Il giorno ven, 15/12/2017 alle 10.10 -0500, Bill Shirley ha scritto:
> He should at least do a 'ls -lZ' on the file and report to the list.

I activated this watcher first (it runs in the background and prints every new AVC denial from the audit log as it happens):

    [    root@s-virt     ~]# tail -f /var/log/audit/audit.log | grep 
--color=auto denied &
    [1] 7937


This is the result. Note that the existing lock file carried the `unconfined_u` user but the same type (`var_lock_t`) as its siblings; changing only the user with `chcon` did not stop the denials, and trying to relabel the file to `shorewall_t` (a process domain, not a file type) was itself refused with a `relabelto` denial:

    [    root@s-virt     ~]# ls -lZ  /run/lock/subsys/shorewall 
/run/lock/subsys/
    -rw-------. root root unconfined_u:object_r:var_lock_t:s0 
/run/lock/subsys/shorewall

    /run/lock/subsys/:
    -rw-r--r--. root root system_u:object_r:var_lock_t:s0  libvirt-guests
    -rw-r--r--. root root system_u:object_r:var_lock_t:s0  network
    -rw-------. root root unconfined_u:object_r:var_lock_t:s0 shorewall
    [    root@s-virt     ~]# chcon system_u:object_r:var_lock_t:s0 
/run/lock/subsys/shorewall
    [    root@s-virt     ~]# service shorewall restart
    Redirecting to /bin/systemctl restart shorewall.service
    type=AVC msg=audit(1513528726.972:629): avc:  denied  { getattr } for  
pid=6475 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=40257 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=system_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513528726.972:630): avc:  denied  { unlink } for  
pid=6475 comm="rm" name="shorewall" dev="tmpfs" ino=40257 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=system_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513528727.363:674): avc:  denied  { write } for  
pid=6724 comm="touch" name="shorewall" dev="tmpfs" ino=40257 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=system_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513528727.363:675): avc:  denied  { write } for  
pid=6724 comm="touch" name="shorewall" dev="tmpfs" ino=40257 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=system_u:object_r:var_lock_t:s0 tclass=file
    [    root@s-virt     ~]# ls -lZ  /run/lock/subsys/shorewall
    -rw-------. root root system_u:object_r:var_lock_t:s0  
/run/lock/subsys/shorewall
    [    root@s-virt     ~]# chcon system_u:system_r:shorewall_t:s0 
/run/lock/subsys/shorewall
    type=AVC msg=audit(1513528816.785:684): avc:  denied  { relabelto } for  
pid=6791 comm="chcon" name="shorewall" dev="tmpfs" ino=40257 
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:shorewall_t:s0 tclass=file
    chcon: cambio del contesto di "/run/lock/subsys/shorewall" in 
"system_u:system_r:shorewall_t:s0" non riuscito: Permesso negato

> Also a 'grep denied /var/log/audit/audit.log'.

This is the output of the SELinux denials for shorewall from the audit log (the last 16 matching lines). All of them have `scontext=system_u:system_r:shorewall_t:s0` and `tcontext=...:object_r:var_lock_t:s0`, i.e. the confined shorewall domain is not allowed to stat/unlink/write a file of type `var_lock_t`:

    [    root@s-virt     ~]# grep -E 'denied.*shorewall' 
/var/log/audit/audit.log|tail -16
    type=AVC msg=audit(1513182259.328:11708): avc:  denied  { getattr } for  
pid=25598 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513182259.328:11709): avc:  denied  { unlink } for  
pid=25598 comm="rm" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513182259.738:11753): avc:  denied  { write } for  
pid=25858 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513182259.738:11754): avc:  denied  { write } for  
pid=25858 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513183584.000:11776): avc:  denied  { getattr } for  
pid=26688 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513183584.000:11777): avc:  denied  { unlink } for  
pid=26688 comm="rm" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513183584.415:11821): avc:  denied  { write } for  
pid=26941 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513183584.415:11822): avc:  denied  { write } for  
pid=26941 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513260511.403:13267): avc:  denied  { getattr } for  
pid=29332 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513260511.403:13268): avc:  denied  { unlink } for  
pid=29332 comm="rm" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513260511.846:13312): avc:  denied  { write } for  
pid=29584 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513260511.846:13313): avc:  denied  { write } for  
pid=29584 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513260551.697:13321): avc:  denied  { getattr } for  
pid=29928 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513260551.697:13322): avc:  denied  { unlink } for  
pid=29928 comm="rm" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513260552.125:13366): avc:  denied  { write } for  
pid=30181 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513260552.125:13367): avc:  denied  { write } for  
pid=30181 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
scontext=system_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file


If I use the old "service shorewall restart" or the new "systemctl restart
shorewall.service", the error sometimes (not always) occurs.

