more latest selinux policy change problems
by Peter Magnusson
A little script that runs in cron complained about stuff after I turned on
selinux for apache again:
mv: cannot set setfscreatecon `user_u:object_r:httpd_sys_script_rw_t':
Permission denied
so I changed the selinux perms on these files. Hope it will work next time
I turn on selinux for apache. Because now it's off again because of this:
Tested what gallery (http://gallery.sourceforge.net/) would think about
selinux. It didn't like it at all. It said that it has no rights to write in
the userfile.
And how would I know what I should set the perms to get it working?
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.441:0): avc: denied {
write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2
ino=688180 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.442:0): avc: denied {
write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2
ino=688180 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
is what it says. Same problem on another vhost with a counter, just another
name= of course.
The thing above is just the main page. It must be able to write dirs
also, when creating new albums. It must also be able to execute
/usr/bin/convert and maybe other programs also. Hmm, and it stores tmp
files in /tmp also. httpd_sys_content_execute_tmpfiles_t on /tmp maybe? :)
I have no idea how many fixes are needed to get everything working.
Is there any *generic* apache-can-write-whatever-it-wants setting in selinux?
As long as apache can't write to *system files* or execute anything as
root I'm quite happy.
Did the fedora team expect problems like this to be created with the latest
selinux policy change or is it a surprise for you? It's fine to have it by
default in a new release of fedora but not to CHANGE it in an update.
18 years, 10 months
Re: selinux and logrotate
by Ted Rule
I found a similar set of problems with FC3/FC4 strict policy arising
from my local decision to make /tmp a noexec partition. It led me to
find various nasty interactions between cups, logrotate, and
glibc-secure-mode when running with and without SELinux in enforcing
mode.
My current solution goes as follows:
a) Modify /etc/cron.daily/logrotate to explicitly set TMPDIR
to a new logrotate specific location
$ cat /etc/cron.daily/logrotate
#!/bin/sh
# Use EXEC capable temp area for logrotate to run scripts within.
if [ -d /var/spool/logrotate/tmp ]; then
    if [ -w /var/spool/logrotate/tmp ]; then
        # SELinux currently forbids chmod on the tmp dir itself
        #chmod 700 /var/spool/logrotate/tmp
        export TMPDIR=/var/spool/logrotate/tmp
    else
        exit 1
    fi
else
    exit 1
fi
/usr/sbin/logrotate -v /etc/logrotate.conf
$
b) Label the Cron Daily script as logrotate_exec_t and the new tmp area
as tmp_t. Without this, the script suffers a secure mode transition as
it executes /usr/sbin/logrotate, and the TMPDIR env variable setting is
lost. The temporary script is already dynamically created as
logrotate_tmp_t by the policy, and the policy already has
"can_exec(logrotate_t, logrotate_tmp_t)" to allow logrotate to exec its
own creations.
$ cat /etc/selinux/strict/src/policy/file_contexts/program/logrotate.fc
# logrotate
/usr/sbin/logrotate -- system_u:object_r:logrotate_exec_t
/usr/sbin/logcheck -- system_u:object_r:logrotate_exec_t
ifdef(`distro_debian', `
/usr/bin/savelog -- system_u:object_r:logrotate_exec_t
/var/lib/logrotate(/.*)? system_u:object_r:logrotate_var_lib_t
', `
/var/lib/logrotate\.status -- system_u:object_r:logrotate_var_lib_t
')
# For TMPDIR workround
ifdef(`distro_redhat', `
/etc/cron.daily/logrotate -- system_u:object_r:logrotate_exec_t
')
/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t
/var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t
# using a hard-coded name under /var/tmp is a bug - new version fixes it
/var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t
# For TMPDIR workround
/var/spool/logrotate/tmp -d system_u:object_r:tmp_t
$
c) Add policy to SELinux to allow logrotate_exec_t to exec itself under
Fedora/Redhat so as to allow the cron.daily script to
exec /usr/sbin/logrotate
$ sudo diff -u logrotate.te.strict.fc4.orig
logrotate.te.strict.fc4.patched
--- logrotate.te.strict.fc4.orig 2005-05-20 19:53:12.000000000
+0100
+++ logrotate.te.strict.fc4.patched 2005-06-23 13:38:38.000000000
+0100
@@ -33,6 +33,11 @@
can_exec(logrotate_t, logrotate_exec_t)
')
+ifdef(`distro_redhat', `
+# for /etc/cron.daily/logrotate TMPDIR workround
+can_exec(logrotate_t, logrotate_exec_t)
+')
+
# for perl
allow logrotate_t usr_t:file { getattr read ioctl };
allow logrotate_t usr_t:lnk_file read;
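Review bot: the new distro_redhat block adds a second can_exec(logrotate_t, logrotate_exec_t) right after the identical call that already sits inside the preceding ifdef at the top of the hunk; unless that earlier block is conditional on something Red Hat never defines, hoisting the single can_exec out of both ifdefs is simpler and keeps the two distributions from drifting. The comment should also say why the rule is needed at all (the .fc change labels /etc/cron.daily/logrotate as logrotate_exec_t, so logrotate_t now execs its own entry-point type with no transition), otherwise the next person to restorecon that script will silently undo the workaround. Minor: "workround" in the comment should read "workaround".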
$
d) Make sure cups logrotate uses service.
FC4 default /etc/logrotate.d/cups has
/var/log/cups/*_log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/cups condrestart >/dev/null 2>&1 || true
    endscript
}
mine has:
$ cat /etc/logrotate.d/cups
/var/log/cups/*_log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /sbin/service cups condrestart >/dev/null 2>&1 || true
    endscript
}
$
The problem here is that cups ALSO interprets TMPDIR.
If restarted with /sbin/service, the environment is cleansed
by /sbin/service itself before launching cups irrespective of
SELinux mode, so that the overnight restart has the same
environment as the boot sequence.
If restarted with /etc/init.d/cups, cups inherits TMPDIR
from /etc/cron.daily/logrotate if SELinux is not enforcing,
and all sorts of nonsense arises.
Another safety measure here is to explicitly set the tmp
directory in cupsd.conf so that it doesn't even try to use TMPDIR.
A longer term thought is that logrotate should allow the setting of the
tmp directory directly in logrotate.conf and should ignore TMPDIR,
Likewise cups should ignore TMPDIR and cupsd.conf should have
an explicit tmp dir setting uncommented as distributed in the rpm.
Similarly, people should avoid using calls to /etc/init.d/xxxx in logrotate scripts and
always use /sbin/service so that the environment is clean even when SELinux is not enforcing.
A wider feeling I got from investigating this on my machine is
that the SELinux FAQ should contain some more explicit information
on what is and isn't saved across a secure-mode transition.
As far as I could tell, SELinux doesn't perform a secure-mode transition when
running in permissive mode; the consequence is that when a program
passes environment variables to a child process, the child will see a different
environment depending on whether running permissive or enforcing - this
had me very confused until I realised what was going on.
Perhaps there could be a global setting (boolean?) to force permissive mode
to perform secure-mode transitions so that programs always see the same
environment?
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
18 years, 10 months
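The two ideas in Ted's post (a private, exec-capable TMPDIR for logrotate, and launching with a clean environment the way /sbin/service does) as one runnable script. This is an added example, not Ted's cron script and not part of logrotate; the directory /var/spool/logrotate/tmp and the logrotate command line are taken from his post as assumptions. It adds the checks his script skips: the directory must be a real directory (not a symlink) owned by the caller with mode 0700, and exec capability is probed empirically rather than assumed, which is what a noexec /tmp would fail.

```shell
#!/bin/sh
# Added example (not Ted Rule's script, not part of logrotate): validate a
# private TMPDIR, prove it can execute scripts, then start the job with a
# scrubbed environment. Paths below are assumptions taken from the post.

# check_tmpdir DIR: succeed only if DIR is a real directory (not a symlink),
# owned by the invoking user and mode exactly 0700, so nobody else can plant
# or swap the scripts logrotate will execute from it.
check_tmpdir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2; return 1
    fi
    # -prune keeps find on DIR itself; -user/-perm are POSIX tests
    if [ -z "$(find "$dir" -prune -user "$(id -un)" -perm 700 -print)" ]; then
        echo "wrong owner or mode (need $(id -un), 0700): $dir" >&2; return 1
    fi
    return 0
}

# exec_capable DIR: run a throwaway script from DIR. Fails on a noexec mount
# (exit 126) or an unwritable DIR, the cases that broke post-rotate scripts.
exec_capable() {
    probe="$1/.execprobe.$$"
    if ! printf '#!/bin/sh\nexit 0\n' > "$probe" 2>/dev/null; then
        return 1
    fi
    chmod 700 "$probe"
    "$probe" 2>/dev/null
    rc=$?
    rm -f "$probe"
    return $rc
}

# run_with_private_tmp DIR CMD...: run CMD with an environment containing
# only PATH and TMPDIR, so nothing inherited from cron reaches the child or
# any daemon the child restarts (the effect /sbin/service gives for free).
run_with_private_tmp() {
    dir=$1; shift
    env -i PATH=/sbin:/usr/sbin:/bin:/usr/bin TMPDIR="$dir" "$@"
}

# Real cron entry point; only runs when invoked as: sh this-script --run
if [ "${1:-}" = "--run" ]; then
    LR_TMP=/var/spool/logrotate/tmp
    check_tmpdir "$LR_TMP" && exec_capable "$LR_TMP" || exit 1
    run_with_private_tmp "$LR_TMP" /usr/sbin/logrotate -v /etc/logrotate.conf
fi
```

Running the probe instead of parsing mount options catches every way exec can be blocked (noexec, a read-only mount, a directory that SELinux will not let the caller write), and `env -i` makes the cleanup independent of whether SELinux is enforcing, which is the inconsistency Ted describes.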
selinux and logrotate
by Aleksandar Milivojevic
I've asked once earlier about this, but was never able to fix it. I have tried
so far versions 1.17.30-2.52.1 and 1.17.30-3.6 of targeted policy.
Basically, each night logrotate fails with following logged to
/var/log/messages:
kernel: audit(1120381322.870:0): avc: denied { associate } for pid=28612
exe=/usr/sbin/logrotate name=logrotate.OEFymP
scontext=system_u:object_r:var_log_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
My /tmp is a tmpfs mounted filesystem (as might be guessed from the above output).
Logrotate seems to save pre/post-rotate scripts into /tmp/logrotate.xxxxxx
files prior to executing them, so I guess the problem is that those get labeled
as tmpfs_t.
Most of pre/post-rotate scripts are just the standard ones (as installed by
distribution RPM packages). On some systems I also have some custom post
rotate scripts that write some info into files in /var/log/mystuff directory
and execute logwatch filters on it for creating and mailing reports. I'm
finding the same audit messages on both the systems with only the standard
logrotate configuration and on the system with additional custom postrotate
scripts. However, I'm still curious if I need to allow anything additional for
my custom postrotate scripts?
Thanks for any and all help,
Aleksandar Milivojevic
18 years, 10 months
SELinux and Thinkpad ACPI (part 2: suspend to RAM)
by Matthew Saltzman
The ACPI script that I use to suspend to RAM stopped functioning when
I upgraded to FC4 (worked fine in FC3). This time
(selinux-policy-targeted-1.23.18-17--forgot to mention that in my
previous message on screen blanking), the script does actually suspend
and resume, but it appears not to update the hardware clock.
The suspend script is invoked on Fn-F4 and contains:
#!/bin/sh
# test script for measuring power drain during suspend-to-ram with ACPI
# from http://www.thinkwiki.org
# Changelog:
# added sync before S3
# changed sign of difference (positive drain)
# remove USB for external mouse before sleeping
if lsmod | grep '^usbhid' >/dev/null ; then
    /sbin/modprobe -r -s usbhid
fi
if lsmod | grep '^uhci_hcd' >/dev/null ; then
    /sbin/modprobe -r -s uhci_hcd
fi
if lsmod | grep '^ehci_hcd' >/dev/null ; then
    /sbin/modprobe -r -s ehci_hcd
fi
hwclock --systohc
LOG=/var/log/battery.log
date >> $LOG
DATE_BEFORE=`date +%s`
BAT_BEFORE=`grep 'remaining capacity' /proc/acpi/battery/BAT0/state | awk '{print $3}'`
echo "before: $BAT_BEFORE mWh" >> $LOG
sync
echo 3 > /proc/acpi/sleep
DATE_AFTER=`date +%s`
BAT_AFTER=`grep 'remaining capacity' /proc/acpi/battery/BAT0/state | awk '{print $3}'`
echo "after: $BAT_AFTER mWh" >> $LOG
DIFF=`echo "$BAT_AFTER - $BAT_BEFORE" | bc`
# SLEPT rather than SECONDS: SECONDS is a bash counter that keeps ticking
# after assignment, and /bin/sh is bash on Fedora.
SLEPT=`echo "$DATE_AFTER - $DATE_BEFORE" | bc`
echo "diff: $DIFF mWh" >> $LOG
echo "seconds: $SLEPT sec" >> $LOG
USAGE=`echo "(-1 * $DIFF * 60 * 60) / ($SLEPT)" | bc`
echo "result: $USAGE mW" >> $LOG
if [ $USAGE -lt 1000 ]
then
    echo "Congratulations, your model seems NOT to be affected." >> $LOG
else
    echo "Your model seems to be affected." >> $LOG
fi
if [ $SLEPT -lt 1200 ]
then
    echo "!!! The notebook was suspended less than 20 minutes." >> $LOG
    echo "!!! To get representative values please let the notebook sleep" >> $LOG
    echo "!!! for at least 20 minutes." >> $LOG
fi
echo "" >> $LOG
if ! (lsmod | grep '^ehci_hcd') >/dev/null ; then
    /sbin/modprobe -s ehci_hcd
fi
if ! (lsmod | grep '^uhci_hcd') >/dev/null ; then
    /sbin/modprobe -s uhci_hcd
fi
if ! (lsmod | grep '^usbhid') >/dev/null ; then
    /sbin/modprobe -s usbhid
fi
hwclock --hctosys
When the script is invoked, the following messages are generated in
/var/log/acpid:
[Sun Jul 3 16:33:39 2005] received event "ibm/hotkey HKEY 00000080 00001004"
[Sun Jul 3 16:33:39 2005] notifying client 2531[0:0]
[Sun Jul 3 16:33:39 2005] notifying client 3068[500:500]
[Sun Jul 3 16:33:39 2005] executing action "/etc/acpi/actions/thinkpad-T4x-suspend"
[Sun Jul 3 16:33:39 2005] BEGIN HANDLER MESSAGES
[Sun Jul 3 16:34:15 2005] END HANDLER MESSAGES
[Sun Jul 3 16:34:15 2005] action exited with status 0
[Sun Jul 3 16:34:15 2005] completed event "ibm/hotkey HKEY 00000080 00001004"
[Sun Jul 3 16:34:15 2005] received event "processor CPU 00000081 00000000"
[Sun Jul 3 16:34:15 2005] notifying client 2531[0:0]
[Sun Jul 3 16:34:15 2005] notifying client 3068[500:500]
[Sun Jul 3 16:34:15 2005] completed event "processor CPU 00000081 00000000"
And the following are generated in /var/log/audit/audit.log:
type=PATH msg=audit(1120422820.446:4072964): item=1 flags=101 inode=357483 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1120422820.446:4072964): item=0 name="/sbin/hwclock" flags=101 inode=194377 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=Unknown msg=audit(1120422820.446:4072964): cwd="/"
type=AVC_PATH msg=audit(1120422820.446:4072964): path="/var/log/acpid"
type=AVC_PATH msg=audit(1120422820.446:4072964): path="/var/log/acpid"
type=AVC_PATH msg=audit(1120422820.446:4072964): path="socket:[7894]"
type=AVC_PATH msg=audit(1120422820.446:4072964): path="socket:[10575]"
type=SYSCALL msg=audit(1120422820.446:4072964): arch=40000003 syscall=11 success=yes exit=0 a0=9533338 a1=9533dd8 a2=9533738 a3=0 items=2 pid=28046 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hwclock" exe="/sbin/hwclock"
type=AVC msg=audit(1120422820.446:4072964): avc: denied { read write } for pid=28046 comm="hwclock" name="[10575]" dev=sockfs ino=10575 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:apmd_t tclass=unix_stream_socket
type=AVC msg=audit(1120422820.446:4072964): avc: denied { read write } for pid=28046 comm="hwclock" name="[7894]" dev=sockfs ino=7894 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:apmd_t tclass=unix_stream_socket
type=AVC msg=audit(1120422820.446:4072964): avc: denied { append } for pid=28046 comm="hwclock" name="acpid" dev=dm-0 ino=909761 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:apmd_log_t tclass=file
type=AVC msg=audit(1120422820.446:4072964): avc: denied { append } for pid=28046 comm="hwclock" name="acpid" dev=dm-0 ino=909761 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:apmd_log_t tclass=file
type=PATH msg=audit(1120422852.678:4306524): item=1 flags=101 inode=357483 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1120422852.678:4306524): item=0 name="/sbin/hwclock" flags=101 inode=194377 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=Unknown msg=audit(1120422852.678:4306524): cwd="/"
type=AVC_PATH msg=audit(1120422852.678:4306524): path="/var/log/acpid"
type=AVC_PATH msg=audit(1120422852.678:4306524): path="/var/log/acpid"
type=AVC_PATH msg=audit(1120422852.678:4306524): path="socket:[7894]"
type=AVC_PATH msg=audit(1120422852.678:4306524): path="socket:[10575]"
type=SYSCALL msg=audit(1120422852.678:4306524): arch=40000003 syscall=11 success=yes exit=0 a0=9534440 a1=95344d8 a2=9533738 a3=0 items=2 pid=28207 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hwclock" exe="/sbin/hwclock"
type=AVC msg=audit(1120422852.678:4306524): avc: denied { read write } for pid=28207 comm="hwclock" name="[10575]" dev=sockfs ino=10575 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:apmd_t tclass=unix_stream_socket
type=AVC msg=audit(1120422852.678:4306524): avc: denied { read write } for pid=28207 comm="hwclock" name="[7894]" dev=sockfs ino=7894 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:apmd_t tclass=unix_stream_socket
type=AVC msg=audit(1120422852.678:4306524): avc: denied { append } for pid=28207 comm="hwclock" name="acpid" dev=dm-0 ino=909761 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:apmd_log_t tclass=file
type=AVC msg=audit(1120422852.678:4306524): avc: denied { append } for pid=28207 comm="hwclock" name="acpid" dev=dm-0 ino=909761 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:apmd_log_t tclass=file
Thanks.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
18 years, 10 months
selinux fedora 3 selinux-policy-targeted-1.17.30-3.15 update breaks some programs
by alberto passariello
While this update fixes some problems, there are some still open.
Jun 30 17:14:58 tiger kernel: audit(1120144498.202:0): avc: denied
{ execmod } for pid=6950 comm=python
path=/usr/lib/wingide2.0/bin/2.3/external/pyscintilla2/_scintilla.so
dev=sda2 ino=8555070 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:bin_t tclass=file
This was caught while starting Wing IDE (a Python RAD application).
----------------------------------------
Alberto Passariello
Byte Works Sistemi S.r.l.
Cisco Systems partner Premier certified
Viale Liegi 44,
00198 Roma
Tel: +39 6 863.863.22
Fax: +39 6 863.863.23
Email: apassariello(a)byworks.com
-----------------------------------------------
18 years, 10 months
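Peter's question near the top of the page ("how would I know what I should set the perms to get it working?") is the recurring one in this thread, and every post after it carries raw denials in one of two shapes: the FC3-era kernel/syslog line and the FC4 auditd `type=AVC` line. The following is an added example, not code from any of the posts and not audit2allow itself: it parses both shapes, merges denials into the allow rules audit2allow would print, and then triages them, because for four of the denials quoted on this page (the tmpfs `associate`, the `execmod` on a shared object, dhcpc_t executing insmod_exec_t, and httpd_t writing into *_content_t) a bare allow rule is the wrong fix. The triage heuristics and the suggested type names (for instance textrel_shlib_t) are this example's own assumptions about common SELinux practice, not advice from the thread. The sample lines are copied from the posts on this page.

```python
"""Turn SELinux AVC denials into candidate allow rules, then triage them.

Added example, not code from the posts or from audit2allow. It accepts
both log shapes on this page: the FC3-era kernel/syslog line
("kernel: audit(...): avc: denied { write } for ...") and the FC4 auditd
line ("type=AVC msg=audit(...): avc: denied ..."). The triage heuristics
are this example's own assumptions about when a bare allow is the wrong fix.
"""
import re
import sys
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; auditd quotes strings (comm="sh"), the kernel format does not
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw in KV_RE.findall(m.group("rest")):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "sdomain": fields["scontext"].split(":")[2],  # user:role:type[:mls]
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "fields": fields,
    }


def build_rules(lines):
    """Merge denials by (source domain, target type, class) into allow rules."""
    perms_by_key = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            perms_by_key[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(perms_by_key.items())
    ]


def triage(rec):
    """Warn where a bare allow rule is the wrong fix (heuristics, not policy)."""
    perms, tclass, ttype = rec["perms"], rec["tclass"], rec["ttype"]
    if tclass == "filesystem" and "associate" in perms:
        return ("file type %s cannot be created on a %s filesystem: fix the label "
                "or the directory (TMPDIR) the file is created in" % (rec["sdomain"], ttype))
    if "execmod" in perms:
        return ("text relocation in %s: relabel it textrel_shlib_t or rebuild with "
                "-fPIC rather than granting execmod" % rec["fields"].get("path", "?"))
    if tclass == "file" and "execute" in perms and ttype.endswith("_exec_t"):
        return ("%s executing %s without a transition keeps the child in %s; "
                "add a domain transition instead" % (rec["sdomain"], ttype, rec["sdomain"]))
    if perms & {"write", "create", "add_name"} and ttype.endswith("_content_t"):
        return ("%s writes into %s: give the writable files their own type rather "
                "than making all content writable" % (rec["sdomain"], ttype))
    return None


def report(lines):
    """Return (allow rules, triage warnings) for a batch of log lines."""
    warnings = [w for w in (triage(r) for r in map(parse_avc, lines) if r) if w]
    return build_rules(lines), warnings


# Sample input: denial lines quoted from the posts on this page, plus one
# unrelated kernel line to show that it is ignored.
SAMPLE_LINES = [
    "Jun 21 06:27:25 sysbabe kernel: audit(1119328045.441:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file",
    "kernel: audit(1120381322.870:0): avc: denied { associate } for pid=28612 exe=/usr/sbin/logrotate name=logrotate.OEFymP scontext=system_u:object_r:var_log_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem",
    'type=AVC msg=audit(1120422820.446:4072964): avc: denied { read write } for pid=28046 comm="hwclock" name="[10575]" dev=sockfs ino=10575 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:apmd_t tclass=unix_stream_socket',
    "Jun 30 17:14:58 tiger kernel: audit(1120144498.202:0): avc: denied { execmod } for pid=6950 comm=python path=/usr/lib/wingide2.0/bin/2.3/external/pyscintilla2/_scintilla.so dev=sda2 ino=8555070 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file",
    'Jul 1 06:17:50 localhost kernel: audit(1120213067.173:2): avc: denied { execute } for pid=1832 comm="sh" name=modprobe dev=hda3 ino=129716 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:insmod_exec_t tclass=file',
    'Jul 1 06:17:50 localhost kernel: audit(1120213067.173:3): avc: denied { getattr } for pid=1832 comm="sh" name=modprobe dev=hda3 ino=129716 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:insmod_exec_t tclass=file',
    "Jul 1 07:05:38 localhost kernel: ip_tables: (C) 2000-2002 Netfilter core team",
]

if __name__ == "__main__":
    # pipe /var/log/messages or audit.log in; with no pipe, use the samples
    src = SAMPLE_LINES if sys.stdin.isatty() else [l.rstrip("\n") for l in sys.stdin]
    rules, warnings = report(src)
    print("\n".join(rules))
    for w in warnings:
        print("# WARNING:", w)
```

Run as `grep 'avc: denied' /var/log/messages | python3 avc2rules.py` (the file name is an assumption). The rules answer Peter's literal question; the warnings are the part audit2allow of that era did not give you: the `associate` denial is a labeling problem, not a missing permission, and a plain `allow dhcpc_t insmod_exec_t:file execute` would let the DHCP client run modprobe inside its own domain, which is the opposite of what the policy was trying to enforce.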
Firestarter startup and FC4 SE Linux Errors - LONG
by David Niemi
(Sorry for the length, I included all error messages)
With the version of Firestarter from FC4 Extras, I and other users
are experiencing start-up error messages with SELinux, though
firestarter appears to start.
There are messages during bootup that permission is denied to:
touch - touch /var/lock/firestarter
remove - rm /var/lock/firestarter
and that there is a "fatal error, your kernel does not support
iptables". At the end of this message is the errors from messages and I
couldn't locate any corresponding entries in audit. There could be
audit entries but I couldn't tell from my VERY LIMITED SE Linux and
audit knowledge.
The latest policies update does not appear to have made a difference.
The quick fix of course is to set enforcing=0 or use SELINUX=disabled
in /etc/selinux/config, but this sort of defeats the purpose. As a test
I set enforcing=0 during a reboot and didn't get the boot errors, though
there were still many messages (appended) about permission denied
in /var/log/messages.
Messages during regular boot
Jul 1 06:17:50 localhost kernel: audit(1120213067.173:2): avc: denied
{ execute } for pid=1832 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.173:3): avc: denied
{ getattr } for pid=1832 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.173:4): avc: denied
{ getattr } for pid=1832 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.174:5): avc: denied
{ execute } for pid=1833 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.174:6): avc: denied
{ getattr } for pid=1833 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.174:7): avc: denied
{ getattr } for pid=1833 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.174:8): avc: denied
{ execute } for pid=1834 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.174:9): avc: denied
{ getattr } for pid=1834 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.174:10): avc: denied
{ getattr } for pid=1834 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.175:11): avc: denied
{ execute } for pid=1835 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.175:12): avc: denied
{ getattr } for pid=1835 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.175:13): avc: denied
{ getattr } for pid=1835 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.176:14): avc: denied
{ execute } for pid=1836 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.176:15): avc: denied
{ getattr } for pid=1836 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.176:16): avc: denied
{ getattr } for pid=1836 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.176:17): avc: denied
{ execute } for pid=1837 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.176:18): avc: denied
{ getattr } for pid=1837 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.176:19): avc: denied
{ getattr } for pid=1837 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.177:20): avc: denied
{ execute } for pid=1838 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.177:21): avc: denied
{ getattr } for pid=1838 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.177:22): avc: denied
{ getattr } for pid=1838 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.177:23): avc: denied
{ execute } for pid=1839 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.177:24): avc: denied
{ getattr } for pid=1839 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.177:25): avc: denied
{ getattr } for pid=1839 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.178:26): avc: denied
{ execute } for pid=1840 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.178:27): avc: denied
{ getattr } for pid=1840 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.178:28): avc: denied
{ getattr } for pid=1840 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.179:29): avc: denied
{ execute } for pid=1841 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.179:30): avc: denied
{ getattr } for pid=1841 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.179:31): avc: denied
{ getattr } for pid=1841 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.179:32): avc: denied
{ execute } for pid=1842 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.179:33): avc: denied
{ getattr } for pid=1842 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.179:34): avc: denied
{ getattr } for pid=1842 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.180:35): avc: denied
{ execute } for pid=1843 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.180:36): avc: denied
{ getattr } for pid=1843 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.180:37): avc: denied
{ getattr } for pid=1843 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.180:38): avc: denied
{ execute } for pid=1844 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.180:39): avc: denied
{ getattr } for pid=1844 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.180:40): avc: denied
{ getattr } for pid=1844 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.181:41): avc: denied
{ execute } for pid=1845 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.181:42): avc: denied
{ getattr } for pid=1845 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.181:43): avc: denied
{ getattr } for pid=1845 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.181:44): avc: denied
{ execute } for pid=1846 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.182:45): avc: denied
{ getattr } for pid=1846 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.182:46): avc: denied
{ getattr } for pid=1846 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.192:47): avc: denied
{ create } for pid=1847 comm="iptables"
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
tclass=rawip_socket
Jul 1 06:17:50 localhost kernel: audit(1120213067.192:48): avc: denied
{ read } for pid=1847 comm="iptables" name=modprobe dev=proc
ino=-268435402 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:sysctl_modprobe_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.193:49): avc: denied
{ create } for pid=1848 comm="iptables"
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
tclass=rawip_socket
Jul 1 06:17:50 localhost kernel: audit(1120213067.193:50): avc: denied
{ read } for pid=1848 comm="iptables" name=modprobe dev=proc
ino=-268435402 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:sysctl_modprobe_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.194:51): avc: denied
{ create } for pid=1849 comm="iptables"
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
tclass=rawip_socket
Jul 1 06:17:50 localhost kernel: audit(1120213067.194:52): avc: denied
{ read } for pid=1849 comm="iptables" name=modprobe dev=proc
ino=-268435402 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:sysctl_modprobe_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.195:53): avc: denied
{ create } for pid=1850 comm="iptables"
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
tclass=rawip_socket
Jul 1 06:17:50 localhost kernel: audit(1120213067.195:54): avc: denied
{ read } for pid=1850 comm="iptables" name=modprobe dev=proc
ino=-268435402 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:sysctl_modprobe_t tclass=file
Jul 1 06:17:50 localhost kernel: audit(1120213067.202:55): avc: denied
{ create } for pid=1852 comm="iptables"
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
tclass=rawip_socket
Jul 1 06:17:50 localhost kernel: audit(1120213067.202:56): avc: denied
{ read } for pid=1852 comm="iptables" name=modprobe dev=proc
ino=-268435402 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:sysctl_modprobe_t tclass=file
*******************************************************************
Messages with enforcing=0
Jul 1 07:05:38 localhost kernel: audit(1120215935.141:2): avc: denied
{ read } for pid=1792 comm="cp" name=config dev=hda3 ino=681198
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.141:3): avc: denied
{ getattr } for pid=1792 comm="cp" name=config dev=hda3 ino=681198
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.223:4): avc: denied
{ getattr } for pid=1800 comm="sh" name=subsys dev=hda3 ino=940095
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t
tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215935.224:5): avc: denied
{ write } for pid=1829 comm="touch" name=subsys dev=hda3 ino=940095
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t
tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215935.224:6): avc: denied
{ add_name } for pid=1829 comm="touch" name=firestarter
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t
tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215935.224:7): avc: denied
{ create } for pid=1829 comm="touch" name=firestarter
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t
tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.224:8): avc: denied
{ write } for pid=1829 comm="touch" name=firestarter dev=hda3
ino=940966 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:var_lock_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.233:9): avc: denied
{ execute } for pid=1832 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.233:10): avc: denied
{ execute_no_trans } for pid=1832 comm="sh" name=modprobe dev=hda3
ino=129716 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.233:11): avc: denied
{ read } for pid=1832 comm="sh" name=modprobe dev=hda3 ino=129716
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:insmod_exec_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.234:12): avc: denied
{ read } for pid=1832 comm="modprobe" name=modprobe.conf.dist dev=hda3
ino=680929 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:modules_conf_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.234:13): avc: denied
{ getattr } for pid=1832 comm="modprobe" name=modprobe.conf.dist
dev=hda3 ino=680929 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:modules_conf_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.235:14): avc: denied
{ search } for pid=1832 comm="modprobe" name=modules dev=hda3
ino=453828 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:modules_object_t tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215935.235:15): avc: denied
{ read } for pid=1832 comm="modprobe" name=modules.dep dev=hda3
ino=454981 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:modules_object_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.235:16): avc: denied
{ getattr } for pid=1832 comm="modprobe" name=modules.dep dev=hda3
ino=454981 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:modules_object_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.258:17): avc: denied
{ write } for pid=1832 comm="modprobe" name=ip_tables.ko dev=hda3
ino=486540 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:modules_object_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.258:18): avc: denied
{ lock } for pid=1832 comm="modprobe" name=ip_tables.ko dev=hda3
ino=486540 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:modules_object_t tclass=file
Jul 1 07:05:38 localhost kernel: ip_tables: (C) 2000-2002 Netfilter
core team
Jul 1 07:05:38 localhost kernel: audit(1120215935.284:19): avc: denied
{ read } for pid=1836 comm="modprobe" name=modprobe.conf.dist dev=hda3
ino=680929 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:modules_conf_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.284:20): avc: denied
{ getattr } for pid=1836 comm="modprobe" name=modprobe.conf.dist
dev=hda3 ino=680929 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:modules_conf_t tclass=file
Jul 1 07:05:38 localhost kernel: ip_conntrack version 2.1 (7935
buckets, 63480 max) - 272 bytes per conntrack
Jul 1 07:05:38 localhost kernel: audit(1120215935.635:21): avc: denied
{ create } for pid=1889 comm="iptables"
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
tclass=rawip_socket
Jul 1 07:05:38 localhost kernel: audit(1120215935.635:22): avc: denied
{ getopt } for pid=1889 comm="iptables" lport=255
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
tclass=rawip_socket
Jul 1 07:05:38 localhost kernel: audit(1120215935.645:23): avc: denied
{ setopt } for pid=1894 comm="iptables" lport=255
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
tclass=rawip_socket
Jul 1 07:05:38 localhost kernel: audit(1120215935.747:24): avc: denied
{ search } for pid=1800 comm="sh" name=net dev=proc ino=-268435350
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:sysctl_net_t tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215935.747:25): avc: denied
{ getattr } for pid=1800 comm="sh" name=ip_forward dev=proc
ino=-268435327 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:sysctl_net_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.747:26): avc: denied
{ write } for pid=1800 comm="sh" name=ip_forward dev=proc
ino=-268435327 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:sysctl_net_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215935.749:27): avc: denied
{ read } for pid=1800 comm="sh" name=conf dev=proc ino=-268435027
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:sysctl_net_t tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215935.749:28): avc: denied
{ getattr } for pid=1800 comm="sh" name=conf dev=proc ino=-268435027
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:sysctl_net_t tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215936.012:29): avc: denied
{ write } for pid=2094 comm="mv" name=dhcpd.conf dev=hda3 ino=684556
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.012:30): avc: denied
{ unlink } for pid=2094 comm="mv" name=dhcpd.conf dev=hda3 ino=684556
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.045:31): avc: denied
{ getattr } for pid=2095 comm="dhcpd" name=dhcpd dev=hda3 ino=2473744
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:dhcpd_exec_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.057:32): avc: denied
{ getattr } for pid=2095 comm="dhcpd" name=dhcpd.leases dev=hda3
ino=940974 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:dhcpd_state_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.058:33): avc: denied
{ execute } for pid=2098 comm="dhcpd" name=dhcpd dev=hda3 ino=2473744
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:dhcpd_exec_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.058:34): avc: denied
{ execute_no_trans } for pid=2098 comm="dhcpd" name=dhcpd dev=hda3
ino=2473744 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:dhcpd_exec_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.058:35): avc: denied
{ read } for pid=2098 comm="dhcpd" name=dhcpd dev=hda3 ino=2473744
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:dhcpd_exec_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.098:36): avc: denied
{ read } for pid=2099 comm="dhcpd" name=pidof dev=hda3 ino=129747
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:sbin_t
tclass=lnk_file
Jul 1 07:05:38 localhost kernel: audit(1120215936.099:37): avc: denied
{ search } for pid=2100 comm="pidof" name=1 dev=proc ino=65538
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:init_t
tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215936.099:38): avc: denied
{ read } for pid=2100 comm="pidof" name=stat dev=proc ino=65550
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:init_t
tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.099:39): avc: denied
{ getattr } for pid=2100 comm="pidof" name=stat dev=proc ino=65550
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:init_t
tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.099:40): avc: denied
{ read } for pid=2100 comm="pidof" name=exe dev=proc ino=65545
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:init_t
tclass=lnk_file
Jul 1 07:05:38 localhost kernel: audit(1120215936.099:41): avc: denied
{ search } for pid=2100 comm="pidof" name=2 dev=proc ino=131074
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:kernel_t
tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215936.099:42): avc: denied
{ read } for pid=2100 comm="pidof" name=stat dev=proc ino=131086
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:kernel_t
tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.100:43): avc: denied
{ getattr } for pid=2100 comm="pidof" name=stat dev=proc ino=131086
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:kernel_t
tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.100:44): avc: denied
{ read } for pid=2100 comm="pidof" name=exe dev=proc ino=131081
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:kernel_t
tclass=lnk_file
Jul 1 07:05:38 localhost kernel: audit(1120215936.100:45): avc: denied
{ search } for pid=2100 comm="pidof" name=901 dev=proc ino=59047938
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:udev_t
tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215936.100:46): avc: denied
{ read } for pid=2100 comm="pidof" name=stat dev=proc ino=59047950
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:udev_t
tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.100:47): avc: denied
{ getattr } for pid=2100 comm="pidof" name=stat dev=proc ino=59047950
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:udev_t
tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.100:48): avc: denied
{ read } for pid=2100 comm="pidof" name=exe dev=proc ino=59047945
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:udev_t
tclass=lnk_file
Jul 1 07:05:38 localhost kernel: audit(1120215936.101:49): avc: denied
{ search } for pid=2100 comm="pidof" name=1013 dev=proc ino=66387970
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:initrc_t
tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215936.101:50): avc: denied
{ read } for pid=2100 comm="pidof" name=stat dev=proc ino=66387982
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:initrc_t
tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.101:51): avc: denied
{ getattr } for pid=2100 comm="pidof" name=stat dev=proc ino=66387982
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:initrc_t
tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.101:52): avc: denied
{ read } for pid=2100 comm="pidof" name=exe dev=proc ino=66387977
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:initrc_t
tclass=lnk_file
Jul 1 07:05:38 localhost kernel: audit(1120215936.102:53): avc: denied
{ search } for pid=2100 comm="pidof" name=1833 dev=proc ino=120127490
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:hotplug_t
tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215936.102:54): avc: denied
{ read } for pid=2100 comm="pidof" name=stat dev=proc ino=120127502
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:hotplug_t
tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.102:55): avc: denied
{ getattr } for pid=2100 comm="pidof" name=stat dev=proc ino=120127502
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:hotplug_t
tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.102:56): avc: denied
{ read } for pid=2100 comm="pidof" name=cwd dev=proc ino=120127495
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:hotplug_t
tclass=lnk_file
Jul 1 07:05:38 localhost kernel: audit(1120215936.114:57): avc: denied
{ search } for pid=2102 comm="rhgb-client" name=rhgb dev=hda3
ino=682523 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:mnt_t tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215936.114:58): avc: denied
{ search } for pid=2102 comm="rhgb-client" name=/ dev=ramfs ino=4327
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ramfs_t
tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215936.114:59): avc: denied
{ write } for pid=2102 comm="rhgb-client" name=rhgb-socket dev=ramfs
ino=4335 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:ramfs_t tclass=sock_file
Jul 1 07:05:38 localhost kernel: audit(1120215936.114:60): avc: denied
{ connectto } for pid=2102 comm="rhgb-client" name=rhgb-socket
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:initrc_t
tclass=unix_stream_socket
Jul 1 07:05:38 localhost kernel: audit(1120215936.177:61): avc: denied
{ search } for pid=2103 comm="dhcpd" name=gdm dev=hda3 ino=940237
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:xserver_log_t tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215936.205:62): avc: denied
{ read } for pid=2107 comm="dhcpd" name=dhcpd.leases dev=hda3
ino=940974 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:dhcpd_state_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.212:63): avc: denied
{ append } for pid=2107 comm="dhcpd" name=dhcpd.leases dev=hda3
ino=940974 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:dhcpd_state_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.224:64): avc: denied
{ unlink } for pid=2107 comm="dhcpd" name=dhcpd.leases~ dev=hda3
ino=940970 scontext=system_u:system_r:dhcpc_t
tcontext=root:object_r:dhcpd_state_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.224:65): avc: denied
{ link } for pid=2107 comm="dhcpd" name=dhcpd.leases dev=hda3
ino=940974 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:dhcpd_state_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.224:66): avc: denied
{ unlink } for pid=2107 comm="dhcpd" name=dhcpd.leases dev=hda3
ino=940974 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:dhcpd_state_t tclass=file
Jul 1 07:05:38 localhost kernel: audit(1120215936.229:67): avc: denied
{ name_bind } for pid=2107 comm="dhcpd" s
FC3: selinux-policy-targeted-1.17.30-3.15 seems to have broken gpg...
by Michael W. Carney
49# uname -a
Linux lucy-01 2.6.11-1.35_FC3smp #1 SMP Mon Jun 13 01:17:35 EDT 2005 i686
i686 i386 GNU/Linux
50#
45# gpg --list-keys
gpg: error while loading shared libraries: cannot restore segment prot after
reloc: Permission denied
46#
Jul 1 07:40:13 lucy-01 kernel: audit(1120228813.336:0): avc: denied
{ execmod } for pid=5567 comm=gpg path=/usr/bin/gpg dev=sdb5 ino=67343
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t
tclass=file
Any suggestions?
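A small AVC triage parser for the wrapped audit format in the two posts above (the dhcpc_t dump and the gpg execmod denial), added here as an example; it is not code from either poster or from Fedora. It re-joins records that the mail client split across lines and groups the denials by source type, target type and class the way audit2allow does; SAMPLE_LOG is a constructed excerpt modelled on those posts.

```python
import re
from collections import defaultdict

# Constructed sample in the line-wrapped form the list archive shows; one AVC
# record spans several physical lines (modelled on the dhcpc_t and gpg posts).
SAMPLE_LOG = """\
Jul 1 07:05:38 localhost kernel: audit(1120215935.224:5): avc: denied
{ write } for pid=1829 comm="touch" name=subsys dev=hda3 ino=940095
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t
tclass=dir
Jul 1 07:05:38 localhost kernel: audit(1120215935.224:6): avc: denied
{ add_name } for pid=1829 comm="touch" name=firestarter
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t
tclass=dir
Jul 1 07:40:13 lucy-01 kernel: audit(1120228813.336:0): avc: denied
{ execmod } for pid=5567 comm=gpg path=/usr/bin/gpg dev=sdb5 ino=67343
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t
tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # comm appears quoted or bare

def join_wrapped(text):
    """Re-join records the mail client wrapped: each record starts at a line with 'avc:'."""
    return [" ".join(r.split()) for r in re.split(r"\n(?=[^\n]*avc:)", text.strip())]

def parse_avc(record):
    m = AVC_RE.search(record)
    if not m:
        return None
    entry = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    entry["verdict"], entry["perms"] = m.group(1), set(m.group(2).split())
    # a context is user:role:type[:range]; policy rules are written on the type
    entry["stype"] = entry["scontext"].split(":")[2]
    entry["ttype"] = entry["tcontext"].split(":")[2]
    return entry

def summarize(text):
    """Group denials by (source type, target type, class), the way audit2allow does."""
    summary = defaultdict(set)
    for e in filter(None, map(parse_avc, join_wrapped(text))):
        if e["verdict"] == "denied":
            summary[(e["stype"], e["ttype"], e["tclass"])] |= e["perms"]
    return dict(summary)

def allow_rules(text):
    """Candidate rules to review, not apply blindly: execmod on bin_t (the gpg case,
    'cannot restore segment prot after reloc') is the loader hitting a text relocation."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in summarize(text).items())
```

Run `print("\n".join(allow_rules(SAMPLE_LOG)))` to see the two candidate rules; each one should be checked against what the domain is actually supposed to do before any of it goes into local policy.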