Bug 486438 - SELinux is preventing chcon (rpm_script_t) "mac_admin" rpm_script_t.
Status: CLOSED DUPLICATE of bug 486634
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2009-02-19 13:43 EST by stanl
Modified: 2009-02-23 09:44 EST
Doc Type: Bug Fix
Last Closed: 2009-02-20 14:23:21 EST
Description stanl 2009-02-19 13:43:26 EST
Description of problem: SELinux denied access requested by chcon. It is not expected that this access is required by chcon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.


Version-Release number of selected component (if applicable):


How reproducible:  Not sure, probably every time.


Steps to Reproduce:
1. I was running a yum update with updates-testing enabled

Actual results:  Lots of SELinux denials (yellow stars)


Expected results:  No denials.


Additional info:  It's formatted in the SETroubleshooter output, not sure what happens when I paste it.

Source Context:  unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Target Context:  unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Target Objects:  None [ capability2 ]
Source:  chcon
Source Path:  /usr/bin/chcon
Port:  <Unknown>
Host:  fedora10.sata1
Source RPM Packages:  coreutils-6.12-18.fc10
Target RPM Packages:
Policy RPM:  selinux-policy-3.5.13-45.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  fedora10.sata1
Platform:  Linux fedora10.sata1 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11 23:14:31 EST 2009 x86_64 x86_64
Alert Count:  200
First Seen:  Fri 13 Feb 2009 12:48:32 PM MST
Last Seen:  Thu 19 Feb 2009 11:31:13 AM MST
Local ID:  e7133d74-d5cb-4d55-b2c2-6799a36512a9
Line Numbers:

Raw Audit Messages :

node=fedora10.sata1 type=AVC msg=audit(1235068273.927:93233): avc: denied { mac_admin } for pid=1211 comm="chcon" capability=33 scontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=capability2

node=fedora10.sata1 type=SYSCALL msg=audit(1235068273.927:93233): arch=c000003e syscall=189 success=no exit=-22 a0=12f3670 a1=3aaba146f9 a2=12f3570 a3=20 items=0 ppid=1210 pid=1211 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 ses=376 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-02-20 08:48:02 EST
Do you have any idea which program was being updated when you saw this AVC?

Could you execute the following

rpm -qa --scripts | grep chcon
Comment 2 stanl 2009-02-20 13:26:38 EST
I don't have an answer for your question.  If it happens again, I'll make note of the currently occurring update.  In the meantime, here is the result of the command you requested.

$ rpm -qa --scripts | grep chcon
                /usr/bin/chcon "$SECXT"  /var/log/lastlog >/dev/null 2>&1
/usr/bin/chcon -R system_u:object_r:squid_cache_t /var/squidGuard >/dev/null 2>&1
/usr/bin/chcon -R system_u:object_r:squid_log_t /var/log/squidGuard >/dev/null 2>&1
chcon -t texrel_shlib_t /usr/lib64/libannodex.so.*
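
The `rpm -qa --scripts | grep chcon` output above shows the matching scriptlet lines but not which package owns each one, which is the question Comment 1 asks. The following is an added example, not part of the bug report or of any Fedora tooling; it tags every chcon call with its package and the label it sets. The `==` marker convention, the function names and the sample package names are assumptions of this sketch.

```shell
#!/bin/bash
# Added example: attribute chcon calls in RPM scriptlets to the owning package.

# Emit "== <package>" before each package's scriptlets (marker is this sketch's own convention).
dump_scripts() {
    rpm -qa | while read -r pkg; do
        printf '== %s\n' "$pkg"
        rpm -q --scripts "$pkg"
    done
}

# stdin: dump_scripts stream. stdout: package<TAB>kind<TAB>label, one line per chcon call.
# kind: type (-t / --type), context (user:role:type), dynamic (shell variable, unknown statically).
chcon_by_package() {
    awk '
        /^== / { pkg = substr($0, 4); next }
        {
            n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (f[i] !~ /(^|\/)chcon$/) continue
                label = ""
                for (j = i + 1; j <= n; j++) {
                    if (f[j] == "-t" || f[j] == "--type") { label = f[j + 1]; break }
                    if (f[j] ~ /^--type=/) { label = substr(f[j], 8); break }
                    if (f[j] ~ /^-/) continue      # other options such as -R
                    label = f[j]; break            # first operand is the context
                }
                kind = (label ~ /\$/) ? "dynamic" : ((label ~ /:/) ? "context" : "type")
                printf "%s\t%s\t%s\n", pkg, kind, label
                break
            }
        }'
}

# Constructed sample: package names are placeholders; the chcon lines are those in Comment 2.
sample_scripts() {
    cat <<'EOF'
== example-pkg-a-1.0-1.fc10
postinstall scriptlet (using /bin/sh):
                /usr/bin/chcon "$SECXT"  /var/log/lastlog >/dev/null 2>&1
== example-pkg-b-1.0-1.fc10
postinstall scriptlet (using /bin/sh):
/usr/bin/chcon -R system_u:object_r:squid_cache_t /var/squidGuard >/dev/null 2>&1
/usr/bin/chcon -R system_u:object_r:squid_log_t /var/log/squidGuard >/dev/null 2>&1
== example-pkg-c-1.0-1.fc10
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
chcon -t texrel_shlib_t /usr/lib64/libannodex.so.*
EOF
}

sample_scripts | chcon_by_package
```

On a live system, run `dump_scripts | chcon_by_package` instead of the sample. Labels reported as `context` or `type` can then be compared with the types listed by `seinfo -t`, since the kernel consults `mac_admin` when a process sets a label the loaded policy does not define.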
Comment 3 Daniel Walsh 2009-02-20 14:23:21 EST

*** This bug has been marked as a duplicate of bug 486634 ***
Comment 4 Daniel Walsh 2009-02-23 09:44:45 EST
stanl, I found what is causing this and opened a bug with squidGuard to fix it.
