--- On Wed, 9/3/08, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
From: Daniel J Walsh <dwalsh(a)redhat.com>
Subject: Re: many avcs at startup, readahead and several others
To: olivares14031(a)yahoo.com, "For testers of Fedora Core development releases" <fedora-test-list(a)redhat.com>
Cc: "Tom London" <selinux(a)gmail.com>, fedora-selinux-list(a)redhat.com
Date: Wednesday, September 3, 2008, 10:14 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Antonio Olivares wrote:
>
>
> --- On Tue, 9/2/08, Tom London <selinux(a)gmail.com> wrote:
>
>> I'm running selinux-policy-targeted-3.5.5-3.fc10.noarch and
>> selinux-policy-3.5.5-3.fc10.noarch.
>>
>> and on my system ~/.pulse is:
>> [tbl@tlondon ~]$ ls -ld .pulse
>> drwx------ 2 tbl tbl 4096 2008-09-02 19:48 .pulse
>> [tbl@tlondon ~]$ ls -ldZ .pulse
>> drwx------ tbl tbl system_u:object_r:gnome_home_t:s0 .pulse
>> [tbl@tlondon ~]$
>>
>> On yours, it seems to be user_home_t.
>>
>> type=1400 audit(1220391480.206:24): avc: denied { setattr } for pid=3267 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>>
>> Are you running the same policy? Did you update from F9?
>
> [olivares@localhost ~]$ cat .selinux-policy.txt
> selinux-policy-targeted-3.5.5-3.fc10.noarch
> selinux-policy-3.5.5-3.fc10.noarch
> [olivares@localhost ~]$ ls -ld .pulse
> drwx------ 2 olivares olivares 4096 2008-09-03 07:00 .pulse
> [olivares@localhost ~]$ ls -ldZ .pulse
> drwx------ olivares olivares system_u:object_r:gnome_home_t .pulse
> [olivares@localhost ~]$
>
> I did a
> # touch /.autorelabel; reboot
>
> and the denied avcs still appear :(. Wonder what is happening?
>> tom
>> --
>> Tom London
>
>
>
>
Which avc's still appear?
After applying today's updates,
[olivares@localhost ~]$ dmesg | grep 'avc'
type=1400 audit(1220475941.234:4): avc: denied { read write } for pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475941.235:5): avc: denied { read write } for pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475941.235:6): avc: denied { read write } for pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475942.150:7): avc: denied { fowner } for pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220475942.150:8): avc: denied { fowner } for pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220475942.155:9): avc: denied { fowner } for pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220475942.651:10): avc: denied { fowner } for pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220475968.477:11): avc: denied { write } for pid=1475 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1220475969.949:12): avc: denied { write } for pid=1697 comm="ip" path="/0" dev=devpts ino=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1220476005.919:13): avc: denied { search } for pid=1958 comm="pcscd" name="dbus" dev=dm-0 ino=3276848 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=1400 audit(1220476026.870:14): avc: denied { search } for pid=2368 comm="python" name="hp" dev=dm-0 ino=28345940 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=1400 audit(1220476026.972:15): avc: denied { execute } for pid=2417 comm="gdm" name="rpm" dev=dm-0 ino=24117291 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=1400 audit(1220476026.973:16): avc: denied { getattr } for pid=2417 comm="gdm" path="/bin/rpm" dev=dm-0 ino=24117291 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=1400 audit(1220476026.973:17): avc: denied { getattr } for pid=2417 comm="gdm" path="/bin/rpm" dev=dm-0 ino=24117291 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=1400 audit(1220476028.580:18): avc: denied { search } for pid=2449 comm="python" name="hp" dev=dm-0 ino=28345940 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
[olivares@localhost ~]$
[olivares@localhost ~]$ uname -a
Linux localhost 2.6.27-0.297.rc5.git2.fc10.i686 #1 SMP Tue Sep 2 11:19:36 EDT 2008 i686 athlon i386 GNU/Linux
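The dmesg output above repeats the same denial several times (the readahead/console one three times, the readahead fowner capability one four times), which is what makes "which avc's still appear?" tedious to answer by eye. As an added example that is not part of this thread and not a Fedora or SELinux project tool, the Python below parses type=1400 AVC records, collapses repeats into one (source type, target type, class, permissions) key with a count, and renders each key as the allow rule audit2allow would print for it. The sample records are copied from the dmesg output above and joined onto one line each; the function names and regular expressions are this example's own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the AVC records from the dmesg output in the
# thread, each record on a single line as dmesg prints it.
SAMPLE_DMESG = """\
type=1400 audit(1220475941.234:4): avc: denied { read write } for pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475941.235:5): avc: denied { read write } for pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475942.150:7): avc: denied { fowner } for pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220475968.477:11): avc: denied { write } for pid=1475 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1220476026.972:15): avc: denied { execute } for pid=2417 comm="gdm" name="rpm" dev=dm-0 ino=24117291 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
"""

# 'avc: denied { perm perm } for key=value ...'. search() rather than match()
# so a leading "[ 12.345678]" dmesg timestamp or audit(...) prefix is ignored.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm, path, name) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {
        'result': m.group('result'),
        'perms': tuple(sorted(m.group('perms').split())),
        'comm': fields.get('comm'),
        'tclass': fields.get('tclass'),
    }
    # A context is user:role:type[:range]. Policy rules key on the type (third
    # field), so the MLS range such as s0-s0:c0.c1023 is deliberately dropped.
    for side in ('scontext', 'tcontext'):
        ctx = fields.get(side, '')
        parts = ctx.split(':')
        rec[side] = ctx
        rec[side[0] + 'type'] = parts[2] if len(parts) >= 3 else None
    return rec


def summarize(text):
    """Collapse repeated denials into (stype, ttype, tclass, perms) -> count."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            counts[(rec['stype'], rec['ttype'], rec['tclass'], rec['perms'])] += 1
    return counts


def to_te_rule(key):
    """Render the TE allow rule that matches one denial key (audit2allow form).

    When source and target types are equal (the capability denials above)
    the target is written as 'self', as audit2allow does.
    """
    stype, ttype, tclass, perms = key
    target = 'self' if stype == ttype else ttype
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {stype} {target}:{tclass} {perm_str};'


if __name__ == '__main__':
    # Most frequent denial first, so the noisiest one is at the top.
    for key, n in sorted(summarize(SAMPLE_DMESG).items(), key=lambda kv: -kv[1]):
        print(f'{n:3d}x  {to_te_rule(key)}')
```

On a live box the same thing is `dmesg | python3 thisfile.py` with `SAMPLE_DMESG` swapped for `sys.stdin.read()`, or simply `ausearch -m avc | audit2allow`. The rendered rules only describe the denial; whether to allow it in a local module, relabel the target (the gnome_home_t versus user_home_t question earlier in the thread), or report it as a policy bug is a separate decision, and an allow rule for xdm_t executing rpm_exec_t is not one to add without knowing why gdm is running rpm.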