Hello,
I received the below SELinux message today and I am trying to figure out what caused it. I see what it says under Allow Access but I am not sure this is what I really want to do without know why it happened in the first place.
What should I be looking at to understand what or why this has happened?
Any help I would be most grateful for.
Here is the output form SELinux
SUMMARY: SELinux is preventing access to files with the label, file_t.
Detailed Description: SELinux permission checks on files labeled file_t are being denied. file_t is the context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem. No files on an SELinux box should ever be labeled file_t. If you have just added a new disk drive to the system you can relabel it using the restorecon command. Otherwise you should relabel the entire files system.
Allowing Access: You can execute the following command as root to relabel your computer system: "touch /.autorelabel; reboot"
Additional Information: Source Context: user_u:system_r:pam_console_t Target Context: system_u:object_r:file_t Target Objects: / [ dir ] Source: pam_console_appSource Path: /sbin/pam_console_apply Port: <Unknown> Host: host1.mycompany.com Source RPM Packages: pam-0.99.6.2-6.el5_5.2 Target RPM Packages: filesystem-2.4.0-3.el5.centos Policy RPM: selinux-policy-2.4.6-316.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: file Host Name: host1.mycompany.com Platform: Linux host1.mycompany.com 2.6.18-238.19.1.el5 #1 SMP Fri Jul 15 07:31:24 EDT 2011 x86_64 x86_64 Alert Count: 77 First Seen: Thu 08 Sep 2011 02:04:40 PM EDT Last Seen: Thu 08 Sep 2011 02:04:45 PM EDT Local ID: 39ba9c3c-5ac0-4b91-aab1-8d871c20162c Line Numbers:
Raw Audit Messages : host=host1.mycompany.com type=AVC msg=audit(1315505085.751:14929): avc: denied { read } for pid=690 comm="pam_console_app" name="/" dev=md4 ino=2 scontext=user_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
host=host1.mycompany.com type=SYSCALL msg=audit(1315505085.751:14929): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0f2076c0 a1=10800 a2=0 a3=7fff0f209cca items=0 ppid=631 pid=690 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pam_console_app" exe="/sbin/pam_console_apply" subj=user_u:system_r:pam_console_t:s0 key=(null)
I'm not a pro or anything, but this bug report gives a bit more info. Have you made any changes to the disk lately?
https://bugzilla.redhat.com/show_bug.cgi?id=485921
find / -context "*:file_t:*"
The above command will show you what file is causing the messages.
On 09/08/2011 04:45 PM, Robert Spangler wrote:
Hello,
I received the below SELinux message today and I am trying to figure out what caused it. I see what it says under Allow Access but I am not sure this is what I really want to do without know why it happened in the first place.
What should I be looking at to understand what or why this has happened?
Any help I would be most grateful for.
Here is the output form SELinux
SUMMARY: SELinux is preventing access to files with the label, file_t.
Detailed Description: SELinux permission checks on files labeled file_t are being denied. file_t is the context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem. No files on an SELinux box should ever be labeled file_t. If you have just added a new disk drive to the system you can relabel it using the restorecon command. Otherwise you should relabel the entire files system.
Allowing Access: You can execute the following command as root to relabel your computer system: "touch /.autorelabel; reboot"
Additional Information: Source Context: user_u:system_r:pam_console_t Target Context: system_u:object_r:file_t Target Objects: / [ dir ] Source: pam_console_appSource Path: /sbin/pam_console_apply Port: <Unknown> Host: host1.mycompany.com Source RPM Packages: pam-0.99.6.2-6.el5_5.2 Target RPM Packages: filesystem-2.4.0-3.el5.centos Policy RPM: selinux-policy-2.4.6-316.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: file Host Name: host1.mycompany.com Platform: Linux host1.mycompany.com 2.6.18-238.19.1.el5 #1 SMP Fri Jul 15 07:31:24 EDT 2011 x86_64 x86_64 Alert Count: 77 First Seen: Thu 08 Sep 2011 02:04:40 PM EDT Last Seen: Thu 08 Sep 2011 02:04:45 PM EDT Local ID: 39ba9c3c-5ac0-4b91-aab1-8d871c20162c Line Numbers:
Raw Audit Messages : host=host1.mycompany.com type=AVC msg=audit(1315505085.751:14929): avc: denied { read } for pid=690 comm="pam_console_app" name="/" dev=md4 ino=2 scontext=user_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
host=host1.mycompany.com type=SYSCALL msg=audit(1315505085.751:14929): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0f2076c0 a1=10800 a2=0 a3=7fff0f209cca items=0 ppid=631 pid=690 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pam_console_app" exe="/sbin/pam_console_apply" subj=user_u:system_r:pam_console_t:s0 key=(null)
On Thursday 08 September 2011 16:58, the following was written:
I'm not a pro or anything, but this bug report gives a bit more info. Have you made any changes to the disk lately?
https://bugzilla.redhat.com/show_bug.cgi?id=485921
find / -context "*:file_t:*"
The above command will show you what file is causing the messages.
Thank you for your response. I do not make changes to the disk other then software update and saving files.
I run your command above and its output is as follows:
~ $ sudo find / -context "*:file_t:*" getfilecon(/proc/29073/task/29073/fd/4): No such file or directory getfilecon(/proc/29073/task/29073/fdinfo/4): No such file or directory getfilecon(/proc/29073/fd/4): No such file or directory getfilecon(/proc/29073/fdinfo/4): No such file or directory
So it doesn't look like any files are labeled incorrectly.
Robert Spangler wrote:
On Thursday 08 September 2011 16:58, the following was written:
I'm not a pro or anything, but this bug report gives a bit more info. Have you made any changes to the disk lately?
https://bugzilla.redhat.com/show_bug.cgi?id=485921
find / -context "*:file_t:*"
The above command will show you what file is causing the messages.
Thank you for your response. I do not make changes to the disk other then software update and saving files.
I run your command above and its output is as follows:
~ $ sudo find / -context "*:file_t:*" getfilecon(/proc/29073/task/29073/fd/4): No such file or directory getfilecon(/proc/29073/task/29073/fdinfo/4): No such file or directory getfilecon(/proc/29073/fd/4): No such file or directory getfilecon(/proc/29073/fdinfo/4): No such file or directory
So it doesn't look like any files are labeled incorrectly.
That's the total output?
mark
On Friday 09 September 2011 10:21, the following was written:
That's the total output?
Yep. Nothing more. I ran it again and here is the new output:
[Fri Sep 09 10:40:20] [rjs@bms] /home/rjs
~ $ sudo find / -context "*:file_t:*" getfilecon(/proc/7408/task/7408/fd/4): No such file or directory getfilecon(/proc/7408/task/7408/fdinfo/4): No such file or directory getfilecon(/proc/7408/fd/4): No such file or directory getfilecon(/proc/7408/fdinfo/4): No such file or directory
[Fri Sep 09 10:40:44] [rjs@bms] /home/rjs
-
Aaron Krohn -
m.roth@5-cent.us -
Robert Spangler