fedora-selinux-list Digest, Vol 20, Issue 18

Jayendren Anand Maduray jayendren at hivsa.com
Fri Oct 21 10:10:46 UTC 2005 

Greetings fellow travellers.


Could someone please help me with the following errors:

*audit(1129788324.500:0): avc:  denied  { execute } for  pid=3105 
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.501:0): avc:  denied  { execute } for  pid=3106 
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.507:0): avc:  denied  { execute } for  pid=3107 
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.510:0): avc:  denied  { execute } for  pid=3108 
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.514:0): avc:  denied  { execute } for  pid=3109 
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.517:0): avc:  denied  { execute } for  pid=3110 
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.521:0): avc:  denied  { execute } for  pid=3111 
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.522:0): avc:  denied  { execute } for  pid=3112 
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.528:0): avc:  denied  { execute } for  pid=3113 
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.529:0): avc:  denied  { execute } for  pid=3114 
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file*


These errors are from dmesg, and occured after compiling and installing 
squidclam from source.

Here is the output of selinuxconf:

[*root at shiva jay]# selinuxconfig
selinux state="enforcing"
policypath="/etc/selinux/targeted"
default_type_path="/etc/selinux/targeted/contexts/default_type"
default_context_path="/etc/selinux/targeted/contexts/default_contexts"
default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"
binary_policy_path="/etc/selinux/targeted/policy/policy"
user_contexts_path="/etc/selinux/targeted/contexts/users/"
contexts_path="/etc/selinux/targeted/contexts"*

Output of uname -a:
*[root at shiva jay]# uname -a
Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 i686 
i386 GNU/Linux*

Any help would be greatly appreciated.

God bless.



fedora-selinux-list-request at redhat.com wrote:

