New Years Resolution

Tom London selinux at gmail.com
Sat Jan 2 18:10:27 UTC 2010


On Sat, Jan 2, 2010 at 9:39 AM, Steve Blackwell <zephod at cfl.rr.com> wrote:
> OK, here is one of my New Year's resolutions:
>
> Get a better understanding of SELinux.
>
> I'm running a F11 box in permissive mode and I get hundreds of AVCs.
> Let's start with this one.
>
> SELinux is preventing dbus-daemon (system_dbusd_t) "search"
> unconfined_t.
>
> node=steve.blackwell type=AVC msg=audit(1262408462.863:1162): avc:
> denied { search } for pid=1613 comm="dbus-daemon" name="23667" dev=proc
> ino=584443 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
>
> Now, if I'm reading this correctly, the dbus-daemon process tried to
> search a directory called 23667 but didn't have permission to do so.
>
> The problem with that is that I don't have a directory called 23667.
> At least there isn't one now but I suppose it could have existed at the
> time the AVC was generated which was just after midnight. I'm getting
> one of these every hour with different numbers for the target
> directory. I thought that it might be related to a cron job but it
> seems that the hourly cron job just calls anacron to check to see if
> the daily, weekly or monthly cron job needs to be run. The other
> possibility is that it has something to do with BackupPC.
>
> One thing I don't understand is why SELinux is flagging this in the
> first place. Since the target context is unconfined_t, should anything
> be able to search it?
>
> Steve.

If you notice, the AVC says "dev=proc".  That, and the name of the
directory suggests that the target directory in question is
'/proc/23677'.  So, dbus-daemon (pid=1613) is attempting to search for
some information about a running unconfined_t process (in this case,
23677) and the policy is not allowing it.

Since the attempted accesses are directed at running processes, they
would almost certainly be different and/or change with time, reboots,
etc.

I believe the policy does not allow unrestricted access by arbitrary
domains to unconfined_t targets.

Hope this helps....

tom
-- 
Tom London
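An added example, not part of the thread or of any SELinux tool: a small Python parser for the audit AVC record quoted above. It pulls out the fields Tom reads (`dev`, `name`, the type component of each context), rebuilds the setroubleshoot-style one-line summary Steve pasted, and turns `dev=proc` plus a numeric `name` into the `/proc/<pid>` hint. The sample record is the one from the thread, reflowed onto one line.

```python
import re

# Constructed sample: the AVC record from the thread, joined onto one line.
SAMPLE_AVC = (
    'node=steve.blackwell type=AVC msg=audit(1262408462.863:1162): avc: '
    'denied { search } for pid=1613 comm="dbus-daemon" name="23667" dev=proc '
    'ino=584443 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir'
)

_VERDICT_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
_MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # msg=audit(EPOCH.ms:serial)


def parse_avc(line):
    """Parse one audit AVC line into a dict of its fields."""
    m = _VERDICT_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    avc = {"verdict": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV_RE.findall(line):
        avc[key] = val.strip('"')
    ts = _MSG_RE.search(avc.get("msg", ""))
    if ts:
        avc["epoch"] = float(ts.group(1))   # seconds since the Unix epoch (UTC)
        avc["serial"] = int(ts.group(2))
    # A context is user:role:type:range; the type is what the policy rule keys on.
    for ctx in ("scontext", "tcontext"):
        if ctx in avc:
            avc[ctx + "_type"] = avc[ctx].split(":")[2]
    return avc


def summarize(avc):
    """The one-line summary form: who (domain) tried which permission on what type."""
    return 'SELinux is preventing %s (%s) "%s" %s.' % (
        avc.get("comm", "?"), avc.get("scontext_type", "?"),
        " ".join(avc["perms"]), avc.get("tcontext_type", "?"))


def describe_target(avc):
    """Turn dev/name into a path hint. On dev=proc a numeric directory name
    is a process entry under /proc, so the 'directory' is really a PID."""
    name = avc.get("name", "")
    if avc.get("dev") == "proc" and name.isdigit():
        return "/proc/%s (process %s running as %s)" % (
            name, name, avc.get("tcontext_type", "?"))
    return name or "<unknown>"


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(summarize(rec))
    print("target:", describe_target(rec))
```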