rawhide yum denied for transition bootloader_t, two alerts
Andrew Farris
lordmorgul at gmail.com
Mon Mar 17 20:35:14 UTC 2008
On Mon, Mar 17, 2008 at 7:33 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Andrew Farris wrote:
> > These happen on two machines during updates, I'm also noticing many
> > %post scriptlets failing when these pop up, though I don't know if
> > they are related or not.
> > Raw Audit Messages
> >
> > host=durthangnix type=AVC msg=audit(1205476368.460:1339): avc: denied
> > { transition } for pid=28100 comm="yum" path="/sbin/ldconfig"
> > dev=sda3 ino=858775 scontext=user_u:system_r:bootloader_t:s0
> > tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
> >
> > host=durthangnix type=SYSCALL msg=audit(1205476368.460:1339):
> > arch=c000003e syscall=59 success=no exit=-13 a0=7ff2034c2aca
> > a1=7fff1bd22350 a2=7ff20aa927d0 a3=3b8896c9f0 items=0 ppid=27144
> > pid=28100 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python"
> > subj=user_u:system_r:bootloader_t:s0 key=(null)
> >
> > Raw Audit Messages
> >
> > host=durthangnix type=AVC msg=audit(1205476368.64:1338): avc: denied
> > { transition } for pid=28099 comm="yum" path="/bin/bash" dev=sda3
> > ino=835647 scontext=user_u:system_r:bootloader_t:s0
> > tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
> >
> > host=durthangnix type=SYSCALL msg=audit(1205476368.64:1338):
> > arch=c000003e syscall=59 success=no exit=-13 a0=7ff20063e90d
> > a1=7fff1bd22350 a2=7ff20aa927d0 a3=3b8896c9f0 items=0 ppid=27144
> > pid=28099 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python"
> > subj=user_u:system_r:bootloader_t:s0 key=(null)
> >
> >
> >
> This looks like you are logged in as bootloader_t? Something is very
> wrong with your system.
>
> What does
> id -Z
>
> Show?
On one system I am logged in as bootloader_t:
My user id -Z: user_u:system_r:bootloader_t:s0
And root (su - from my user): user_u:system_r:bootloader_t:s0
On the other system I am not, instead I am:
unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
The first is kernel-2.6.25-0.121.rc5.git4.fc9.x86_64 and look at this:
04:11:39 |root.durthangnix:1| |28 files:848K at yum| |0 jobs|
- rpm -q selinux-policy-targeted
package selinux-policy-targeted is not installed
04:12:00 |root.durthangnix:1| |28 files:848K at yum| |0 jobs|
- rpm -qa | grep selinux
libselinux-python-2.0.57-1.fc9.x86_64
libselinux-2.0.59-1.fc9.x86_64
selinux-policy-3.3.1-16.fc9.noarch
selinux-policy-devel-3.3.1-16.fc9.noarch
libselinux-2.0.57-1.fc9.x86_64
libselinux-python-2.0.59-1.fc9.x86_64
libselinux-2.0.59-1.fc9.i386
selinux-policy-3.3.1-14.fc9.noarch
04:12:08 |root.durthangnix:1| |28 files:848K at yum| |0 jobs|
- yum list selinux-policy-targeted
Loaded plugins: basearchonly, fastestmirror, fedorakmod, priorities, security,
: versionlock
Loading mirror speeds from cached hostfile
* livna-development: mirrors.tummy.com
* livna-development-debuginfo: mirrors.tummy.com
* rawhide: limestone.uoregon.edu
* upstart-debuginfo: notting.fedorapeople.org
* upstart: notting.fedorapeople.org
Reading version lock configuration
Available Packages
selinux-policy-targeted.noarch 3.3.1-16.fc9 rawhide
04:12:36 |root.durthangnix:1| |28 files:848K at yum| |0 jobs|
- cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
So the configured policy is not even installed... it was previously,
so I'm not sure where it went. This is from /var/log/yum.log:
- cat /var/log/yum.log | grep selinux
Mar 13 23:21:49 Updated: selinux-policy-3.3.1-16.fc9.noarch
Mar 13 23:24:46 Updated: selinux-policy-targeted-3.3.1-16.fc9.noarch
Mar 13 23:24:51 Updated: selinux-policy-devel-3.3.1-16.fc9.noarch
Mar 13 23:31:17 selinux-policy-targeted: ts_done name in te is yum
should be selinux-policy-targeted
Mar 13 23:31:17 rpm: ts_done name in te is selinux-policy-targeted should be rpm
Mar 13 23:31:20 selinux-policy-devel: ts_done name in te is
totem-gstreamer should be selinux-policy-devel
Mar 13 23:31:49 xulrunner-debuginfo: ts_done name in te is
selinux-policy-devel should be xulrunner-debuginfo
Mar 13 23:32:37 selinux-policy: ts_done name in te is mesa-libGL
should be selinux-policy
Mar 13 23:32:49 pulseaudio-module-gconf: ts_done name in te is
selinux-policy should be pulseaudio-module-gconf
The second system does have selinux-policy-targeted installed and
that's the one chosen in config. This is the system that is logged in
unconfined.
> You might need to relabel. Are you using a different login program?
Was logged in from gdm on both systems, AFTER a fresh autorelabel on
both that I did yesterday. I'll try it again after I pull today's
updates and autorelabel.
--
Andrew Farris <lordmorgul at gmail.com> www.lordmorgul.net
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
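
To read the denials quoted in this message as events rather than loose lines, the following added example (not part of the original message, and not code from the audit or SELinux projects) pairs each AVC record with its SYSCALL record by audit serial number and summarises the denied process transitions. The sample text is the two events quoted above, rejoined onto single lines; the function names are illustrative.

```python
import re
from collections import defaultdict

# The two audit events quoted in the message, rejoined onto single lines.
SAMPLE = '''\
host=durthangnix type=AVC msg=audit(1205476368.460:1339): avc: denied { transition } for pid=28100 comm="yum" path="/sbin/ldconfig" dev=sda3 ino=858775 scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
host=durthangnix type=SYSCALL msg=audit(1205476368.460:1339): arch=c000003e syscall=59 success=no exit=-13 a0=7ff2034c2aca a1=7fff1bd22350 a2=7ff20aa927d0 a3=3b8896c9f0 items=0 ppid=27144 pid=28100 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python" subj=user_u:system_r:bootloader_t:s0 key=(null)
host=durthangnix type=AVC msg=audit(1205476368.64:1338): avc: denied { transition } for pid=28099 comm="yum" path="/bin/bash" dev=sda3 ino=835647 scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
host=durthangnix type=SYSCALL msg=audit(1205476368.64:1338): arch=c000003e syscall=59 success=no exit=-13 a0=7ff20063e90d a1=7fff1bd22350 a2=7ff20aa927d0 a3=3b8896c9f0 items=0 ppid=27144 pid=28099 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python" subj=user_u:system_r:bootloader_t:s0 key=(null)
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event serial; each record becomes a field dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue  # not an audit record
        rtype, serial = m.group(1), int(m.group(3))
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == 'AVC':
            p = PERMS.search(line)
            fields['perms'] = p.group(1).split() if p else []
        events[serial][rtype] = fields
    return dict(events)

def denied_transitions(events):
    """One summary dict per event whose AVC denies a process transition."""
    out = []
    for serial, recs in sorted(events.items()):
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc or 'transition' not in avc['perms'] or avc.get('tclass') != 'process':
            continue
        out.append({'serial': serial,
                    'source_domain': avc['scontext'].split(':')[2],
                    'target_domain': avc['tcontext'].split(':')[2],
                    'entrypoint': avc['path'],
                    'exe': sc.get('exe'), 'auid': sc.get('auid'),
                    # exit=-13 is EACCES; syscall=59 is execve on x86_64
                    'exit': int(sc['exit']) if 'exit' in sc else None})
    return out

if __name__ == '__main__':
    for row in denied_transitions(parse_events(SAMPLE)):
        print(row)
```
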