hald AVCs from today's rawhide
by Tom London
Running today's rawhide, targeted/enforcing.
Noticed the following.
----
type=PATH msg=audit(03/03/2006 07:07:50.170:13) : item=0
name=/proc/sys/vm/ flags=follow,access inode=4026531930 dev=00:03
mode=dir,555 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/03/2006 07:07:50.170:13) : cwd=/usr/share/hal/scripts
type=SYSCALL msg=audit(03/03/2006 07:07:50.170:13) : arch=i386
syscall=access success=no exit=-13(Permission denied) a0=8566400 a1=2
a2=2 a3=8565878 items=1 pid=2489 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=pm-powersave exe=/bin/bash
type=AVC msg=audit(03/03/2006 07:07:50.170:13) : avc: denied { write
} for pid=2489 comm=pm-powersave name=vm dev=proc ino=-268435366
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
----
type=PATH msg=audit(03/03/2006 07:07:51.358:14) : item=0
name=/proc/sys/vm/ flags=follow,access inode=4026531930 dev=00:03
mode=dir,555 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/03/2006 07:07:51.358:14) : cwd=/usr/share/hal/scripts
type=SYSCALL msg=audit(03/03/2006 07:07:51.358:14) : arch=i386
syscall=access success=no exit=-13(Permission denied) a0=9d16400 a1=2
a2=2 a3=9d15878 items=1 pid=2520 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=pm-powersave exe=/bin/bash
type=AVC msg=audit(03/03/2006 07:07:51.358:14) : avc: denied { write
} for pid=2520 comm=pm-powersave name=vm dev=proc ino=-268435366
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
----
tom
--
Tom London
AVC when configuring printer.....
by Tom London
Running latest Rawhide, targeted/enforcing.
System->Administration->Printing, and hitting 'Apply' on the currently
configured printer produces the following:
----
type=PATH msg=audit(02/27/2006 08:04:15.126:101) : item=2
flags=follow,open inode=1045697 dev=fd:00 mode=file,755 ouid=root
ogid=root rdev=00:00
type=PATH msg=audit(02/27/2006 08:04:15.126:101) : item=1
flags=follow,open inode=5786615 dev=fd:00 mode=file,755 ouid=root
ogid=root rdev=00:00
type=PATH msg=audit(02/27/2006 08:04:15.126:101) : item=0
name=/usr/sbin/printconf-backend flags=follow,open inode=5790576
dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(02/27/2006 08:04:15.126:101) : cwd=/
type=AVC_PATH msg=audit(02/27/2006 08:04:15.126:101) : path=pipe:[21844]
type=AVC_PATH msg=audit(02/27/2006 08:04:15.126:101) :
path=/root/.rh-fontconfig/.fonts.cache-2
type=SYSCALL msg=audit(02/27/2006 08:04:15.126:101) : arch=i386
syscall=execve success=yes exit=0 a0=899cdc8 a1=899ce18 a2=899cf20
a3=8999d70 items=3 pid=5773 auid=tbl uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root
comm=printconf-backe exe=/usr/bin/python
type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied { read
} for pid=5773 comm=printconf-backe name=.fonts.cache-2 dev=dm-0
ino=555510 scontext=system_u:system_r:cupsd_config_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied {
write } for pid=5773 comm=printconf-backe name=[21844] dev=pipefs
ino=21844 scontext=system_u:system_r:cupsd_config_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
----
tom
--
Tom London
Re: FC4 + samba + selinux
by Ivan Gyurdiev
>
>> I think we should allow smbd to search all directories if this is the
>> case. Alternatively we can have system-config-samba generate policy for
>> this on the fly, and alert the user, but that will be a pain, and seems
>> unnecessary.
>>
>>
> Maybe have system-config-samba make sure the directory is properly
> labeled with mnt_t or samba_share_t?
I think Eric's point was that smbd needs directory search access on the
entire path to the directory. I haven't verified that this is correct,
but from past experience I suspect it's true. Labeling everything on the
path as samba_share_t or mnt_t is usually not possible.
FC4 + samba + selinux
by Louis Garcia
I am setting up an FC4 samba server and can't get my shares accessed.
With selinux off samba works normally.
I have created a dir:
drwxrwsrwx root root system_u:object_r:samba_share_t /data/public
This is the error I get:
type=AVC msg=audit(1140923608.645:86): avc: denied { search } for
pid=3338 comm="smbd" name="/" dev=hda5 ino=2
scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t
tclass=dir
type=SYSCALL msg=audit(1140923608.645:86): arch=40000003 syscall=195
success=no exit=-13 a0=88b85f8 a1=bff9aec4 a2=7fbff4 a3=bff9aec4 items=1
pid=3338 auid=500 uid=502 gid=0 euid=502 suid=0 fsuid=502 egid=100
sgid=100 fsgid=100 comm="smbd" exe="/usr/sbin/smbd"
type=CWD msg=audit(1140923608.645:86): cwd="/"
type=PATH msg=audit(1140923608.645:86): item=0 name="/data/public"
flags=1 inode=2 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00
why does smbd_t want access to default_t when the dir is labeled
samba_share_t?
Does smbd_t have access to samba_share_t by default?
Any advice, --Louis
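The three denials in this thread (hald's pm-powersave script, printconf-backend, and smbd) all reduce to the same tuple: source type, target type, object class, permission. The script below is an added example, not code from any of the posters or from the SELinux tooling. It parses the AVC records quoted above (reassembled onto one line each as constructed sample input; ausearch -i wraps them), groups them into the allow-rule shape audit2allow produces, and for a search denial pairs the AVC with the PATH record of the same event and lists the ancestor directories whose labels need checking, which is the point Ivan makes about smbd needing search on every directory on the path. The sample lines, function names and the ls -dZ suggestion are this example's own.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample: the AVC/PATH records quoted in this thread, one per line.
# The first three are in the interpreted form ausearch -i prints
# ("msg=audit(03/03/2006 ...) :"), the last two in the raw auditd form
# ("msg=audit(1140923608.645:86):"); the regexes accept both.
SAMPLE_AUDIT = """\
type=AVC msg=audit(03/03/2006 07:07:50.170:13) : avc: denied { write } for pid=2489 comm=pm-powersave name=vm dev=proc ino=-268435366 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied { read } for pid=5773 comm=printconf-backe name=.fonts.cache-2 dev=dm-0 ino=555510 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied { write } for pid=5773 comm=printconf-backe name=[21844] dev=pipefs ino=21844 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
type=AVC msg=audit(1140923608.645:86): avc: denied { search } for pid=3338 comm="smbd" name="/" dev=hda5 ino=2 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
type=PATH msg=audit(1140923608.645:86): item=0 name="/data/public" flags=1 inode=2 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<event>[^)]*)\)\s*:\s*avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
PATH_RE = re.compile(r"type=PATH msg=audit\((?P<event>[^)]*)\)\s*:\s*(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping the quotes raw auditd adds."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """The type component of a security context user:role:type[:level]."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; returns None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = parse_fields(m.group("fields"))
    return {
        "event": m.group("event"),
        "perms": set(m.group("perms").split()),
        "source": context_type(f["scontext"]),
        "target": context_type(f["tcontext"]),
        "tclass": f["tclass"],
        "comm": f.get("comm"),
        "name": f.get("name"),
    }


def summarize(text):
    """Group denials by (source type, target type, class) -> permissions."""
    out = defaultdict(set)
    for line in text.splitlines():
        r = parse_avc(line)
        if r:
            out[(r["source"], r["target"], r["tclass"])] |= r["perms"]
    return dict(out)


def allow_rules(text):
    """Policy lines in the shape audit2allow emits. For triage only: an allow
    rule is the wrong fix when the denial is really a mislabeled object."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(text).items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def path_ancestors(path):
    """Directories a domain must hold dir:search on to reach `path`,
    outermost first. The leaf itself is not included."""
    return [str(a) for a in reversed(list(PurePosixPath(path).parents))]


def search_denials_with_paths(text):
    """Pair each 'search' denial with the PATH record of the same audit event
    and return {path: ancestors whose labels need checking}."""
    paths = {}
    for line in text.splitlines():
        m = PATH_RE.match(line.strip())
        if m:
            f = parse_fields(m.group("fields"))
            if "name" in f:
                paths[m.group("event")] = f["name"]
    result = {}
    for line in text.splitlines():
        r = parse_avc(line)
        if r and "search" in r["perms"] and r["event"] in paths:
            target = paths[r["event"]]
            result[target] = path_ancestors(target)
    return result


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    for path, ancestors in search_denials_with_paths(SAMPLE_AUDIT).items():
        print(f"{path}: run 'ls -dZ' on each of {ancestors} and look for default_t")
```

For the smbd record the denied object is name="/" ino=2 on dev=hda5, labeled default_t, not /data/public itself; the generated allow rule would paper over that, and the relabeling answer in the thread is the right one.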