Hello,
I have some alerts from selinux, for instance:
SELinux prevents mdadm from getattr access on file /dev/shm/lttng-ust-wait-7-972
Why this alert? What should I do?
This is not the only one. How can I configure selinux to act in a "normal" way, letting regular processes access what they need to work normally?
Thank you.
On 03/14/2018 10:47 AM, François Patte wrote:
> Hello,
> I have some alerts from selinux, for instance:
> SELinux prevents mdadm from getattr access on file /dev/shm/lttng-ust-wait-7-972
> Why this alert? What should I do?
> This is not the only one. How can I configure selinux to act in a "normal" way, letting regular processes access what they need to work normally?
> Thank you.
Hi François,
Could you attach output of:
# ausearch -m AVC -m USER_AVC -ts today
Thanks, Lukas.
On 14/03/2018 at 10:53, Lukas Vrabec wrote:
> ausearch -m AVC -m USER_AVC -ts today
time->Wed Mar 14 09:49:23 2018
type=AVC msg=audit(1521017363.092:103): avc: denied { unlink } for pid=1 comm="systemd" name="request" dev="dm-6" ino=393224 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0
----
time->Wed Mar 14 09:49:23 2018
type=AVC msg=audit(1521017363.388:136): avc: denied { map } for pid=1596 comm="dictd" path="/opt/share/stardict/dic/stardict-xmlittre-2.4.2/stardict.idx" dev="dm-2" ino=8466 scontext=system_u:system_r:dictd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 09:49:23 2018
type=AVC msg=audit(1521017363.851:148): avc: denied { getattr } for pid=1735 comm="mdadm" path="/dev/shm/lttng-ust-wait-7" dev="tmpfs" ino=28666 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 09:49:23 2018
type=AVC msg=audit(1521017363.851:149): avc: denied { getattr } for pid=1735 comm="mdadm" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 09:49:23 2018
type=AVC msg=audit(1521017363.865:150): avc: denied { getattr } for pid=1741 comm="mdadm" path="/dev/shm/lttng-ust-wait-7" dev="tmpfs" ino=28666 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 09:49:23 2018
type=AVC msg=audit(1521017363.865:151): avc: denied { getattr } for pid=1741 comm="mdadm" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 09:49:23 2018
type=AVC msg=audit(1521017363.932:152): avc: denied { getattr } for pid=1762 comm="mdadm" path="/dev/shm/lttng-ust-wait-7" dev="tmpfs" ino=28666 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 09:49:23 2018
type=AVC msg=audit(1521017363.933:153): avc: denied { getattr } for pid=1762 comm="mdadm" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 09:49:23 2018
type=AVC msg=audit(1521017363.952:157): avc: denied { getattr } for pid=1767 comm="mdadm" path="/dev/shm/lttng-ust-wait-7" dev="tmpfs" ino=28666 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 09:49:23 2018
type=AVC msg=audit(1521017363.952:158): avc: denied { getattr } for pid=1767 comm="mdadm" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 09:49:29 2018
type=USER_AVC msg=audit(1521017369.672:182): pid=1456 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=2275 tpid=1394 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Mar 14 09:50:39 2018
type=AVC msg=audit(1521017439.445:214): avc: denied { getattr } for pid=1438 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-7" dev="tmpfs" ino=28666 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 09:50:39 2018
type=AVC msg=audit(1521017439.445:215): avc: denied { getattr } for pid=1438 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 10:07:43 2018
type=USER_AVC msg=audit(1521018463.712:259): pid=1456 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Mar 14 10:08:22 2018
type=USER_AVC msg=audit(1521018502.689:261): pid=1456 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=1) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Mar 14 10:12:49 2018
type=USER_AVC msg=audit(1521018769.515:265): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Mar 14 10:12:49 2018
type=USER_AVC msg=audit(1521018769.515:266): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=1) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Mar 14 10:12:50 2018
type=AVC msg=audit(1521018770.034:270): avc: denied { getattr } for pid=1438 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-7" dev="tmpfs" ino=28666 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 10:12:50 2018
type=AVC msg=audit(1521018770.034:271): avc: denied { getattr } for pid=1438 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 10:27:41 2018
type=AVC msg=audit(1521019661.783:310): avc: denied { getattr } for pid=1438 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-7" dev="tmpfs" ino=28666 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 10:27:41 2018
type=AVC msg=audit(1521019661.783:311): avc: denied { getattr } for pid=1438 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 10:32:04 2018
type=AVC msg=audit(1521019924.141:346): avc: denied { getattr } for pid=17188 comm="mdadm" path="/dev/shm/lttng-ust-wait-7" dev="tmpfs" ino=28666 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 10:32:04 2018
type=AVC msg=audit(1521019924.141:347): avc: denied { getattr } for pid=17188 comm="mdadm" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 10:32:04 2018
type=AVC msg=audit(1521019924.145:348): avc: denied { getattr } for pid=17189 comm="mdadm" path="/dev/shm/lttng-ust-wait-7" dev="tmpfs" ino=28666 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 10:32:04 2018
type=AVC msg=audit(1521019924.145:349): avc: denied { getattr } for pid=17189 comm="mdadm" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 10:32:04 2018
type=AVC msg=audit(1521019924.149:350): avc: denied { getattr } for pid=17190 comm="mdadm" path="/dev/shm/lttng-ust-wait-7" dev="tmpfs" ino=28666 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
time->Wed Mar 14 10:32:04 2018
type=AVC msg=audit(1521019924.149:351): avc: denied { getattr } for pid=17190 comm="mdadm" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
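Added example, not written by anyone in this thread: a short Python script that collapses AVC records like those in the ausearch output above into the distinct rules an exception would grant, in the `allow source target:class perm;` form that audit2allow generates, and lists objects denied to more than one domain. The sample lines are a subset copied from that output; the function names are this example's own.

```python
import re
from collections import defaultdict
# Records copied from the ausearch output above (a subset, one record per line).
SAMPLE = """\
type=AVC msg=audit(1521017363.388:136): avc: denied { map } for pid=1596 comm="dictd" path="/opt/share/stardict/dic/stardict-xmlittre-2.4.2/stardict.idx" dev="dm-2" ino=8466 scontext=system_u:system_r:dictd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1521017363.851:149): avc: denied { getattr } for pid=1735 comm="mdadm" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1521017363.865:151): avc: denied { getattr } for pid=1741 comm="mdadm" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1521017439.445:215): avc: denied { getattr } for pid=1438 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-7-972" dev="tmpfs" ino=30476 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1521017369.672:182): pid=1456 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=2275 tpid=1394 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1521018463.712:259): pid=1456 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Return one dict per denied permission; non-denial records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # e.g. "received setenforce notice" USER_AVC records
        f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        # An SELinux context is user:role:type:level; the type is what policy rules name.
        src, tgt = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
        for perm in m.group(1).split():
            denials.append({"source": src, "target": tgt,
                            "tclass": f["tclass"], "perm": perm,
                            "object": f.get("path", f.get("name", "-"))})
    return denials

def rules(denials):
    """Collapse denials into distinct allow-rule strings with hit counts."""
    counts = defaultdict(int)
    for d in denials:
        counts["allow {source} {target}:{tclass} {perm};".format(**d)] += 1
    return dict(counts)

def shared_objects(denials):
    """Objects denied to several source domains: check the object's label first."""
    by_obj = defaultdict(set)
    for d in denials:
        if d["object"] != "-":
            by_obj[d["object"]].add(d["source"])
    return {obj: srcs for obj, srcs in by_obj.items() if len(srcs) > 1}

if __name__ == "__main__":
    ds = parse_denials(SAMPLE)
    print(rules(ds), shared_objects(ds), sep="\n")
```

Each rule string is what a local exception for that denial would permit for the whole domain, which is broader than the single file named in the alert.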
On 14/03/2018 at 11:05, Kai Bojens wrote:
> sealert -a /var/log/audit/audit.log
Thank you for this answer, but I don't know what to do with the alert message: "If you think that mdadm should be allowed to access getattr..."
How can I think that.... I have absolutely no idea!!!
Regards
On 14/03/2018 –– 11:42:47AM +0100, François Patte wrote:
> On 14/03/2018 at 11:05, Kai Bojens wrote:
>> sealert -a /var/log/audit/audit.log
> Thank you for this answer, but I don't know what to do with the alert message: "If you think that mdadm should be allowed to access getattr..."
There should also be a solution shown which you could just copy and paste to create an exception for this alert. I really don't know if SELinux might block this access for a good reason – but in my experience almost all of the alerts I encountered were due to some misconfiguration by package maintainers.
On 14/03/2018 at 12:04, Kai Bojens wrote:
> On 14/03/2018 –– 11:42:47AM +0100, François Patte wrote:
>> On 14/03/2018 at 11:05, Kai Bojens wrote:
>>> sealert -a /var/log/audit/audit.log
>> Thank you for this answer, but I don't know what to do with the alert message: "If you think that mdadm should be allowed to access getattr..."
> There should also be a solution shown which you could just copy and paste to create an exception for this alert. I really don't know if SELinux might block this access for a good reason – but in my experience almost all of the alerts I encountered were due to some misconfiguration by package maintainers.
So, it is a bit frustrating and strange: selinux is supposed to watch over computer security, and it is suggested to add security exceptions for every selinux alert....