SELinux Admin newbie question
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 4 18:45:27 UTC 2010
On 03/04/2010 01:33 PM, Temlakos wrote:
> Dominick Grift wrote:
>
>> On 03/04/2010 07:14 PM, Temlakos wrote:
>>
>>
>>
>>> Anyway--in case I have to use that installer again, as I think I might,
>>> I'd like to have somebody go over those alerts--because they /have/ to
>>> be related, somehow. Here they are again:
>>>
>>>
>> Just a comment:
>>
>> ausearch -m avc -ts ... does not show all denials in
>> /var/log/audit/audit.log
>>
>> There could also be user space AVC denials present which can be listed with:
>>
>> ausearch -m user_avc -ts ...
>>
>> In some rare cases sone AVC denials may end up in dmesg and/or
>> /var/log/messages.
>>
>> Unfortunately i do not see anything in your enclosed AVC denials that i
>> suspect may be related to your issue. Hopefully someone else does.
>>
>>
>>
> Well, I just tried searching on user_avc, even after un-hiding the
> alerts. Result:
>
> <no matches>
>
> So what I submitted, has to be it.
>
> But: might this have anything to do with it? I'm using KDE now, and one
> of the things that the installer had to do was to get into KWallet, and
> for that the system asked for my KWallet password, which I gave.
>
> I'm new to KDE, and I'm surprised that I didn't use it earlier. KDE has
> an automatic package installer that has already made my life a lot
> simpler, and when I realized that I was using a lot of KDE-specific
> apps, KDE was the logical choice. But maybe KDE has some subtleties that
> occasionally create a security problem in a security-enhanced environment.
>
> Temlakos
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
I have seen installations trip over execmod,execmem and execstack checks.
Also if the tools use java, it can do some stuff that SELinux does not like.
getsebool allow_execstack allow_execmem allow_execmod
More information about the selinux
mailing list