On Sun, 2007-01-21 at 12:24 +0000, Anne Wilson wrote:
> I'm seeing a lot of AVC messages, a sample of which is
>
> type=AVC msg=audit(1162463326.809:49): avc: denied { search } for pid=4186
> comm="postmap" name="nscd" dev=hdb1 ino=195773
> type=AVC msg=audit(1162483288.034:31): avc: denied { write } for pid=5804
> comm="ip" name="[23145]" dev=pipefs ino=23145
> type=AVC msg=audit(1162483738.762:39): avc: denied { write } for pid=7191
> comm="ip" name="[27659]" dev=pipefs ino=27659
> type=AVC msg=audit(1169284673.188:58): avc: denied { ioctl } for pid=4212
> comm="smartd" name="hda" dev=tmpfs ino=879
> type=AVC msg=audit(1162495544.436:62): avc: denied { write } for pid=28024
> comm="setfiles" name="[120832]" dev=pipefs ino=120832
> type=AVC_PATH msg=audit(1169310171.523:150): path="/dev/bus/usb/001/004"
> type=AVC msg=audit(1169310172.778:151): avc: denied { read } for pid=2996
> comm="hald-addon-stor" name="hdd" dev=tmpfs ino=7431
>
> I don't really understand what is going on. 'postmap' to me implies postfix,
> which seems odd.
>
> There are many such messages about smartd. This is something I'd want to be
> working. Why is this blocked? Can/Should I enable it? How?
>
> I looked at /dev/bus/usb/001/004 but I can't tell what this is. I'm guessing
> that it's a card-reader, but it's sheer guesswork.
>
> I'd be glad of any hints. SELinux hasn't really caused me any problems up to
> now, but one of my projects, which I'll address in a later thread, may be
> being blocked, so I need to start to understand more.

You don't seem to have included the scontext, tcontext, and tclass
information, which is the real basis for the permission denial.

You can also get supplemental information about each avc denial by
enabling system call auditing. Requires installing "audit" and adding
at least one audit rule to enable collection of the full audit context.
This will provide you with information like the system call number and
arguments, the path that has been looked up, etc.

audit2allow can be used to generate a local policy module to allow
permissions as appropriate; see its man page and the Fedora SELinux FAQ.

--
Stephen Smalley
National Security Agency
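
An added example, not part of the original thread and not code from the SELinux project: a small parser that separates AVC records carrying the scontext, tcontext and tclass fields the reply asks for from records where they are missing, and groups the complete ones by source type, target type and class. The first sample line is the smartd denial from the post joined onto one line; the other two are constructed, and `example_daemon_t` / `example_device_t` are placeholder type names, not real policy types.

```python
import re
from collections import defaultdict

# Line 1: the smartd denial from the post, joined onto one line (no context fields).
# Lines 2-3: constructed records; the *_t type names are placeholders.
SAMPLE = """\
type=AVC msg=audit(1169284673.188:58): avc: denied { ioctl } for pid=4212 comm="smartd" name="hda" dev=tmpfs ino=879
type=AVC msg=audit(1169284700.100:59): avc: denied { ioctl } for pid=4212 comm="smartd" name="hda" dev=tmpfs ino=879 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_device_t:s0 tclass=blk_file
type=AVC msg=audit(1169284701.200:60): avc: denied { read } for pid=4212 comm="smartd" name="hda" dev=tmpfs ino=879 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_device_t:s0 tclass=blk_file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ("scontext", "tcontext", "tclass")  # the basis of the decision


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    rec["missing"] = [f for f in REQUIRED if f not in rec]
    return rec


def summarize(text):
    """Group complete denials by (source type, target type, class)."""
    complete, incomplete = defaultdict(set), []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["missing"]:
            incomplete.append(rec["serial"])  # cannot be analysed as pasted
            continue
        # A context is user:role:type[:level]; the type is the third field.
        src = rec["scontext"].split(":")[2]
        tgt = rec["tcontext"].split(":")[2]
        complete[(src, tgt, rec["tclass"])].update(rec["perms"])
    return dict(complete), incomplete


if __name__ == "__main__":
    print(summarize(SAMPLE))
```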