On 12/20/2011 02:44 PM, James B. Byrne wrote:
> CentOS-6.1 KVM guest on CentOS-6.1 host.
>
> I am seeing this SEAlert in the /var/log/audit/audit.log file on a new
> guest immediately after startup. Can someone tell me what it means
> and what I should do about it? A Google search reveals a number of
> Fedora issues with similar errors dating back a few years; most of
> which seem to have something to do with package ownership.
>
> This guest starts without activating any Ethernet i/f if that has
> any bearing on the matter.
>
> # sealert -a /var/log/audit/audit.log | more
> found 1 alerts in /var/log/audit/audit.log
> --------------------------------------------------------
>
> Summary:
>
> SELinux is preventing /usr/bin/chcon "mac_admin" access .
>
> Detailed Description:
>
> SELinux denied access requested by chcon. It is not expected that
> this access is required by chcon and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require
> additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see
> FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
> Please file a bug report.
>
> Additional Information:
>
> Source Context       system_u:system_r:initrc_t:s0
> Target Context       system_u:system_r:initrc_t:s0
> Target Objects       None [ capability2 ]
> Source               chcon
> Source Path          /usr/bin/chcon
> Port                 <Unknown>
> Host                 <Unknown>
> Source RPM Packages  coreutils-8.4-13.el6
> Target RPM Packages
> Policy RPM           selinux-policy-3.7.19-93.el6_1.7
> Selinux Enabled      True
> Policy Type          targeted
> Enforcing Mode       Enforcing
> Plugin Name          catchall
> Host Name            pas-redmine.hamilton.harte-lyne.ca
> Platform             Linux pas-redmine.hamilton.harte-lyne.ca
>                      2.6.32-131.21.1.el6.x86_64 #1 SMP Tue Nov 22 19:48:09 GMT 2011
>                      x86_64 x86_64
> Alert Count          1
> First Seen           Tue Dec 20 09:16:12 2011
> Last Seen            Tue Dec 20 09:16:12 2011
> Local ID             6a24c9e4-3fb9-4524-ae04-a0cf0b31cce4
> Line Numbers         10, 11
>
> Raw Audit Messages
>
> type=AVC msg=audit(1324390572.917:12): avc: denied { mac_admin } for pid=1443 comm="chcon" capability=33 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=capability2
>
> type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e syscall=188 success=no exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580 a3=20 items=0 ppid=1442 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chcon" exe="/usr/bin/chcon" subj=system_u:system_r:initrc_t:s0 key=(null)
>

This means somebody is executing a chcon with a context that the
kernel does not understand. I would look for a chcon in an init script.
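
The reading given in the reply can be checked against the two raw audit records: on x86_64 syscall 188 is setxattr, exit=-22 is EINVAL, and capability 33 is CAP_MAC_ADMIN, which the kernel asks for only when the label being set is not valid in the loaded policy. The Python below is an added example, not part of the original message; it pairs AVC and SYSCALL records by event id and reports that pattern. The function names are hypothetical and the sample input is constructed from the records quoted above.

```python
import errno
import re

# Constructed sample: the two raw records quoted in the message, line wraps removed.
SAMPLE = [
    'type=AVC msg=audit(1324390572.917:12): avc: denied { mac_admin } for pid=1443 '
    'comm="chcon" capability=33 scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=capability2',
    'type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e syscall=188 success=no '
    'exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580 a3=20 items=0 ppid=1442 pid=1443 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
    'ses=4294967295 comm="chcon" exe="/usr/bin/chcon" subj=system_u:system_r:initrc_t:s0 '
    'key=(null)',
]

X86_64 = 'c000003e'  # AUDIT_ARCH_X86_64 as printed in the arch= field
XATTR_SET = {188: 'setxattr', 189: 'lsetxattr', 190: 'fsetxattr'}  # x86_64 numbers
EVENT = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{([^}]*)\}')

def parse(line):
    """Split one audit record into a dict, adding the event id and AVC permissions."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    ev, perms = EVENT.search(line), PERMS.search(line)
    rec['event'] = ev.group(1) if ev else None
    rec['perms'] = perms.group(1).split() if perms else []
    return rec

def unknown_label_events(lines):
    """Return events where a mac_admin denial pairs with a *setxattr that got EINVAL."""
    events = {}
    for rec in map(parse, lines):
        events.setdefault(rec['event'], {})[rec.get('type')] = rec
    found = []
    for eid, recs in events.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL')
        if not (avc and sc) or 'mac_admin' not in avc['perms']:
            continue
        if avc.get('tclass') != 'capability2' or sc.get('arch') != X86_64:
            continue
        name = XATTR_SET.get(int(sc.get('syscall', -1)))
        if name and int(sc.get('exit', 0)) == -errno.EINVAL:
            found.append({'event': eid, 'syscall': name, 'exe': sc.get('exe'),
                          'ppid': int(sc['ppid']),
                          'domain': avc['scontext'].split(':')[2]})
    return found

if __name__ == '__main__':
    for hit in unknown_label_events(SAMPLE):
        print(hit)
```

The `ppid` in each result is the process that invoked chcon, and the `initrc_t` domain is consistent with the reply's suggestion to look in an init script.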