Description of problem:
Tripwire Enterprise v7.1 allows "push" upgrades of the remote agents installed on servers. When attempting to upgrade an agent, SELinux is blocking the upgrade.

Version-Release number of selected component (if applicable):
Tripwire Agent Version: 7.1.0.552

How reproducible:
Attempt a push upgrade. The upgrade fails. The following error message is generated when you search on the SELinux alert number:

Summary:
SELinux is preventing rpm (java_t) "transition" to /bin/bash (rpm_script_t).

Detailed Description:
SELinux denied access requested by rpm. It is not expected that this access is required by rpm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context                system_u:system_r:java_t
Target Context                system_u:system_r:rpm_script_t
Target Objects                /bin/bash [ process ]
Source                        rpm
Source Path                   /bin/rpm
Port                          <Unknown>
Host                          (server name deleted)
Source RPM Packages           rpm-4.4.2-48.el5
Target RPM Packages           bash-3.2-21.el5
Policy RPM                    selinux-policy-2.4.6-137.1.el5_2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     scorpius.thirdfed.thirdfederal.local
Platform                      Linux scorpius.thirdfed.thirdfederal.local 2.6.18-92.1.10.el5 #1 SMP Wed Jul 23 03:55:54 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Thu Aug 7 11:31:33 2008
Last Seen                     Thu Aug 7 11:31:33 2008
Local ID                      6d9c3dcc-c980-46c0-bb2e-97f88f7fddd9
Line Numbers

Raw Audit Messages:
host=scorpius.thirdfed.thirdfederal.local type=AVC msg=audit(1218123093.80:491): avc: denied { transition } for pid=1594 comm="rpm" path="/bin/bash" dev=cciss/c0d0p10 ino=8511461 scontext=system_u:system_r:java_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
host=scorpius.thirdfed.thirdfederal.local type=SYSCALL msg=audit(1218123093.80:491): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=8adeb05 a1=bfb88d00 a2=8aa9c88 a3=0 items=0 ppid=1593 pid=1594 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpm" exe="/bin/rpm" subj=system_u:system_r:java_t:s0 key=(null)

Additional info:
I opened a support case with Tripwire but haven't heard anything yet.
Why is the shell running as java_t? Is java involved somewhere here, or are you running on a badly labeled machine? What does

id -Z

show? It should show unconfined_t, not java_t.
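To see what the AVC record in the report actually says, and why the comment above asks about the source domain, here is an added example (not from the report or from Tripwire) that parses the denial, derives the allow rule that audit2allow would propose from it, and flags that the real question is which domain the parent process (comm=rpm's caller, the agent JVM) is running in before any local policy module is written. The AVC line is a copy of the one quoted in the report; the diagnosis wording is mine.

```python
import re

# Copy of the AVC record quoted in the bug report (host= prefix dropped).
AVC_LINE = ('type=AVC msg=audit(1218123093.80:491): avc: denied { transition } '
            'for pid=1594 comm="rpm" path="/bin/bash" dev=cciss/c0d0p10 ino=8511461 '
            'scontext=system_u:system_r:java_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 '
            'tclass=process')

_PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')   # { perm perm ... }
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                   # key=value or key="value"


def parse_avc(line):
    """Return the key=value fields of an AVC denial plus the list of denied permissions."""
    m = _PERM_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    fields["perms"] = m.group(1).split()
    return fields


def context_type(ctx):
    """user:role:type[:level] -> type (e.g. system_u:system_r:java_t:s0 -> java_t)."""
    return ctx.split(":")[2]


def allow_rule(avc):
    """The type-enforcement rule audit2allow would emit for this denial."""
    src = context_type(avc["scontext"])
    tgt = context_type(avc["tcontext"])
    return f"allow {src} {tgt}:{avc['tclass']} {' '.join(sorted(avc['perms']))};"


def diagnose(avc):
    """Say whether this is a domain-transition denial and what to check before allowing it."""
    src = context_type(avc["scontext"])
    tgt = context_type(avc["tcontext"])
    if src.startswith("unconfined"):
        return "unconfined source domain: not a transition problem"
    if avc["tclass"] == "process" and "transition" in avc["perms"]:
        return (f"domain transition {src} -> {tgt} denied: the process that launched "
                f"comm={avc['comm']} runs as {src}; confirm with id -Z / ps -eZ on the "
                "agent before generating a local policy module")
    return "other denial"
```

For the record above, allow_rule() yields `allow java_t rpm_script_t:process transition;`, which is exactly the rule a local module would add; diagnose() points at verifying the agent's domain first, as the comment above does.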