FAQ
CentOS-6.1 KVM guest on CentOS-6.1 host.

I am seeing this SEAlert in the /var/log/audit/audit.log
file of a new guest immediately after startup. Can someone
tell me what it means and what I should do about it? A
Google search reveals a number of Fedora issues with
similar errors dating back a few years, most of which seem
to have something to do with package ownership.

This guest starts without activating any Ethernet i/f if
that has any bearing on the matter.

# sealert -a /var/log/audit/audit.log | more
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------


Summary:

SELinux is preventing /usr/bin/chcon "mac_admin" access .

Detailed Description:

SELinux denied access requested by chcon. It is not
expected that this access is required by chcon and this
access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this
access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
Please file a bug report.

Additional Information:

Source Context                system_u:system_r:initrc_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                None [ capability2 ]
Source                        chcon
Source Path                   /usr/bin/chcon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           coreutils-8.4-13.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-93.el6_1.7
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     pas-redmine.hamilton.harte-lyne.ca
Platform                      Linux pas-redmine.hamilton.harte-lyne.ca 2.6.32-131.21.1.el6.x86_64 #1 SMP Tue Nov 22 19:48:09 GMT 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Dec 20 09:16:12 2011
Last Seen                     Tue Dec 20 09:16:12 2011
Local ID                      6a24c9e4-3fb9-4524-ae04-a0cf0b31cce4
Line Numbers                  10, 11

Raw Audit Messages

type=AVC msg=audit(1324390572.917:12): avc: denied { mac_admin } for pid43 comm="chcon" capability=33 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=capability2

type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e syscall=188 success=no exit=-22 a0=d281c0 a102f81e8259 a2=d29580 a3 items=0 ppid42 pid43 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chcon" exe="/usr/bin/chcon" subj=system_u:system_r:initrc_t:s0 key=(null)

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
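The two raw audit records above already carry the whole diagnosis once their numeric fields are decoded: capability 33 is CAP_MAC_ADMIN, which SELinux checks under the class capability2 (bits 32 and up) when a process tries to set a file label the loaded policy does not define; syscall 188 on x86_64 is setxattr, which is what chcon calls; and exit=-22 is EINVAL, the error a caller gets for such a label. The script below is an added example, not part of the thread: a POSIX shell triage that joins the AVC record to its SYSCALL record on the audit id and spells those fields out. The two records are constructed from the post's output; the pid, ppid and argument values are made up where the archive had mangled them, and the lookup tables are trimmed to the entries relevant here.

```shell
#!/bin/sh
# Added example, not from the thread: decode the AVC + SYSCALL pair that
# sealert printed so the fields that matter for triage are spelled out.
# Both records are constructed, modelled on the post; the pid, ppid and
# argument values are made up where the archive had mangled them.

AVC_RECORD='type=AVC msg=audit(1324390572.917:12): avc: denied { mac_admin } for pid=1243 comm="chcon" capability=33 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=capability2'
SYSCALL_RECORD='type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e syscall=188 success=no exit=-22 a0=d281c0 a1=7f02f81e8259 a2=d29580 a3=1c items=0 ppid=1242 pid=1243 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chcon" exe="/usr/bin/chcon" subj=system_u:system_r:initrc_t:s0 key=(null)'

# field RECORD KEY: print the value of the first KEY=value token, quotes stripped.
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# Capability bit numbers from linux/capability.h. Bits 0-31 are checked under
# the SELinux class "capability", bits 32 and up under "capability2", which is
# why this AVC reports tclass=capability2 for mac_admin.
cap_name() {
    case "$1" in
        0)  printf 'CAP_CHOWN\n' ;;
        1)  printf 'CAP_DAC_OVERRIDE\n' ;;
        2)  printf 'CAP_DAC_READ_SEARCH\n' ;;
        3)  printf 'CAP_FOWNER\n' ;;
        21) printf 'CAP_SYS_ADMIN\n' ;;
        32) printf 'CAP_MAC_OVERRIDE\n' ;;
        33) printf 'CAP_MAC_ADMIN\n' ;;
        *)  printf 'CAP_%s\n' "$1" ;;
    esac
}

# x86_64 syscall numbers for the xattr family (arch=c000003e is AUDIT_ARCH_X86_64).
syscall_name() {
    case "$1" in
        188) printf 'setxattr\n' ;;
        189) printf 'lsetxattr\n' ;;
        190) printf 'fsetxattr\n' ;;
        191) printf 'getxattr\n' ;;
        197) printf 'removexattr\n' ;;
        *)   printf 'syscall_%s\n' "$1" ;;
    esac
}

# exit=-N is the negated errno the kernel handed back to the caller.
errno_name() {
    case "$1" in
        -1)  printf 'EPERM\n' ;;
        -13) printf 'EACCES\n' ;;
        -22) printf 'EINVAL\n' ;;
        *)   printf 'errno(%s)\n' "$1" ;;
    esac
}

# triage AVC_RECORD SYSCALL_RECORD: join the two records on their audit id and
# print one summary line; fail if the ids differ (they would be unrelated events).
triage() {
    avc_id=$(field "$1" msg)
    sys_id=$(field "$2" msg)
    if [ "$avc_id" != "$sys_id" ]; then
        printf 'records do not belong together: %s vs %s\n' "$avc_id" "$sys_id" >&2
        return 1
    fi
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied { *\([^ }]*\).*/\1/p')
    domain=$(field "$1" scontext | cut -d: -f3)
    printf '%s[%s] (%s) in domain %s: denied %s = %s [%s] during %s -> %s; parent pid %s\n' \
        "$(field "$1" comm)" "$(field "$1" pid)" "$(field "$2" exe)" "$domain" \
        "$perm" "$(cap_name "$(field "$1" capability)")" "$(field "$1" tclass)" \
        "$(syscall_name "$(field "$2" syscall)")" "$(errno_name "$(field "$2" exit)")" \
        "$(field "$2" ppid)"
}

triage "$AVC_RECORD" "$SYSCALL_RECORD"
```

On a live host the same pair comes from `ausearch -c chcon`, and `ausearch -i` performs this numeric-to-name decoding itself; doing it by hand here shows why the combination of tclass=capability2, mac_admin and EINVAL points at an undefined label rather than at a missing policy rule, and why the ppid field, not chcon itself, is the thing to chase next.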


  • Daniel J Walsh at Dec 20, 2011 at 9:49 am

    On 12/20/2011 02:44 PM, James B. Byrne wrote:
    CentOS-6.1 KVM guest on CentOS-6.1 host.

    I am seeing this SEAlert in the /var/log/audit/audit.log file of a new
    guest immediately after startup. Can someone tell me what it means
    and what I should do about it? A Google search reveals a number of
    Fedora issues with similar errors dating back a few years, most of
    which seem to have something to do with package ownership.

    This guest starts without activating any Ethernet i/f if that has
    any bearing on the matter.

    This means somebody is executing a chcon with a context that the
    kernel does not understand. I would look for a chcon in an init script.
  • James B. Byrne at Dec 20, 2011 at 11:55 am

    On Tue, December 20, 2011 09:49, Daniel J Walsh wrote:
    This means somebody is executing a chcon with a context
    that the kernel does not understand. I would look for a
    chcon in an init script.
    I tried this and did not find any in the init scripts:

    find /etc/rc.d -print | xargs grep chcon

  • Daniel J Walsh at Dec 20, 2011 at 1:40 pm

    On 12/20/2011 04:55 PM, James B. Byrne wrote:
    On Tue, December 20, 2011 09:49, Daniel J Walsh wrote:


    This means somebody is executing a chcon with a context that the
    kernel does not understand. I would look for a chcon in an init
    script.
    I tried this and did not find any in the init scripts:

    find /etc/rc.d -print | xargs grep chcon
    grep -R chcon /etc/rc.d

    Would be an easier way to do this...

    ps -eZ | grep initrc
  • James B. Byrne at Dec 20, 2011 at 2:33 pm

    On Tue, December 20, 2011 13:40, Daniel J Walsh wrote:
    grep -R chcon /etc/rc.d

    Would be an easier way to do this...

    ps -eZ | grep initrc
    # grep -R chcon /etc/rc.d
    # ps -eZ | grep initrc
    system_u:system_r:initrc_t:s0 1211 ? 00:00:01
    miniserv.pl

    No chcon found in /etc/rc.d

    miniserv.pl is the Webmin httpd server. Is this causing
    the problem?

  • Daniel J Walsh at Dec 20, 2011 at 2:42 pm

    On 12/20/2011 07:33 PM, James B. Byrne wrote:
    On Tue, December 20, 2011 13:40, Daniel J Walsh wrote:
    grep -R chcon /etc/rc.d

    Would be an easier way to do this...

    ps -eZ | grep initrc
    # grep -R chcon /etc/rc.d
    # ps -eZ | grep initrc
    system_u:system_r:initrc_t:s0 1211 ? 00:00:01
    miniserv.pl

    No chcon found in /etc/rc.d

    miniserv.pl is the Webmin httpd server. Is this causing the
    problem?
    It could be. Basically a program running as initrc_t executed the
    chcon command, probably mistakenly thinking it is fixing an SELinux
    problem, but it is using an invalid context.
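The point of this reply is that the parent, not chcon, is what to look for. `ps -eZ | grep initrc` lists the candidates, but it cannot say which of them forked a chcon that exited long before anyone ran ps; the ppid field of the SYSCALL record can. The script below is an added example, not from the thread: it joins that ppid against a `ps -eZ` listing, filters the listing by exact SELinux type (a bare grep for "initrc" would also match types such as initrc_exec_t), and asks the kernel through the selinuxfs "context" node whether a given context string exists in the loaded policy, which is the check libselinux performs in security_check_context(). The listing and the SYSCALL record are constructed to match the thread; the second miniserv.pl process with pid 1242 is made up, since the archive had mangled the real ppid.

```shell
#!/bin/sh
# Added example, not from the thread: find which initrc_t process spawned the
# failing chcon, and check whether a context string is valid in the loaded
# policy. The process listing and the SYSCALL record are constructed; pid 1242
# is made up because the archive had mangled the real ppid.

PS_LISTING='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0            1 ?        00:00:01 init
system_u:system_r:initrc_t:s0       1211 ?        00:00:01 miniserv.pl
system_u:system_r:sshd_t:s0-s0:c0.c1023 1280 ?    00:00:00 sshd
system_u:system_r:initrc_t:s0       1242 ?        00:00:00 miniserv.pl'

SYSCALL_RECORD='type=SYSCALL msg=audit(1324390572.917:12): arch=c000003e syscall=188 success=no exit=-22 ppid=1242 pid=1243 comm="chcon" exe="/usr/bin/chcon" subj=system_u:system_r:initrc_t:s0'

# processes_in_domain LISTING TYPE: print "pid cmd" for every process whose
# SELinux type (third colon-separated part of the label) is exactly TYPE,
# so initrc_t does not also pull in initrc_exec_t the way a bare grep would.
processes_in_domain() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR > 1 { split($1, ctx, ":"); if (ctx[3] == want) print $2, $5 }'
}

# parent_of_record LISTING RECORD: print "ppid label cmd" for the process that
# forked the syscall's pid, or mark it gone if it has already exited.
parent_of_record() {
    ppid=$(printf '%s\n' "$2" | tr ' ' '\n' | sed -n 's/^ppid=//p')
    printf '%s\n' "$1" | awk -v p="$ppid" '
        NR > 1 && $2 == p { print $2, $1, $5; found = 1 }
        END { if (!found) print p, "(no longer running)" }'
}

# context_is_valid CTX: ask the kernel whether CTX exists in the loaded policy
# by writing it to the selinuxfs "context" node (what libselinux does in
# security_check_context()). Returns 0 valid, 1 invalid, 2 if no writable
# selinuxfs is mounted here, so "unknown" stays distinguishable from "invalid".
context_is_valid() {
    for node in /sys/fs/selinux/context /selinux/context; do
        if [ -w "$node" ]; then
            if printf '%s' "$1" > "$node" 2>/dev/null; then return 0; else return 1; fi
        fi
    done
    return 2
}

printf 'initrc_t processes:\n'
processes_in_domain "$PS_LISTING" initrc_t
printf 'parent of the denied chcon:\n'
parent_of_record "$PS_LISTING" "$SYSCALL_RECORD"
```

On a real host, feed `processes_in_domain` the output of `ps -eZ` and `parent_of_record` the SYSCALL line from `ausearch -c chcon`; if the parent has already exited, the exe field of the record and the ppid are still enough to pick the daemon out of the boot-time process tree. Running `context_is_valid` with the context the parent tried to set (on CentOS 6 selinuxfs is mounted at /selinux) confirms whether the label is simply unknown to the installed policy, which is what the mac_admin denial plus EINVAL already suggests.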
  • James B. Byrne at Dec 20, 2011 at 3:11 pm

    On Tue, December 20, 2011 14:42, Daniel J Walsh wrote:
    On 12/20/2011 07:33 PM, James B. Byrne wrote:

    # grep -R chcon /etc/rc.d
    # ps -eZ | grep initrc
    system_u:system_r:initrc_t:s0 1211 ? 00:00:01
    miniserv.pl

    No chcon found in /etc/rc.d

    miniserv.pl is the Webmin httpd server. Is this causing
    the problem?
    It could be. Basically a program running as initrc_t
    executed the chcon command, probably mistakenly thinking
    it is fixing an SELinux problem, but it is using an
    invalid context.
    I do not think that this is a webmin problem as I have
    webmin also running on the kvm host and that server does
    not report the mac_admin chcon error. Both the host and
    the guest are running the same version of CentOS (6.1).

    I will keep looking.

    Thank you for the assistance. It is always useful to
    learn how to properly use a few more commands.

