Bug 486438 - SELinux is preventing chcon (rpm_script_t) "mac_admin" rpm_script_t.
Summary: SELinux is preventing chcon (rpm_script_t) "mac_admin" rpm_script_t.
Keywords:
Status: CLOSED DUPLICATE of bug 486634
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-02-19 18:43 UTC by stanl
Modified: 2009-02-23 14:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-02-20 19:23:21 UTC
Type: ---
Embargoed:



Description stanl 2009-02-19 18:43:26 UTC
Description of problem: SELinux denied access requested by chcon. It is not expected that this access is required by chcon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.


Version-Release number of selected component (if applicable):


How reproducible:  Not sure, probably every time.


Steps to Reproduce:
1.  I was running a yum update with updates-testing enabled
2.
3.
  
Actual results:  Lots of SELinux denials (yellow stars)


Expected results:  No denials.


Additional info:  It's formatted in the SETroubleshooter output, not sure what happens when I paste it.

Source Context:  unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Target Context:  unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Target Objects:  None [ capability2 ]
Source:  chcon
Source Path:  /usr/bin/chcon
Port:  <Unknown>
Host:  fedora10.sata1
Source RPM Packages:  coreutils-6.12-18.fc10
Target RPM Packages:
Policy RPM:  selinux-policy-3.5.13-45.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  fedora10.sata1
Platform:  Linux fedora10.sata1 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11 23:14:31 EST 2009 x86_64 x86_64
Alert Count:  200
First Seen:  Fri 13 Feb 2009 12:48:32 PM MST
Last Seen:  Thu 19 Feb 2009 11:31:13 AM MST
Local ID:  e7133d74-d5cb-4d55-b2c2-6799a36512a9
Line Numbers:

Raw Audit Messages :

node=fedora10.sata1 type=AVC msg=audit(1235068273.927:93233): avc: denied { mac_admin } for pid=1211 comm="chcon" capability=33 scontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=capability2

node=fedora10.sata1 type=SYSCALL msg=audit(1235068273.927:93233): arch=c000003e syscall=189 success=no exit=-22 a0=12f3670 a1=3aaba146f9 a2=12f3570 a3=20 items=0 ppid=1210 pid=1211 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 ses=376 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
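
Added example (not part of the original report and not SELinux project code): a short Python triage of the two raw audit messages quoted in the description, pairing the AVC and SYSCALL records by audit serial so the denial can be read next to the system call that triggered it. The triage() helper and the XATTR_SYSCALLS table are names introduced here for illustration.

```python
import errno
import re
from collections import defaultdict

# The two raw audit records quoted in the description above.
RAW = (
    'node=fedora10.sata1 type=AVC msg=audit(1235068273.927:93233): avc: denied '
    '{ mac_admin } for pid=1211 comm="chcon" capability=33 '
    'scontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=capability2 '
    'node=fedora10.sata1 type=SYSCALL msg=audit(1235068273.927:93233): '
    'arch=c000003e syscall=189 success=no exit=-22 a0=12f3670 a1=3aaba146f9 '
    'a2=12f3570 a3=20 items=0 ppid=1210 pid=1211 auid=0 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 ses=376 comm="chcon" '
    'exe="/usr/bin/chcon" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 '
    'key=(null)'
)

# x86_64 (arch=c000003e) syscalls that write an extended attribute.
XATTR_SYSCALLS = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"}

RECORD = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*?)(?=\s*node=|$)', re.S)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def triage(raw):
    """Group records by audit serial and summarise each AVC denial."""
    events = defaultdict(dict)
    for rtype, serial, body in RECORD.findall(raw):
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            fields["perms"] = re.search(r'\{ ([^}]*) \}', body).group(1).split()
        events[serial][rtype] = fields
    out = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc:
            continue
        nr, rc = int(sc.get("syscall", -1)), int(sc.get("exit", 0))
        out.append({
            "serial": serial, "perms": avc["perms"], "tclass": avc["tclass"],
            "domain": avc["scontext"].split(":")[2],
            "exe": sc.get("exe"), "ppid": sc.get("ppid"),
            "syscall": XATTR_SYSCALLS.get(nr, str(nr)),
            "errno": errno.errorcode.get(-rc) if rc < 0 else None,
        })
    return out

if __name__ == "__main__":
    for event in triage(RAW):
        print(event)
```

For the records above, the summary shows the mac_admin denial was raised during an lsetxattr call by /usr/bin/chcon that returned EINVAL, with parent PID 1210.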

Comment 1 Daniel Walsh 2009-02-20 13:48:02 UTC
Do you have any idea which program was being updated when you saw this AVC?

Could you execute the following

rpm -qa --scripts | grep chcon

Comment 2 stanl 2009-02-20 18:26:38 UTC
I don't have an answer for your question.  If it happens again, I'll make note of the currently occurring update.  In the meantime, here is the result of the command you requested.

$ rpm -qa --scripts | grep chcon
                /usr/bin/chcon "$SECXT"  /var/log/lastlog >/dev/null 2>&1
/usr/bin/chcon -R system_u:object_r:squid_cache_t /var/squidGuard >/dev/null 2>&1
/usr/bin/chcon -R system_u:object_r:squid_log_t /var/log/squidGuard >/dev/null 2>&1
chcon -t texrel_shlib_t /usr/lib64/libannodex.so.*

Comment 3 Daniel Walsh 2009-02-20 19:23:21 UTC

*** This bug has been marked as a duplicate of bug 486634 ***

Comment 4 Daniel Walsh 2009-02-23 14:44:45 UTC
stanl, I found what is causing this and opened a bug with squidGuard to fix it.

