avc denied messages from boot

Frank Marsolais FMarsolais at gpinet.com
Mon Jul 12 11:30:34 UTC 2004


I found the following in the archives.
I upgraded from RH 7.2 to 9.0 to Fedora 2.

When I put in rpm -q policy policy-sources
I received back
# rpm -q policy policy-sources
policy-1.11.3-3
package policy-sources is not installed

Should I download policy-sources or is something else broken?
For the -12 policy would that be 1.12 or 1.9.2-12?

My error messages look like the following:


Jul 11 09:50:02 gpi04 kernel: security:  30 classes, 303377 rules
Jul 11 09:50:02 gpi04 kernel: SELinux:  Completing initialization.
Jul 11 09:50:02 gpi04 kernel: SELinux:  Setting up existing superblocks.
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev sda5, type ext3), uses xattr
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev ram0, type ext2), uses xattr
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type mqueue), not configured for labeling
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type hugetlbfs), not configured for labeling
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type devpts), uses transition SIDs
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type eventpollfs), uses genfs_contexts
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type pipefs), uses task SIDs
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type tmpfs), uses transition SIDs
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type futexfs), uses genfs_contexts
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type sockfs), uses task SIDs
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type proc), uses genfs_contexts
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type bdev), uses genfs_contexts
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type rootfs), uses genfs_contexts
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type sysfs), uses genfs_contexts 
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.326:0): avc:  denied  { read write } for  pid=1 exe=/sbin/init path=/dev/console d
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.326:0): avc:  denied  { read } for  pid=1 exe=/sbin/init name=libselinux.so.1 dev=
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.326:0): avc:  denied  { getattr } for  pid=1 exe=/sbin/init path=/lib/libselinux.s
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.326:0): avc:  denied  { execute } for  pid=1 path=/lib/libselinux.so.1 dev=sda5 in
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.326:0): avc:  denied  { read } for  pid=1 exe=/sbin/init name=libc.so.6 dev=sda5 i
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.327:0): avc:  denied  { ioctl } for  pid=1 exe=/sbin/init path=/dev/tty0 dev=sda5 
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.545:0): avc:  denied  { lock } for  pid=1 exe=/sbin/init path=/var/run/utmp dev=sd
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.603:0): avc:  denied  { getattr } for  pid=1 exe=/sbin/init path=/dev/initctl dev=
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.603:0): avc:  denied  { read write } for  pid=1 exe=/sbin/init name=initctl dev=sd
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.612:0): avc:  denied  { execute_no_trans } for  pid=287 exe=/sbin/init path=/etc/r
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.618:0): avc:  denied  { ioctl } for  pid=287 exe=/bin/bash path=/etc/rc.d/rc.sysin
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.658:0): avc:  denied  { getattr } for  pid=287 exe=/bin/bash path=/ dev=sda5 ino=2
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.675:0): avc:  denied  { execute } for  pid=293 exe=/bin/bash name=hostname dev=sda
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.675:0): avc:  denied  { execute_no_trans } for  pid=293 exe=/bin/bash path=/bin/ho
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.747:0): avc:  denied  { getattr } for  pid=298 exe=/bin/gawk path=/dev/console dev
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.791:0): avc:  denied  { mounton } for  pid=299 exe=/bin/mount path=/proc dev=sda5 
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.791:0): avc:  denied  { mount } for  pid=299 exe=/bin/mount name=/ dev= ino=1 scon
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.792:0): avc:  denied  { mount } for  pid=300 exe=/bin/mount name=/ dev= ino=1 scon
Jul 11 09:50:03 gpi04 xinetd[2420]: xinetd Version 2.3.13 started with libwrap loadavg options compiled in.
Jul 11 09:50:03 gpi04 kernel: audit(1089539247.894:0): avc:  denied  { read } for  pid=453 exe=/bin/setfont dev=sda5 ino=2 sconte
Jul 11 09:50:03 gpi04 xinetd[2420]: Started working: 2 available services
Jul 11 09:50:03 gpi04 kernel: audit(1089539247.990:0): avc:  denied  { syslog_console } for  pid=459 exe=/bin/dmesg scontext=syst
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.012:0): avc:  denied  { mount } for  pid=460 exe=/bin/mount name=/ dev= ino=1 scon
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc:  denied  { search } for  pid=463 exe=/sbin/sysctl name=sys dev= ino=-
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc:  denied  { search } for  pid=463 exe=/sbin/sysctl name=net dev= ino=-
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc:  denied  { write } for  pid=463 exe=/sbin/sysctl name=ip_forward dev=
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc:  denied  { getattr } for  pid=463 exe=/sbin/sysctl path=/proc/sys/net
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc:  denied  { search } for  pid=463 exe=/sbin/sysctl name=kernel dev= in
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc:  denied  { write } for  pid=463 exe=/sbin/sysctl name=sysrq dev= ino=
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc:  denied  { getattr } for  pid=463 exe=/sbin/sysctl path=/proc/sys/ker
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.032:0): avc:  denied  { read } for  pid=470 exe=/bin/date scontext=system_u:system
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.256:0): avc:  denied  { sys_module } for  pid=483 exe=/sbin/insmod capability=16 s
Jul 11 09:50:04 gpi04 kernel: ACPI: Power Button (FF) [PWRF]
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.288:0): avc:  denied  { read } for  pid=489 exe=/sbin/insmod name=modprobe.conf.di
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.288:0): avc:  denied  { getattr } for  pid=489 exe=/sbin/insmod path=/etc/modprobe
Jul 11 09:50:04 gpi04 kernel: ohci_hcd 0000:00:0f.2: OHCI Host Controller
Jul 11 09:50:04 gpi04 kernel: ohci_hcd 0000:00:0f.2: irq 7, pci mem 22831000
Jul 11 09:50:04 gpi04 kernel: SELinux: initialized (dev , type usbdevfs), uses genfs_contexts
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.469:0): avc:  denied  { mount } for  pid=493 exe=/sbin/insmod name=/ dev= ino=1195
Jul 11 09:50:04 gpi04 kernel: SELinux: initialized (dev , type usbfs), uses genfs_contexts
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.469:0): avc:  denied  { mount } for  pid=493 exe=/sbin/insmod name=/ dev= ino=1196
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.469:0): avc:  denied  { search } for  pid=493 exe=/sbin/insmod dev= ino=1196 scont
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.469:0): avc:  denied  { search } for  pid=493 exe=/sbin/insmod dev= ino=1195 scont
Jul 11 09:50:04 gpi04 kernel: ohci_hcd 0000:00:0f.2: new USB bus registered, assigned bus number 1
Jul 11 09:50:04 gpi04 kernel: hub 1-0:1.0: USB hub found
Jul 11 09:50:04 gpi04 kernel: hub 1-0:1.0: 2 ports detected
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.506:0): avc:  denied  { mounton } for  pid=507 exe=/bin/mount path=/proc/bus/usb d
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.511:0): avc:  denied  { read } for  pid=510 exe=/bin/grep name=devices dev= ino=11
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.511:0): avc:  denied  { getattr } for  pid=510 exe=/bin/grep path=/proc/bus/usb/de
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.527:0): avc:  denied  { getattr } for  pid=500 exe=/bin/bash path=/sys/devices/pci
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.528:0): avc:  denied  { read } for  pid=516 exe=/bin/cat name=bNumConfigurations d
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.553:0): avc:  denied  { getattr } for  pid=287 exe=/bin/bash path=/forcefsck dev=s
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.560:0): avc:  denied  { getattr } for  pid=287 exe=/bin/bash path=/initrd/dev/root
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.567:0): avc:  denied  { getattr } for  pid=521 exe=/usr/bin/readlink path=/sys dev
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.991:0): avc:  denied  { read } for  pid=526 exe=/sbin/fsck name=sda5 dev=sda5 ino=
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.991:0): avc:  denied  { getattr } for  pid=526 exe=/sbin/fsck path=/dev/sda5 dev=s
Jul 11 09:50:04 gpi04 kernel: audit(1089553651.014:0): avc:  denied  { read } for  pid=526 exe=/sbin/fsck name=root dev=ram0 ino=
Jul 11 09:50:04 gpi04 kernel: audit(1089553651.014:0): avc:  denied  { ioctl } for  pid=526 exe=/sbin/fsck path=/initrd/dev/root 
Jul 11 09:50:04 gpi04 kernel: audit(1089553651.091:0): avc:  denied  { write } for  pid=536 exe=/sbin/fsck.ext2 name=root dev=ram
Jul 11 09:50:04 gpi04 kernel: audit(1089553771.892:0): avc:  denied  { unmount } for  pid=1056 exe=/bin/umount scontext=system_u:
Jul 11 09:50:04 gpi04 kernel: audit(1089553771.912:0): avc:  denied  { ioctl } for  pid=1057 exe=/sbin/blockdev path=/dev/ram0 de
Jul 11 09:50:04 gpi04 kernel: audit(1089553772.043:0): avc:  denied  { remount } for  pid=1063 exe=/bin/mount scontext=system_u:s
Jul 11 09:50:04 gpi04 kernel: EXT3 FS on sda5, internal journal
Jul 11 09:50:04 gpi04 kernel: audit(1089553772.062:0): avc:  denied  { write } for  pid=1065 exe=/sbin/minilogd name=dev dev=sda5
Jul 11 09:50:04 gpi04 kernel: audit(1089553772.062:0): avc:  denied  { add_name } for  pid=1065 exe=/sbin/minilogd name=log scont
Jul 11 09:50:05 gpi04 kernel: audit(1089553772.062:0): avc:  denied  { create } for  pid=1065 exe=/sbin/minilogd name=log scontex
Jul 11 09:50:05 gpi04 kernel: audit(1089553772.062:0): avc:  denied  { listen } for  pid=1065 exe=/sbin/minilogd path=/dev/log sc
Jul 11 09:50:05 gpi04 kernel: audit(1089553772.062:0): avc:  denied  { getattr } for  pid=1067 exe=/sbin/minilogd path=/dev/log 


I know I am very green when it comes to this; a point in the right direction would be greatly appreciated, even a suggested FAQ to read.
TIA

Frank Marsolais


The original message I found follows:


*****************************************************************************************
*****************************************************************************************  

Re: avc denied messages from boot

--------------------------------------------------------------------------------

From: Richard Hally <rhally mindspring com> 
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com> 
Subject: Re: avc denied messages from boot 
Date: Tue, 06 Apr 2004 12:53:04 -0400 

--------------------------------------------------------------------------------
Daniel J Walsh wrote:


Richard Hally wrote:


When booting to runlevel 5 in enforcing mode with the latest policy there were only a few AVC denied messages. They are copied below.
[root localhost root]# rpm -q policy policy-sources
policy-1.9.2-10
policy-sources-1.9.2-10
[root localhost root]#


Hope this helps,
Richard Hally



There is a bug in the init scripts that leaves /initrd mounted. If you umount this directory most of these messages will disappear.

The screensaver ones should be fixed by -12 policy

Not sure why gnome is trying to manipulate the registry.xml file.




--------------------messages-----------------------------
Apr 5 22:37:25 localhost crond: crond startup succeeded
Apr 5 22:37:25 localhost kernel: audit(1081219045.889:0): avc: denied { read } for pid=1647 exe=/usr/sbin/crond name=mailman dev=hdc3 ino=539689 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Apr 5 22:37:27 localhost xfs: xfs startup succeeded


Apr 5 22:38:04 localhost gdm(pam_unix)[1814]: session opened for user richard by (uid=0)
Apr 5 22:38:19 localhost kernel: audit(1081219099.459:0): avc: denied { setattr } for pid=1886 exe=/usr/libexec/gnome-settings-daemon name=registry.xml dev=hdc3 ino=3009195 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:var_t tclass=file
Apr 5 22:38:20 localhost kernel: audit(1081219100.136:0): avc: denied { getattr } for pid=1901 exe=/usr/X11R6/bin/xscreensaver path=/home/richard/.xscreensaver dev=hdc3 ino=2469233 scontext=richard:staff_r:staff_screensaver_t tcontext=richard:object_r:staff_home_t tclass=file
Apr 5 22:38:29 localhost kernel: audit(1081219109.860:0): avc: denied { getattr } for pid=1955 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:30 localhost kernel: audit(1081219110.466:0): avc: denied { getattr } for pid=1966 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:30 localhost kernel: audit(1081219110.653:0): avc: denied { getattr } for pid=1967 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:37 localhost kernel: audit(1081219117.803:0): avc: denied { setattr } for pid=1976 exe=/usr/libexec/mixer_applet2 name=registry.xml dev=hdc3 ino=3009195 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:var_t tclas:


--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list






Thanks Dan! You and the other people working on SELinux are making great progress. It looks like it really will happen :)
Richard Hally 

Frank Marsolais, MCSE, CCA
Greenman-Pedersen, Inc.
Phone (631) 587-5060 x348
Fax (631) 422-3479
FMarsolais at gpinet.com
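As an added example (not part of this thread, and not a tool either poster mentions), the following Python script does by hand what a reader of these logs ends up doing with grep: it parses denial lines in the old kernel-audit format shown above, groups complete ones by source type, target type, object class and permission set, counts the lines the archive has cut off rather than dropping them silently, and lists denials whose target is file_t, the unlabeled type that Dan Walsh's reply traces to /initrd being left mounted. The sample log is constructed from lines on this page (rejoined to one line each, with one deliberately truncated like Frank's); the function names and the file_t heuristic are my own.

```python
"""Group 2004-era SELinux AVC denial lines and flag unlabeled (file_t) targets.

Added example for this thread; the function names are assumptions of this
script, not commands from the SELinux tools of the time.
"""
import re
from collections import Counter

# Constructed sample built from lines quoted on this page: old
# "audit(ts:serial): avc: denied { perms } for key=value ..." syslog format,
# each rejoined to one line.  The fifth line is cut off the way the archive
# wraps Frank's log, and the last one is not an AVC line at all.
SAMPLE_LOG = """\
Apr 5 22:37:25 localhost kernel: audit(1081219045.889:0): avc: denied { read } for pid=1647 exe=/usr/sbin/crond name=mailman dev=hdc3 ino=539689 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Apr 5 22:38:29 localhost kernel: audit(1081219109.860:0): avc: denied { getattr } for pid=1955 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:30 localhost kernel: audit(1081219110.466:0): avc: denied { getattr } for pid=1966 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:20 localhost kernel: audit(1081219100.136:0): avc: denied { getattr } for pid=1901 exe=/usr/X11R6/bin/xscreensaver path=/home/richard/.xscreensaver dev=hdc3 ino=2469233 scontext=richard:staff_r:staff_screensaver_t tcontext=richard:object_r:staff_home_t tclass=file
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.326:0): avc:  denied  { read write } for  pid=1 exe=/sbin/init path=/dev/console d
Jul 11 09:50:03 gpi04 xinetd[2420]: xinetd Version 2.3.13 started with libwrap loadavg options compiled in.
"""

# "{ read write }" may be padded with extra spaces, as in Frank's log.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value tokens; the value may be empty (dev=) or a bare "-" (ino=-).
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one.

    A line cut off before its tclass= field is kept and marked truncated=True,
    so it can be counted instead of vanishing from the summary.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    rec.update(KV_RE.findall(m.group("rest")))
    rec["truncated"] = "tclass" not in rec
    return rec


def ctx_type(context):
    """'system_u:object_r:file_t' -> 'file_t' (user:role:type; type is third)."""
    if context and context.count(":") >= 2:
        return context.split(":")[2]
    return context


def summarize(log_text):
    """Count complete denials by (source type, target type, class, perms).

    Returns (Counter, number_of_truncated_lines).
    """
    groups = Counter()
    truncated = 0
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["truncated"]:
            truncated += 1
            continue
        key = (ctx_type(rec.get("scontext")), ctx_type(rec.get("tcontext")),
               rec["tclass"], rec["perms"])
        groups[key] += 1
    return groups, truncated


def unlabeled_targets(log_text):
    """Denials whose target type is file_t, i.e. an object with no label.

    Policy grants almost nothing on file_t, so an unlabeled mount such as the
    /initrd left mounted in Dan Walsh's reply shows up here as (exe, object).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and not rec["truncated"] and ctx_type(rec.get("tcontext")) == "file_t":
            hits.append((rec.get("exe"), rec.get("path") or rec.get("name")))
    return hits


if __name__ == "__main__":
    groups, cut = summarize(SAMPLE_LOG)
    for (src, tgt, cls, perms), n in groups.most_common():
        print(f"{n:3d}  {src} -> {tgt} ({cls}) {{ {' '.join(perms)} }}")
    print(f"{cut} truncated line(s) not summarized")
    for exe, obj in unlabeled_targets(SAMPLE_LOG):
        print(f"unlabeled target: {exe} on {obj}")
```

Run against a real /var/log/messages the grouping collapses the hundreds of boot-time lines into a handful of (source, target, class) tuples, which is the unit a policy rule is written for; the truncated count tells you how much of the archive copy is unusable before you draw conclusions from it.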



