policy rpm %post script encounters avc violations

Daniel J Walsh dwalsh at redhat.com
Wed Sep 3 16:22:41 UTC 2008


Johnson, Richard wrote:
> When installing a policy rpm, one cannot log the install activity w/o
> generating avc errors.  For example:
> 
> rpm -i lsb-ft-asn-selinux > /var/log/rpm-update.log
> 
> produces the following violation:
> 
> type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59
> success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0
> ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon" exe="/sbin/restorecon"
> subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1219774608.030:789): avc:  denied  { write } for
> pid=2875 comm="restorecon" path="/var/log/rpm-update.log" dev=md2
> ino=2694055 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023
> tcontext=root:object_r:var_log_t:s0 tclass=file
> 
> The problem seems to stem from recording the %post script's attempts to
> relabel files affected by the policy, specifically:
> 
> /sbin/restorecon -F -R -v /opt/ft/sbin/sra_alarm;
> /sbin/restorecon -F -R -v /etc/opt/ft/asn;
> /sbin/restorecon -F -R -v /var/opt/ft/asn;
> /sbin/restorecon -F -R -v /var/opt/ft/log;
> 
> Is there any way to preserve the logging w/o disabling selinux for the
> duration of the install?
> 
> FWIW, the rpm commands are executed from a bash script.

Answered in

http://danwalsh.livejournal.com/22860.html
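
Added example, not part of the original thread: a small parser that pairs each AVC record with the SYSCALL record sharing its audit event serial and summarizes the denial, run over the two records quoted in the message (re-joined onto single lines). The function and field names are hypothetical; the only outside fact used is that arch c000003e with syscall 59 is execve on x86_64.

```python
import re

# The two audit records quoted in the message above, re-joined onto single lines.
SAMPLE = '''type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59 success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0 ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon" exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1219774608.030:789): avc:  denied  { write } for pid=2875 comm="restorecon" path="/var/log/rpm-update.log" dev=md2 ino=2694055 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_log_t:s0 tclass=file
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
EXECVE_X86_64 = ("c000003e", "59")  # AUDIT_ARCH_X86_64, execve


def parse_records(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        p = PERMS.search(body)
        if p:  # only AVC records carry "avc: denied { ... }"
            fields["result"] = p.group(1)
            fields["perms"] = p.group(2).split()
        events.setdefault(serial, {})[rtype] = fields
    return events


def summarize_denials(text):
    """One dict per denied AVC, enriched from the SYSCALL record of the same event."""
    out = []
    for serial, recs in parse_records(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc.get("result") != "denied":
            continue
        out.append({
            "event": serial,
            "source_type": avc["scontext"].split(":")[2],  # user:role:type:level
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"], "perms": avc["perms"],
            "path": avc.get("path"), "exe": sc.get("exe"),
            "at_execve": (sc.get("arch"), sc.get("syscall")) == EXECVE_X86_64,
        })
    return out


if __name__ == "__main__":
    for denial in summarize_denials(SAMPLE):
        print(denial)
```

For the quoted event the summary shows restorecon_t denied write on a var_log_t file whose path is the redirect target /var/log/rpm-update.log, with the check raised during the execve of /sbin/restorecon.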
