Source: refpolicy
Version: 2:2.20140206-1
Severity: normal

This seems to happen on any invocation of restorecon (as the unconfined superuser):

type=AVC msg=audit(1393898218.762:233): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=sysfs ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:233): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=75736f6e2c6c6562 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:234): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=devtmpfs ino=1025 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:234): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d295 a1=7fffe0d11a70 a2=7f74fdd8d295 a3=6f6d2c3738353332 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:235): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=devpts ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:235): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d297 a1=7fffe0d11a70 a2=7f74fdd8d297 a3=3d65646f6d2c353d items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:236): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=tmpfs ino=5056 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:236): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=6f6d2c6b38323032 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

This is one of the last things I need to correct before I can switch to enforcing mode, but I'm at a complete loss as to what might be wrong. Possibly relevant:

# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,seclabel,size=10240k,nr_inodes=123587,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,seclabel,size=102028k,mode=755)
/dev/xvda on / type ext3 (rw,noatime,seclabel,errors=remount-ro,barrier=1,data=ordered)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:var_lock_t:s0,seclabel,size=5120k)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:tmpfs_t:s0,seclabel,size=256480k)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,rootcontext=system_u:object_r:tmp_t:s0,seclabel,size=256480k)

# ls -ldZ / /sys /proc /dev /dev/pts /run /run/lock /run/shm /tmp
drwxr-xr-x. 22 root root system_u:object_r:root_t:SystemLow 4096 Mar 2 23:23 /
drwxr-xr-x. 11 root root system_u:object_r:device_t:SystemLow 2580 Mar 4 01:17 /dev
drwxr-xr-x. 2 root root system_u:object_r:devpts_t:SystemLow 0 Mar 4 01:16 /dev/pts
dr-xr-xr-x. 95 root root system_u:object_r:proc_t:SystemLow 0 Mar 4 01:16 /proc
drwxr-xr-x. 15 root root system_u:object_r:var_run_t:SystemLow 600 Mar 4 01:17 /run
drwxrwxrwt. 3 root root system_u:object_r:var_lock_t:SystemLow 60 Mar 4 01:17 /run/lock
drwxrwxrwt. 2 root root system_u:object_r:tmpfs_t:SystemLow 60 Mar 4 01:16 /run/shm
drwxr-xr-x. 13 root root system_u:object_r:sysfs_t:SystemLow 0 Mar 4 01:16 /sys
drwxrwxrwt. 2 root root system_u:object_r:tmp_t:SystemLow 40 Mar 4 02:02 /tmp

# ls -lZ /sbin/setfiles
-rwxr-xr-x. 1 root root system_u:object_r:setfiles_exec_t:SystemLow 26488 Dec 29 13:44 /sbin/setfiles

I'm running a mostly-stable system with selected things from testing: in particular, everything to do with SELinux is from testing. I cannot run the kernel from testing because the cloud provider's pv-grub is too old for it.

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable'), (100, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
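
Added example, not part of the original report and not refpolicy code: a small Python triage of audit records in the format quoted above. It reduces the AVC denials to the type-enforcement rule each one corresponds to (the form audit2allow prints) and pairs them by audit id with SYSCALL records that still returned success, which is consistent with the denials being logged but not enforced. The names summarize and SAMPLE are hypothetical; SAMPLE holds records 233 and 234 from the report with the SYSCALL lines trimmed. Whether such rules should be granted is a policy decision the report leaves open.

```python
import re
from collections import defaultdict

# Records 233 and 234 from the report; SYSCALL lines trimmed to the fields read here.
SAMPLE = (
    'type=AVC msg=audit(1393898218.762:233): avc: denied { getattr } for pid=3902 '
    'comm="setfiles" name="/" dev=sysfs ino=1 '
    'scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem\n'
    'type=SYSCALL msg=audit(1393898218.762:233): arch=c000003e syscall=137 '
    'success=yes exit=0\n'
    'type=AVC msg=audit(1393898218.762:234): avc: denied { getattr } for pid=3902 '
    'comm="setfiles" name="/" dev=devtmpfs ino=1025 '
    'scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=filesystem\n'
    'type=SYSCALL msg=audit(1393898218.762:234): arch=c000003e syscall=137 '
    'success=yes exit=0\n'
)

# Split before each record start so input run together on one line still parses.
RECORD = re.compile(r"(?=type=(?:AVC|SYSCALL) )")
AUDIT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
AVC = re.compile(
    r"avc:\s+denied\s+\{ ([^}]*) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)"
)

def summarize(text):
    """Return (allow-rule strings, audit ids denied by AVC yet successful)."""
    rules = defaultdict(set)  # (source type, target type, class) -> permissions
    denied_ids, succeeded_ids = set(), set()
    for rec in RECORD.split(text):
        m_id = AUDIT_ID.search(rec)
        if not m_id:
            continue
        avc = AVC.search(rec)
        if avc:
            perms, scon, tcon, tclass = avc.groups()
            # The type is the third field of user:role:type:level.
            key = (scon.split(":")[2], tcon.split(":")[2], tclass)
            rules[key].update(perms.split())
            denied_ids.add(m_id.group(1))
        elif rec.startswith("type=SYSCALL") and "success=yes" in rec:
            succeeded_ids.add(m_id.group(1))
    allow = sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in rules.items()
    )
    return allow, sorted(denied_ids & succeeded_ids)

if __name__ == "__main__":
    for line in summarize(SAMPLE)[0]:
        print(line)
```
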