December 2004 - selinux - Fedora Mailing-Lists

new kernel, new policy installed as .rpmnew

by Chuck Anderson

I just yum updated, and got the latest testing kernel and policy files: Install: kernel.i686 0:2.6.9-1.715_FC3 Install: kernel-smp.i686 0:2.6.9-1.715_FC3 [...] Update: selinux-policy-targeted.noarch 0:1.17.30-2.58 Update: selinux-policy-targeted-sources.noarch 0:1.17.30-2.58 [...] Installing: kernel-smp 100 % done 1/160 warning: /etc/selinux/targeted/contexts/files/file_contexts created as /etc/selinux/targeted/contexts/files/file_contexts.rpmnew warning: /etc/selinux/targeted/policy/policy.18 created as /etc/selinux/targeted/policy/policy.18.rpmnew Updating: selinux-policy-targeted 100 % done 2/160 The FAQ says that the policy reloads automatically, and that a manual relabel may be necessary. It doesn't say anything about fixing the filenames that were named .rpmnew. How can the policy automatically reload when the file isn't named correctly? Since policy is tied to the kernel, what happens when I have more than one kernel installed, and I boot an older one from grub?

19 years, 3 months

2
1
0 / 0

.te and .fc files for postfix and fedora

by Diego Woitasen

Somebody have the policy files for postfix? I tried with Debian ones but fails in policy compilation. Where can i get these files? thanks!!! -- Diego Woitasen <diegows(a)xtech.com.ar> XTECH

19 years, 3 months

2
8
0 / 0

transition problems

by Oleg Museyko

Hello, Although innd.te is the usual example of policy, i still can't get it start right from the init-script. (Fedora Core 2, policy-sources-1.11.3-3). The problem is near the 'su', IMHO. Namely, when innd runs from script as su -s /bin/bash - news -c /etc/rc.news it obtains context user_u:user_r:user_t and no domain_auto_trans together with default_contexts tuning could resolve it, until i've added the new user: user news roles system_r; After that the context of innd became user_u:system_r:innd_t (not news:system_r:innd_t, as i hoped, but anyway...) Besides, the same problem in other place occured to be more persistent: regular cron job running nntpsend leads to the following (permissive mode): avc: denied { transition } for pid=24801 exe=/bin/su path=/bin/bash dev=sda1 ino=895926 scontext=system_u:system_r:system_crond_su_t tcontext=user_u:sysadm_r:sysadm_t tclass=process avc: denied { siginh } for pid=24801 exe=/bin/bash scontext=system_u:system_r:system_crond_su_t tcontext=user_u:sysadm_r:sysadm_t tclass=process (same for 'rlimitinh' and 'noatsecure'). This caused by su - news -c "unset LANG; unset LC_COLLATE; /usr/lib/news/bin/nntpsend" I've tried to force the domain_auto_trans to initrc_t etc, also added corresponding records to default_contexts system_r:system_crond_su_t system_r:initrc_t but without any effect! (And no conflicts with other policy rules, as far as i could see). I'm eager to get any help on this, please. Also, i'd like to ask the reason of why some file type transitions doesn't work on sockets. E.g., when winbindd (runs in smbd_t) creates the socket in the directory of samba_var_t type and clients try to use it, the log file are full of deny { connectto } unix_stream_socket with smbd_t in tcontext. At the same time the /path/to/socket/file has correct samba_var_t type. The situation doesn't change if i write file_type_auto_trans(smbd_t, samba_var_t, samba_var_t, sock_file) The unix domain socket still has smbd_t, not samba_var_t, when someone tries to 'connectto'. Same situation with some other sockets of different domains. Is it the possible to change this behavior, or unix domain socket always has the type of creating process ? -- Best regards, Oleg

19 years, 3 months

2
2
0 / 0

firefox and timidity...

