January 2013 - selinux - Fedora Mailing-Lists

by mark

I wrote: <SNIP> > I've done a chcon. I did an semanage and the restorecon. The system was rebooted > after the chcon; sshd was restarted after the semanage and restorecon. I just did > restorecon -R /etc/ssh again. > Is the audit program buggy? Dan - thanks. Good catch: changing the role from system_r to object_r on the ssh_host* keys finally stopped the AVCs. Haven't seen a thing since I did it this time yesterday. mark

11 years, 3 months

1
0
0 / 0

AVC question

by David Highley

I get the following avc from using mythtv's web interface. ---- time->Tue Jan 8 19:14:57 2013 type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) type=AVC msg=audit(1357701297.336:4077): avc: denied { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process ---- time->Tue Jan 8 19:17:56 2013 type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774 pid=8113 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) type=AVC msg=audit(1357701476.763:4085): avc: denied { setpgid } for pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process I checked the script, ls -Z /usr/share/mythweb/mythweb.pl -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/mythweb/mythweb.pl Should I need to define the following? require { type httpd_sys_script_t; class process setpgid; } #============= httpd_sys_script_t ============== allow httpd_sys_script_t self:process setpgid;

11 years, 3 months

3
8
0 / 0

Where's the bug

by mark

FC 17. Just built last week. ll -Z /etc/ssh: -rw-------. root root system_u:object_r:etc_t:s0 moduli -rw-r--r--. root root system_u:system_u:etc_t:s0 ssh_config -rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_dsa_key -rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_dsa_key.pub -rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_key -rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_key.pub -rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_rsa_key -rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_rsa_key.pub -rw-r--r--. root root system_u:system_u:etc_t:s0 ssh_known_hosts -rw-------. root root system_u:system_u:etc_t:s0 sshd_config -rw-------. root root system_u:system_u:etc_t:s0 sshd_config.rpmnew ll -Z /usr/sbin/sshd: -rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd ps -efZ | grep sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 root 6321 1 0 11:48 ? 00:00:00 /usr/sbin/sshd -D Alert 1: ***** Plugin restorecon (94.8 confidence) suggests ************************* If you want to fix the label. /etc/ssh/ssh_host_rsa_key default label should be sshd_key_t. Then you can run restorecon. Do # /sbin/restorecon -v /etc/ssh/ssh_host_rsa_key Alert 2: ***** Plugin restorecon (94.8 confidence) suggests ************************* If you want to fix the label. /etc/ssh/ssh_host_rsa_key default label should be sshd_key_t. Then you can run restorecon. Do # /sbin/restorecon -v /etc/ssh/ssh_host_rsa_key ***** Plugin catchall_labels (5.21 confidence) suggests ******************** If you want to allow sshd to have getattr access on the ssh_host_rsa_key file Then you need to change the label on /etc/ssh/ssh_host_rsa_key grep -i avc | tail <snip> type=AVC msg=audit(1358182127.469:291): avc: denied { read } for pid=6321 comm="sshd" name="ssh_host_rsa_key" dev="sda3" ino=11372820 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file type=AVC msg=audit(1358182127.469:291): avc: denied { open } for pid=6321 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda3" ino=11372820 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file type=AVC msg=audit(1358182127.469:292): avc: denied { getattr } for pid=6321 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda3" ino=11372820 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file I've done a chcon. I did an semanage and the restorecon. The system was rebooted after the chcon; sshd was restarted after the semanage and restorecon. I just did restorecon -R /etc/ssh again. Is the audit program buggy? mark

11 years, 3 months

2
1
0 / 0

numad policy

by Dominick Grift

I needed to add the following so that numad can do its job: policy_module(mynumad, 1.0.0) gen_require(` type numad_t, svirt_t; ') domain_read_all_domains_state(numad_t) domain_setpriority_all_domains(numad_t) fs_manage_cgroup_dirs(numad_t) fs_rw_cgroup_files(numad_t) allow numad_t self:capability sys_ptrace; allow numad_t svirt_t:process ptrace;

