SELinux security alert
Daniel J Walsh
dwalsh at redhat.com
Mon Dec 21 16:50:19 UTC 2009
On 12/19/2009 02:06 PM, vinny wrote:
> Hello,
> I installed F12 on 2 desktops, no problem, both working perfectly.
> Lately one has developed this security problem; it suggests renaming a
> file as a possible cure. I do not understand how a file can change its name
> by itself. So before I make a mess of things, I had better ask for help.
> Vinny
>
> Summary:
>
> SELinux is preventing /bin/find "getattr" access to /var/lib/misc/prelink.full.
>
> Detailed Description:
>
> [find has a permissive type (prelink_cron_system_t). This access was not denied.]
>
> SELinux denied access requested by find. /var/lib/misc/prelink.full may be
> mislabeled. /var/lib/misc/prelink.full's default SELinux type is prelink_var_lib_t,
> but its current type is cron_var_lib_t. Changing this file back to the default
> type may fix your problem.
>
> File contexts can be assigned to a file in the following ways.
>
> * Files created in a directory receive the file context of the parent
>   directory by default.
> * The SELinux policy might override the default label inherited from the
>   parent directory by specifying that a process running in context A which
>   creates a file in a directory labeled B will instead create the file with
>   label C. An example of this would be the dhcp client running with the
>   dhclient_t type and creating a file in the directory /etc. This file would
>   normally receive the etc_t type due to parental inheritance, but instead
>   the file is labeled with the net_conf_t type because the SELinux policy
>   specifies this.
> * Users can change the file context on a file using tools such as chcon or
>   restorecon.
>
> This file could have been mislabeled either by user error, or if a normally
> confined application was run under the wrong domain.
>
> However, this might also indicate a bug in SELinux because the file should not
> have been labeled with this type.
>
> If you believe this is a bug, please file a bug report against this package.
>
> Allowing Access:
>
> You can restore the default system context to this file by executing the
> restorecon command: restorecon '/var/lib/misc/prelink.full'. If this file is a
> directory, you can recursively restore using restorecon -R
> '/var/lib/misc/prelink.full'.
>
> Fix Command:
>
> /sbin/restorecon '/var/lib/misc/prelink.full'
>
> Additional Information:
>
> Source Context        system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
> Target Context        system_u:object_r:cron_var_lib_t:s0
> Target Objects        /var/lib/misc/prelink.full [ file ]
> Source                find
> Source Path           /bin/find
> Port                  <Unknown>
> Host                  localhost.localdomain
> Source RPM Packages   findutils-4.4.2-4.fc12
> Target RPM Packages   prelink-0.4.2-4.fc12
> Policy RPM            selinux-policy-3.6.32-55.fc12
> Selinux Enabled       True
> Policy Type           targeted
> Enforcing Mode        Enforcing
> Plugin Name           restorecon
> Host Name             localhost.localdomain
> Platform              Linux localhost.localdomain 2.6.31.6-166.fc12.i686.PAE #1 SMP Wed Dec 9 11:00:30 EST 2009 i686 i686
> Alert Count           4
> First Seen            Sat 12 Dec 2009 07:32:14 AM EST
> Last Seen             Sat 19 Dec 2009 01:45:15 PM EST
> Local ID              e5732596-f308-439c-9920-c4a394f95061
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1261248315.138:22): avc: denied { getattr } for pid=2950 comm="find" path="/var/lib/misc/prelink.full" dev=dm-0 ino=2402 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
>
> node=localhost.localdomain type=SYSCALL msg=audit(1261248315.138:22): arch=40000003 syscall=300 success=yes exit=0 a0=ffffff9c a1=8594704 a2=85946a4 a3=100 items=0 ppid=2949 pid=2950 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="find" exe="/bin/find" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
>
Fixed in selinux-policy-3.6.32-59.fc12.noarch
yum update selinux-policy-targeted --enablerepo=updates-testing
I believe this is now fixed in this release.
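The alert above recommends restorecon because the file's current type (cron_var_lib_t) differs from the type the policy's file_contexts assigns to that path (prelink_var_lib_t), and it notes that the access was logged but not blocked because the source domain is permissive. The following Python is an added example, not code from the post, from setroubleshoot or from the Fedora policy: it parses the raw AVC record quoted above, looks the path up in a small constructed stand-in for file_contexts, and decides whether the right response is a relabel or a policy question. The FILE_CONTEXTS entries, the PERMISSIVE_TYPES set and the shape of advise()'s output are assumptions made for illustration.

```python
"""Triage an SELinux AVC record: relabel the file, or is it a policy gap?"""
import re
from dataclasses import dataclass

# Constructed input: the AVC record quoted in the post, re-joined onto one line.
SAMPLE_AVC = (
    "node=localhost.localdomain type=AVC msg=audit(1261248315.138:22): avc: "
    'denied { getattr } for pid=2950 comm="find" '
    'path="/var/lib/misc/prelink.full" dev=dm-0 ino=2402 '
    "scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file"
)

# Assumption: a three-entry stand-in for the policy's file_contexts file.
# Constructed for this example; not the real Fedora policy's entries.
FILE_CONTEXTS = [
    (r"/var/lib(/.*)?", "system_u:object_r:var_lib_t:s0"),
    (r"/var/lib/misc/prelink.*", "system_u:object_r:prelink_var_lib_t:s0"),
    (r"/var/spool/cron(/.*)?", "system_u:object_r:cron_spool_t:s0"),
]

# Assumption: domains the policy declares permissive (what `semanage permissive -l`
# would list). The alert in the post says prelink_cron_system_t is one.
PERMISSIVE_TYPES = frozenset({"prelink_cron_system_t"})

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    result: str
    perms: list
    fields: dict

    def _type(self, key):
        # user:role:type[:range] -> the type component
        return self.fields[key].split(":")[2]

    @property
    def source_type(self):
        return self._type("scontext")

    @property
    def target_type(self):
        return self._type("tcontext")


def parse_avc(line):
    """Split an AVC record into result, permission set and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record missing %s" % required)
    return Avc(m.group("result"), m.group("perms").split(), fields)


def default_context(path, specs=FILE_CONTEXTS):
    """Approximate matchpathcon(3): of the entries whose regex matches the whole
    path, the most specific one (longest literal prefix before any regex
    metacharacter) wins. Simplification of libselinux's ordering."""
    best = None
    for regex, ctx in specs:
        if re.fullmatch(regex, path):
            stem = re.match(r"[^.*?+\[(\\]*", regex).group(0)
            if best is None or len(stem) > best[0]:
                best = (len(stem), ctx)
    return best[1] if best else None


def advise(line, permissive_types=PERMISSIVE_TYPES, specs=FILE_CONTEXTS):
    """Return a triage dict: was the access really blocked, and what to do next."""
    avc = parse_avc(line)
    path = avc.fields.get("path")
    expected = default_context(path, specs) if path else None
    # A denial from a permissive domain is logged but not enforced.
    enforced = avc.result == "denied" and avc.source_type not in permissive_types
    out = {
        "comm": avc.fields.get("comm", "?"),
        "perms": avc.perms,
        "path": path,
        "current_type": avc.target_type,
        "expected_type": expected.split(":")[2] if expected else None,
        "enforced": enforced,
    }
    if expected and out["expected_type"] != avc.target_type:
        # Label drift: the file carries a type the policy would never assign to
        # this path, so restoring the label (not changing policy) is the fix.
        out["reason"] = "mislabeled"
        out["action"] = "restorecon -v '%s'" % path
    else:
        # Label already matches the policy's expectation: a real policy gap,
        # to be reported or reviewed with audit2why, not papered over with chcon.
        out["reason"] = "policy"
        out["action"] = "ausearch -m avc -c %s | audit2why" % out["comm"]
    return out


if __name__ == "__main__":
    for key, value in advise(SAMPLE_AVC).items():
        print("%-14s %s" % (key, value))
```

On a real host the FILE_CONTEXTS table would be replaced by a call to matchpathcon (or `selinux.matchpathcon` from the libselinux Python bindings), which is what setroubleshoot's restorecon plugin consults; the decision logic stays the same: when the on-disk type and the policy's default type for the path disagree, relabel and re-check, and only treat the AVC as a policy bug when they agree.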