Hi, folks,
CentOS 7.1. SELinux policy, and targeted, updated two days ago.
May 28 17:02:41 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.#012#012***** <...>
May 28 17:02:45 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/uname.#012#012***** <...>
May 28 17:02:45 <servername> python: SELinux is preventing /usr/bin/uname from execute_no_trans access on the file /usr/bin/uname.#012#012***** <...>
May 28 17:02:47 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/mailx.#012#012***** <...>
I did do an ll -Z /usr/bin, and everything looks correct (system_u:object_r:bin_t:s0). Given that, looks to me like a policy bug. No? Yes? File a bug report?
mark
On 05/29/2015 09:20 AM, m.roth@5-cent.us wrote:
> CentOS 7.1. SELinux policy, and targeted, updated two days ago.
> I did do an ll -Z /usr/bin, and everything looks correct (system_u:object_r:bin_t:s0). Given that, looks to me like a policy bug. No? Yes? File a bug report?
> mark
> -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
What is the avc that you are seeing?
ausearch -m avc -ts recent
Daniel J Walsh wrote:
> On 05/29/2015 09:20 AM, m.roth@5-cent.us wrote:
>> I did do an ll -Z /usr/bin, and everything looks correct (system_u:object_r:bin_t:s0). Given that, looks to me like a policy bug. No? Yes? File a bug report?
> What is the avc that you are seeing?
> ausearch -m avc -ts recent
Hmmm, that ausearch gives no matches. However, in /var/log/audit/audit.log:
type=AVC msg=audit(1432846954.621:112734): avc: denied { execute } for pid=1984 comm="rsync" name="bash" dev="sda3" ino=23075548 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1432846954.628:112735): avc: denied { execute } for pid=1987 comm="sh" name="uname" dev="sda3" ino=23071676 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1432846954.629:112737): avc: denied { execute } for pid=1986 comm="sh" name="mailx" dev="sda3" ino=23072424 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Now, my manager thinks that it's complaining because we have an rsync daemon running, and every time there's an upload, the daemon sends an email to a user.
mark
On 05/29/2015 01:03 PM, m.roth@5-cent.us wrote:
> Daniel J Walsh wrote:
>> What is the avc that you are seeing?
>> ausearch -m avc -ts recent
> Hmmm, that ausearch gives no matches. However, in /var/log/audit/audit.log there are AVC denials for comm="rsync" and comm="sh" with scontext=system_u:system_r:rsync_t:s0 executing bash, uname and mailx.
> Now, my manager thinks that it's complaining because we have an rsync daemon running, and every time there's an upload, the daemon sends an email to a user.
> mark
Is the rsync set up as a client or server? Does it copy off or copy to?