selinux February 2009

selinux@lists.fedoraproject.org

43 participants
57 discussions

temp files & debugging
by Steve Blackwell 09 Feb '09

09 Feb '09

I am attempting to figure out why my dhclient process sometimes gets the correct hostname from the server and sometimes it doesn't. I want to do this by turning on logging and sending the output to a temp file. I am running F9 and so I changed the line in /etc/sysconfig/network-scripts/ifup-eth from: if /sbin/dhclient ${DHCLIENTARGS} ${DEVICE}; then if /sbin/dhclient ${DHCLIENTARGS} ${DEVICE} > /var/log/dhclient.log 2>&1; then after changing the DHCLIENTARGS switch -q to -v. When this runs at boot time I get an empty /var/log/dhclient.log file. When I try to run dhclient manually I get a SELinux denial: SELinux is preventing dhclient (dhcpc_t) "write" to /var/log/dhclient.log (var_log_t). OK, that makes sense so what do I have to modify to allow the log file to be written? This is just temporary so I'm hoping that I don't have to modify policies, rule files etc, etc. The simplest thing I can think of is to change to permissive mode but is there a better way? Here is the raw data: Source Context: unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh Target Context: system_u:object_r:var_log_t Target Objects: /var/log/dhclient.log [ file ] Source: dhclient Source Path: /sbin/dhclient Port: <Unknown> Host: localhost.localdomain Source RPM Packages: dhclient-4.0.0-22.fc9 Target RPM Packages: Policy RPM: selinux-policy-3.3.1-119.fc9 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: mislabeled_file Host Name: localhost.localdomain Platform: Linux localhost.localdomain 2.6.27.12-78.2.8.fc9.x86_64 #1 SMP Mon Jan 19 19:25:03 EST 2009 x86_64 x86_64 Alert Count: 1 First Seen: Fri 06 Feb 2009 10:15:51 AM EST Last Seen: Fri 06 Feb 2009 10:15:51 AM EST Local ID: f7b088b4-ffa8-4a8a-bd23-e075bf806d23 Line Numbers: Raw Audit Messages :node=localhost.localdomain type=AVC msg=audit(1233933351.918:23): avc: denied { write } for pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file node=localhost.localdomain type=AVC msg=audit(1233933351.918:23): avc: denied { write } for pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1233933351.918:23): arch=c000003e syscall=59 success=yes exit=0 a0=1ba6ba0 a1=1ba70e0 a2=1b8eba0 a3=3ff9d67a70 items=0 ppid=3175 pid=3311 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) Thanks, Steve

