semodule denial

Tony Molloy tony.molloy at ul.ie
Thu Apr 23 08:32:33 UTC 2009


Hi,

I'm getting the following denial on a fully updated CentOS 5.3 system
with ( selinux-policy-2.4.6-203.el5.noarch )

Summary:

SELinux is preventing semodule (semanage_t) "getattr" to / (fs_t).

Detailed Description:

SELinux denied access requested by semodule. It is not expected that this access
is required by semodule and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:semanage_t:SystemLow-SystemHigh
Target Context                system_u:object_r:fs_t
Target Objects                / [ filesystem ]
Source                        semodule
Source Path                   <Unknown>
Port                          <Unknown>
Host                          a.b.c.d
Source RPM Packages           
Target RPM Packages           filesystem-2.4.0-2.el5.centos
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     a.b.c.d
Platform                      Linux a.b.c.d 2.6.18-128.1.6.el5
                              #1 SMP Wed Apr 1 09:10:25 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu Apr 23 08:53:08 2009
Last Seen                     Thu Apr 23 08:53:08 2009
Local ID                      227642bc-dd66-4a04-bcad-13c3d52e5e63
Line Numbers                  
Raw Audit Messages            

host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc:  denied  { getattr } for  pid=29325 comm="semodule" name="/" dev=sda5 ino=2 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

I can generate local policy, but is that the best solution?

Regards,

Tony

-- 

Dept. of Comp. Sci.
University of Limerick.
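
The raw AVC record in the message above determines exactly what a local policy module would grant. As an added example (not part of the original post, and not the policy tools' own code), this Python code parses that record and derives the single type-enforcement rule involved; the function names are hypothetical and the sample line is the post's record re-joined onto one line.

```python
import re

# Constructed input: the raw AVC record from the post, re-joined onto one line.
SAMPLE_AVC = (
    'host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc:  denied  '
    '{ getattr } for  pid=29325 comm="semodule" name="/" dev=sda5 ino=2 '
    'scontext=root:system_r:semanage_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    # The MLS range may itself contain ':' (s0-s0:c0.c1023), so split at most 3 times.
    parts = context.split(':', 3)
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % context)
    return parts[2]

def parse_avc(line):
    """Parse one AVC denial; return None if the line is not a complete denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if any(k not in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': sorted(m.group('perms').split()),
        'comm': fields.get('comm'),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }

def allow_rule(denial):
    """Render the allow rule a local module would need for this denial."""
    perms = denial['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (
        denial['source_type'], denial['target_type'], denial['tclass'], perm_text)

if __name__ == '__main__':
    print(allow_rule(parse_avc(SAMPLE_AVC)))
```

The `getattr` permission on the `filesystem` class covers querying filesystem statistics (statfs), so the resulting rule is narrow and grants `semanage_t` nothing on individual files or directories.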




More information about the fedora-selinux-list mailing list