View Issue Details

IDProjectCategoryView StatusLast Update
0017707CentOS-7selinux-policypublic2020-09-02 07:52
ReporterYvesBellefeuille 
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionno change required 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0017707: SELinux is preventing /usr/bin/rm from 'unlink' accesses on the fichier /etc/prelink.cache.
DescriptionDescription of problem:
SELinux is preventing /usr/bin/rm from 'unlink' accesses on the fichier /etc/prelink.cache.

***** Plugin restorecon (94.8 confidence) suggests ************************

Si vous souhaitez corriger l'étiquette.
L'étiquette par défaut de /etc/prelink.cache devrait être prelink_cache_t.
Then vous pouvez lancer restorecon. La tentative d’accès pourrait avoir été stoppée due à des permissions insuffisantes d’accès au dossier parent, auquel cas essayez de changer la commande suivante en conséquence.
Do
# /sbin/restorecon -v /etc/prelink.cache

***** Plugin catchall_labels (5.21 confidence) suggests *******************

Si vous souhaitez autoriser rm à accéder à unlink sur prelink.cache file
Then l'étiquette sur /etc/prelink.cache doit être modifiée.
Do
# semanage fcontext -a -t FILE_TYPE '/etc/prelink.cache'
où FILE_TYPE est l'une des valeurs suivantes : prelink_cache_t, prelink_log_t, prelink_var_lib_t, systemd_passwd_var_run_t.
Puis exécutez :
restorecon -v '/etc/prelink.cache'


***** Plugin catchall (1.44 confidence) suggests **************************

Si vous pensez que rm devrait être autorisé à accéder unlink sur prelink.cache file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# ausearch -c "rm" --raw | audit2allow -M my-rm
# semodule -X 300 -i my-rm.pp

Additional Information:
Source Context system_u:system_r:prelink_cron_system_t:s0-s0:c0.c
                              1023
Target Context unconfined_u:object_r:etc_t:s0
Target Objects /etc/prelink.cache [ file ]
Source rm
Source Path /usr/bin/rm
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-1127.18.2.el7.x86_64 #1 SMP
                              Sun Jul 26 15:27:06 UTC 2020 x86_64 x86_64
Alert Count 2
First Seen 2020-08-25 03:50:24 EDT
Last Seen 2020-09-01 20:32:12 EDT
Local ID 1ead3f68-2bb4-4139-b7b6-00c711f5b202

Raw Audit Messages
type=AVC msg=audit(1599006732.147:272): avc: denied { unlink } for pid=10047 comm="rm" name="prelink.cache" dev="sda4" ino=1308734 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0


Hash: rm,prelink_cron_system_t,etc_t,file,unlink

Version-Release number of selected component:
selinux-policy-3.13.1-266.el7_8.1.noarch
Additional Informationreporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1127.18.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.
abrt_hasha1eb7ac95f9934360795b166127d50a8ebbf7ebaf8b19c063b890e119e630d66
URL

Activities

YvesBellefeuille

YvesBellefeuille

2020-09-02 00:49

reporter   ~0037616

I'm guessing I'm the first to notice this bug because nobody uses prelink anymore.
ManuelWolfshant

ManuelWolfshant

2020-09-02 02:09

manager   ~0037617

I'm guessing your system is labeled incorrectly. Can you please do a restorecon -Rv /etc or, preferably touch /.autorelabel && reboot ?
YvesBellefeuille

YvesBellefeuille

2020-09-02 02:53

reporter   ~0037618

I've already done semanage fcontext -a -t prelink_cache_t '/etc/prelink.cache' as suggested. Do you still want me to do touch /.autorelabel && reboot?
ManuelWolfshant

ManuelWolfshant

2020-09-02 07:52

manager   ~0037621

I have asked you to relabel the entire system because I knew for sure that the label for the prelink cache was incorrect. The default selinux policy already includes this, even in CentOS 6:

[wolfy@wolfy ~]$ sudo semanage fcontext -l|grep etc\.prelink
/etc/prelink\.cache regular file system_u:object_r:prelink_cache_t:s0

Which , incidentally, is exactly what you added. So either your system uses an incorrect policy which misses this rule ( which I strongly doubt ) or somehow that file was labeled incorrectly and a simple restorecon as suggested both by the error message and by me would have solved the problem. I suggested a full system restorecon only because other files might be labeled incorrectly as well. It is up to you to evaluate if you need this or not.

Issue History

Date Modified Username Field Change
2020-09-02 00:45 YvesBellefeuille New Issue
2020-09-02 00:49 YvesBellefeuille Note Added: 0037616
2020-09-02 02:09 ManuelWolfshant Note Added: 0037617
2020-09-02 02:53 YvesBellefeuille Note Added: 0037618
2020-09-02 07:52 ManuelWolfshant Note Added: 0037621
2020-09-02 07:52 ManuelWolfshant Status new => closed
2020-09-02 07:52 ManuelWolfshant Resolution open => no change required