Hi, these are the results of running strict policy selinux.
Kernel: 2.6.7-1.448
Selinux-strict: 1.13.7-1
Filesystems: / is xfs, /tmp is tmpfs (is that a problem? xattrs?), /boot is ext3
I relabeled prior to running this test. I know there's a new version released today and I'll try that soon. I'm sorry if any of these are duplicates or have been fixed.
==================================================================
audit2allow:
allow dmesg_t staff_home_t:file { write };
allow dmesg_t user_home_t:file { write };
allow httpd_t bin_t:dir { getattr };
allow httpd_t httpd_log_t:file { write };
allow httpd_t sbin_t:dir { getattr };
allow httpd_t snmpd_var_lib_t:file { getattr write };
allow klogd_t boot_t:lnk_file { read };
allow lvm_t device_t:file { getattr };
allow lvm_t selinux_config_t:dir { search };
allow udev_t var_lock_t:dir { search };
allow xdm_xserver_t xdm_tmpfs_t:dir { getattr };
allow xfs_t tmpfs_t:dir { search };
====================================================================
Denies summary - all of those occur during normal startup, and the dmesg ones are me trying to pipe dmesg to a log file in my home folder as root.
LVM.STATIC
1) name = selinux tclass = dir denied { search } exe=lvm.static scontext = system_u:system_r:lvm_t tcontext = system_u:object_r:selinux_config_t
2) path = /dev/vcsa01 or /dev/vcsa05 tclass = file denied { getattr } exe=lvm.static scontext = system_u:system_r:lvm_t tcontext = system_u:object_r:device_t
KLOGD
3) name = System.map tclass = lnk_file denied { read } exe=/sbin/klogd scontext = system_u:system_r:klog_t tcontext = system_u:object_r:boot_t
UDEV
4) name = lock tclass = dir denied { search } exe=/bin/bash scontext = system_u:system_r:udev_t tcontext = system_u:object_r:var_lock_t
HTTPD
5) name = /sbin or /usr/sbin tclass = dir denied { getattr } exe = /usr/sbin/httpd scontext = system_u:system_r:httpd_t tcontext = system_u:object_r:sbin_t
6) name = /bin or /usr/bin or /usr/X11R6/bin tclass = dir denied { getattr } exe = /usr/sbin/httpd scontext = system_u:system_r:httpd_t tcontext = system_u:object_r:bin_t
7) name = jk2.shm tclass = file denied { write } exe = /usr/sbin/httpd scontext = system_u:system_r:httpd_t tcontext = system_u:object_r:httpd_log_t
8) path = /usr/share/snmp/mibs/.index tclass = file denied { getattr } exe = /usr/sbin/httpd scontext = system_u:system_r:httpd_t tcontext = system_u:object_r:snmpd_var_lib_t
   name = .index tclass = file denied { write } exe = /usr/sbin/httpd scontext = system_u:system_r:httpd_t tcontext = system_u:object_r:snmpd_var_lib_t
XFS
9) dev = tmpfs tclass = dir denied { search } exe = /usr/X11R6/bin/xfs scontext = system_u:system_r:xfs_t tcontext = system_u:object_r:tmpfs_t
Xorg
10) dev = tmpfs path = /tmp/.X11-unix tclass = dir denied { getattr } exe = /usr/X11R6/bin/Xorg scontext = system_u:system_r:xdm_xserver_t tcontext = system_u:object_r:xdm_tmpfs_t
Dmesg
11) path = /home/-username-/log tclass = file denied { write } exe = /bin/dmesg scontext = root:system_r:dmesg_t tcontext = root:object_r:user_home_t
Here's the targeted policy. It has some of the httpd errors from the strict policy test.
Kernel: 2.6.7-1.448
Selinux-targeted: 1.13.8-1
I relabeled prior to running this test. I'm sorry if any of these are duplicates or have been fixed.
==================================================================
audit2allow:
allow httpd_t bin_t:dir { getattr };
allow httpd_t httpd_log_t:file { write };
allow httpd_t sbin_t:dir { getattr };
===================================================================
HTTPD
1) name = /sbin or /usr/sbin tclass = dir denied { getattr } exe = /usr/sbin/httpd scontext = system_u:system_r:httpd_t tcontext = system_u:object_r:sbin_t
2) name = /bin or /usr/bin or /usr/X11R6/bin tclass = dir denied { getattr } exe = /usr/sbin/httpd scontext = system_u:system_r:httpd_t tcontext = system_u:object_r:bin_t
3) name = jk2.shm tclass = file denied { write } exe = /usr/sbin/httpd scontext = system_u:system_r:httpd_t tcontext = system_u:object_r:httpd_log_t
Should I file bugzilla(s)? Are those duplicates? fixed? bugs?
selinux@lists.fedoraproject.org
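As an added illustration (not the poster's code and not the real audit2allow implementation), this script shows how AVC denials like the ones reported above collapse into audit2allow-style allow rules: denials sharing a source type, target type and object class are merged into one rule with the union of permissions. The log lines are constructed in the kernel 2.6-era `avc: denied` format and only mirror the contexts from the report.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not copied from the post); the source and
# target contexts mirror a few of the denials listed in the report above.
SAMPLE_LOG = """\
audit(1092000001.001:1): avc:  denied  { search } for  pid=311 exe=/sbin/lvm.static name=selinux dev=hda3 ino=2 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:selinux_config_t tclass=dir
audit(1092000001.002:2): avc:  denied  { getattr } for  pid=311 exe=/sbin/lvm.static path=/dev/vcsa01 dev=tmpfs ino=99 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=file
audit(1092000002.003:3): avc:  denied  { getattr } for  pid=702 exe=/usr/sbin/httpd path=/usr/share/snmp/mibs/.index dev=hda3 ino=41 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:snmpd_var_lib_t tclass=file
audit(1092000002.004:4): avc:  denied  { write } for  pid=702 exe=/usr/sbin/httpd name=.index dev=hda3 ino=41 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:snmpd_var_lib_t tclass=file
audit(1092000003.005:5): avc:  denied  { write } for  pid=900 exe=/bin/dmesg path=/home/user/log dev=hda3 ino=77 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_home_t tclass=file
"""

# Pull the permission set and the three context fields out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perm) for every AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scontext").split(":")[2]  # user:role:type -> type
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm


def allow_rules(log_text):
    """Merge denials into audit2allow-style rules, one per
    (source type, target type, object class), with permissions unioned."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perm in parse_denials(log_text):
        merged[(stype, ttype, tclass)].add(perm)
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The merge is exactly why the report's two `.index` denials become a single `{ getattr write }` rule; the dmesg_t rule, by contrast, records a deliberate redirect into a home directory rather than a policy gap, which is the kind of line to drop before loading anything generated this way.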