[CentOS] CentOS 7 selinux policy bug

Fri May 29 15:25:26 UTC 2015
m.roth at 5-cent.us <m.roth at 5-cent.us>

Conley, Matthew M CTR GXM wrote:
> What is your environment set up for? Is this just straight out of the box,
> or have you hardened the systems any?
>
Straight out of the box policy. I've just looked, and I don't think I've
even created any local policies to shut up selinux for things my users
might do.

I can tell, since I always create the local policies in /root. Luckily,
we're in permissive mode - these aren't production servers, they're work
machines, compute nodes or research.

     mark "one of my annual goals: shut up selinux babble"
>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of Earl A Ramirez
> Sent: Friday, May 29, 2015 10:53 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] CentOS 7 selinux policy bug
>
> On 29 May 2015 at 16:27, <m.roth at 5-cent.us> wrote:
>
>> Hi, folks,
>>
>>    CentOS 7.1. SELinux policy, and targeted, updated two days ago.
>>
>> May 28 17:02:41 <servername> python: SELinux is preventing
>> /usr/bin/bash from execute access on the file
>> /usr/bin/bash.#012#012***** <...> May 28 17:02:45 <servername> python:
>> SELinux is preventing /usr/bin/bash from execute access on the file
>> /usr/bin/uname.#012#012*****  <...> May 28
>> 17:02:45 <servername> python: SELinux is preventing /usr/bin/uname
>> from execute_no_trans access on the file /usr/bin/uname.#012#012*****
>> <...> May 28 17:02:47 <servername> python: SELinux is preventing
>> /usr/bin/bash from execute access on the file
>> /usr/bin/mailx.#012#012*****  <...>
>>
>> I did do an ll -Z /usr/bin, and everything looks correct
>> (system_u:object_r:bin_t:s0). Given that, looks to me like a policy bug.
>> No? Yes? File a bug report?
>>
>>         mark
>>
>>
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>
> I saw the same behaviour this morning, however the labels changed to
> "unlabelled" for a number of programs; e.g. /etc/ssh/sshd_config,
> /etc/shadow, /etc/pam/* and a few others. I saw this after I was not able
> to login to my laptop, login to single user mode and saw tonnes of SELinux
> errors and changed it from enforcing to permissive and then I was able to
> restore the labels.
>
> Most certainly believe it's a bug.
>
>
> --
> Kind Regards
> Earl Ramirez
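Added example, not part of the thread and not code from any of the posters: two offline checks that mirror what the thread does by hand. The first reduces setroubleshoot messages of the shape quoted above to "source permission target" triples, so a day of journal output becomes a short list instead of one long message per denial. The second reads an "ls -Z" listing on stdin and a file of expected contexts in matchpathcon's "path context" format and prints every path whose type differs from what the policy says, which is how the "unlabelled" files Earl describes would show up in a listing that otherwise looks fine. All sample input is constructed for the example; the expected contexts are illustrative and were not taken from the CentOS 7 policy.

```shell
#!/bin/sh
# Added example, not code from the thread. Two offline checks around the two
# things the posters looked at: setroubleshoot messages and file labels.
# Every sample below is constructed for the example.
set -e

# Constructed journal lines in the shape quoted in the thread ("#012" is how
# journald renders the embedded newlines of the original message). The last
# line is unrelated noise to show that it is filtered out.
SAMPLE_DENIALS='May 28 17:02:41 host python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.#012#012*****
May 28 17:02:45 host python: SELinux is preventing /usr/bin/uname from execute_no_trans access on the file /usr/bin/uname.#012#012*****
May 28 17:02:47 host python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/mailx.#012#012*****
May 28 17:02:48 host systemd: Started Session 42 of user mark.'

# Constructed "ls -Z" output in the long form coreutils 8.22 (CentOS 7) prints.
# The newer short form ("context path") is handled too, because the context is
# located by pattern rather than by field position.
SAMPLE_LISTING='-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /usr/bin/bash
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/uname
-rwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /usr/bin/mailx'

# Constructed expected contexts in matchpathcon's "path context" format.
# Illustrative values only; not checked against the real policy.
SAMPLE_EXPECTED='/usr/bin/bash system_u:object_r:shell_exec_t:s0
/usr/bin/uname system_u:object_r:bin_t:s0
/usr/bin/mailx system_u:object_r:bin_t:s0'

# Reduce setroubleshoot lines to "source permission target"; drop everything else.
parse_denials() {
    sed -n 's/#012.*$//; s/^.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the file \([^ ]*\)\.$/\1 \2 \3/p'
}

# $1: file of expected contexts ("path context" per line, as matchpathcon prints)
# stdin: "ls -Z" listing with full paths (use "ls -Zd /usr/bin/*", not "ls -Z /usr/bin")
# stdout: one "path actual_type expected_type" line per file whose type is wrong
check_labels() {
    awk -v expected="$1" '
        BEGIN {
            # Load the expected type (third colon-separated field) for each path.
            while ((getline line < expected) > 0) {
                split(line, f); split(f[2], c, ":"); want[f[1]] = c[3]
            }
        }
        {
            # The context is whichever field carries the object_r role; the path is last.
            ctx = ""
            for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) ctx = $i
            if (ctx == "") next
            path = $NF
            split(ctx, c, ":")
            if ((path in want) && want[path] != c[3]) print path, c[3], want[path]
        }'
}

# Run both checks over the constructed samples.
exp_file=$(mktemp)
printf '%s\n' "$SAMPLE_EXPECTED" > "$exp_file"
echo "denials (source permission target):"
printf '%s\n' "$SAMPLE_DENIALS" | parse_denials
echo "label mismatches (path actual expected):"
printf '%s\n' "$SAMPLE_LISTING" | check_labels "$exp_file"
rm -f "$exp_file"
```

On a real host the inputs come from `journalctl | grep 'SELinux is preventing'` (or the raw AVC records from `ausearch -m avc -ts recent`), `ls -Zd /usr/bin/*`, and `matchpathcon /usr/bin/*`. `restorecon -nv /usr/bin` makes the same comparison against the live policy and is the tool to use when SELinux is available; dropping `-n` applies the fix, which is the label restore Earl describes doing from permissive mode.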