by Tom London

Running strict/enforcing, latest Rawhide. If i click on, say, a pdf URL in firefox, I get the following AVC: Dec 28 08:11:05 fedora kernel: audit(1104250265.322:0): avc: denied { getattr } for pid=3067 exe=/usr/lib/firefox-1.0/firefox-bin path=/usr/bin/timidity dev=hda2 ino=427077 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:timidity_exec_t tclass=file implying that user_mozilla needs allow user_mozilla_t timidity_exec_t:file getattr; If I set permissive mode, I get the same (and only) AVC. Since it doesn't seem to affect anything, my inclination would be to dontaudit user_mozilla_t timidity_exec_t:file getattr; Would this break firefox sounds? Something else? tom -- Tom London

19 years, 3 months

1
0
0 / 0

xfs file system w/ selinux?

by Justin Conover

Is there any downside to running xfs with selinux? I'm just testing(playing) with test2 and I was thinking of using lvm/xfs/selinux. Choosing xfs because it is a good fs and easier to grow online than ext3. Plus I'm just testing :)

19 years, 3 months

5
5
0 / 0

ldconfig and var?

by Tom London

Running strict/enforcing, latest Rawhide. Actually during today's 'yum update': Running Transaction Installing: kernel 100 % done 1/39 /bin/bash: /root/.bashrc: Permission denied Updating: guile 100 % done 2/39 /sbin/ldconfig: relative path `2' used to build cache error: %post(guile-1.6.4-16.i386) scriptlet failed, exit status 1 Updating: inews 100 % done 3/39 Log shows the following AVC: Dec 23 07:34:52 fedora kernel: audit(1103816092.011:0): avc: denied { search } for pid=8079 exe=/sbin/ldconfig name=var dev=hda2 ino=4456449 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_t tclass=dir ldconfig.te has: ifdef(`distro_suse', ` # because of libraries in /var/lib/samba/bin allow ldconfig_t { var_t var_lib_t }:dir search; ') For fedora too? guile rpm broken? tom -- Tom London

19 years, 3 months

2
2
0 / 0

initrc, md0, mapper

by Tom London

Running strict/enforcing, latest rawhide (selinux-policy-strict-1.19.10-1) Booting produces following avc: Dec 3 08:23:45 fedora kernel: audit(1102090997.316:0): avc: denied { create } for pid=1348 exe=/sbin/nash name=md0 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=blk_file Dec 3 08:23:45 fedora kernel: device-mapper: 4.1.0-ioctl (2003-12-10) initialised: dm(a)uk.sistina.com Dec 3 08:23:45 fedora kernel: audit(1102090997.383:0): avc: denied { create } for pid=1354 exe=/sbin/nash name=mapper scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=dir Does initrc get create perms for this? tom -- Tom London

19 years, 3 months

2
2
0 / 0

initrc/ptal ...

by Tom London

Running strict/enforcing off of latest Rawhide: initrc runs hpoj which runs /usr/sbin/ptal-init which produces the following avc's. [I tried changing the type of /usr/sbin/ptal-init to ptal_exec_t, but that didn't work ;-( ] tom Dec 2 06:45:39 fedora kernel: audit(1101998713.227:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series dev=hda2 ino=38214 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__1 dev=hda2 ino=38215 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__2 dev=hda2 ino=38216 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__3 dev=hda2 ino=38217 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__4 dev=hda2 ino=38218 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__5 dev=hda2 ino=38219 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__6 dev=hda2 ino=38220 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file Dec 2 06:45:39 fedora kernel: audit(1101998713.229:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__7 dev=hda2 ino=38221 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file Dec 2 06:45:39 fedora kernel: audit(1101998713.229:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__8 dev=hda2 ino=38222 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file Dec 2 06:45:39 fedora kernel: audit(1101998713.229:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__9 dev=hda2 ino=38223 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file Dec 2 06:45:39 fedora kernel: audit(1101998739.288:0): avc: denied { rmdir } for pid=1980 exe=/bin/rm name=ptal-mlcd dev=hda2 ino=38157 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=dir -- Tom London

19 years, 3 months

2
2
0 / 0

Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail...

