SELinux security alert

Paolo Galtieri pgaltieri at gmail.com
Sun Dec 20 13:15:01 UTC 2009


The problem is that the SELinux message re-occurs. It appears that cron
creates the file with cron's context and then SELinux gets triggered because
the context is wrong. Why does cron create the file and leave it lying
around? And if cron needs to create the file why isn't SELinux aware of
this and not complain?

Paolo

On Sat, Dec 19, 2009 at 1:04 PM, Petrus de Calguarium
<kwhiskerz at gmail.com> wrote:

> I am not very knowledgeable about SELinux, but I will see what I can do.
>
> vinny wrote:
>
> > [find has a permissive type (prelink_cron_system_t). This access was not
> > denied.]
> >
> The section in [] brackets says that since the command has a "permissive
> type", the "access was not denied"; in other words the command ran without
> being hindered by SELinux, so you can read the security message as a
> warning.
>
> > SELinux denied access requested by find. /var/lib/misc/prelink.full may
> > be a mislabeled. /var/lib/misc/prelink.full default SELinux type is
> > prelink_var_lib_t, but its current type is cron_var_lib_t. Changing this
> > file back to the default type, may fix your problem.
> >
> This means that /var/lib/misc/prelink.full has the wrong file context (to
> check context: ls -Z filename). SELinux should have blocked access, but the
> context is permissive, so it didn't (refer to the section at the very
> beginning in the [] brackets).
>
> > You can restore the default system context to this file by executing the
> > restorecon command.
> >
> > /sbin/restorecon '/var/lib/misc/prelink.full'
> >
> If this error message bothers you, even though SELinux tells you that it
> didn't prevent the command from executing, you have the option to restore
> the context of the file using this command:
>
> sudo /sbin/restorecon -v '/var/lib/misc/prelink.full'
>
> -v means verbose, so you will see if a change was made to the context.
>
> Sometimes files will get the wrong context each time you reboot, so you
> might have to keep on doing this every time you reboot, or wait for an
> update that fixes the default context. If you want to know which rpm
> package creates or supplies this file:
>
> yum provides */prelink.full
> or
> yum provides /var/lib/misc/prelink.full
>
> I don't know what kind of file prelink.full is, but if it comes from an
> installed rpm package from the Fedora repositories, you could file a bug
> report at bugzilla.redhat.com. If you created the file or edited the file,
> then you must restore the context.
>
> I hope this helps sufficiently.
>
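An added example, not part of the original messages: a small shell helper that compares a file's current SELinux type with the policy default and can relabel it, so the check from the thread can be repeated after each cron run. The function names and the user/role fields in the sample contexts are constructed for illustration; check_path assumes an SELinux-enabled host with GNU stat, matchpathcon and restorecon.

```sh
#!/bin/sh
# Added example: detect files whose SELinux type has drifted from the default.

# Print the type field of a context string (user:role:type[:level]).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare a current context with the policy default context for a path.
# Prints one line; returns 0 when the types match, 1 when they differ.
compare_label() {
    path=$1
    cur=$(selinux_type "$2")
    def=$(selinux_type "$3")
    if [ "$cur" = "$def" ]; then
        printf 'OK %s %s\n' "$path" "$cur"
        return 0
    fi
    printf 'MISLABELED %s current=%s default=%s\n' "$path" "$cur" "$def"
    return 1
}

# Live check on an SELinux host. Pass "fix" as the second argument to
# relabel a mislabeled file with restorecon -v (run as root).
check_path() {
    path=$1
    cur=$(stat -c %C "$path") || return 2        # current context
    def=$(matchpathcon -n "$path") || return 2   # policy default context
    if compare_label "$path" "$cur" "$def"; then
        return 0
    fi
    [ "${2:-}" = "fix" ] && /sbin/restorecon -v "$path"
    return 1
}

# Constructed sample: the two types reported in the alert quoted above.
compare_label /var/lib/misc/prelink.full \
    'system_u:object_r:cron_var_lib_t:s0' \
    'system_u:object_r:prelink_var_lib_t:s0' || true
```

On a live system, `check_path /var/lib/misc/prelink.full fix` reports the mismatch and relabels the file; if the alert returns after the next cron run, the file is being recreated with the wrong label and the policy or package needs the fix.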