>Send fedora-selinux-list mailing list submissions to
>	fedora-selinux-list at redhat.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>or, via email, send a message with subject or body 'help' to
>	fedora-selinux-list-request at redhat.com
>
>You can reach the person managing the list at
>	fedora-selinux-list-owner at redhat.com
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of fedora-selinux-list digest..."
>
>
>Today's Topics:
>
>   1. Re: mailman cgi-bin denied search (Tim Fenn)
>   2. Preserving Context with tar (W. Scott wilburn)
>   3. Re: mailman cgi-bin denied search (Daniel J Walsh)
>   4. Re: Preserving Context with tar (Daniel J Walsh)
>   5. Re: mailman cgi-bin denied search (Tim Fenn)
>   6. Re: Preserving Context with tar (Stephen Smalley)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Wed, 19 Oct 2005 13:49:47 -0700
>From: Tim Fenn <fenn at stanford.edu>
>Subject: Re: mailman cgi-bin denied search
>To: Daniel J Walsh <dwalsh at redhat.com>
>Cc: fedora-selinux-list at redhat.com
>Message-ID: <20051019204947.GC6466 at stanford.edu>
>Content-Type: text/plain; charset=us-ascii
>
>On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>  
>
>>Tim Fenn wrote:
>>    
>>
>>>I recently installed mailman on my FC3 box (using the redhat based
>>>RPMs), and it seems to be working just fine, except for the numerous
>>>avc messages it cranks out whenever I run one of the cgi scripts
>>>associated with mailman (e.g. via the web interface):
>>>
>>>Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc:  denied
>>>{ search } for  pid=18761 comm="listinfo" name="run" dev=sda1
>>>ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>>u:object_r:var_run_t tclass=dir
>>>
>>>      
>>>
>>Why would mailman listinfo be searching /var/log directory?
>>
>>    
>>
>
>Well, I get the same errors with mailmanctl:
>
>./mailmanctl status
>
>yields no output, and the following errors:
>Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc:  denied
>{ read write } for  pid=20837 comm="mailmanctl" name="3" dev=devpts
>ino=5 scontext=root:system_r:mailman_mail_t
>tcontext=root:object_r:devpts_t tclass=chr_file
>Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc:  denied
>{ search } for  pid=20837 comm="mailmanctl" name="run" dev=sda1
>ino=1294372 scontext=root:system_r:mailman_mail_t
>tcontext=system_u:object_r:var_run_t tclass=dir
>Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc:  denied
>{ setgid } for  pid=20837 comm="mailmanctl" capability=6
>scontext=root:system_r:mailman_mail_t
>tcontext=root:system_r:mailman_mail_t tclass=capability
>
>However, if I comment out:
>
>from Mailman.Logging.Syslog import syslog
>
>in the mailmanctl script, all is well:
>
># ./mailmanctl status
>mailman (pid 17677) is running...
>
>and no error messages.  I would assume the same is true with the
>cgi-bin scripts, such as listinfo.  Should I file a bugzilla report?
>
>Regards,
>Tim
>
>
>
>------------------------------
>
>Message: 2
>Date: Wed, 19 Oct 2005 15:56:06 -0600
>From: "W. Scott wilburn" <wilburn at lanl.gov>
>Subject: Preserving Context with tar
>To: fedora-selinux-list at redhat.com
>Message-ID: <20051019215606.GE4717 at wilburn.lanl.gov>
>Content-Type: text/plain; charset=us-ascii
>
>Sorry to be asking such a simple question. Is it possible to preserve 
>file contexts using tar? I would have thought -p would do this, but 
>it appears no, atleast on RHEL4 and FC4.
>
>The reason to do this is a use tar to install modified config files on 
>new machines. Having to relabel after doing this is somewhat slow. 
>Perhaps there is a better solution?
>
>Thanks,
>Scott Wilburn
>
>
>
>------------------------------
>
>Message: 3
>Date: Wed, 19 Oct 2005 22:31:36 -0400
>From: Daniel J Walsh <dwalsh at redhat.com>
>Subject: Re: mailman cgi-bin denied search
>To: Daniel J Walsh <dwalsh at redhat.com>, fedora-selinux-list at redhat.com
>Message-ID: <43570188.5060201 at redhat.com>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Tim Fenn wrote:
>  
>
>>On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>  
>>    
>>
>>>Tim Fenn wrote:
>>>    
>>>      
>>>
>>>>I recently installed mailman on my FC3 box (using the redhat based
>>>>RPMs), and it seems to be working just fine, except for the numerous
>>>>avc messages it cranks out whenever I run one of the cgi scripts
>>>>associated with mailman (e.g. via the web interface):
>>>>
>>>>Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc:  denied
>>>>{ search } for  pid=18761 comm="listinfo" name="run" dev=sda1
>>>>ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>>>u:object_r:var_run_t tclass=dir
>>>>
>>>>      
>>>>        
>>>>
>>>Why would mailman listinfo be searching /var/log directory?
>>>
>>>    
>>>      
>>>
>>Well, I get the same errors with mailmanctl:
>>
>>./mailmanctl status
>>
>>yields no output, and the following errors:
>>Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc:  denied
>>{ read write } for  pid=20837 comm="mailmanctl" name="3" dev=devpts
>>ino=5 scontext=root:system_r:mailman_mail_t
>>tcontext=root:object_r:devpts_t tclass=chr_file
>>Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc:  denied
>>{ search } for  pid=20837 comm="mailmanctl" name="run" dev=sda1
>>ino=1294372 scontext=root:system_r:mailman_mail_t
>>tcontext=system_u:object_r:var_run_t tclass=dir
>>Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc:  denied
>>{ setgid } for  pid=20837 comm="mailmanctl" capability=6
>>scontext=root:system_r:mailman_mail_t
>>tcontext=root:system_r:mailman_mail_t tclass=capability
>>
>>However, if I comment out:
>>
>>from Mailman.Logging.Syslog import syslog
>>
>>in the mailmanctl script, all is well:
>>
>># ./mailmanctl status
>>mailman (pid 17677) is running...
>>
>>and no error messages.  I would assume the same is true with the
>>cgi-bin scripts, such as listinfo.  Should I file a bugzilla report?
>>
>>Regards,
>>Tim
>>  
>>    
>>
>Yes.  submit a bug.   Although generating these in FC4 would be far more 
>interesting.  Also do these AVC messages cause problems or are they just 
>being reported.  No output from the script is fixed in FC4.
>
>
>
>  
>

-- 
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator

Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa

Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94

Alternate email address: jayendren at mweb.co.za

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/selinux/attachments/20051021/be2425b8/attachment.html

More information about the selinux mailing list