<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Greetings fellow travellers.<br>
<br>
<br>
Could someone please help me with the following errors:<br>
<br>
<b>audit(1129788324.500:0): avc: denied { execute } for pid=3105
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t<br>
context=root:object_r:usr_t tclass=file<br>
audit(1129788324.501:0): avc: denied { execute } for pid=3106
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t<br>
context=root:object_r:usr_t tclass=file<br>
audit(1129788324.507:0): avc: denied { execute } for pid=3107
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t<br>
context=root:object_r:usr_t tclass=file<br>
audit(1129788324.510:0): avc: denied { execute } for pid=3108
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t<br>
context=root:object_r:usr_t tclass=file<br>
audit(1129788324.514:0): avc: denied { execute } for pid=3109
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t<br>
context=root:object_r:usr_t tclass=file<br>
audit(1129788324.517:0): avc: denied { execute } for pid=3110
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t<br>
context=root:object_r:usr_t tclass=file<br>
audit(1129788324.521:0): avc: denied { execute } for pid=3111
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t<br>
context=root:object_r:usr_t tclass=file<br>
audit(1129788324.522:0): avc: denied { execute } for pid=3112
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t<br>
context=root:object_r:usr_t tclass=file<br>
audit(1129788324.528:0): avc: denied { execute } for pid=3113
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t<br>
context=root:object_r:usr_t tclass=file<br>
audit(1129788324.529:0): avc: denied { execute } for pid=3114
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t<br>
context=root:object_r:usr_t tclass=file</b><br>
<br>
<br>
These errors are from dmesg, and occured after compiling and installing
squidclam from source.<br>
<br>
Here is the output of selinuxconf:<br>
<br>
[<b>root@shiva jay]# selinuxconfig<br>
selinux state="enforcing"<br>
policypath="/etc/selinux/targeted"<br>
default_type_path="/etc/selinux/targeted/contexts/default_type"<br>
default_context_path="/etc/selinux/targeted/contexts/default_contexts"<br>
default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"<br>
binary_policy_path="/etc/selinux/targeted/policy/policy"<br>
user_contexts_path="/etc/selinux/targeted/contexts/users/"<br>
contexts_path="/etc/selinux/targeted/contexts"</b><br>
<br>
Output of uname -a:<br>
<b>[root@shiva jay]# uname -a<br>
Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 i686
i386 GNU/Linux</b><br>
<br>
Any help would be greatly appreciated.<br>
<br>
God bless.<br>
<pre class="moz-signature" cols="72">
</pre>
<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:fedora-selinux-list-request@redhat.com">fedora-selinux-list-request@redhat.com</a> wrote:
<blockquote cite="mid20051020160014.31DF97407D@hormel.redhat.com"
type="cite">
<pre wrap="">Send fedora-selinux-list mailing list submissions to
<a class="moz-txt-link-abbreviated" href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a>
To subscribe or unsubscribe via the World Wide Web, visit
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-selinux-list">https://www.redhat.com/mailman/listinfo/fedora-selinux-list</a>
or, via email, send a message with subject or body 'help' to
<a class="moz-txt-link-abbreviated" href="mailto:fedora-selinux-list-request@redhat.com">fedora-selinux-list-request@redhat.com</a>
You can reach the person managing the list at
<a class="moz-txt-link-abbreviated" href="mailto:fedora-selinux-list-owner@redhat.com">fedora-selinux-list-owner@redhat.com</a>
When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."
Today's Topics:
1. Re: mailman cgi-bin denied search (Tim Fenn)
2. Preserving Context with tar (W. Scott wilburn)
3. Re: mailman cgi-bin denied search (Daniel J Walsh)
4. Re: Preserving Context with tar (Daniel J Walsh)
5. Re: mailman cgi-bin denied search (Tim Fenn)
6. Re: Preserving Context with tar (Stephen Smalley)
----------------------------------------------------------------------
Message: 1
Date: Wed, 19 Oct 2005 13:49:47 -0700
From: Tim Fenn <a class="moz-txt-link-rfc2396E" href="mailto:fenn@stanford.edu"><fenn@stanford.edu></a>
Subject: Re: mailman cgi-bin denied search
To: Daniel J Walsh <a class="moz-txt-link-rfc2396E" href="mailto:dwalsh@redhat.com"><dwalsh@redhat.com></a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:20051019204947.GC6466@stanford.edu"><20051019204947.GC6466@stanford.edu></a>
Content-Type: text/plain; charset=us-ascii
On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Tim Fenn wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I recently installed mailman on my FC3 box (using the redhat based
RPMs), and it seems to be working just fine, except for the numerous
avc messages it cranks out whenever I run one of the cgi scripts
associated with mailman (e.g. via the web interface):
Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
{ search } for pid=18761 comm="listinfo" name="run" dev=sda1
ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
u:object_r:var_run_t tclass=dir
</pre>
</blockquote>
<pre wrap="">Why would mailman listinfo be searching /var/log directory?
