March 2004 - selinux - Fedora Mailing-Lists

by Aleksey Nogin

This is from the slocate's updatedb cron job, if I am not mistaken. audit(1079205055.953:0): avc: denied { getattr } for pid=4254 exe=/usr/bin/slocate path=/dev/cfs0 dev=hda2 ino=2681888 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:device_t tclass=chr_file audit(1079205058.981:0): avc: denied { getattr } for pid=4254 exe=/usr/bin/slocate path=/dev/scramdisk/master dev=hda2 ino=3581551 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:device_t tclass=blk_file audit(1079205059.464:0): avc: denied { getattr } for pid=4254 exe=/usr/bin/slocate path=/var/lib/rpc_pipes dev= ino=5855 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir audit(1079205061.343:0): avc: denied { read } for pid=4254 exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir audit(1079205061.343:0): avc: denied { search } for pid=4254 exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907

20 years, 1 month

2
1
0 / 0

AVCs on bringing up a network device via hotplug.

by Aleksey Nogin

audit(1079019200.094:0): avc: denied { net_admin } for pid=18206 exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability audit(1079019200.519:0): avc: denied { getattr } for pid=18144 exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file audit(1079019200.521:0): avc: denied { write } for pid=18221 exe=/bin/bash name=etc dev=hda2 ino=228929 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir audit(1079019200.521:0): avc: denied { add_name } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir audit(1079019200.521:0): avc: denied { create } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file audit(1079019200.541:0): avc: denied { read } for pid=18221 exe=/bin/grep name=dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file audit(1079019200.542:0): avc: denied { search } for pid=17337 exe=/usr/bin/fam name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1079019200.542:0): avc: denied { getattr } for pid=17337 exe=/usr/bin/fam path=/etc/mtab dev=hda2 ino=229229 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:etc_runtime_t tclass=file audit(1079019200.572:0): avc: denied { write } for pid=18221 exe=/bin/grep path=/etc/dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file audit(1079019200.574:0): avc: denied { write } for pid=18222 exe=/bin/bash name=dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file audit(1079019200.580:0): avc: denied { remove_name } for pid=18223 exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir audit(1079019200.580:0): avc: denied { unlink } for pid=18223 exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file audit(1079019200.778:0): avc: denied { dac_override } for pid=18241 exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability audit(1079019203.873:0): avc: denied { fsetid } for pid=18339 exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability % ls --context /etc/dhclient* -rw-r--r--+ root root system_u:object_r:dhcp_etc_t /etc/dhclient.conf lrwxrwxrwx root root system_u:object_r:etc_t /etc/dhclient-eth0.conf -> dhclient.conf lrwxrwxrwx root root system_u:object_r:etc_t /etc/dhclient-wvlan0.conf -> dhclient.conf -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907

20 years, 1 month

3
3
0 / 0

AVC messages at boot and kdm login (latest Rawhide)