11 years, 3 months

2
1
0 / 0

setools-console.x86_64 depends on setools-libs.i686

by Dominick Grift

This is what i get when i do " yum install setools-console " : > Loaded plugins: langpacks, presto, refresh-packagekit > Resolving Dependencies > --> Running transaction check > ---> Package setools-console.x86_64 0:3.3.7-28.fc18 will be installed > --> Processing Dependency: setools-libs = 3.3.7-28.fc18 for package: setools-console-3.3.7-28.fc18.x86_64 > --> Running transaction check > ---> Package setools-libs.i686 0:3.3.7-28.fc18 will be installed > --> Processing Dependency: libxml2.so.2(LIBXML2_2.5.0) for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libxml2.so.2(LIBXML2_2.4.30) for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libxml2.so.2 for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libstdc++.so.6(GLIBCXX_3.4) for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libstdc++.so.6(CXXABI_1.3) for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libstdc++.so.6 for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libsqlite3.so.0 for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libsepol.so.1 for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libselinux.so.1 for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libm.so.6 for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libgcc_s.so.1(GCC_3.0) for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libgcc_s.so.1 for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libc.so.6(GLIBC_2.8) for package: setools-libs-3.3.7-28.fc18.i686 > --> Processing Dependency: libbz2.so.1 for package: setools-libs-3.3.7-28.fc18.i686 > --> Running transaction check > ---> Package bzip2-libs.i686 0:1.0.6-7.fc18 will be installed > ---> Package glibc.i686 0:2.16-24.fc18 will be installed > --> Processing Dependency: glibc-common = 2.16-24.fc18 for package: glibc-2.16-24.fc18.i686 > --> Processing Dependency: libfreebl3.so(NSSRAWHASH_3.12.3) for package: glibc-2.16-24.fc18.i686 > --> Processing Dependency: libfreebl3.so for package: glibc-2.16-24.fc18.i686 > ---> Package libgcc.i686 0:4.7.2-8.fc18 will be installed > ---> Package libselinux.i686 0:2.1.12-7.fc18 will be installed > --> Processing Dependency: libpcre.so.1 for package: libselinux-2.1.12-7.fc18.i686 > ---> Package libsepol.i686 0:2.1.8-2.fc18 will be installed > ---> Package libstdc++.i686 0:4.7.2-8.fc18 will be installed > ---> Package libxml2.i686 0:2.9.0-3.fc18 will be installed > --> Processing Dependency: libz.so.1(ZLIB_1.2.3.3) for package: libxml2-2.9.0-3.fc18.i686 > --> Processing Dependency: libz.so.1(ZLIB_1.2.2.3) for package: libxml2-2.9.0-3.fc18.i686 > --> Processing Dependency: libz.so.1 for package: libxml2-2.9.0-3.fc18.i686 > --> Processing Dependency: liblzma.so.5(XZ_5.0) for package: libxml2-2.9.0-3.fc18.i686 > --> Processing Dependency: liblzma.so.5 for package: libxml2-2.9.0-3.fc18.i686 > ---> Package sqlite.i686 0:3.7.13-2.fc18 will be installed > --> Processing Dependency: libtinfo.so.5 for package: sqlite-3.7.13-2.fc18.i686 > --> Processing Dependency: libreadline.so.6 for package: sqlite-3.7.13-2.fc18.i686 > --> Processing Dependency: libncurses.so.5 for package: sqlite-3.7.13-2.fc18.i686 > --> Running transaction check > ---> Package glibc.i686 0:2.16-24.fc18 will be installed > --> Processing Dependency: glibc-common = 2.16-24.fc18 for package: glibc-2.16-24.fc18.i686 > ---> Package ncurses-libs.i686 0:5.9-7.20121017.fc18 will be installed > ---> Package nss-softokn-freebl.i686 0:3.14-5.fc18 will be installed > ---> Package pcre.i686 0:8.31-2.fc18 will be installed > ---> Package readline.i686 0:6.2-5.fc18 will be installed > ---> Package xz-libs.i686 0:5.1.2-2alpha.fc18 will be installed > ---> Package zlib.i686 0:1.2.7-9.fc18 will be installed > --> Finished Dependency Resolution > You could try using --skip-broken to work around the problem > You could try running: rpm -Va --nofiles --nodigest

