[CentOS] SELinux is preventing /usr/bin/chcon "mac_admin" access
Daniel J Walsh
dwalsh at redhat.com
Tue Dec 20 14:49:42 UTC 2011
On 12/20/2011 02:44 PM, James B. Byrne wrote:
> CentOS-6.1 KVM guest on CentOS-6.1 host.
>
> I am seeing this SEAlert in the /var/log/audit/audit.log file on a new
> guest immediately after startup. Can someone tell me what it means
> and what I should do about it? A Google search reveals a number of
> Fedora issues with similar errors dating back a few years; most of
> which seem to have something to do with package ownership.
>
> This guest starts without activating any Ethernet i/f if that has
> any bearing on the matter.
>
> # sealert -a /var/log/audit/audit.log | more
> found 1 alerts in /var/log/audit/audit.log
> --------------------------------------------------------
>
>
> Summary:
>
> SELinux is preventing /usr/bin/chcon "mac_admin" access .
>
> Detailed Description:
>
> SELinux denied access requested by chcon. It is not expected that
> this access is required by chcon and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require
> additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see
> FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
> Please file a bug report.
>
> Additional Information:
>
> Source Context       system_u:system_r:initrc_t:s0
> Target Context       system_u:system_r:initrc_t:s0
> Target Objects       None [ capability2 ]
> Source               chcon
> Source Path          /usr/bin/chcon
> Port                 <Unknown>
> Host                 <Unknown>
> Source RPM Packages  coreutils-8.4-13.el6
> Target RPM Packages
> Policy RPM           selinux-policy-3.7.19-93.el6_1.7
> Selinux Enabled      True
> Policy Type          targeted
> Enforcing Mode       Enforcing
> Plugin Name          catchall
> Host Name            pas-redmine.hamilton.harte-lyne.ca
> Platform             Linux pas-redmine.hamilton.harte-lyne.ca
>                      2.6.32-131.21.1.el6.x86_64 #1 SMP Tue Nov 22 19:48:09 GMT 2011
>                      x86_64 x86_64
> Alert Count          1
> First Seen           Tue Dec 20 09:16:12 2011
> Last Seen            Tue Dec 20 09:16:12 2011
> Local ID             6a24c9e4-3fb9-4524-ae04-a0cf0b31cce4
> Line Numbers         10, 11
>
> Raw Audit Messages
>
> type=AVC msg=audit(1324390572.917:12): avc: denied { mac_admin }
> for pid=1443 comm="chcon" capability=33
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=capability2
>
> type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e
> syscall=188 success=no exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580
> a3=20 items=0 ppid=1442 pid=1443 auid=4294967295 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="chcon" exe="/usr/bin/chcon"
> subj=system_u:system_r:initrc_t:s0 key=(null)
>
This means somebody is executing a chcon with a context that the
kernel does not understand. I would look for a chcon in an init script.
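An added example, not part of the original thread: a small Python triage script that pairs the AVC and SYSCALL records of one audit event and reports `mac_admin` denials where the call was an xattr set that failed with EINVAL, the pattern the reply attributes to a `chcon` using a context the kernel does not understand. The sample input is the two records quoted above with the mail wrapping removed; the function names and the syscall table (x86_64 numbers only) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit records quoted in the thread, unwrapped.
SAMPLE = """\
type=AVC msg=audit(1324390572.917:12): avc:  denied  { mac_admin } for  pid=1443 comm="chcon" capability=33 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=capability2
type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e syscall=188 success=no exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580 a3=20 items=0 ppid=1442 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chcon" exe="/usr/bin/chcon" subj=system_u:system_r:initrc_t:s0 key=(null)
"""

# x86_64 (arch=c000003e) syscalls that set an extended attribute; EINVAL is errno 22.
SETXATTR_X86_64 = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"}
EINVAL = 22

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")

def parse_events(text):
    """Group audit records by (timestamp, serial) so AVC and SYSCALL pair up."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "AVC":
            pm = PERMS_RE.search(body)
            fields["perms"] = pm.group(1).split() if pm else []
        events[(stamp, serial)][rtype] = fields
    return events

def invalid_label_attempts(text):
    """Find mac_admin denials whose syscall was an xattr set that failed with EINVAL."""
    hits = []
    for key, recs in sorted(parse_events(text).items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc or "mac_admin" not in avc["perms"]:
            continue
        name = SETXATTR_X86_64.get(int(sc.get("syscall", -1)))
        if sc.get("arch") == "c000003e" and name and int(sc.get("exit", 0)) == -EINVAL:
            hits.append({"event": key[1], "syscall": name, "exe": sc.get("exe"),
                         "ppid": int(sc["ppid"]), "domain": avc["scontext"].split(":")[2]})
    return hits
```

The `ppid` and `domain` fields in each hit identify the parent process and SELinux domain that ran `chcon`, which narrows down which init script to inspect.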