by Aleksey Nogin

After "update -u"; "load_policy /etc/security/selinux/policy.15"; reboot into single user; "setfiles /etc/security/selinux/file_contexts / /boot"; reboot, I see Mar 11 04:19:44 dell kernel: audit(1079007536.909:0): avc: denied { execute } for pid=15 exe=/sbin/init name=bash dev=hda2 ino=3662881 scontext=system_u:system_r:init_t tcontext=system_u:object_r:shell_exec_t tclass=file Mar 11 04:19:49 dell kernel: audit(1079007547.555:0): avc: denied { mounton } for pid=327 exe=/bin/mount path=/var/lib/rpc_pipes dev=hda2 ino=425580 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_lib_t tclass=dir Mar 11 04:19:49 dell kernel: audit(1079007550.054:0): avc: denied { execute } for pid=378 exe=/sbin/init name=bash dev=hda2 ino=3662881 scontext=system_u:system_r:init_t tcontext=system_u:object_r:shell_exec_t tclass=file Mar 11 04:19:49 dell kernel: audit(1079007582.402:0): avc: denied { mounton } for pid=1179 exe=/bin/mount path=/var/lib/rpc_pipes dev=hda2 ino=425580 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_lib_t tclass=dir Mar 11 04:19:49 dell kernel: audit(1079007583.849:0): avc: denied { dac_override } for pid=1296 exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability Mar 11 04:19:50 dell kernel: audit(1079007590.445:0): avc: denied { fsetid } for pid=1504 exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability Mar 11 04:19:53 dell kernel: audit(1079007591.541:0): avc: denied { dac_override } for pid=1614 exe=/usr/sbin/sendmail.sendmail capability=1 scontext=system_u:system_r:sendmail_t tcontext=system_u:system_r:sendmail_t tclass=capability Mar 11 04:19:53 dell kernel: audit(1079007592.875:0): avc: denied { read write } for pid=1661 exe=/usr/sbin/gpm name=gpmdata dev=hda2 ino=72912 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=fifo_file Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied { read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied { ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file Mar 11 04:20:25 dell kernel: audit(1079007625.518:0): avc: denied { execute } for pid=2098 exe=/sbin/init name=bash dev=hda2 ino=3662881 scontext=system_u:system_r:init_t tcontext=system_u:object_r:shell_exec_t tclass=file Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc: denied { read } for pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file Mar 11 04:20:36 dell kernel: audit(1079007636.465:0): avc: denied { read } for pid=2112 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file Mar 11 04:20:36 dell kernel: audit(1079007636.466:0): avc: denied { ioctl } for pid=2112 exe=/usr/X11R6/bin/XFree86 path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file Mar 11 04:20:36 dell kernel: audit(1079007636.466:0): avc: denied { write } for pid=2112 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file Mar 11 04:20:38 dell kernel: audit(1079007638.174:0): avc: denied { getattr } for pid=2112 exe=/usr/X11R6/bin/XFree86 path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file Mar 11 04:20:39 dell kernel: audit(1079007639.611:0): avc: denied { search } for pid=2113 exe=/usr/bin/kdm name=root dev=hda2 ino=294337 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:default_t tclass=dir Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc: denied { write } for pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2 ino=670527 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:lib_t tclass=file Mar 11 04:20:47 dell kernel: audit(1079007647.551:0): avc: denied { write } for pid=2122 exe=/usr/bin/krootimage name=.qtrc.lock dev=hda2 ino=670527 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:lib_t tclass=file Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc: denied { setattr } for pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file Mar 11 04:20:52 dell kernel: audit(1079007652.936:0): avc: denied { entrypoint } for pid=2131 exe=/usr/bin/kdm path=/etc/kde/kdm/Xsession dev=hda2 ino=1226634 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file Mar 11 04:20:54 dell kernel: audit(1079007654.232:0): avc: denied { getattr } for pid=2131 exe=/bin/tcsh path=/var/log/messages dev=hda2 ino=3613840 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_log_t tclass=file And another interesting one I saw later: Mar 11 04:21:32 dell kernel: audit(1079007691.925:0): avc: denied { search } for pid=2363 exe=/usr/bin/ksysguardd scontext=user_u:user_r:user_t tcontext=system_u:object_r:sysctl_dev_t tclass=dir -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907

20 years, 1 month

5
8
0 / 0

Can the CTRL+ALT+F1 login and its list be annotated?

by Tom Mitchell

If I confuse X (as I may have right now) I can still login on at a tty with one of: Control+Alt+F1 Control+Alt+F2 .... Control+Alt+F6 Then as root I am presented with a question, then a selection list of rolls to login with. Is it possible to annotate these in a way that invites new users to make the most appropriate selection? Assuming I am close, something like this. [1]root:sysadm_r:sysadm_t (default) administration and user management roll [2]root:staff_r:staff_t minimum privilege for root, "newrole -r role" expected [3]root:system_r:system_t "DO NOT USE -- reserved init, daemons and kernel." -- T o m M i t c h e l l /dev/null the ultimate in secure storage.

20 years, 1 month

1
0
0 / 0

Re: ntp.... was Re: Fresh rawhide install / AVC messages

by Steve Bonneville

Tom Mitchell <mitch48(a)yahoo.com> wrote: > I might trust my dhcp server to give me an IP address but do I also > want it to set the time of day. Then what else do I trust it to do? > How do I manage the list of things that dhcp might update? > > For example if I have a well crafted /etc/ntp.conf file will that file > be lost if I move to a different DHCP served net. I don't have FC2t1 handy at the moment, but on RHEL 3 I believe that you can set the following options in /etc/sysconfig/network-scripts/ifcfg-* files: PEERDNS=no (/etc/resolv.conf) PEERNTP=no (/etc/ntp.conf, /etc/ntp/step-tickers) PEERNIS=no (/etc/yp.conf) If set to no, then those files won't get modified even if appropriate DHCP options are sent. See /sbin/dhclient-script for details. -- Steve Bonneville

