What is the meaning of "avc: denied { nosuid_transition }" message in audit log?
Issue
- A custom-written web application is generating the following SELinux denial: "SELinux is preventing /usr/bin/python3.4 from using the nosuid_transition access on a process."

  type=SYSCALL msg=audit(...): arch=x86_64 syscall=execve success=yes exit=0 ... pid=XXX ... comm=... exe=/usr/bin/python3.4 subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
  type=AVC msg=audit(...): avc: denied { nosuid_transition } for pid=XXX comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process2
- A standard service available in Red Hat Software Collections (RHSCL) is generating the following SELinux denial when starting (example with rh-nginx116-nginx.service):

  type=SYSCALL msg=audit(...): syscall=59 success=yes exit=0 ... comm="nginx" exe="/opt/rh/rh-nginx116/root/usr/sbin/nginx" subj=system_u:system_r:init_t:s0 key=(null)
  type=SELINUX_ERR msg=audit(...): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:httpd_t:s0
  type=AVC msg=audit(...): avc: denied { nosuid_transition } for pid=XXX comm="nginx-scl-helpe" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process2 permissive=0

  As a result, the nginx processes do not run in the httpd_t context but stay in the init_t context:

  # ps -eafZ | grep nginx | grep -v grep
  system_u:system_r:init_t:s0 root [...] nginx: master process /opt/rh/rh-nginx116/root/usr/sbin/nginx
  system_u:system_r:init_t:s0 nginx [...] nginx: worker process
Environment
- Red Hat Enterprise Linux 7
- SELinux
- File systems mounted with the nosuid option
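As an added triage helper (not part of the original article), the following POSIX shell script picks the nosuid_transition denials out of audit records, joins each one to the exe= field of the execve SYSCALL record carrying the same audit id, and checks whether that executable lives on a nosuid mount by looking its path up in a /proc/self/mounts-style table. The audit lines and the mount table are constructed samples modelled on the two denials above; on a real host you would feed it `ausearch -m AVC,SYSCALL -i` output and `cat /proc/self/mounts` instead.

```shell
#!/bin/sh
# Constructed sample audit records (not from a real system) mirroring the two
# cases above: a CGI script executed by httpd, and the SCL nginx helper started
# by init. Each AVC record shares its msg=audit(...) id with its SYSCALL record.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1600000000.100:11): arch=c000003e syscall=59 success=yes exit=0 comm="httpd" exe=/usr/bin/python3.4 subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1600000000.100:11): avc:  denied  { nosuid_transition } for  pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1600000000.200:12): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1600000000.300:13): arch=c000003e syscall=59 success=yes exit=0 comm="nginx" exe="/opt/rh/rh-nginx116/root/usr/sbin/nginx" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1600000000.300:13): avc:  denied  { nosuid_transition } for  pid=1236 comm="nginx-scl-helpe" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process2 permissive=0'

# Print one line per nosuid_transition denial in class process2:
# "<audit id> <source domain> -> <target domain> exe=<path from SYSCALL record>"
report_nosuid_transitions() {
    printf '%s\n' "$1" | awk '
        # remember the exe= path of every SYSCALL record, keyed by audit id
        $1 == "type=SYSCALL" {
            id = $2; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id)
            for (i = 1; i <= NF; i++) if ($i ~ /^exe=/) { e = $i; sub(/^exe=/, "", e); gsub(/"/, "", e); exe[id] = e }
        }
        # only the denials this article is about; unrelated AVCs (e.g. file read) are skipped
        $1 == "type=AVC" && /denied/ && /nosuid_transition/ && /tclass=process2/ {
            id = $2; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s) }
                if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t) }
            }
            printf "%s %s -> %s exe=%s\n", id, s, t, ((id in exe) ? exe[id] : "?")
        }'
}

# Constructed /proc/self/mounts-style table: /opt (where the SCL binaries live)
# and /tmp are mounted nosuid, the root filesystem is not.
SAMPLE_MOUNTS='/dev/sda1 / xfs rw,relatime 0 0
/dev/sda2 /opt ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# Usage: is_on_nosuid_mount <path> <mount table>. Picks the longest mount point
# that is a prefix of the path, prints "<mount point> nosuid" (exit 0) or
# "<mount point> suid-ok" (exit 1).
is_on_nosuid_mount() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { mp = $2; if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) > length(best)) { best = mp; opts = $4 } }
        END { n = split(opts, o, ","); for (i = 1; i <= n; i++) if (o[i] == "nosuid") { print best " nosuid"; exit 0 }; print best " suid-ok"; exit 1 }'
}

report_nosuid_transitions "$SAMPLE_AUDIT"
is_on_nosuid_mount /opt/rh/rh-nginx116/root/usr/sbin/nginx "$SAMPLE_MOUNTS" || true
```

A denial whose exe= resolves to a nosuid mount points at the mount options rather than at a missing allow rule, so confirm the mount before reaching for audit2allow.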