SELinux error with icecast package
Adam D. Ligas
adam at physco.com
Sun Dec 7 21:52:57 UTC 2008
Hey folks,
I've got a bunch of SELinux errors on my newly installed F10 server.
I'm a decently knowledgeable Linux user, but SELinux is pretty much over
my head at this point.
Rather than spam the IRC channel, I thought I would send a series of
messages with the various errors to this list. If this is not the
appropriate place to do this, please let me know and accept my apology
in advance.
This error occurred when installing icecast from the standard Fedora
repo. According to the GUI troubleshoot tool, it tried it more than
once.
--- Begin SELinux Alert 1 ---
Summary:
SELinux is preventing nscd (nscd_t) "read" unconfined_notrans_t.
Detailed Description:
SELinux denied access requested by nscd. It is not expected that this access is required by nscd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:nscd_t:s0
Target Context unconfined_u:system_r:unconfined_notrans_t:s0
Target Objects pipe [ fifo_file ]
Source nscd
Source Path /usr/sbin/nscd
Port <Unknown>
Host boris
Source RPM Packages nscd-2.9-2
Target RPM Packages
Policy RPM selinux-policy-3.5.13-26.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name boris
Platform Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count 4
First Seen Sat 06 Dec 2008 04:16:14 PM EST
Last Seen Sat 06 Dec 2008 04:16:14 PM EST
Local ID cd43cbcd-4bae-4524-b52f-f8ab36f00764
Line Numbers
Raw Audit Messages
node=boris type=AVC msg=audit(1228598174.876:203): avc: denied { read } for pid=5357 comm="nscd" path="pipe:[35289]" dev=pipefs ino=35289 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=fifo_file
node=boris type=SYSCALL msg=audit(1228598174.876:203): arch=40000003 syscall=11 success=yes exit=0 a0=8056c6b a1=bfb25c24 a2=bfb25c38 a3=0 items=0 ppid=5352 pid=5357 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null)
--- End SELinux Alert ---
When I removed the package with yum, it threw this error a bunch more
times and added an additional one:
--- Begin SELinux Alert 2 ---
Summary:
SELinux prevented semanage from using the terminal 0.
Detailed Description:
SELinux prevented semanage from using the terminal 0. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean.
Allowing Access:
Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."
Fix Command:
setsebool -P allow_daemons_use_tty=1
Additional Information:
Source Context unconfined_u:system_r:semanage_t:s0
Target Context unconfined_u:object_r:devpts_t:s0
Target Objects 0 [ chr_file ]
Source semanage
Source Path /usr/bin/python
Port <Unknown>
Host boris
Source RPM Packages python-2.5.2-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-26.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_daemons_use_tty
Host Name boris
Platform Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count 1
First Seen Sun 07 Dec 2008 04:34:19 PM EST
Last Seen Sun 07 Dec 2008 04:34:19 PM EST
Local ID 5ff62f2f-d05d-46b3-9624-b1308e1a06f6
Line Numbers
Raw Audit Messages
node=boris type=AVC msg=audit(1228685659.553:6520): avc: denied { read write } for pid=32355 comm="semanage" name="0" dev=devpts ino=2 scontext=unconfined_u:system_r:semanage_t:s0 tcontext=unconfined_u:object_r:devpts_t:s0 tclass=chr_file
node=boris type=SYSCALL msg=audit(1228685659.553:6520): arch=40000003 syscall=11 success=yes exit=0 a0=8050a82 a1=bf871adc a2=0 a3=0 items=0 ppid=32354 pid=32355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:system_r:semanage_t:s0 key=(null)
--- End SELinux Alert ---
The second one includes some instructions to repair the error, but it
seems to be an "all or nothing" sort of command, and it seems even
weirder to run it after I've uninstalled the package that appears to be
using it.
Thoughts?
- Adam
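An added triage helper, not part of the post or of any Fedora tool, that parses the two raw AVC records quoted above into their fields, renders the narrow allow rule a local policy module would need (the alternative to the all-or-nothing boolean), and flags the terminal-device denial that the second alert says is usually ignorable. The sample records are copied from the post; the field names and the `is_tty_denial` heuristic are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the two AVC records quoted in the post above.
AVC_LINES = [
    'node=boris type=AVC msg=audit(1228598174.876:203): avc: denied { read } for pid=5357 '
    'comm="nscd" path="pipe:[35289]" dev=pipefs ino=35289 '
    'scontext=unconfined_u:system_r:nscd_t:s0 '
    'tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=fifo_file',
    'node=boris type=AVC msg=audit(1228685659.553:6520): avc: denied { read write } for pid=32355 '
    'comm="semanage" name="0" dev=devpts ino=2 '
    'scontext=unconfined_u:system_r:semanage_t:s0 '
    'tcontext=unconfined_u:object_r:devpts_t:s0 tclass=chr_file',
]

AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\).*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for non-AVC records."""
    if 'type=AVC' not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    # Contexts are user:role:type:level; the type is what policy rules key on.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # Audit timestamps are epoch seconds; render in UTC to compare with "First Seen".
    rec['when'] = datetime.fromtimestamp(float(rec['ts']), tz=timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
    return rec


def allow_rule(rec):
    """Narrow allow rule (local-module form) covering exactly this denial."""
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {' '.join(rec['perms'])} }};"


def is_tty_denial(rec):
    """True for terminal-device access, the case the second alert says is usually ignorable."""
    return rec['ttype'] == 'devpts_t' and rec['tclass'] == 'chr_file'


if __name__ == '__main__':
    for rec in filter(None, map(parse_avc, AVC_LINES)):
        tag = 'tty (usually ignorable)' if is_tty_denial(rec) else 'needs module or bug report'
        print(rec['when'], rec['comm'], tag, '->', allow_rule(rec))
```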