On Sun, Apr 25, 2010 at 07:20:12PM +0100, Arthur Dent wrote:
Hello Dominick,
I don't know if you remember all the painful details of the thread where
you helped me solve my mlogc problems but, after running for a couple of
weeks in enforcing mode I occasionally get these AVCs when my
ModSecurity rule triggers a block which is reported in mlogc:
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1271810736.442:85299): avc: denied { read } for
pid=30941 comm="mlogc" name="stat" dev=proc ino=4026531985
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1271810736.442:85299): arch=40000003 syscall=5
success=no exit=-13 a0=ceeb6e a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=30941
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1271810736.446:85300): avc: denied { read } for
pid=30941 comm="mlogc" name="cpuinfo" dev=proc ino=4026531980
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1271810736.446:85300): arch=40000003 syscall=5
success=no exit=-13 a0=ceeb79 a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=30941
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1272206914.57:99302): avc: denied { read } for
pid=2650 comm="mlogc" name="stat" dev=proc ino=4026531985
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1272206914.57:99302): arch=40000003 syscall=5
success=no exit=-13 a0=24bb6e a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=2650
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1272206914.61:99303): avc: denied { read } for
pid=2650 comm="mlogc" name="cpuinfo" dev=proc ino=4026531980
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1272206914.61:99303): arch=40000003 syscall=5
success=no exit=-13 a0=24bb79 a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=2650
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Audit2allow suggests:
require {
type mlogc_t;
type proc_t;
class file read;
}
#============= mlogc_t ==============
allow mlogc_t proc_t:file read;
But when I try to add that to my mlogc.te it chokes during the build
process...

Chokes? What exactly gets printed to the screen?
Try adding "kernel_read_system_state(mlogc_t)" to your mlogc.te file and rebuild,
reinstall.

I should point out that, as far as I can tell, everything still works
despite the AVC denial...
Thanks yet again for your patient help!
Mark
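
An added example, not part of the original message or of any SELinux tool: a small Python triage script that collapses wrapped AVC records like the ones above into one line per (source type, target type, class) and prints the raw allow rule next to an interface call. The HINTS table is an assumption of this example and holds only the interface named in the reply; the sample input is two of the records quoted in the message.

```python
import re
from collections import defaultdict

# One AVC record: permissions in braces, then key=value fields up to tclass.
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?tclass=\w+)", re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption for this example: the single interface named in the reply, keyed by
# (target type, class), with the read-only permissions it is taken to cover.
HINTS = {("proc_t", "file"): ("kernel_read_system_state",
                              {"getattr", "open", "read", "lock", "ioctl"})}

def summarize(text):
    """Group denials by (source type, target type, class); handles wrapped records."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "count": 0})
    for perms, rest in AVC_RE.findall(text):
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        # A context is user:role:type:level, so the type is the third field.
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        groups[key]["perms"].update(perms.split())
        groups[key]["names"].add(f.get("name", "?"))
        groups[key]["count"] += 1
    return dict(groups)

def suggestions(groups):
    """Return (raw allow rule, interface call or None) for each group."""
    out = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        rule_perms = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        name, covered = HINTS.get((tgt, cls), (None, set()))
        # Only offer the interface when every denied permission is read-only.
        call = f"{name}({src})" if name and g["perms"] <= covered else None
        out.append((f"allow {src} {tgt}:{cls} {rule_perms};", call))
    return out

# Two of the AVC records quoted in the message, wrapped the same way.
SAMPLE = """\
node=troodos.org.uk type=AVC msg=audit(1271810736.442:85299): avc: denied { read } for
pid=30941 comm="mlogc" name="stat" dev=proc ino=4026531985
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=troodos.org.uk type=AVC msg=audit(1271810736.446:85300): avc: denied { read } for
pid=30941 comm="mlogc" name="cpuinfo" dev=proc ino=4026531980
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} x{g['count']} names={sorted(g['names'])}")
    for rule, call in suggestions(summarize(SAMPLE)):
        print(rule, "| interface:", call)
```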