avc denied messages from microcode_ctl
by Richard Hally
While booting the 427 kernel in enforcing mode with
selinux-policy-strict-1.13.4-5,
the following avc denied messages occur:
Jun 13 21:04:03 new2 kernel: audit(1087175026.816:0): avc: denied { write } for pid=1247 exe=/sbin/microcode_ctl name=microcode dev=hda2 ino=1070659 scontext=system_u:system_r:cpucontrol_t tcontext=system_u:object_r:device_t tclass=chr_file
HTH
Richard Hally
19 years, 10 months
avc denied messages from system cron
by Richard Hally
While running the 427 kernel in enforcing mode and
selinux-policy-strict-1.13.4-5,
the following avc denied messages occur from the system cron hourly job:
Jun 13 22:01:00 new2 kernel: audit(1087178460.748:0): avc: denied { read } for pid=3306 exe=/bin/bash name=mtab dev=hda2 ino=869481 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jun 13 22:01:00 new2 kernel: audit(1087178460.748:0): avc: denied { getattr } for pid=3306 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:proc_t tclass=file
Jun 13 22:01:00 new2 kernel: audit(1087178460.792:0): avc: denied { getattr } for pid=3306 exe=/bin/bash path=/usr/bin/run-parts dev=hda2 ino=55784 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
HTH
Richard Hally
19 years, 10 months
avc denied messages from rhgb
by Richard Hally
While booting the 427 kernel in enforcing mode with
selinux-policy-strict-1.13.4-5,
the following avc denied messages occur:
Jun 13 21:04:03 new2 kernel: audit(1087160614.345:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jun 13 21:04:03 new2 last message repeated 9 times
Jun 13 21:04:03 new2 kernel: audit(1087160614.346:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jun 13 21:04:03 new2 last message repeated 3 times
Jun 13 21:04:03 new2 kernel: audit(1087160614.706:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jun 13 21:04:03 new2 last message repeated 2 times
Jun 13 21:04:03 new2 kernel: audit(1087160614.707:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jun 13 21:04:03 new2 kernel: audit(1087160615.167:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jun 13 21:04:03 new2 last message repeated 7 times
HTH
Richard Hally
19 years, 10 months
avc denied messages from gnome-vfs-daemon and nautilus
by Richard Hally
While booting to run level 5 and logging in, with the 427 kernel in
enforcing mode and selinux-policy-strict-1.13.4-5,
the following avc denied messages occur:
Jun 13 21:05:09 new2 kernel: audit(1087175109.179:0): avc: denied { getattr } for pid=3137 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jun 13 21:05:09 new2 kernel: audit(1087175109.839:0): avc: denied { getattr } for pid=3148 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jun 13 21:05:09 new2 kernel: audit(1087175109.957:0): avc: denied { getattr } for pid=3149 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
HTH
Richard Hally
19 years, 10 months
avc denied messages from ssh-agent
by Richard Hally
While booting to run level 5 with the 427 kernel in enforcing mode and
selinux-policy-strict-1.13.4-5,
the following avc denied messages occur:
Jun 13 21:04:52 new2 gdm(pam_unix)[2828]: session opened for user richard by (uid=0)
Jun 13 21:04:52 new2 kernel: audit(1087175092.764:0): avc: denied { search } for pid=2923 exe=/usr/bin/ssh-agent name=selinux dev=hda2 ino=913073 scontext=richard:staff_r:staff_ssh_agent_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jun 13 21:04:52 new2 kernel: audit(1087175092.764:0): avc: denied { read } for pid=2923 exe=/usr/bin/ssh-agent name=mounts dev=proc ino=-268435447 scontext=richard:staff_r:staff_ssh_agent_t tcontext=system_u:object_r:proc_t tclass=lnk_file
HTH
Richard Hally
19 years, 10 months
avc denied messages from umount
by Richard Hally
While booting the 427 kernel in enforcing mode with
selinux-policy-strict-1.13.4-5,
the following avc denied messages occur:
Jun 13 21:04:22 new2 kernel: audit(1087175062.270:0): avc: denied { use } for pid=2392 exe=/bin/umount path=/dev/ptmx dev=hda2 ino=1064811 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:rhgb_gph_t tclass=fd
Jun 13 21:04:22 new2 kernel: audit(1087175062.270:0): avc: denied { read write } for pid=2392 exe=/bin/umount path=socket:[1429] dev=sockfs ino=1429 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:rhgb_t tclass=unix_stream_socket
HTH
Richard Hally
19 years, 10 months
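The denials quoted in the posts above are easier to act on once they are grouped by source type, target type and object class. The following Python is an added example, not code from the thread or from the policy packages: it parses the syslog AVC format shown in these posts and merges the denied permissions into candidate allow rules in the style of audit2allow. The sample lines are copied from the posts above and re-joined onto single lines as syslog writes them.

```python
import re
from collections import defaultdict

# Constructed sample: AVC denials copied from the posts above, re-joined
# onto single lines, plus one syslog "repeated" line that must be ignored.
SAMPLE_LOG = """\
Jun 13 21:04:03 new2 kernel: audit(1087175026.816:0): avc: denied { write } for pid=1247 exe=/sbin/microcode_ctl name=microcode dev=hda2 ino=1070659 scontext=system_u:system_r:cpucontrol_t tcontext=system_u:object_r:device_t tclass=chr_file
Jun 13 22:01:00 new2 kernel: audit(1087178460.748:0): avc: denied { read } for pid=3306 exe=/bin/bash name=mtab dev=hda2 ino=869481 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jun 13 22:01:00 new2 kernel: audit(1087178460.748:0): avc: denied { getattr } for pid=3306 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:proc_t tclass=file
Jun 13 21:04:22 new2 kernel: audit(1087175062.270:0): avc: denied { read write } for pid=2392 exe=/bin/umount path=socket:[1429] dev=sockfs ino=1429 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:rhgb_t tclass=unix_stream_socket
Jun 13 21:04:03 new2 kernel: audit(1087160614.345:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jun 13 21:04:03 new2 last message repeated 9 times
"""

# Matches the "avc: denied { perms } for key=value ..." part of a message.
AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+)\} for (?P<fields>.*)$")


def parse_avc(line):
    """Return a dict for one AVC denial line (a 'perms' list plus every
    key=value field), or None when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, object class) and merge
    the denied permissions into candidate allow rules, sorted for review."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype = rec["scontext"].split(":")[2]   # contexts are user:role:type
        ttype = rec["tcontext"].split(":")[2]
        rules[(stype, ttype, rec["tclass"])].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    for rule in summarize(SAMPLE_LOG):
        print(rule)
```

Each rule is a starting point for checking against the intended policy, not something to load as-is; a denial can also mean a mislabeled file, so compare the tcontext with what file_contexts specifies for that path before adding a rule.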
Re: avc denied from kernel 427 update
by Tom London
Hmmm.... worked for me. I'm running 427 on two machines. One with the
'old policy' stuff, the other with all the latest packages from the
development tree (including 'new selinux-policy' stuff).
A suggestion from Stephen Smalley may help you. I haven't tried to
install a new kernel since doing this. Also, I noticed an updated rpm
package in the development tree.....
tom
------------------------------------------------------------------------
* /From/: Stephen Smalley <sds epoch ncsc mil>
* /Date/: Thu, 10 Jun 2004 15:30:09 -0400
------------------------------------------------------------------------
On Tue, 2004-06-08 at 23:25, Tom London wrote:
> [On my system, yum/rpm seem not to be correctly labeling installed
> files, so I manually check and change via 'fixfiles' or 'setfiles' as
> appropriate.
This is because rpm hasn't been updated for the new policy layout, so it
cannot find the file_contexts configuration. Until it is updated, I
have just created a symlink, i.e.
ln -sf /etc/selinux/strict/contexts/files/file_contexts /etc/security/selinux/file_contexts
--
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
19 years, 10 months
Re: avc denied from kernel 427 update
by Tom London
The warnings seem to be caused by 'rpm' not assigning the proper
contexts to 'installed' files.
The 'FATAL' message from 'mkinitrd' seems to be due to a problem with
'ulimit' defaults.
A workaround until fixed, install/update kernel only in permissive mode,
and make sure you do a 'ulimit -l unlimited' before running 'yum' (so
you'll enter 'setenforce 0; ulimit -l unlimited'). I think you'll still
get the warnings, but the command will succeed without the fatal error.
After the yum 'succeeds', you probably will need to correct the context
labels for the kernel files. Easiest way to do that is to run
FC=/etc/selinux/strict/contexts/files/file_contexts
setfiles -v $FC /lib/modules/2.6.6-1.427
setfiles -v $FC /boot
BEFORE you reboot, or to reboot single-user, permissive mode (by adding
'single enforcing=0' to the boot params) and then running 'fixfiles
relabel'. Then you can reboot multi-user as usual.
If you've updated more than just the kernel package, you probably want
to do the 'boot single-user/permissive, run fixfiles' path.
tom
--------------------------------------
* From: Richard Hally <rhallyx mindspring com>
* To: fedora-selinux-list redhat com
* Subject: avc denied from kernel 427 update
* Date: Sun, 13 Jun 2004 02:29:05 -0400
Below are a few of the over 100 warning and error messages from doing yum
update today (6/12/04). Of the ones that didn't scroll off, they are all
about the 427/build directory tree.
This is in enforcing mode using the most recent strict policy that
existed before today's update to
selinux-policy-strict-sources-1.13.4-5. The avc denied messages are
further below.
HTH
Richard Hally
-----------------------------------------------------------------------------------------------------
from yum update:
...
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/.config: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/init/Makefile: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/init/Kconfig: Permission denied
FATAL: Could not open /lib/modules/2.6.6-1.427/modules.dep.temp for writing: Permission denied
/bin/bash: /root/.bashrc: Permission denied
No dep file found for kernel 2.6.6-1.427
mkinitrd failed
-------------------------------------------------------------------
And here are some of the avc denied messages
Jun 12 19:27:20 new2 kernel: audit(1087082831.128:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/net/ipv4/Kconfig dev=hda2 ino=543312 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/.config dev=hda2 ino=525543 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Makefile dev=hda2 ino=525592 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Kconfig dev=hda2 ino=525591 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { write } for pid=5774 exe=/sbin/depmod name=2.6.6-1.427 dev=hda2 ino=525541 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=dir
19 years, 10 months
multiple context error from updating sysklogd
by Richard Hally
Here is an error from updating the sysklogd package that apparently
comes from some file context problem. The last line about the post
script failing has to do with being in enforcing mode but the
catch-22 is that the avc denied messages are incomplete which is the
reason I am replacing the sysklogd package in the first place. The
partial avc denied messages are further below. When doing the same rpm
command in permissive mode, the context error is still produced but the
post script runs.
HTH
Richard Hally
-------------------------------------- shell messages --------------------------------------
[root@new2 richard]# rpm -U --oldpackage sysklogd-1.4.1-16.i386.rpm
ERROR: Multiple different specifications for /usr/sbin/imapd (system_u:object_r:imapd_exec_t and system_u:object_r:inetd_child_exec_t).
warning: sysklogd-1.4.1-16.i386.rpm: V3 DSA signature: NOKEY, key ID 4f2a6fd2
error: %post(sysklogd-1.4.1-16) scriptlet failed, exit status 255
[root@new2 richard]# setenforce 0
---------------------------------- var log messages ----------------------------------
Jun 13 02:34:31 new2 last message repeated 3 times
Jun 13 02:34:31 new2 exiting on signal 15
Jun 13 02:34:31 new2 syslogd 1.4.1: restart.
Jun 13 02:34:31 new2 syslog: syslogd startup succeeded
Jun 13 02:34:31 new2 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Jun 13 02:34:31 new2 kernel: audit(1087108471.340:0): avc: denied { getattr } for pid=1 exe=/sbin/init
Jun 13 02:34:31 new2 kernel: audit(1087108471.340:0): avc: denied { read write } for pid=1 exe=/sbin/init
Jun 13 02:34:31 new2 syslog: klogd startup succeeded
Jun 13 02:34:31 new2 syslog: syslogd shutdown succeeded
19 years, 10 months
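The "Multiple different specifications" error in the rpm output above is what setfiles prints when the file_contexts it loads contains two entries with the same path specification but different contexts. The following Python is an added example, not code from the thread or from libselinux: a stand-alone checker that reproduces that duplicate check as I understand it (identical regex text, compatible file-type fields, differing context), run over a constructed file_contexts excerpt containing the two /usr/sbin/imapd entries named in the error.

```python
import re

# Constructed file_contexts excerpt (not the real Fedora file): the two
# /usr/sbin/imapd entries from the rpm error above, plus an exact duplicate
# of the syslogd entry to show the other case the loader rejects.
SAMPLE_FILE_CONTEXTS = """\
# path regex          [type]  context
/usr/sbin(/.*)?               system_u:object_r:sbin_t
/usr/sbin/imapd          --   system_u:object_r:imapd_exec_t
/usr/sbin/syslogd        --   system_u:object_r:syslogd_exec_t
/usr/sbin/imapd          --   system_u:object_r:inetd_child_exec_t
/usr/sbin/syslogd        --   system_u:object_r:syslogd_exec_t
"""

# regex, optional file-type field (--, -d, -l, ...), context
ENTRY_RE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)\s*$")


def parse_file_contexts(text):
    """Yield (regex, filetype, context) for each non-comment, non-blank
    line; filetype is '' when the entry has no type field."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        yield m.group(1), m.group(2) or "", m.group(3)


def find_duplicates(text):
    """Return (regex, kind, earlier_ctx, later_ctx) for every pair of entries
    whose regex text is identical and whose type fields are compatible
    (equal, or one of them absent). kind is 'different' when the contexts
    differ and 'same' when they are equal; the loader rejects both."""
    seen = {}
    problems = []
    for regex, ftype, ctx in parse_file_contexts(text):
        for prev_ftype, prev_ctx in seen.get(regex, []):
            if not ftype or not prev_ftype or ftype == prev_ftype:
                kind = "different" if ctx != prev_ctx else "same"
                problems.append((regex, kind, prev_ctx, ctx))
        seen.setdefault(regex, []).append((ftype, ctx))
    return problems


if __name__ == "__main__":
    for regex, kind, a, b in find_duplicates(SAMPLE_FILE_CONTEXTS):
        print(f"ERROR: Multiple {kind} specifications for {regex} ({a} and {b}).")
```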