LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

July 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS July 2009

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	SELinux is preventing the groupadd from using potentially mislabeled files (/tmp/yum.temp).
From:	John Summerfield <[log in to unmask]>
Reply To:	John Summerfield <[log in to unmask]>
Date:	Fri, 24 Jul 2009 10:19:44 +0800
Content-Type:	text/plain
Parts/Attachments:	text/plain (88 lines)

The suggested resolution doesn't seem appropriate. Are others seeing 
this, and what are they doing about it?



Summary:

SELinux is preventing the groupadd from using potentially mislabeled files
(/tmp/yum.temp).

Detailed Description:

SELinux has denied groupadd access to potentially mislabeled file(s)
(/tmp/yum.temp). This means that SELinux will not allow groupadd to use 
these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem 
is that
the files end up with the wrong file context which confined applications 
are not
allowed to access.

Allowing Access:

If you want groupadd to access this files, you need to relabel them using
restorecon -v '/tmp/yum.temp'. You might want to relabel the entire 
directory
using restorecon -R -v '/tmp'.

Additional Information:

Source Context                user_u:system_r:groupadd_t
Target Context                user_u:object_r:tmp_t
Target Objects                /tmp/yum.temp [ file ]
Source                        groupadd
Source Path                   /usr/sbin/groupadd
Port                          <Unknown>
Host                          bobtail.demo.lan
Source RPM Packages           shadow-utils-4.0.17-14.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     bobtail.demo.lan
Platform                      Linux bobtail.demo.lan 2.6.18-128.1.10.el5 
#1 SMP
                               Thu May 7 12:48:13 EDT 2009 x86_64 x86_64
Alert Count                   7
First Seen                    Thu Sep  4 04:36:32 2008
Last Seen                     Fri Jul 24 04:05:03 2009
Local ID                      5c97302c-0bb5-44dd-bcdf-570851410cbd
Line Numbers

Raw Audit Messages

host=bobtail.demo.lan type=AVC msg=audit(1248379503.595:3899): avc: 
denied  { write } for  pid=10117 comm="groupadd" path="/tmp/yum.temp" 
dev=dm-0 ino=16777376 scontext=user_u:system_r:groupadd_t:s0 
tcontext=user_u:object_r:tmp_t:s0 tclass=file

host=bobtail.demo.lan type=SYSCALL msg=audit(1248379503.595:3899): 
arch=c000003e syscall=59 success=yes exit=0 a0=5991d30 a1=5990380 
a2=5990120 a3=3eff751a30 items=0 ppid=10116 pid=10117 auid=0 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=707 
comm="groupadd" exe="/usr/sbin/groupadd" 
subj=user_u:system_r:groupadd_t:s0 key=(null)


Why groupadd is running at all is a mystery I've yet to resolve.


-- 

Cheers
John

-- spambait
[log in to unmask]  [log in to unmask]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV