SELinux is preventing /sbin/runuser from 'write' accesses on the key
Environment
- Red Hat Enterprise Linux 6.5
Issue
- SELinux is preventing /sbin/runuser from 'write' accesses on the key
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 2.6.32-431.23.3.el6.x86_64
last_occurrence: 1410465782
time: Thu 11 Sep 2014 04:03:02 PM EDT
description:
:SELinux is preventing /sbin/runuser from 'write' accesses on the key .
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that runuser should be allowed write access on the key by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep runuser /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
:Target Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
:Target Objects [ key ]
:Source runuser
:Source Path /sbin/runuser
:Port <Unknown>
:Host (removed)
:Source RPM Packages coreutils-8.4-31.el6_5.2.x86_64
:Target RPM Packages
:Policy RPM selinux-policy-3.7.19-231.el6_5.3.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Permissive
:Host Name (removed)
:Platform Linux (removed) 2.6.32-431.23.3.el6.x86_64 #1 SMP Wed
: Jul 16 06:12:23 EDT 2014 x86_64 x86_64
:Alert Count 2
:First Seen Mon 25 Aug 2014 03:24:14 AM EDT
:Last Seen Mon 25 Aug 2014 03:24:14 AM EDT
:Local ID b2262ec5-583b-46c4-a56b-6244dbdf71bf
:
:Raw Audit Messages
:type=AVC msg=audit(1408951454.375:4825): avc: denied { write } for pid=13000 comm="runuser" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=key
:
:
:type=SYSCALL msg=audit(1408951454.375:4825): arch=x86_64 syscall=keyctl success=yes exit=0 a0=3 a1=23b3eac7 a2=ffffffffffffffff a3=ca items=0 ppid=12999 pid=13000 auid=0 uid=0 gid=0 euid=488 suid=0 fsuid=488 egid=475 sgid=475 fsgid=475 tty=(none) ses=774 comm=runuser exe=/sbin/runuser subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
:
:Hash: runuser,logrotate_t,logrotate_t,key,write
:
:audit2allow
:
:#============= logrotate_t ==============
:allow logrotate_t self:key write;
:
:audit2allow -R
:
:#============= logrotate_t ==============
:allow logrotate_t self:key write;
:
Resolution
- The Errata has been published at http://rhn.redhat.com/errata/RHBA-2014-1568.html
Root Cause
- We allow this in the upstream policy.
#============= logrotate_t ==============
#!!!! This avc is allowed in the current policy
allow logrotate_t self:key write;
- A private Bugzilla - Bug 1140887 was filed to get this fix in RHEL6.
- In the interim:
1) Create a file mylogrotate.te with the following content (the original listed the write permission twice; it is listed once here):
policy_module(mylogrotate, 1.0)
require {
    type logrotate_t;
    class key { write view read search link setattr create };
}
#============= logrotate_t ==============
# Source and target context are both logrotate_t, so this is the same rule as
# "allow logrotate_t self:key ..." in the audit2allow output above.
allow logrotate_t logrotate_t:key { write view read search link setattr create };
2) Then make and install the policy file
# make -f /usr/share/selinux/devel/include/Makefile
# semodule -i mylogrotate.pp
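The following is an added example, not part of the Red Hat article and not Red Hat's or audit2allow's own code. It shows what the audit2allow step above does with the raw audit messages quoted in the Issue section: it parses the AVC record into source type, target type, object class and permissions, derives the corresponding allow rule (using self when source and target types match, as in the article's output), renders a .te module in the shape of step 1, and uses the matching SYSCALL record to tell a logged-only denial (success=yes, the permissive mode shown in this alert) from a blocked one. It goes beyond the article's single record: it also handles non-self targets and multi-permission sets. The two sample lines are copied from the article; all function names are this example's own.

```python
import re

# Constructed sample records: the AVC and SYSCALL lines quoted in this article,
# reproduced here so the example runs offline. Both share audit serial 4825.
SAMPLE_AVC = (
    'type=AVC msg=audit(1408951454.375:4825): avc: denied { write } for pid=13000 '
    'comm="runuser" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=key'
)
SAMPLE_SYSCALL = (
    'type=SYSCALL msg=audit(1408951454.375:4825): arch=x86_64 syscall=keyctl '
    'success=yes exit=0 a0=3 a1=23b3eac7 a2=ffffffffffffffff a3=ca items=0 '
    'ppid=12999 pid=13000 auid=0 uid=0 gid=0 euid=488 suid=0 fsuid=488 egid=475 '
    'sgid=475 fsgid=475 tty=(none) ses=774 comm=runuser exe=/sbin/runuser '
    'subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)'
)

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _kv(text):
    """Split 'key=value key="quoted value"' pairs into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type_of(context):
    """user:role:type[:range] -> type (the third field of any SELinux context)."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one 'avc: denied/granted' record; returns None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = _kv(m.group('rest'))
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': f.get('comm'),
        'pid': f.get('pid'),
        'source_type': _type_of(f['scontext']),
        'target_type': _type_of(f['tcontext']),
        'tclass': f['tclass'],
    }


def parse_syscall(line):
    """Parse the SYSCALL record that accompanies an AVC (same audit serial)."""
    m = re.match(r'^type=SYSCALL msg=audit\([\d.]+:(\d+)\):', line.strip())
    if not m:
        return None
    f = _kv(line)
    return {'serial': int(m.group(1)), 'success': f.get('success') == 'yes',
            'syscall': f.get('syscall'), 'exe': f.get('exe')}


def allow_rule(avc):
    """Derive the allow rule audit2allow prints for one AVC. When source and
    target types match the rule uses 'self', as in the article's output."""
    target = 'self' if avc['source_type'] == avc['target_type'] else avc['target_type']
    perms = list(dict.fromkeys(avc['perms']))  # de-duplicate, keep order
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source_type']} {target}:{avc['tclass']} {perm_text};"


def classify(avc, syscall):
    """A denied AVC whose SYSCALL record says success=yes means the operation
    went ahead anyway: the system or the domain was permissive (this alert shows
    Enforcing Mode Permissive). In enforcing mode the record carries success=no."""
    if syscall is None or syscall['serial'] != avc['serial']:
        return 'unknown (no matching SYSCALL record)'
    if avc['result'] == 'denied' and syscall['success']:
        return 'logged only (permissive)'
    return 'blocked (enforcing)'


def render_module(name, version, avcs):
    """Render .te source in the shape of step 1 above for a list of parsed AVCs."""
    types = sorted({a['source_type'] for a in avcs} | {a['target_type'] for a in avcs})
    classes = {}
    for a in avcs:
        classes.setdefault(a['tclass'], set()).update(a['perms'])
    lines = [f'policy_module({name}, {version})', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ['}', '']
    lines += sorted({allow_rule(a) for a in avcs})
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    sc = parse_syscall(SAMPLE_SYSCALL)
    print(allow_rule(avc))      # allow logrotate_t self:key write;
    print(classify(avc, sc))    # logged only (permissive)
    print(render_module('mylogrotate', '1.0', [avc]))
```

The rendered module only carries the permissions that actually appeared in the AVC records you feed it, which is the narrowest rule that clears the denial; the article's step 1 grants the broader key permission set. Checking the SYSCALL record's success field before installing a module is worth the extra line: a denial with success=yes was never enforced, so the module changes what gets logged, not what logrotate could already do on this host.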
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.