denied avcs Rawhide how to troubleshoot
by Antonio Olivares
Dear list,
I am running Rawhide and I get these denied AVCs:
[olivares@localhost ~]$ cat /etc/fedora-release
Fedora release 6.92 (Rawhide)
[olivares@localhost ~]$
There is a tool, semanage, but I do not know how to use it. Is there any reference for this new tool?
How do I fix this using chcon, or what other tools can I use to troubleshoot this?
audit(1176209974.281:4): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1440" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:5): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1680" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:6): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1722" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:7): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1743" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:8): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1760" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:9): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1920" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:10): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1840" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:11): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1600" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:12): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u360" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:13): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u720" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:14): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u820" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:15): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u830" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:16): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1040" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:17): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1120" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:18): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u800" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
Thanks,
Antonio
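An added example, not part of the post above and not a Fedora or SELinux project tool: a small POSIX shell triage script for AVC lines of the kind Antonio pasted. It assumes the kernel-format "audit(...): avc: denied ..." lines shown, with scontext=, tcontext= and tclass= fields. The function names and the third sample line (an invented cupsd denial, added to show a multi-permission set and a second source domain) are mine; the commands named in the advice (ls -Z, matchpathcon, restorecon, semanage fcontext, audit2why, audit2allow) are the standard policycoreutils tools.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials.
# summarize_avcs reads audit/dmesg lines on stdin and collapses them to one line per
# distinct (permissions, source type, target type, object class) with a hit count;
# advise turns each summary line into the check to run next.

# Constructed sample input: two lines from the post plus one invented cupsd line.
SAMPLE_AVCS='audit(1176209974.281:4): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1440" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:5): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1680" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209999.100:19): avc: denied { read write } for pid=1234 comm="cupsd" name="lp0" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=chr_file'

# summarize_avcs: stdin -> "count perms source_type target_type tclass", space
# separated, permissions joined with commas, sorted so the output is stable.
summarize_avcs() {
    awk '
    # user:role:type[:level] -> type (the third colon-separated field)
    function type_of(field,   parts) {
        sub(/^[st]context=/, "", field)
        split(field, parts, ":")
        return parts[3]
    }
    /avc: *denied/ {
        p = $0
        sub(/.*denied *[{] */, "", p)   # keep the text after "{ "
        sub(/ *[}].*/, "", p)           # drop the text from " }" onward
        gsub(/ /, ",", p)               # "read write" -> "read,write"
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      s = type_of($i)
            else if ($i ~ /^tcontext=/) t = type_of($i)
            else if ($i ~ /^tclass=/)   { c = $i; sub(/^tclass=/, "", c) }
        }
        count[p " " s " " t " " c]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# advise: stdin = summarize_avcs output. default_t is the reference policy fallback
# label for paths that match no file_contexts rule, and unlabeled_t/file_t mark
# objects with no label at all, so a target of those types usually means a labelling
# problem rather than a rule the policy author meant to write.
advise() {
    while read -r n perms src tgt cls; do
        case "$tgt" in
            default_t|unlabeled_t|file_t)
                echo "$src -> $tgt ($cls, $perms, $n hits): target is effectively unlabelled;" \
                     "compare ls -Z with matchpathcon, run restorecon -v on the path, and if the" \
                     "path is legitimately new add a rule with semanage fcontext -a -t TYPE" ;;
            *)
                echo "$src -> $tgt ($cls, $perms, $n hits): labels look intended; run audit2why" \
                     "on the raw line, and only then consider audit2allow -M for a local module" ;;
        esac
    done
}

# Stand-alone demo on the constructed sample. On a live system feed real lines:
#   grep 'avc: *denied' /var/log/audit/audit.log | summarize_avcs | advise
# (or /var/log/messages when auditd is not running, as with the kernel-format lines above).
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs | advise
```

The point of summarizing before acting is that fourteen denials with the same (udev_t, default_t, blk_file, create) tuple are one problem, not fourteen, and a target type of default_t says the object's label is the thing to look at before anyone writes an allow rule.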
cups-lpd: Unable to reserve port: Permission denied
by Garry Williams
I recently noted that print jobs from my FC6 machine sent to my remote
lpd print server take over five minutes to actually be spooled to the
print server. When I strace the cups process that connects to the
remote lpd, I see repeated attempts to bind() to port numbers below
1024. Each attempt fails with EACCES even though the process is
running as root. After each failure, the lpd client waits for one
second, then decrements the port number and tries again. This
sequence repeats until port number 631 is tried. That succeeds and
the client calls connect() and the print job is sent to the remote
printer.
My theory (based on suggestions from the fedora-user mailing list) is
that there is a new selinux policy that restricts the cupsd process
and its children to only be able to bind to port 631. If this is
true, I believe it is incorrect.
I think that there are some older lpd servers that insist on
validating clients based on their source port numbers, refusing to
allow connections from clients using ports over 1024. This behavior
will probably be judged silly (at best) these days, but there seems to
be a need to support it even today. Consequently, the default
behavior of cups-lpd seems to insist on a low port number before
calling connect().
I got around the problem by specifying a printer URI that suppresses
that behavior. (That wasn't obvious to me -- I got there from a
suggestion from David Hull, replying to my question on the fedora-user
list.) But the cups developers think this is OK behavior for their
client when it needs to talk to some servers.
I think the new policy is wrong. Regardless, why don't I see avc log
messages on this?
--
Garry T. Williams --- +1 678 656-4579
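An added example, not from Garry's post and not CUPS or SELinux project code: the check a practitioner would run on the "cupsd may only bind 631" theory, as a POSIX shell script. port_types_for answers which port type labels a given port from a `semanage port -l` style listing (type, protocol, comma-separated ports and lo-hi ranges), and first_bindable replays a downward scan like the one seen in strace against a set of port types the domain is allowed to name_bind. The listing below is a constructed excerpt in that format (types and ranges are illustrative; a real listing is longer and varies between policy versions), and the function names and the allowed-type sets are mine. The allowed types for a real domain come from setools, e.g. `sesearch --allow -s cupsd_t -c tcp_socket -p name_bind`.

```shell
#!/bin/sh
# Added example: which SELinux port type covers a port, and where a downward bind
# scan would first succeed given the port types a domain may bind.

# Constructed excerpt in the `semanage port -l` format (illustrative only).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ipp_port_t                     tcp      631
ipp_port_t                     udp      631
printer_port_t                 tcp      515
reserved_port_t                tcp      1-511
hi_reserved_port_t             tcp      512-1023
unreserved_port_t              tcp      1024-65535'

# port_types_for PROTO PORT: read the listing on stdin and print every type whose
# entry covers PORT, exact-port entries before ranges. Which one the kernel applies
# is decided by the policy's portcon order; in the reference policy the specific
# entries come before the generic reserved ranges, so the first line is the usual answer.
port_types_for() {
    awk -v proto="$1" -v port="$2" '
    NF >= 3 && $2 == proto {
        for (i = 3; i <= NF; i++) {
            r = $i; sub(/,$/, "", r)               # strip the list comma
            n = split(r, b, "-")                   # "512-1023" -> lo, hi
            lo = b[1] + 0; hi = (n == 2) ? b[2] + 0 : lo
            if (port + 0 >= lo && port + 0 <= hi) {
                if (n == 2) ranges = ranges $1 "\n"; else exact = exact $1 "\n"
                break
            }
        }
    }
    END { printf "%s%s", exact, ranges }'
}

# first_bindable PROTO FROM TO "TYPE TYPE ...": walk FROM, FROM-1, ... TO and print
# the first port labelled with one of the allowed types; returns 1 if none is.
# With one second of backoff per refused port, a scan from 1023 that succeeds at
# 631 costs 392 seconds, which is the "over five minutes" seen in the post.
first_bindable() {
    awk -v proto="$1" -v from="$2" -v to="$3" -v allowed=" $4 " '
    NF >= 3 && $2 == proto {
        for (i = 3; i <= NF; i++) {
            r = $i; sub(/,$/, "", r)
            n = split(r, b, "-")
            k++; plo[k] = b[1] + 0; phi[k] = (n == 2) ? b[2] + 0 : plo[k]; ptype[k] = $1
        }
    }
    END {
        for (p = from; p >= to; p--)
            for (j = 1; j <= k; j++)
                if (p >= plo[j] && p <= phi[j] && index(allowed, " " ptype[j] " "))
                    { print p; exit 0 }
        exit 1
    }'
}

# Stand-alone demo on the constructed listing. On a live system:
#   semanage port -l | port_types_for tcp 631
printf '%s\n' "$SAMPLE_PORTS" | port_types_for tcp 631
printf '%s\n' "$SAMPLE_PORTS" | first_bindable tcp 1023 1 "ipp_port_t"
printf '%s\n' "$SAMPLE_PORTS" | first_bindable tcp 1023 1 "ipp_port_t printer_port_t"
```

Two caveats a reader of this thread would want. First, the script only tells you what the policy would permit; whether the scan in strace really stops at 631 for that reason is confirmed by the allow rules from sesearch, not assumed. Second, an enforced denial with no AVC message is exactly what a dontaudit rule produces, and the cups-lpd scan touches hundreds of reserved ports that policy authors commonly silence; on later policycoreutils releases `semodule -DB` rebuilds the policy with dontaudit rules disabled so those denials appear in the audit log, and `semodule -B` puts them back.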