by Valdis.Kletnieks＠vt.edu

Running Fedora Core Rawhide as of the other night, so fairly recent. Using 'strict/permissive' at the moment... So I set up 'smartd' to monitor the hard drive in my laptop - I *know* there's one bad spot of about 10 blocks long on it, and want to be told if it decides to start getting bigger. And sure enough, at boot it tries to e-mail me and tell me there's bad blocks. Unfortunately, it seems to invoke 'sh -c mail' or something like that, so even the ugly hack of adding an exec_auto_trans(sendmail_t) doesn't look like it will help. Any good ideas on how to deal with this one? (And I have *NO* idea why it pops the first 5-6 while trying to find resolv.conf) Is it trying to open port 25 to send the mail, and if there's no sendmail running, it invokes 'sh -c mail'? If so, the solution (or part of it) would simply be to have smartd start after sendmail does..... Oddly curious - the failed read for pipe:[9756] - both ends appear to be fsdaemon_t ;) The messages (almost 70 of them): Dec 3 11:07:42 turing-police kernel: audit(1102089972.656:0): avc: denied { search } for pid=17328 exe=/usr/sbin/smartd name=/ dev=tmpfs ino=3131 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir Dec 3 11:07:42 turing-police kernel: audit(1102089972.697:0): avc: denied { write } for pid=17328 exe=/usr/sbin/smartd name=log dev=tmpfs ino=9084 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file Dec 3 11:07:42 turing-police kernel: audit(1102089974.784:0): avc: denied { read } for pid=17328 exe=/usr/sbin/smartd name=resolv.conf dev=dm-5 ino=24648 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:net_conf_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089974.784:0): avc: denied { getattr } for pid=17328 exe=/usr/sbin/smartd path=/etc/resolv.conf dev=dm-5 ino=24648 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:net_conf_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089974.839:0): avc: denied { create } for pid=17328 exe=/usr/sbin/smartd scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=unix_stream_socket Dec 3 11:07:42 turing-police kernel: audit(1102089974.839:0): avc: denied { connect } for pid=17328 exe=/usr/sbin/smartd scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=unix_stream_socket Dec 3 11:07:42 turing-police kernel: audit(1102089974.947:0): avc: denied { search } for pid=8202 exe=/usr/sbin/smartd name=bin dev=dm-5 ino=26670 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=dir Dec 3 11:07:42 turing-police kernel: audit(1102089974.947:0): avc: denied { read } for pid=8202 exe=/usr/sbin/smartd name=sh dev=dm-5 ino=57489 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=lnk_file Dec 3 11:07:42 turing-police kernel: audit(1102089975.002:0): avc: denied { execute } for pid=8202 exe=/usr/sbin/smartd name=bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.002:0): avc: denied { execute_no_trans } for pid=8202 exe=/usr/sbin/smartd path=/bin/bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.058:0): avc: denied { read } for pid=8202 exe=/usr/sbin/smartd path=/bin/bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.089:0): avc: denied { read } for pid=8202 exe=/bin/bash name=meminfo dev=proc ino=-268435454 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:proc_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.089:0): avc: denied { getattr } for pid=8202 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:proc_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.149:0): avc: denied { search } for pid=8202 exe=/bin/bash name=sbin dev=dm-5 ino=47195 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:sbin_t tclass=dir Dec 3 11:07:42 turing-police kernel: audit(1102089975.149:0): avc: denied { getattr } for pid=8202 exe=/bin/bash path=/bin/bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.213:0): avc: denied { getattr } for pid=17328 exe=/usr/sbin/smartd path=pipe:[9756] dev=pipefs ino=9756 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=fifo_file Dec 3 11:07:42 turing-police kernel: audit(1102089975.213:0): avc: denied { read } for pid=17328 exe=/usr/sbin/smartd path=pipe:[9756] dev=pipefs ino=9756 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=fifo_file Dec 3 11:07:42 turing-police kernel: audit(1102089975.280:0): avc: denied { getattr } for pid=8202 exe=/bin/bash path=/bin/mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.280:0): avc: denied { execute } for pid=8202 exe=/bin/bash name=mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.346:0): avc: denied { getattr } for pid=7644 exe=/bin/bash path=/tmp dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:42 turing-police kernel: audit(1102089975.346:0): avc: denied { search } for pid=7644 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:42 turing-police kernel: audit(1102089975.415:0): avc: denied { write } for pid=7644 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089975.449:0): avc: denied { add_name } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089975.449:0): avc: denied { create } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.517:0): avc: denied { write } for pid=7644 exe=/bin/bash path=/tmp/sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.567:0): avc: denied { read } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.610:0): avc: denied { remove_name } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089975.610:0): avc: denied { unlink } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.679:0): avc: denied { execute_no_trans } for pid=7644 exe=/bin/bash path=/bin/mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.679:0): avc: denied { read } for pid=7644 exe=/bin/bash path=/bin/mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.783:0): avc: denied { setgid } for pid=7644 exe=/bin/mail capability=6 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=capability Dec 3 11:07:43 turing-police kernel: audit(1102089975.831:0): avc: denied { ioctl } for pid=7644 exe=/bin/mail path=/tmp/sh-thd-1102109337 (deleted) dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.866:0): avc: denied { ioctl } for pid=7644 exe=/bin/mail path=pipe:[9756] dev=pipefs ino=9756 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=fifo_file Dec 3 11:07:43 turing-police kernel: audit(1102089975.901:0): avc: denied { getattr } for pid=7644 exe=/bin/mail path=/tmp/Rsx6eaR5 dev=dm-10 ino=6151 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089976.007:0): avc: denied { execute } for pid=13925 exe=/bin/mail