@localhost dispatcher.d]# ls -lZ
-rwxr-xr-x root root system_u:object_r:bin_t 00-netreport
[root@localhost dispatcher.d]#

Here is AVC for this morning's boot:

type=AVC msg=audit(1202221352.502:25): avc: denied { execute } for pid=3245 comm="00-netreport" name="init" dev=dm-0 ino=11076091 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1202221352.502:25): arch=40000003 syscall=33 success=no exit=-13 a0=95a4398 a1=1 a2=11 a3=95a4398 items=0 ppid=2585 pid=3245 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="00-netreport" exe="/bin/bash" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Reopening, then.

Changing the label of /etc/sysconfig/init to 'bin_t' makes the AVC go away on boot. Not sure it's "the right thing" though......

Looks ok to me.

Fixed in selinux-policy-3.2.6-6.fc9
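The two audit records quoted in this report can be read mechanically. The following Python is an added example, not part of the bug report or of any Fedora tool; the function names `parse_record`, `selinux_type` and `explain_denial` are made up for illustration. It joins the AVC record with its SYSCALL record by audit serial and pulls out the source domain, the target label and the failing object.

```python
import errno
import re

# Both records are copied from the report above; they share audit serial 25.
AVC = ('type=AVC msg=audit(1202221352.502:25): avc: denied { execute } for '
       'pid=3245 comm="00-netreport" name="init" dev=dm-0 ino=11076091 '
       'scontext=system_u:system_r:NetworkManager_t:s0 '
       'tcontext=system_u:object_r:etc_t:s0 tclass=file')
SYSCALL = ('type=SYSCALL msg=audit(1202221352.502:25): arch=40000003 syscall=33 '
           'success=no exit=-13 a0=95a4398 a1=1 a2=11 a3=95a4398 items=0 '
           'ppid=2585 pid=3245 auid=4294967295 uid=0 gid=0 euid=0 suid=0 '
           'fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="00-netreport" '
           'exe="/bin/bash" subj=system_u:system_r:NetworkManager_t:s0 key=(null)')

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of its header and key=value fields."""
    head = HEADER.match(line)
    if head is None:
        raise ValueError('not an audit record: %r' % line[:40])
    rec = {'type': head.group(1), 'serial': int(head.group(3))}
    body = line[head.end():]
    rec.update((k, v.strip('"')) for k, v in FIELD.findall(body))
    verdict = PERMS.search(body)
    if verdict:
        rec['result'], rec['perms'] = verdict.group(1), verdict.group(2).split()
    return rec

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def explain_denial(avc_line, syscall_line):
    """Join an AVC record with its SYSCALL record and summarise the denial."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc['type'] != 'AVC' or sc['type'] != 'SYSCALL' or avc['serial'] != sc['serial']:
        raise ValueError('records do not belong to the same audit event')
    return {'source_type': selinux_type(avc['scontext']),
            'target_type': selinux_type(avc['tcontext']),
            'tclass': avc['tclass'], 'perms': avc['perms'],
            'object': avc['name'], 'inode': int(avc['ino']), 'exe': sc['exe'],
            'errno': errno.errorcode[-int(sc['exit'])]}

if __name__ == '__main__':
    print(explain_denial(AVC, SYSCALL))
```

The summary shows why relabeling 00-netreport alone did not help: the denied object is the file named init (inode 11076091, labeled etc_t), which the script tried to execute while running under /bin/bash in the NetworkManager_t domain.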