11 years, 3 months

1
1
0 / 0

Reg. postgres running in unconfined_t after enabling selinux

by Ramkumar Raghavan

Hi, I am doing testing of implementing selinux in our application. I am using RHEL6.2 and the selinux enforced in targeted mode. All the application/postgresql data is in the NFS mount with all the contents labeled as nfs_t. I have given httpd Boolean access to nfs. When I start the postgres it starts as unconfined_t domain. ps -eZ | egrep 'httpd|java|postmaster' unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5853 ? 00:00:01 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5854 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5860 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5861 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5862 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5863 ? 00:00:00 postmaster unconfined_u:system_r:httpd_t:s0 14794 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 14796 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 14797 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 14798 ? 00:00:18 httpd unconfined_u:system_r:httpd_t:s0 14799 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 14800 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 14801 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 14802 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 14803 ? 00:00:00 httpd unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14851 ? 00:00:06 java unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14978 ? 00:02:57 java unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16426 ? 00:00:01 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16521 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16522 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16523 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16524 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16525 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16526 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16527 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16528 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16529 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16530 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16633 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16634 ? 00:00:00 postmaster unconfined_u:system_r:httpd_t:s0 16702 ? 00:00:00 httpd unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 17129 ? 00:00:06 java unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17201 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17205 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17206 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17207 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17208 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17209 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17216 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17217 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17218 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17219 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17220 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17221 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 17260 pts/1 00:00:05 java unconfined_u:system_r:httpd_t:s0 20918 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 20921 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 20922 ? 00:00:00 httpd unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 22851 ? 00:00:13 java unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22910 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22911 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22912 ? 00:00:00 postmaster unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22913 ? 00:00:00 postmaster Please advice if this fine or should I change the it.. -- Ramkumar Raghavan

11 years, 3 months

2
1
0 / 0

sshd key context

by mark

Is this a bug? It's certainly a real inconsistancy, IMO. I just built a user's workstation, new, as fc-17. ll -Z /usr/sbin/sshd -rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd* ll -Z /etc/ssh/ drwxr-xr-x. root root system_u:object_r:etc_t:s0 ./ drwxr-xr-x. root root system_u:object_r:etc_t:s0 ../ -rw-------. root root system_u:object_r:etc_t:s0 moduli -rw-r--r--. root root system_u:system_u:etc_t:s0 ssh_config -rw-------. root root system_u:system_u:etc_t:s0 sshd_config -rw-------. root root system_u:system_u:etc_t:s0 sshd_config.rpmnew -rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_dsa_key -rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_dsa_key.pub -rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_key -rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_key.pub -rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_rsa_key -rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_rsa_key.pub -rw-r--r--. root root system_u:system_u:etc_t:s0 ssh_known_hosts sealert tells me that the ssh_host_*_key should be etc_t, not, as I set it, sshd_key_t. mark

11 years, 3 months

2
7
0 / 0

transition to sysadm_u fails

by richard -rw- weinberger

Hi! On my CentOS6 test box I'm facing a strange problem. I'd like to have an uid!=0 user which is mapped to the selinux sysadm_u user. To achieve this I did "semanage login -a -s sysadm_u setest". But "runcon -t sysadm_t -u sysadm_u -r sysadm_r /bin/bash" failed. The transition got blocked for the following reason: type=AVC msg=audit(1357223866.943:29): avc: denied { transition } for pid=1105 comm="runcon" path="/bin/bash" dev=dm-0 ino=130087 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process Using audit2allow I've created an allow rule to allow the transition. ---cut--- [root@selinuxbox ~]# cat sysadm.te module sysadm 1.0; require { type unconfined_t; type sysadm_t; class process transition; } #============= unconfined_t ============== allow unconfined_t sysadm_t:process transition; ---cut--- I've loaded the new rule using "semodule -i sysadm.pp". ---cut--- [root@selinuxbox ~]# sesearch --all | grep "allow unconfined_t sysadm_t" allow unconfined_t sysadm_t : process { transition sigchld } ; ---cut--- As you can observe a transition from unconfined_t to sysadm_t is now allowed. But runcon still fails and audit logs the same deny message. Also audit2allow created exactly the same allow rule again. What is preventing runcon to work? -- Thanks, //richard

11 years, 3 months

2
2
0 / 0

How should I allow salsauthd access to shadow?