name=sendmail dev=dm-1 ino=41557 scontext=system_u:system_r:fsdaemon_t tcontext=root:object_r:sbin_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089976.007:0): avc: denied { execute_no_trans } for pid=13925 exe=/bin/mail path=/usr/sbin/sendmail dev=dm-1 ino=41557 scontext=system_u:system_r:fsdaemon_t tcontext=root:object_r:sbin_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089976.091:0): avc: denied { read } for pid=13925 exe=/bin/mail path=/usr/sbin/sendmail dev=dm-1 ino=41557 scontext=system_u:system_r:fsdaemon_t tcontext=root:object_r:sbin_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089976.683:0): avc: denied { create } for pid=13925 exe=/usr/sbin/sendmail scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=tcp_socket Dec 3 11:07:43 turing-police kernel: audit(1102089976.813:0): avc: denied { search } for pid=13925 exe=/usr/sbin/sendmail name=mail dev=dm-5 ino=43015 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089976.865:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/etc/mail/submit.cf dev=dm-5 ino=43033 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089976.865:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/etc/mail dev=dm-5 ino=43015 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089976.947:0): avc: denied { read } for pid=13925 exe=/usr/sbin/sendmail name=submit.cf dev=dm-5 ino=43033 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089977.097:0): avc: denied { setuid } for pid=13925 exe=/usr/sbin/sendmail capability=7 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=capability Dec 3 11:07:43 turing-police kernel: audit(1102089977.174:0): avc: denied { search } for pid=13925 exe=/usr/sbin/sendmail name=spool dev=dm-3 ino=34821 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:var_spool_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089977.218:0): avc: denied { search } for pid=13925 exe=/usr/sbin/sendmail name=clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089977.218:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089977.371:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool dev=dm-3 ino=34821 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:var_spool_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089977.466:0): avc: denied { write } for pid=13925 exe=/usr/sbin/sendmail name=clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089977.509:0): avc: denied { add_name } for pid=13925 exe=/usr/sbin/sendmail name=dfiB3G6HJS013925 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089977.509:0): avc: denied { create } for pid=13925 exe=/usr/sbin/sendmail name=dfiB3G6HJS013925 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089977.580:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue/dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089977.580:0): avc: denied { lock } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue/dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089977.678:0): avc: denied { write } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue/dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089977.771:0): avc: denied { read } for pid=13925 exe=/usr/sbin/sendmail name=dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089977.809:0): avc: denied { connect } for pid=13925 exe=/usr/sbin/sendmail scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=tcp_socket Dec 3 11:07:43 turing-police kernel: audit(1102089977.809:0): avc: denied { tcp_send } for pid=13925 exe=/usr/sbin/sendmail saddr=127.0.0.1 src=51192 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:netif_lo_t tclass=netif Dec 3 11:07:43 turing-police kernel: audit(1102089977.879:0): avc: denied { tcp_send } for pid=13925 exe=/usr/sbin/sendmail saddr=127.0.0.1 src=51192 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:node_lo_t tclass=node Dec 3 11:07:43 turing-police kernel: audit(1102089977.879:0): avc: denied { send_msg } for pid=13925 exe=/usr/sbin/sendmail saddr=127.0.0.1 src=51192 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket Dec 3 11:07:43 turing-police kernel: audit(1102089977.948:0): avc: denied { tcp_recv } for pid=3 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=51192 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:netif_lo_t tclass=netif Dec 3 11:07:43 turing-police kernel: audit(1102089977.948:0): avc: denied { tcp_recv } for pid=3 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=51192 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:node_lo_t tclass=node Dec 3 11:07:43 turing-police kernel: audit(1102089977.948:0): avc: denied { recv_msg } for pid=3 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=51192 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket Dec 3 11:07:43 turing-police kernel: audit(1102089978.263:0): avc: denied { remove_name } for pid=13925 exe=/usr/sbin/sendmail name=tfiB3G6HJS013925 dev=dm-3 ino=55327 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089978.263:0): avc: denied { rename } for pid=13925 exe=/usr/sbin/sendmail name=tfiB3G6HJS013925 dev=dm-3 ino=55327 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089978.263:0): avc: denied { unlink } for pid=13925 exe=/usr/sbin/sendmail name=qfiB3G6HJS013925 dev=dm-3 ino=55326 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089978.366:0): avc: denied { read } for pid=13925 exe=/usr/sbin/sendmail name=clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089978.595:0): avc: denied { getattr } for pid=10722 exe=/bin/bash path=/tmp dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089978.633:0): avc: denied { search } for pid=10722 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089978.633:0): avc: denied { write } for pid=10722 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:44 turing-police kernel: audit(1102089978.701:0): avc: denied { add_name } for pid=10722 exe=/bin/bash name=sh-thd-1102111169 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:44 turing-police kernel: audit(1102089978.701:0): avc: denied { remove_name } for pid=10722 exe=/bin/bash name=sh-thd-1102111169 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:36:19 turing-police kernel: audit(1102091779.951:0): avc: denied { search } for pid=16629 exe=/usr/sbin/smartd name=/ dev=tmpfs ino=3131 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir Dec 3 11:36:20 turing-police kernel: audit(1102091780.816:0): avc: denied { write } for pid=16629 exe=/usr/sbin/smartd name=log dev=tmpfs ino=9084 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file