4 5

on machine with CPU -> 100%, lots of avc's
by Antonio Olivares 04 Feb '09

04 Feb '09

Dear selinux experts and fellow testers, on the machine with CPU hogging, the following avc's are present: type=1400 audit(1233758357.144:4): avc: denied { create } for pid=2580 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir fuse init (API version 7.11) SELinux: initialized (dev fuse, type fuse), uses genfs_contexts type=1400 audit(1233758390.012:5): avc: denied { write } for pid=2893 comm="devkit-power-da" name="timer_stats" dev=proc ino=4026531963 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233758390.013:6): avc: denied { open } for pid=2893 comm="devkit-power-da" name="timer_stats" dev=proc ino=4026531963 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233758390.013:7): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/timer_stats" dev=proc ino=4026531963 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233758392.002:8): avc: denied { read } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233758392.004:9): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2511" dev=proc ino=10480 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hald_t:s0 tclass=dir type=1400 audit(1233758392.004:10): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=10502 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hald_t:s0 tclass=file type=1400 audit(1233758392.005:11): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=10502 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hald_t:s0 tclass=file type=1400 audit(1233758392.005:12): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2511/cmdline" dev=proc ino=10502 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hald_t:s0 tclass=file type=1400 audit(1233758392.005:13): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2620" dev=proc ino=11289 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=dir __ratelimit: 129 callbacks suppressed type=1400 audit(1233758396.000:57): avc: denied { read } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233758396.000:58): avc: denied { open } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233758396.000:59): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233758396.010:60): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2921" dev=proc ino=14735 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=dir type=1400 audit(1233758396.010:61): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=14736 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233758396.010:62): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=14736 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233758396.011:63): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2921/cmdline" dev=proc ino=14736 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233758398.004:64): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2653" dev=proc ino=11813 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=dir type=1400 audit(1233758398.005:65): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=14993 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233758398.005:66): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=14993 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=file __ratelimit: 27 callbacks suppressed type=1400 audit(1233758402.005:76): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2280" dev=proc ino=8832 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir type=1400 audit(1233758402.005:77): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=9580 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233758402.005:78): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=9580 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233758402.005:79): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2280/cmdline" dev=proc ino=9580 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file kjournald starting. Commit interval 5 seconds EXT3-fs warning: maximal mount count reached, running e2fsck is recommended EXT3 FS on sda6, internal journal EXT3-fs: mounted filesystem with ordered data mode. SELinux: initialized (dev sda6, type ext3), uses xattr type=1400 audit(1233758404.004:80): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2423" dev=proc ino=9745 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hald_t:s0 tclass=dir type=1400 audit(1233758404.004:81): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=15758 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hald_t:s0 tclass=file type=1400 audit(1233758404.004:82): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=15758 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hald_t:s0 tclass=file type=1400 audit(1233758404.004:83): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2423/cmdline" dev=proc ino=15758 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hald_t:s0 tclass=file type=1400 audit(1233758448.005:84): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2348" dev=proc ino=9659 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=dir type=1400 audit(1233758448.005:85): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=9685 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=file type=1400 audit(1233758448.005:86): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=9685 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=file type=1400 audit(1233758448.005:87): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2348/cmdline" dev=proc ino=9685 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=file type=1400 audit(1233758464.004:88): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2140" dev=proc ino=16016 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:automount_t:s0 tclass=dir type=1400 audit(1233758464.004:89): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=16017 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:automount_t:s0 tclass=file type=1400 audit(1233758464.004:90): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=16017 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:automount_t:s0 tclass=file type=1400 audit(1233758464.004:91): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2140/cmdline" dev=proc ino=16017 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:automount_t:s0 tclass=file type=1400 audit(1233758698.005:92): avc: denied { search } for pid=2893 comm="devkit-power-da" name="3008" dev=proc ino=16691 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=dir type=1400 audit(1233758706.005:93): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2545" dev=proc ino=16472 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=dir type=1400 audit(1233758706.005:94): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=16764 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=file type=1400 