dontaudit for

Tom London selinux at gmail.com
Tue Mar 7 18:24:46 UTC 2006


Running targeted/enforcing, latest rawhide.

I get this:
----
type=PATH msg=audit(03/07/2006 09:11:05.866:13) : item=0
name=/proc/sys/vm/ flags=follow,access inode=4026531930 dev=00:03
mode=dir,555 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/07/2006 09:11:05.866:13) :  cwd=/usr/share/hal/scripts
type=SYSCALL msg=audit(03/07/2006 09:11:05.866:13) : arch=i386
syscall=access success=no exit=-13(Permission denied) a0=95213b8 a1=2
a2=2 a3=9520528 items=1 pid=2674 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=pm-powersave exe=/bin/bash
type=AVC msg=audit(03/07/2006 09:11:05.866:13) : avc:  denied  { write
} for  pid=2674 comm=pm-powersave name=vm dev=proc ino=-268435366
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
----
I think it comes from /usr/sbin/pm-powersave:

if [ ! -w "/proc/sys/vm/" ] ; then
    # Use the raw kernel sysfs interface
    echo "You do not have write access to /proc/sys/vm/"
    exit 1
fi
/proc/sys/vm appears to not want to be written:

[tbl at localhost vm]$ ls -ldZ /proc/sys/vm
dr-xr-xr-x  root     root     system_u:object_r:sysctl_vm_t    /proc/sys/vm
[tbl at localhost vm]$

Should this be a 'dontaudit'? E.g.:
dontaudit hald_t sysctl_vm_t:dir write;

tom
--
Tom London
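An added example, not part of Tom's post or of the SELinux policy tools: a small POSIX shell function that turns an AVC denial record like the one above into the dontaudit rule he proposes (the same kind of transformation audit2allow performs for allow rules). It assumes the ausearch -i field layout seen in the post: the permission set between "{" and "}", and scontext=/tcontext=/tclass= key=value pairs, with the type as the third colon-separated field of each context. The sample record is the denial from the post joined onto one line (the mail wrapped it across lines).

```shell
#!/bin/sh
# Added example, not from the original post or from the SELinux policy
# tools: derive a dontaudit rule from an AVC denial record as printed by
# "ausearch -i". Assumes the record carries the permission set between
# "{" and "}", and scontext=/tcontext=/tclass= key=value pairs; the type
# is the third colon-separated field of each context.

avc_to_dontaudit() {
    # $1: one AVC denial record on a single line
    printf '%s\n' "$1" | awk '
    {
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e == 0 || e < s) exit 1
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms)                # trim
        gsub(/ +/, " ", perms)                    # collapse runs of spaces
        if (perms ~ / /) perms = "{ " perms " }"  # several permissions
        st = tt = tc = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)   { tc = substr($i, 8) }
        }
        if (st == "" || tt == "" || tc == "") exit 1
        printf "dontaudit %s %s:%s %s;\n", st, tt, tc, perms
    }'
}

# The denial from the post, joined onto one line (constructed test input).
AVC_SAMPLE='type=AVC msg=audit(03/07/2006 09:11:05.866:13) : avc:  denied  { write } for  pid=2674 comm=pm-powersave name=vm dev=proc ino=-268435366 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir'

avc_to_dontaudit "$AVC_SAMPLE"
```

Running it on the sample prints `dontaudit hald_t sysctl_vm_t:dir write;`. One caveat worth keeping in mind with such a rule: dontaudit only stops the denial from being logged. The access(2) call in the `[ ! -w "/proc/sys/vm/" ]` test still returns EACCES, so pm-powersave still takes its "You do not have write access" branch and exits 1; the rule decides only whether that is recorded in the audit log.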
