On Fri, 2006-06-30 at 14:19 +0100, Paul Howarth wrote:
Marc Schwartz wrote:
> I just got home and noted the following avc's which appear to be a
> post-reboot scenario.
>
> There are some that appear to be networking related, which may indeed be
> associated with the kernel related reports. I have more than one network
> profile, where I used one at home that has a fixed IP address behind a
> router. At work, I use NM with DHCP. As I noted in a prior post, some
> network things have been flaky with the new kernel.
>
> Is this an indication that I should consider the 'updates testing'
> initscripts update as referenced in other threads on the general lists?
Possibly; my understanding of the update is that it fixes the order of
assignment of network devices at boot time. This is useful to me for
instance, as I have a two-interface firewall, which doesn't work if it
boots with the internal and external interfaces the wrong way around.
Yeah, eth0 (should be a hardwired connection) and eth1 (which should be
a wireless connection) have been frequently switching back and forth.
Under the former kernel, the wireless was wlan0 when using ndiswrapper.
OK. I updated the rpm.
I have not fully tested the updated scripts, but what was interesting is
that I had modified rc.sysinit to handle my LUKS partitions during boot,
but the update (which includes the default file) did not overwrite my
modified version. I presume that there may be an entry in the spec file
for the rpm to check for this, though I have not taken the time to
review it.
> Up until the reboot, there were no other avc's.
>
> Note also what appears to be a double "//" in the path to the
> razor-agent.log. Not sure where that comes from, as the mods that I
> made in the config files are:
>
> local.cf:
> razor_config /etc/mail/spamassassin/razor/razor-agent.conf
>
> razor-agent.conf :
> razorhome = /etc/mail/spamassassin/razor/
>
> The trailing '/' in the second file was there previously.
You could try it without the trailing slash and see what happens. Double
slashes aren't usually an issue though.
I'll leave it for now and see if it continues to show.
> New avc's:
>
> type=AVC msg=audit(1151607255.655:1577): avc: denied { signal } for pid=2283
> comm="spamd" scontext=system_u:system_r:spamd_t:s0
> tcontext=system_u:system_r:dcc_client_t:s0 tclass=process
> type=SYSCALL msg=audit(1151607255.655:1577): arch=40000003 syscall=37 success=no
> exit=-13 a0=780b a1=f a2=2b5b8c a3=90e7894 items=0 pid=2283 auid=4294967295 uid=0 gid=0
> euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd"
> exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
Spamassassin signalling dcc_client. I wonder if the "a1" value is the
signal number? If so, that's SIGTERM.
> type=AVC msg=audit(1151620643.074:452): avc: denied { append } for pid=2312
> comm="spamd" name="razor-agent.log" dev=hdc7 ino=1081390
> scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:etc_mail_t:s0 tclass=file
> type=SYSCALL msg=audit(1151620643.074:452): arch=40000003 syscall=5 success=no
> exit=-13 a0=b5c6ee0 a1=8441 a2=1b6 a3=8441 items=1 pid=2312 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="spamd"
> exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
> type=CWD msg=audit(1151620643.074:452): cwd="/"
> type=PATH msg=audit(1151620643.074:452): item=0
> name="/etc/mail/spamassassin/razor//razor-agent.log" parent=1081385 dev=16:07
> mode=040755 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:etc_mail_t:s0
Trying to append to /etc/mail/spamassassin/razor/razor-agent.log, which
of course is etc_mail_t. Is there any way to persuade razor to put this
log in /var/log instead?
Yep. Done. I made a change in:
/etc/mail/spamassassin/razor/razor-agent.conf
Now with a line:
logfile = /var/log/razor-agent.log
which was just
logfile = razor-agent.log
Specifying the full path overrides the normal home dir for razor files.
After a spamassassin service restart, the log file is now:
ls -lZ /var/log/razor-agent.log
-rw-r--r-- root root user_u:object_r:var_log_t /var/log/razor-agent.log
Note the change in context below.
> type=AVC msg=audit(1151620645.415:453): avc: denied { setgid }
> for pid=2410 comm="dccproc" capability=6 scontext=system_u:system_r:dcc_client_t:s0
> tcontext=system_u:system_r:dcc_client_t:s0 tclass=capability
> type=SYSCALL msg=audit(1151620645.415:453): arch=40000003 syscall=210 success=yes
> exit=0 a0=ffffffff a1=0 a2=ffffffff a3=47fcfcc0 items=0 pid=2410 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dccproc"
> exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
dccproc changing its group ID.
> type=AVC msg=audit(1151620795.471:481): avc: denied { use } for pid=5120
> comm="dhclient" name="[10508]" dev=pipefs ino=10508
> scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> type=AVC msg=audit(1151620795.471:481): avc: denied { use } for pid=5120
> comm="dhclient" name="[10508]" dev=pipefs ino=10508
> scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> type=SYSCALL msg=audit(1151620795.471:481): arch=40000003 syscall=11 success=yes
> exit=0 a0=99120f8 a1=993b580 a2=9912608 a3=993b5f0 items=2 pid=5120 auid=500 uid=0 gid=500
> euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dhclient"
> exe="/sbin/dhclient" subj=user_u:system_r:dhcpc_t:s0
> type=AVC_PATH msg=audit(1151620795.471:481): path="pipe:[10508]"
> type=AVC_PATH msg=audit(1151620795.471:481): path="pipe:[10508]"
> type=CWD msg=audit(1151620795.471:481):
> cwd="/etc/sysconfig/network-scripts"
> type=PATH msg=audit(1151620795.471:481): item=0 name="/sbin/dhclient"
> inode=3542818 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:dhcpc_exec_t:s0
> type=PATH msg=audit(1151620795.471:481): item=1 name=(null) inode=754491 dev=16:07
> mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> type=AVC msg=audit(1151620808.228:498): avc: denied { use } for pid=5217
> comm="dhclient-script" name="[10508]" dev=pipefs ino=10508
> scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255
> tclass=fd
> type=AVC msg=audit(1151620808.228:498): avc: denied { use } for pid=5217
> comm="dhclient-script" name="[10508]" dev=pipefs ino=10508
> scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255
> tclass=fd
> type=SYSCALL msg=audit(1151620808.228:498): arch=40000003 syscall=11 success=yes
> exit=0 a0=9fdff30 a1=a0044c8 a2=9fe1378 a3=a002498 items=3 pid=5217 auid=500 uid=0 gid=500
> euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
> comm="dhclient-script" exe="/bin/bash"
> subj=user_u:system_r:dhcpc_t:s0
> type=AVC_PATH msg=audit(1151620808.228:498): path="pipe:[10508]"
> type=AVC_PATH msg=audit(1151620808.228:498): path="pipe:[10508]"
> type=CWD msg=audit(1151620808.228:498):
> cwd="/etc/sysconfig/network-scripts"
> type=PATH msg=audit(1151620808.228:498): item=0
> name="/sbin/dhclient-script" inode=3548518 dev=16:07 mode=0100755 ouid=0 ogid=0
> rdev=00:00 obj=system_u:object_r:dhcpc_exec_t:s0
> type=PATH msg=audit(1151620808.228:498): item=1 name=(null) inode=1966191 dev=16:07
> mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
> type=PATH msg=audit(1151620808.228:498): item=2 name=(null) inode=754491 dev=16:07
> mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
These appear to be unrelated network issues.
Could be allowed by having
xserver_use_xdm_fds(dhcpc_t)
in the sysnetwork policy but I'm not sure what's happening there and if
that would be the right thing to do.
Updated policy:
::::::::::::::
mydcc.if
::::::::::::::
########################################
## <summary>
##	Signal the dcc client
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`dcc_signal_client',`
	gen_require(`
		type dcc_client_t;
	')

	allow $1 dcc_client_t:process signal;
')
::::::::::::::
myspamassassin.te
::::::::::::::
policy_module(myspamassassin, 0.1.2)

require {
	type spamd_t;
}

# This will be included in FC5 policy when dcc module is included
dcc_domtrans_client(spamd_t)

# This is already supposed to be included but doesn't seem to be working
pyzor_domtrans(spamd_t)

# This will be included in FC5 policy when razor module is included
razor_domtrans(spamd_t)

# Signal the dcc client (SIGTERM is used?)
dcc_signal_client(spamd_t)
::::::::::::::
mydcc.te
::::::::::::::
policy_module(mydcc, 0.1.9)

# ==================================================
# Declarations
# ==================================================

require {
	type dcc_client_t;
}

# ==================================================
# DCC client local policy
# ==================================================

allow dcc_client_t self:capability setgid;
allow dcc_client_t self:netlink_route_socket r_netlink_socket_perms;
corenet_udp_bind_inaddr_any_node(dcc_client_t)

# dcc_client probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(dcc_client_t)
kernel_dontaudit_read_system_state(dcc_client_t)
spamassassin_read_spamd_tmp_files(dcc_client_t)
Policies updated:
amavis 1.0.4
clamav 1.0.1
dcc 1.0.0
myclamav 0.1.5
mydcc 0.1.9
mypostfix 0.1.0
mypyzor 0.2.3
myspamassassin 0.1.2
procmail 0.5.4
pyzor 1.0.1
razor 1.0.0
I also ran a restorecon on /var/log/razor-agent.log, which is now:
ls -lZ /var/log/razor-agent.log
-rw-r--r-- root root system_u:object_r:razor_log_t /var/log/razor-agent.log
New avc's so far, after manually running all relevant cron jobs and a
reboot:
type=AVC msg=audit(1151774266.909:5311): avc: denied { search } for pid=11652
comm="spamd" name="log" dev=dm-1 ino=73126
scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1151774266.909:5311): arch=40000003 syscall=5 success=no exit=-13
a0=b1676f0 a1=8441 a2=1b6 a3=8441 items=1 pid=11652 auid=500 uid=0 gid=0 euid=500 suid=0
fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd"
exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=CWD msg=audit(1151774266.909:5311): cwd="/"
type=PATH msg=audit(1151774266.909:5311): item=0 name="/var/log/razor-agent.log"
obj=user_u:object_r:etc_mail_t:s0
type=AVC msg=audit(1151774267.629:5312): avc: denied { read } for pid=18080
comm="dccproc" name=".fonts.cache-2" dev=hdc7 ino=427877
scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:user_home_t:s0
tclass=file
type=SYSCALL msg=audit(1151774267.629:5312): arch=40000003 syscall=11 success=yes exit=0
a0=b0c96b8 a1=a432fd8 a2=b18feb8 a3=bfce606c items=2 pid=18080 auid=500 uid=500 gid=0
euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dccproc"
exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151774267.629:5312):
path="/root/.rh-fontconfig/.fonts.cache-2"
type=CWD msg=audit(1151774267.629:5312): cwd="/"
type=PATH msg=audit(1151774267.629:5312): item=0 name="/usr/local/bin/dccproc"
inode=3118478 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00
obj=system_u:object_r:dcc_client_exec_t:s0
type=PATH msg=audit(1151774267.629:5312): item=1 name=(null) inode=754491 dev=16:07
mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
Thanks,
Marc
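An added example, not from this thread or from either poster: a small Python triage of the two spamd denials quoted above. It groups audit records by event serial and, for each AVC, checks the PATH record's label against a table of types expected under that directory (the EXPECTED table is an assumption for illustration; a real system would consult matchpathcon). A wrong label gets a restorecon, as was done for /var/log/razor-agent.log, and only a correctly labelled object gets an allow rule in the style of the .te files above.

```python
import re

# Sample input: the two spamd denials from the thread, wrapped lines rejoined, SYSCALL/CWD dropped.
SAMPLE = """\
type=AVC msg=audit(1151620643.074:452): avc: denied { append } for pid=2312 comm="spamd" name="razor-agent.log" dev=hdc7 ino=1081390 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:etc_mail_t:s0 tclass=file
type=PATH msg=audit(1151620643.074:452): item=0 name="/etc/mail/spamassassin/razor//razor-agent.log" obj=user_u:object_r:etc_mail_t:s0
type=AVC msg=audit(1151774266.909:5311): avc: denied { search } for pid=11652 comm="spamd" name="log" dev=dm-1 ino=73126 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=PATH msg=audit(1151774266.909:5311): item=0 name="/var/log/razor-agent.log" obj=user_u:object_r:etc_mail_t:s0
"""

# Assumed: types a file may carry under each directory (use matchpathcon on a real box).
EXPECTED = {"/var/log/": {"var_log_t", "razor_log_t"}, "/etc/mail/": {"etc_mail_t"}}

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'denied \{ ([^}]+) \}')

def parse_records(text):                 # {serial: [(record type, fields), ...]}
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "AVC":               # pull the denied permissions out of the AVC
            fields["perms"] = DENIED.search(rest).group(1).split()
        events.setdefault(int(serial), []).append((rtype, fields))
    return events

def type_of(context):                    # user:role:type[:range] -> type
    return context.split(":")[2]

def triage(events):                      # per denial: relabel, or an allow rule
    out = []
    for serial, recs in sorted(events.items()):
        avc = next((f for t, f in recs if t == "AVC"), None)
        if avc is None:
            continue
        paths = [(f["name"], type_of(f["obj"])) for t, f in recs if t == "PATH" and "obj" in f]
        path, obj = paths[0] if paths else ("", "")
        ok = next((ts for d, ts in EXPECTED.items() if path.startswith(d)), None)
        if ok is not None and obj not in ok:
            action = f"restorecon -v {path}"     # mislabelled file: fix the label
        else:                                     # label is right: policy is missing
            action = (f"allow {type_of(avc['scontext'])} {type_of(avc['tcontext'])}:"
                      f"{avc['tclass']} {{ {' '.join(avc['perms'])} }};")
        out.append((serial, avc["comm"], path, obj, action))
    return out
```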