View Issue Details

ID: 0013650
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2018-02-28 07:39
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
OS Version: 7
Summary: 0013650: SELinux is preventing clh from 'execute' accesses on the file /SYSV0000d2f0 (deleted).
Description:
Description of problem:
I did not mv files from /tmp to another place.
And I don't know the 'SYSV0000d2f0' file.

I want to use shared memory (shmget, shmat system calls) with multiple processes in a docker container.
But shmat() fails with an error (permission denied).

After the commands below, shmat() succeeded.
# ausearch -c 'clh' --raw | audit2allow -M my-clh
# semodule -i my-clh.pp

Please help me.

SELinux is preventing clh from 'execute' accesses on the file /SYSV0000d2f0 (deleted).

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
The default label of /SYSV0000d2f0 (deleted) should be etc_runtime_t.
Then you can run restorecon.
# /sbin/restorecon -v /SYSV0000d2f0 (deleted)

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that clh should be allowed execute access on the SYSV0000d2f0 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'clh' --raw | audit2allow -M my-clh
# semodule -i my-clh.pp

Additional Information:
Source Context system_u:system_r:svirt_lxc_net_t:s0:c180,c600
Target Context system_u:object_r:tmpfs_t:s0
Target Objects /SYSV0000d2f0 (deleted) [ file ]
Source clh
Source Path clh
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24 UTC 2017 x86_64 x86_64
Alert Count 8
First Seen 2017-08-07 20:32:10 KST
Last Seen 2017-08-09 17:32:04 KST
Local ID 94aaeebd-2c4b-4a46-bd5a-9ec78b7dd892

Raw Audit Messages
type=AVC msg=audit(1502267524.14:4604): avc: denied { execute } for pid=17007 comm="hth" path=2F535953563030303064326630202864656C6574656429 dev="tmpfs" ino=2097152 scontext=system_u:system_r:svirt_lxc_net_t:s0:c180,c600 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

type=SYSCALL msg=audit(1502267524.14:4604): arch=x86_64 syscall=shmat per=400000 success=no exit=EACCES a0=200000 a1=0 a2=0 a3=7ffe9bcfb920 items=0 ppid=17004 pid=17007 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4294967295 comm=hth exe=/root/webtob/bin/hth subj=system_u:system_r:svirt_lxc_net_t:s0:c180,c600 key=(null)

Hash: clh,svirt_lxc_net_t,tmpfs_t,file,execute

Version-Release number of selected component:
Additional Information:
reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-514.16.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.

2017-08-11 01:17

reporter   ~0029849

[The contents of my-clh.te]

module my-clh 1.0;

require {
    type tmpfs_t;
    type svirt_lxc_net_t;
    class file execute;
}

#============= svirt_lxc_net_t ==============
# lets every process in the container domain execute any file labelled tmpfs_t
allow svirt_lxc_net_t tmpfs_t:file execute;


2017-08-11 08:57

reporter   ~0029854

audit log:
type=SYSCALL msg=audit(1502179428.382:2250): arch=c000003e syscall=30 per=400000 success=no exit=-13 a0=1b0000 a1=0 a2=0 a3=7ffe27a5c4c0 items=0 ppid=25882 pid=25885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4294967295 comm="clh" exe="/root/tmax/bin/clh" subj=system_u:system_r:svirt_lxc_net_t:s0:c180,c600 key=(null)
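Added example, not part of this report or of the selinux-policy project: a small Python decoder for the two audit record types quoted above. It hex-decodes the path= field (auditd encodes a value whenever it contains a space, which the " (deleted)" suffix does), recovers the SysV key from the SYSV%08x file name the kernel gives a segment on tmpfs, maps syscall=30 on x86_64 to shmat and exit=-13 to EACCES, and decodes per=400000, which is the READ_IMPLIES_EXEC personality bit. That bit is what turns a plain read/write shmat() (a2=0, so no SHM_EXEC was requested) into a file:execute check: the kernel adds PROT_EXEC to readable mappings for such a process. The two sample records are copied verbatim from the report; everything else is the example's own code.

```python
import re

# Added example, not from the bug report: decode the audit records quoted in
# the report and pull out the facts that explain the denial.

# Two records copied from this report (separate events that share the same
# setroubleshoot hash clh,svirt_lxc_net_t,tmpfs_t,file,execute).
AVC_LINE = ('type=AVC msg=audit(1502267524.14:4604): avc: denied { execute } for '
            'pid=17007 comm="hth" path=2F535953563030303064326630202864656C6574656429 '
            'dev="tmpfs" ino=2097152 scontext=system_u:system_r:svirt_lxc_net_t:s0:c180,c600 '
            'tcontext=system_u:object_r:tmpfs_t:s0 tclass=file')
SYSCALL_LINE = ('type=SYSCALL msg=audit(1502179428.382:2250): arch=c000003e syscall=30 '
                'per=400000 success=no exit=-13 a0=1b0000 a1=0 a2=0 a3=7ffe27a5c4c0 items=0 '
                'ppid=25882 pid=25885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
                'egid=0 sgid=0 fsgid=0 tty=pts3 ses=4294967295 comm="clh" '
                'exe="/root/tmax/bin/clh" subj=system_u:system_r:svirt_lxc_net_t:s0:c180,c600 '
                'key=(null)')

# x86_64 numbers of the SysV shared-memory syscalls (kernel syscall_64.tbl).
X86_64_SYSCALLS = {29: "shmget", 30: "shmat", 31: "shmctl"}
# Personality bits from <linux/personality.h>; the per= field is printed in hex.
PERSONALITY_FLAGS = {0x0040000: "ADDR_NO_RANDOMIZE", 0x0400000: "READ_IMPLIES_EXEC"}
ERRNO_NAMES = {1: "EPERM", 13: "EACCES"}
# Fields auditd hex-encodes when the value holds a space, quote or control byte.
HEX_ENCODED_FIELDS = {"path", "name", "comm", "exe", "proctitle"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_value(key, raw):
    """Strip quotes; hex-decode unquoted values of fields auditd may encode."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in HEX_ENCODED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """One audit record -> dict of fields; AVC permissions land under 'perms'."""
    rec = {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}
    perms = re.search(r"\{ ([^}]*) \}", line)
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec


def shm_key_from_path(path):
    """The kernel names a SysV segment's tmpfs file 'SYSV%08x' after its key."""
    m = re.match(r"/SYSV([0-9a-fA-F]{8})", path or "")
    return int(m.group(1), 16) if m else None


def syscall_name(rec):
    raw = rec.get("syscall", "")
    return X86_64_SYSCALLS.get(int(raw), raw) if raw.isdigit() else raw


def errno_name(rec):
    raw = rec.get("exit", "")
    return ERRNO_NAMES.get(abs(int(raw)), raw) if raw.lstrip("-").isdigit() else raw


def personality_flags(rec):
    value = int(rec.get("per", "0"), 16)
    return [name for bit, name in PERSONALITY_FLAGS.items() if value & bit]


def summarize(avc_line, syscall_line):
    """Join the facts from an AVC record and its SYSCALL record."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    return {
        "denied": " ".join(avc.get("perms", [])),
        "tclass": avc.get("tclass"),
        "source_type": avc.get("scontext", "::?").split(":")[2],
        "target_type": avc.get("tcontext", "::?").split(":")[2],
        "path": avc.get("path"),
        "shm_key": shm_key_from_path(avc.get("path")),
        "syscall": syscall_name(sc),
        "shmflg": int(sc.get("a2", "0"), 16),  # third shmat() argument
        "errno": errno_name(sc),
        "personality": personality_flags(sc),
    }


def hint(summary):
    """Why a plain shmat() with shmflg=0 ends up in a file:execute check."""
    if (summary["denied"] == "execute" and summary["syscall"] == "shmat"
            and summary["shmflg"] == 0 and "READ_IMPLIES_EXEC" in summary["personality"]):
        return ("shmat() asked for a read/write mapping; the READ_IMPLIES_EXEC "
                "personality made the kernel add PROT_EXEC, hence file:execute")
    return None


if __name__ == "__main__":
    s = summarize(AVC_LINE, SYSCALL_LINE)
    for k, v in s.items():
        print(f"{k:12} {v}")
    print(hint(s))
```

Running it on the records from this report prints the decoded path /SYSV0000d2f0 (deleted), key 54000, syscall shmat, errno EACCES and personality READ_IMPLIES_EXEC. For a defender the point of the decode is scope: the audit2allow module in the first note grants file:execute on every tmpfs_t file to the whole svirt_lxc_net_t domain, i.e. to every container, whereas the record shows the execute requirement came from the process's personality rather than from anything the program asked for.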


2018-02-28 07:39

reporter   ~0031336

[Solved] use docker-1.12.6-71 instead of docker-1.12.6-32 (this version does not seem stable..)

Issue History

Date Modified Username Field Change
2017-08-09 12:10 younghwi_jang New Issue
2017-08-11 01:17 younghwi_jang Note Added: 0029849
2017-08-11 08:57 younghwi_jang Note Added: 0029854
2018-02-28 07:39 younghwi_jang Note Added: 0031336