SELinux Admin newbie question

Temlakos temlakos at gmail.com
Thu Mar 4 17:47:06 UTC 2010


Sebastian Pfaff wrote:
> Hey Temlakos,
>
>> Where do I find the logs to tell me what permissions a certain new
>> application will need to operate?
>
> You find these messages in /var/log/audit/audit.log. Open this file 
> with a pager of your choice (e.g. less or more). Then look for 
> messages with type AVC. As an alternative you can use ausearch to find 
> SELinux AVC (Access Vector Cache) denials/messages.
>
> This command:
>
> ausearch -m avc -ts today  # shows you all auditd messages of type AVC 
> which were generated today. Consult the manpage of ausearch for details.
>
> How to read AVC denials is described here:
>
> http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/
>
> (Read topic "7.3. Fixing Problems")
>
>> I'm using Fedora 12 on an HP Pavilion machine with a dual-core
>> processor. Several times I have tried to install an application called
>> TweetDeck. And each time I do, I am told that TweetDeck is having
>> trouble accessing some secure passwords that are stored on the machine.
>
> Redo your workflow and paste your AVC denials to this list.
>
>> I am convinced that SELinux is doing it.
>
> Probably yes.
>
>> But I don't know how to get
>> SELinux to play nice, because I can't see where the problem is.
>
> You can use audit2allow to get SELinux to play nice. But be careful 
> when using this command. audit2allow simply generates SELinux rules 
> (aka Access Vector Rules) based on /var/log/audit/audit.log. It is 
> not uncommon that audit2allow allows more than you want. But for a 
> beginner this tool is a good choice.
>
> -- 
> Sebastian Pfaff
>
>

Well, before I use audit2allow, I'll first want to know how to turn that 
off. Anyway, here's the output, after I un-hid the alerts:

-------------------------------------------

[root@temlakosbeta temlakos]# semodule -DB
[root@temlakosbeta temlakos]# ausearch -m avc -ts today
----
time->Thu Mar  4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.038:22518): arch=40000003 syscall=5 
success=no exit=-13 a0=1387d20 a1=98800 a2=c93ff4 a3=1387d20 items=0 
ppid=1 pid=1545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon" 
exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 
key=(null)
type=AVC msg=audit(1267724351.038:22518): avc:  denied  { search } for  
pid=1545 comm="dbus-daemon" name="root" dev=dm-0 ino=106497 
scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Thu Mar  4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.050:22520): arch=40000003 syscall=11 
success=yes exit=0 a0=12c2778 a1=746ae28 a2=0 a3=0 items=0 ppid=5873 
pid=5879 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles" 
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.050:22520): avc:  denied  { noatsecure } 
for  pid=5879 comm="setfiles" 
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc:  denied  { siginh } for  
pid=5879 comm="setfiles" 
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc:  denied  { rlimitinh } 
for  pid=5879 comm="setfiles" 
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar  4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.052:22521): arch=40000003 syscall=11 
success=yes exit=0 a0=9f05c30 a1=9f055a8 a2=9f05008 a3=9f081e8 items=0 
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" 
exe="/usr/bin/python" 
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.052:22521): avc:  denied  { noatsecure } 
for  pid=5878 comm="setroubleshootd" 
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.052:22521): avc:  denied  { siginh } for  
pid=5878 comm="setroubleshootd" 
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.052:22521): avc:  denied  { rlimitinh } 
for  pid=5878 comm="setroubleshootd" 
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar  4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.227:22522): arch=40000003 syscall=33 
success=no exit=-13 a0=9868e90 a1=2 a2=60f900 a3=9809c00 items=0 
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" 
exe="/usr/bin/python" 
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.227:22522): avc:  denied  { write } for  
pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769 
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Thu Mar  4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.229:22523): arch=40000003 syscall=33 
success=no exit=-13 a0=9898478 a1=2 a2=60f900 a3=9854390 items=0 
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" 
exe="/usr/bin/python" 
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.229:22523): avc:  denied  { write } for  
pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769 
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
[root@temlakosbeta temlakos]#

------------------------------------------


The workflow is this: using Adobe AIR Installer to install the TweetDeck 
application. I only just performed this test, and that's what I got from 
a single workflow.

Temlakos
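The reply quoted above points at the AVC records in /var/log/audit/audit.log and ausearch, and warns that audit2allow tends to allow more than you want. The script below is an added example for this thread; it is not code from either poster or from the SELinux project. It parses ausearch-style output like the transcript above, pairs each AVC record with its SYSCALL record via the audit event id, and separates denials where the kernel actually refused the call (success=no) from the noatsecure/siginh/rlimitinh process checks that are normally silenced by dontaudit rules and only appear because `semodule -DB` disabled them (`semodule -B` rebuilds the policy with them back on). It also renders the denials in the `allow source target:class { perms };` form that audit2allow prints, so you can read what you would be granting before loading anything. The sample records are constructed from the kinds of lines in the transcript, unwrapped and with unused SYSCALL fields trimmed; the set of "noise" permissions is an assumption about common dontaudit coverage, not something read from the policy.

```python
"""Triage ausearch / audit.log AVC output (added example, not from the post)."""
import re
from collections import defaultdict

# Constructed sample: records modelled on the transcript, unwrapped and trimmed.
SAMPLE = """----
time->Thu Mar  4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.038:22518): arch=40000003 syscall=5 success=no exit=-13 ppid=1 pid=1545 uid=0 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.038:22518): avc:  denied  { search } for  pid=1545 comm="dbus-daemon" name="root" dev=dm-0 ino=106497 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Thu Mar  4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.050:22520): arch=40000003 syscall=11 success=yes exit=0 ppid=5873 pid=5879 uid=0 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.050:22520): avc:  denied  { noatsecure } for  pid=5879 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc:  denied  { siginh } for  pid=5879 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc:  denied  { rlimitinh } for  pid=5879 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar  4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.227:22522): arch=40000003 syscall=33 success=no exit=-13 ppid=5877 pid=5878 uid=0 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.227:22522): avc:  denied  { write } for  pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

# Assumption: process-inheritance checks usually covered by dontaudit rules;
# they only become visible after `semodule -DB`.
DONTAUDIT_NOISE = {"noatsecure", "siginh", "rlimitinh"}


def selinux_type(context):
    """user:role:type:range -> type (e.g. xdm_dbusd_t)."""
    return context.split(":")[2]


def parse_records(text):
    """Group SYSCALL and AVC records by audit event id (timestamp:serial)."""
    events = defaultdict(lambda: {"syscall": None, "avcs": []})
    for line in text.splitlines():
        if not line.startswith("type="):
            continue  # skip ausearch's "----" and "time->" separators
        m = EVENT_RE.search(line)
        if not m:
            continue
        event_id = f"{m.group(1)}:{m.group(2)}"
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields["type"] == "SYSCALL":
            events[event_id]["syscall"] = fields
        elif fields["type"] == "AVC":
            pm = PERMS_RE.search(line)
            fields["decision"] = pm.group(1)
            fields["perms"] = pm.group(2).split()
            events[event_id]["avcs"].append(fields)
    return dict(events)


def summarize(events):
    """One row per denied permission, with the paired SYSCALL outcome."""
    rows = []
    for event_id, ev in sorted(events.items()):
        sc = ev["syscall"] or {}
        for avc in ev["avcs"]:
            for perm in avc["perms"]:
                rows.append({
                    "event": event_id,
                    "comm": avc.get("comm", "?"),
                    "source": selinux_type(avc["scontext"]),
                    "target": selinux_type(avc["tcontext"]),
                    "tclass": avc["tclass"],
                    "perm": perm,
                    # success=no / exit=-13 (EACCES) means the call really failed
                    "syscall_failed": sc.get("success") == "no",
                    "dontaudit_noise": perm in DONTAUDIT_NOISE and avc["tclass"] == "process",
                })
    return rows


def real_denials(rows):
    """Rows worth chasing: the syscall failed and it is not dontaudit noise."""
    return [r for r in rows if r["syscall_failed"] and not r["dontaudit_noise"]]


def allow_rule_preview(rows):
    """Render rows in the allow-rule form audit2allow prints, for review only."""
    grouped = defaultdict(set)
    for r in rows:
        grouped[(r["source"], r["target"], r["tclass"])].add(r["perm"])
    return "\n".join(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    )


if __name__ == "__main__":
    rows = summarize(parse_records(SAMPLE))
    for r in rows:
        flag = "noise" if r["dontaudit_noise"] else ("DENIED" if r["syscall_failed"] else "logged")
        print(f"{flag:7} {r['comm']:16} {r['source']} -> {r['target']}:{r['tclass']} {r['perm']}")
    print("\nRules audit2allow would propose for the real denials (review before use):")
    print(allow_rule_preview(real_denials(rows)))
```

Run against the transcript in this thread, the triage leaves two real denials: dbus-daemon (xdm_dbusd_t) searching admin_home_t, and setroubleshootd writing rpm_var_lib_t. Neither comes from the Adobe AIR installer, which is the first thing to establish before generating any allow rule; the three setfiles rows are dontaudit noise from the `semodule -DB` step and go away once the policy is rebuilt with `semodule -B`.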

