boot in permissive mode to boot 2.6.28-0.106.rc6.git4.fc11.i686
by Antonio Olivares
Dear fellow SELinux experts,
Thanks to Tom London for the tip to boot the new kernel using enforcing=0, I see some denied AVCs at startup:
SELinux: initialized (dev sda3, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 1574328k swap on /dev/sda5. Priority:-1 extents:1 across:1574328k
Adding 1540088k swap on /dev/mapper/VolGroup00-LogVol01. Priority:-2 extents:1 across:1540088k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
type=1400 audit(1228436635.068:4): avc: denied { sys_tty_config } for pid=1536 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
ip6_tables: (C) 2000-2006 Netfilter Core Team
type=1400 audit(1228436636.405:5): avc: denied { write } for pid=1562 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
eth0: no IPv6 routers present
eth1: setting full-duplex.
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
Bluetooth: Core ver 2.13
NET: Registered protocol family 31
Bluetooth: HCI device and connection manager initialized
Bluetooth: HCI socket layer initialized
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
Bluetooth: L2CAP ver 2.11
Bluetooth: L2CAP socket layer initialized
Bluetooth: BNEP (Ethernet Emulation) ver 1.3
Bluetooth: BNEP filters: protocol multicast
Bridge firewalling registered
Bluetooth: SCO (Voice Link) ver 0.6
Bluetooth: SCO socket layer initialized
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
eth1: no IPv6 routers present
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b0
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
fuse init (API version 7.10)
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
type=1400 audit(1228436728.479:6): avc: denied { read open } for pid=3011 comm="kded4" name="Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=1400 audit(1228436728.500:7): avc: denied { lock } for pid=3011 comm="kded4" path="/home/olivares/.config/Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:a1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:a1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
type=1400 audit(1228436734.312:8): avc: denied { search open } for pid=3018 comm="polkit-read-aut" name="dbus" dev=dm-0 ino=3276848 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
type=1400 audit(1228436734.312:9): avc: denied { write } for pid=3018 comm="polkit-read-aut" name="system_bus_socket" dev=dm-0 ino=3276857 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=1400 audit(1228436734.312:10): avc: denied { connectto } for pid=3018 comm="polkit-read-aut" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c180
type=1400 audit(1228436738.188:11): avc: denied { write } for pid=3009 comm="klauncher" name="gkrellm.desktop" dev=dm-0 ino=6161169 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
type=1400 audit(1228436768.597:12): avc: denied { read open } for pid=3092 comm="gkrellm" name="eth0" dev=dm-0 ino=6062973 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=1400 audit(1228436769.217:13): avc: denied { write } for pid=3092 comm="gkrellm" name="eth0" dev=dm-0 ino=6062973 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=1400 audit(1228436770.787:14): avc: denied { lock } for pid=3100 comm="python" path="/home/olivares/.config/Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:a1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:a1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
type=1400 audit(1228436860.935:15): avc: denied { write } for pid=3092 comm="gkrellm" name=".gkrellm2" dev=dm-0 ino=6062959 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=1400 audit(1228436860.935:16): avc: denied { add_name } for pid=3092 comm="gkrellm" name="user-config.new" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=1400 audit(1228436860.954:17): avc: denied { remove_name } for pid=3092 comm="gkrellm" name="user-config.new" dev=dm-0 ino=15368195 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
type=1400 audit(1228437353.337:18): avc: denied { read open } for pid=3525 comm="bash" name=".bash_history" dev=dm-0 ino=1507343 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1228437402.855:19): avc: denied { read open } for pid=3488 comm="konsole" name="Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
[root@localhost ~]# tail -f /var/log/messages
Dec 4 18:35:48 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
Dec 4 18:35:48 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
Dec 4 18:35:48 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
Dec 4 18:35:48 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
Dec 4 18:35:48 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
Dec 4 18:35:52 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
Dec 4 18:35:53 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
Dec 4 18:35:53 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
Dec 4 18:35:53 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
Dec 4 18:35:53 localhost kernel: type=1400 audit(1228437353.337:18): avc: denied { read open } for pid=3525 comm="bash" name=".bash_history" dev=dm-0 ino=1507343 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
Hope this helps in some way if the policies have not been loaded. Thanks also to Mr. Dan Walsh in the troubles with iptables and selinux:
[olivares@localhost ~]$ dmesg | grep 'iptables'
type=1400 audit(1228436636.405:5): avc: denied { write } for pid=1562 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
I hope this also gets fixed to get the dhcp server going :)
Regards,
Antonio
15 years, 4 months
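Added example (not part of the original post, and not a tool from the SELinux project): a short Python script that reduces a boot log like the one above to one line per source type, target type and object class, merging the permissions and counting each audit event once even when it shows up in both dmesg and /var/log/messages. The function names are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the dmesg and /var/log/messages output in the post above.
# Event 18 is present in both logs; the kernel warning is there to be skipped.
SAMPLE = """\
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
type=1400 audit(1228436636.405:5): avc: denied { write } for pid=1562 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1228436860.935:15): avc: denied { write } for pid=3092 comm="gkrellm" name=".gkrellm2" dev=dm-0 ino=6062959 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=1400 audit(1228436860.935:16): avc: denied { add_name } for pid=3092 comm="gkrellm" name="user-config.new" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=1400 audit(1228436860.954:17): avc: denied { remove_name } for pid=3092 comm="gkrellm" name="user-config.new" dev=dm-0 ino=15368195 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=1400 audit(1228437353.337:18): avc: denied { read open } for pid=3525 comm="bash" name=".bash_history" dev=dm-0 ino=1507343 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1228437402.855:19): avc: denied { read open } for pid=3488 comm="konsole" name="Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Dec 4 18:35:53 localhost kernel: type=1400 audit(1228437353.337:18): avc: denied { read open } for pid=3525 comm="bash" name=".bash_history" dev=dm-0 ino=1507343 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["event"] = m.group("event")
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(context):
    """Third field of user:role:type[:level]; the level may itself contain ':'."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class), merging repeats."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "events": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["comms"].add(rec.get("comm", "?"))
        groups[key]["events"].add(rec["event"])
    return dict(groups)

def report(groups):
    """One line per group: source type, target type:class, permissions, counts."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }} "
            f"events={len(g['events'])} comm={','.join(sorted(g['comms']))}"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```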
selinux is denying iptables still :(
by Antonio Olivares
Dear fellow selinux experts,
selinux is still denying iptables :(
type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
It also interferes with the booting of the newer kernel, with many messages denying stuff with Permission denied.
I'm just reporting this. I have this machine running rawhide, and it was also to serve as a mini-dhcp server to get internet to the machines in the classroom. I got help from fedora-list to get the correct file and all, but selinux is denying this, and I have to keep trying to get it right, and for other people it just works.
Thanks,
Antonio
15 years, 4 months
How can I call a function which is usually used by root?
by wk
I want to write a C program. A common user (not in the root group) will run this program.
In this program, I call fread(/dev/sdc...) and fwrite(/dev/sdc), but this call will return "permission no allow". If I use the root user, it will be OK.
How do I change the authority to root's?
I know the root's password.
15 years, 4 months
spamc / spamd communication problem
by Bob Richmond
I'm trying to make spamd listen on a unix domain socket, and let spamc
connect to it. The question is, I can't figure out the intended
destination for the spamd socket file (as specified via --socketpath
passed to spamd and -U to spamc). I see that spamc_t has permission to
connect to a socket with a type of spamd_tmp_t, but there doesn't appear
to be an fc rule for where a new socket file would inherit that type.
It makes sense to me that the socket file should exist in
/var/run/spamassassin/spamd.sock to be consistent, but
/var/run/spamassassin has a type of spamd_var_run_t, where spamc has no
permission to connect to a sock_file under. Any help?
I'm running F10, policy version selinux-policy-targeted-3.5.13-18.fc10.
Thanks!
15 years, 4 months
selinux denying a cups printer
by Gene Heskett
Greetings;
Up-to-date F8, targeted setting
host=coyote.coyote.den type=AVC msg=audit(1227891049.940:679): avc: denied {
execute } for pid=6486 comm="cupsd" name="lp3" dev=sda3 ino=104400725
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
host=coyote.coyote.den type=SYSCALL msg=audit(1227891049.940:679):
arch=40000003 syscall=33 success=no exit=-13 a0=bff13656 a1=1 a2=b7f17ff4
a3=b7f18a3c items=0 ppid=6485 pid=6486 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd"
exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
key=(null)
The troubleshooter's recommended fix is a restorecon -v './lp3'
The only ./lp3 I could find was in /etc/cups.d/interfaces/lp3, and while it
did change the context of the file, it does not fix the problem. This
particular driver ppd is the lpr and cupswrapper of the HL2140 driver kit
from Brother, and apparently is installed in a /usr/local/Brother subdir by
their rpms.
All this did work flawlessly before I had a drive failure, and it worked after
an Fu8 install, but failed sometime in the nearly 2 weeks uptime, as did all
my other printer profiles, which I have now deleted and rebuilt, and work
except for this one.
I am going to try touching /.autorelabel and reboot again to see if that helps.
However, nothing happened the last time I tried that 2 weeks ago...
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Q: How many IBM CPU's does it take to do a logical right shift?
A: 33. 1 to hold the bits and 32 to push the register.
15 years, 4 months
SELinux is preventing npviewer.bin (nsplugin_t) "read" to ./pulse-shm-4180703699
by Antonio Olivares
Dear fellow selinux experts,
Net avc for npviewer :(
Summary:
SELinux is preventing npviewer.bin (nsplugin_t) "read" to ./pulse-shm-4180703699
(tmpfs_t).
Detailed Description:
SELinux denied access requested by npviewer.bin. It is not expected that this
access is required by npviewer.bin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./pulse-shm-4180703699,
restorecon -v './pulse-shm-4180703699'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:tmpfs_t:s0
Target Objects ./pulse-shm-4180703699 [ file ]
Source npviewer.bin
Source Path /usr/lib/nspluginwrapper/npviewer.bin
Port <Unknown>
Host riohigh
Source RPM Packages nspluginwrapper-1.1.4-1.fc11
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name riohigh
Platform Linux riohigh 2.6.27.5-117.fc10.i686 #1 SMP Tue
Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count 1
First Seen Tue 02 Dec 2008 06:57:09 AM CST
Last Seen Tue 02 Dec 2008 06:57:09 AM CST
Local ID c049e765-9d3b-4384-927a-19797fb78d8d
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1228222629.565:217): avc: denied { read } for pid=4625 comm="npviewer.bin" name="pulse-shm-4180703699" dev=tmpfs ino=36988 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
node=riohigh type=SYSCALL msg=audit(1228222629.565:217): arch=40000003 syscall=5 success=no exit=-13 a0=bfda08d0 a1=a0000 a2=0 a3=bfda08d0 items=0 ppid=4427 pid=4625 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=13 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
I try the fix and I get:
[olivares@riohigh ~]$ su -
Password:
[root@riohigh ~]# restorecon -v './pulse-shm-4180703699'
restorecon: stat error on ./pulse-shm-4180703699: No such file or directory
[root@riohigh ~]#
Thanks,
Antonio
15 years, 4 months
iptables denials on Centos
by Tony Molloy
Hi,
I'm running several fully updated CentOS 5.2 servers and am trying to get all
the SELinux denials sorted out.
Here are two of the ones that I've got left. I can generate local policy to
allow these, but is that the best way? The full sealert messages have been
cut.
1. SELinux is preventing iptables (iptables_t) "read write" to socket
(initrc_t). For complete SELinux messages. run sealert -l
80760bb0-da8f-4fe8-855a-1cfc5789a597
[root@garryowen ~]# sealert -l 80760bb0-da8f-4fe8-855a-1cfc5789a597
Summary:
SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).
Detailed Description:
SELinux denied access requested by iptables. It is not expected that this
...
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
...
Additional Information:
Source Context system_u:system_r:iptables_t
Target Context system_u:system_r:initrc_t
Target Objects socket [ packet_socket ]
Source iptables
Source Path /sbin/iptables
Port <Unknown>
Host garryowen.xx.xx.xx
Source RPM Packages iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name garryowen.xx.xx.xx
Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5
Raw Audit Messages
host=garryowen.xx.xx.xx type=AVC msg=audit(1227684250.838:20268): avc: denied
{ read write } for pid=22829 comm="iptables" path="socket:[18015]"
dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket
host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1227684250.838:20268):
arch=40000003 syscall=11 success=yes exit=0 a0=9c95470 a1=9c956f8 a2=9c95610
a3=40 items=0 ppid=5571 pid=22829 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables"
exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
2. SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t). For
complete SELinux messages. run sealert -l
879c2152-44ee-4594-96c6-96716fda722b
[root@garryowen ~]# sealert -l 879c2152-44ee-4594-96c6-96716fda722b
Summary:
SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t).
Detailed Description:
SELinux denied access requested by iptables. It is not expected that this
...
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
...
Additional Information:
Source Context root:system_r:iptables_t
Target Context system_u:system_r:crond_t:SystemLow-SystemHigh
Target Objects pipe [ fifo_file ]
Source iptables
Source Path /sbin/iptables
Port <Unknown>
Host garryowen.xx.xx.xx
Source RPM Packages iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name garryowen.xx.xx.xx
Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5
Raw Audit Messages
host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied
{ read } for pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs
ino=1462004 scontext=root:system_r:iptables_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied
{ write } for pid=14428 comm="iptables" path="pipe:[1462005]" dev=pipefs
ino=1462005 scontext=root:system_r:iptables_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1228007101.709:31231):
arch=40000003 syscall=11 success=yes exit=0 a0=9985ab8 a1=9985698 a2=996d5d0
a3=0 items=0 ppid=14416 pid=14428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=5147 comm="iptables"
exe="/sbin/iptables" subj=root:system_r:iptables_t:s0 key=(null)
Thanks,
Tony
15 years, 4 months
nspluginwrapper and .PDF files
by Paul C. Rauser
Over the past several days, I have begun to experiment with enabling the allow_unconfined_nsplugin_transition boolean in a F10 test environment.
One of the most consistent demands from my test users/potential security threats is the ability to open .PDF files. Using mozplugger to do this launches evince, which throws AVCs all over and is probably undesirable anyway for the reasons listed in Dan Walsh's Nov 4 blog post on http://danwalsh.livejournal.com/
On the other hand, removing mozplugger and using the Adobe Acrobat 8.1.3 Firefox plugin throws lots of AVCs of its own -- and even more when doing things like printing -- and thus may not be the way to go.
If allow_unconfined_nsplugin_transition is to be useful in user land, it seems that the boolean should allow .PDF opening/saving/printing out of the box using either evince or Adobe's reader. I am happy to bugzilla the AVCs for one or the other and help with testing -- any preference in the community for which one?
Paul C. Rauser
ægis law group LLP
901 F Street, N.W.
Suite 500
Washington, D.C. 20004
T: 202 737 3375
F: 202 737 3330
E: prauser(a)aegislawgroup.com
15 years, 4 months
interface file
by Konrad Azzopardi
hi there,
A simple question - if I want to create some interface like
corenet_tcp_connect_yule_port(), would it be ok to put it in the
interface file? I ask because I saw a lot of similar macros deprecated inside
the interface files. If it is not the right place, would the
corenetwork.if.in be the right place? What is the best way to go
about it? tnx a lot
15 years, 4 months