These happen on two machines during updates. I'm also noticing many %post scriptlets failing when these pop up, though I don't know if they are related or not.
Summary:
SELinux is preventing yum (bootloader_t) "transition" to /sbin/ldconfig (rpm_script_t).
Detailed Description:
SELinux denied access requested by yum. It is not expected that this access is required by yum and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context: user_u:system_r:bootloader_t:s0
Target Context: user_u:system_r:rpm_script_t:s0
Target Objects: /sbin/ldconfig [ process ]
Source: yum
Source Path: /usr/bin/python
Port: <Unknown>
Host: durthangnix
Source RPM Packages: python-2.5.1-23.fc9
Target RPM Packages: glibc-2.7.90-9
Policy RPM: selinux-policy-3.3.1-14.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: durthangnix
Platform: Linux durthangnix 2.6.25-0.105.rc5.fc9 #1 SMP Mon Mar 10 20:59:23 EDT 2008 x86_64 x86_64
Alert Count: 35
First Seen: Thu 13 Mar 2008 11:19:15 PM PDT
Last Seen: Thu 13 Mar 2008 11:32:48 PM PDT
Local ID: 36d70abc-d12d-42f2-96bf-ab7250e29da1
Line Numbers:
Raw Audit Messages
host=durthangnix type=AVC msg=audit(1205476368.460:1339): avc: denied { transition } for pid=28100 comm="yum" path="/sbin/ldconfig" dev=sda3 ino=858775 scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
host=durthangnix type=SYSCALL msg=audit(1205476368.460:1339): arch=c000003e syscall=59 success=no exit=-13 a0=7ff2034c2aca a1=7fff1bd22350 a2=7ff20aa927d0 a3=3b8896c9f0 items=0 ppid=27144 pid=28100 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python" subj=user_u:system_r:bootloader_t:s0 key=(null)
Summary:
SELinux is preventing yum (bootloader_t) "transition" to /bin/bash (rpm_script_t).
Detailed Description:
SELinux denied access requested by yum. It is not expected that this access is required by yum and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context: user_u:system_r:bootloader_t:s0
Target Context: user_u:system_r:rpm_script_t:s0
Target Objects: /bin/bash [ process ]
Source: rpm
Source Path: /bin/rpm
Port: <Unknown>
Host: durthangnix
Source RPM Packages: python-2.5.1-23.fc9
Target RPM Packages: bash-3.2-21.fc9
Policy RPM: selinux-policy-3.3.1-14.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: durthangnix
Platform: Linux durthangnix 2.6.25-0.105.rc5.fc9 #1 SMP Mon Mar 10 20:59:23 EDT 2008 x86_64 x86_64
Alert Count: 48
First Seen: Thu 13 Mar 2008 10:00:05 AM PDT
Last Seen: Thu 13 Mar 2008 11:32:48 PM PDT
Local ID: 75a34bf7-d467-444b-bfb4-9a931b3af238
Line Numbers:
Raw Audit Messages
host=durthangnix type=AVC msg=audit(1205476368.64:1338): avc: denied { transition } for pid=28099 comm="yum" path="/bin/bash" dev=sda3 ino=835647 scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
host=durthangnix type=SYSCALL msg=audit(1205476368.64:1338): arch=c000003e syscall=59 success=no exit=-13 a0=7ff20063e90d a1=7fff1bd22350 a2=7ff20aa927d0 a3=3b8896c9f0 items=0 ppid=27144 pid=28099 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python" subj=user_u:system_r:bootloader_t:s0 key=(null)
Andrew Farris wrote:
These happen on two machines during updates. I'm also noticing many %post scriptlets failing when these pop up, though I don't know if they are related or not.
This looks like you are logged in as bootloader_t? Something is very wrong with your system.
What does id -Z show?
You might need to relabel. Are you using a different login program?
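The field to read in these reports is the source context, not setroubleshoot's offer to build an allow module: every denial has scontext=user_u:system_r:bootloader_t:s0, and the matching SYSCALL records carry auid=500 and tty=pts1, so yum is simply the first program in a mislabelled interactive session to hit a domain-transition rule. As an added example (not code from the thread, from setroubleshoot or from Fedora), the script below parses raw audit records like the ones posted above, joins each AVC with its SYSCALL by serial, and flags denials whose source is an interactive session in a domain a login should never land in. The list of acceptable login domains and the httpd_t contrast record are assumptions made for illustration.

```python
"""Triage SELinux AVC denials by *source* domain.

Added example for this thread, not code from the list, from setroubleshoot or
from Fedora. It parses raw audit records like the ones posted above and flags
the tell in Dan Walsh's reply: an interactive login session (auid and tty set)
whose processes run in a domain no login program should place a user in. For
such an event the right fix is the login path, not a local "allow" module.
"""
import re
from collections import Counter, defaultdict

# Assumption: the domains a targeted-policy login may legitimately land in.
LOGIN_DOMAINS = {"unconfined_t", "user_t", "staff_t", "sysadm_t"}
NO_AUID = "4294967295"  # (unsigned)-1: the process never got a login uid

# Constructed sample input: the two AVC/SYSCALL pairs from the thread with the
# a0..a3 register dump elided, plus one fabricated pair (serial 1340) showing a
# daemon denial for contrast; that last pair is not from the thread.
SAMPLE_AUDIT = """\
host=durthangnix type=AVC msg=audit(1205476368.460:1339): avc: denied { transition } for pid=28100 comm="yum" path="/sbin/ldconfig" dev=sda3 ino=858775 scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
host=durthangnix type=SYSCALL msg=audit(1205476368.460:1339): arch=c000003e syscall=59 success=no exit=-13 items=0 ppid=27144 pid=28100 auid=500 uid=0 gid=0 euid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python" subj=user_u:system_r:bootloader_t:s0 key=(null)
host=durthangnix type=AVC msg=audit(1205476368.64:1338): avc: denied { transition } for pid=28099 comm="yum" path="/bin/bash" dev=sda3 ino=835647 scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
host=durthangnix type=SYSCALL msg=audit(1205476368.64:1338): arch=c000003e syscall=59 success=no exit=-13 items=0 ppid=27144 pid=28099 auid=500 uid=0 gid=0 euid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python" subj=user_u:system_r:bootloader_t:s0 key=(null)
host=example type=AVC msg=audit(1205476400.000:1340): avc: denied { read } for pid=3000 comm="httpd" name="shadow" dev=sda3 ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
host=example type=SYSCALL msg=audit(1205476400.000:1340): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=1 pid=3000 auid=4294967295 uid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_AVC = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}")


def parse_record(line):
    """One audit record -> dict of key=value fields, plus serial/timestamp and,
    for AVC records, the result and the set of permissions in braces."""
    m = _SERIAL.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    rec["timestamp"], rec["serial"] = float(m.group(1)), int(m.group(2))
    avc = _AVC.search(line)
    if avc:
        rec["result"], rec["perms"] = avc.group(1), set(avc.group(2).split())
    return rec


def split_context(ctx):
    """user:role:type[:level] -> dict. The level may itself contain ':'
    (e.g. s0-s0:c0.c1023), so split at most three times."""
    parts = ctx.split(":", 3)
    return dict(zip(("user", "role", "type", "level"), parts + [""] * (4 - len(parts))))


def correlate(text):
    """Group records by serial so each AVC can be read next to its SYSCALL."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    return events


def triage(text, login_domains=LOGIN_DOMAINS):
    """Return one finding per denial, oldest serial first."""
    findings = []
    for serial, recs in sorted(correlate(text).items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None or avc.get("result") != "denied":
            continue
        src, tgt = split_context(avc["scontext"]), split_context(avc["tcontext"])
        # A login session has a real auid and a controlling tty; daemons have neither.
        interactive = bool(sc) and sc.get("auid") != NO_AUID and sc.get("tty", "(none)") != "(none)"
        if interactive and src["type"] not in login_domains:
            verdict = "login session in unexpected domain: fix the login path, not the policy"
        else:
            verdict = "denial inside a confined domain: evaluate the access itself"
        findings.append({
            "serial": serial, "pid": avc.get("pid"), "comm": avc.get("comm"),
            "object": avc.get("path") or avc.get("name"),
            "source_type": src["type"], "target_type": tgt["type"],
            "tclass": avc.get("tclass"), "perms": avc["perms"],
            "interactive": interactive, "verdict": verdict,
        })
    return findings


def by_source_domain(findings):
    """Denial count per source domain: a large count for one odd domain, as in
    the thread's Alert Count 35 and 48, points at a mislabelled session."""
    return Counter(f["source_type"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_AUDIT)
    for f in results:
        print(f"{f['serial']} {f['comm']}({f['pid']}) {f['source_type']} -> "
              f"{f['target_type']} {f['tclass']} {sorted(f['perms'])}: {f['verdict']}")
    print(dict(by_source_domain(results)))
```

Run as-is it works on the embedded sample; on a live host, feed triage() the raw records from /var/log/audit/audit.log or from ausearch --raw, which use the same key=value format (the leading host= field is optional). The heuristic deliberately keys on the SYSCALL record rather than on the AVC alone, because the AVC does not say whether the source process belongs to a logged-in user.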
On Mon, Mar 17, 2008 at 7:33 AM, Daniel J Walsh dwalsh@redhat.com wrote:
This looks like you are logged in as bootloader_t? Something is very wrong with your system.
What does id -Z show?
On one system I am logged in as bootloader_t. My user's id -Z: user_u:system_r:bootloader_t:s0, and root (su - from my user): user_u:system_r:bootloader_t:s0.
On the other system I am not; instead I am: unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
The first is kernel-2.6.25-0.121.rc5.git4.fc9.x86_64 and look at this:
04:11:39 |root.durthangnix:1| |28 files:848K@yum| |0 jobs|
- rpm -q selinux-policy-targeted
package selinux-policy-targeted is not installed

04:12:00 |root.durthangnix:1| |28 files:848K@yum| |0 jobs|
- rpm -qa | grep selinux
libselinux-python-2.0.57-1.fc9.x86_64
libselinux-2.0.59-1.fc9.x86_64
selinux-policy-3.3.1-16.fc9.noarch
selinux-policy-devel-3.3.1-16.fc9.noarch
libselinux-2.0.57-1.fc9.x86_64
libselinux-python-2.0.59-1.fc9.x86_64
libselinux-2.0.59-1.fc9.i386
selinux-policy-3.3.1-14.fc9.noarch

04:12:08 |root.durthangnix:1| |28 files:848K@yum| |0 jobs|
- yum list selinux-policy-targeted
Loaded plugins: basearchonly, fastestmirror, fedorakmod, priorities, security, versionlock
Loading mirror speeds from cached hostfile
 * livna-development: mirrors.tummy.com
 * livna-development-debuginfo: mirrors.tummy.com
 * rawhide: limestone.uoregon.edu
 * upstart-debuginfo: notting.fedorapeople.org
 * upstart: notting.fedorapeople.org
Reading version lock configuration
Available Packages
selinux-policy-targeted.noarch 3.3.1-16.fc9 rawhide

04:12:36 |root.durthangnix:1| |28 files:848K@yum| |0 jobs|
- cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

So the configured policy is not even installed... it was previously, so I'm not sure where it went. This is from /var/log/yum.log:
- cat /var/log/yum.log | grep selinux
Mar 13 23:21:49 Updated: selinux-policy-3.3.1-16.fc9.noarch
Mar 13 23:24:46 Updated: selinux-policy-targeted-3.3.1-16.fc9.noarch
Mar 13 23:24:51 Updated: selinux-policy-devel-3.3.1-16.fc9.noarch
Mar 13 23:31:17 selinux-policy-targeted: ts_done name in te is yum should be selinux-policy-targeted
Mar 13 23:31:17 rpm: ts_done name in te is selinux-policy-targeted should be rpm
Mar 13 23:31:20 selinux-policy-devel: ts_done name in te is totem-gstreamer should be selinux-policy-devel
Mar 13 23:31:49 xulrunner-debuginfo: ts_done name in te is selinux-policy-devel should be xulrunner-debuginfo
Mar 13 23:32:37 selinux-policy: ts_done name in te is mesa-libGL should be selinux-policy
Mar 13 23:32:49 pulseaudio-module-gconf: ts_done name in te is selinux-policy should be pulseaudio-module-gconf
The second system does have selinux-policy-targeted installed, and that's the one chosen in config. This is the system that is logged in unconfined.
You might need to relabel. Are you using a different login program?
Was logged in from gdm on both systems, AFTER a fresh autorelabel on both that I did yesterday. I'll try it again after I pull today's updates and autorelabel.
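The checks in the reply above (the SELINUXTYPE named in /etc/sysconfig/selinux, whether the selinux-policy-<type> package that provides that policy store is actually installed, and what id -Z reports for the session) are worth scripting so both machines get compared the same way after each update and relabel. The script below is an added example, not a script from the thread or from Fedora; the set of types it accepts as login domains is an assumption for the targeted policy, and only check_host touches the live system.

```shell
#!/bin/sh
# Added example for this thread, not a script from the list or from Fedora.
# It scripts the checks Andrew ran by hand: the SELINUXTYPE named in
# /etc/sysconfig/selinux, whether the selinux-policy-<type> package that
# provides that policy store is installed, and whether the login context from
# id -Z is in a domain a login should land in. Only check_host touches the
# live system; the three helpers work on text so they can be tested anywhere.

# Print the SELINUXTYPE value from config text on stdin (comment lines such as
# "# SELINUXTYPE= can take ..." start with '#' and are skipped).
selinux_type_from_config() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' | tail -n 1
}

# Given `rpm -qa` output on stdin (one package per line) and a policy type,
# print the matching selinux-policy-<type> package(s); exit 1 if none.
# selinux-policy and selinux-policy-devel do not satisfy "targeted".
policy_pkg_installed() {
    grep "^selinux-policy-$1-[0-9]"
}

# Assumption: the domains a targeted-policy login may legitimately land in.
# Exit 0 if the type field of a context such as user_u:system_r:bootloader_t:s0
# is one of them.
is_login_domain() {
    case "$(printf '%s' "$1" | cut -d: -f3)" in
        unconfined_t|user_t|staff_t|sysadm_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check, meant to be run on both machines and compared line by line.
check_host() {
    conf=/etc/sysconfig/selinux
    type=$(selinux_type_from_config < "$conf")
    echo "configured SELINUXTYPE: ${type:-<unset>}"
    if ! rpm -qa | policy_pkg_installed "$type"; then
        echo "MISSING: no selinux-policy-$type package, so the configured policy store is not provided"
    fi
    [ -d "/etc/selinux/$type/policy" ] || echo "MISSING: /etc/selinux/$type/policy"
    ctx=$(id -Z)
    echo "login context: $ctx"
    is_login_domain "$ctx" || echo "SUSPECT: interactive session in $(printf '%s' "$ctx" | cut -d: -f3)"
    echo "gdm processes:"
    ps -eZ | grep '[g]dm' || echo "(none running)"
}

if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it as sh selinux-check.sh --live on each machine; the three helpers take their input on stdin or as arguments, so they can be exercised with pasted output from a remote box as well.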
Andrew Farris wrote:
So the configured policy is not even installed... it was previously, so I'm not sure where it went.
The second system does have selinux-policy-targeted installed, and that's the one chosen in config. This is the system that is logged in unconfined.
Well, install selinux-policy-targeted on both machines.
Daniel J Walsh wrote:
Well, install selinux-policy-targeted on both machines.
I already had the policy installed on one machine; it was only uninstalled from the second.
I installed the targeted policy on the second machine, so both now have it. I rebooted and relabeled both. They both log in as bootloader_t when logging in from gdm.
On the other hand, if I use startx I get logged in with unconfined_t, but no gnome settings daemon connection.
Andrew Farris wrote:
They both log in as bootloader_t when logging in from gdm. On the other hand, if I use startx I get logged in with unconfined_t, but no gnome settings daemon connection.
Let me add that I am now seeing both systems behave the same way as above: gdm logins have context bootloader_t, and that remains through /bin/su - root, but startx logins have unconfined_t and remain unconfined through /bin/su - root.
Andrew Farris wrote:
Let me add that I am now seeing both systems behave the same way as above: gdm logins have context bootloader_t, and that remains through /bin/su - root, but startx logins have unconfined_t and remain unconfined through /bin/su - root.
The problem has resolved itself on one machine. I'm away from the other and cannot check yet, but I would expect that with the same updates it will be fixed as well. I've got selinux-policy-targeted-3.3.1-22 and gdm-2.21.10-0.2008.03.18.2 and am logged in with normal unconfined contexts.
Andrew Farris wrote:
They both log in as bootloader_t when logging in from gdm.
ps -eZ | grep gdm
selinux@lists.fedoraproject.org