On Nov 29, 2010, at 4:36 AM, Miroslav Grepl wrote:
On 11/22/2010 02:07 PM, Vadym Chepkov wrote:
> Hi,
>
> I just upgraded to Fedora 14 and got a significant amount of all sorts of denials.
> I thought maybe some relabeling went wrong - so I did it manually, just in case, didn't help much, still lots of issues.
> I tried to post the raw audit log, but got bounced from the mailing list with "message too big"
>
> Anyway, here is what audit2allow -R suggests
>
> #============= chkpwd_t ==============
> allow chkpwd_t self:capability sys_nice;
> allow chkpwd_t self:process setsched;
> files_list_tmp(chkpwd_t)
> files_read_usr_symlinks(chkpwd_t)
>
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t self:capability sys_nice;
> allow dovecot_auth_t self:process setsched;
>
> #============= dovecot_t ==============
> allow dovecot_t self:capability sys_nice;
> files_read_usr_symlinks(dovecot_t)
> #============= nscd_t ==============
> files_list_tmp(nscd_t)
> files_read_usr_symlinks(nscd_t)
>
> #============= saslauthd_t ==============
> allow saslauthd_t self:capability sys_nice;
> allow saslauthd_t self:process setsched;
> files_read_usr_symlinks(saslauthd_t)
>
> #============= spamd_t ==============
> allow spamd_t admin_home_t:file { read ioctl open getattr append }; # spammers send e-mails to root@ , spamd needs to create working files in /root/
> allow spamd_t self:capability sys_nice;
> kernel_list_unlabeled(spamd_t) # razor and pyzor contexts gone
> kernel_read_unlabeled_state(spamd_t) # same
> userdom_read_user_home_content_files(spamd_t) # changed boolean spamd_enable_home_dirs
>
> Thanks,
> Vadym
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Vadym,
are you still getting all these AVC messages?
Some of these issues are known and some of these issues should be fixed in the latest
SELinux policy.
Miroslav,
If I remove the locally added rules, then yes, I still see a bunch:
time->Mon Nov 29 06:59:27 2010
type=SYSCALL msg=audit(1291031967.456:65945): arch=40000003 syscall=156 success=yes exit=0
a0=23cc a1=0 a2=bfcc9ca0 a3=b77328d0 items=0 ppid=9159 pid=9164
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2296
comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
key=(null)
type=AVC msg=audit(1291031967.456:65945): avc: denied { sys_nice } for pid=9164
comm="spamd" capability=23 scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:system_r:spamd_t:s0 tclass=capability
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.140:66007): arch=40000003 syscall=5 success=yes exit=4
a0=145497 a1=0 a2=1b6 a3=15256a items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd"
exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.140:66007): avc: denied { read } for pid=9789
comm="unix_chkpwd" name="/" dev=dm-2 ino=2
scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.109:66006): arch=40000003 syscall=156 success=yes exit=0
a0=263d a1=0 a2=bfd58eb0 a3=b7717930 items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd"
exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.109:66006): avc: denied { setsched } for pid=9789
comm="unix_chkpwd" scontext=unconfined_u:system_r:chkpwd_t:s0
tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=process
type=AVC msg=audit(1291032660.109:66006): avc: denied { sys_nice } for pid=9789
comm="unix_chkpwd" capability=23 scontext=unconfined_u:system_r:chkpwd_t:s0
tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=capability
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.141:66008): arch=40000003 syscall=195 success=yes exit=0
a0=14549c a1=bfd544c4 a2=efdff4 a3=3 items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd"
exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.141:66008): avc: denied { read } for pid=9789
comm="unix_chkpwd" name="tmp" dev=dm-0 ino=15581
scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=lnk_file
I am pretty sure the link-related denials are due to:
# ls -ld /usr/tmp
lrwxrwxrwx. 1 root root 10 Nov 21 01:49 /usr/tmp -> ../var/tmp
which is a standard link in Fedora.
I also had to manually set spamc_home_t on /root/.razor and $HOME/.razor
I have selinux-policy-targeted-3.9.7-12.fc14.noarch installed.
Vadym
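As an added illustration (not part of the thread, and not a replacement for audit2allow), the script below shows what audit2allow does in its simplest form with records like the ones Vadym pasted: it parses the AVC lines, groups the denied permissions by (source type, target type, object class), and prints the raw `allow` rules. The sample records are constructed from the denials quoted above, joined back onto one line each as auditd writes them; the regex, the `summarize` and `to_allow_rules` helpers, and the one-line format are assumptions of this example. Comparing its output with the audit2allow -R output at the top of the thread shows why `-R` matters: the `tmp_t:dir` and `usr_t:lnk_file` rules are the ones `-R` folds into `files_list_tmp()` and `files_read_usr_symlinks()`, and the symlink one is exactly the /usr/tmp -> ../var/tmp case Vadym points at, where a relabel or an updated policy is the right fix rather than a local rule.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the thread, each on one line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1291031967.456:65945): avc: denied { sys_nice } for pid=9164 comm="spamd" capability=23 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=capability
type=AVC msg=audit(1291032660.140:66007): avc: denied { read } for pid=9789 comm="unix_chkpwd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1291032660.109:66006): avc: denied { setsched } for pid=9789 comm="unix_chkpwd" scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=process
type=AVC msg=audit(1291032660.109:66006): avc: denied { sys_nice } for pid=9789 comm="unix_chkpwd" capability=23 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=capability
type=AVC msg=audit(1291032660.141:66008): avc: denied { read } for pid=9789 comm="unix_chkpwd" name="tmp" dev=dm-0 ino=15581 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
"""

# Pull the denied permission set and the three fields that identify a rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the relevant fields of one AVC record, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def summarize(text):
    """Group denied permissions by (source type, target type, class) across all records."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def to_allow_rules(rules):
    """Render the grouped denials as raw allow rules, in audit2allow's plain (non -R) style."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = 'self' if stype == ttype else ttype   # same type both sides -> self
        plist = ' '.join(sorted(perms))
        if len(perms) > 1:
            plist = '{ ' + plist + ' }'
        out.append(f'allow {stype} {target}:{tclass} {plist};')
    return out


if __name__ == '__main__':
    for rule in to_allow_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

Run it on a real log with `ausearch -m avc --raw | python3 thisscript.py`-style piping after swapping `SAMPLE_AVCS` for `sys.stdin.read()`; the point of the grouped view is to spot which rules describe the same underlying cause (here, chkpwd_t walking /usr/tmp) before anyone is tempted to load them as a local module.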