gconf alert
by Valent Turkovic
Hi.
I'm seeing lots of these alerts in rawhide.
Is this "normal" or is it a gnome or selinux issue or is my system problematic?
Valent.
setroubleshoot exiting on AVC's
by Pad Hosmane
Hi,
I am on Red Hat Enterprise 5. setroubleshoot is exiting and I cannot
run sealert. I see the messages below in the logs. Any help in this regard would
be of great help.
Mar 22 11:17:52 myhost setroubleshoot: SELinux is preventing
/usr/sbin/automount (automount_t) "search" access to /proc/142/cmdline
(kernel_t). For complete SELinux messages. run sealert -l
c7e49db5-9d5f-4ffb-afdc-82708db53ee4
Mar 22 11:17:53 myhost setroubleshoot: 2008-03-22 11:17:52,416
[program.ERROR] Can not handle AVC'S related to dispatcher. exiting
setroubleshoot context=system_u:system_r:setroubleshootd_t:s0, AVC
scontext=system_u:system_r:setroubleshootd_t:s0
Mar 22 11:17:52 myhost setroubleshoot: SELinux is preventing
/usr/sbin/automount (automount_t) "search" access to /proc/145/cmdline
(kernel_t). For complete SELinux messages. run sealert -l
89399382-a3bf-4efd-9bfa-51ebdc28217d
Mar 22 11:17:53 myhost setroubleshoot: 2008-03-22 11:17:52,462
[program.ERROR] Can not handle AVC'S related to dispatcher. exiting
setroubleshoot context=system_u:system_r:setroubleshootd_t:s0, AVC
scontext=system_u:system_r:setroubleshootd_t:s0
Mar 22 11:17:53 myhost setroubleshoot: 2008-03-22 11:17:52,475
[program.ERROR] Can not handle AVC'S related to dispatcher. exiting
setroubleshoot context=system_u:system_r:setroubleshootd_t:s0, AVC
scontext=system_u:system_r:setroubleshootd_t:s0
Mar 22 11:17:52 myhost : SELinux is preventing /usr/sbin/automount
(automount_t) "search" access to /proc/25/cmdline (kernel_t). For
complete SELinux messages. run sealert -l
4db5f9d7-949a-4fb6-b7eb-3a3762d35684
Mar 22 11:17:52 myhost audispd: Socket error (32, 'Broken pipe')
Mar 22 11:18:08 myhost gpm[3069]: *** info [startup.c(95)]:
Mar 22 11:18:08 myhost gpm[3069]: Started gpm successfully. Entered
daemon mode.
Mar 22 11:18:11 myhost rhnsd[3154]: Red Hat Network Services Daemon
starting up.
Mar 22 12:18:29 myhost dbus: Can't send to audit system: USER_AVC avc:
received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?,
addr=?, terminal=?)
Mar 22 12:18:30 myhost setsebool: The httpd_enable_homedirs policy
boolean was changed to true by root
Mar 22 12:19:23 myhost auditd[2494]: dispatch err (pipe full) event lost
Mar 22 12:22:20 myhost dbus: Can't send to audit system: USER_AVC avc:
received policyload notice (seqno=3) : exe="?" (sauid=81, hostname=?,
addr=?, terminal=?)
Mar 22 12:22:21 myhost setsebool: The use_nfs_home_dirs policy boolean
was changed to 1 by root
Thanks in advance.
F9 dhcp client cannot backup resolv.conf, nor write ntp.conf
by Chuck Anderson
It seems the policy needs an update to allow the dhclient-script to
work properly:
type=1400 audit(1206128117.122:4): avc: denied { write } for
pid=2475 comm="cp" name="resolv.conf.predhclient.eth3" dev=dm-0
ino=26088 scontext=system_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.122:5): avc: denied { unlink } for
pid=2475 comm="cp" name="resolv.conf.predhclient.eth3" dev=dm-0
ino=26088 scontext=system_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.252:6): avc: denied { rename } for
pid=2485 comm="mv" name="ntp.conf" dev=dm-0 ino=26089
scontext=system_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.255:7): avc: denied { write } for
pid=2486 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089
scontext=system_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.255:8): avc: denied { write } for
pid=2486 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089
scontext=system_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.256:9): avc: denied { append } for
pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089
scontext=system_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.257:10): avc: denied { append } for
pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089
scontext=system_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.257:11): avc: denied { append } for
pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089
scontext=system_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.257:12): avc: denied { append } for
pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089
scontext=system_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.258:13): avc: denied { append } for
pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089
scontext=system_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
# audit2allow -R < audit.log
require {
type var_run_t;
type dhcpc_t;
type hald_acl_t;
type etc_t;
class dir write;
class file { write rename unlink append };
}
#============= dhcpc_t ==============
allow dhcpc_t etc_t:file { write rename unlink append };
#============= hald_acl_t ==============
allow hald_acl_t var_run_t:dir write;
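The nine dhcpc_t denials above collapse into one allow rule because audit2allow groups by source type, target type and object class. As an added example, which is not part of Chuck's post or of the audit2allow tool itself, the Python below parses AVC records in the framings quoted on this page (raw type=1400 lines, a setroubleshoot "Raw Audit Messages" line, and a "kernel:" line from /var/log/messages), does the same grouping, and prints the resulting rules tagged with the comm values that triggered them; the sample lines are constructed from denials quoted on this page.

```python
import re
from collections import defaultdict

# Constructed sample: AVC denials in the three framings quoted on this page
# (raw type=1400 lines, a setroubleshoot "Raw Audit Messages" line, and a
# "kernel:" line from /var/log/messages), each kept on a single line.
SAMPLE_AVCS = """\
type=1400 audit(1206128117.122:4): avc: denied { write } for pid=2475 comm="cp" name="resolv.conf.predhclient.eth3" dev=dm-0 ino=26088 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.122:5): avc: denied { unlink } for pid=2475 comm="cp" name="resolv.conf.predhclient.eth3" dev=dm-0 ino=26088 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.252:6): avc: denied { rename } for pid=2485 comm="mv" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.256:9): avc: denied { append } for pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
host=durthangnix type=AVC msg=audit(1205476368.460:1339): avc: denied { transition } for pid=28100 comm="yum" path="/sbin/ldconfig" dev=sda3 ino=858775 scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:40): avc: denied { connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0 tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
"""

# Whatever precedes "avc: denied" is ignored; permissions sit in braces and
# the source/target contexts plus object class close the record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)\s*'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
COMM_RE = re.compile(r'comm="([^"]*)"')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    cm = COMM_RE.search(m.group("fields"))
    # A context is user:role:type[:range]; policy rules are written on the type.
    return {"perms": m.group("perms").split(),
            "comm": cm.group(1) if cm else "?",
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass")}


def summarize(text):
    """Group denials by (source type, target type, class), as audit2allow does."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for avc in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(avc["stype"], avc["ttype"], avc["tclass"])]
        g["perms"].update(avc["perms"])
        g["comms"].add(avc["comm"])
    return dict(groups)


def allow_rules(text):
    """Render each group as the allow rule audit2allow would print, with the
    triggering programs appended so a reviewer can tell a real fix from a rule
    that merely papers over a missing domain transition."""
    rules = []
    for (stype, ttype, tclass), g in sorted(summarize(text).items()):
        perms, comms = " ".join(sorted(g["perms"])), ", ".join(sorted(g["comms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};  # comm: {comms}")
    return rules
```

A rule whose source and target types are identical, such as auditd_t on udp_socket here, is the pattern Steve G describes in the auditd thread below: a child process that lacks a domain transition still runs as its parent's type, so the fix is a transition rule rather than the self-access the summary suggests.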
rawhide yum denied for transition bootloader_t, two alerts
by Andrew Farris
These happen on two machines during updates, I'm also noticing many
%post scriptlets failing when these pop up, though I don't know if
they are related or not.
Summary:
SELinux is preventing yum (bootloader_t) "transition" to /sbin/ldconfig
(rpm_script_t).
Detailed Description:
SELinux denied access requested by yum. It is not expected that this access is
required by yum and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context user_u:system_r:bootloader_t:s0
Target Context user_u:system_r:rpm_script_t:s0
Target Objects /sbin/ldconfig [ process ]
Source yum
Source Path /usr/bin/python
Port <Unknown>
Host durthangnix
Source RPM Packages python-2.5.1-23.fc9
Target RPM Packages glibc-2.7.90-9
Policy RPM selinux-policy-3.3.1-14.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name durthangnix
Platform Linux durthangnix 2.6.25-0.105.rc5.fc9 #1 SMP Mon
Mar 10 20:59:23 EDT 2008 x86_64 x86_64
Alert Count 35
First Seen Thu 13 Mar 2008 11:19:15 PM PDT
Last Seen Thu 13 Mar 2008 11:32:48 PM PDT
Local ID 36d70abc-d12d-42f2-96bf-ab7250e29da1
Line Numbers
Raw Audit Messages
host=durthangnix type=AVC msg=audit(1205476368.460:1339): avc: denied
{ transition } for pid=28100 comm="yum" path="/sbin/ldconfig"
dev=sda3 ino=858775 scontext=user_u:system_r:bootloader_t:s0
tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
host=durthangnix type=SYSCALL msg=audit(1205476368.460:1339):
arch=c000003e syscall=59 success=no exit=-13 a0=7ff2034c2aca
a1=7fff1bd22350 a2=7ff20aa927d0 a3=3b8896c9f0 items=0 ppid=27144
pid=28100 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python"
subj=user_u:system_r:bootloader_t:s0 key=(null)
Summary:
SELinux is preventing yum (bootloader_t) "transition" to /bin/bash
(rpm_script_t).
Detailed Description:
SELinux denied access requested by yum. It is not expected that this access is
required by yum and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context user_u:system_r:bootloader_t:s0
Target Context user_u:system_r:rpm_script_t:s0
Target Objects /bin/bash [ process ]
Source rpm
Source Path /bin/rpm
Port <Unknown>
Host durthangnix
Source RPM Packages python-2.5.1-23.fc9
Target RPM Packages bash-3.2-21.fc9
Policy RPM selinux-policy-3.3.1-14.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name durthangnix
Platform Linux durthangnix 2.6.25-0.105.rc5.fc9 #1 SMP Mon
Mar 10 20:59:23 EDT 2008 x86_64 x86_64
Alert Count 48
First Seen Thu 13 Mar 2008 10:00:05 AM PDT
Last Seen Thu 13 Mar 2008 11:32:48 PM PDT
Local ID 75a34bf7-d467-444b-bfb4-9a931b3af238
Line Numbers
Raw Audit Messages
host=durthangnix type=AVC msg=audit(1205476368.64:1338): avc: denied
{ transition } for pid=28099 comm="yum" path="/bin/bash" dev=sda3
ino=835647 scontext=user_u:system_r:bootloader_t:s0
tcontext=user_u:system_r:rpm_script_t:s0 tclass=process
host=durthangnix type=SYSCALL msg=audit(1205476368.64:1338):
arch=c000003e syscall=59 success=no exit=-13 a0=7ff20063e90d
a1=7fff1bd22350 a2=7ff20aa927d0 a3=3b8896c9f0 items=0 ppid=27144
pid=28099 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=4 comm="yum" exe="/usr/bin/python"
subj=user_u:system_r:bootloader_t:s0 key=(null)
Re: auditd failing to start
by Steve G
> Can I know why email option is not working?
The email option should work assuming that SE Linux policy allows it. I just checked the source code. If the email address has a '@' symbol, auditd calls gethostbyname to make sure that you don't have a typo in the email address and it can't send an email when it needs to. Since SE Linux policy fails that, it rejects that address and then in turn fails the startup to let you know that you have something wrong in the configuration.
There's possibly a workaround where you use a local alias that sendmail/postfix resolves into your real email address. This way you do not need an email address with a '@' in it. This should be temporary until policy is fixed.
Also, when it does come time for auditd to send its first email, we still need a transition from auditd to a mta domain. Auditd calls /usr/lib/sendmail if that matters to anyone.
-Steve
Re: auditd failing to start
by Steve G
> space_left = 75
> #space_left_action = SYSLOG
> space_left_action = email
> action_mail_acct = scook(a)ntis.gov
^^^
This is where you are getting the DNS issues running from a child.
But auditd should write to syslog why it was exiting. My guess is the disk is full.
-Steve
Re: auditd failing to start
by Steve G
> space_left = 75
> > #space_left_action = SYSLOG
> > space_left_action = email
> > action_mail_acct = scook(a)ntis.gov
>
> ^^^
> This is where you are getting the DNS issues running from a child.
To be a little more concrete, it would seem that policy is missing a transition from auditd_t to sendmail's context and this is causing your avcs. But the reason this is happening in the first place is that your audit partition is likely full. Besides clearing space, you might want to change from email notification to something else until a new policy can be made with the auto transition.
-Steve
auditd failing to start
by Pad Hosmane
Hi,
I am on Red Hat Linux Enterprise 5 (Dell 1950). Auditing is failing to
start. This is the message in the messages file:
Mar 19 10:14:08 myhost kernel: input: USB HID v1.00 Keyboard [Silitek
Standard USB Keyboard ] on usb-0000:00:1d.7-5.1
Mar 19 10:14:36 myhost restorecond: Will not restore a file with more than
one hard link (/etc/resolv.conf) No such file or directory
Mar 19 10:19:10 myhost restorecond: Will not restore a file with more than
one hard link (/etc/resolv.conf) Invalid argument
Mar 19 10:20:22 myhost restorecond: Will not restore a file with more than
one hard link (/etc/resolv.conf) Invalid argument
Mar 19 12:20:01 myhost dbus: Can't send to audit system: USER_AVC avc:
received policyload notice (seqno=14) : exe="?" (sauid=81, hostname=?,
addr=?, terminal=?)
Mar 19 12:27:42 myhost kernel: audit(1205944062.921:39): avc: denied {
getattr } for pid=32443 comm="auditd" path="/etc/resolv.conf" dev=sda3
ino=15124046 scontext=user_u:system_r:auditd_t:s0
tcontext=system_u:object_r:net_conf_t:s0 tclass=file
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:40): avc: denied {
connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:41): avc: denied {
connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.922:42): avc: denied {
connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost kernel: audit(1205944062.923:43): avc: denied {
connect } for pid=32443 comm="auditd" scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 12:27:42 myhost auditd: The audit daemon is exiting.
Then I did the following:
grep auditd /var/log/messages | audit2allow -M auditsocket
semodule -i auditsocket.pp
I tried starting auditd again; it kept giving me messages for auditd denied.
Right now I see this:
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:117): avc: denied {
getattr } for pid=3899 comm="auditd" path="socket:[21080]" dev=sockfs
ino=21080 scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.512:118): avc: denied {
read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769
faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.513:119): avc: denied {
read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769
faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.514:120): avc: denied {
read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769
faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 myhost kernel: audit(1205949937.515:121): avc: denied {
read } for pid=3899 comm="auditd" laddr=xx.xx.xx.xx lport=32769
faddr=xx.xx.xx.xx fport=53 scontext=user_u:system_r:auditd_t:s0
tcontext=user_u:system_r:auditd_t:s0 tclass=udp_socket
Mar 19 14:05:37 learn6 auditd: The audit daemon is exiting.
I need help to resolve the above issue. Am I doing something wrong? Can
someone help me please?
I do not want to disable SELinux.
Thanks in advance.
Performance difference
by Rahul Sundaram
Hi,
Is there any performance difference between having selinux disabled via
the configuration file vs disabling it in the bootloader? If so, is
this considered a bug?
Rahul
Re: auditd failing to start
by Steve G
> Thank you for the reply. Current version is audit-1.5.5-7.el5.
OK, I thought you were running something newer from 5.2 beta. This uses the old event dispatcher which doesn't do anything fancy. Maybe you would want to try disabling the dispatcher and see if you are still having a problem. Add a # at the beginning of the line for dispatcher= in /etc/audit/auditd.conf. This will affect setroubleshoot, though.
But I got to admit that I haven't seen this kind of behavior before for the older software. Do you have auditd.conf setup to send email alerts? Also, avcs don't tell you the whole story alone. You may need to temporarily add a simple rule like, "-w /etc/shadow -p w", to /etc/audit/audit.rules to trigger more detailed information. This sounds like a program that is being run from auditd doesn't have an auto transition and therefore appears as if it were auditd_t.
> Man pages for auditd.conf do not show name_format option. Anyway I tried
> both options name_format = none and name_format = hostname and still
> auditd fails to startup.
Yeah, that's for the newer 5.2 version.
-Steve