--- On Fri, 10/17/08, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
From: Stephen Smalley <sds(a)tycho.nsa.gov>
Subject: Re: selinux denies dmesg
To: olivares14031(a)yahoo.com
Cc: fedora-selinux-list(a)redhat.com
Date: Friday, October 17, 2008, 7:32 AM
On Thu, 2008-10-16 at 15:27 -0700, Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> After recovering from a kernel panic to check up on the filesystem, I ran dmesg and I encountered some AVCs:
>
> [olivares@riohigh ~]$ dmesg | grep avc
> type=1400 audit(1224195506.669:4): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.669:5): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.669:6): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.669:7): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:8): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:9): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:10): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:11): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:12): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:13): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
>
>
> I have just updated to a newer kernel, 2.6.27-13, and new SELinux policy updates :)
>
> [olivares@riohigh ~]$ rpm -qa selinux*
> selinux-policy-3.5.12-2.fc10.noarch
> selinux-policy-targeted-3.5.12-2.fc10.noarch
> [olivares@riohigh ~]$
>
>
> What do I do?
Enable syscall auditing and find out what syscall triggered the CAP_SYS_RESOURCE check.
--
Stephen Smalley
National Security Agency
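Stephen's reply above is the whole procedure; the script below is an added example of one way to carry it out, not code from the thread, from Fedora or from the audit project. It assumes auditd and the audit userspace tools (auditctl, ausearch, ausyscall) are installed and that steps 1 and 2 run as root. The restriction of the audit rule to the dmesg_t domain, and the sample SYSCALL record in the constructed log, are this example's assumptions: the thread only says "enable syscall auditing" and never identifies which syscall was behind the CAP_SYS_RESOURCE check.

```shell
#!/bin/sh
# Added example (not from the thread): enable syscall auditing for the dmesg_t
# domain, then tie each capability AVC to the SYSCALL record that shares its
# audit serial. Steps 1 and 2 need root and a running auditd.

# Step 1: record every syscall made from the dmesg_t domain. Without a rule
# like this the kernel logs the AVC on its own, with no SYSCALL record beside
# it, which is why the dmesg output in the thread names no syscall.
# (The subj_type filter is this example's choice.)
enable_syscall_audit() {
    auditctl -a exit,always -F arch=b64 -S all -F subj_type=dmesg_t
    auditctl -a exit,always -F arch=b32 -S all -F subj_type=dmesg_t
}

# Step 2: reproduce the denial, then pull the raw AVC and SYSCALL records.
# With auditd running the records go to /var/log/audit/audit.log, not dmesg.
collect_events() {
    dmesg > /dev/null
    ausearch -m AVC,SYSCALL -ts recent -r
}

# Step 3: correlate. Records of one event share the serial in
# audit(SECONDS.MILLIS:SERIAL). For every AVC denial in file $1 print the
# syscall number and arch of the SYSCALL record with the same serial, or "?"
# when none was logged. Accepts raw audit.log lines (type=AVC / type=SYSCALL)
# as well as dmesg lines (type=1400 / type=1300).
syscall_for_avc() {
    awk '
        # serial number out of "audit(1224195506.669:4):"
        function serial(line,   s) {
            s = line
            sub(/^.*audit\([0-9.]*:/, "", s)
            sub(/\).*$/, "", s)
            return s
        }
        # value of " key=..." (quoted or bare); "?" if the field is absent
        function field(line, key,   v) {
            if (match(line, " " key "=\"?[^ \"]+")) {
                v = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
                gsub(/"/, "", v)
                return v
            }
            return "?"
        }
        # first pass over the file: remember syscall number and arch per serial
        NR == FNR {
            if ($1 == "type=SYSCALL" || $1 == "type=1300") {
                s = serial($0); sc[s] = field($0, "syscall"); arch[s] = field($0, "arch")
            }
            next
        }
        # second pass: report each denial together with its syscall
        ($1 == "type=AVC" || $1 == "type=1400") && /denied/ {
            s = serial($0)
            perm = $0; sub(/^.*[{] */, "", perm); sub(/ *[}].*$/, "", perm)
            printf "serial=%s comm=%s perm=%s syscall=%s arch=%s\n", s, field($0, "comm"), perm, (s in sc) ? sc[s] : "?", (s in arch) ? arch[s] : "?"
        }
    ' "$1" "$1"
}

# Constructed sample records for a dry run, modelled on the thread's output.
# The SYSCALL record is invented for illustration: syscall 103 on x86_64
# (arch c000003e) is syslog(2), but the thread never says which syscall was
# really involved. Serial 5 has no SYSCALL record, as on a host where syscall
# auditing is off, so the report shows "?" for it.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1224195506.669:4): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=SYSCALL msg=audit(1224195506.669:4): arch=c000003e syscall=103 success=no exit=-1 a0=3 a1=0 a2=0 a3=0 items=0 ppid=1500 pid=1534 uid=500 comm="dmesg" exe="/bin/dmesg" subj=system_u:system_r:dmesg_t:s0 key=(null)
type=1400 audit(1224252291.136:5): avc: denied { write } for pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
EOF
}

# Dry run on the constructed records. On a real host: enable_syscall_audit,
# then collect_events > /tmp/avc.raw and pass that file to syscall_for_avc.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_log "$tmp"; syscall_for_avc "$tmp"; rm -f "$tmp"
fi
```

Once the number is known, `ausyscall x86_64 103` (or `ausearch -i`, which interprets the records) turns it into a syscall name, and the kernel code for that syscall shows where the capable(CAP_SYS_RESOURCE) check sits; that is the thing to fix in the program or policy, rather than granting dmesg_t the capability wholesale. A line ending in `syscall=? arch=?` is exactly the state of the original post: the AVC was logged without any SYSCALL record, so there is nothing yet to correlate.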
How do I do that:
> Enable syscall auditing and find out what syscall triggered the CAP_SYS_RESOURCE check.
Is there a way to do it?
I feel that SELinux should not get in the way of dmesg and other important system commands. Why does it deny it?
setroubleshoot has not appeared, and on another machine without ext4 I see the following denials:
[olivares@localhost ~]$ dmesg | grep 'avc'
type=1400 audit(1224252291.136:4): avc: denied { write } for pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1224252414.451:5): avc: denied { execstack } for pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
[olivares@localhost ~]$ dmesg | grep 'avcs'
[olivares@localhost ~]$ dmesg | grep avc
type=1400 audit(1224252291.136:4): avc: denied { write } for pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1224252414.451:5): avc: denied { execstack } for pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
[olivares@localhost ~]$
Thanks,
Antonio