Two issues
Stephen Smalley
sds at tycho.nsa.gov
Wed Sep 27 17:51:15 UTC 2006
On Wed, 2006-09-27 at 13:32 -0400, Richard Irving wrote:
> Hi,
> I am having two issues with FC5 (x86_64) and selinux....
>
> First, it appears the system is having a problem logging AVC's:
>
> ===================================================================
> Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC
> avc: received policyload notice (seqno=4) : exe="?" (sauid=81,
> hostname=?, addr=?, terminal=?)
> Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC
> avc: 2 AV entries and 2/512 buckets used, longest chain length 1 :
> exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
> Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC
> avc: received policyload notice (seqno=4) : exe="/bin/dbus-daemon"
> (sauid=500, hostname=?, addr=?, terminal=?)
> Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC
> avc: 0 AV entries and 0/512 buckets used, longest chain length 0 :
> exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)
Not certain about this one, although I recall issues with the session
dbus (which runs with the user's identity, not as root) not being able
to generate audit messages in the past. Steve?
> ================================================================
>
> And second, I was working on a hand edited local.te, as selinux is
> preventing vsftpd from creating files in users home directories...
> When running the policy compiler, I get.....
>
> ========================================================================
> (unknown source)::ERROR 'permission write is not defined for class dir'
> at token ';' on line 22:
> allow ftpd_t user_home_dir_t:dir { getattr read search write };
> allow ftpd_t user_home_t:dir { getattr read search write };
> ===============================================================
>
> And it appears "write" is no longer a valid attribute for directories?
> What is its replacement? The AVC is calling it a "write" problem...
> and audit2allow says the correcting line should be:
>
> allow ftpd_t user_home_dir_t:dir write;
>
> Am I missing something?
>
> TIA!
How was that local.te file generated? In any event, assuming you are
trying to build it as a module, it needs to declare any required
permissions in its require block, which can either be done explicitly or
by using the policy_module() macro. Otherwise, the compiler doesn't
know that it is an external dependency.
--
Stephen Smalley
National Security Agency
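As an added illustration of the reply above (not Richard Irving's local.te and not code from Stephen Smalley or the reference policy), here is what a loadable module for those two rules looks like once it declares its external dependencies. It assumes a Fedora Core 5 era reference-policy tree with the selinux-policy-devel Makefile installed; the build commands, the module name `local`, and the extra permissions beyond `write` are assumptions for the example.

```selinux
# local.te - added example for this thread, not the original poster's file.
# Assumed build and load steps (run as root, requires selinux-policy-devel):
#   make -f /usr/share/selinux/devel/Makefile local.pp
#   semodule -i local.pp

policy_module(local, 1.0)

# Every type this module uses but does not define must be listed here.
# Without a require block the compiler has no way of knowing these are
# external dependencies, which is what produces errors such as
# "permission write is not defined for class dir".
#
# policy_module() already pulls in a require of every object class and
# permission, so a hand-written require block that does not use the macro
# would additionally need a line such as:
#   class dir { getattr read search write add_name };
require {
    type ftpd_t;
    type user_home_dir_t;
    type user_home_t;
}

# audit2allow reports only the permission that was denied first ("write"
# on the directory). Creating a file also needs add_name on the directory
# and create/write on the type the new file receives, otherwise the next
# denial shows up as soon as the first one is allowed. user_home_t is
# assumed here as the type of the created files; confirm with ls -Z and
# any further AVC messages.
allow ftpd_t user_home_dir_t:dir { getattr read search write add_name };
allow ftpd_t user_home_t:dir { getattr read search write add_name };
allow ftpd_t user_home_t:file { create getattr write };
```

Keep in mind that these rules give the FTP daemon write access to every user's home directory, which is a broad grant. Where the installed policy already provides the ftp_home_dir boolean for this purpose, toggling it with setsebool is preferable to carrying a custom module, and whichever route is chosen the resulting permission set should be kept to the minimum the observed denials actually require.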