CentOS-6.1 KVM guest on CentOS-6.1 host.
I am seeing this SEAlert in the /var/log/audit/audit.log file of a new guest immediately after startup. Can someone tell me what it means and what I should do about it? A Google search reveals a number of Fedora issues with similar errors dating back a few years, most of which seem to have something to do with package ownership.
This guest starts without activating any Ethernet i/f if that has any bearing on the matter.
# sealert -a /var/log/audit/audit.log | more
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------
Summary:
SELinux is preventing /usr/bin/chcon "mac_admin" access .
Detailed Description:
SELinux denied access requested by chcon. It is not expected that this access is required by chcon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context                system_u:system_r:initrc_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                None [ capability2 ]
Source                        chcon
Source Path                   /usr/bin/chcon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           coreutils-8.4-13.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-93.el6_1.7
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     pas-redmine.hamilton.harte-lyne.ca
Platform                      Linux pas-redmine.hamilton.harte-lyne.ca 2.6.32-131.21.1.el6.x86_64 #1 SMP Tue Nov 22 19:48:09 GMT 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Dec 20 09:16:12 2011
Last Seen                     Tue Dec 20 09:16:12 2011
Local ID                      6a24c9e4-3fb9-4524-ae04-a0cf0b31cce4
Line Numbers                  10, 11
Raw Audit Messages
type=AVC msg=audit(1324390572.917:12): avc: denied { mac_admin } for pid=1443 comm="chcon" capability=33 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=capability2
type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e syscall=188 success=no exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580 a3=20 items=0 ppid=1442 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chcon" exe="/usr/bin/chcon" subj=system_u:system_r:initrc_t:s0 key=(null)
On 12/20/2011 02:44 PM, James B. Byrne wrote:
> CentOS-6.1 KVM guest on CentOS-6.1 host.
> I am seeing this SEAlert in the /var/log/audit/audit.log file of a new guest immediately after startup. Can someone tell me what it means and what I should do about it? A Google search reveals a number of Fedora issues with similar errors dating back a few years, most of which seem to have something to do with package ownership.
> This guest starts without activating any Ethernet i/f if that has any bearing on the matter.
> # sealert -a /var/log/audit/audit.log | more
> found 1 alerts in /var/log/audit/audit.log
> Summary:
> SELinux is preventing /usr/bin/chcon "mac_admin" access .
> Detailed Description:
> SELinux denied access requested by chcon. It is not expected that this access is required by chcon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
> Additional Information:
> Source Context                system_u:system_r:initrc_t:s0
> Target Context                system_u:system_r:initrc_t:s0
> Target Objects                None [ capability2 ]
> Source                        chcon
> Source Path                   /usr/bin/chcon
> Port                          <Unknown>
> Host                          <Unknown>
> Source RPM Packages           coreutils-8.4-13.el6
> Target RPM Packages
> Policy RPM                    selinux-policy-3.7.19-93.el6_1.7
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     pas-redmine.hamilton.harte-lyne.ca
> Platform                      Linux pas-redmine.hamilton.harte-lyne.ca 2.6.32-131.21.1.el6.x86_64 #1 SMP Tue Nov 22 19:48:09 GMT 2011 x86_64 x86_64
> Alert Count                   1
> First Seen                    Tue Dec 20 09:16:12 2011
> Last Seen                     Tue Dec 20 09:16:12 2011
> Local ID                      6a24c9e4-3fb9-4524-ae04-a0cf0b31cce4
> Line Numbers                  10, 11
> Raw Audit Messages
> type=AVC msg=audit(1324390572.917:12): avc: denied { mac_admin } for pid=1443 comm="chcon" capability=33 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=capability2
> type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e syscall=188 success=no exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580 a3=20 items=0 ppid=1442 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chcon" exe="/usr/bin/chcon" subj=system_u:system_r:initrc_t:s0 key=(null)
This means somebody is executing a chcon with a context that the kernel does not understand. I would look for a chcon in an init script.
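The reply above is what a reader gets from decoding the two raw audit records by hand. The following Python script is an added example (not from any post in this thread) that does that decoding over the records quoted above: it joins the AVC and SYSCALL lines by their audit event id, maps capability 33 to CAP_MAC_ADMIN, syscall 188 on x86_64 to setxattr and exit -22 to EINVAL, and reports the parent pid to chase. The lookup tables are constructed and deliberately cover only the values in this thread.

```python
import re
from collections import defaultdict

# Constructed lookup tables covering only the values that appear in this thread.
CAPABILITIES = {33: "CAP_MAC_ADMIN"}   # capability=33 in the capability2 class
SYSCALLS_X86_64 = {188: "setxattr"}    # arch=c000003e is x86_64
ERRNO = {-22: "EINVAL"}

# The two records quoted in the alert above, joined by audit(<timestamp>:<serial>).
AUDIT_LOG = """\
type=AVC msg=audit(1324390572.917:12): avc: denied { mac_admin } for pid=1443 comm="chcon" capability=33 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=capability2
type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e syscall=188 success=no exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580 a3=20 items=0 ppid=1442 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chcon" exe="/usr/bin/chcon" subj=system_u:system_r:initrc_t:s0 key=(null)
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_audit(text):
    """Group audit records by event id (timestamp:serial), keyed by record type."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        perms = re.search(r'denied\s+\{([^}]*)\}', line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[m.group(1) + ":" + m.group(2)][fields["type"]] = fields
    return events

def triage(event):
    """Turn an AVC/SYSCALL pair into the conclusion drawn in the thread: which
    command, in which domain, failed which syscall, and where to look next."""
    avc, sc = event["AVC"], event["SYSCALL"]
    cap = CAPABILITIES.get(int(avc.get("capability", -1)), "unknown")
    call = SYSCALLS_X86_64.get(int(sc["syscall"]), "unknown") if sc["arch"] == "c000003e" else "unknown"
    err = ERRNO.get(int(sc["exit"]), sc["exit"])
    domain = avc["scontext"].split(":")[2]           # system_u:system_r:initrc_t:s0 -> initrc_t
    return {
        "comm": avc["comm"], "pid": int(avc["pid"]), "ppid": int(sc["ppid"]),
        "domain": domain, "capability": cap, "syscall": call, "errno": err,
        "hint": f"{avc['comm']} called {call} and got {err}: the label it passed is not one "
                f"the kernel accepts; find the parent (pid {sc['ppid']}) running as {domain}",
    }

if __name__ == "__main__":
    for event_id, event in parse_audit(AUDIT_LOG).items():
        print(event_id, triage(event))
```

On a live system the same join works over the output of ausearch, and the ppid in the SYSCALL record is what links the chcon back to the init script or daemon that spawned it.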
On Tue, December 20, 2011 09:49, Daniel J Walsh wrote:
> This means somebody is executing a chcon with a context that the kernel does not understand. I would look for a chcon in an init script.
I tried this and did not find any in the init scripts:
find /etc/rc.d -print | xargs grep chcon
On 12/20/2011 04:55 PM, James B. Byrne wrote:
> On Tue, December 20, 2011 09:49, Daniel J Walsh wrote:
> > This means somebody is executing a chcon with a context that the kernel does not understand. I would look for a chcon in an init script.
> I tried this and did not find any in the init scripts:
> find /etc/rc.d -print | xargs grep chcon
grep -R chcon /etc/rc.d
Would be an easier way to do this...
ps -eZ | grep initrc
On Tue, December 20, 2011 13:40, Daniel J Walsh wrote:
> grep -R chcon /etc/rc.d
> Would be an easier way to do this...
> ps -eZ | grep initrc
# grep -R chcon /etc/rc.d
# ps -eZ | grep initrc
system_u:system_r:initrc_t:s0   1211 ?        00:00:01 miniserv.pl
No chcon found in /etc/rc.d
miniserv.pl is the Webmin httpd server. Is this causing the problem?
On 12/20/2011 07:33 PM, James B. Byrne wrote:
> On Tue, December 20, 2011 13:40, Daniel J Walsh wrote:
> > grep -R chcon /etc/rc.d
> > Would be an easier way to do this...
> > ps -eZ | grep initrc
> # grep -R chcon /etc/rc.d
> # ps -eZ | grep initrc
> system_u:system_r:initrc_t:s0   1211 ?        00:00:01 miniserv.pl
> No chcon found in /etc/rc.d
> miniserv.pl is the Webmin httpd server. Is this causing the problem?
It could be. Basically a program running as initrc_t executed the chcon command, probably mistakenly thinking it is fixing an SELinux problem, but it is using an invalid context.
On Tue, December 20, 2011 14:42, Daniel J Walsh wrote:
> On 12/20/2011 07:33 PM, James B. Byrne wrote:
> > # grep -R chcon /etc/rc.d
> > # ps -eZ | grep initrc
> > system_u:system_r:initrc_t:s0   1211 ?        00:00:01 miniserv.pl
> > No chcon found in /etc/rc.d
> > miniserv.pl is the Webmin httpd server. Is this causing the problem?
> It could be. Basically a program running as initrc_t executed the chcon command, probably mistakenly thinking it is fixing an SELinux problem, but it is using an invalid context.
I do not think that this is a webmin problem as I have webmin also running on the kvm host and that server does not report the mac_admin chcon error. Both the host and the guest are running the same version of CentOS (6.1).
I will keep looking.
Thank you for the assistance. It is always useful to learn how to properly use a few more commands.