[CentOS] SELinux is preventing /usr/bin/chcon "mac_admin" access

Tue Dec 20 14:49:42 UTC 2011
Daniel J Walsh <dwalsh at redhat.com>

On 12/20/2011 02:44 PM, James B. Byrne wrote:
> CentOS-6.1 KVM guest on CentOS-6.1 host.
> 
> I am seeing this SEAlert in the /var/log/audit/audit.log file of a new
> guest immediately after startup. Can someone tell me what it means
> and what I should do about it?  A Google search reveals a number of
> Fedora issues with similar errors dating back a few years; most of
> which seem to have something to do with package ownership.
> 
> This guest starts without activating any Ethernet i/f if that has
> any bearing on the matter.
> 
> # sealert -a /var/log/audit/audit.log | more
> found 1 alerts in /var/log/audit/audit.log
> --------------------------------------------------------
> 
> 
> Summary:
> 
> SELinux is preventing /usr/bin/chcon "mac_admin" access .
> 
> Detailed Description:
> 
> SELinux denied access requested by chcon. It is not expected that
> this access is required by chcon and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require
> additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see
> FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) 
> Please file a bug report.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:initrc_t:s0
> Target Context                system_u:system_r:initrc_t:s0
> Target Objects                None [ capability2 ]
> Source                        chcon
> Source Path                   /usr/bin/chcon
> Port                          <Unknown>
> Host                          <Unknown>
> Source RPM Packages           coreutils-8.4-13.el6
> Target RPM Packages
> Policy RPM                    selinux-policy-3.7.19-93.el6_1.7
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     pas-redmine.hamilton.harte-lyne.ca
> Platform                      Linux pas-redmine.hamilton.harte-lyne.ca 2.6.32-131.21.1.el6.x86_64 #1 SMP Tue Nov 22 19:48:09 GMT 2011 x86_64 x86_64
> Alert Count                   1
> First Seen                    Tue Dec 20 09:16:12 2011
> Last Seen                     Tue Dec 20 09:16:12 2011
> Local ID                      6a24c9e4-3fb9-4524-ae04-a0cf0b31cce4
> Line Numbers                  10, 11
> 
> Raw Audit Messages
> 
> type=AVC msg=audit(1324390572.917:12): avc:  denied  { mac_admin }
> for  pid=1443 comm="chcon" capability=33
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=capability2
> 
> type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e 
> syscall=188 success=no exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580
> a3=20 items=0 ppid=1442 pid=1443 auid=4294967295 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="chcon" exe="/usr/bin/chcon"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> 

This means somebody is executing a chcon with a context that the
kernel does not understand.  I would look for a chcon in an init script.
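The triage Dan describes, as an added example that is not part of the thread: a POSIX shell script that pulls the who/what out of an AVC record like the one quoted above, names capability 33 (CAP_MAC_ADMIN, which the kernel requires before it will let a process set a label it does not recognise), searches init scripts for the chcon call, and asks selinuxfs whether a given label is one the running policy accepts. The audit line is a constructed copy of the one in the thread; the mount points /selinux (CentOS 6) and /sys/fs/selinux (newer kernels), the /etc/rc.d paths, and the function names are this example's own assumptions. The validity check only works on a host with SELinux mounted.

```shell
#!/bin/sh
# Added example, not code from the CentOS list thread.
# Triage an SELinux "mac_admin" AVC denial and find the chcon that caused it.

# Constructed sample: the AVC record from the thread, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1324390572.917:12): avc:  denied  { mac_admin } for  pid=1443 comm="chcon" capability=33 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=capability2'

# Extract one key=value field from an audit record; surrounding quotes dropped.
# $1 = record, $2 = key name
avc_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == k) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# The permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\) *}.*/\1/p'
}

# Map the capability number in a capability/capability2 AVC to a name.
# Only the value seen in the thread is mapped; anything else is reported by number.
cap_name() {
    case "$1" in
        33) echo CAP_MAC_ADMIN ;;
        *)  echo "CAP_#$1" ;;
    esac
}

# One-line summary: which command, pid and domain was denied what.
avc_summary() {
    rec=$1
    printf '%s pid=%s domain=%s denied %s (%s) on class %s\n' \
        "$(avc_field "$rec" comm)" "$(avc_field "$rec" pid)" \
        "$(avc_field "$rec" scontext)" "$(avc_perm "$rec")" \
        "$(cap_name "$(avc_field "$rec" capability)")" \
        "$(avc_field "$rec" tclass)"
}

# Dan's advice: look for a chcon in an init script.  Prints file:line for
# every chcon invocation under the directories given (assumed SysV locations
# on CentOS 6 are /etc/rc.d/init.d and /etc/rc.d/rc.local).
find_chcon_calls() {
    grep -rn -E '(^|[^A-Za-z_])chcon([^A-Za-z_]|$)' "$@" 2>/dev/null
}

# Ask the kernel whether it understands a label.  Writing a context to the
# selinuxfs "context" node succeeds only for a context valid under the loaded
# policy; a label that fails here is the kind chcon would need CAP_MAC_ADMIN
# to set.  Returns 0 valid, 1 rejected, 2 when selinuxfs is not mounted.
context_is_valid() {
    for fs in /sys/fs/selinux /selinux; do
        if [ -w "$fs/context" ]; then
            printf '%s' "$1" > "$fs/context" 2>/dev/null && return 0
            return 1
        fi
    done
    echo "selinuxfs not mounted; cannot validate $1" >&2
    return 2
}

avc_summary "$SAMPLE_AVC"
# On the affected guest, then run:
#   find_chcon_calls /etc/rc.d/init.d /etc/rc.d/rc.local
#   context_is_valid 'system_u:object_r:some_label_t:s0'   # label from the script
```

Run it on the guest and feed each chcon target label from the scripts it finds into context_is_valid; the one the kernel rejects is the call that produced the denial, and the fix is to correct that label (or drop the chcon in favour of file-context rules and restorecon) rather than to grant initrc_t mac_admin.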