| Summary: | SELinux is preventing /usr/sbin/semodule from 'append' accesses on the plik /tmp/tmpWX1ItE. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | mand0s |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 13 | CC: | bugs2rl, dwalsh, mand0s, mgrepl, trimblegator |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:f1cc6a5f1fe833b00bfccb6427a09d55762dd1a608063f6ab43e9d43a1e3c50f | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-02-27 22:47:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
*** Bug 680682 has been marked as a duplicate of this bug. *** Make sure /usr/libexec/packagekitd is labeled correctly # ls -lZ /usr/libexec/packagekitd -rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0 /usr/libexec/packagekitd If you have a different label on it, please execute # restorecon -R -v /usr/libexec/packagekitd If I am wrong, please reopen the bug. |
SELinux is preventing /usr/sbin/semodule from 'append' accesses on the plik /tmp/tmpWX1ItE. ***** Plugin catchall (50.5 confidence) suggests *************************** If aby semodule powinno mieć domyślnie append dostęp do tmpWX1ItE file. Then proszę to zgłosić jako błąd. Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp. Do można tymczasowo zezwolić na ten dostęp wykonując polecenia: # grep semodule /var/log/audit/audit.log | audit2allow -M moja_polityka # semodule -i moja_polityka.pp ***** Plugin leaks (50.5 confidence) suggests ****************************** If należy zignorować próbę dostępu semodule append do tmpWX1ItE file, ponieważ nie powinno to wymagać tego dostępu. Then należy zgłosić to jako błąd. Można utworzyć lokalny moduł polityki, aby zabronić ten dostęp. Do # grep /usr/sbin/semodule /var/log/audit/audit.log | audit2allow -D -M moja_polityka # semodule -i moja_polityka.pp Additional Information: Source Context system_u:system_r:semanage_t:s0-s0:c0.c1023 Target Context system_u:object_r:initrc_tmp_t:s0 Target Objects /tmp/tmpWX1ItE [ file ] Source semodule Source Path /usr/sbin/semodule Port <Nieznane> Host (removed) Source RPM Packages policycoreutils-2.0.83-33.1.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-76.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.34.7-66.fc13.i686.PAE #1 SMP Wed Dec 15 07:21:49 UTC 2010 i686 i686 Alert Count 2 First Seen nie, 27 lut 2011, 00:05:22 Last Seen nie, 27 lut 2011, 00:05:23 Local ID 9ab4ab02-4af7-4193-b0fe-e4bc3f95c593 Raw Audit Messages type=AVC msg=audit(1298761523.261:82): avc: denied { append } for pid=11741 comm="semodule" path="/tmp/tmpWX1ItE" dev=sda4 ino=1105993 scontext=system_u:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file type=AVC msg=audit(1298761523.261:82): avc: denied { append } for pid=11741 comm="semodule" path="/tmp/tmpWX1ItE" dev=sda4 ino=1105993 scontext=system_u:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1298761523.261:82): arch=i386 syscall=execve success=yes exit=0 a0=8199778 a1=81997c8 a2=8195468 a3=81997c8 items=0 ppid=11740 pid=11741 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=semodule exe=/usr/sbin/semodule subj=system_u:system_r:semanage_t:s0-s0:c0.c1023 key=(null) Hash: semodule,semanage_t,initrc_tmp_t,file,append audit2allow #============= semanage_t ============== allow semanage_t initrc_tmp_t:file append; audit2allow -R #============= semanage_t ============== allow semanage_t initrc_tmp_t:file append;