by Charles Bradshaw

I am configuring sendmail authentication using cyrus-sasl on a Fedora 17 server. The server, when it goes live, will essentially run Apache and mail for a number of domains. I intend that selinux will run 'enforcing' with 'targeted' policy. I have installed cyrus-sasl and initially test it as follows: Modify /etc/sysconfig/saslauthd MECH=pam -> MECH=shadow [root@..]# systemctl restart saslauthd.service [root@..]# make reload [root@..]# setenforce 0 [root@..]# testsaslauthd -u foo -p foospwd 0: OK "Success." OK saslauthd works, but I get selinux alerts, so: [root@..]# grep saslauthd /var/log/audit/audit.log | audit2allow -M saslpol [root@..]# cat saslpol.te module saslpol 1.0 require {sasl_auth_t; class capability { sys_nice dac_read_search dac_override }; class process setsched; } allow saslauthd_t self capability { sys_nice dac_override dac_read_search }; allow saslauthd_t self process { setsched } Which looks fine to my un-educated eyes. Before I semodule -i saslpol.pp, and taking seriously Bill McCarthys "evil" warning in his discussion of the use of audit2allow in the O'Reilly book. I need to know what I'm doing, right? Fundamentally I'm going to allow the process saslauthd access to /etc/shadow, which by definition is a potential security hole! The following questions arise: 0 - I suppose the first question is: Should I be using some other authentication mechanism rather than shadow for saslauth? Historically I've avoided PAM, allowing only SSH server login using certificates. Therefore avoiding the PAM learning curve. 1 - Given that, in the short term, I am getting too old to fully understand the subtle depths and complexities of selinux! How far should I trust the resulting above saslpol.te? 2 - Is it possible to determine what other actions sys_nice, dac_read_search, dac_override get allowed for saslauthd? 3 - Should I test my saslpol is the minimum required? By for example, by including each capability targets one at a time and in combination, and testing the results at each step? I hope that's not too many questions in one post. Thanks in advance, Charles Bradshaw

11 years, 3 months

2
3
0 / 0

Re: Anyone else using Open vSwitch on F18?

by Daniel J Walsh

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/30/2012 04:17 PM, Ian Pilcher wrote: > And getting a ton of SELinux AVCs? > > According to https://bugzilla.redhat.com/show_bug.cgi?id=872974#c2, the > openvswitch policy should be in selinux-policy-targeted- > 3.11.1-66.fc18.noarch, but I'm seeing a ton of messages related to kmod, > files in /etc/modprobe.d, and a netlink socket. > > type=AVC msg=audit(1356894958.32:2022): avc: denied { module_request } > for pid=1584 comm="ovs-vswitchd" kmod="netdev-vnet6" > scontext=system_u:system_r:openvswitch_t:s0 > tcontext=system_u:system_r:kernel_t:s0 tclass=system > > type=SYSCALL msg=audit(1356894958.32:2022): arch=x86_64 syscall=ioctl > success=no exit=ENODEV a0=10 a1=8913 a2=7fff99c842d0 a3=ffffffff items=0 > ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd > exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429 > subj=system_u:system_r:openvswitch_t:s0 key=(null) > > type=AVC msg=audit(1356894968.741:2209): avc: denied { nlmsg_write } for > pid=1584 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 > tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_route_socket > > type=SYSCALL msg=audit(1356894968.741:2209): arch=x86_64 syscall=sendmsg > success=yes exit=EBADE a0=25 a1=7fff99c83530 a2=0 a3=200 items=0 ppid=1583 > pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd > exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429 > subj=system_u:system_r:openvswitch_t:s0 key=(null) > I see these rules in selinux-policy-3.11.1-69.fc18.noarch audit2allow -i /tmp/t #============= openvswitch_t ============== #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules' allow openvswitch_t kernel_t:system module_request; #!!!! This avc is allowed in the current policy allow openvswitch_t self:netlink_route_socket nlmsg_write; -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlDkgIcACgkQrlYvE4MpobPYyQCgyfQF9RoBytouocvxoqSVfcUw ag4Anj8cXbce7S7v+NHhN9WMC3993ct2 =QwuT -----END PGP SIGNATURE-----

11 years, 3 months

3
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux January 2013