View Issue Details

ID: 0010628
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2016-03-31 12:42
Reporter: lrineau
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.2.1511
Summary: 0010628: [SELinux AVC Alert] SELinux is preventing /usr/bin/id from mounton access on the directory /proc.
Description: Every day, a test script of mine launches new containers, and every day, since 2016/03/22, I receive the mail below.

On 2016/03/21, I rebooted into the kernel 3.10.0-327.10.1.el7.x86_64, after an upgrade. That must be related.

Now the mail:
=============== quote =================
From: SELinux_Troubleshoot@example.com
To: laurent@example.com, sebastien@example.com
Date: 2016/03/22 Tue 15:32
SELinux is preventing /usr/bin/id from mounton access on the directory /proc.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that id should be allowed mounton access on the proc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep id /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:svirt_lxc_net_t:s0:c121,c379
Target Context system_u:object_r:proc_t:s0
Target Objects /proc [ dir ]
Source id
Source Path /usr/bin/id
Port <Unknown>
Host cgal.geometryfactory.com
Source RPM Packages coreutils-8.22-15.el7_2.1.x86_64
Target RPM Packages filesystem-3.2-20.el7.x86_64
Policy RPM selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name cgal.geometryfactory.com
Platform Linux cgal.geometryfactory.com 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-03-22 15:31:58 CET
Last Seen 2016-03-22 15:31:58 CET
Local ID 93da552e-6673-4857-809a-433607c3a00e

Raw Audit Messages
type=AVC msg=audit(1458657118.393:90225): avc: denied { mounton } for pid=5174 comm="id" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c121,c379 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=SYSCALL msg=audit(1458657118.393:90225): arch=x86_64 syscall=mount success=no exit=EACCES a0=7f17b7535c86 a1=7f17b7535c85 a2=7f17b7535c86 a3=0 items=0 ppid=5173 pid=5174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=id exe=/usr/bin/id subj=system_u:system_r:svirt_lxc_net_t:s0:c121,c379 key=(null)

Hash: id,svirt_lxc_net_t,proc_t,dir,mounton
============end of quote =================
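The AVC record quoted above carries the source type, target type, object class and permission that setroubleshoot condenses into its `Hash:` line and that `audit2allow` turns into an allow rule. The following Python is an added example (not part of this report, nor of setroubleshoot or audit2allow) that parses a raw `type=AVC` record, rebuilds that signature and the rule `audit2allow -M mypol` would produce from it, and flags that the source domain `svirt_lxc_net_t` is a container domain: type-enforcement rules are keyed on the type, so a local module allowing `mounton` on `proc_t` would apply to every container labelled with that type, not only the one carrying categories `c121,c379`. The `CONTAINER_DOMAINS` set and the wording returned by `triage` are assumptions of the example; the sample records are constructed test input (the first is the one from the report).

```python
"""Parse raw SELinux AVC audit records and derive the setroubleshoot-style
signature plus the allow rule audit2allow would generate.

Added example; not code from the bug report, setroubleshoot or audit2allow.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed test input: the AVC record quoted in the report above, and a
# second, invented record with two permissions to show the multi-permission form.
SAMPLE_AVC = (
    'type=AVC msg=audit(1458657118.393:90225): avc: denied { mounton } for '
    'pid=5174 comm="id" path="/proc" dev="proc" ino=1 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c121,c379 '
    'tcontext=system_u:object_r:proc_t:s0 tclass=dir'
)
SAMPLE_AVC_MULTI = (
    'type=AVC msg=audit(1458657200.000:90300): avc: denied { read write } for '
    'pid=6001 comm="httpd" name="error_log" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_log_t:s0 tclass=file'
)

# Assumption of this example: source types used for processes inside containers.
# svirt_lxc_net_t is the one appearing in the report; extend locally as needed.
CONTAINER_DOMAINS = {"svirt_lxc_net_t"}

_PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values are either double-quoted or a run of non-space chars
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class AvcRecord:
    result: str                 # "denied" or "granted"
    permissions: List[str]      # contents of the { ... } braces
    fields: Dict[str, str]      # pid, comm, path, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        # a context is user:role:type[:range]; the type is the third component
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def source_range(self) -> str:
        # MLS/MCS range, e.g. "s0:c121,c379"; empty if the context has none
        parts = self.fields["scontext"].split(":", 3)
        return parts[3] if len(parts) == 4 else ""

    def signature(self) -> str:
        """Same shape as the 'Hash:' line setroubleshoot puts in its report."""
        return ",".join([self.fields["comm"], self.source_type, self.target_type,
                         self.fields["tclass"], *self.permissions])

    def allow_rule(self) -> str:
        """The TE rule audit2allow would emit for this denial."""
        perms = (self.permissions[0] if len(self.permissions) == 1
                 else "{ " + " ".join(self.permissions) + " }")
        return (f"allow {self.source_type} {self.target_type}:"
                f"{self.fields['tclass']} {perms};")

    def is_container_domain(self) -> bool:
        return self.source_type in CONTAINER_DOMAINS


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for a type=AVC line, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m = _PERMS_RE.search(line)
    if m is None:
        return None
    result, perms = m.group(1), m.group(2).split()
    fields: Dict[str, str] = {}
    # only scan after the closing brace so msg=audit(...) is not picked up
    for key, raw, quoted in _KV_RE.findall(line[m.end():]):
        fields[key] = quoted if raw.startswith('"') else raw
    if any(k not in fields for k in ("scontext", "tcontext", "tclass", "comm")):
        return None
    return AvcRecord(result, perms, fields)


def triage(rec: AvcRecord) -> str:
    """Advice a reviewer would want before loading audit2allow output."""
    if rec.is_container_domain():
        return (f"container domain: '{rec.allow_rule()}' would apply to every "
                f"process labelled {rec.source_type}, not only the container "
                f"with range {rec.source_range}; report rather than allow")
    return f"review and, if the access is legitimate, load: {rec.allow_rule()}"


if __name__ == "__main__":
    for line in (SAMPLE_AVC, SAMPLE_AVC_MULTI):
        rec = parse_avc(line)
        print(rec.signature(), "->", triage(rec))
```

The signature for the report's record comes out as `id,svirt_lxc_net_t,proc_t,dir,mounton`, matching the `Hash:` line in the mail, and the derived rule is `allow svirt_lxc_net_t proc_t:dir mounton;`, which is what the suggested `audit2allow -M mypol` step would write into `mypol.te`.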

Activities

lrineau (reporter), 2016-03-29 13:14, note ~0026161:

Oops. Can an admin modify my first message, and obfuscate the `From:` and `To:` fields of the mail I quoted?

user430, 2016-03-29 13:21, note ~0026162:

Done.

lrineau (reporter), 2016-03-31 12:42, note ~0026181:

I have also reported this bug to https://bugzilla.redhat.com/show_bug.cgi?id=1322845

Issue History

Date Modified Username Field Change
2016-03-29 13:11 lrineau New Issue
2016-03-29 13:14 lrineau Note Added: 0026161
2016-03-29 13:21 user430 Description Updated
2016-03-29 13:21 user430 Note Added: 0026162
2016-03-31 12:42 lrineau Note Added: 0026181