audit(1233758706.005:95): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=16764 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=file type=1400 audit(1233758706.005:96): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2545/cmdline" dev=proc ino=16764 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=file type=1400 audit(1233758950.004:97): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2312" dev=proc ino=9576 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xfs_t:s0 tclass=dir type=1400 audit(1233758950.005:98): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=9583 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xfs_t:s0 tclass=file type=1400 audit(1233758950.005:99): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=9583 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xfs_t:s0 tclass=file type=1400 audit(1233758950.005:100): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2312/cmdline" dev=proc ino=9583 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xfs_t:s0 tclass=file type=1400 audit(1233759040.010:101): avc: denied { search } for pid=2893 comm="devkit-power-da" name="3027" dev=proc ino=16799 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=dir type=1400 audit(1233759040.010:102): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=16872 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233759040.010:103): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=16872 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233759040.010:104): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/3027/cmdline" dev=proc ino=16872 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233759042.005:105): avc: denied { search } for pid=2893 comm="devkit-power-da" name="1975" dev=proc ino=16970 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:syslogd_t:s0 tclass=dir type=1400 audit(1233759042.005:106): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=16971 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:syslogd_t:s0 tclass=file type=1400 audit(1233759042.005:107): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=16971 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:syslogd_t:s0 tclass=file type=1400 audit(1233759042.005:108): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/1975/cmdline" dev=proc ino=16971 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:syslogd_t:s0 tclass=file type=1400 audit(1233759080.002:109): avc: denied { read } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233759080.002:110): avc: denied { open } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233759080.002:111): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233759082.005:112): avc: denied { search } for pid=2893 comm="devkit-power-da" name="3033" dev=proc ino=17816 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:syslogd_t:s0 tclass=dir type=1400 audit(1233759082.005:113): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=17817 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:syslogd_t:s0 tclass=file type=1400 audit(1233759082.005:114): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=17817 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:syslogd_t:s0 tclass=file type=1400 audit(1233759082.005:115): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/3033/cmdline" dev=proc ino=17817 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:syslogd_t:s0 tclass=file type=1400 audit(1233759084.005:116): avc: denied { search } for pid=2893 comm="devkit-power-da" name="705" dev=proc ino=2040 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=dir type=1400 audit(1233759084.005:117): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=2136 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=file type=1400 audit(1233759084.006:118): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=2136 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=file __ratelimit: 3 callbacks suppressed type=1400 audit(1233760156.006:120): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2536" dev=proc ino=16471 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=dir type=1400 audit(1233760156.006:121): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=18948 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=file type=1400 audit(1233760156.007:122): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=18948 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=file type=1400 audit(1233760156.011:123): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2536/cmdline" dev=proc ino=18948 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=file type=1400 audit(1233760404.007:124): avc: denied { search } for pid=2893 comm="devkit-power-da" name="3148" dev=proc ino=19176 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=dir type=1400 audit(1233760404.007:125): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=19177 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233760404.007:126): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=19177 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233760404.007:127): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/3148/cmdline" dev=proc ino=19177 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233760410.008:128): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=19714 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233760410.008:129): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=19714 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233760410.008:130): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/3149/cmdline" dev=proc ino=19714 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233760414.008:131): avc: denied { search } for pid=2893 comm="devkit-power-da" name="3169" dev=proc ino=19766 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=dir npviewer.bin[3204] general protection ip:1361c2c sp:bf837860 error:0 in libflashplayer.so[ff5000+952000] type=1400 audit(1233760540.001:132): avc: denied { read } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233760540.001:133): avc: denied { open } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233760540.001:134): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file npviewer.bin[3492] general protection ip:1166c2c sp:bfbdcc00 error:0 in libflashplayer.so[dfa000+952000] npviewer.bin[3605] general protection ip:12d5c2c sp:bfa72a90 error:0 in libflashplayer.so[f69000+952000] npviewer.bin[3740]: segfault at 2d ip 01764086 sp bfae7530 error 4 in libflashplayer.so[110b000+952000] npviewer.bin[3822]: segfault at 13 ip 0216b177 sp bffd3194 error 4 in libflashplayer.so[1ac5000+952000] npviewer.bin[3848]: segfault at 13 ip 0160f177 sp bfa06bd4 error 4 in libflashplayer.so[f69000+952000] npviewer.bin[3875] general protection ip:60acc2c sp:bfff9020 error:0 in libflashplayer.so[5d40000+952000] type=1400 