SELinux is preventing the groupadd from using potentially mislabeled files (/tmp/yum.temp).

Thu, 23 Jul 2009 19:20:03 -0700

The suggested resolution doesn't seem appropriate. Are others seeing this, and what are they doing about it? 


Summary:

SELinux is preventing the groupadd from using potentially mislabeled files
(/tmp/yum.temp).

Detailed Description:

SELinux has denied groupadd access to potentially mislabeled file(s)

(/tmp/yum.temp). This means that SELinux will not allow groupadd to use 
these

files. It is common for users to edit files in their home directory or tmp

directories and then move (mv) them to system directories. The problem 
is that
the files end up with the wrong file context which confined applications 
are not

allowed to access.

Allowing Access:

If you want groupadd to access this files, you need to relabel them using

restorecon -v '/tmp/yum.temp'. You might want to relabel the entire 
directory

using restorecon -R -v '/tmp'.

Additional Information:

Source Context                user_u:system_r:groupadd_t
Target Context                user_u:object_r:tmp_t
Target Objects                /tmp/yum.temp [ file ]
Source                        groupadd
Source Path                   /usr/sbin/groupadd
Port                          <Unknown>
Host                          bobtail.demo.lan
Source RPM Packages           shadow-utils-4.0.17-14.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     bobtail.demo.lan

Platform                      Linux bobtail.demo.lan 2.6.18-128.1.10.el5 
#1 SMP

                              Thu May 7 12:48:13 EDT 2009 x86_64 x86_64
Alert Count                   7
First Seen                    Thu Sep  4 04:36:32 2008
Last Seen                     Fri Jul 24 04:05:03 2009
Local ID                      5c97302c-0bb5-44dd-bcdf-570851410cbd
Line Numbers

Raw Audit Messages


host=bobtail.demo.lan type=AVC msg=audit(1248379503.595:3899): avc: 
denied  { write } for  pid=10117 comm="groupadd" path="/tmp/yum.temp" 
dev=dm-0 ino=16777376 scontext=user_u:system_r:groupadd_t:s0 
tcontext=user_u:object_r:tmp_t:s0 tclass=file



host=bobtail.demo.lan type=SYSCALL msg=audit(1248379503.595:3899): 
arch=c000003e syscall=59 success=yes exit=0 a0=5991d30 a1=5990380 
a2=5990120 a3=3eff751a30 items=0 ppid=10116 pid=10117 auid=0 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=707 
comm="groupadd" exe="/usr/sbin/groupadd" 
subj=user_u:system_r:groupadd_t:s0 key=(null)



Why groupadd is running at all is a mystery I've yet to resolve.


--

Cheers
John

-- spambait
[email protected]  [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)














    











					Reply via email to