Description of problem:
in dmesg
[...]
SELinux: initialized (dev hda8, type ext3), uses xattr
[...]
audit(1106666401.707:0): avc: denied { transition } for pid=4023 exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648 scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t tclass=process
----
$ mount
/dev/hda8 on / type ext3 (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
none on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.21.3-1

How reproducible:
always

Steps to Reproduce:
1. booting
2.
3.

Actual results:
avc: denied

Expected results:

Additional info:
policy is "targeted".
vixie-cron-4.1-21

sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 18
Policy from config file:        targeted

Policy booleans:
allow_kerberos                  active
allow_ypbind                    active
cupsd_disable_trans             inactive
dhcpd_disable_trans             inactive
dovecot_disable_trans           inactive
fingerd_disable_trans           inactive
ftp_home_dir                    active
ftpd_disable_trans              inactive
ftpd_is_daemon                  active
howl_disable_trans              inactive
httpd_disable_trans             inactive
httpd_enable_cgi                active
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_tty_comm                  inactive
httpd_unified                   active
i18n_input_disable_trans        inactive
inetd_child_disable_trans       inactive
inetd_disable_trans             inactive
innd_disable_trans              inactive
kadmind_disable_trans           inactive
krb5kdc_disable_trans           inactive
ktalkd_disable_trans            inactive
lpd_disable_trans               inactive
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nfs_export_all_ro               active
nfs_export_all_rw               active
nmbd_disable_trans              inactive
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
portmap_disable_trans           inactive
postgresql_disable_trans        inactive
privoxy_disable_trans           inactive
ptal_disable_trans              inactive
radiusd_disable_trans           inactive
radvd_disable_trans             inactive
read_default_t                  active
rlogind_disable_trans           inactive
rsync_disable_trans             inactive
samba_enable_home_dirs          inactive
slapd_disable_trans             inactive
smbd_disable_trans              inactive
snmpd_disable_trans             inactive
spamd_disable_trans             inactive
squid_disable_trans             inactive
stunnel_disable_trans           inactive
stunnel_is_daemon               inactive
syslogd_disable_trans           inactive
telnetd_disable_trans           inactive
tftpd_disable_trans             inactive
use_nfs_home_dirs               inactive
use_samba_home_dirs             inactive
winbind_disable_trans           inactive
ypbind_disable_trans            inactive
ypserv_disable_trans            inactive
zebra_disable_trans             inactive

Process contexts:
Current context:                root:system_r:unconfined_t
Init context:                   user_u:system_r:unconfined_t
/sbin/mingetty                  user_u:system_r:unconfined_t
/usr/sbin/sshd                  user_u:system_r:initrc_t

File contexts:
Controlling term:               user_u:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:bin_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:sbin_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/mingetty                  system_u:object_r:sbin_t
/usr/sbin/sshd                  system_u:object_r:sbin_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
This problem happens again in selinux-policy-targeted-1.21.3-6.
----
in dmesg
[...]
audit(1106839801.270:0): avc: denied { transition } for pid=3881 exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648 scontext=user_u:system_r:system_crond_t tcontext=system_u:system_r:unconfined_t tclass=process
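The two denials quoted above say the same thing in different domains: when crond (running as initrc_t in the first report and as system_crond_t in the second) executed /bin/bash, the kernel refused the `process transition` into unconfined_t that the execve would have performed, so the cron job never ran. The parser below is an added example, not code from this report or from the selinux-policy package. It pulls the fields out of AVC records in the dmesg format shown here and renders, for each distinct denial, the `allow SRC TGT:CLASS PERM;` rule that would permit the access, in the same shape audit2allow(1) prints, so the exact gap in the policy can be read off. The two audit lines in the sample input are copied from this report; the function and class names are this example's own.

```python
"""Parse SELinux AVC denial records in the dmesg format quoted above.

Added example, not code from the bug report or from selinux-policy. The
audit lines in SAMPLE_DMESG are copied from the report; the parser, its
names and the allow-rule rendering are this example's own construction,
written to mirror the `allow SRC TGT:CLASS PERM;` shape audit2allow prints.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample input: the initialisation line and the two denials
# quoted in the report (single-spaced, as they appear on the page).
SAMPLE_DMESG = """\
SELinux: initialized (dev hda8, type ext3), uses xattr
audit(1106666401.707:0): avc: denied { transition } for pid=4023 exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648 scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t tclass=process
audit(1106839801.270:0): avc: denied { transition } for pid=3881 exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648 scontext=user_u:system_r:system_crond_t tcontext=system_u:system_r:unconfined_t tclass=process
"""

# audit(<secs.millis>:<serial>): avc: denied { perm [perm ...] } for key=value ...
# Whitespace is matched loosely because real dmesg output pads some gaps
# with two spaces while the lines quoted on the page use one.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcRecord:
    when: datetime
    verdict: str          # "denied" or "granted"
    perms: List[str]      # permissions inside the braces
    fields: Dict[str, str]  # pid, exe, path, dev, ino, scontext, tcontext, tclass, ...

    def _type(self, key: str) -> str:
        # A security context is user:role:type[:range]; the type is field 3.
        return self.fields[key].split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type("scontext")

    @property
    def target_type(self) -> str:
        return self._type("tcontext")

    def allow_rule(self) -> str:
        """Render the rule that would permit this access (audit2allow shape)."""
        perms = sorted(self.perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.fields['tclass']} {body};"


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for an AVC line, or None for any other dmesg line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    when = datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc)
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return AvcRecord(when, m.group("verdict"), m.group("perms").split(), fields)


def parse_log(text: str) -> List[AvcRecord]:
    return [rec for rec in (parse_avc(line) for line in text.splitlines()) if rec]


def is_exec_transition_denial(rec: AvcRecord) -> bool:
    """The pattern in this report: a domain was refused the process
    transition that executing a labelled binary would perform."""
    return (rec.verdict == "denied"
            and rec.fields.get("tclass") == "process"
            and "transition" in rec.perms)


def unique_rules(records: List[AvcRecord]) -> List[str]:
    """One allow rule per distinct denial, deduplicated across repeats."""
    return sorted({rec.allow_rule() for rec in records if rec.verdict == "denied"})


if __name__ == "__main__":
    records = parse_log(SAMPLE_DMESG)
    for rec in records:
        print(f"{rec.when.isoformat()} pid={rec.fields.get('pid')} "
              f"{rec.fields.get('exe')} exec {rec.fields.get('path')}: "
              f"{rec.source_type} -> {rec.target_type} {rec.verdict} {rec.perms}")
    for rule in unique_rules(records):
        print(rule)
```

Run it directly to see the two rendered rules. The point of rendering them is to read the gap, not to load them: the target type here is unconfined_t, so a rule allowing a daemon domain to transition into it moves every cron job out of confinement, which is why the correction belongs in the policy package rather than in a local module.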
I get the same here, with yesterday's rawhide, even after relabeling / (containing usr, var, etc, etc :-) and rebooting. I get hourly e-mails indicating permission denied to run /bin/bash or /bin/sh, with subjects such as:

Cron <root@$host> run-parts /etc/cron.hourly
Cron <root@$host> /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok
Cron <root@$host> /usr/lib/sa/sa1 1 1

Quite annoying :-(

I see there are special provisions for cron in crond.te, but I don't see any of them making it to file_contexts or policy; is that intentional?
1.21.5-4 should fix that. Available now on ftp://people.redhat.com/dwalsh/SELinux/Fedora or tomorrow via Rawhide.