</pre>
</blockquote>
<pre wrap=""><!---->
Well, I get the same errors with mailmanctl:
./mailmanctl status
yields no output, and the following errors:
Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
{ read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts
ino=5 scontext=root:system_r:mailman_mail_t
tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
{ search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
ino=1294372 scontext=root:system_r:mailman_mail_t
tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
{ setgid } for pid=20837 comm="mailmanctl" capability=6
scontext=root:system_r:mailman_mail_t
tcontext=root:system_r:mailman_mail_t tclass=capability
However, if I comment out:
from Mailman.Logging.Syslog import syslog
in the mailmanctl script, all is well:
# ./mailmanctl status
mailman (pid 17677) is running...
and no error messages. I would assume the same is true with the
cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
Regards,
Tim
------------------------------
Message: 2
Date: Wed, 19 Oct 2005 15:56:06 -0600
From: "W. Scott wilburn" <a class="moz-txt-link-rfc2396E" href="mailto:wilburn@lanl.gov"><wilburn@lanl.gov></a>
Subject: Preserving Context with tar
To: <a class="moz-txt-link-abbreviated" href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:20051019215606.GE4717@wilburn.lanl.gov"><20051019215606.GE4717@wilburn.lanl.gov></a>
Content-Type: text/plain; charset=us-ascii
Sorry to be asking such a simple question. Is it possible to preserve
file contexts using tar? I would have thought -p would do this, but
it appears no, atleast on RHEL4 and FC4.
The reason to do this is a use tar to install modified config files on
new machines. Having to relabel after doing this is somewhat slow.
Perhaps there is a better solution?
Thanks,
Scott Wilburn
------------------------------
Message: 3
Date: Wed, 19 Oct 2005 22:31:36 -0400
From: Daniel J Walsh <a class="moz-txt-link-rfc2396E" href="mailto:dwalsh@redhat.com"><dwalsh@redhat.com></a>
Subject: Re: mailman cgi-bin denied search
To: Daniel J Walsh <a class="moz-txt-link-rfc2396E" href="mailto:dwalsh@redhat.com"><dwalsh@redhat.com></a>, <a class="moz-txt-link-abbreviated" href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:43570188.5060201@redhat.com"><43570188.5060201@redhat.com></a>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Tim Fenn wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Tim Fenn wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I recently installed mailman on my FC3 box (using the redhat based
RPMs), and it seems to be working just fine, except for the numerous
avc messages it cranks out whenever I run one of the cgi scripts
associated with mailman (e.g. via the web interface):
Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
{ search } for pid=18761 comm="listinfo" name="run" dev=sda1
ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
u:object_r:var_run_t tclass=dir
</pre>
</blockquote>
<pre wrap="">Why would mailman listinfo be searching /var/log directory?
</pre>
</blockquote>
<pre wrap="">Well, I get the same errors with mailmanctl:
./mailmanctl status
yields no output, and the following errors:
Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
{ read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts
ino=5 scontext=root:system_r:mailman_mail_t
tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
{ search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
ino=1294372 scontext=root:system_r:mailman_mail_t
tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
{ setgid } for pid=20837 comm="mailmanctl" capability=6
scontext=root:system_r:mailman_mail_t
tcontext=root:system_r:mailman_mail_t tclass=capability
However, if I comment out:
from Mailman.Logging.Syslog import syslog
in the mailmanctl script, all is well:
# ./mailmanctl status
mailman (pid 17677) is running...
and no error messages. I would assume the same is true with the
cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
Regards,
Tim
</pre>
</blockquote>
<pre wrap=""><!---->Yes. submit a bug. Although generating these in FC4 would be far more
interesting. Also do these AVC messages cause problems or are they just
being reported. No output from the script is fixed in FC4.
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: <a class="moz-txt-link-abbreviated" href="mailto:jayendren@mweb.co.za">jayendren@mweb.co.za</a>
</pre>
</body>
</html>