19 years, 3 months

4
5
0 / 0

adds for latest policy...cups.te, udev.te?

by Tom London

Running strict/enforcing, latest rawhide. Rebooting after updating to latest policy (selinux-policy-strict-1.19.15-7), noticed the following AVCs: Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket and Dec 24 11:50:52 fedora kernel: audit(1103917852.996:0): avc: denied { connect } for pid=3070 exe=/usr/bin/lpoptions scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket Adding the following seems to fix it: allow cupsd_config_t self:tcp_socket connect; Also: Dec 24 11:47:51 fedora kernel: IPv6 over IPv4 tunneling driver Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir Dec 24 11:47:51 fedora kernel: audit(1103888840.736:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir Dec 24 11:47:51 fedora kernel: audit(1103888840.737:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir Dec 24 11:47:51 fedora last message repeated 3 times Dec 24 11:47:51 fedora kernel: audit(1103888840.738:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir Dec 24 11:47:51 fedora last message repeated 4 times Dec 24 11:47:51 fedora kernel: ACPI: Power Button (FF) [PWRF] The following change seems to fix: allow udev_t mnt_t:dir search; to allow udev_t mnt_t:dir r_dir_perms; But I'm not sure why pam_console_apply wants to read /mnt. Should this be a dontaudit? tom -- Tom London

19 years, 3 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux December 2004