Bug #44943

open

type=AVC msg=audit(1585577327.291:6403): avc: denied { execute_no_trans } for pid=27385 comm="admin_socket" path="/usr/bin/sudo" dev="sda1" ino=590 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1

Added by Brad Hubbard about 4 years ago.

Status:
New
Priority:
High
Assignee:
-
Category:
-
Target version:
-
% Done:

0%

Source:
Q/A
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

http://pulpito.ceph.com/bhubbard-2020-03-30_11:17:25-ceph-ansible-wip-badone-testing-distro-basic-smithi/4906560/

# sealert -l c8b2592f-2adc-45fc-bf80-2b7d610188b2
SELinux is preventing /usr/bin/sudo from execute access on the file sudo.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sudo should be allowed execute access on the sudo file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:sudo_exec_t:s0
Target Objects                sudo [ file ]
Source                        sudo
Source Path                   /usr/bin/sudo
Port                          <Unknown>
Host                          smithi203
Source RPM Packages           sudo-1.8.25p1-8.el8_1.1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi203
Platform                      Linux smithi203 4.18.0-147.el8.x86_64 #1 SMP Wed
                              Dec 4 21:51:45 UTC 2019 x86_64 x86_64
Alert Count                   4
First Seen                    2020-04-06 01:37:58 UTC
Last Seen                     2020-04-06 01:37:58 UTC
Local ID                      c8b2592f-2adc-45fc-bf80-2b7d610188b2

Raw Audit Messages
type=AVC msg=audit(1586137078.851:3323): avc:  denied  { execute } for  pid=18582 comm="admin_socket" name="sudo" dev="sda1" ino=6951 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1

type=AVC msg=audit(1586137078.851:3323): avc:  denied  { read open } for  pid=18582 comm="admin_socket" path="/usr/bin/sudo" dev="sda1" ino=6951 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1

type=AVC msg=audit(1586137078.851:3323): avc:  denied  { execute_no_trans } for  pid=18582 comm="admin_socket" path="/usr/bin/sudo" dev="sda1" ino=6951 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1

type=AVC msg=audit(1586137078.851:3323): avc:  denied  { map } for  pid=18582 comm="sudo" path="/usr/bin/sudo" dev="sda1" ino=6951 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1586137078.851:3323): arch=x86_64 syscall=execve success=yes exit=0 a0=7fe7fea32260 a1=56497a265000 a2=564978f3a8c0 a3=2b24b0000 items=0 ppid=18581 pid=18582 auid=4294967295 uid=167 gid=167 euid=0 suid=0 fsuid=0 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=sudo exe=/usr/bin/sudo subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: sudo,ceph_t,sudo_exec_t,file,execute

# ausearch -c 'sudo' --raw | audit2allow -M my-sudo && cat my-sudo.te 
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-sudo.pp

module my-sudo 1.0;

require {
        type sudo_exec_t;
        type initrc_var_run_t;
        type ceph_t;
        class file { execute execute_no_trans lock map open read };
        class capability { audit_write sys_resource };
        class process setrlimit;
        class netlink_audit_socket { create nlmsg_relay };
}

#============= ceph_t ==============
allow ceph_t initrc_var_run_t:file { lock open read };
allow ceph_t self:capability { audit_write sys_resource };
allow ceph_t self:netlink_audit_socket { create nlmsg_relay };
allow ceph_t self:process setrlimit;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow ceph_t sudo_exec_t:file map;
allow ceph_t sudo_exec_t:file { execute execute_no_trans open read };
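The four raw AVC records above all belong to one audit event and collapse into the single `ceph_t -> sudo_exec_t:file` rule at the end of the generated module. The following script is an added example for this ticket (not Ceph or tracker tooling): it parses AVC records with the kernel's field format, unions the denied permissions per (source type, target type, class) the way audit2allow does, and separately flags the `execute_no_trans` denial, which is the one a policy reviewer should look at before loading `my-sudo.pp`, because it records sudo running inside `ceph_t` rather than transitioning to its own domain. The sample lines are the report's own; `permissive=1` is read as "logged but not enforced".

```python
"""Parse raw SELinux AVC records, summarise them as audit2allow-style
allow rules, and flag execute_no_trans denials for review.

Added example for this report; not Ceph or Redmine code. The audit lines
below are the four AVC records quoted in the bug description."""
import re
from collections import defaultdict

# The four AVC records from the report (audit event 1586137078.851:3323).
SAMPLE_AVC = """\
type=AVC msg=audit(1586137078.851:3323): avc:  denied  { execute } for  pid=18582 comm="admin_socket" name="sudo" dev="sda1" ino=6951 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1586137078.851:3323): avc:  denied  { read open } for  pid=18582 comm="admin_socket" path="/usr/bin/sudo" dev="sda1" ino=6951 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1586137078.851:3323): avc:  denied  { execute_no_trans } for  pid=18582 comm="admin_socket" path="/usr/bin/sudo" dev="sda1" ino=6951 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1586137078.851:3323): avc:  denied  { map } for  pid=18582 comm="sudo" path="/usr/bin/sudo" dev="sda1" ino=6951 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
"""

# Header of an AVC record: event id, denied/granted, the permission set in braces.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="sudo") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "event": m.group("event"),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """system_u:system_r:ceph_t:s0 -> ceph_t (the type is the third field)."""
    return context.split(":")[2]


def summarise(lines):
    """Group denials by (source type, target type, class) and union their
    permissions; this is the core of the allow rule audit2allow emits."""
    perms_by_key = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            perms_by_key[key] |= rec["perms"]
    return dict(perms_by_key)


def allow_rules(lines):
    """Render the grouped denials in .te syntax, sorted for stable output."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarise(lines).items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def triage(lines):
    """Flag denials a reviewer should inspect before loading the generated
    module: execute_no_trans on an *_exec_t target means the binary ran in
    the caller's domain instead of transitioning to its own. permissive=1
    means the denial was logged but not enforced."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if not rec:
            continue
        tgt = type_of(rec["tcontext"])
        if "execute_no_trans" in rec["perms"] and tgt.endswith("_exec_t"):
            enforced = "no" if rec.get("permissive") == "1" else "yes"
            findings.append(
                f"{rec['event']}: {type_of(rec['scontext'])} ran "
                f"{rec.get('path') or rec.get('name')} ({tgt}) without a domain "
                f"transition (comm={rec['comm']}, enforced={enforced})"
            )
    return findings


if __name__ == "__main__":
    lines = SAMPLE_AVC.splitlines()
    for rule in allow_rules(lines):
        print(rule)
    for finding in triage(lines):
        print("REVIEW:", finding)
```

Run against the report's four records, `allow_rules` yields the one rule `allow ceph_t sudo_exec_t:file { execute execute_no_trans map open read };` (the union of the last two lines of `my-sudo.te` above), and `triage` returns a single finding naming `admin_socket` as the caller with `enforced=no`. That finding is the decision point: whether `ceph_t` should be allowed to run sudo in-domain at all, or whether the admin-socket call path should avoid sudo, is a policy question the generated module does not answer by itself.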