If I restart shorewall via "shorewall -q restart" the error does not seem
to occur.

My reading of the difference: when started by systemd the script runs
confined in `shorewall_t` (the scontext in every AVC above), whereas
`shorewall -q restart` from my root shell runs unconfined (see the
`unconfined_t` scontext on the chcon attempt), so the unconfined run
succeeds and probably also (re)creates the lock file with a label the
confined domain cannot use later. Rather than relabelling by hand or
generating an `audit2allow` module (which would grant `shorewall_t`
write access to every `var_lock_t` file, wider than needed), I should
check what the policy expects with `matchpathcon /run/lock/subsys/shorewall`
and apply it with `restorecon -v /run/lock/subsys/shorewall`, or simply
delete the file and restart only via systemctl.
 
Thanks

Dario

> On 12/15/2017 9:56 AM, cac...@quantum-sci.com wrote:
> > 
> > /run is cleared on every boot so a restorecon wouldn't last. If a reboot 
> > doesn't fix it, it's likely a problem in a script of 
> > the repo.
> > 
> > OP doesn't say how he's pulling these messages, but I can't find them in 
> > CentOS7.
> > 
> > 
> > On 12/15/2017 03:12 AM, Bill Shirley wrote:
> > > Perhaps /run/lock/subsys/shorewall has become mis-labeled? (Fedora 25):
> > > drwxr-xr-x. 45 root root system_u:object_r:var_run_t:s0 1280 Dec 13 09:53 
> > > /run
> > > drwxr-xr-x.  6 root root system_u:object_r:var_lock_t:s0 120 Dec  7 01:10 
> > > /run/lock
> > > drwxr-xr-x.  2 root root system_u:object_r:var_lock_t:s0 120 Dec  7 17:01 
> > > /run/lock/subsys
> > > -rw-------.  1 root root unconfined_u:object_r:var_lock_t:s0 0 Dec  7 
> > > 17:00 /run/lock/subsys/shorewall
> > > 
> > > Have you tried running restorecon on the file?
> > > 
> > > Bill
> > > 
> > > On 12/15/2017 5:18 AM, Dario Lesca wrote:
> > > > How to resolve this issue?
> > > > 
> > > >      dic 14 15:09:12 s-virt.to.loc setroubleshoot[29931]: failed to 
> > > > retrieve rpm info for /run/lock/subsys/shorewall
> > > >      dic 14 15:09:12 s-virt.to.loc setroubleshoot[29931]: SELinux is 
> > > > preventing /usr/bin/rm from getattr access on the file 
> > > > /run/lock/subsys/shorewall. For complete SELinux messages run: sealert 
> > > > -l 0c3dda49-0ea8-49ab-9dbd-6a7c3d40e4a1
> > > >      dic 14 15:09:12 s-virt.to.loc python[29931]: SELinux is preventing 
> > > > /usr/bin/rm from getattr access on the file 
> > > > /run/lock/subsys/shorewall.
> > > >      ...
> > > >      dic 14 15:09:12 s-virt.to.loc setroubleshoot[29931]: SELinux is 
> > > > preventing /usr/bin/touch from write access on the file 
> > > > shorewall. For complete SELinux messages run: sealert -l 
> > > > e1a41afa-da77-4c29-ae1e-782146cb825a
> > > >      dic 14 15:09:12 s-virt.to.loc python[29931]: SELinux is preventing 
> > > > /usr/bin/touch from write access on the file shorewall.
> > > > 
> > > >      although apparently everything works well
> > > > 
> > > >      Many thanks
> > > > 
> > > >      --
> > > >      Dario Lesca
> > > >      (inviato dal mio Linux Fedora 27 Workstation)
> > > > 
> > > 
> > > 
> > 
> > 
> > 
> 
> 
-- 
Dario Lesca
(inviato dal mio Linux Fedora 27 Workstation)
