James B. Byrne
2011-Dec-20 14:44 UTC
[CentOS] SELinux is preventing /usr/bin/chcon "mac_admin" access
CentOS-6.1 KVM guest on CentOS-6.1 host.

I am seeing this SEAlert in the /var/log/audit/audit.log file on a new guest immediately after startup. Can someone tell me what it means and what I should do about it? A Google search reveals a number of Fedora issues with similar errors dating back a few years; most of which seem to have something to do with package ownership.

This guest starts without activating any Ethernet i/f if that has any bearing on the matter.

# sealert -a /var/log/audit/audit.log | more
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------

Summary:

SELinux is preventing /usr/bin/chcon "mac_admin" access .

Detailed Description:

SELinux denied access requested by chcon. It is not expected that this access is required by chcon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:initrc_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                None [ capability2 ]
Source                        chcon
Source Path                   /usr/bin/chcon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           coreutils-8.4-13.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-93.el6_1.7
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     pas-redmine.hamilton.harte-lyne.ca
Platform                      Linux pas-redmine.hamilton.harte-lyne.ca 2.6.32-131.21.1.el6.x86_64 #1 SMP Tue Nov 22 19:48:09 GMT 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Dec 20 09:16:12 2011
Last Seen                     Tue Dec 20 09:16:12 2011
Local ID                      6a24c9e4-3fb9-4524-ae04-a0cf0b31cce4
Line Numbers                  10, 11

Raw Audit Messages

type=AVC msg=audit(1324390572.917:12): avc: denied { mac_admin } for pid=1443 comm="chcon" capability=33 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=capability2

type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e syscall=188 success=no exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580 a3=20 items=0 ppid=1442 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chcon" exe="/usr/bin/chcon" subj=system_u:system_r:initrc_t:s0 key=(null)

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Daniel J Walsh
2011-Dec-20 14:49 UTC
[CentOS] SELinux is preventing /usr/bin/chcon "mac_admin" access
On 12/20/2011 02:44 PM, James B. Byrne wrote:
> CentOS-6.1 KVM guest on CentOS-6.1 host.
>
> I am seeing this SEAlert in the /var/log/audit/audit.log file on a new
> guest immediately after startup. Can someone tell me what it means
> and what I should do about it? A Google search reveals a number of
> Fedora issues with similar errors dating back a few years; most of
> which seem to have something to do with package ownership.
>
> This guest starts without activating any Ethernet i/f if that has
> any bearing on the matter.
>
> # sealert -a /var/log/audit/audit.log | more
> found 1 alerts in /var/log/audit/audit.log
> --------------------------------------------------------
>
> Summary:
>
> SELinux is preventing /usr/bin/chcon "mac_admin" access .
>
> Detailed Description:
>
> SELinux denied access requested by chcon. It is not expected that
> this access is required by chcon and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require
> additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see
> FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
> Please file a bug report.
>
> Additional Information:
>
> Source Context                system_u:system_r:initrc_t:s0
> Target Context                system_u:system_r:initrc_t:s0
> Target Objects                None [ capability2 ]
> Source                        chcon
> Source Path                   /usr/bin/chcon
> Port                          <Unknown>
> Host                          <Unknown>
> Source RPM Packages           coreutils-8.4-13.el6
> Target RPM Packages
> Policy RPM                    selinux-policy-3.7.19-93.el6_1.7
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     pas-redmine.hamilton.harte-lyne.ca
> Platform                      Linux pas-redmine.hamilton.harte-lyne.ca
>                               2.6.32-131.21.1.el6.x86_64 #1 SMP Tue Nov 22 19:48:09 GMT 2011
>                               x86_64 x86_64
> Alert Count                   1
> First Seen                    Tue Dec 20 09:16:12 2011
> Last Seen                     Tue Dec 20 09:16:12 2011
> Local ID                      6a24c9e4-3fb9-4524-ae04-a0cf0b31cce4
> Line Numbers                  10, 11
>
> Raw Audit Messages
>
> type=AVC msg=audit(1324390572.917:12): avc: denied { mac_admin }
> for pid=1443 comm="chcon" capability=33
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=capability2
>
> type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e
> syscall=188 success=no exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580
> a3=20 items=0 ppid=1442 pid=1443 auid=4294967295 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="chcon" exe="/usr/bin/chcon"
> subj=system_u:system_r:initrc_t:s0 key=(null)
>

This means somebody is executing a chcon with a context that the kernel does not understand. I would look for a chcon in an init script.
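
Added example, not part of the thread: a small parser that pairs the AVC and SYSCALL records of the quoted event and decodes the numeric fields, showing why a mac_admin denial together with setxattr returning EINVAL points at a label the loaded policy does not know. The log lines are copied from the post with the wrapped tcontext rejoined; the function names and the lookup tables, which cover only the values relevant to this event, are this example's own.

```python
import re

# Lookup tables limited to the values relevant to this event (x86_64 only).
SYSCALLS_X86_64 = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"}
CAPABILITIES = {32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN"}
ERRNOS = {-22: "EINVAL", -13: "EACCES", -1: "EPERM"}

# The two records from the post, with the wrapped tcontext rejoined.
SAMPLE = '''\
type=AVC msg=audit(1324390572.917:12): avc: denied { mac_admin } for pid=1443 comm="chcon" capability=33 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=capability2
type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e syscall=188 success=no exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580 a3=20 items=0 ppid=1442 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chcon" exe="/usr/bin/chcon" subj=system_u:system_r:initrc_t:s0 key=(null)
'''

HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')

def parse_events(text):
    """Group audit records by (timestamp, serial) into {record type: fields}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, stamp, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        p = PERMS.search(line)
        if p:
            fields["perms"] = p.group(1).split()
        events.setdefault((stamp, serial), {})[rtype] = fields
    return events

def diagnose(event):
    """Explain a mac_admin denial using the SYSCALL record of the same event."""
    avc, sc = event.get("AVC", {}), event.get("SYSCALL", {})
    if "mac_admin" not in avc.get("perms", []) or avc.get("tclass") != "capability2":
        return None
    x86_64 = sc.get("arch") == "c000003e"  # syscall numbers are per-architecture
    call = SYSCALLS_X86_64.get(int(sc.get("syscall", -1)), "unknown") if x86_64 else "unknown"
    err = ERRNOS.get(int(sc.get("exit", 0)), sc.get("exit"))
    cap = CAPABILITIES.get(int(avc.get("capability", -1)), "unknown")
    # The kernel only checks CAP_MAC_ADMIN when the label being written is not
    # valid in the loaded policy; without it the xattr write fails with EINVAL.
    invalid_label = call.endswith("setxattr") and err == "EINVAL"
    return {"comm": avc.get("comm"), "ppid": sc.get("ppid"), "capability": cap,
            "syscall": call, "errno": err, "invalid_label": invalid_label}

if __name__ == "__main__":
    for key, ev in parse_events(SAMPLE).items():
        print(key, diagnose(ev))
```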