audit(1233761948.018:135): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2268" dev=proc ino=8803 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sendmail_t:s0 tclass=dir type=1400 audit(1233761948.019:136): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=8809 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sendmail_t:s0 tclass=file type=1400 audit(1233761948.019:137): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=8809 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sendmail_t:s0 tclass=file type=1400 audit(1233761948.019:138): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2268/cmdline" dev=proc ino=8809 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sendmail_t:s0 tclass=file type=1400 audit(1233761950.017:139): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2332" dev=proc ino=16469 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir type=1400 audit(1233761950.017:140): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=19913 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233761950.017:141): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=19913 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233761950.018:142): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2332/cmdline" dev=proc ino=19913 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233761958.016:143): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2543" dev=proc ino=10645 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=dir type=1400 audit(1233761958.016:144): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=10646 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=file type=1400 audit(1233761958.016:145): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=10646 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=file type=1400 audit(1233761958.017:146): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2543/cmdline" dev=proc ino=10646 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=file type=1400 audit(1233761990.017:147): avc: denied { search } for pid=2893 comm="devkit-power-da" name="3936" dev=proc ino=38966 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=dir type=1400 audit(1233761990.018:148): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=38967 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=file type=1400 audit(1233761990.018:149): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=38967 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=file type=1400 audit(1233761990.019:150): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/3936/cmdline" dev=proc ino=38967 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=file type=1400 audit(1233761994.081:151): avc: denied { search } for pid=2893 comm="devkit-power-da" name="305" dev=proc ino=2034 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=dir type=1400 audit(1233761994.081:152): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=2112 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=file type=1400 audit(1233761994.081:153): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=2112 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=file type=1400 audit(1233761994.081:154): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/305/cmdline" dev=proc ino=2112 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=file type=1400 audit(1233762106.025:155): avc: denied { search } for pid=2893 comm="devkit-power-da" name="3984" dev=proc ino=40607 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=dir type=1400 audit(1233762106.025:156): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=40612 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233762106.025:157): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=40612 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233762106.025:158): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/3984/cmdline" dev=proc ino=40612 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233762250.018:159): avc: denied { search } for pid=2893 comm="devkit-power-da" name="2322" dev=proc ino=9577 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=dir type=1400 audit(1233762250.019:160): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=9586 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=file type=1400 audit(1233762250.019:161): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=9586 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=file type=1400 audit(1233762250.020:162): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/2322/cmdline" dev=proc ino=9586 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=file type=1400 audit(1233762258.019:163): avc: denied { search } for pid=2893 comm="devkit-power-da" name="4009" dev=proc ino=40911 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0 tclass=dir type=1400 audit(1233762258.020:164): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=40919 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0 tclass=file type=1400 audit(1233762258.020:165): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=40919 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0 tclass=file type=1400 audit(1233762258.020:166): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/4009/cmdline" dev=proc ino=40919 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0 tclass=file type=1400 audit(1233762298.001:167): avc: denied { read } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233762298.001:168): avc: denied { open } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233762298.001:169): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233762298.020:170): avc: denied { search } for pid=2893 comm="devkit-power-da" name="4013" dev=proc ino=40938 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=dir type=1400 audit(1233762298.020:171): avc: denied { read } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=40949 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233762298.020:172): avc: denied { open } for pid=2893 comm="devkit-power-da" name="cmdline" dev=proc ino=40949 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233762298.022:173): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/4013/cmdline" dev=proc ino=40949 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=file type=1400 audit(1233763262.000:174): avc: denied { read } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233763262.000:175): avc: denied { open } for pid=2893 comm="devkit-power-da" name="interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1233763262.000:176): avc: denied { getattr } for pid=2893 comm="devkit-power-da" path="/proc/interrupts" dev=proc ino=4026531984 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file [olivares@localhost ~]$ setroubleshooter does not kick in and I find these via dmesg. Thanks for help/advice provided. Regards, Antonio

