Interesting Denials from semodule on Centos 5.2

Richard Chapman rchapman at aardvark.com.au
Sun Feb 1 11:37:12 UTC 2009


Hi

I have an interesting denial here - and I think I understand what is 
causing it - but I'm not sure of the best method of resolving it. I have 
pasted the denial below.

What seems to cause it is running the gui "System/Administration/Selinux 
Management" tool - while in a gnome x session in an "nx" session. I'm 
not sure how well known it is - but "nx" is a very good gui remote 
terminal (like vnc but much better imho) running over ssh. Very fast and 
accurate and presumably secure. I use nx to manage the Centos 5.2 server 
- rather than use a physical terminal.
Every time I start the gui Selinux Management tool I get one of these 
denials. Note that the /root/.nx directory must be a housekeeping 
directory for nx where it keeps session information.

I have run audit2allow on this denial and it suggests this very simple 
policy
---------
module mynx 1.0;

require {
        type semanage_t;
        type user_home_t;
        class file append;
}

#============= semanage_t ==============
allow semanage_t user_home_t:file append;
-------

Is this a good solution - or is it freeing up the wrong thing?
Does anyone understand why this configuration should cause the denial - 
and can anyone suggest a better solution?

BTW: I have tried the suggested re-labelling - and it didn't help.

Richard.

Summary
SELinux is preventing the semodule from using potentially mislabeled 
files 
(/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session). 

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but 
was permitted due to permissive mode.]

SELinux has denied semodule access to potentially mislabeled file(s) 
(/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session). 
This means that SELinux will not allow semodule to use these files. It 
is common for users to edit files in their home directory or tmp 
directories and then move (mv) them to system directories. The problem 
is that the files end up with the wrong file context which confined 
applications are not allowed to access.

Allowing Access
If you want semodule to access this files, you need to relabel them 
using restorecon -v 
'/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session'. 
You might want to relabel the entire directory using restorecon -R -v 
'/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9'.
Additional Information

Source Context:   	system_u:system_r:semanage_t
Target Context:   	user_u:object_r:user_home_t
Target Objects:   
/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session 
[ file ]
Source:   	semodule
Source Path:   	/usr/sbin/semodule
Port:   	<Unknown>
Host:   	C5.aardvark.com.au
Source RPM Packages:   	policycoreutils-1.33.12-14.el5
Target RPM Packages:   	
Policy RPM:   	selinux-policy-2.4.6-203.el5
Selinux Enabled:   	True
Policy Type:   	targeted
MLS Enabled:   	True
Enforcing Mode:   	Permissive
Plugin Name:   	home_tmp_bad_labels
Host Name:   	C5.aardvark.com.au
Platform:   	Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 
16 11:57:43 EST 2008 x86_64 x86_64
Alert Count:   	3
First Seen:   	Sun Feb 1 15:21:40 2009
Last Seen:   	Sun Feb 1 16:01:16 2009
Local ID:   	31b6bb16-26ba-419d-8057-7bb9eee9708a
Line Numbers:   	

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1233471676.49:19106): avc: 
denied { append } for pid=25330 comm="semodule" 
path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session" 
dev=dm-0 ino=29294826 scontext=system_u:system_r:semanage_t:s0 
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1233471676.49:19106): 
arch=c000003e syscall=59 success=yes exit=0 a0=16674410 a1=166747b0 
a2=16673660 a3=3 items=0 ppid=25327 pid=25330 auid=102 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1740 
comm="semodule" exe="/usr/sbin/semodule" 
subj=system_u:system_r:semanage_t:s0 key=(null)

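As an added example (not from the post above or from any SELinux tool), a small Python triage script that parses the AVC and SYSCALL records in the report, reconstructs the rule audit2allow produced, and flags why a relabel or inherited-descriptor fix is the safer answer here: the target type is home-directory content and the denial is logged against syscall 59 (execve on x86_64), which is where SELinux checks open files inherited from the parent process. The HOME_TYPES set and the verdict strings are assumptions of the example.

```python
import re

# Constructed sample input: the AVC and SYSCALL records from the post, re-joined one per line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1233471676.49:19106): avc: denied { append } for pid=25330 '
    'comm="semodule" path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session" '
    'dev=dm-0 ino=29294826 scontext=system_u:system_r:semanage_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=file'
)
SAMPLE_SYSCALL = (
    'type=SYSCALL msg=audit(1233471676.49:19106): arch=c000003e syscall=59 success=yes '
    'exit=0 pid=25330 comm="semodule" exe="/usr/sbin/semodule" '
    'subj=system_u:system_r:semanage_t:s0'
)

# Assumed set of home-directory content types: a system domain hitting these usually points
# at a mislabeled file or an inherited descriptor, not at a missing policy rule.
HOME_TYPES = {"user_home_t", "user_home_dir_t", "home_root_t"}

def parse_record(line):
    """Turn one audit record into a dict; 'perms' is the set inside 'denied { ... }'."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    m = re.search(r'denied\s*\{([^}]*)\}', line)
    rec["perms"] = set(m.group(1).split()) if m else set()
    return rec

def type_of(context):
    """Third field of user:role:type[:level]."""
    return context.split(":")[2]

def audit2allow_rule(avc):
    """The allow rule audit2allow generates for a single AVC record."""
    perms = sorted(avc["perms"])
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {type_of(avc['scontext'])} {type_of(avc['tcontext'])}:{avc['tclass']} {perm_str};"

def assess(avc, syscall=None):
    """Return (verdict, reasons): 'allow' if a local rule looks appropriate, else 'relabel_or_fd'."""
    stype, ttype = type_of(avc["scontext"]), type_of(avc["tcontext"])
    reasons = []
    if ttype in HOME_TYPES and avc["scontext"].startswith("system_u:"):
        reasons.append(f"system domain {stype} reached home-directory type {ttype}")
    # x86_64 syscall 59 is execve: SELinux re-checks every inherited open file against the new domain.
    if syscall and syscall.get("arch") == "c000003e" and syscall.get("syscall") == "59":
        reasons.append("denied at execve, i.e. on a descriptor inherited from the parent process")
    if reasons:
        reasons.append(f"{audit2allow_rule(avc)!r} would let {stype} {'/'.join(sorted(avc['perms']))} every {ttype} file")
    return ("relabel_or_fd" if reasons else "allow"), reasons
```

Run `assess(parse_record(SAMPLE_AVC), parse_record(SAMPLE_SYSCALL))` to see the verdict and the three reasons for this report.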

More information about the fedora-selinux-list mailing list