Bug 706005 - SELinux is preventing restorecond (restorecond_t) "write" to nss (sssd_var_lib_t).
Summary: SELinux is preventing restorecond (restorecond_t) "write" to nss (sssd_var_li...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.7
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
: 706011 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-05-19 07:10 UTC by Kaushik Banerjee
Modified: 2012-10-16 11:03 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-2.4.6-306.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-21 09:20:31 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1069 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-07-21 09:18:27 UTC

Description Kaushik Banerjee 2011-05-19 07:10:09 UTC 
Note: This selinux alert was seen during the automation run.

Description of problem:
SELinux is preventing restorecond (restorecond_t) "write" to nss
(sssd_var_lib_t).

Detailed Description:

SELinux denied access requested by restorecond. It is not expected that this
access is required by restorecond and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for nss,

restorecon -v 'nss'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:restorecond_t
Target Context                root:object_r:sssd_var_lib_t
Target Objects                nss [ sock_file ]
Source                        restorecond
Source Path                   /usr/sbin/restorecond
Port                          <Unknown>
Host                          jetfire.lab.eng.pnq.redhat.com
Source RPM Packages           policycoreutils-1.33.12-14.8.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-302.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     jetfire.lab.eng.pnq.redhat.com
Platform                      Linux jetfire.lab.eng.pnq.redhat.com
                              2.6.18-259.el5 #1 SMP Fri Apr 29 01:09:57 EDT 2011
                              x86_64 x86_64
Alert Count                   186
First Seen                    Tue May 10 01:56:08 2011
Last Seen                     Wed May 18 22:37:06 2011
Local ID                      caf6c913-b94e-4c07-961b-595d2d8a9054
Line Numbers                  

Raw Audit Messages            

host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1305738426.820:5680): avc:  denied  { write } for  pid=1827 comm="restorecond" name="nss" dev=dm-0 ino=1231224 scontext=system_u:system_r:restorecond_t:s0 tcontext=root:object_r:sssd_var_lib_t:s0 tclass=sock_file

host=jetfire.lab.eng.pnq.redhat.com type=SYSCALL msg=audit(1305738426.820:5680): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fffe290bb70 a2=6e a3=0 items=0 ppid=1 pid=1827 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)
Comment 1 Miroslav Grepl 2011-05-19 10:30:42 UTC 
I am fixing it.
Comment 2 Miroslav Grepl 2011-05-19 10:31:25 UTC 
*** Bug 706011 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2011-05-19 15:32:36 UTC 
Fixed in selinux-policy-2.4.6-306.el5
Comment 6 errata-xmlrpc 2011-07-21 09:20:31 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 7 errata-xmlrpc 2011-07-21 11:56:56 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Note You need to log in before you can comment on or make changes to this bug.