rawhide yum denied for transition bootloader_t, two alerts

Daniel J Walsh dwalsh at redhat.com
Mon Mar 17 21:26:34 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew Farris wrote:
> On Mon, Mar 17, 2008 at 7:33 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>>  Hash: SHA1
>>
>>
>>
>>  Andrew Farris wrote:
>>  > These happen on two machines during updates,  I'm also noticing many
>>  > %post scriptlets failing when these pop up, though I don't know if
>>  > they are related or not.
> 
>>  > Raw Audit Messages
>>  >
>>  > host=durthangnix type=AVC msg=audit(1205476368.460:1339): avc:  denied
>>  >  { transition } for  pid=28100 comm="yum" path="/sbin/ldconfig"
>>  > dev=sda3 ino=858775 scontext=user_u:system_r:bootloader_t:s0
>>  > tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
>>  >
>>  > host=durthangnix type=SYSCALL msg=audit(1205476368.460:1339):
>>  > arch=c000003e syscall=59 success=no exit=-13 a0=7ff2034c2aca
>>  > a1=7fff1bd22350 a2=7ff20aa927d0 a3=3b8896c9f0 items=0 ppid=27144
>>  > pid=28100 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>  > fsgid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python"
>>  > subj=user_u:system_r:bootloader_t:s0 key=(null)
>>  >
> 
>>  > Raw Audit Messages
>>  >
>>  > host=durthangnix type=AVC msg=audit(1205476368.64:1338): avc:  denied
>>  > { transition } for  pid=28099 comm="yum" path="/bin/bash" dev=sda3
>>  > ino=835647 scontext=user_u:system_r:bootloader_t:s0
>>  > tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
>>  >
>>  > host=durthangnix type=SYSCALL msg=audit(1205476368.64:1338):
>>  > arch=c000003e syscall=59 success=no exit=-13 a0=7ff20063e90d
>>  > a1=7fff1bd22350 a2=7ff20aa927d0 a3=3b8896c9f0 items=0 ppid=27144
>>  > pid=28099 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>  > fsgid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python"
>>  > subj=user_u:system_r:bootloader_t:s0 key=(null)
>>  >
>>  >
>>  >
>>  THis looks like you are logged in as bootloader_t?  Something is very
>>  wrong with your system.
>>
>>  What does
>>  id -Z
>>
>>  Show?
> 
> On one system I am logged in as bootloader_t:
> My user id -Z:  user_u:system_r:bootloader_t:s0
> And root (su - from my user):  user_u:system_r:bootloader_t:s0
> 
> On the other system I am not, instead I am:
> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> 
> The first is kernel-2.6.25-0.121.rc5.git4.fc9.x86_64 and look at this:
> 
> 04:11:39  |root.durthangnix:1| |28 files:848K at yum| |0 jobs|
>  - rpm -q selinux-policy-targeted
> package selinux-policy-targeted is not installed
> 
> 04:12:00  |root.durthangnix:1| |28 files:848K at yum| |0 jobs|
>  - rpm -qa | grep selinux
> libselinux-python-2.0.57-1.fc9.x86_64
> libselinux-2.0.59-1.fc9.x86_64
> selinux-policy-3.3.1-16.fc9.noarch
> selinux-policy-devel-3.3.1-16.fc9.noarch
> libselinux-2.0.57-1.fc9.x86_64
> libselinux-python-2.0.59-1.fc9.x86_64
> libselinux-2.0.59-1.fc9.i386
> selinux-policy-3.3.1-14.fc9.noarch
> 
> 04:12:08  |root.durthangnix:1| |28 files:848K at yum| |0 jobs|
>  - yum list selinux-policy-targeted
> Loaded plugins: basearchonly, fastestmirror, fedorakmod, priorities, security,
>               : versionlock
> Loading mirror speeds from cached hostfile
>  * livna-development: mirrors.tummy.com
>  * livna-development-debuginfo: mirrors.tummy.com
>  * rawhide: limestone.uoregon.edu
>  * upstart-debuginfo: notting.fedorapeople.org
>  * upstart: notting.fedorapeople.org
> Reading version lock configuration
> Available Packages
> selinux-policy-targeted.noarch           3.3.1-16.fc9           rawhide
> 
> 04:12:36  |root.durthangnix:1| |28 files:848K at yum| |0 jobs|
>  - cat /etc/sysconfig/selinux
> 
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #	enforcing - SELinux security policy is enforced.
> #	permissive - SELinux prints warnings instead of enforcing.
> #	disabled - No SELinux policy is loaded.
> SELINUX=enforcing
> # SELINUXTYPE= can take one of these two values:
> #	targeted - Targeted processes are protected,
> #	mls - Multi Level Security protection.
> SELINUXTYPE=targeted
> # SETLOCALDEFS= Check local definition changes
> SETLOCALDEFS=0
> 
> So the configured policy is not even installed... it was previously,
> so I'm not sure where it went.  This is from /var/log/yum.log:
>  - cat /var/log/yum.log | grep selinux
> Mar 13 23:21:49 Updated: selinux-policy-3.3.1-16.fc9.noarch
> Mar 13 23:24:46 Updated: selinux-policy-targeted-3.3.1-16.fc9.noarch
> Mar 13 23:24:51 Updated: selinux-policy-devel-3.3.1-16.fc9.noarch
> Mar 13 23:31:17 selinux-policy-targeted: ts_done name in te is yum
> should be selinux-policy-targeted
> Mar 13 23:31:17 rpm: ts_done name in te is selinux-policy-targeted should be rpm
> Mar 13 23:31:20 selinux-policy-devel: ts_done name in te is
> totem-gstreamer should be selinux-policy-devel
> Mar 13 23:31:49 xulrunner-debuginfo: ts_done name in te is
> selinux-policy-devel should be xulrunner-debuginfo
> Mar 13 23:32:37 selinux-policy: ts_done name in te is mesa-libGL
> should be selinux-policy
> Mar 13 23:32:49 pulseaudio-module-gconf: ts_done name in te is
> selinux-policy should be pulseaudio-module-gconf
> 
> The second system does have selinux-policy-targeted installed and
> thats the one chosen in config.  This is the system that is logged in
> unconfined.
> 
>>  You might need to relabel.  Are you using a different login program?
> 
> Was logged in from gdm on both systems, AFTER a fresh autorelabel on
> both that I did yesterday.  I'll try it again after I pull today's
> updates and autorelabel.
> 
Well install selinux-policy-targeted on both machine/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfe4goACgkQrlYvE4MpobOYKQCfSfrZO5FVfaHtv2b2qv3p1mRX
8FoAoOl2dMK7mOv9jVTEmETp63X7Y1y8
=u4SZ
-----END PGP SIGNATURE-----




More information about the fedora-selinux-list mailing list