This avc is a constraint violation! Stuck resolving this via --update on sepolgen generated file
Michael Atighetchi
matighet at bbn.com
Fri Sep 23 10:55:54 UTC 2011
Hi,
I am stuck trying to create a selinux policy for the Software Test
Automation Framework (STAF) daemon on Fedora 14.
From the violations, it seems that STAF wants to send out emails and
restart iptables, which is behavior that should be allowed.
I've created the inital policy with sepolgen and did run the resulting
.sh script with "--update" a number of times, but so far no success in
getting a policy that works without generating violations.
I have included the resulting te file as an attachment.
Any ideas about what could be wrong would be greatly appreciated.
The current set of violations are:
[root at lime audit]# grep AVC audit.log | grep STAF
type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for
pid=13504 comm="STAFProc" name="STAF.tmp"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { read } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { open } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.906:16751): avc: denied { getattr } for
pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772677.136:16755): avc: denied { transition }
for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0
ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { rlimitinh }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { siginh } for
pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { noatsecure }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet at bbn.com
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: STAFProc.te
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20110923/ad4f60c1/attachment.pl
More information about the selinux
mailing list