4 5

Problem after upgrading to Fedora 10
by Konrad Azzopardi 03 Feb '09

03 Feb '09

Dear all, I made an upgrade from Fedora 9 to Fedora 10 using preupgrade. My modules were working fine until I decided to recompile them in Fedora 10. So basically the same .pp files generated in Fedora 9 work. when I recompile them I get the following error : [root@MALTA YULE]# make -f /usr/share/selinux/devel/Makefile yule.if:14: Error: duplicate definition of yule_domtrans(). Original definition on 14. yule.if:34: Error: duplicate definition of yule_script_domtrans(). Original definition on 34. yule.if:64: Error: duplicate definition of yule_admin(). Original definition on 64. yule.if:95: Error: duplicate definition of yule_stream_connect(). Original definition on 95. Compiling targeted yule module /usr/bin/checkmodule: loading policy configuration from tmp/yule.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 8) to tmp/yule.mod Creating targeted yule.pp policy package rm tmp/yule.mod.fc tmp/yule.mod and when I try to insert module [root@MALTA YULE]# semodule -i yule.pp libsepol.permission_copy_callback: Module yule depends on permission nlmsg_tty_audit in class netlink_audit_socket, not satisfied libsemanage.semanage_link_sandbox: Link packages failed semodule: Failed! I have same problem wiith another module which makes believe I have something wrong in the system. i am using the last FC10 policy : [root@MALTA YULE]# rpm -aq | grep selinux-policy selinux-policy-3.5.13-41.fc10.noarch selinux-policy-doc-3.5.13-41.fc10.noarch selinux-policy-targeted-3.5.13-41.fc10.noarch anyhelp would be appreciated. Attached pls find my files for reference. Thanks Konrad

3 3

Does SETroubleshoot speak to SEBool?
by Arthur Dent 02 Feb '09

02 Feb '09

I am currently trying to tidy up my local modules which have been in place for a number of years and which have probably been superseded by more recent policies. I put SE into permissive mode and removed the relevant local policy module. One resulting denial suggested allowing access with: setsebool -P spamd_enable_home_dirs=1 This surprised me because I thought I had this set. Sure enough: # getsebool -a | grep spam spamassassin_can_network --> off spamd_enable_home_dirs --> on Surely SETroubleshoot should realise that this bool is already set? I can of course recreate a local policy module to deal with this denial, but I just wondered why this came up as a suggested remedy? The full avc is listed below. Thank you to all involved in this this great endeavour... Mark Summary SELinux is preventing the spamd daemon from reading users' home directories. Detailed Description [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux has denied the spamd daemon access to users' home directories. Someone is attempting to access your home directories via your spamd daemon. If you only setup spamd to share non-home directories, this probably signals a intrusion attempt. Allowing Access If you want spamd to share home directories you need to turn on the spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1" Fix Command setsebool -P spamd_enable_home_dirs=1 Additional Information Source Context: unconfined_u:system_r:spamd_t:s0 Target Context: system_u:object_r:user_pyzor_home_t:s0 Target Objects: /home/mark/.pyzor/servers [ file ] Source: pyzor Source Path: /usr/bin/python Port: <Unknown> Host: mydomain.com Source RPM Packages: python-2.5.1-26.fc9 Target RPM Packages: Policy RPM: selinux-policy-3.3.1-118.fc9 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: spamd_enable_home_dirs Host Name: mydomain.com Platform: Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686 Alert Count: 723 First Seen: Sun Nov 2 01:13:46 2008 Last Seen: Mon Feb 2 14:57:22 2009 Local ID: 22265a4e-86dd-4a61-a314-7c3fc363d5ee Line Numbers: Raw Audit Messages : node=mydomain.com type=AVC msg=audit(1233586642.291:4900): avc: denied { getattr } for pid=17929 comm="pyzor" path="/home/mark/.pyzor/servers" dev=sda8 ino=3172618 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file node=mydomain.com type=SYSCALL msg=audit(1233586642.291:4900): arch=40000003 syscall=195 success=yes exit=0 a0=8774db0 a1=bfc5c3c8 a2=cd9ff4 a3=86f01b8 items=0 ppid=9197 pid=17929 auid=0 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=726 comm="pyzor" exe="/usr/bin/python" subj=unconfined_u:system_r:spamd_t:s0 key=(null)