20 years, 1 month

2
1
0 / 0

Re: Installing new policy

by Jeff Johnson

> At the moment rpm_script_t has access to so much that there's no point in > trying to impose any serious restriction on it. > I suspect that limiting rpm_script_t in any significant way will have > to wait until we have multiple domains for rpm for installing packages > with different signatures. What is the logical connection between rpm_scriptlet_t has too much access. and rpm needs multiple domains based on signature "trust". Are there alternatives is what I'm asking. 73 de Jeff

20 years, 1 month

2
3
0 / 0

kdeinit avcs

by Josh Boyer

I get these avcs when running kopete: avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit name=cleaned dev=hda5 ino=1567855 scontext=jwboyer:user_r:user_t tcontext=system_u:object_r:file_t tclass=file avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit name=l dev=hda5 ino=1567856 scontext=jwboyer:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir avc: denied { add_name } for pid=4371 exe=/usr/bin/kdeinit name=loginnet.passport.com_login.srf_42a239b5.new scontext=jwboyer:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir avc: denied { create } for pid=4371 exe=/usr/bin/kdeinit name=loginnet.passport.com_login.srf_42a239b5.new scontext=jwboyer:user_r:user_t tcontext=jwboyer:object_r:file_t tclass=file avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-jwboyer/http/l/loginnet.passport.com_login.srf_42a239b5.new dev=hda5 ino=1571952 scontext=jwboyer:user_r:user_t tcontext=jwboyer:object_r:file_t tclass=file to solve issues like this, should i define a new policy for kdeinit, put kdeinit into a different domain, define some dontaudit rules, etc? there are lots of avcs to deal with, and i am just trying to determine what an appropriate fix for some of them are. thx, josh

