Bug 842053 - SELinux is preventing semanage (semanage_t) "getattr" to / (fs_t).
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
x86_64 Linux
Priority: unspecified Severity: low
Assigned To: Miroslav Grepl
Milos Malik
Reported: 2012-07-21 07:24 EDT by Tony Molloy
Modified: 2013-01-07 22:32 EST
Fixed In Version: selinux-policy-2.4.6-330.el5
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-01-07 22:32:35 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0060 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-01-08 03:27:19 EST

Description Tony Molloy 2012-07-21 07:24:41 EDT
Description of problem:

This is on a fully updated CentOS 5.8

SELinux AVC (see above error)

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

[root@garryowen ~]#  sealert -l 8eb9a49a-1f43-4cf5-9d5f-6ab7d4718cd0


SELinux is preventing semanage (semanage_t) "getattr" to / (fs_t).

Detailed Description:

SELinux denied access requested by semanage. It is not expected that this access
is required by semanage and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:semanage_t:SystemLow-SystemHigh
Target Context                system_u:object_r:fs_t
Target Objects                / [ filesystem ]
Source                        semanage
Source Path                   <Unknown>
Port                          <Unknown>
Host                          a.b.c.d
Source RPM Packages           
Target RPM Packages           filesystem-2.4.0-3.el5.centos
Policy RPM                    selinux-policy-2.4.6-327.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     a.b.c.d
Platform                      Linux garryowen.csisdmz.ul.ie 2.6.18-308.8.2.el5
                              #1 SMP Tue Jun 12 09:58:12 EDT 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Sat Jul 21 10:48:11 2012
Last Seen                     Sat Jul 21 10:48:11 2012
Local ID                      8eb9a49a-1f43-4cf5-9d5f-6ab7d4718cd0
Line Numbers                  

Raw Audit Messages            

host=a.b.c.d type=AVC msg=audit(1342864091.173:106700): avc:  denied  { getattr } for  pid=29302 comm="semanage" name="/" dev=sda5 ino=2 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
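Added example (not part of the bug report, sealert, or the selinux-policy package): a small Python parser for the raw AVC record pasted above, and a renderer for the kind of local policy module (`.te` source, in the shape audit2allow emits) that the sealert text refers to when it says a local module can be generated to allow the access. The sample line is constructed from the record above, with the host placeholder a.b.c.d left as it appears there; `AvcRecord`, `parse_avc`, `allow_rule` and `local_module` are names chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the raw AVC record from the bug report above.
SAMPLE_AVC = (
    'host=a.b.c.d type=AVC msg=audit(1342864091.173:106700): avc:  denied  '
    '{ getattr } for  pid=29302 comm="semanage" name="/" dev=sda5 ino=2 '
    'scontext=root:system_r:semanage_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'
)

# Header of an AVC record: timestamp:serial, result, the { perm ... } set,
# then the free-form key=value fields.
_AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="semanage") or bare (dev=sda5).
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str            # "denied" or "granted"
    permissions: frozenset # e.g. {"getattr"}
    fields: dict           # pid, comm, name, dev, ino, scontext, tcontext, tclass

    @property
    def source_type(self):
        # user:role:type:level -> the domain (type) component
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self):
        return self.fields['tcontext'].split(':')[2]

    @property
    def tclass(self):
        return self.fields['tclass']


def parse_avc(line):
    """Parse one audit AVC line into an AvcRecord; raise on anything else."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('fields'))}
    return AvcRecord(float(m.group('ts')), int(m.group('serial')),
                     m.group('result'), frozenset(m.group('perms').split()), fields)


def _perm_set(perms):
    p = ' '.join(sorted(perms))
    return p if len(perms) == 1 else '{ ' + p + ' }'


def allow_rule(rec):
    """The TE allow rule that would cover this denial (what audit2allow prints)."""
    return "allow %s %s:%s %s;" % (rec.source_type, rec.target_type,
                                   rec.tclass, _perm_set(rec.permissions))


def local_module(name, records):
    """Render .te source for a local policy module covering the given denials."""
    types, classes, rules = set(), {}, set()
    for rec in records:
        types.update((rec.source_type, rec.target_type))
        classes.setdefault(rec.tclass, set()).update(rec.permissions)
        rules.add(allow_rule(rec))
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s %s;" % (c, _perm_set(p)) for c, p in sorted(classes.items())]
    lines += ["}", ""] + sorted(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print("%s -> %s:%s %s (%s, pid %s)" % (rec.source_type, rec.target_type,
          rec.tclass, sorted(rec.permissions), rec.result, rec.fields['pid']))
    print(local_module("local", [rec]))
```

Before compiling a module like this one, the `allow` line is the thing to review: here it grants `semanage_t` `getattr` on `fs_t` filesystems only, which is what the policy fix in this bug amounts to, and nothing wider.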
Comment 1 Miroslav Grepl 2012-07-24 06:40:42 EDT
We have this one in RHEL6
Comment 2 RHEL Product and Program Management 2012-07-24 06:58:08 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 3 Karel Srot 2012-07-24 08:45:56 EDT
Are you able to provide a reproducer?
Comment 4 Tony Molloy 2012-07-24 13:22:10 EDT
"a reproducer"

I can't reproduce the error. I don't know what caused it. The server was running normally and still is. The AVC just appeared in audit logs and on just this one server.

It hasn't affected the running of the server, which is why I reported it as low priority.
Comment 5 Daniel Walsh 2012-07-24 13:27:07 EDT
We can add the allow rule, and I would just ignore it, since it has not caused any damage.
Comment 6 Tony Molloy 2012-07-25 02:48:38 EDT
That's what I did.
I just reported it as low priority as it was involved with SELinux itself.

Comment 7 Miroslav Grepl 2012-07-30 02:50:13 EDT
Fixed in selinux-policy-2.4.6-330.el5
Comment 11 errata-xmlrpc 2013-01-07 22:32:35 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
