On condor upgrade, an AVC is thrown

Mar 12 19:51:17 amd-warthog-03 setroubleshoot: SELinux is preventing setfiles (setfiles_t) "write" to pipe (rpm_script_t). For complete SELinux messages. run sealert -l ef251d04-c7b8-4e5f-a2c9-9d633d9609ec

# sealert -l ef251d04-c7b8-4e5f-a2c9-9d633d9609ec

Summary:

SELinux is preventing setfiles (setfiles_t) "write" to pipe (rpm_script_t).

Detailed Description:

SELinux denied access requested by setfiles. It is not expected that this access is required by setfiles and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:setfiles_t:SystemLow-SystemHigh
Target Context                root:system_r:rpm_script_t:SystemLow-SystemHigh
Target Objects                pipe [ fifo_file ]
Source                        setfiles
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          amd-warthog-03.lab.bos.redhat.com
Source RPM Packages           policycoreutils-1.33.12-14.2.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     amd-warthog-03.lab.bos.redhat.com
Platform                      Linux amd-warthog-03.lab.bos.redhat.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Thu Feb 26 23:45:18 2009
Last Seen                     Thu Mar 12 19:51:17 2009
Local ID                      ef251d04-c7b8-4e5f-a2c9-9d633d9609ec
Line Numbers

Raw Audit Messages

host=amd-warthog-03.lab.bos.redhat.com type=AVC msg=audit(1236901877.106:688): avc: denied { write } for pid=6110 comm="setfiles" path="pipe:[236241]" dev=pipefs ino=236241 scontext=root:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=fifo_file

host=amd-warthog-03.lab.bos.redhat.com type=AVC msg=audit(1236901877.106:688): avc: denied { write } for pid=6110 comm="setfiles" path="pipe:[236241]" dev=pipefs ino=236241 scontext=root:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=fifo_file

host=amd-warthog-03.lab.bos.redhat.com type=SYSCALL msg=audit(1236901877.106:688): arch=c000003e syscall=59 success=yes exit=0 a0=1bf398b0 a1=1bfe9b00 a2=0 a3=2b50f29a3ff0 items=0 ppid=6107 pid=6110 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=102 comm="setfiles" exe="/sbin/setfiles" subj=root:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
Any idea why this is happening, or if it prevents upgrade or installation?
It's not fatal and doesn't appear to have any ill effects. Is there a fifo pipe in one of the directories that is getting moved around for this update that may be triggering an AVC upon being moved? I didn't see it on a clean install, just an upgrade.
if [ -e /var/lib/condor/condor_master.pid ]; then
   mv /var/lib/condor/condor_master.pid /var/run/condor/condor_master.pid
fi

So a fifo in /var/run/condor that isn't being touched causes the issue? No pipe should be moved as part of the install or upgrade.
move was just a guess on my part. Turns out it happens on a fresh install too. Are any fifos created as part of the install or upgrade procedure in any different way than previous releases?
There should be no fifos created at all. I'd hope it couldn't be this pipe, which was added since 1.1...

if [ $? = 0 ]; then
   semanage fcontext -a -t unconfined_execmem_exec_t %_sbindir/condor_startd 2>&1 | grep -v "already defined"
   restorecon %_sbindir/condor_startd
fi
Yes, that's exactly what it is, and in talking to Dan, it's an SELinux policy deficiency that will be addressed in 5.4. So for now, we can simply ignore the AVC message as it's completely innocuous.
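As an added example (not part of this bug report and not condor's own packaging code), here is a small Python triage script for the kind of raw AVC record quoted above: it parses each `type=AVC` line into its fields, derives the `allow` rule that audit2allow would generate from it, and marks only the `setfiles_t` -> `rpm_script_t` `fifo_file` `write` denial that this thread settled on as known-benign, flagging anything else for investigation. The sample audit lines (including the unrelated httpd/shadow denial) are constructed to resemble the bug's raw messages, and the contents of the known-benign list are an assumption for illustration.

```python
import re

# Constructed sample audit lines modelled on the raw messages quoted in this
# bug (the setfiles_t -> rpm_script_t pipe denial and its SYSCALL record), plus
# one unrelated denial so the triage has something to flag. Not from a live host.
SAMPLE_AUDIT = """\
host=amd-warthog-03.lab.bos.redhat.com type=AVC msg=audit(1236901877.106:688): avc: denied { write } for pid=6110 comm="setfiles" path="pipe:[236241]" dev=pipefs ino=236241 scontext=root:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=fifo_file
host=amd-warthog-03.lab.bos.redhat.com type=SYSCALL msg=audit(1236901877.106:688): arch=c000003e syscall=59 success=yes exit=0 ppid=6107 pid=6110 auid=0 uid=0 comm="setfiles" exe="/sbin/setfiles" subj=root:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1236901900.500:701): avc: denied { read open } for pid=7000 comm="httpd" name="shadow" dev=sda1 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Only AVC records carry the denial; SYSCALL records for the same serial are skipped.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+)\} +for +(?P<rest>.*)')
# key=value pairs; values are either double-quoted (comm, path, name) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": frozenset(m.group("perms").split()),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules key on the type field.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def allow_rule(rec):
    """The allow rule audit2allow would derive from a single AVC record."""
    perms = sorted(rec["perms"])
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm_txt)


# The one signature this bug established as a policy deficiency rather than an
# intrusion. Assumption: nothing else is whitelisted; every other denial is
# reported for investigation.
KNOWN_BENIGN = {("setfiles_t", "rpm_script_t", "fifo_file", "write")}


def triage(audit_text):
    """Classify every AVC record in audit_text as known-benign or investigate."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        sig = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
        # Every requested permission must be on the list, not just one of them.
        benign = all(sig + (p,) in KNOWN_BENIGN for p in rec["perms"])
        out.append({
            "serial": rec["serial"],
            "comm": rec.get("comm", "?"),
            "rule": allow_rule(rec),
            "verdict": "known-benign" if benign else "investigate",
        })
    return out


if __name__ == "__main__":
    for item in triage(SAMPLE_AUDIT):
        print("%-13s serial=%d comm=%s  %s" % (
            item["verdict"], item["serial"], item["comm"], item["rule"]))
```

The derived rule text is what you would feed to a local policy module if you chose the "generate a local policy module" route from the sealert output; the point of the whitelist is that a denial matching it can be suppressed in monitoring without also suppressing every other setfiles_t or rpm_script_t denial on the host.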
Seems it was not addressed in 5.4, see bug 660653.