> Could you send me the output of
> ausearch -m avc
>
> If audit is not running send me
>
> grep avc /var/log/messages
>
[students@localhost ~]$ su -
Password:
[root@localhost ~]# ausearch -m avc
----
time->Tue Oct 4 19:58:30 2011
type=SYSCALL msg=audit(1317776310.816:77): arch=c000003e syscall=189 success=no exit=-22 a0=bb1ce30 a1=7fd0a4e0123b a2=bb3afe0 a3=24 items=0 ppid=1367 pid=1427 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1317776310.816:77): avc: denied { mac_admin } for pid=1427 comm="yum" capability=33 scontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=capability2
[root@localhost ~]# service auditd status
Redirecting to /bin/systemctl status auditd.service
auditd.service - Security Auditing Service
          Loaded: loaded (/lib/systemd/system/auditd.service; enabled)
          Active: active (running) since Tue, 04 Oct 2011 20:21:01 -0500; 21h ago
         Process: 910 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
        Main PID: 906 (auditd)
          CGroup: name=systemd:/system/auditd.service
                  ├ 906 /sbin/auditd -n
                  ├ 946 /sbin/audispd
                  └ 948 /usr/sbin/sedispatch
Thanks,
Antonio
--
While installing from livecd, this is the seaplugin alert that I got:
SELinux is preventing /sbin/ldconfig from append access on the chr_file /dev/tty3.
***** Plugin leaks (50.5 confidence) suggests ******************************

If you want to ignore ldconfig trying to append access the tty3 chr_file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /sbin/ldconfig /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

***** Plugin catchall (50.5 confidence) suggests ***************************

If you believe that ldconfig should be allowed append access on the tty3 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ldconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tty_device_t:s0
Target Objects                /dev/tty3 [ chr_file ]
Source                        ldconfig
Source Path                   /sbin/ldconfig
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           glibc-2.14.90-8
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-32.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.1.0-0.rc6.git0.3.fc16.x86_64 #1 SMP Fri Sep 16 12:26:22 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 05 Oct 2011 02:40:53 PM CDT
Last Seen                     Wed 05 Oct 2011 02:40:53 PM CDT
Local ID                      c1953056-941c-4d02-9cfe-ddce29f219d3
Raw Audit Messages
type=AVC msg=audit(1317843653.766:69): avc: denied { append } for pid=13323 comm="ldconfig" path="/dev/tty3" dev=devtmpfs ino=37 scontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

type=AVC msg=audit(1317843653.766:69): avc: denied { read write } for pid=13323 comm="ldconfig" path="/dev/mapper/control" dev=devtmpfs ino=185 scontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1317843653.766:69): arch=x86_64 syscall=execve success=yes exit=0 a0=1d67650 a1=1cd8aa0 a2=1d80530 a3=7fffc91fec80 items=0 ppid=3359 pid=13323 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=ldconfig exe=/sbin/ldconfig subj=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 key=(null)

Hash: ldconfig,ldconfig_t,tty_device_t,chr_file,append

audit2allow

#============= ldconfig_t ==============
allow ldconfig_t lvm_control_t:chr_file { read write };
allow ldconfig_t tty_device_t:chr_file append;

audit2allow -R

#============= ldconfig_t ==============
allow ldconfig_t lvm_control_t:chr_file { read write };
allow ldconfig_t tty_device_t:chr_file append;
I could not capture it at first; I clicked on dismiss :(
I have installed Beta on at least 3 machines, two i686s and one x86_64, and am installing one x86_64 at this time :)
Regards,
Antonio
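An added example, not code from this thread or from the audit2allow tool itself: it parses AVC denial records in the format quoted above (the sample lines are constructed from the denials in this thread), groups the denied permissions by source type, target type and object class, and renders the allow rules audit2allow would propose, so each denial can be reviewed on its own before any local module is built.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records as ausearch/audit.log print them, one record
# per line, with values taken from the denials quoted in this thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1317843653.766:69): avc: denied { append } for pid=13323 comm="ldconfig" path="/dev/tty3" dev=devtmpfs ino=37 scontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1317843653.766:69): avc: denied { read write } for pid=13323 comm="ldconfig" path="/dev/mapper/control" dev=devtmpfs ino=185 scontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1317843653.766:69): arch=x86_64 syscall=execve success=yes exit=0 comm=ldconfig
type=AVC msg=audit(1317776310.816:77): avc: denied { mac_admin } for pid=1427 comm="yum" capability=33 scontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=capability2
"""

# Only "denied" AVC records matter here; the permission set sits between braces.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def se_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield one dict per denied AVC record; SYSCALL and other lines are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "perms": m["perms"].split(),
                "stype": se_type(m["scontext"]),
                "ttype": se_type(m["tcontext"]),
                "tclass": m["tclass"],
            }

def summarize_denials(text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    grouped = defaultdict(set)
    for rec in parse_avc(text):
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

def allow_rules(text):
    """Render the grouped denials as the allow rules audit2allow would propose."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize_denials(text).items()):
        ttype = "self" if ttype == stype else ttype  # same-type rules use 'self'
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm};")
    return rules
```

Calling `allow_rules(SAMPLE_LOG)` reproduces the two ldconfig_t rules shown in the thread plus `allow rpm_t self:capability2 mac_admin;` for the yum denial from the first message.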