20 years, 1 month

2
2
0 / 0

Fresh rawhide install / AVC messages

by Dax Kelson

Last night I did a fresh "Everything" rawhide install. On the first boot, I got the following AVC messages. Is enforcing mode expected to work? Is this helpful? audit(1078849141.136:0): avc: denied { create } for pid=942 exe=/usr/sbin/updfstab name=floppy scontext=system_u:system_r:updfstab_t tcontext=system_u:object_r:mnt_t tclass=dir audit(1078849141.160:0): avc: denied { read write } for pid=943 exe=/sbin/pam_console_apply path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:pam_console_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file audit(1078849141.979:0): avc: denied { write } for pid=953 exe=/usr/sbin/cpuspeed name=scaling_governor dev= ino=335 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=file audit(1078849148.792:0): avc: denied { getattr } for pid=1141 exe=/bin/bash path=/etc/ntp.conf dev=hda8 ino=19690 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t tclass=file audit(1078849148.796:0): avc: denied { rename } for pid=1160 exe=/bin/mv name=ntp.conf dev=hda8 ino=19690 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t tclass=file audit(1078849148.797:0): avc: denied { getattr } for pid=1161 exe=/bin/bash path=/tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir audit(1078849148.798:0): avc: denied { search } for pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir audit(1078849148.798:0): avc: denied { write } for pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir audit(1078849148.798:0): avc: denied { add_name } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir audit(1078849148.798:0): avc: denied { create } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file audit(1078849148.825:0): avc: denied { getattr } for pid=1161 exe=/bin/bash path=/tmp/sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file audit(1078849148.825:0): avc: denied { write } for pid=1161 exe=/bin/bash path=/tmp/sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file audit(1078849148.825:0): avc: denied { read } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file audit(1078849148.825:0): avc: denied { remove_name } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir audit(1078849148.825:0): avc: denied { unlink } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file audit(1078849148.832:0): avc: denied { rename } for pid=1162 exe=/bin/mv name=step-tickers dev=hda8 ino=164396 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file audit(1078849162.352:0): avc: denied { write } for pid=954 exe=/usr/sbin/cpuspeed name=scaling_setspeed dev= ino=339 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=file audit(1078849214.284:0): avc: denied { read } for pid=3923 exe=/usr/bin/python name=backend.pyo dev=hda8 ino=148720 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=file audit(1078849214.285:0): avc: denied { getattr } for pid=3923 exe=/usr/bin/python path=/usr/share/printconf/util/backend.pyo dev=hda8 ino=148720 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=file audit(1078849230.652:0): avc: denied { write } for pid=4290 exe=/usr/sbin/sendmail.sendmail name=aliases.db dev=hda8 ino=19435 scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t tclass=file audit(1078849230.652:0): avc: denied { lock } for pid=4290 exe=/usr/sbin/sendmail.sendmail path=/etc/aliases.db dev=hda8 ino=19435 scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t tclass=file audit(1078849246.286:0): avc: denied { create } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0): avc: denied { unix_read unix_write } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0): avc: denied { read write } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.287:0): avc: denied { unix_read unix_write } for pid=51 exe=/usr/X11R6/bin/XFree86 key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.287:0): avc: denied { read write } for pid=51 exe=/usr/X11R6/bin/XFree86 key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.287:0): avc: denied { getattr associate } for pid=51 exe=/usr/X11R6/bin/XFree86 key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.287:0): avc: denied { destroy } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849252.927:0): avc: denied { execute } for pid=4547 path=/dev/zero dev=hda8 ino=1614427 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:zero_device_t tclass=chr_file audit(1078849252.927:0): avc: denied { execute } for pid=4547 path=/dev/mem dev=hda8 ino=1602518 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:memory_device_t tclass=chr_file audit(1078849255.467:0): avc: denied { read } for pid=4526 exe=/usr/bin/python name=shadow dev=hda8 ino=19457 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file audit(1078849255.468:0): avc: denied { lock } for pid=4526 exe=/usr/bin/python path=/etc/shadow dev=hda8 ino=19457 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file audit(1078849262.589:0): avc: denied { write } for pid=954 exe=/usr/sbin/cpuspeed name=scaling_setspeed dev= ino=339 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=file audit(1078849274.909:0): avc: denied { ioctl } for pid=4583 exe=/bin/bash path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file audit(1078849274.910:0): avc: denied { search } for pid=4583 exe=/bin/bash dev= ino=1 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:devpts_t tclass=dir audit(1078849375.870:0): avc: denied { write } for pid=4858 exe=/bin/dmesg path=/root/first-dmesg.txt dev=hda8 ino=1095620 scontext=root:system_r:dmesg_t tcontext=root:object_r:sysadm_home_t tclass=file

20 years, 1 month

5
9
0 / 0

After my date today...WARNING: Multiple same specifications

by Tom Mitchell

In /etc/security/selinux/src # make policy; make install; make load; make relabel I see a lot of these, they look harmless, are they? .... WARNING: Multiple same specifications for /etc/issue\.net. WARNING: Multiple same specifications for /etc/sysconfig/hwconf. WARNING: Multiple same specifications for /etc/asound\.state. WARNING: Multiple same specifications for /etc/ld\.so\.cache. WARNING: Multiple same specifications for /etc/ld\.so\.preload. .... -- T o m M i t c h e l l /dev/null the ultimate in secure storage.

20 years, 1 month

1
0
0 / 0

Re: Fresh rawhide install / AVC messages

by Steve Bonneville

Russell Coker <russell(a)coker.com.au> wrote: > > > The problem we face is that the dhcp client as a standard function will > > > replace /etc/resolv.conf. The /etc/resolv.conf file is given the type > > > resolv_conf_t because so many programs want to re-write it. > > > > > > Now we can give the ntpd config file the same type. But in that case we > > > will probably want to rename it to net_conf_t or something. > > > > > > This is all conditional on this being standard functionality of the dhcp > > > client. If it's your customisation then you can just change ntpd.fc to > > > label the file as resolv_conf_t. Although I suspect that if this is a > > > customisation of yours it'll become a standard thing soon enough, it > > > sounds like a good idea! > > > > net_conf_t sounds good. I'd imagine we are going to encouter other cases > > besides resolv.conf and ntp.conf. > > What else might we have? > > net_conf_t doesn't seem ideal to me, but I can't think of anything better at > the moment. > > Also one other thing to note is that /etc/yp.conf has the same type, this may > not be what we want. As far as /etc/yp.conf goes, that's exactly what we want. I was going to add that dhclient may also mess with /etc/yp.conf if it gets the right options in the DHCP response. -- Steve Bonneville

20 years, 1 month

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux March 2004