foresee policy triggered by a process
by Henry Zhang
Hi Folks,
I want to trace the policy triggered by a process from the command line. I tried
ps -Z $(pgrep cmd) ----> cmd is either a command or an executable file name
but it does not pick up any policy type.
Any suggestions?
Thanks.
----henry
1 month, 3 weeks
Fwd: [Bug 2170630] New: SELinux is preventing zabbix_agentd from
'getattr' accesses on the file /proc/kcore.
by Orion Poplawski
I would really appreciate some SELinux expertise with this issue. There
is a little more discussion in the report.
Thanks,
Orion
-------- Forwarded Message --------
Subject: [Bug 2170630] New: SELinux is preventing zabbix_agentd from
'getattr' accesses on the file /proc/kcore.
Date: Thu, 16 Feb 2023 20:25:15 +0000
From: bugzilla(a)redhat.com
To: orion(a)nwra.com
https://bugzilla.redhat.com/show_bug.cgi?id=2170630
Bug ID: 2170630
Summary: SELinux is preventing zabbix_agentd from 'getattr'
accesses on the file /proc/kcore.
Product: Fedora
Version: 37
Hardware: x86_64
Status: NEW
Whiteboard: abrt_hash:c24d6bdbf305be68dc05545d71227a8d033fc8ba37b3982373781ae7fc12670e;VARIANT_ID=workstation;
Component: zabbix
Assignee: gwync(a)protonmail.com
Reporter: b.gatessucks(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: bennie.joubert(a)jsdaav.com, dan(a)danny.cz,
gwync(a)protonmail.com, orion(a)nwra.com
Target Milestone: ---
Classification: Fedora
Description of problem:
SELinux is preventing zabbix_agentd from 'getattr' accesses on the file
/proc/kcore.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that zabbix_agentd should be allowed getattr access on the kcore file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'zabbix_agentd' --raw | audit2allow -M my-zabbixagentd
# semodule -X 300 -i my-zabbixagentd.pp
Additional Information:
Source Context system_u:system_r:zabbix_agent_t:s0
Target Context system_u:object_r:proc_kcore_t:s0
Target Objects /proc/kcore [ file ]
Source zabbix_agentd
Source Path zabbix_agentd
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-37.19-1.fc37.noarch
Local Policy RPM zabbix-selinux-6.0.8-1.fc37.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 6.1.11-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Feb 9 19:20:24 UTC 2023 x86_64 x86_64
Alert Count 6
First Seen 2023-02-15 20:44:35 GMT
Last Seen 2023-02-16 19:44:35 GMT
Local ID a7f07d90-52c4-48bf-b944-2dbf3b82932b
Raw Audit Messages
type=AVC msg=audit(1676576675.836:523): avc: denied { getattr } for pid=5913 comm="zabbix_agentd" path="/proc/kcore" dev="proc" ino=4026532075 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=0
Hash: zabbix_agentd,zabbix_agent_t,proc_kcore_t,file,getattr
Version-Release number of selected component:
selinux-policy-targeted-37.19-1.fc37.noarch
Additional info:
component: zabbix
reporter: libreport-2.17.4
hashmarkername: setroubleshoot
kernel: 6.1.11-200.fc37.x86_64
type: libreport
--
Orion Poplawski
he/him/his - surely the least important thing about me
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
2 months
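Added example, not part of either post or of the bug report: a small Python parser for the raw AVC record quoted in the report. It extracts the source and target types and rebuilds the comm,source_type,target_type,class,permission tuple shown on the report's "Hash:" line, so that repeated denials in an audit log can be grouped before deciding on a policy change. The function names, the SYSCALL sample line, and joining several permissions with commas are assumptions made for this example.

```python
import re
import shlex
from collections import Counter

# Constructed sample: the AVC record quoted in the report, joined onto one line,
# followed by a made-up SYSCALL record that the parser must skip.
SAMPLE_LOG = '''\
type=AVC msg=audit(1676576675.836:523): avc: denied { getattr } for pid=5913 comm="zabbix_agentd" path="/proc/kcore" dev="proc" ino=4026532075 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1676576675.836:523): arch=c000003e syscall=262 success=no exit=-13
'''

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+'
                    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    try:
        tokens = shlex.split(m["fields"])  # strips the quotes around comm=, path=, ...
    except ValueError:                     # unbalanced quote in a truncated record
        return None
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {
        "denied": m["result"] == "denied",
        "perms": m["perms"].split(),
        "comm": kv.get("comm", "?"),
        "path": kv.get("path"),
        # The type is the third colon-separated field; the MLS level follows it.
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        # permissive=0 means the kernel actually blocked the access.
        "enforced": kv.get("permissive") == "0",
    }

def triage_key(rec):
    """Build the tuple shown on the report's Hash: line (perms comma-joined: assumption)."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], *rec["perms"]])

def summarize(log_text):
    """Count enforced denials per triage key across a block of audit log text."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return Counter(triage_key(r) for r in recs if r and r["denied"] and r["enforced"])
```

Calling summarize(SAMPLE_LOG) returns one key with a count of 1; on a real system the input would be the text printed by ausearch --raw.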