Bug 457421 - SELinux complains of mislabeled /etc/services file
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.2
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh

Reported: 2008-07-31 11:44 EDT by Sean Cavanaugh
Modified: 2008-08-01 10:54 EDT
Doc Type: Bug Fix
Last Closed: 2008-08-01 10:54:21 EDT

Description Sean Cavanaugh 2008-07-31 11:44:59 EDT
Description of problem:

In a fresh default RHEL 5.2 install, the /etc/services file is mislabeled,
causing SELinux to deny access to the file. This prevents NTP from syncing on
boot. The install was performed via NFS install, and the system was updated to
the latest packages very soon after first boot. I can't remember if this problem
existed on the very first boot or not.

The /etc/services file is labeled as user_u:object_r:rpm_script_tmp_t

How reproducible:

Unsure. I will try another install when I get a chance to try to reproduce. 

From setroubleshoot browser:

Summary
SELinux is preventing the ntpd from using potentially mislabeled files
(./services). 

Detailed Description
SELinux has denied ntpd access to potentially mislabeled file(s) (./services).
This means that SELinux will not allow ntpd to use these files. It is common for
users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access. 

Allowing Access
If you want ntpd to access this files, you need to relabel them using restorecon
-v './services'. You might want to relabel the entire directory using restorecon
-R -v '.'. 

Additional Information
Source Context:  system_u:system_r:ntpd_t
Target Context:  user_u:object_r:rpm_script_tmp_t
Target Objects:  ./services [ file ]
Source:  ntpdate
Source Path:  /usr/sbin/ntpdate
Port:  <Unknown>
Host:  kana.usask.ca
Source RPM Packages:  ntp-4.2.2p1-8.el5
Target RPM Packages:  
Policy RPM:  selinux-policy-2.4.6-137.1.el5_2
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  home_tmp_bad_labels
Host Name:  kana.usask.ca
Platform:  Linux kana.usask.ca 2.6.18-92.1.6.el5PAE #1 SMP Fri Jun 20 02:51:01
EDT 2008 i686 i686
Alert Count:  20
First Seen:  Thu 31 Jul 2008 09:13:36 AM CST
Last Seen:  Thu 31 Jul 2008 09:16:29 AM CST
Local ID:  35e7e958-2271-41d3-b8b2-61556da730e4
Line Numbers:  
Raw Audit Messages :
host=kana.usask.ca type=AVC msg=audit(1217517389.459:19): avc: denied { read }
for pid=5493 comm="ntpd" name="services" dev=dm-0 ino=2587691
scontext=system_u:system_r:ntpd_t:s0
tcontext=user_u:object_r:rpm_script_tmp_t:s0 tclass=file 
host=kana.usask.ca type=SYSCALL msg=audit(1217517389.459:19): arch=40000003
syscall=5 success=no exit=-13 a0=733291 a1=0 a2=1b6 a3=9814870 items=0 ppid=5476
pid=5493 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd"
subj=system_u:system_r:ntpd_t:s0 key=(null) 


[root@kana etc]# ls -Z /etc/services
-rw-r--r--  root root user_u:object_r:rpm_script_tmp_t /etc/services

Comment 1 Daniel Walsh 2008-08-01 10:54:21 EDT
VMware installation breaks the label of /etc/services

restorecon /etc/services

will fix.

You can add /etc/services to /etc/selinux/restorecond.conf to make sure this does not happen again.
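
An added example, not part of the original bug report or of setroubleshoot: a small audit-log triage script that finds AVC file denials whose target carries a scratch or home type, which is the pattern seen in the report. The `SUSPECT_TYPES` list and the second sample record are assumptions made for illustration.

```python
import re
from collections import Counter

# Target types suggesting a file was written in a scratch or home location and
# then moved into place. Assumed list for illustration; it is not the list
# used by setroubleshoot's home_tmp_bad_labels plugin.
SUSPECT_TYPES = {"rpm_script_tmp_t", "tmp_t", "user_tmp_t", "user_home_t"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

# First record is the AVC from the report joined onto one line, as it appears
# in audit.log; the second is constructed and must not be flagged.
SAMPLE_LOG = (
    'host=kana.usask.ca type=AVC msg=audit(1217517389.459:19): avc: denied { read } '
    'for pid=5493 comm="ntpd" name="services" dev=dm-0 ino=2587691 '
    'scontext=system_u:system_r:ntpd_t:s0 '
    'tcontext=user_u:object_r:rpm_script_tmp_t:s0 tclass=file\n'
    'type=AVC msg=audit(1217517400.100:20): avc: denied { read } '
    'for pid=6000 comm="example" name="example.conf" dev=dm-0 ino=100 '
    'scontext=system_u:system_r:ntpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file\n'
)

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def mislabeled_targets(log_text):
    """Count AVC file denials whose target carries a suspect type.

    Keys are (dev, ino, name, target_type, source_type); the record holds only
    the basename and inode, so the full path has to be resolved on the host.
    """
    hits = Counter()
    for line in log_text.splitlines():
        if "type=AVC" not in line or not DENIED_RE.search(line):
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if f.get("tclass") != "file":
            continue
        ttype = context_type(f.get("tcontext", ""))
        if ttype in SUSPECT_TYPES:
            hits[(f.get("dev"), f.get("ino"), f.get("name"), ttype,
                  context_type(f.get("scontext", "")))] += 1
    return hits

if __name__ == "__main__":
    for key, count in mislabeled_targets(SAMPLE_LOG).items():
        print(count, *key)
```

Grouping by device and inode collapses repeated denials for the same file (the report shows an alert count of 20) into a single entry to relabel.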