new kernel, new policy installed as .rpmnew
by Chuck Anderson
I just yum updated, and got the latest testing kernel and policy
files:
Install: kernel.i686 0:2.6.9-1.715_FC3
Install: kernel-smp.i686 0:2.6.9-1.715_FC3
[...]
Update: selinux-policy-targeted.noarch 0:1.17.30-2.58
Update: selinux-policy-targeted-sources.noarch 0:1.17.30-2.58
[...]
Installing: kernel-smp 100 % done 1/160
warning: /etc/selinux/targeted/contexts/files/file_contexts created as /etc/selinux/targeted/contexts/files/file_contexts.rpmnew
warning: /etc/selinux/targeted/policy/policy.18 created as /etc/selinux/targeted/policy/policy.18.rpmnew
Updating: selinux-policy-targeted 100 % done 2/160
The FAQ says that the policy reloads automatically, and that a manual
relabel may be necessary. It doesn't say anything about fixing the
filenames that were named .rpmnew. How can the policy automatically
reload when the file isn't named correctly?
Since policy is tied to the kernel, what happens when I have more than
one kernel installed, and I boot an older one from grub?
19 years, 3 months
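As an added example (not part of Chuck Anderson's post, and not code from the Fedora policy package): a check that finds the `.rpmnew` files rpm left behind and reports which `file_contexts` entries the new policy adds, removes or relabels, since that is what decides whether a relabel is needed. It assumes the `/etc/selinux/<policy>/contexts/files/file_contexts` layout shown in the warnings above; the sample entries and type names in it are constructed for the demo. The compiled `policy.18.rpmnew` is binary and is only flagged, not compared; the script neither installs the new files nor loads policy.

```python
import os
import shutil
import tempfile

# Constructed sample file_contexts content (not a real Fedora policy file).
# Format per line: <path regex> [<file type flag>] <security context>
OLD_FILE_CONTEXTS = """\
/usr/sbin/smartd            --  system_u:object_r:fsdaemon_exec_t
/var/run/ptal-mlcd(/.*)?        system_u:object_r:ptal_var_run_t
/usr/bin/timidity           --  system_u:object_r:bin_t
"""
NEW_FILE_CONTEXTS = """\
# comment lines and blank lines are ignored
/usr/sbin/smartd            --  system_u:object_r:fsdaemon_exec_t
/var/run/ptal-mlcd(/.*)?        system_u:object_r:ptal_var_run_t
/usr/bin/timidity           --  system_u:object_r:timidity_exec_t
/usr/sbin/hal_lpadmin       --  system_u:object_r:cupsd_config_exec_t
"""


def find_rpmnew(root):
    """Return sorted (installed_path, rpmnew_path) pairs for every *.rpmnew under root."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".rpmnew"):
                new = os.path.join(dirpath, name)
                pairs.append((new[: -len(".rpmnew")], new))
    return sorted(pairs)


def parse_file_contexts(text):
    """Map (path regex, file type flag or None) -> context, skipping comments and blanks."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 2:
            regex, ftype, ctx = parts[0], None, parts[1]
        elif len(parts) == 3:
            regex, ftype, ctx = parts
        else:
            continue  # malformed line; setfiles would reject it anyway
        entries[(regex, ftype)] = ctx
    return entries


def diff_file_contexts(old_text, new_text):
    """Report which labelling entries the .rpmnew adds, drops or relabels."""
    old = parse_file_contexts(old_text)
    new = parse_file_contexts(new_text)
    key = lambda k: (k[0], k[1] or "")  # None flag sorts before any string flag
    return {
        "added": sorted((k for k in new if k not in old), key=key),
        "removed": sorted((k for k in old if k not in new), key=key),
        "changed": sorted((k for k in old if k in new and old[k] != new[k]), key=key),
    }


def check_tree(root):
    """Diff every text .rpmnew under root against its installed counterpart."""
    results = {}
    for installed, new in find_rpmnew(root):
        if not os.path.exists(installed):
            continue
        rel = os.path.relpath(new, root)
        try:
            with open(installed) as a, open(new) as b:
                results[rel] = diff_file_contexts(a.read(), b.read())
        except UnicodeDecodeError:
            # the compiled policy (policy.18.rpmnew) is binary; flag it, do not compare
            results[rel] = None
    return results


def demo():
    """Run check_tree on a throwaway tree holding the constructed sample pair."""
    root = tempfile.mkdtemp()
    try:
        d = os.path.join(root, "targeted", "contexts", "files")
        os.makedirs(d)
        with open(os.path.join(d, "file_contexts"), "w") as f:
            f.write(OLD_FILE_CONTEXTS)
        with open(os.path.join(d, "file_contexts.rpmnew"), "w") as f:
            f.write(NEW_FILE_CONTEXTS)
        return check_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    live = os.path.isdir("/etc/selinux")
    for path, d in (check_tree("/etc/selinux") if live else demo()).items():
        print(path, "(binary policy, not compared)" if d is None else d)
```

Run on a real box it walks `/etc/selinux`; elsewhere it runs the constructed demo. A non-empty `changed` or `added` list under `contexts/files` is the signal that the paths it names will need relabelling once the new `file_contexts` is put in place.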
.te and .fc files for postfix and fedora
by Diego Woitasen
Does somebody have the policy files for postfix? I tried with the Debian ones, but
policy compilation fails.
Where can I get these files?
Thanks!!!
--
Diego Woitasen <diegows(a)xtech.com.ar>
XTECH
19 years, 3 months
transition problems
by Oleg Museyko
Hello,
Although innd.te is the usual example of policy, I still can't
get it to start right from the init-script. (Fedora Core 2,
policy-sources-1.11.3-3).
The problem is near the 'su', IMHO. Namely, when innd runs from
script as
su -s /bin/bash - news -c /etc/rc.news
it obtains context user_u:user_r:user_t, and no
domain_auto_trans together with default_contexts tuning
could resolve it, until I added the new user:
user news roles system_r;
After that the context of innd became user_u:system_r:innd_t
(not news:system_r:innd_t, as i hoped, but anyway...)
Besides, the same problem in another place turned out to be more
persistent: a regular cron job running nntpsend leads to the
following (permissive mode):
avc: denied { transition } for pid=24801 exe=/bin/su path=/bin/bash
dev=sda1 ino=895926 scontext=system_u:system_r:system_crond_su_t
tcontext=user_u:sysadm_r:sysadm_t tclass=process
avc: denied { siginh } for pid=24801 exe=/bin/bash
scontext=system_u:system_r:system_crond_su_t
tcontext=user_u:sysadm_r:sysadm_t tclass=process
(same for 'rlimitinh' and 'noatsecure').
This is caused by
su - news -c "unset LANG; unset LC_COLLATE; /usr/lib/news/bin/nntpsend"
I've tried to force the domain_auto_trans to initrc_t etc.,
and also added corresponding records to default_contexts
system_r:system_crond_su_t system_r:initrc_t
but without any effect! (And no conflicts with other policy
rules, as far as I could see).
I'm eager to get any help on this, please.
Also, I'd like to ask why some file type
transitions don't work on sockets. E.g., when
winbindd (runs in smbd_t) creates the socket in the
directory of samba_var_t type and clients try to use it,
the log file is full of deny { connectto } unix_stream_socket
with smbd_t in tcontext. At the same time the /path/to/socket/file
has the correct samba_var_t type. The situation doesn't
change if I write
file_type_auto_trans(smbd_t, samba_var_t, samba_var_t, sock_file)
The unix domain socket still has smbd_t, not samba_var_t, when
someone tries to 'connectto'. Same situation with some other sockets
of different domains. Is it possible to change this
behavior, or does a unix domain socket always have the type of
the creating process?
--
Best regards,
Oleg
19 years, 3 months
firefox and timidity...
by Tom London
Running strict/enforcing, latest Rawhide.
If I click on, say, a pdf URL in firefox, I get the following
AVC:
Dec 28 08:11:05 fedora kernel: audit(1104250265.322:0): avc: denied
{ getattr } for pid=3067 exe=/usr/lib/firefox-1.0/firefox-bin
path=/usr/bin/timidity dev=hda2 ino=427077
scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:timidity_exec_t tclass=file
implying that user_mozilla needs
allow user_mozilla_t timidity_exec_t:file getattr;
If I set permissive mode, I get the same (and only) AVC.
Since it doesn't seem to affect anything, my inclination
would be to
dontaudit user_mozilla_t timidity_exec_t:file getattr;
Would this break firefox sounds? Something else?
tom
--
Tom London
19 years, 3 months
xfs file system w/ selinux?
by Justin Conover
Is there any downside to running xfs with selinux?
I'm just testing (playing) with test2 and I was thinking of using
lvm/xfs/selinux. Choosing xfs because it is a good fs and easier to
grow online than ext3. Plus I'm just testing :)
19 years, 3 months
ldconfig and var?
by Tom London
Running strict/enforcing, latest Rawhide.
Actually during today's 'yum update':
Running Transaction
Installing: kernel 100 % done 1/39
/bin/bash: /root/.bashrc: Permission denied
Updating: guile 100 % done 2/39
/sbin/ldconfig: relative path `2' used to build cache
error: %post(guile-1.6.4-16.i386) scriptlet failed, exit status 1
Updating: inews 100 % done 3/39
Log shows the following AVC:
Dec 23 07:34:52 fedora kernel: audit(1103816092.011:0): avc: denied
{ search } for pid=8079 exe=/sbin/ldconfig name=var dev=hda2
ino=4456449 scontext=root:sysadm_r:ldconfig_t
tcontext=system_u:object_r:var_t tclass=dir
ldconfig.te has:
ifdef(`distro_suse', `
# because of libraries in /var/lib/samba/bin
allow ldconfig_t { var_t var_lib_t }:dir search;
')
For fedora too? guile rpm broken?
tom
--
Tom London
19 years, 3 months
initrc, md0, mapper
by Tom London
Running strict/enforcing, latest rawhide
(selinux-policy-strict-1.19.10-1)
Booting produces following avc:
Dec 3 08:23:45 fedora kernel: audit(1102090997.316:0): avc: denied
{ create } for pid=1348 exe=/sbin/nash name=md0
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:device_t tclass=blk_file
Dec 3 08:23:45 fedora kernel: device-mapper: 4.1.0-ioctl (2003-12-10) initialised:
dm(a)uk.sistina.com
Dec 3 08:23:45 fedora kernel: audit(1102090997.383:0): avc: denied
{ create } for pid=1354 exe=/sbin/nash name=mapper
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:device_t tclass=dir
Does initrc get create perms for this?
tom
--
Tom London
19 years, 3 months
initrc/ptal ...
by Tom London
Running strict/enforcing off of latest Rawhide:
initrc runs hpoj which runs /usr/sbin/ptal-init
which produces the following avc's.
[I tried changing the type of /usr/sbin/ptal-init
to ptal_exec_t, but that didn't work ;-( ]
tom
Dec 2 06:45:39 fedora kernel: audit(1101998713.227:0): avc: denied
{ unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series
dev=hda2 ino=38214 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied
{ unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__1
dev=hda2 ino=38215 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied
{ unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__2
dev=hda2 ino=38216 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied
{ unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__3
dev=hda2 ino=38217 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied
{ unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__4
dev=hda2 ino=38218 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied
{ unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__5
dev=hda2 ino=38219 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied
{ unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__6
dev=hda2 ino=38220 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.229:0): avc: denied
{ unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__7
dev=hda2 ino=38221 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.229:0): avc: denied
{ unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__8
dev=hda2 ino=38222 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.229:0): avc: denied
{ unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__9
dev=hda2 ino=38223 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998739.288:0): avc: denied
{ rmdir } for pid=1980 exe=/bin/rm name=ptal-mlcd dev=hda2 ino=38157
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ptal_var_run_t tclass=dir
--
Tom London
19 years, 3 months
Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail...
by Valdis.Kletnieks@vt.edu
Running Fedora Core Rawhide as of the other night, so fairly recent.
Using 'strict/permissive' at the moment...
So I set up 'smartd' to monitor the hard drive in my laptop - I *know* there's
one bad spot of about 10 blocks long on it, and want to be told if it decides
to start getting bigger. And sure enough, at boot it tries to e-mail me and
tell me there's bad blocks. Unfortunately, it seems to invoke 'sh -c mail' or
something like that, so even the ugly hack of adding an
exec_auto_trans(sendmail_t) doesn't look like it will help. Any good ideas on
how to deal with this one?
(And I have *NO* idea why it pops the first 5-6 while trying to find resolv.conf)
Is it trying to open port 25 to send the mail, and if there's no sendmail running,
it invokes 'sh -c mail'? If so, the solution (or part of it) would simply be to
have smartd start after sendmail does.....
Oddly curious - the failed read for pipe:[9756] - both ends appear to be fsdaemon_t ;)
The messages (almost 70 of them):
Dec 3 11:07:42 turing-police kernel: audit(1102089972.656:0): avc: denied { search } for pid=17328 exe=/usr/sbin/smartd name=/ dev=tmpfs ino=3131 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Dec 3 11:07:42 turing-police kernel: audit(1102089972.697:0): avc: denied { write } for pid=17328 exe=/usr/sbin/smartd name=log dev=tmpfs ino=9084 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file
Dec 3 11:07:42 turing-police kernel: audit(1102089974.784:0): avc: denied { read } for pid=17328 exe=/usr/sbin/smartd name=resolv.conf dev=dm-5 ino=24648 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:net_conf_t tclass=file
Dec 3 11:07:42 turing-police kernel: audit(1102089974.784:0): avc: denied { getattr } for pid=17328 exe=/usr/sbin/smartd path=/etc/resolv.conf dev=dm-5 ino=24648 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:net_conf_t tclass=file
Dec 3 11:07:42 turing-police kernel: audit(1102089974.839:0): avc: denied { create } for pid=17328 exe=/usr/sbin/smartd scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=unix_stream_socket
Dec 3 11:07:42 turing-police kernel: audit(1102089974.839:0): avc: denied { connect } for pid=17328 exe=/usr/sbin/smartd scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=unix_stream_socket
Dec 3 11:07:42 turing-police kernel: audit(1102089974.947:0): avc: denied { search } for pid=8202 exe=/usr/sbin/smartd name=bin dev=dm-5 ino=26670 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=dir
Dec 3 11:07:42 turing-police kernel: audit(1102089974.947:0): avc: denied { read } for pid=8202 exe=/usr/sbin/smartd name=sh dev=dm-5 ino=57489 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Dec 3 11:07:42 turing-police kernel: audit(1102089975.002:0): avc: denied { execute } for pid=8202 exe=/usr/sbin/smartd name=bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 3 11:07:42 turing-police kernel: audit(1102089975.002:0): avc: denied { execute_no_trans } for pid=8202 exe=/usr/sbin/smartd path=/bin/bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 3 11:07:42 turing-police kernel: audit(1102089975.058:0): avc: denied { read } for pid=8202 exe=/usr/sbin/smartd path=/bin/bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 3 11:07:42 turing-police kernel: audit(1102089975.089:0): avc: denied { read } for pid=8202 exe=/bin/bash name=meminfo dev=proc ino=-268435454 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:proc_t tclass=file
Dec 3 11:07:42 turing-police kernel: audit(1102089975.089:0): avc: denied { getattr } for pid=8202 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:proc_t tclass=file
Dec 3 11:07:42 turing-police kernel: audit(1102089975.149:0): avc: denied { search } for pid=8202 exe=/bin/bash name=sbin dev=dm-5 ino=47195 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:sbin_t tclass=dir
Dec 3 11:07:42 turing-police kernel: audit(1102089975.149:0): avc: denied { getattr } for pid=8202 exe=/bin/bash path=/bin/bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 3 11:07:42 turing-police kernel: audit(1102089975.213:0): avc: denied { getattr } for pid=17328 exe=/usr/sbin/smartd path=pipe:[9756] dev=pipefs ino=9756 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=fifo_file
Dec 3 11:07:42 turing-police kernel: audit(1102089975.213:0): avc: denied { read } for pid=17328 exe=/usr/sbin/smartd path=pipe:[9756] dev=pipefs ino=9756 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=fifo_file
Dec 3 11:07:42 turing-police kernel: audit(1102089975.280:0): avc: denied { getattr } for pid=8202 exe=/bin/bash path=/bin/mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file
Dec 3 11:07:42 turing-police kernel: audit(1102089975.280:0): avc: denied { execute } for pid=8202 exe=/bin/bash name=mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file
Dec 3 11:07:42 turing-police kernel: audit(1102089975.346:0): avc: denied { getattr } for pid=7644 exe=/bin/bash path=/tmp dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:42 turing-police kernel: audit(1102089975.346:0): avc: denied { search } for pid=7644 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:42 turing-police kernel: audit(1102089975.415:0): avc: denied { write } for pid=7644 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089975.449:0): avc: denied { add_name } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089975.449:0): avc: denied { create } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089975.517:0): avc: denied { write } for pid=7644 exe=/bin/bash path=/tmp/sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089975.567:0): avc: denied { read } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089975.610:0): avc: denied { remove_name } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089975.610:0): avc: denied { unlink } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089975.679:0): avc: denied { execute_no_trans } for pid=7644 exe=/bin/bash path=/bin/mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089975.679:0): avc: denied { read } for pid=7644 exe=/bin/bash path=/bin/mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089975.783:0): avc: denied { setgid } for pid=7644 exe=/bin/mail capability=6 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=capability
Dec 3 11:07:43 turing-police kernel: audit(1102089975.831:0): avc: denied { ioctl } for pid=7644 exe=/bin/mail path=/tmp/sh-thd-1102109337 (deleted) dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089975.866:0): avc: denied { ioctl } for pid=7644 exe=/bin/mail path=pipe:[9756] dev=pipefs ino=9756 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=fifo_file
Dec 3 11:07:43 turing-police kernel: audit(1102089975.901:0): avc: denied { getattr } for pid=7644 exe=/bin/mail path=/tmp/Rsx6eaR5 dev=dm-10 ino=6151 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089976.007:0): avc: denied { execute } for pid=13925 exe=/bin/mail name=sendmail dev=dm-1 ino=41557 scontext=system_u:system_r:fsdaemon_t tcontext=root:object_r:sbin_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089976.007:0): avc: denied { execute_no_trans } for pid=13925 exe=/bin/mail path=/usr/sbin/sendmail dev=dm-1 ino=41557 scontext=system_u:system_r:fsdaemon_t tcontext=root:object_r:sbin_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089976.091:0): avc: denied { read } for pid=13925 exe=/bin/mail path=/usr/sbin/sendmail dev=dm-1 ino=41557 scontext=system_u:system_r:fsdaemon_t tcontext=root:object_r:sbin_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089976.683:0): avc: denied { create } for pid=13925 exe=/usr/sbin/sendmail scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=tcp_socket
Dec 3 11:07:43 turing-police kernel: audit(1102089976.813:0): avc: denied { search } for pid=13925 exe=/usr/sbin/sendmail name=mail dev=dm-5 ino=43015 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089976.865:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/etc/mail/submit.cf dev=dm-5 ino=43033 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089976.865:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/etc/mail dev=dm-5 ino=43015 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089976.947:0): avc: denied { read } for pid=13925 exe=/usr/sbin/sendmail name=submit.cf dev=dm-5 ino=43033 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.097:0): avc: denied { setuid } for pid=13925 exe=/usr/sbin/sendmail capability=7 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=capability
Dec 3 11:07:43 turing-police kernel: audit(1102089977.174:0): avc: denied { search } for pid=13925 exe=/usr/sbin/sendmail name=spool dev=dm-3 ino=34821 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:var_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.218:0): avc: denied { search } for pid=13925 exe=/usr/sbin/sendmail name=clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.218:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.371:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool dev=dm-3 ino=34821 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:var_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.466:0): avc: denied { write } for pid=13925 exe=/usr/sbin/sendmail name=clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.509:0): avc: denied { add_name } for pid=13925 exe=/usr/sbin/sendmail name=dfiB3G6HJS013925 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.509:0): avc: denied { create } for pid=13925 exe=/usr/sbin/sendmail name=dfiB3G6HJS013925 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.580:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue/dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.580:0): avc: denied { lock } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue/dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.678:0): avc: denied { write } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue/dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.771:0): avc: denied { read } for pid=13925 exe=/usr/sbin/sendmail name=dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.809:0): avc: denied { connect } for pid=13925 exe=/usr/sbin/sendmail scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=tcp_socket
Dec 3 11:07:43 turing-police kernel: audit(1102089977.809:0): avc: denied { tcp_send } for pid=13925 exe=/usr/sbin/sendmail saddr=127.0.0.1 src=51192 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Dec 3 11:07:43 turing-police kernel: audit(1102089977.879:0): avc: denied { tcp_send } for pid=13925 exe=/usr/sbin/sendmail saddr=127.0.0.1 src=51192 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:node_lo_t tclass=node
Dec 3 11:07:43 turing-police kernel: audit(1102089977.879:0): avc: denied { send_msg } for pid=13925 exe=/usr/sbin/sendmail saddr=127.0.0.1 src=51192 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
Dec 3 11:07:43 turing-police kernel: audit(1102089977.948:0): avc: denied { tcp_recv } for pid=3 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=51192 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Dec 3 11:07:43 turing-police kernel: audit(1102089977.948:0): avc: denied { tcp_recv } for pid=3 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=51192 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:node_lo_t tclass=node
Dec 3 11:07:43 turing-police kernel: audit(1102089977.948:0): avc: denied { recv_msg } for pid=3 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=51192 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
Dec 3 11:07:43 turing-police kernel: audit(1102089978.263:0): avc: denied { remove_name } for pid=13925 exe=/usr/sbin/sendmail name=tfiB3G6HJS013925 dev=dm-3 ino=55327 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089978.263:0): avc: denied { rename } for pid=13925 exe=/usr/sbin/sendmail name=tfiB3G6HJS013925 dev=dm-3 ino=55327 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089978.263:0): avc: denied { unlink } for pid=13925 exe=/usr/sbin/sendmail name=qfiB3G6HJS013925 dev=dm-3 ino=55326 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089978.366:0): avc: denied { read } for pid=13925 exe=/usr/sbin/sendmail name=clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089978.595:0): avc: denied { getattr } for pid=10722 exe=/bin/bash path=/tmp dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089978.633:0): avc: denied { search } for pid=10722 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089978.633:0): avc: denied { write } for pid=10722 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:44 turing-police kernel: audit(1102089978.701:0): avc: denied { add_name } for pid=10722 exe=/bin/bash name=sh-thd-1102111169 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:44 turing-police kernel: audit(1102089978.701:0): avc: denied { remove_name } for pid=10722 exe=/bin/bash name=sh-thd-1102111169 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:36:19 turing-police kernel: audit(1102091779.951:0): avc: denied { search } for pid=16629 exe=/usr/sbin/smartd name=/ dev=tmpfs ino=3131 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Dec 3 11:36:20 turing-police kernel: audit(1102091780.816:0): avc: denied { write } for pid=16629 exe=/usr/sbin/smartd name=log dev=tmpfs ino=9084 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file
19 years, 3 months
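The smartd thread above, like the cron/su and firefox threads, is a pile of raw AVC denials that someone has to turn into policy. As an added example (not part of Valdis Kletnieks's post and not the list's or Fedora's audit2allow), here is a small parser that collapses denials into one allow rule per (source type, target type, class) and then flags the cases where "just allow it" is the wrong answer: `execute_no_trans` on a helper's executable (the daemon would run the shell or mailer in its own domain instead of transitioning), `siginh`/`rlimitinh`/`noatsecure`/`transition` denials on `process` (a transition was attempted but not permitted), and capability grants. It assumes the 2.6.9-era kernel-log format quoted in this thread; the sample lines are copied from or modelled on denials on this page and are labelled as such.

```python
import re
from collections import defaultdict

# Kernel-log AVC format of the 2.6.9-era messages quoted in these threads:
#   audit(<secs>.<ms>:<serial>): avc: denied { perm ... } for pid=... key=value ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: lines copied from or modelled on the denials quoted above,
# trimmed to the audit(...) part. The last line is deliberately not an AVC.
SAMPLE_AVCS = [
    "audit(1102089975.002:0): avc: denied { execute } for pid=8202 exe=/usr/sbin/smartd "
    "name=bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t "
    "tcontext=system_u:object_r:shell_exec_t tclass=file",
    "audit(1102089975.002:0): avc: denied { execute_no_trans } for pid=8202 "
    "exe=/usr/sbin/smartd path=/bin/bash dev=dm-5 ino=26747 "
    "scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file",
    "audit(1102089975.058:0): avc: denied { read } for pid=8202 exe=/usr/sbin/smartd "
    "path=/bin/bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t "
    "tcontext=system_u:object_r:shell_exec_t tclass=file",
    "audit(1102089975.783:0): avc: denied { setgid } for pid=7644 exe=/bin/mail capability=6 "
    "scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=capability",
    "audit(1103917703.356:0): avc: denied { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin "
    "scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t "
    "tclass=tcp_socket",
    "audit(1102089975.089:0): avc: denied { siginh } for pid=24801 exe=/bin/bash "
    "scontext=system_u:system_r:system_crond_su_t tcontext=user_u:sysadm_r:sysadm_t tclass=process",
    "Dec 3 11:07:42 turing-police kernel: some unrelated line",
]


def parse_avc(line):
    """Return {perms, stype, ttype, tclass} for one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group("perms").split()),
        # a context is user:role:type; the type is what an allow rule names
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def aggregate(lines):
    """Collapse denials into one permission set per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def format_rules(rules):
    """Render each aggregated entry as an allow rule in .te syntax ('self' when types match)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


def review(rules):
    """Flag aggregated entries that should not simply be allowed as written."""
    warnings = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if tclass == "file" and "execute_no_trans" in perms:
            warnings.append(f"{stype} executes {ttype} in its own domain (execute_no_trans); "
                            "a domain transition for the helper is the usual fix")
        if tclass == "process" and perms & {"siginh", "rlimitinh", "noatsecure", "transition"}:
            warnings.append(f"{stype} -> {ttype}: process {sorted(perms)} means a domain transition "
                            "was attempted but not permitted; check domain_auto_trans and role allow")
        if tclass == "capability":
            warnings.append(f"{stype} wants capability {sorted(perms)}; confirm the daemon needs it")
    return warnings


if __name__ == "__main__":
    agg = aggregate(SAMPLE_AVCS)
    print("\n".join(format_rules(agg)))
    print("\n".join("WARNING: " + w for w in review(agg)))
```

Feed it the real log (`aggregate(open("/var/log/messages"))`) and read the warnings before the rules: in the smartd case the honest output is not seventy allow rules for `fsdaemon_t` but the one `execute_no_trans` warning, which says the shell and `mail` should run in a domain of their own.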
adds for latest policy...cups.te, udev.te?
by Tom London
Running strict/enforcing, latest rawhide.
Rebooting after updating to latest policy
(selinux-policy-strict-1.19.15-7), noticed the
following AVCs:
Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied
{ connect } for pid=2679 exe=/usr/sbin/hal_lpadmin
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
and
Dec 24 11:50:52 fedora kernel: audit(1103917852.996:0): avc: denied
{ connect } for pid=3070 exe=/usr/bin/lpoptions
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
Adding the following seems to fix it:
allow cupsd_config_t self:tcp_socket connect;
Also:
Dec 24 11:47:51 fedora kernel: IPv6 over IPv4 tunneling driver
Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied
{ read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2
ino=1114113 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: audit(1103888840.736:0): avc: denied
{ read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2
ino=1114113 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: audit(1103888840.737:0): avc: denied
{ read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2
ino=1114113 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 3 times
Dec 24 11:47:51 fedora kernel: audit(1103888840.738:0): avc: denied
{ read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2
ino=1114113 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 4 times
Dec 24 11:47:51 fedora kernel: ACPI: Power Button (FF) [PWRF]
Changing
allow udev_t mnt_t:dir search;
to
allow udev_t mnt_t:dir r_dir_perms;
seems to fix it.
But I'm not sure why pam_console_apply wants
to read /mnt. Should this be a dontaudit?
tom
--
Tom London
19 years, 3 months