Two SELinux AVC denials running with yesterday's rawhide updates -- /usr/bin/updatedb and /sbin/dhcdbd

Miles Lane miles.lane at gmail.com
Mon May 14 05:27:43 UTC 2007


Summary
    SELinux is preventing /usr/bin/updatedb (locate_t) "search" to / (dosfs_t).

Detailed Description
    SELinux denied access requested by /usr/bin/updatedb. It is not expected
    that this access is required by /usr/bin/updatedb and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /, restorecon -v / If this does
    not work, there is currently no automatic way to allow this access. Instead,
    you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information

Source Context                system_u:system_r:locate_t
Target Context                system_u:object_r:dosfs_t
Target Objects                / [ dir ]
Affected RPM Packages         mlocate-0.16-1 [application]
                              filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.1-1.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3116.fc7 #1
                              SMP Thu Apr 26 10:36:44 EDT 2007 i686 athlon
Alert Count                   2
First Seen                    Wed 02 May 2007 02:24:50 PM PDT
Last Seen                     Sun 13 May 2007 10:23:40 PM PDT
Local ID                      6e0c127c-8364-4122-ad26-27684542b5e0
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="updatedb" dev=sda6 egid=0 euid=0
exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=7589
scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:dosfs_t:s0 tty=(none) uid=0

---------------------------------------------------------------------

Summary
    SELinux is preventing /sbin/dhcdbd (dhcpc_t) "read" to /etc/dbus-1/system.d
    (dbusd_etc_t).

Detailed Description
    SELinux denied access requested by /sbin/dhcdbd. It is not expected that
    this access is required by /sbin/dhcdbd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /etc/dbus-1/system.d, restorecon
    -v /etc/dbus-1/system.d If this does not work, there is currently no
    automatic way to allow this access. Instead,  you can generate a local
    policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information

Source Context                system_u:system_r:dhcpc_t
Target Context                system_u:object_r:dbusd_etc_t
Target Objects                /etc/dbus-1/system.d [ dir ]
Affected RPM Packages         dhcdbd-2.7-4.fc7 [application]
                              dbus-1.0.2-4.fc7 [target]
Policy RPM                    selinux-policy-2.6.1-1.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3116.fc7 #1
                              SMP Thu Apr 26 10:36:44 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Sun 13 May 2007 09:59:39 PM PDT
Last Seen                     Sun 13 May 2007 09:59:39 PM PDT
Local ID                      82e7ce83-8b5c-40c5-906e-2873db2c0c18
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="dhcdbd" dev=sda5 egid=81 euid=81
exe="/sbin/dhcdbd" exit=0 fsgid=81 fsuid=81 gid=81 items=0 name="system.d"
path="/etc/dbus-1/system.d" pid=5960 scontext=system_u:system_r:dhcpc_t:s0
sgid=81 subj=system_u:system_r:dhcpc_t:s0 suid=81 tclass=dir
tcontext=system_u:object_r:dbusd_etc_t:s0 tty=(none) uid=81



