SELinux Admin newbie question
Temlakos
temlakos at gmail.com
Thu Mar 4 17:47:06 UTC 2010
Sebastian Pfaff wrote:
> Hey Temlakos,
>
>> Where do I find the logs to tell me what permissions a certain new
>> application will need to operate?
>
> You find these messages in /var/log/audit/audit.log. Open this file
> with a pager of your choice (e.g. less or more). Then look for
> messages with type AVC. As an alternative you can use ausearch to find
> SELinux AVC (Access Vector Cache) denials/messages.
>
> this command:
>
> ausearch -m avc -ts today # shows you all auditd messages of type AVC
> which are generated today. Consult manpage of ausearch for details.
>
> How to read AVC denials is described here:
>
> http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/
>
> (Read topic "7.3. Fixing Problems")
>
>> I'm using Fedora 12 on an HP Pavilion machine with a dual-core
>> processor. Several times I have tried to install an application called
>> TweetDeck. And each time I do, I am told that TweetDeck is having
>> trouble accessing some secure passwords that are stored on the machine.
>
> Redo your workflow and paste your AVC denials to this list.
>
>> I am convinced that SELinux is doing it.
>
> Probably yes.
>
>> But I don't know how to get
>> SELinux to play nice, because I can't see where the problem is.
>
> You can use audit2allow to get SELinux to play nice. But be careful
> when using this command. audit2allow simply generates SELinux rules
> (aka Access Vector Rules) based on /var/log/audit/audit.log . It is
> not uncommon that audit2allow allows more than you want. But for a
> beginner this tool is a good choice.
>
> --
> Sebastian Pfaff
>
>
Well, before I use audit2allow, I'll first want to know how to turn that
off. Anyway, here's the output, after I un-hid the alerts:
-------------------------------------------
[root at temlakosbeta temlakos]# semodule -DB
[root at temlakosbeta temlakos]# ausearch -m avc -ts today
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.038:22518): arch=40000003 syscall=5
success=no exit=-13 a0=1387d20 a1=98800 a2=c93ff4 a3=1387d20 items=0
ppid=1 pid=1545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon"
exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1267724351.038:22518): avc: denied { search } for
pid=1545 comm="dbus-daemon" name="root" dev=dm-0 ino=106497
scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.050:22520): arch=40000003 syscall=11
success=yes exit=0 a0=12c2778 a1=746ae28 a2=0 a3=0 items=0 ppid=5873
pid=5879 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles"
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.050:22520): avc: denied { noatsecure }
for pid=5879 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc: denied { siginh } for
pid=5879 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc: denied { rlimitinh }
for pid=5879 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.052:22521): arch=40000003 syscall=11
success=yes exit=0 a0=9f05c30 a1=9f055a8 a2=9f05008 a3=9f081e8 items=0
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.052:22521): avc: denied { noatsecure }
for pid=5878 comm="setroubleshootd"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.052:22521): avc: denied { siginh } for
pid=5878 comm="setroubleshootd"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.052:22521): avc: denied { rlimitinh }
for pid=5878 comm="setroubleshootd"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.227:22522): arch=40000003 syscall=33
success=no exit=-13 a0=9868e90 a1=2 a2=60f900 a3=9809c00 items=0
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.227:22522): avc: denied { write } for
pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.229:22523): arch=40000003 syscall=33
success=no exit=-13 a0=9898478 a1=2 a2=60f900 a3=9854390 items=0
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.229:22523): avc: denied { write } for
pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
[root at temlakosbeta temlakos]#
------------------------------------------
The workflow is this: using Adobe AIR Installer to install the TweetDeck
application. I only just performed this test, and that's what I got from
a single workflow.
Temlakos
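As an added example (my own code, not part of the thread or of Fedora's tooling), a small Python triage script for the kind of ausearch output pasted above: it pulls the type=AVC lines, groups them by source type, target type, object class and permission, and sets aside the noatsecure/siginh/rlimitinh process denials that the policy normally covers with dontaudit rules and that only became visible because `semodule -DB` was run first. The sample records are copied from the post and trimmed to AVC lines; field names follow the audit.log format shown there.

```python
import re
from collections import Counter

# Constructed sample: four of the AVC records from the post, one per line
# (the SYSCALL lines are omitted; the parser only reads type=AVC lines).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1267724351.038:22518): avc: denied { search } for pid=1545 comm="dbus-daemon" name="root" dev=dm-0 ino=106497 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1267724351.050:22520): avc: denied { noatsecure } for pid=5879 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.227:22522): avc: denied { write } for pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1267724351.229:22523): avc: denied { write } for pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")
COMM_RE = re.compile(r'comm="(?P<comm>[^"]*)"')

# Process-class permissions normally hidden by dontaudit rules; they are only
# visible in the post because `semodule -DB` was run before `ausearch`.
DONTAUDIT_NOISE = {"noatsecure", "siginh", "rlimitinh"}

def domain_type(context):
    """user:role:type:range -> type (the third colon-separated field)."""
    return context.split(":")[2]

def parse_avc(text):
    """Return one dict per AVC denial line: permissions, comm, types, class."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL lines, separators and granted AVCs are skipped
        c = COMM_RE.search(line)
        records.append({"perms": m.group("perms").split(),
                        "comm": c.group("comm") if c else "",
                        "stype": domain_type(m.group("scontext")),
                        "ttype": domain_type(m.group("tcontext")),
                        "tclass": m.group("tclass")})
    return records

def summarize(records):
    """Count (source type, target type, class, permission) tuples, keeping
    dontaudit-covered noise apart from denials that need a real decision."""
    real, noise = Counter(), Counter()
    for r in records:
        for p in r["perms"]:
            key = (r["stype"], r["ttype"], r["tclass"], p)
            bucket = noise if r["tclass"] == "process" and p in DONTAUDIT_NOISE else real
            bucket[key] += 1
    return real, noise
```

Feeding the real file with `summarize(parse_avc(open("/var/log/audit/audit.log").read()))` gives one tuple per distinct access; each tuple in `real` corresponds to exactly one `allow source target:class perm;` rule that audit2allow would generate, so the list can be reviewed before anything is loaded.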