Selinux Audit Question
by Norm
What does this message mean, should I edit or modify some of my
settings somewhere?
-------------------- Selinux Audit Begin ------------------------
*** Denials ***
system_u system_u (dir): 10 times
system_u system_u (file): 7 times
17 years, 1 month
denied avc's for hald, hpiod and mplayer plugin
by Antonio Olivares
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
audit(1161244617.541:4): avc: denied { name_bind } for pid=2074 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
eth0: no IPv6 routers present
audit(1161244622.801:5): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1161244622.801:6): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1161244622.801:7): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1161244622.801:8): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1161244622.801:9): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1161246948.355:10): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246948.355:11): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246948.391:12): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246948.391:13): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246948.403:14): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246948.403:15): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246948.415:16): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246948.415:17): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246981.941:18): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246981.941:19): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246981.941:20): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246981.941:21): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246981.941:22): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246981.941:23): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246981.941:24): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161246981.941:25): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247003.070:26): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247003.070:27): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247003.074:28): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247003.074:29): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247003.074:30): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247003.074:31): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247003.074:32): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247003.074:33): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247021.299:34): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247021.299:35): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247021.299:36): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247021.299:37): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247021.299:38): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247021.299:39): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247021.299:40): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
audit(1161247021.299:41): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
I have tried audit2allow, but it returns the following:
[olivares@localhost ~]$ grep avc /var/log/audit/audit.log | audit2allow -M local
grep: /var/log/audit/audit.log: No such file or directory
Generating type enforcment file: local.te
/usr/bin/audit2allow: No AVC messages found.
I have run yum update and it should have fixed the hald and hpiod but it has not.
As for the mplayer plugin, I installed it from source code, and did not want to disable SELinux just to install it. I want to know how to enable it the hard way.
Thanks,
Antonio
17 years, 1 month
Avc's while running rkhunter
by pi
Hashes seem OK when I turn SELinux protection off; as soon as I turn
SELinux on while running rkhunter, they show up as BAD.
So I figure they are okay, but rkhunter is denied access to something.
Can someone explain what I have to do to make it right?
I'm on FC5, and I think it's fully updated if I haven't missed out on
any new repos.
dries.repo fedora-extras.repo
freshrpms.repo
fedora-core.repo fedora-legacy.repo livna.repo
fedora-development.repo fedora-updates.repo
macromedia.repo
fedora-extras-development.repo fedora-updates-testing.repo nuu.repo
--------------------------------------------------------
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
--------------------------------------------------------
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
--------------------------------------------------------
type=AVC msg=audit(1161332509.183:234): avc: denied { read write }
for pid=28899 comm="prelink" name="0" dev=devpts ino=2
scontext=user_u:system_r:prelink_t:s0
tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1161332509.183:234): avc: denied { read write }
for pid=28899 comm="prelink" name="0" dev=devpts ino=2
scontext=user_u:system_r:prelink_t:s0
tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1161332509.183:234): avc: denied { write } for
pid=28899 comm="prelink" name="prelink.tst" dev=dm-0 ino=1277164
scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:var_t:s0
tclass=file
type=AVC msg=audit(1161332509.183:234): avc: denied { read write }
for pid=28899 comm="prelink" name="0" dev=devpts ino=2
scontext=user_u:system_r:prelink_t:s0
tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1161332509.183:234): arch=40000003 syscall=11
success=yes exit=0 a0=8fd6ec8 a1=8fd6ae0 a2=8f4b3b8 a3=8fd6d38 items=0
ppid=28898 pid=28899 auid=523 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink"
subj=user_u:system_r:prelink_t:s0 key=(null)
type=AVC_PATH msg=audit(1161332509.183:234): path="/dev/pts/0"
type=AVC_PATH msg=audit(1161332509.183:234):
path="/var/rkhunter/tmp/prelink.tst"
type=AVC_PATH msg=audit(1161332509.183:234): path="/dev/pts/0"
type=AVC msg=audit(1161332509.859:235): avc: denied { read write }
for pid=28959 comm="prelink" name="0" dev=devpts ino=2
scontext=user_u:system_r:prelink_t:s0
tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1161332509.859:235): avc: denied { read write }
for pid=28959 comm="prelink" name="0" dev=devpts ino=2
scontext=user_u:system_r:prelink_t:s0
tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1161332509.859:235): avc: denied { write } for
pid=28959 comm="prelink" name="prelink.tst" dev=dm-0 ino=1277164
scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:var_t:s0
tclass=file
type=AVC msg=audit(1161332509.859:235): avc: denied { read write }
for pid=28959 comm="prelink" name="0" dev=devpts ino=2
scontext=user_u:system_r:prelink_t:s0
tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1161332509.859:235): arch=40000003 syscall=11
success=yes exit=0 a0=8fd66f0 a1=8fd6ae0 a2=8f4b3b8 a3=8fd6ea0 items=0
ppid=28958 pid=28959 auid=523 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink"
subj=user_u:system_r:prelink_t:s0 key=(null)
type=AVC_PATH msg=audit(1161332509.859:235): path="/dev/pts/0"
type=AVC_PATH msg=audit(1161332509.859:235):
path="/var/rkhunter/tmp/prelink.tst"
type=AVC_PATH msg=audit(1161332509.859:235): path="/dev/pts/0"
Regards
/pi
17 years, 1 month
roles
by Gene Czarcinski
I have been fooling around with RBAC and roles to see how it works and could
be used.
If I understand correctly, either
1. In order to add a new role, you need to modify the source in the src.rpm
and create a "new" policy: gop or "Gene's Own Policy".
or
2. I do not know the correct "magic dance" to perform to add a new role
definition to an existing policy.
Comment?
Gene
17 years, 1 month
FC6 SELinux issues
by Gene Czarcinski
I have been running FC6T3 plus updates and an even more recent install from
FC6 development (selinux targeted and enforcing) and everything is looking
very good. Since I follow the LSPP list and know that a lot of work has been
done with the mls policy for RHEL 5 (and FC6), I thought I would give it a
try.
Before I spend time putting in bugzilla reports since it is going to take time to
gather the documentation, I am hoping some of this is known. This testing
was done with clean installs on hardware and using vmware.
1. install selinux-policy-mls and switch to it using the
system-config-security tool ... then reboot and do the relabeling
(enforcing=0). Then reboot again (enforcing=1) ... oops, an almost immediate
kernel panic!
2. OK, get the system back up in targeted mode. I then thought I would try
strict ... install selinux-policy-strict ... then reboot and do the relabeling
(enforcing=0). Then reboot again (enforcing=1) ... better ... no kernel
panic ... but not much better since some services fail starting and, when I
logon as root, I cannot do anything.
This is NOT GOOD!!!
3. While doing the above tests, I tried using the system-config-security gui
tool to change the policy. I booted up with enforcing=0 and then tried the
tool to change back to targeted. Since I run targeted with enforcing, I left
the tool specification as enforcing. Unfortunately, the tool sets enforcing
for the runtime system BEFORE it changes /etc/sysconfig/selinux file.
Folks, this does not look ready for prime time as close as we are to final!
While I do not expect everything to work, I do expect a bit more than what I
got. From what I saw, this should be easily repeatable by developers.
As I said, it is going to take me a bit of time to gather documentation for
bugzilla reports. I hope that someone out there can give these policies a
try to see if they can duplicate what I experienced.
--
Gene Czarcinski
17 years, 1 month
List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
17 years, 1 month
xen, selinux, FC5
by Robin Bowes
Hi,
I'm trying to get xen working on FC5 with SELinux enabled.
# rpm -q kernel-xen0 xen selinux-policy
kernel-xen0-2.6.17-1.2187_FC5
xen-3.0.2-3.FC5
selinux-policy-2.3.7-2.fc5
I'm doing it by running stuff and seeing what AVC msgs I get and
creating a custom module to allow them.
E.g., I run this command:
audit2allow -M local -l -i /var/log/audit/audit.log
Then merge any new entries from local.te into xen.te and rebuild the module:
export SEAPP=xen
checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te
semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod
semodule -i ${SEAPP}.pp
This seems to be working fine - I have FC5 installed as a host, with a
guest install of FC5 running as a guest. The "snapshot" capability also
works (xm save ...).
This is the module I'm using:
module local 1.0;

require {
    class chr_file { read write };
    class dir { add_name create search setattr write };
    class fd use;
    class file { append create read write };
    class unix_stream_socket { read write };
    type home_root_t;
    type ifconfig_t;
    type local_login_t;
    type netutils_t;
    type proc_xen_t;
    type tmp_t;
    type tty_device_t;
    type user_home_dir_t;
    type user_home_t;
    type var_log_t;
    type var_run_t;
    type xend_t;
    type xend_var_log_t;
    role system_r;
};

allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
My question is: is this the right approach to getting xen (or any app)
working under selinux? Or is there an easier way? Am I opening up any
major security holes doing this?
One other problem I've noticed is that the xendomains init script didn't
start the domains at boot, or from the command-line. I've copied the new
one from https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=120075
but I was seeing this error:
# service xendomains start
Starting auto Xen domains:Error: Disk isn't accessible
This is the context of that file:
-rwxr-xr-x root root system_u:object_r:initrc_exec_t xendomains
I copied xendomains to xendomains.new so it has this context:
-rwxr-xr-x root root root:object_r:etc_t xendomains.new
And the script now works.
Again, is this the (or a) correct fix? Any security problems with this?
Thanks,
R.
17 years, 1 month
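Added example (not Robin's code and not part of the SELinux tools): the manual step "merge any new entries from local.te into xen.te" done by a short Python script that unions the allow rules, regenerates the require block from them, and returns only the newly granted permissions, so each round's delta can be reviewed before the module is rebuilt. XEN_TE is an excerpt of the module above; LOCAL_TE, its getattr permission, and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# Excerpt of the module posted above (the existing xen.te).
XEN_TE = """\
allow netutils_t proc_xen_t:file { read write };
allow xend_t tmp_t:dir search;
allow xend_t user_home_t:file { create write };
"""

# Constructed local.te, as a later audit2allow run might produce it: one rule
# widens an existing rule (getattr is made up here), one rule is new.
LOCAL_TE = """\
module local 1.0;

require {
    class dir { create setattr };
    class file { getattr write };
    type user_home_t;
    type var_run_t;
    type xend_t;
}

allow xend_t user_home_t:file { getattr write };
allow xend_t var_run_t:dir { create setattr };
"""

ALLOW_RE = re.compile(
    r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;', re.M)


def parse_allows(te_text):
    """Map (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules[(src, tgt, cls)].update(perms.strip("{} ").split())
    return rules


def merge(existing_te, new_te):
    """Union both rule sets; also return only what new_te adds."""
    merged = parse_allows(existing_te)
    added = {}
    for key, perms in parse_allows(new_te).items():
        extra = perms - merged.get(key, set())
        if extra:
            added[key] = extra
            merged[key] |= extra
    return merged, added


def fmt(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render(name, version, rules):
    """Write a module whose require block is derived from the rules.

    Only classes and types are required; plain allow rules between types
    do not reference a role. The module name is the caller's choice.
    """
    classes, types = defaultdict(set), set()
    for (src, tgt, cls), perms in rules.items():
        classes[cls] |= perms
        types.add(src)
        if tgt != "self":
            types.add(tgt)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"    class {c} {fmt(classes[c])};" for c in sorted(classes)]
    out += [f"    type {t};" for t in sorted(types)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt(rules[(s, t, c)])};"
            for (s, t, c) in sorted(rules)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    merged, added = merge(XEN_TE, LOCAL_TE)
    print("Newly granted in this round (review before loading):")
    for (s, t, c), perms in sorted(added.items()):
        print(f"  {s} -> {t}:{c} {fmt(perms)}")
    print()
    print(render("xen", "1.0", merged))
```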
AVC deny message from sendmail?
by Bill
I've been looking at SELinux under FC5 using the 'strict' policy and was
surprised to see that even in a standard desktop install 'sendmail'
appears to produce a number of deny messages.
I took a look at the messages to see if they were part of the policy and the
first thing I found was I couldn't find the source for the policy, just
'if' files and various modules.
I did take a look at the reference policy sources, and the messages seem to
be covered by various allows in that version of the strict policy, so I am
a bit confused as to what is happening here.
I'd like to be able to run 'strict' and not see any policy denies; but am
not sure what I can do about it other than loading a brand new sendmail.te?
Bill
17 years, 1 month
AVCs from pup(let) on kernel package installs
by Tom London
Running yesterday's rawhide, targeted/permissive.
Installing today's rawhide updates using the pup system tray icon
(e.g., selecting 'Apply updates' from the icon):
[root@localhost ~]# audit2allow -i log
allow bootloader_t xdm_t:fifo_file { getattr write };
allow depmod_t xdm_t:fifo_file write;
allow lvm_t xdm_t:fifo_file write;
[root@localhost ~]#
Appears to be a problem (missing transition?) when installing kernel
packages. In today's updates, I updated kernel, kernel-PAE and
kernel-xen packages and got the following. I tried to associate the
AVC's with the packages (not 100% sure on the associations):
kernel:
type=AVC msg=audit(1160573358.763:32): avc: denied { write } for
pid=3714 comm="depmod" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:depmod_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573358.763:32): arch=40000003 syscall=11
success=yes exit=0 a0=9d1c318 a1=9d0e4d8 a2=9d11ce0 a3=9d1c648 items=0
ppid=3706 pid=3714 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="depmod" exe="/sbin/depmod"
subj=system_u:system_r:depmod_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573358.763:32): path="pipe:[12557]"
type=AVC msg=audit(1160573359.115:33): avc: denied { write } for
pid=3715 comm="mkinitrd" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573359.115:33): arch=40000003 syscall=11
success=yes exit=0 a0=9d1be40 a1=9d0e4d8 a2=9d11ce0 a3=9d1c358 items=0
ppid=3706 pid=3715 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="mkinitrd" exe="/bin/bash"
subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573359.115:33): path="pipe:[12557]"
type=AVC msg=audit(1160573359.159:34): avc: denied { getattr } for
pid=3722 comm="awk" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573359.159:34): arch=40000003 syscall=197
success=yes exit=0 a0=2 a1=bf999684 a2=4765cff4 a3=bf999684 items=0
ppid=3720 pid=3722 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk"
subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573359.159:34): path="pipe:[12557]"
type=AVC msg=audit(1160573362.655:35): avc: denied { write } for
pid=4181 comm="dmsetup" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:lvm_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573362.655:35): arch=40000003 syscall=11
success=yes exit=0 a0=870f468 a1=873e160 a2=8736d88 a3=873dec8 items=0
ppid=4180 pid=4181 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup"
subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573362.655:35): path="pipe:[12557]"
kernel-PAE
type=AVC msg=audit(1160573388.537:36): avc: denied { getattr } for
pid=5609 comm="awk" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573388.537:36): arch=40000003 syscall=197
success=yes exit=0 a0=2 a1=bff0dc04 a2=4765cff4 a3=bff0dc04 items=0
ppid=5606 pid=5609 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk"
subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573388.537:36): path="pipe:[12557]"
type=AVC msg=audit(1160573389.721:37): avc: denied { write } for
pid=5905 comm="dmsetup" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:lvm_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573389.721:37): arch=40000003 syscall=11
success=yes exit=0 a0=8c961c0 a1=8ca0818 a2=8c97da0 a3=8c6bae0 items=0
ppid=5904 pid=5905 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup"
subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573389.721:37): path="pipe:[12557]"
kernel-xen
type=AVC msg=audit(1160573388.537:36): avc: denied { getattr } for
pid=5609 comm="awk" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573388.537:36): arch=40000003 syscall=197
success=yes exit=0 a0=2 a1=bff0dc04 a2=4765cff4 a3=bff0dc04 items=0
ppid=5606 pid=5609 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk"
subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573388.537:36): path="pipe:[12557]"
type=AVC msg=audit(1160573389.721:37): avc: denied { write } for
pid=5905 comm="dmsetup" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:lvm_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573389.721:37): arch=40000003 syscall=11
success=yes exit=0 a0=8c961c0 a1=8ca0818 a2=8c97da0 a3=8c6bae0 items=0
ppid=5904 pid=5905 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup"
subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573389.721:37): path="pipe:[12557]"
type=AVC msg=audit(1160573445.578:38): avc: denied { write } for
pid=7354 comm="depmod" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:depmod_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573445.578:38): arch=40000003 syscall=11
success=yes exit=0 a0=842e460 a1=84204d8 a2=8423d78 a3=842e6c8 items=0
ppid=7341 pid=7354 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="depmod" exe="/sbin/depmod"
subj=system_u:system_r:depmod_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573445.578:38): path="pipe:[12557]"
type=AVC msg=audit(1160573445.854:39): avc: denied { write } for
pid=7355 comm="mkinitrd" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573445.854:39): arch=40000003 syscall=11
success=yes exit=0 a0=842dfb0 a1=84204d8 a2=8423d78 a3=842e2f0 items=0
ppid=7341 pid=7355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="mkinitrd" exe="/bin/bash"
subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573445.854:39): path="pipe:[12557]"
type=AVC msg=audit(1160573449.574:40): avc: denied { getattr } for
pid=7523 comm="awk" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573449.574:40): arch=40000003 syscall=197
success=yes exit=0 a0=2 a1=bfd34a34 a2=4765cff4 a3=bfd34a34 items=0
ppid=7520 pid=7523 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk"
subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573449.574:40): path="pipe:[12557]"
type=AVC msg=audit(1160573450.622:41): avc: denied { write } for
pid=7819 comm="dmsetup" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:lvm_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573450.622:41): arch=40000003 syscall=11
success=yes exit=0 a0=9f6d1c0 a1=9f77818 a2=9f6eda0 a3=9f42ae0 items=0
ppid=7818 pid=7819 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup"
subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573450.622:41): path="pipe:[12557]"
couldn't tell which one:
type=AVC msg=audit(1160573388.537:36): avc: denied { getattr } for
pid=5609 comm="awk" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573388.537:36): arch=40000003 syscall=197
success=yes exit=0 a0=2 a1=bff0dc04 a2=4765cff4 a3=bff0dc04 items=0
ppid=5606 pid=5609 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk"
subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573388.537:36): path="pipe:[12557]"
type=AVC msg=audit(1160573389.721:37): avc: denied { write } for
pid=5905 comm="dmsetup" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:lvm_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573389.721:37): arch=40000003 syscall=11
success=yes exit=0 a0=8c961c0 a1=8ca0818 a2=8c97da0 a3=8c6bae0 items=0
ppid=5904 pid=5905 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup"
subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573389.721:37): path="pipe:[12557]"
type=AVC msg=audit(1160573445.578:38): avc: denied { write } for
pid=7354 comm="depmod" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:depmod_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573445.578:38): arch=40000003 syscall=11
success=yes exit=0 a0=842e460 a1=84204d8 a2=8423d78 a3=842e6c8 items=0
ppid=7341 pid=7354 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="depmod" exe="/sbin/depmod"
subj=system_u:system_r:depmod_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573445.578:38): path="pipe:[12557]"
type=AVC msg=audit(1160573445.854:39): avc: denied { write } for
pid=7355 comm="mkinitrd" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573445.854:39): arch=40000003 syscall=11
success=yes exit=0 a0=842dfb0 a1=84204d8 a2=8423d78 a3=842e2f0 items=0
ppid=7341 pid=7355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="mkinitrd" exe="/bin/bash"
subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573445.854:39): path="pipe:[12557]"
type=AVC msg=audit(1160573449.574:40): avc: denied { getattr } for
pid=7523 comm="awk" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573449.574:40): arch=40000003 syscall=197
success=yes exit=0 a0=2 a1=bfd34a34 a2=4765cff4 a3=bfd34a34 items=0
ppid=7520 pid=7523 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk"
subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573449.574:40): path="pipe:[12557]"
type=AVC msg=audit(1160573450.622:41): avc: denied { write } for
pid=7819 comm="dmsetup" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:lvm_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573450.622:41): arch=40000003 syscall=11
success=yes exit=0 a0=9f6d1c0 a1=9f77818 a2=9f6eda0 a3=9f42ae0 items=0
ppid=7818 pid=7819 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup"
subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573450.622:41): path="pipe:[12557]"
tom
--
Tom London
17 years, 1 month
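Added example (not part of Tom's post or of any other message in this archive): a small Python parser that reduces denial logs like the ones posted in this thread to one rule per (source type, target type, class), in the same form audit2allow printed above. It accepts both the kernel-log format from the hald/hpiod/mplayer message and the mail-wrapped audit.log format; the function names and the choice to flag execmem-style permissions for manual review are assumptions of this example.

```python
import re

# Constructed sample: records copied from the posts on this page. The first
# group is in the kernel-log format (with an unrelated kernel line between),
# the rest in auditd's format, line-wrapped the way the mail archive shows it.
SAMPLE = '''\
audit(1161246948.355:10): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
eth0: no IPv6 routers present
audit(1161246948.355:11): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1160573358.763:32): avc: denied { write } for
pid=3714 comm="depmod" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:depmod_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC_PATH msg=audit(1160573358.763:32): path="pipe:[12557]"
type=AVC msg=audit(1160573359.115:33): avc: denied { write } for
pid=3715 comm="mkinitrd" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1160573359.159:34): avc: denied { getattr } for
pid=3722 comm="awk" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1160573362.655:35): avc: denied { write } for
pid=4181 comm="dmsetup" name="[12557]" dev=pipefs ino=12557
scontext=system_u:system_r:lvm_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
'''

RECORD_START = re.compile(r'^(type=\w+ msg=)?audit\(')
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)')
# Assumption of this example: permissions that relax memory protection are
# listed separately for a human decision instead of being allowed in bulk.
MEMORY_PERMS = {"execmem", "execstack", "execheap", "execmod"}


def unwrap(text):
    """Rejoin records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def summarize(text):
    """Group denials by (source type, target type, object class)."""
    groups = {}
    for rec in unwrap(text):
        m = AVC_RE.search(rec)
        if not m:
            continue  # SYSCALL / AVC_PATH records and unrelated kernel lines
        key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
        g = groups.setdefault(key, {"perms": set(), "comms": set(), "count": 0})
        g["perms"].update(m["perms"].split())
        g["comms"].add(m["comm"])
        g["count"] += 1
    return groups


def allow_rules(groups):
    """Render the groups in the form audit2allow prints."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {p};")
    return rules


def needs_review(groups):
    """Keys whose denied permissions include a memory-protection permission."""
    return sorted(k for k, g in groups.items() if g["perms"] & MEMORY_PERMS)


if __name__ == "__main__":
    groups = summarize(SAMPLE)
    for rule in allow_rules(groups):
        print(rule)
    for key in needs_review(groups):
        print("review by hand:", key, sorted(groups[key]["comms"]))
```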
FC5, SELinux strict, and kickstart
by David Nedrow
Has anyone successfully installed FC5 while specifying the strict
policy via kickstart?
I've made the changes recommended in the FC5 SELinux FAQ (adding %
package entry for selinux-policy-strict and lokkit/touch lines to
kickstart), but when the system boots everything seems to hang. If I
boot permissive, I see a ton of entries in the audit log that appear
to relate to virtually every step of the boot process.
The odd thing is, if I install manually from the DVD, everything
works fine. It's only when I try an automated network build that
things seem to fall apart.
Does this question more properly belong to the kickstart list?
Any help will be appreciated.
-David
17 years, 1 month