Where's the bug
by mark
I wrote:
<SNIP>
> I've done a chcon. I did an semanage and the restorecon. The system was
> rebooted after the chcon; sshd was restarted after the semanage and
> restorecon. I just did restorecon -R /etc/ssh again.
> Is the audit program buggy?
Dan - thanks. Good catch: changing the role from system_r to object_r on
the ssh_host* keys finally stopped the AVCs. Haven't seen a thing since I
did it this time yesterday.
mark
11 years, 3 months
AVC question
by David Highley
I get the following avc from using mythtv's web interface.
----
time->Tue Jan 8 19:14:57 2013
type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109
success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl"
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1357701297.336:4077): avc: denied { setpgid } for
pid=8018 comm="mythweb.pl"
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
----
time->Tue Jan 8 19:17:56 2013
type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109
success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774 pid=8113
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl"
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1357701476.763:4085): avc: denied { setpgid } for
pid=8113 comm="mythweb.pl"
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
I checked the script, ls -Z /usr/share/mythweb/mythweb.pl
-rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0
/usr/share/mythweb/mythweb.pl
Should I need to define the following?
require {
type httpd_sys_script_t;
class process setpgid;
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:process setpgid;
11 years, 3 months
Where's the bug
by mark
FC 17. Just built last week.
ll -Z /etc/ssh:
-rw-------. root root system_u:object_r:etc_t:s0 moduli
-rw-r--r--. root root system_u:system_u:etc_t:s0 ssh_config
-rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_dsa_key
-rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_dsa_key.pub
-rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_key
-rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_key.pub
-rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_rsa_key
-rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_rsa_key.pub
-rw-r--r--. root root system_u:system_u:etc_t:s0 ssh_known_hosts
-rw-------. root root system_u:system_u:etc_t:s0 sshd_config
-rw-------. root root system_u:system_u:etc_t:s0 sshd_config.rpmnew
ll -Z /usr/sbin/sshd:
-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd
ps -efZ | grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 6321 1 0 11:48 ?
00:00:00 /usr/sbin/sshd -D
Alert 1:
***** Plugin restorecon (94.8 confidence) suggests
*************************
If you want to fix the label.
/etc/ssh/ssh_host_rsa_key default label should be sshd_key_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/ssh/ssh_host_rsa_key
Alert 2:
***** Plugin restorecon (94.8 confidence) suggests
*************************
If you want to fix the label.
/etc/ssh/ssh_host_rsa_key default label should be sshd_key_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/ssh/ssh_host_rsa_key
***** Plugin catchall_labels (5.21 confidence) suggests
********************
If you want to allow sshd to have getattr access on the ssh_host_rsa_key file
Then you need to change the label on /etc/ssh/ssh_host_rsa_key
grep -i avc | tail
<snip>
type=AVC msg=audit(1358182127.469:291): avc: denied { read } for
pid=6321 comm="sshd" name="ssh_host_rsa_key" dev="sda3" ino=11372820
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1358182127.469:291): avc: denied { open } for
pid=6321 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda3"
ino=11372820 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1358182127.469:292): avc: denied { getattr } for
pid=6321 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda3"
ino=11372820 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
I've done a chcon. I did an semanage and the restorecon. The system was
rebooted after the chcon; sshd was restarted after the semanage and
restorecon. I just did restorecon -R /etc/ssh again.
Is the audit program buggy?
mark
11 years, 3 months
numad policy
by Dominick Grift
I needed to add the following so that numad can do its job:
policy_module(mynumad, 1.0.0)
gen_require(` type numad_t, svirt_t; ')
domain_read_all_domains_state(numad_t)
domain_setpriority_all_domains(numad_t)
fs_manage_cgroup_dirs(numad_t)
fs_rw_cgroup_files(numad_t)
allow numad_t self:capability sys_ptrace;
allow numad_t svirt_t:process ptrace;
11 years, 3 months
setools-console.x86_64 depends on setools-libs.i686
by Dominick Grift
This is what I get when I do " yum install setools-console ":
> Loaded plugins: langpacks, presto, refresh-packagekit
> Resolving Dependencies
> --> Running transaction check
> ---> Package setools-console.x86_64 0:3.3.7-28.fc18 will be installed
> --> Processing Dependency: setools-libs = 3.3.7-28.fc18 for package: setools-console-3.3.7-28.fc18.x86_64
> --> Running transaction check
> ---> Package setools-libs.i686 0:3.3.7-28.fc18 will be installed
> --> Processing Dependency: libxml2.so.2(LIBXML2_2.5.0) for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libxml2.so.2(LIBXML2_2.4.30) for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libxml2.so.2 for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libstdc++.so.6(GLIBCXX_3.4) for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libstdc++.so.6(CXXABI_1.3) for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libstdc++.so.6 for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libsqlite3.so.0 for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libsepol.so.1 for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libselinux.so.1 for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libm.so.6 for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libgcc_s.so.1(GCC_3.0) for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libgcc_s.so.1 for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libc.so.6(GLIBC_2.8) for package: setools-libs-3.3.7-28.fc18.i686
> --> Processing Dependency: libbz2.so.1 for package: setools-libs-3.3.7-28.fc18.i686
> --> Running transaction check
> ---> Package bzip2-libs.i686 0:1.0.6-7.fc18 will be installed
> ---> Package glibc.i686 0:2.16-24.fc18 will be installed
> --> Processing Dependency: glibc-common = 2.16-24.fc18 for package: glibc-2.16-24.fc18.i686
> --> Processing Dependency: libfreebl3.so(NSSRAWHASH_3.12.3) for package: glibc-2.16-24.fc18.i686
> --> Processing Dependency: libfreebl3.so for package: glibc-2.16-24.fc18.i686
> ---> Package libgcc.i686 0:4.7.2-8.fc18 will be installed
> ---> Package libselinux.i686 0:2.1.12-7.fc18 will be installed
> --> Processing Dependency: libpcre.so.1 for package: libselinux-2.1.12-7.fc18.i686
> ---> Package libsepol.i686 0:2.1.8-2.fc18 will be installed
> ---> Package libstdc++.i686 0:4.7.2-8.fc18 will be installed
> ---> Package libxml2.i686 0:2.9.0-3.fc18 will be installed
> --> Processing Dependency: libz.so.1(ZLIB_1.2.3.3) for package: libxml2-2.9.0-3.fc18.i686
> --> Processing Dependency: libz.so.1(ZLIB_1.2.2.3) for package: libxml2-2.9.0-3.fc18.i686
> --> Processing Dependency: libz.so.1 for package: libxml2-2.9.0-3.fc18.i686
> --> Processing Dependency: liblzma.so.5(XZ_5.0) for package: libxml2-2.9.0-3.fc18.i686
> --> Processing Dependency: liblzma.so.5 for package: libxml2-2.9.0-3.fc18.i686
> ---> Package sqlite.i686 0:3.7.13-2.fc18 will be installed
> --> Processing Dependency: libtinfo.so.5 for package: sqlite-3.7.13-2.fc18.i686
> --> Processing Dependency: libreadline.so.6 for package: sqlite-3.7.13-2.fc18.i686
> --> Processing Dependency: libncurses.so.5 for package: sqlite-3.7.13-2.fc18.i686
> --> Running transaction check
> ---> Package glibc.i686 0:2.16-24.fc18 will be installed
> --> Processing Dependency: glibc-common = 2.16-24.fc18 for package: glibc-2.16-24.fc18.i686
> ---> Package ncurses-libs.i686 0:5.9-7.20121017.fc18 will be installed
> ---> Package nss-softokn-freebl.i686 0:3.14-5.fc18 will be installed
> ---> Package pcre.i686 0:8.31-2.fc18 will be installed
> ---> Package readline.i686 0:6.2-5.fc18 will be installed
> ---> Package xz-libs.i686 0:5.1.2-2alpha.fc18 will be installed
> ---> Package zlib.i686 0:1.2.7-9.fc18 will be installed
> --> Finished Dependency Resolution
> You could try using --skip-broken to work around the problem
> You could try running: rpm -Va --nofiles --nodigest
11 years, 3 months
Reg. postgres running in unconfined_t after enabling selinux
by Ramkumar Raghavan
Hi,
I am doing testing of implementing selinux in our application.
I am using RHEL6.2 and the selinux enforced in targeted mode.
All the application/postgresql data is in the NFS mount with all the
contents labeled as nfs_t.
I have given httpd Boolean access to nfs.
When I start the postgres it starts as unconfined_t domain.
ps -eZ | egrep 'httpd|java|postmaster'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5853 ? 00:00:01
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5854 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5860 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5861 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5862 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5863 ? 00:00:00
postmaster
unconfined_u:system_r:httpd_t:s0 14794 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14796 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14797 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14798 ? 00:00:18 httpd
unconfined_u:system_r:httpd_t:s0 14799 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14800 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14801 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14802 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14803 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14851 ? 00:00:06
java
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14978 ? 00:02:57
java
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16426 ? 00:00:01
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16521 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16522 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16523 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16524 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16525 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16526 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16527 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16528 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16529 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16530 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16633 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16634 ? 00:00:00
postmaster
unconfined_u:system_r:httpd_t:s0 16702 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 17129 ? 00:00:06
java
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17201 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17205 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17206 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17207 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17208 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17209 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17216 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17217 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17218 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17219 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17220 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17221 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 17260 pts/1
00:00:05 java
unconfined_u:system_r:httpd_t:s0 20918 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 20921 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 20922 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 22851 ? 00:00:13
java
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22910 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22911 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22912 ? 00:00:00
postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22913 ? 00:00:00
postmaster
Please advise if this is fine or whether I should change it.
--
Ramkumar Raghavan
11 years, 3 months
sshd key context
by mark
Is this a bug? It's certainly a real inconsistency, IMO.
I just built a user's workstation, new, as fc-17.
ll -Z /usr/sbin/sshd
-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd*
ll -Z /etc/ssh/
drwxr-xr-x. root root system_u:object_r:etc_t:s0 ./
drwxr-xr-x. root root system_u:object_r:etc_t:s0 ../
-rw-------. root root system_u:object_r:etc_t:s0 moduli
-rw-r--r--. root root system_u:system_u:etc_t:s0 ssh_config
-rw-------. root root system_u:system_u:etc_t:s0 sshd_config
-rw-------. root root system_u:system_u:etc_t:s0 sshd_config.rpmnew
-rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_dsa_key
-rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_dsa_key.pub
-rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_key
-rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_key.pub
-rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_rsa_key
-rw-r--r--. root root system_u:system_u:sshd_key_t:s0 ssh_host_rsa_key.pub
-rw-r--r--. root root system_u:system_u:etc_t:s0 ssh_known_hosts
sealert tells me that the ssh_host_*_key should be etc_t, not, as I set
it, sshd_key_t.
mark
11 years, 3 months
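The listings in the "Where's the bug" and "sshd key context" posts show file contexts of the form system_u:system_u:sshd_key_t:s0, where the role field is not object_r. The following added example (not code from any poster) checks ls -Z output for exactly that class of invalid context; the sample lines are constructed in the shape of the quoted listing.

```python
import re

# Constructed ls -Z lines in the shape of the "ll -Z /etc/ssh" output quoted
# in the "Where's the bug" and "sshd key context" posts (sample data, not the
# original listing); two entries carry the invalid role system_u:system_u:...
SAMPLE_LS_Z = """\
-rw-------. root root system_u:object_r:etc_t:s0 moduli
-rw-r--r--. root root system_u:system_u:etc_t:s0 ssh_config
-rw-------. root root system_u:system_u:sshd_key_t:s0 ssh_host_rsa_key
-rw-r--r--. root root system_u:object_r:sshd_key_t:s0 ssh_host_rsa_key.pub
-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd
"""

# mode, owner, group, context, path (the path may contain spaces)
LS_Z_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def parse_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("context has fewer than three fields: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else ""}

def check_file_context(ctx):
    """Return the problems with a file (object) context; empty list if sane."""
    c = parse_context(ctx)
    problems = []
    if not c["user"].endswith("_u"):
        problems.append("user %r does not look like an SELinux user" % c["user"])
    if c["role"] != "object_r":
        # files and directories always carry object_r; any other role makes
        # the whole context invalid, and the kernel then treats the file as
        # unlabeled_t (the tcontext seen in the sshd AVCs above)
        problems.append("role %r must be object_r on a file" % c["role"])
    if not c["type"].endswith("_t"):
        problems.append("type %r does not look like a type" % c["type"])
    return problems

def audit_ls_z(text):
    """Map each path in ls -Z output to its list of context problems."""
    result = {}
    for line in text.splitlines():
        m = LS_Z_RE.match(line)
        if m is None:
            continue
        _mode, _owner, _group, ctx, path = m.groups()
        result[path.strip()] = check_file_context(ctx)
    return result

if __name__ == "__main__":
    for path, problems in audit_ls_z(SAMPLE_LS_Z).items():
        print("%-24s %s" % (path, "; ".join(problems) or "OK"))
```

By default restorecon compares only the type part of a context, so a wrong role survives a plain relabel; restorecon -F resets the user and role parts as well.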
transition to sysadm_u fails
by richard -rw- weinberger
Hi!
On my CentOS6 test box I'm facing a strange problem.
I'd like to have an uid!=0 user which is mapped to the selinux
sysadm_u user.
To achieve this I did "semanage login -a -s sysadm_u setest".
But "runcon -t sysadm_t -u sysadm_u -r sysadm_r /bin/bash" failed.
The transition got blocked for the following reason:
type=AVC msg=audit(1357223866.943:29): avc: denied { transition }
for pid=1105 comm="runcon" path="/bin/bash" dev=dm-0 ino=130087
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process
Using audit2allow I've created an allow rule to allow the transition.
---cut---
[root@selinuxbox ~]# cat sysadm.te
module sysadm 1.0;
require {
type unconfined_t;
type sysadm_t;
class process transition;
}
#============= unconfined_t ==============
allow unconfined_t sysadm_t:process transition;
---cut---
I've loaded the new rule using "semodule -i sysadm.pp".
---cut---
[root@selinuxbox ~]# sesearch --all | grep "allow unconfined_t sysadm_t"
allow unconfined_t sysadm_t : process { transition sigchld } ;
---cut---
As you can observe a transition from unconfined_t to sysadm_t is now allowed.
But runcon still fails and audit logs the same deny message.
Also audit2allow created exactly the same allow rule again.
What is preventing runcon from working?
--
Thanks,
//richard
11 years, 3 months
How should I allow salsauthd access to shadow?
by Charles Bradshaw
I am configuring sendmail authentication using cyrus-sasl on a Fedora 17 server.
The server, when it goes live, will essentially run Apache and mail for a
number of domains.
I intend that selinux will run 'enforcing' with 'targeted' policy.
I have installed cyrus-sasl and initially test it as follows:
Modify /etc/sysconfig/saslauthd
MECH=pam -> MECH=shadow
[root@..]# systemctl restart saslauthd.service
[root@..]# make reload
[root@..]# setenforce 0
[root@..]# testsaslauthd -u foo -p foospwd
0: OK "Success."
OK saslauthd works, but I get selinux alerts, so:
[root@..]# grep saslauthd /var/log/audit/audit.log | audit2allow -M saslpol
[root@..]# cat saslpol.te
module saslpol 1.0;
require {
type saslauthd_t;
class capability { sys_nice dac_read_search dac_override };
class process setsched;
}
allow saslauthd_t self:capability { sys_nice dac_override dac_read_search };
allow saslauthd_t self:process setsched;
Which looks fine to my un-educated eyes.
Before I semodule -i saslpol.pp, and taking seriously Bill McCarty's "evil"
warning in his discussion of the use of audit2allow in the O'Reilly book,
I need to know what I'm doing, right?
Fundamentally I'm going to allow the process saslauthd access to
/etc/shadow, which by definition is a potential security hole!
The following questions arise:
0 - I suppose the first question is: Should I be using some other
authentication mechanism rather than shadow for saslauth? Historically I've
avoided PAM, allowing only SSH server login using certificates. Therefore
avoiding the PAM learning curve.
1 - Given that, in the short term, I am getting too old to fully understand
the subtle depths and complexities of selinux! How far should I trust the
resulting above saslpol.te?
2 - Is it possible to determine what other actions sys_nice, dac_read_search,
dac_override get allowed for saslauthd?
3 - Should I test that my saslpol is the minimum required, for example by
including each capability target one at a time and in combination, and
testing the results at each step?
I hope that's not too many questions in one post. Thanks in advance, Charles
Bradshaw
11 years, 3 months
Re: Anyone else using Open vSwitch on F18?
by Daniel J Walsh
On 12/30/2012 04:17 PM, Ian Pilcher wrote:
> And getting a ton of SELinux AVCs?
>
> According to https://bugzilla.redhat.com/show_bug.cgi?id=872974#c2, the
> openvswitch policy should be in selinux-policy-targeted-
> 3.11.1-66.fc18.noarch, but I'm seeing a ton of messages related to kmod,
> files in /etc/modprobe.d, and a netlink socket.
>
> type=AVC msg=audit(1356894958.32:2022): avc: denied { module_request }
> for pid=1584 comm="ovs-vswitchd" kmod="netdev-vnet6"
> scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=system
>
> type=SYSCALL msg=audit(1356894958.32:2022): arch=x86_64 syscall=ioctl
> success=no exit=ENODEV a0=10 a1=8913 a2=7fff99c842d0 a3=ffffffff items=0
> ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd
> exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429
> subj=system_u:system_r:openvswitch_t:s0 key=(null)
>
> type=AVC msg=audit(1356894968.741:2209): avc: denied { nlmsg_write } for
> pid=1584 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_route_socket
>
> type=SYSCALL msg=audit(1356894968.741:2209): arch=x86_64 syscall=sendmsg
> success=yes exit=EBADE a0=25 a1=7fff99c83530 a2=0 a3=200 items=0 ppid=1583
> pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd
> exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429
> subj=system_u:system_r:openvswitch_t:s0 key=(null)
>
I see these rules in selinux-policy-3.11.1-69.fc18.noarch
audit2allow -i /tmp/t
#============= openvswitch_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow openvswitch_t kernel_t:system module_request;
#!!!! This avc is allowed in the current policy
allow openvswitch_t self:netlink_route_socket nlmsg_write;
11 years, 3 months
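Several posts above (the mythweb setpgid denial, the sshd denials against unlabeled_t, the runcon transition that stays denied after its allow rule was loaded, and the Open vSwitch reply) all start from raw AVC records. The added example below, written for this page and not taken from any poster or from audit2allow, parses such records, aggregates them into candidate rules the way audit2allow does, and separates out the two cases where an allow rule is the wrong answer; the sample records are the ones quoted above, re-joined onto one line each, and the triage heuristics are this example's own.

```python
import re
from collections import defaultdict

# AVC records from the posts above (setpgid in mythweb, sshd on the mislabeled
# host key, runcon into sysadm_t), each re-joined onto a single line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1357701297.336:4077): avc: denied { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1358182127.469:291): avc: denied { read } for pid=6321 comm="sshd" name="ssh_host_rsa_key" dev="sda3" ino=11372820 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1358182127.469:291): avc: denied { open } for pid=6321 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda3" ino=11372820 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1357223866.943:29): avc: denied { transition } for pid=1105 comm="runcon" path="/bin/bash" dev=dm-0 ino=130087 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC fields of one audit line as a dict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def split_context(ctx):
    """user:role:type[:range] -> (user, role, type); the range may contain ':'."""
    user, role, type_ = ctx.split(":", 3)[:3]
    return user, role, type_

def triage(text):
    """Aggregate denials into candidate rules and separate out non-rule problems."""
    rules = defaultdict(set)   # (source type, target, class) -> permissions
    notes = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        suser, srole, stype = split_context(avc["scontext"])
        tuser, trole, ttype = split_context(avc["tcontext"])
        obj = avc.get("path") or avc.get("name") or "?"
        if ttype == "unlabeled_t":
            # A missing or (as in the sshd post) invalid on-disk label shows up
            # as unlabeled_t; the fix is relabeling, not an allow rule.
            notes.append("%s: relabel %s, do not allow unlabeled_t" % (avc["comm"], obj))
            continue
        if avc["tclass"] == "process" and "transition" in avc["perms"] and (suser, srole) != (tuser, trole):
            # The SELinux user or role changes too, so a policy constraint can
            # deny this even when the matching allow rule exists (runcon post).
            notes.append("%s: %s -> %s changes user/role; check constraints, not only allow rules"
                         % (avc["comm"], avc["scontext"], avc["tcontext"]))
        target = "self" if avc["scontext"] == avc["tcontext"] else ttype
        rules[(stype, target, avc["tclass"])].update(avc["perms"])
    return dict(rules), notes

def render_rules(rules):
    """Render aggregated denials as TE allow rules, one per (source, target, class)."""
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in rules.items())

if __name__ == "__main__":
    rules, notes = triage(SAMPLE_AUDIT)
    print("\n".join(render_rules(rules) + notes))
```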