3 9

Denials from spamc and webalizer on Centos 5.2
by Richard Chapman 02 Feb '09

02 Feb '09

After some trouble getting the file-system relabelled - which was eventually solved by Daniel's suggestion to change to a 5.3 preview release of the policy packages - I now have (only) a couple of intractable denials. One seems to be related to procmail running spamc. The other seems to be webalizer being denied access to squid logs. Here is some representative troubledhooter output: Summary SELinux is preventing spamc (procmail_t) "execute" to ./spamc (spamc_exec_t). Detailed Description [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by spamc. It is not expected that this access is required by spamc and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./spamc, restorecon -v './spamc' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package. Additional Information Source Context: system_u:system_r:procmail_t Target Context: system_u:object_r:spamc_exec_t Target Objects: ./spamc [ file ] Source: spamc Source Path: /usr/bin/spamc Port: <Unknown> Host: C5.aardvark.com.au Source RPM Packages: spamassassin-3.2.4-1.el5 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-203.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: catchall_file Host Name: C5.aardvark.com.au Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 Alert Count: 199 First Seen: Wed Jan 7 21:12:56 2009 Last Seen: Sat Jan 10 13:50:07 2009 Local ID: 72201679-d161-4d2d-8423-44b1b65a211f Line Numbers: Raw Audit Messages : host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { execute_no_trans } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { execute_no_trans } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005): arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:procmail_t:s0 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005): arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:procmail_t:s0 key=(null) Summary SELinux is preventing webalizer (webalizer_t) "search" to ./webalizer (bin_t). Detailed Description [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by webalizer. It is not expected that this access is required by webalizer and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./webalizer, restorecon -v './webalizer' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package. Additional Information Source Context: root:system_r:webalizer_t:SystemLow-SystemHigh Target Context: system_u:object_r:bin_t Target Objects: ./webalizer [ dir ] Source: webalizer Source Path: /usr/bin/webalizer Port: <Unknown> Host: C5.aardvark.com.au Source RPM Packages: webalizer-2.01_10-30.1 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-203.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: catchall_file Host Name: C5.aardvark.com.au Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 Alert Count: 119 First Seen: Wed Jan 7 22:00:02 2009 Last Seen: Sat Jan 10 14:00:01 2009 Local ID: fd879861-abb1-4e67-a190-0a721c66dc0e Line Numbers: Raw Audit Messages : host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: denied { search } for pid=16510 comm="webalizer" name="webalizer" dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: denied { search } for pid=16510 comm="webalizer" name="webalizer" dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730 comm="webalizer" exe="/usr/bin/webalizer" subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730 comm="webalizer" exe="/usr/bin/webalizer" subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null) I didn't think I was doing anything unusual here - so I am surprised these aren't covered by standard policy. Am I don't something strange - and if so - do I need to write my own local policy. Is there a more standard way to run spamc and/.or webalizer which will prevent these denials? Thanks Richard.

4 6

Re: Does SETroubleshoot speak to SEBool?
by Miroslav Grepl 02 Feb '09

02 Feb '09

Arthur, keep your local policy. I will fix this issue. Miroslav

1 0

Re: Denials from spamc and webalizer on Centos 5.2
by Dominick Grift 01 Feb '09

01 Feb '09

Hello, With regard to procmail, i think your policy is missing a domain transition to spamassassin. A custom policy looking something like the following may or may not fix that issue: mkdir ~/myprocmail; cd ~/myprocmail; echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te; echo "require { type procmail_t; }" >> myprocmail.te; echo "optional_policy(`" >> myprocmail.te; echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te; echo "')" >> myprocmail.te; make -f /usr/share/selinux/devel/Makefile /usr/sbin/semodule -i myprocmail.pp With regard to webalizer it looks like webalizer is searching something in a "bin" directory. If you want you can allow this. mkdir ~/mywebalizer; cd ~mywebalizer; echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te; echo "require { type webalizer_t; }" >> mywebalizer.te; echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te; make -f /usr/share/selinux/devel/Makefile /usr/sbin/semodule -i mywebalizer.pp It may be that both procmail and webalizer domains need more access after this, but you will notice that if this is the case. P.s. You may or may not need to escape some of the characters in my example. Hth, Dominick

4 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux February 2009