0

Selinux problem what can I do?

asked 2018-03-09 15:45:10 -0600

carlos albervill

updated 2018-03-09 16:03:34 -0600

florian

SELinux está negando a unix_chkpwd de map el acceso a archivo /etc/ld.so.cache.

*****  El complemento restorecon (94.8 confidence)
sugiere********************

Si quiere corregir la etiqueta.
La etiqueta predeterminada de /etc/ld.so.cache debería ser
ld_so_cache_t.
Entoncespuede ejecutar restorecon. Es posible que no se haya permitido
el acceso por falta de permisos a un directorio superior, en cuyo caso
tendrá que modificar el siguiente comando.
Hacer
# /sbin/restorecon -v /etc/ld.so.cache

*****  El complemento catchall_labels (5.21 confidence)
sugiere***************

Si desea permitir que unix_chkpwd tenga map acceso al ld.so.cache file
Entoncesnecesita modificar la etiqueta en /etc/ld.so.cache
Hacer
# semanage fcontext -a -t FILE_TYPE '/etc/ld.so.cache'
donde FILE_TYPE es uno de los siguientes: chkpwd_exec_t,
file_context_t, fonts_cache_t, fonts_t, ld_so_cache_t, ld_so_t, lib_t,
locale_t, prelink_exec_t, shadow_t, sssd_public_t, system_db_t,
textrel_shlib_t. 
Luego ejecute: 
restorecon -v '/etc/ld.so.cache'


*****  El complemento catchall (1.44 confidence)
sugiere**********************

Si cree que de manera predeterminada se debería permitir a unix_chkpwd
el acceso map sobre  ld.so.cache file.     
Entoncesdebería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Hacer
permita el acceso temporalmente ejecutando:
# ausearch -c 'unix_chkpwd' --raw | audit2allow -M mi-unixchkpwd
# semodule -X 300 -i mi-unixchkpwd.pp

Información adicional:
Contexto de origen            system_u:system_r:chkpwd_t:s0-s0:c0.c1023
Contexto Destino              system_u:object_r:etc_t:s0
Objetos Destino               /etc/ld.so.cache [ file ]
Origen                        unix_chkpwd
Dirección de origen           unix_chkpwd
Puerto                        <Desconocido>
Nombre de Equipo              fedora27-localdomain
Paquetes RPM Fuentes          
Paquetes RPM Destinos         glibc-2.26-26.fc27.x86_64 glibc-2.26-
26.fc27.i686
RPM de Políticas              selinux-policy-3.13.1-283.26.fc27.noarch
SELinux activado              True
Tipo de política              targeted
Modo impositivo               Enforcing
Nombre de equipo              fedora27-localdomain
Plataforma                    Linux fedora27-localdomain 4.15.6-
300.fc27.x86_64
                              #1 SMP Mon Feb 26 18:43:03 UTC 2018
x86_64 x86_64
Cantidad de alertas           26
Visto por primera vez         2018-03-08 08:56:49 CET
Visto por última vez          2018-03-09 21:28:14 CET
ID local                      b7519eb3-2bbf-4dd0-8912-9ab984cd60e7

Mensajes raw de aviso
type=AVC msg=audit(1520627294.253:320): avc:  denied  { map }
for  pid=3890 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0"
ino=395404 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0


Hash: unix_chkpwd,chkpwd_t,etc_t,file,map

Comments

Is there a way to switch this to English?

toddandmargo ( 2018-03-09 17:50:46 -0600 )

A bug report is currently being worked on.

bbo ( 2018-03-12 04:04:51 -0600 )

4 Answers

0

answered 2018-03-10 18:33:22 -0600

Here is the same thing in English. I had several of these messages today.

SELinux is preventing restorecon from map access on the file /etc/ld.so.cache.

Plugin restorecon (94.8 confidence) suggests *******

If you want to fix the label. /etc/ld.so.cache default label should be ld_so_cache_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.

Do # /sbin/restorecon -v /etc/ld.so.cache

Plugin catchall_labels (5.21 confidence) suggests ******

If you want to allow restorecon to have map access on the ld.so.cache file Then you need to change the label on /etc/ld.so.cache

Do # semanage fcontext -a -t FILE_TYPE '/etc/ld.so.cache' where FILE_TYPE is one of the following: file_context_t, fonts_cache_t, fonts_t, initrc_exec_t, ld_so_cache_t, ld_so_t, lib_t, locale_t, prelink_exec_t, setfiles_exec_t, textrel_shlib_t.

Then execute: restorecon -v '/etc/ld.so.cache'

Plugin catchall (1.44 confidence) suggests *******

If you believe that restorecon should be allowed map access on the ld.so.cache file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:

# ausearch -c 'restorecon' --raw | audit2allow -M my-restorecon

# semodule -X 300 -i my-restorecon.pp

Additional Information:

Source Context system_u:system_r:setfiles_t:s0-s0:c0.c1023

Target Context system_u:object_r:etc_t:s0

Target Objects /etc/ld.so.cache [ file ]

Source restorecon

Source Path restorecon

Port <unknown>

Host localhost.localdomain

Source RPM Packages

Target RPM Packages glibc-2.26-26.fc27.x86_64 glibc-2.26-26.fc27.i686

Policy RPM selinux-policy-3.13.1-283.26.fc27.noarch

Selinux Enabled True

Policy Type targeted

Enforcing Mode Enforcing

Host Name localhost.localdomain

Platform Linux localhost.localdomain 4.15.6-300.fc27.x86_64 #1 SMP Mon Feb 26 18:43:03 UTC 2018 x86_64 x86_64

Alert Count 1

First Seen 2018-03-10 15:34:48 PST

Last Seen 2018-03-10 15:34:48 PST

Local ID 1cc8cd34-1ec9-43de-b088-da268ac85471

Raw Audit Messages type=AVC msg=audit(1520724888.757:319): avc: denied { map } for pid=7825 comm="restorecon" path="/etc/ld.so.cache" dev="sdb3" ino=4458754 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

Hash: restorecon,setfiles_t,etc_t,file,map

0

answered 2018-03-09 20:13:39 -0600

fcomida

Run the command /sbin/restorecon -v /etc/ld.so.cache as explained in the sealert report. Investigate the cause that led to the change in the file's label.

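The triage behind the sealert advice, as an added example that is not part of the original thread: it parses the raw AVC record from the question, rebuilds the report's Hash line, and classifies the denial as a labeling problem because the target type (etc_t) differs from the default the report names (ld_so_cache_t). The function names and the EXPECTED table are assumptions made for this example, and the field order of the hash is taken from the Hash lines on this page.

```python
import re

# Raw AVC record from the question, joined onto one line.
RAW = ('type=AVC msg=audit(1520627294.253:320): avc:  denied  { map } '
       'for  pid=3890 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" '
       'ino=395404 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0')

# Assumption: expected default type, copied from the sealert report above.
# On a live system `matchpathcon /etc/ld.so.cache` is the authoritative source.
EXPECTED = {"/etc/ld.so.cache": "ld_so_cache_t"}

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return the fields of one AVC record, or None if it is not usable."""
    head = AVC_RE.search(record)
    if head is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record[head.end():])}
    if not {"scontext", "tcontext"} <= fields.keys():
        return None
    fields["verdict"] = head.group("verdict")
    fields["perms"] = head.group("perms").split()
    # A context is user:role:type:level; only the level may hold more colons.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def alert_hash(avc):
    """Rebuild the report's 'Hash:' line: comm,stype,ttype,class,perms."""
    return ",".join([avc["comm"], avc["stype"], avc["ttype"],
                     avc["tclass"], *avc["perms"]])


def triage(avc, expected=EXPECTED):
    """Classify a denial as a mislabeled target or a policy question."""
    want = expected.get(avc.get("path"))
    if want and want != avc["ttype"]:
        # -n makes restorecon report the relabel without applying it.
        return ("mislabeled", f"restorecon -n -v {avc['path']}")
    return ("policy", None)
```

A "mislabeled" result corresponds to the restorecon plugin's suggestion in the report; a "policy" result is the case where the label is already the default and the denial belongs in a bug report.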
-2

answered 2018-03-09 19:38:50 -0600

Ivan Augusto

The definitive (and controversial) solution: simply disable it. Edit /etc/selinux/config and set "SELINUX" to "disabled".

SELINUX=disabled

Then reboot your device and you will be ready to go.


Comments

2

The solution is right there written in the sealert report.

fcomida ( 2018-03-09 20:18:51 -0600 )
