[policy-sources-1.8-10] slocate AVCs.
by Aleksey Nogin
This is from slocate's updatedb cron job, if I am not mistaken.
audit(1079205055.953:0): avc: denied { getattr } for pid=4254
exe=/usr/bin/slocate path=/dev/cfs0 dev=hda2 ino=2681888
scontext=system_u:system_r:locate_t tcontext=system_u:object_r:device_t
tclass=chr_file
audit(1079205058.981:0): avc: denied { getattr } for pid=4254
exe=/usr/bin/slocate path=/dev/scramdisk/master dev=hda2 ino=3581551
scontext=system_u:system_r:locate_t tcontext=system_u:object_r:device_t
tclass=blk_file
audit(1079205059.464:0): avc: denied { getattr } for pid=4254
exe=/usr/bin/slocate path=/var/lib/rpc_pipes dev= ino=5855
scontext=system_u:system_r:locate_t
tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
audit(1079205061.343:0): avc: denied { read } for pid=4254
exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t
tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
audit(1079205061.343:0): avc: denied { search } for pid=4254
exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t
tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
20 years, 1 month
AVCs on bringing up a network device via hotplug.
by Aleksey Nogin
audit(1079019200.094:0): avc: denied { net_admin } for pid=18206
exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=capability
audit(1079019200.519:0): avc: denied { getattr } for pid=18144
exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.521:0): avc: denied { write } for pid=18221
exe=/bin/bash name=etc dev=hda2 ino=228929
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
tclass=dir
audit(1079019200.521:0): avc: denied { add_name } for pid=18221
exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
tclass=dir
audit(1079019200.521:0): avc: denied { create } for pid=18221
exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1079019200.541:0): avc: denied { read } for pid=18221
exe=/bin/grep name=dhclient.conf dev=hda2 ino=231943
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.542:0): avc: denied { search } for pid=17337
exe=/usr/bin/fam name=sys dev= ino=4120
scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1079019200.542:0): avc: denied { getattr } for pid=17337
exe=/usr/bin/fam path=/etc/mtab dev=hda2 ino=229229
scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1079019200.572:0): avc: denied { write } for pid=18221
exe=/bin/grep path=/etc/dhclient-wvlan0.conf.ifupnew dev=hda2
ino=2191270 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1079019200.574:0): avc: denied { write } for pid=18222
exe=/bin/bash name=dhclient.conf dev=hda2 ino=231943
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.580:0): avc: denied { remove_name } for pid=18223
exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
tclass=dir
audit(1079019200.580:0): avc: denied { unlink } for pid=18223
exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1079019200.778:0): avc: denied { dac_override } for pid=18241
exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:system_r:dhcpc_t tclass=capability
audit(1079019203.873:0): avc: denied { fsetid } for pid=18339
exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:system_r:dhcpc_t tclass=capability
% ls --context /etc/dhclient*
-rw-r--r--+ root root system_u:object_r:dhcp_etc_t
/etc/dhclient.conf
lrwxrwxrwx root root system_u:object_r:etc_t
/etc/dhclient-eth0.conf -> dhclient.conf
lrwxrwxrwx root root system_u:object_r:etc_t
/etc/dhclient-wvlan0.conf -> dhclient.conf
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
AVC messages at boot and kdm login (latest Rawhide)
by Aleksey Nogin
After "update -u"; "load_policy /etc/security/selinux/policy.15"; reboot
into single user; "setfiles /etc/security/selinux/file_contexts /
/boot"; reboot, I see
Mar 11 04:19:44 dell kernel: audit(1079007536.909:0): avc: denied {
execute } for pid=15 exe=/sbin/init name=bash dev=hda2 ino=3662881
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:shell_exec_t tclass=file
Mar 11 04:19:49 dell kernel: audit(1079007547.555:0): avc: denied {
mounton } for pid=327 exe=/bin/mount path=/var/lib/rpc_pipes dev=hda2
ino=425580 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:var_lib_t tclass=dir
Mar 11 04:19:49 dell kernel: audit(1079007550.054:0): avc: denied {
execute } for pid=378 exe=/sbin/init name=bash dev=hda2 ino=3662881
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:shell_exec_t tclass=file
Mar 11 04:19:49 dell kernel: audit(1079007582.402:0): avc: denied {
mounton } for pid=1179 exe=/bin/mount path=/var/lib/rpc_pipes dev=hda2
ino=425580 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:var_lib_t tclass=dir
Mar 11 04:19:49 dell kernel: audit(1079007583.849:0): avc: denied {
dac_override } for pid=1296 exe=/bin/bash capability=1
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
tclass=capability
Mar 11 04:19:50 dell kernel: audit(1079007590.445:0): avc: denied {
fsetid } for pid=1504 exe=/bin/chmod capability=4
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
tclass=capability
Mar 11 04:19:53 dell kernel: audit(1079007591.541:0): avc: denied {
dac_override } for pid=1614 exe=/usr/sbin/sendmail.sendmail
capability=1 scontext=system_u:system_r:sendmail_t
tcontext=system_u:system_r:sendmail_t tclass=capability
Mar 11 04:19:53 dell kernel: audit(1079007592.875:0): avc: denied {
read write } for pid=1661 exe=/usr/sbin/gpm name=gpmdata dev=hda2
ino=72912 scontext=system_u:system_r:gpm_t
tcontext=system_u:object_r:device_t tclass=fifo_file
Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2
ino=4219044 scontext=system_u:system_r:gpm_t
tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2
ino=4219044 scontext=system_u:system_r:gpm_t
tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:25 dell kernel: audit(1079007625.518:0): avc: denied {
execute } for pid=2098 exe=/sbin/init name=bash dev=hda2 ino=3662881
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:shell_exec_t tclass=file
Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc: denied {
read } for pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359
scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
Mar 11 04:20:36 dell kernel: audit(1079007636.465:0): avc: denied {
read } for pid=2112 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2
ino=4219044 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:36 dell kernel: audit(1079007636.466:0): avc: denied {
ioctl } for pid=2112 exe=/usr/X11R6/bin/XFree86 path=/dev/input/event0
dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:36 dell kernel: audit(1079007636.466:0): avc: denied {
write } for pid=2112 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2
ino=4219044 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:38 dell kernel: audit(1079007638.174:0): avc: denied {
getattr } for pid=2112 exe=/usr/X11R6/bin/XFree86
path=/dev/input/event0 dev=hda2 ino=4219044
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:39 dell kernel: audit(1079007639.611:0): avc: denied {
search } for pid=2113 exe=/usr/bin/kdm name=root dev=hda2 ino=294337
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:default_t
tclass=dir
Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc: denied {
write } for pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2
ino=670527 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:lib_t tclass=file
Mar 11 04:20:47 dell kernel: audit(1079007647.551:0): avc: denied {
write } for pid=2122 exe=/usr/bin/krootimage name=.qtrc.lock dev=hda2
ino=670527 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:lib_t tclass=file
Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc: denied {
setattr } for pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146
scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
Mar 11 04:20:52 dell kernel: audit(1079007652.936:0): avc: denied {
entrypoint } for pid=2131 exe=/usr/bin/kdm path=/etc/kde/kdm/Xsession
dev=hda2 ino=1226634 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:etc_t tclass=file
Mar 11 04:20:54 dell kernel: audit(1079007654.232:0): avc: denied {
getattr } for pid=2131 exe=/bin/tcsh path=/var/log/messages dev=hda2
ino=3613840 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:var_log_t tclass=file
And another interesting one I saw later:
Mar 11 04:21:32 dell kernel: audit(1079007691.925:0): avc: denied {
search } for pid=2363 exe=/usr/bin/ksysguardd
scontext=user_u:user_r:user_t tcontext=system_u:object_r:sysctl_dev_t
tclass=dir
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
Can the CTRL+ALT+F1 login and its list be annotated?
by Tom Mitchell
If I confuse X (as I may have right now) I can still log in at a tty
with one of:
Control+Alt+F1
Control+Alt+F2
....
Control+Alt+F6
Then as root I am presented with a question, then a selection list of
roles to log in with.
Is it possible to annotate these in a way that invites new users to
make the most appropriate selection?
Assuming I am close, something like this.
[1]root:sysadm_r:sysadm_t (default) administration and user management role
[2]root:staff_r:staff_t minimum privilege for root, "newrole -r role" expected
[3]root:system_r:system_t "DO NOT USE -- reserved for init, daemons and kernel."
--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
Re: ntp.... was Re: Fresh rawhide install / AVC messages
by Steve Bonneville
Tom Mitchell <mitch48(a)yahoo.com> wrote:
> I might trust my dhcp server to give me an IP address but do I also
> want it to set the time of day. Then what else do I trust it to do?
> How do I manage the list of things that dhcp might update?
>
> For example if I have a well crafted /etc/ntp.conf file will that file
> be lost if I move to a different DHCP served net.
I don't have FC2t1 handy at the moment, but on RHEL 3 I believe that you can
set the following options in /etc/sysconfig/network-scripts/ifcfg-* files:
PEERDNS=no (/etc/resolv.conf)
PEERNTP=no (/etc/ntp.conf, /etc/ntp/step-tickers)
PEERNIS=no (/etc/yp.conf)
If set to no, then those files won't get modified even if appropriate
DHCP options are sent. See /sbin/dhclient-script for details.
-- Steve Bonneville
Re: Installing new policy
by Jeff Johnson
> At the moment rpm_script_t has access to so much that there's no point in
> trying to impose any serious restriction on it.
> I suspect that limiting rpm_script_t in any significant way will have
> to wait until we have multiple domains for rpm for installing packages
> with different signatures.
What is the logical connection between
rpm_scriptlet_t has too much access.
and
rpm needs multiple domains based on signature "trust".
Are there alternatives is what I'm asking.
73 de Jeff
kdeinit avcs
by Josh Boyer
I get these avcs when running kopete:
avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit name=cleaned
dev=hda5 ino=1567855 scontext=jwboyer:user_r:user_t
tcontext=system_u:object_r:file_t tclass=file
avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit name=l dev=hda5
ino=1567856 scontext=jwboyer:user_r:user_t tcontext=system_u:object_r:file_t
tclass=dir
avc: denied { add_name } for pid=4371 exe=/usr/bin/kdeinit
name=loginnet.passport.com_login.srf_42a239b5.new
scontext=jwboyer:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
avc: denied { create } for pid=4371 exe=/usr/bin/kdeinit
name=loginnet.passport.com_login.srf_42a239b5.new
scontext=jwboyer:user_r:user_t tcontext=jwboyer:object_r:file_t tclass=file
avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit
path=/var/tmp/kdecache-jwboyer/http/l/loginnet.passport.com_login.srf_42a239b5.new
dev=hda5 ino=1571952 scontext=jwboyer:user_r:user_t
tcontext=jwboyer:object_r:file_t tclass=file
To solve issues like this, should I define a new policy for kdeinit, put
kdeinit into a different domain, define some dontaudit rules, etc.?
There are lots of AVCs to deal with, and I am just trying to determine what an
appropriate fix for some of them is.
thx,
josh
Fresh rawhide install / AVC messages
by Dax Kelson
Last night I did a fresh "Everything" rawhide install.
On the first boot, I got the following AVC messages. Is enforcing mode
expected to work? Is this helpful?
audit(1078849141.136:0): avc: denied { create } for pid=942 exe=/usr/sbin/updfstab name=floppy scontext=system_u:system_r:updfstab_t tcontext=system_u:object_r:mnt_t tclass=dir
audit(1078849141.160:0): avc: denied { read write } for pid=943 exe=/sbin/pam_console_apply path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:pam_console_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
audit(1078849141.979:0): avc: denied { write } for pid=953 exe=/usr/sbin/cpuspeed name=scaling_governor dev= ino=335 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=file
audit(1078849148.792:0): avc: denied { getattr } for pid=1141 exe=/bin/bash path=/etc/ntp.conf dev=hda8 ino=19690 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t tclass=file
audit(1078849148.796:0): avc: denied { rename } for pid=1160 exe=/bin/mv name=ntp.conf dev=hda8 ino=19690 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t tclass=file
audit(1078849148.797:0): avc: denied { getattr } for pid=1161 exe=/bin/bash path=/tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.798:0): avc: denied { search } for pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.798:0): avc: denied { write } for pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.798:0): avc: denied { add_name } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.798:0): avc: denied { create } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file
audit(1078849148.825:0): avc: denied { getattr } for pid=1161 exe=/bin/bash path=/tmp/sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file
audit(1078849148.825:0): avc: denied { write } for pid=1161 exe=/bin/bash path=/tmp/sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file
audit(1078849148.825:0): avc: denied { read } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file
audit(1078849148.825:0): avc: denied { remove_name } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.825:0): avc: denied { unlink } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file
audit(1078849148.832:0): avc: denied { rename } for pid=1162 exe=/bin/mv name=step-tickers dev=hda8 ino=164396 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
audit(1078849162.352:0): avc: denied { write } for pid=954 exe=/usr/sbin/cpuspeed name=scaling_setspeed dev= ino=339 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=file
audit(1078849214.284:0): avc: denied { read } for pid=3923 exe=/usr/bin/python name=backend.pyo dev=hda8 ino=148720 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=file
audit(1078849214.285:0): avc: denied { getattr } for pid=3923 exe=/usr/bin/python path=/usr/share/printconf/util/backend.pyo dev=hda8 ino=148720 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=file
audit(1078849230.652:0): avc: denied { write } for pid=4290 exe=/usr/sbin/sendmail.sendmail name=aliases.db dev=hda8 ino=19435 scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t tclass=file
audit(1078849230.652:0): avc: denied { lock } for pid=4290 exe=/usr/sbin/sendmail.sendmail path=/etc/aliases.db dev=hda8 ino=19435 scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t tclass=file
audit(1078849246.286:0): avc: denied { create } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.286:0): avc: denied { unix_read unix_write } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.286:0): avc: denied { read write } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.287:0): avc: denied { unix_read unix_write } for pid=51 exe=/usr/X11R6/bin/XFree86 key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.287:0): avc: denied { read write } for pid=51 exe=/usr/X11R6/bin/XFree86 key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.287:0): avc: denied { getattr associate } for pid=51 exe=/usr/X11R6/bin/XFree86 key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.287:0): avc: denied { destroy } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849252.927:0): avc: denied { execute } for pid=4547 path=/dev/zero dev=hda8 ino=1614427 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
audit(1078849252.927:0): avc: denied { execute } for pid=4547 path=/dev/mem dev=hda8 ino=1602518 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
audit(1078849255.467:0): avc: denied { read } for pid=4526 exe=/usr/bin/python name=shadow dev=hda8 ino=19457 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1078849255.468:0): avc: denied { lock } for pid=4526 exe=/usr/bin/python path=/etc/shadow dev=hda8 ino=19457 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1078849262.589:0): avc: denied { write } for pid=954 exe=/usr/sbin/cpuspeed name=scaling_setspeed dev= ino=339 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=file
audit(1078849274.909:0): avc: denied { ioctl } for pid=4583 exe=/bin/bash path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
audit(1078849274.910:0): avc: denied { search } for pid=4583 exe=/bin/bash dev= ino=1 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:devpts_t tclass=dir
audit(1078849375.870:0): avc: denied { write } for pid=4858 exe=/bin/dmesg path=/root/first-dmesg.txt dev=hda8 ino=1095620 scontext=root:system_r:dmesg_t tcontext=root:object_r:sysadm_home_t tclass=file
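The denials posted in this thread (Aleksey's slocate and hotplug lists, Josh's kdeinit ones, and Dax's first-boot list above) all have the same shape, and the usual first step before deciding between an allow rule, a dontaudit rule, a relabel or a new domain is to collapse them into candidate rules the way audit2allow does. The following is an added example, not code from any poster, from audit2allow or from the policy sources. The sample lines are constructed: they are denials copied from the posts in this thread, re-joined onto single lines, plus one line in the later auditd format so the parser handles both. The SENSITIVE_TYPES and SENSITIVE_CAPS lists are my own review heuristics and are marked as such in the code.

```python
import re
from collections import defaultdict

# Constructed sample: denials copied from the posts in this thread (2004-era
# kernel format, each re-joined onto a single line) plus one line in the later
# auditd "type=AVC msg=audit(...)" format, so the parser sees both shapes.
SAMPLE_AVCS = """\
audit(1079205055.953:0): avc: denied { getattr } for pid=4254 exe=/usr/bin/slocate path=/dev/cfs0 dev=hda2 ino=2681888 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1079205061.343:0): avc: denied { read } for pid=4254 exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
audit(1079205061.343:0): avc: denied { search } for pid=4254 exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
audit(1079019200.094:0): avc: denied { net_admin } for pid=18206 exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
audit(1079019200.778:0): avc: denied { dac_override } for pid=18241 exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
audit(1078849255.467:0): avc: denied { read } for pid=4526 exe=/usr/bin/python name=shadow dev=hda8 ino=19457 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read write } for  pid=1661 comm="gpm" name="gpmdata" dev="hda2" ino=72912 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t:s0 tclass=fifo_file permissive=0
"""

# "avc: denied { perm ... } for key=value key=value ..."; the kernel and auditd
# formats differ only in the prefix and in the quoting of some values.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Assumption: my own review heuristics, not anything from the policy sources.
# A denial against one of these is usually a labelling or program problem to
# fix at the source, not a permission to hand out.
SENSITIVE_TYPES = {"shadow_t", "memory_device_t"}
SENSITIVE_CAPS = {"dac_override", "dac_read_search", "sys_admin", "sys_module",
                  "setuid", "setgid", "net_admin"}


def type_of(context):
    """user:role:type[:mls] -> type, the field TE rules are written against."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the parts of one denial a rule needs, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return {
            "perms": set(m.group("perms").split()),
            "stype": type_of(fields["scontext"]),
            "ttype": type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "exe": fields.get("exe") or fields.get("comm", "?"),
            "object": fields.get("path") or fields.get("name", ""),
        }
    except KeyError:
        return None  # truncated line, e.g. one wrapped by a mail client


def aggregate(text):
    """Collapse all denials into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            rules[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return dict(rules)


def render_rules(rules, kind="allow"):
    """Emit candidate TE rules (kind is 'allow' or 'dontaudit'), audit2allow style."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        target = "self" if s == t else t  # capability, shm etc. target the domain itself
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"{kind} {s} {target}:{c} {p};")
    return out


def review_flags(rules):
    """List the aggregated rules a reviewer should not accept as written."""
    flags = []
    for (s, t, c), perms in sorted(rules.items()):
        if c == "capability" and perms & SENSITIVE_CAPS:
            caps = " ".join(sorted(perms & SENSITIVE_CAPS))
            flags.append(f"{s}: capability {caps} requested")
        if t in SENSITIVE_TYPES:
            flags.append(f"{s} -> {t}:{c}: sensitive target, review before allowing")
    return flags


if __name__ == "__main__":
    rules = aggregate(SAMPLE_AVCS)
    print("\n".join(render_rules(rules)))
    print()
    print("\n".join(review_flags(rules)))
```

The output is a starting point for review, not a patch to apply. The thread itself shows why: the ntp.conf denials in Dax's list are answered by giving the file a type dhclient is allowed to rewrite (the net_conf_t proposal in the reply below), not by granting dhcpc_t write access to ntpd_etc_t, and a rule such as `allow initrc_t shadow_t:file read;` is exactly the kind of thing the review_flags list exists to stop.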
After my date today...WARNING: Multiple same specifications
by Tom Mitchell
In /etc/security/selinux/src
# make policy; make install; make load; make relabel
I see a lot of these, they look harmless, are they?
....
WARNING: Multiple same specifications for /etc/issue\.net.
WARNING: Multiple same specifications for /etc/sysconfig/hwconf.
WARNING: Multiple same specifications for /etc/asound\.state.
WARNING: Multiple same specifications for /etc/ld\.so\.cache.
WARNING: Multiple same specifications for /etc/ld\.so\.preload.
....
--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
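The "Multiple same specifications" warning comes from the duplicate check setfiles runs over file_contexts before it relabels anything. Below is an added example of that check written from scratch, not setfiles' own code and not from the thread. The file_contexts fragment is constructed, and the matching rule (an entry with no file-type flag is compared against entries with any flag, while two different explicit flags make entries disjoint) is my reading of what setfiles does, stated here as an assumption.

```python
import re
from collections import defaultdict

# Constructed file_contexts fragment (not from any real policy). Each line is
#   regex [-type] context
# where -type is one of -b -c -d -l -p -s -- and context may be <<none>>.
SAMPLE_FC = r"""
# comment lines start with '#'
/etc/issue\.net            system_u:object_r:etc_runtime_t
/etc(/.*)?                 system_u:object_r:etc_t
/etc/ld\.so\.cache         system_u:object_r:ld_so_cache_t
/etc/asound\.state         system_u:object_r:etc_t
/etc/sysconfig/hwconf  --  system_u:object_r:etc_runtime_t
/etc/issue\.net            system_u:object_r:etc_runtime_t
/etc/ld\.so\.cache     --  system_u:object_r:ld_so_cache_t
/etc/asound\.state         system_u:object_r:etc_runtime_t
/etc/sysconfig/hwconf  -d  system_u:object_r:etc_runtime_t
"""

FC_LINE_RE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<mode>-[bcdlps-])\s+)?(?P<ctx>\S+)$")


def parse_file_contexts(text):
    """Return a list of (regex, mode-or-None, context, lineno) tuples."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        specs.append((m.group("regex"), m.group("mode"), m.group("ctx"), lineno))
    return specs


def find_duplicates(specs):
    """Pair up entries with the same regex whose type flags do not exclude each
    other.  Returns (same, different): same = identical context on both lines,
    different = the two lines disagree on the label."""
    same, different = [], []
    by_regex = defaultdict(list)
    for spec in specs:
        by_regex[spec[0]].append(spec)
    for rx, group in by_regex.items():
        for i, (_, mode_a, ctx_a, ln_a) in enumerate(group):
            for _, mode_b, ctx_b, ln_b in group[i + 1:]:
                # Assumption: a missing type flag matches any type, so only two
                # explicit and different flags make the entries disjoint.
                if mode_a and mode_b and mode_a != mode_b:
                    continue
                if ctx_a == ctx_b:
                    same.append((rx, ln_a, ln_b))
                else:
                    different.append((rx, ln_a, ln_b, ctx_a, ctx_b))
    return same, different


def render_warnings(text):
    """Render the findings in the wording setfiles uses."""
    same, different = find_duplicates(parse_file_contexts(text))
    out = [f"WARNING: Multiple same specifications for {rx}." for rx, _, _ in same]
    out += [f"WARNING: Multiple different specifications for {rx} ({a} and {b})."
            for rx, _, _, a, b in different]
    return out


if __name__ == "__main__":
    for w in render_warnings(SAMPLE_FC):
        print(w)
```

Tom's warnings are all of the "same" kind, two entries that agree on the label. The "different" kind is the one that matters when auditing a policy build: two entries disagree on what a path should be, and what the file ends up labelled as depends on which entry the matcher prefers, so that is the case to resolve before running setfiles across the filesystem.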
Re: Fresh rawhide install / AVC messages
by Steve Bonneville
Russell Coker <russell(a)coker.com.au> wrote:
> > > The problem we face is that the dhcp client as a standard function will
> > > replace /etc/resolv.conf. The /etc/resolv.conf file is given the type
> > > resolv_conf_t because so many programs want to re-write it.
> > >
> > > Now we can give the ntpd config file the same type. But in that case we
> > > will probably want to rename it to net_conf_t or something.
> > >
> > > This is all conditional on this being standard functionality of the dhcp
> > > client. If it's your customisation then you can just change ntpd.fc to
> > > label the file as resolv_conf_t. Although I suspect that if this is a
> > > customisation of yours it'll become a standard thing soon enough, it
> > > sounds like a good idea!
> >
> > net_conf_t sounds good. I'd imagine we are going to encounter other cases
> > besides resolv.conf and ntp.conf.
>
> What else might we have?
>
> net_conf_t doesn't seem ideal to me, but I can't think of anything better at
> the moment.
>
> Also one other thing to note is that /etc/yp.conf has the same type, this may
> not be what we want.
As far as /etc/yp.conf goes, that's exactly what we want. I was going to
add that dhclient may also mess with /etc/yp.conf if it gets the right
options in the DHCP response.
-- Steve Bonneville