On Nov 29, 2010, at 4:36 AM, Miroslav Grepl wrote:
> On 11/22/2010 02:07 PM, Vadym Chepkov wrote:
>> Hi,
>>
>> I just upgraded to Fedora 14 and got a significant amount of all sorts of denials.
>> I thought maybe some relabeling went wrong, so I did it manually, just in case; it didn't help much, still lots of issues.
>> I tried to post the raw audit log, but got bounced from the mailing list with "message too big".
>>
>> Anyway, here is what audit2allow -R suggests
>>
>> #============= chkpwd_t ==============
>> allow chkpwd_t self:capability sys_nice;
>> allow chkpwd_t self:process setsched;
>> files_list_tmp(chkpwd_t)
>> files_read_usr_symlinks(chkpwd_t)
>>
>> #============= dovecot_auth_t ==============
>> allow dovecot_auth_t self:capability sys_nice;
>> allow dovecot_auth_t self:process setsched;
>>
>> #============= dovecot_t ==============
>> allow dovecot_t self:capability sys_nice;
>> files_read_usr_symlinks(dovecot_t)
>> #============= nscd_t ==============
>> files_list_tmp(nscd_t)
>> files_read_usr_symlinks(nscd_t)
>>
>> #============= saslauthd_t ==============
>> allow saslauthd_t self:capability sys_nice;
>> allow saslauthd_t self:process setsched;
>> files_read_usr_symlinks(saslauthd_t)
>>
>> #============= spamd_t ==============
>> allow spamd_t admin_home_t:file { read ioctl open getattr append }; # spammers send e-mails to root@ , spamd needs to create working files in /root/
>> allow spamd_t self:capability sys_nice;
>> kernel_list_unlabeled(spamd_t) # razor and pyzor contexts gone
>> kernel_read_unlabeled_state(spamd_t) # same
>> userdom_read_user_home_content_files(spamd_t) # changed boolean spamd_enable_home_dirs
>>
>> Thanks,
>> Vadym
>>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>>
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> Vadym,
> are you still getting all these AVC messages?
>
>
> Some of these issues are known and some of these issues should be fixed in the
latest SELinux policy.
>
Miroslav,
If I remove the locally added rules, then yes, I still see a bunch:
time->Mon Nov 29 06:59:27 2010
type=SYSCALL msg=audit(1291031967.456:65945): arch=40000003 syscall=156 success=yes
exit=0 a0=23cc a1=0 a2=bfcc9ca0 a3=b77328d0 items=0 ppid=9159 pid=9164
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2296
comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
key=(null)
type=AVC msg=audit(1291031967.456:65945): avc: denied { sys_nice } for pid=9164
comm="spamd" capability=23 scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:system_r:spamd_t:s0 tclass=capability
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.140:66007): arch=40000003 syscall=5 success=yes exit=4
a0=145497 a1=0 a2=1b6 a3=15256a items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd"
exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.140:66007): avc: denied { read } for pid=9789
comm="unix_chkpwd" name="/" dev=dm-2 ino=2
scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.109:66006): arch=40000003 syscall=156 success=yes
exit=0 a0=263d a1=0 a2=bfd58eb0 a3=b7717930 items=0 ppid=9321 pid=9789 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11
comm="unix_chkpwd" exe="/sbin/unix_chkpwd"
subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.109:66006): avc: denied { setsched } for pid=9789
comm="unix_chkpwd" scontext=unconfined_u:system_r:chkpwd_t:s0
tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=process
type=AVC msg=audit(1291032660.109:66006): avc: denied { sys_nice } for pid=9789
comm="unix_chkpwd" capability=23 scontext=unconfined_u:system_r:chkpwd_t:s0
tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=capability
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.141:66008): arch=40000003 syscall=195 success=yes
exit=0 a0=14549c a1=bfd544c4 a2=efdff4 a3=3 items=0 ppid=9321 pid=9789 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11
comm="unix_chkpwd" exe="/sbin/unix_chkpwd"
subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.141:66008): avc: denied { read } for pid=9789
comm="unix_chkpwd" name="tmp" dev=dm-0 ino=15581
scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=lnk_file
By the way, I have /usr/tmp labeled tmp_t in my personal policy, and then I could, for
example, add files_list_generic_tmp_symlinks to files_list_tmp or something.
I am pretty sure link related denials are due to:
# ls -ld /usr/tmp
lrwxrwxrwx. 1 root root 10 Nov 21 01:49 /usr/tmp -> ../var/tmp
which is a standard link in Fedora.
I also had to manually set spamc_home_t on /root/.razor and $HOME/.razor.
I have selinux-policy-targeted-3.9.7-12.fc14.noarch installed.
Vadym
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux