List of selinux issues
Russell Coker
russell at coker.com.au
Sat Apr 10 10:24:50 UTC 2004
On Tue, 6 Apr 2004 21:19, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:
> > denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
> > ino=1389922 scontext=root:system_r:dhcpc_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
>
> Added policy to allow this, but not sure what it is trying to do. Could
> you try it in non-enforcing mode and grab the avc messages.
Looks like /var/lib is mis-labeled as home_root_t. Relabeling the file system
is probably the best thing to do.
> > 5) This is vmware from the VMWare WS 4.5.1 service startup. The
> > issues are ... complicated, numerous, and scary looking.
> >
> > Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc:
> > denied { search } for pid=1909 exe=/usr/bin/vmnet-netifup name=net
> > dev= ino=344 scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:sysfs_t tclass=dir
> > Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc:
> > denied { search } for pid=1910 exe=/usr/bin/vmnet-netifup name=net
> > dev= ino=344 scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:sysfs_t tclass=dir
> > Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc:
> > denied { node_bind } for pid=1931 exe=/usr/bin/vmnet-natd
> > scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
> > Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc:
> > denied { create } for pid=1931 exe=/usr/bin/vmnet-natd
> > name=vmnat.1931 scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:var_run_t tclass=sock_file
The problem here is that we don't have any distinction between vmware
processes started by the user and the vmware daemons. Probably the best
thing to do is to entirely re-write the vmware policy to fix this and the
other problems.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
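Added example (not code from the thread or from any SELinux project): a small parser for the AVC denial format quoted above, which pulls out the source/target types and turns each denial into the candidate `allow` rule it would take to silence it. As the dhclient case shows, a candidate rule is only a triage aid: when the target type is wrong for the object (home_root_t on /var/lib), the fix is relabeling, not policy. The sample log below is constructed, modelled on the messages in the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines, modelled on the AVC messages quoted in the thread.
SAMPLE_LOG = """\
Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr  5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc: denied { search } for pid=1909 exe=/usr/bin/vmnet-netifup name=net dev= ino=344 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr  5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc: denied { search } for pid=1910 exe=/usr/bin/vmnet-netifup name=net dev= ino=344 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr  5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc: denied { node_bind } for pid=1931 exe=/usr/bin/vmnet-natd scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
"""

# "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
# Values may be empty (the sysfs lines carry "dev=" with nothing after it).
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class Denial:
    perms: tuple   # permissions inside the braces, e.g. ("search",)
    fields: dict   # pid, exe, name, dev, ino, scontext, tcontext, tclass ...

    @property
    def source_type(self):
        return self.fields["scontext"].split(":")[2]   # user:role:type

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

    def allow_rule(self):
        """Candidate policy rule that would permit exactly this denial."""
        perms = " ".join(self.perms)
        return f"allow {self.source_type} {self.target_type}:{self.fields['tclass']} {{ {perms} }};"


def parse_avc(line):
    """Parse one kernel log line; returns None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None   # truncated or unexpected record, do not guess
    return Denial(tuple(m.group("perms").split()), fields)


def parse_log(text):
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def summarize(denials):
    """Collapse repeated denials into candidate rules with an occurrence count."""
    return Counter(d.allow_rule() for d in denials)
```

Run `summarize(parse_log(SAMPLE_LOG))` to see the two identical vmnet-netifup denials collapse into one rule counted twice; compare the result with what audit2allow would emit before deciding whether each rule belongs in policy or points at a labeling problem.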