CentOS > SELinux > /etc/localtime error

Posted on 2014-07-18
Last Modified: 2014-07-24
How do I fix this?

SELinux is preventing tzdata-update (tzdata_t) "unlink" to localtime (etc_t).

Detailed Description:

SELinux is preventing tzdata-update (tzdata_t) "unlink" to localtime (etc_t).
The SELinux type etc_t, is a generic type for all files in the directory and
very few processes (SELinux Domains) are allowed to write to this SELinux type.
This type of denial usual indicates a mislabeled file. By default a file created
in a directory has the gets the context of the parent directory, but SELinux
policy has rules about the creation of directories, that say if a process
running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write,
unlink, and append on (F2). But if for some reason a file (localtime) was
created with the wrong context, this domain will be denied. The usual solution
to this problem is to reset the file context on the target file, restorecon -v
'localtime'. If the file context does not change from etc_t, then this is
probably a bug in policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or moving
the file from a different directory, if the file keeps getting mislabeled, check
the init scripts to see if they are doing something to mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v 'localtime'

The following command will allow this access:

restorecon 'localtime'

Additional Information:

Source Context                root:system_r:tzdata_t:SystemLow-SystemHigh
Target Context                root:object_r:etc_t
Target Objects                localtime [ lnk_file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           glibc-common-2.5-118.el5_10.2
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-346.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     www.t1shopper.com
Platform                      Linux www.t1shopper.com 2.6.18-371.8.1.el5 #1 SMP
                              Thu Apr 24 18:19:36 EDT 2014 x86_64 x86_64
Alert Count                   1
First Seen                    Fri Jul 18 21:16:23 2014
Last Seen                     Fri Jul 18 21:16:23 2014
Local ID                      7c273cdf-e822-48f4-90a3-2e13b6e1996e
Line Numbers                  16744, 16745

Raw Audit Messages

type=AVC msg=audit(1405718183.87:560873): avc:  denied  { unlink } for  pid=2777 comm="tzdata-update" name="localtime" dev=dm-0 ino=29262001 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=root:object_r:etc_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1405718183.87:560873): arch=c000003e syscall=82 success=no exit=-13 a0=7fff66233ca0 a1=400cf9 a2=76 a3=6094e0 items=0 ppid=29416 pid=2777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=92051 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=root:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)

Question by:Geoff Millikan
14 Comments
 
LVL 13

Expert Comment

by:duncanb7
ID: 40205604
The attachment you posted said to try:

You can attempt to fix file context by executing restorecon -v 'localtime'

And it suggests using restorecon '/etc/localtime' in this blog, which is similar to your issue, at

https://bugzilla.redhat.com/show_bug.cgi?id=517452

What command or utility tool did you run recently so that you have such an issue?

Duncan
 

Author Comment

by:Geoff Millikan
ID: 40205722
What command or utility tool did you run recently so that you have such an issue?
Probably when the system ran yum update it tried to update the timezone files.

Here are the steps I took to fix it, which didn't seem to work because the security settings on the file didn't change.
[root@www ~]# ls -Z /etc/localtime
lrwxrwxrwx  root root root:object_r:etc_t              /etc/localtime -> /usr/share/zoneinfo/GMT

[root@www ~]# restorecon '/etc/localtime'
[root@www ~]# restorecon -v 'localtime'
lstat(localtime) failed: No such file or directory

[root@www ~]# ls -Z /etc/localtime
lrwxrwxrwx  root root root:object_r:etc_t              /etc/localtime -> /usr/share/zoneinfo/GMT

[root@www ~]# ls -Z /usr/share/zoneinfo/GMT
-rw-r--r--  root root system_u:object_r:locale_t       /usr/share/zoneinfo/GMT

 
LVL 13

Expert Comment

by:duncanb7
ID: 40205727
You are already in root access; why would it have an issue? Could you do sudo with the command?

Duncan

Author Comment

by:Geoff Millikan
ID: 40205729
You are already in root access; why would it have an issue?
I don't know, that's what I'm asking you!
 
LVL 13

Expert Comment

by:duncanb7
ID: 40205734
How about sudo?
 

Author Comment

by:Geoff Millikan
ID: 40205757
No change in permissions or context.
[root@www ~]# sudo restorecon -v '/etc/localtime'
[root@www ~]# ls -Z /etc/localtime
lrwxrwxrwx  root root root:object_r:etc_t              /etc/localtime -> /usr/share/zoneinfo/GMT

[root@www ~]# sudo restorecon -v '/usr/share/zoneinfo/GMT'
[root@www ~]# ls -Z '/usr/share/zoneinfo/GMT'
-rw-r--r--  root root system_u:object_r:locale_t       /usr/share/zoneinfo/GMT

 
LVL 13

Expert Comment

by:duncanb7
ID: 40205843
Could you check the file or directory permission, privilege or rights on that file /etc/localtime or its link file or directory?

Duncan
 

Author Comment

by:Geoff Millikan
ID: 40205866
Is this what you want?  If not, please give me exact commands to run.  Thanks.
drwxr-xr-x  root root system_u:object_r:etc_t          etc

drwxr-xr-x  root root system_u:object_r:locale_t       zoneinfo

 
LVL 13

Expert Comment

by:Sandy
ID: 40206024
restorecon -R /etc localtime
 
LVL 13

Expert Comment

by:duncanb7
ID: 40206028
Sandy reminds me, thanks. Sorry, the t1shopper question post mentioned:

Allowing Access:

You can attempt to fix file context by executing restorecon -v 'localtime'

The following command will allow this access:

restorecon 'localtime'

Additional Information:

So try
- TEST-1, restorecon -v 'localtime'
- TEST-2, restorcon 'localtme'
- TEST-3, restorecon -R -v  /etc 'localtime'
- TEST-4, restorecon -R   /etc 'localtime'

Probably it will work hopefully

Duncan
 

Author Comment

by:Geoff Millikan
ID: 40217550
I'm not sure if any of this fixed it but here's the status:
Sandy: The output of your solution is included below.
Duncanb7: Here's the output of the 4 tests.
[root@www ~]# restorecon -v 'localtime'
lstat(localtime) failed: No such file or directory
[root@www ~]# restorcon 'localtme'
-bash: restorcon: command not found
[root@www ~]# restorecon 'localtme'
lstat(localtme) failed: No such file or directory
[root@www ~]# restorecon 'localtime'
lstat(localtime) failed: No such file or directory
[root@www ~]# restorecon -R -v  /etc 'localtime'
restorecon reset /etc/aliases context root:object_r:etc_t:s0->system_u:object_r:etc_aliases_t:s0
restorecon reset /etc/dovecot.conf context root:object_r:etc_t:s0->system_u:object_r:dovecot_etc_t:s0
restorecon reset /etc/rc.d/init.d/php_mysql_memory_table_maxmind context root:object_r:etc_t:s0->system_u:object_r:initrc_exec_t:s0
restorecon reset /etc/my.cnf context root:object_r:etc_t:s0->system_u:object_r:mysqld_etc_t:s0
restorecon reset /etc/modprobe.d/anaconda.conf context system_u:object_r:file_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/aliases.original context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/openwsman/serverkey.pem context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/openwsman/servercert.pem context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/sysconfig/mkinitrd/multipath context system_u:object_r:file_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/sysconfig/iptables.2012-03-01.default.original context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables.2013-02-13 context root:object_r:etc_runtime_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables.2011-01-10 context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables_base_configuration context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/ip6tables context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables.2013-04-20 context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables.2013-08-31 context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables-config context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/my.cnf.2013-03-01.original context system_u:object_r:mysqld_etc_t:s0->system_u:object_r:etc_t:s0
restorecon:  error while labeling files under localtime
[root@www ~]# restorecon -R   /etc 'localtime'
restorecon:  error while labeling files under localtime

 
LVL 13

Accepted Solution

by:
Sandy earned 2000 total points
ID: 40218522
Hold on... you executed the correct command from the wrong path

# cd /etc/
# restorecon -R   /etc 'localtime'

# ls -lZ localtime

Now check and post...

TY/SA
 

Author Comment

by:Geoff Millikan
ID: 40218547
That all seemed to run successfully (see below).  Should it be fixed?
[root@www ~]# cd /etc/
[root@www etc]# restorecon -R   /etc 'localtime'
[root@www etc]# ls -lZ localtime
lrwxrwxrwx  root root root:object_r:etc_t              localtime -> /usr/share/zoneinfo/GMT
[root@www etc]#

 
LVL 13

Expert Comment

by:Sandy
ID: 40218550
Seems like yes..  check and suggest

ty/sa
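
An added example, not part of the thread or any poster's code: a Python triage of the outputs posted above, applying the rule from the alert text that a label left unchanged by restorecon points at selinux-policy rather than at a mislabeled file. The function names and the two-line restorecon sample are constructed for illustration.

```python
import re

# Constructed sample input copied from the thread: the AVC record, the
# `ls -Z /etc/localtime` line seen after restorecon, and two lines of the
# `restorecon -R -v /etc` output.
AVC = ('type=AVC msg=audit(1405718183.87:560873): avc:  denied  { unlink } for  '
       'pid=2777 comm="tzdata-update" name="localtime" dev=dm-0 ino=29262001 '
       'scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 '
       'tcontext=root:object_r:etc_t:s0 tclass=lnk_file')
LS_AFTER = ('lrwxrwxrwx  root root root:object_r:etc_t              '
            '/etc/localtime -> /usr/share/zoneinfo/GMT')
RESTORECON_V = '''\
restorecon reset /etc/aliases context root:object_r:etc_t:s0->system_u:object_r:etc_aliases_t:s0
restorecon reset /etc/my.cnf context root:object_r:etc_t:s0->system_u:object_r:mysqld_etc_t:s0
'''

def parse_avc(line):
    """Pull out the fields of an AVC denial that identify the missing allow rule."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC denial record')
    kv = dict(f.split('=', 1) for f in m.group(2).split() if '=' in f)
    return {'perms': m.group(1).split(),
            'source_type': kv['scontext'].split(':')[2],
            'target_type': kv['tcontext'].split(':')[2],
            'tclass': kv['tclass'], 'name': kv['name'].strip('"')}

def ls_z_type(line):
    """Return the type field of the user:role:type[:level] token in `ls -Z` output."""
    ctx = next(tok for tok in line.split() if tok.count(':') >= 2)
    return ctx.split(':')[2]

def relabeled(restorecon_output):
    """Map path -> (old_type, new_type) for each `restorecon -v` reset line."""
    pat = re.compile(r'^restorecon reset (\S+) context (\S+)->(\S+)$', re.M)
    return {p: (old.split(':')[2], new.split(':')[2])
            for p, old, new in pat.findall(restorecon_output)}

def triage(avc_line, ls_after, restorecon_output, path):
    """Apply the alert's rule: did restorecon change the label that was denied?"""
    avc = parse_avc(avc_line)
    changed = path in relabeled(restorecon_output)
    if changed or ls_z_type(ls_after) != avc['target_type']:
        return 'relabeled: retry the operation'
    return ('label unchanged (%s): per the alert text the denied %s on %s '
            'points at selinux-policy, not at a mislabeled file'
            % (avc['target_type'], '/'.join(avc['perms']), avc['tclass']))

if __name__ == '__main__':
    print(triage(AVC, LS_AFTER, RESTORECON_V, '/etc/localtime'))
```
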