temp files & debugging
by Steve Blackwell
I am attempting to figure out why my dhclient process sometimes gets the correct hostname from the server and sometimes it doesn't. I want to do this by turning on logging and sending the output to a temp file. I am running F9 and so I changed the line in /etc/sysconfig/network-scripts/ifup-eth from:
if /sbin/dhclient ${DHCLIENTARGS} ${DEVICE}; then
if /sbin/dhclient ${DHCLIENTARGS} ${DEVICE} > /var/log/dhclient.log 2>&1; then
after changing the DHCLIENTARGS switch -q to -v. When this runs at boot time I get an empty /var/log/dhclient.log file. When I try to run dhclient manually I get a SELinux denial:
SELinux is preventing dhclient (dhcpc_t) "write" to /var/log/dhclient.log (var_log_t).
OK, that makes sense so what do I have to modify to allow the log file to be written? This is just temporary so I'm hoping that I don't have to modify policies, rule files etc, etc. The simplest thing I can think of is to change to permissive mode but is there a better way?
Here is the raw data:
Source Context: unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
Target Context: system_u:object_r:var_log_t
Target Objects: /var/log/dhclient.log [ file ]
Source: dhclient
Source Path: /sbin/dhclient
Port: <Unknown>
Host: localhost.localdomain
Source RPM Packages: dhclient-4.0.0-22.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-119.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: mislabeled_file
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.27.12-78.2.8.fc9.x86_64 #1 SMP Mon Jan 19 19:25:03 EST 2009 x86_64 x86_64
Alert Count: 1
First Seen: Fri 06 Feb 2009 10:15:51 AM EST
Last Seen: Fri 06 Feb 2009 10:15:51 AM EST
Local ID: f7b088b4-ffa8-4a8a-bd23-e075bf806d23
Line Numbers:
Raw Audit Messages:
node=localhost.localdomain type=AVC msg=audit(1233933351.918:23): avc: denied { write } for pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1233933351.918:23): arch=c000003e syscall=59 success=yes exit=0 a0=1ba6ba0 a1=1ba70e0 a2=1b8eba0 a3=3ff9d67a70 items=0 ppid=3175 pid=3311 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Thanks,
Steve
on machine with CPU -> 100%, lots of avc's
by Antonio Olivares
Dear selinux experts and fellow testers,
on the machine with CPU hogging, the following avc's are present:
setroubleshooter does not kick in and I find these via dmesg.
Thanks for help/advice provided.
Regards,
Antonio
15 years, 2 months
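The devkit-power denials Antonio pasted are easier to judge once collapsed by type rather than read one record at a time. The following is an added example, not code from the post: a small POSIX shell script that turns raw AVC records (as printed by dmesg or found in audit.log) into unique source-type/target-type/class/permission tuples and then into the merged allow rules an audit2allow run would propose, so they can be reviewed against the policy before anything is loaded. The sample input is constructed from four of the lines quoted above plus one constructed SYSCALL record, which shows that non-AVC output is ignored.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post: collapse raw AVC records
# into the unique (source type, target type, class, permission) tuples they
# represent. Sample constructed from lines quoted in the post above plus one
# constructed non-AVC record.

AVC_SAMPLE='type=1400 audit(1233762250.019:161): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=9586 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=file
type=1400 audit(1233762250.020:162): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2322/cmdline" dev=proc ino=9586 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=file
type=1400 audit(1233762298.001:167): avc: denied { read } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=1400 audit(1233763262.000:174): avc: denied { read } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=1300 audit(1233762250.020:162): arch=c000003e syscall=2 success=no exit=-13 comm="devkit-power-da"'

# avc_tuples: stdin = raw audit/dmesg lines; stdout = one line per denied
# permission: "<source type> <target type> <class> <permission>".
# The permission set between "{" and "}" may hold several permissions;
# each one becomes its own tuple.
avc_tuples() {
    awk '
    /avc: +denied/ {
        stype = ""; ttype = ""; tclass = ""; first = 0; last = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") first = i + 1
            else if ($i == "}" && last == 0) last = i - 1
            else if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        if (stype == "" || ttype == "" || tclass == "" || first == 0) next
        for (j = first; j <= last; j++) print stype, ttype, tclass, $j
    }'
}

# avc_summary: count identical tuples, most frequent first.
avc_summary() {
    avc_tuples | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# avc_rules: merge permissions per (source, target:class) into the allow
# rules audit2allow would propose, printed for review rather than loaded.
avc_rules() {
    avc_tuples | awk '
    {
        key = $1 " " $2 ":" $3
        if (index(" " perms[key] " ", " " $4 " ") == 0)
            perms[key] = (perms[key] == "" ? $4 : perms[key] " " $4)
    }
    END { for (k in perms) printf "allow %s { %s };\n", k, perms[k] }' | sort
}

# Wrappers that run the two views over the constructed sample.
summarize_sample() { printf '%s\n' "$AVC_SAMPLE" | avc_summary; }
rules_from_sample() { printf '%s\n' "$AVC_SAMPLE" | avc_rules; }

# On a live system: dmesg | avc_summary    or    avc_rules < /var/log/audit/audit.log
```

Run `summarize_sample` and the four denials collapse to three tuples; `rules_from_sample` collapses them further to two rules, one against proc_t and one against the cmdline files of processes in system_cronjob_t. That second rule is the one to think about before allowing: reading another domain's /proc/PID/cmdline is what the policy is deliberately restricting.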
Problem after upgrading to Fedora 10
by Konrad Azzopardi
Dear all,
I made an upgrade from Fedora 9 to Fedora 10 using preupgrade. My
modules were working fine until I decided to recompile them in Fedora
10. So basically the same .pp files generated in Fedora 9 work.
When I recompile them I get the following error:
[root@MALTA YULE]# make -f /usr/share/selinux/devel/Makefile
yule.if:14: Error: duplicate definition of yule_domtrans(). Original
definition on 14.
yule.if:34: Error: duplicate definition of yule_script_domtrans().
Original definition on 34.
yule.if:64: Error: duplicate definition of yule_admin(). Original
definition on 64.
yule.if:95: Error: duplicate definition of yule_stream_connect().
Original definition on 95.
Compiling targeted yule module
/usr/bin/checkmodule: loading policy configuration from tmp/yule.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 8) to tmp/yule.mod
Creating targeted yule.pp policy package
rm tmp/yule.mod.fc tmp/yule.mod
and when I try to insert module
[root@MALTA YULE]# semodule -i yule.pp
libsepol.permission_copy_callback: Module yule depends on permission
nlmsg_tty_audit in class netlink_audit_socket, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
I have the same problem with another module, which makes me believe I have
something wrong in the system. I am using the latest FC10 policy:
[root@MALTA YULE]# rpm -aq | grep selinux-policy
selinux-policy-3.5.13-41.fc10.noarch
selinux-policy-doc-3.5.13-41.fc10.noarch
selinux-policy-targeted-3.5.13-41.fc10.noarch
Any help would be appreciated. Attached please find my files for reference.
Thanks
Konrad
15 years, 2 months
Does SETroubleshoot speak to SEBool?
by Arthur Dent
I am currently trying to tidy up my local modules which have been in
place for a number of years and which have probably been superseded by
more recent policies. I put SE into permissive mode and removed the
relevant local policy module.
One resulting denial suggested allowing access with:
setsebool -P spamd_enable_home_dirs=1
This surprised me because I thought I had this set. Sure enough:
# getsebool -a | grep spam
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
Surely SETroubleshoot should realise that this bool is already set?
I can of course recreate a local policy module to deal with this denial,
but I just wondered why this came up as a suggested remedy?
The full avc is listed below.
Thank you to all involved in this great endeavour...
Mark
Summary
SELinux is preventing the spamd daemon from reading users' home
directories.
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]
SELinux has denied the spamd daemon access to users' home directories.
Someone is attempting to access your home directories via your spamd
daemon. If you only setup spamd to share non-home directories, this
probably signals a intrusion attempt.
Allowing Access
If you want spamd to share home directories you need to turn on the
spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1"
Fix Command
setsebool -P spamd_enable_home_dirs=1
Additional Information
Source Context: unconfined_u:system_r:spamd_t:s0
Target Context: system_u:object_r:user_pyzor_home_t:s0
Target Objects: /home/mark/.pyzor/servers [ file ]
Source: pyzor
Source Path: /usr/bin/python
Port: <Unknown>
Host: mydomain.com
Source RPM Packages: python-2.5.1-26.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-118.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: spamd_enable_home_dirs
Host Name: mydomain.com
Platform: Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct
17 14:52:14 EDT 2008 i686 i686
Alert Count: 723
First Seen: Sun Nov 2 01:13:46 2008
Last Seen: Mon Feb 2 14:57:22 2009
Local ID: 22265a4e-86dd-4a61-a314-7c3fc363d5ee
Line Numbers:
Raw Audit Messages :
node=mydomain.com type=AVC msg=audit(1233586642.291:4900): avc: denied {
getattr } for pid=17929 comm="pyzor" path="/home/mark/.pyzor/servers"
dev=sda8 ino=3172618 scontext=unconfined_u:system_r:spamd_t:s0
tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file
node=mydomain.com type=SYSCALL msg=audit(1233586642.291:4900):
arch=40000003 syscall=195 success=yes exit=0 a0=8774db0 a1=bfc5c3c8
a2=cd9ff4 a3=86f01b8 items=0 ppid=9197 pid=17929 auid=0 uid=500 gid=0
euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none)
ses=726 comm="pyzor" exe="/usr/bin/python"
subj=unconfined_u:system_r:spamd_t:s0 key=(null)
15 years, 2 months
Denials from spamc and webalizer on Centos 5.2
by Richard Chapman
After some trouble getting the file-system relabelled - which was
eventually solved by Daniel's suggestion to change to a 5.3 preview
release of the policy packages - I now have (only) a couple of
intractable denials.
One seems to be related to procmail running spamc. The other seems to be
webalizer being denied access to squid logs. Here is some representative
troubleshooter output:
Summary
SELinux is preventing spamc (procmail_t) "execute" to ./spamc
(spamc_exec_t).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]
SELinux denied access requested by spamc. It is not expected that this
access is required by spamc and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./spamc,
restorecon -v './spamc'
If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ
<http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a bug report
<http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package.
Additional Information
Source Context: system_u:system_r:procmail_t
Target Context: system_u:object_r:spamc_exec_t
Target Objects: ./spamc [ file ]
Source: spamc
Source Path: /usr/bin/spamc
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: spamassassin-3.2.4-1.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-203.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec
16 11:57:43 EST 2008 x86_64 x86_64
Alert Count: 199
First Seen: Wed Jan 7 21:12:56 2009
Last Seen: Sat Jan 10 13:50:07 2009
Local ID: 72201679-d161-4d2d-8423-44b1b65a211f
Line Numbers:
Raw Audit Messages :
host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0
ino=31336954 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0
ino=31336954 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { execute_no_trans } for pid=16474 comm="procmail"
path="/usr/bin/spamc" dev=dm-0 ino=31336954
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { execute_no_trans } for pid=16474 comm="procmail"
path="/usr/bin/spamc" dev=dm-0 ino=31336954
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc"
dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc"
dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005):
arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0
a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500
gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501
tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc"
subj=system_u:system_r:procmail_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005):
arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0
a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500
gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501
tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc"
subj=system_u:system_r:procmail_t:s0 key=(null)
Summary
SELinux is preventing webalizer (webalizer_t) "search" to ./webalizer
(bin_t).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]
SELinux denied access requested by webalizer. It is not expected that
this access is required by webalizer and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./webalizer,
restorecon -v './webalizer'
If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ
<http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a bug report
<http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package.
Additional Information
Source Context: root:system_r:webalizer_t:SystemLow-SystemHigh
Target Context: system_u:object_r:bin_t
Target Objects: ./webalizer [ dir ]
Source: webalizer
Source Path: /usr/bin/webalizer
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: webalizer-2.01_10-30.1
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-203.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec
16 11:57:43 EST 2008 x86_64 x86_64
Alert Count: 119
First Seen: Wed Jan 7 22:00:02 2009
Last Seen: Sat Jan 10 14:00:01 2009
Local ID: fd879861-abb1-4e67-a190-0a721c66dc0e
Line Numbers:
Raw Audit Messages :
host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc:
denied { search } for pid=16510 comm="webalizer" name="webalizer"
dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc:
denied { search } for pid=16510 comm="webalizer" name="webalizer"
dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027):
arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0
a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730
comm="webalizer" exe="/usr/bin/webalizer"
subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027):
arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0
a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730
comm="webalizer" exe="/usr/bin/webalizer"
subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)
I didn't think I was doing anything unusual here, so I am surprised
these aren't covered by standard policy. Am I doing something strange,
and if so, do I need to write my own local policy? Is there a more
standard way to run spamc and/or webalizer which will prevent these
denials?
Thanks
Richard.
15 years, 2 months
Re: Denials from spamc and webalizer on Centos 5.2
by Dominick Grift
Hello,
With regard to procmail, I think your policy is missing a domain
transition to spamassassin.
A custom policy looking something like the following may or may not
fix that issue:
mkdir ~/myprocmail; cd ~/myprocmail;
echo 'policy_module(myprocmail, 0.0.1)' > myprocmail.te;
echo 'require { type procmail_t; }' >> myprocmail.te;
echo 'optional_policy(`' >> myprocmail.te;
echo 'spamassassin_domtrans_spamc(procmail_t)' >> myprocmail.te;
echo "')" >> myprocmail.te;
make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i myprocmail.pp
With regard to webalizer it looks like webalizer is searching
something in a "bin" directory.
If you want you can allow this.
mkdir ~/mywebalizer; cd ~/mywebalizer;
echo 'policy_module(mywebalizer, 0.0.1)' > mywebalizer.te;
echo 'require { type webalizer_t; }' >> mywebalizer.te;
echo 'corecmd_search_bin(webalizer_t)' >> mywebalizer.te;
make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i mywebalizer.pp
It may be that both procmail and webalizer domains need more access
after this, but you will notice that if this is the case.
P.S. You may or may not need to escape some of the characters in my example.
Hth,
Dominick
15 years, 2 months
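The echo-based recipe in the reply above works, but the m4 quote characters in optional_policy(`...') are exactly the ones a shell is most likely to mangle, which is what the postscript is warning about. The following is an added example, not code from Dominick's reply: a shell function that prints the same kind of .te source from its arguments so that nothing needs escaping, plus a build step that assumes selinux-policy-devel is installed (the Makefile path is the one the reply uses). The module names, types and interface calls in the usage are the two cases from the reply; any others are whatever the caller passes.

```shell
#!/bin/sh
# Added example, not Dominick's commands: generate a local policy module
# source file without escaping the m4 quote characters on the command line.

# gen_te <module> "<type> [<type>...]" <interface call>...
# Prints the .te source to stdout. Every interface call is wrapped in
# optional_policy() so the module still links when the module providing
# the interface (e.g. spamassassin) is not loaded; wrapping a base-policy
# interface such as corecmd_search_bin() is harmless.
gen_te() {
    mod=$1
    types=$2
    shift 2
    printf 'policy_module(%s, 0.0.1)\n\n' "$mod"
    printf 'require {\n'
    for t in $types; do
        printf '\ttype %s;\n' "$t"
    done
    printf '}\n\n'
    for call in "$@"; do
        printf "optional_policy(\`\n\t%s\n')\n\n" "$call"
    done
}

# te_line_count <same args as gen_te>: number of non-empty lines produced,
# a quick sanity check that every type and call made it into the file.
te_line_count() {
    gen_te "$@" | grep -c .
}

# build_module <module>: run in the directory holding <module>.te.
# Requires selinux-policy-devel (the Makefile below); not run here.
build_module() {
    [ -r /usr/share/selinux/devel/Makefile ] || {
        echo "selinux-policy-devel is not installed" >&2
        return 1
    }
    make -f /usr/share/selinux/devel/Makefile "$1.pp" && /usr/sbin/semodule -i "$1.pp"
}

# Usage, equivalent to the two modules in the reply:
#   mkdir -p ~/myprocmail && cd ~/myprocmail
#   gen_te myprocmail procmail_t 'spamassassin_domtrans_spamc(procmail_t)' > myprocmail.te
#   build_module myprocmail
#   mkdir -p ~/mywebalizer && cd ~/mywebalizer
#   gen_te mywebalizer webalizer_t 'corecmd_search_bin(webalizer_t)' > mywebalizer.te
#   build_module mywebalizer
```

Because the interface call is passed as a single-quoted argument and the m4 quotes live inside a printf format, the generated file contains a literal backtick and a literal closing quote regardless of which shell runs it. Inspect the .te before building; the require block and each optional_policy() block should read exactly as they would in a hand-written module.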