sedispatch: Connection Error
Daniel J Walsh
dwalsh at redhat.com
Tue Mar 26 19:27:56 UTC 2013
On 03/26/2013 03:23 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Dan,
>
> Thanks for your prompt response.
>
> Yes we have removed unconfined.pp from our system.
>
> And here are the outputs for the ps command
>
> [root@nw043b-vcma1 ~]# ps -eZ | grep sedispatch
> system_u:system_r:audisp_t:s0 30135 ? 00:00:11 sedispatch
> [root@nw043b-vcma1 ~]#
> [root@nw043b-vcma1 ~]# ps -eZ | grep setroubleshootd
> [root@nw043b-vcma1 ~]#
>
Those look correct. Is there a chance setroubleshootd is blowing up?
sedispatch sending a dbus message should activate it.

grep setroubleshoot /var/log/audit/audit.log

Writing policy for vmtoolsd would require something like

sepolgen PATHTO/vmtoolsd

to start.
> What kind of policies do we need to add for vmtoolsd?
>
> Thanks, Anamitra
>
> On 3/26/13 12:08 PM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>
> Are you running this with unconfined.pp disabled? Looks like you need
> policy for vmtoolsd.
>
> I was looking for auditd_t or setroubleshootd avc's.
>
> ps -eZ | grep sedispatch
> ps -eZ | grep setroubleshootd
>
> sedispatch sends avc messages via dbus to setroubleshootd, if
> setroubleshootd gets an AVC about itself, it will drop it on the floor,
>
>
>
>
>
> On 03/26/2013 03:01 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>> Hi Dan,
>>>>
>>>> Yes there are many denials being seen. Here is an output from
>>>> ausearch....
>>>>
>>>> time->Tue Mar 26 13:58:16 2013 type=SYSCALL
>>>> msg=audit(1364324296.810:915270): arch=c000003e syscall=16
>>>> success=yes exit=0 a0=15 a1=8912 a2=7ffffa54bf90 a3=0 items=0 ppid=1
>>>> pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd"
>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>> msg=audit(1364324296.810:915270): avc: denied { ioctl } for
>>>> pid=18992 comm="vmtoolsd" path="socket:[2348604]" dev=sockfs
>>>> ino=2348604 scontext=system_u:system_r:init_t:s0
>>>> tcontext=system_u:system_r:init_t:s0 tclass=tcp_socket ---- time->Tue
>>>> Mar 26 13:58:26 2013 type=PATH msg=audit(1364324306.076:915272):
>>>> item=0 name="/" inode=2 dev=08:01 mode=040555 ouid=0 ogid=0
>>>> rdev=00:00 obj=system_u:object_r:root_t:s0 type=CWD
>>>> msg=audit(1364324306.076:915272): cwd="/" type=SYSCALL
>>>> msg=audit(1364324306.076:915272): arch=c000003e syscall=137
>>>> success=yes exit=0 a0=c45530 a1=7ffffa54c150 a2=1 a3=2 items=1 ppid=1
>>>> pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd"
>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>> msg=audit(1364324306.076:915272): avc: denied { getattr } for
>>>> pid=18992 comm="vmtoolsd" name="/" dev=sda1 ino=2
>>>> scontext=system_u:system_r:init_t:s0
>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem ---- time->Tue
>>>> Mar 26 13:58:26 2013 type=PATH msg=audit(1364324306.075:915271):
>>>> item=0 name="/dev/sda1" inode=5938 dev=00:05 mode=060660 ouid=0
>>>> ogid=6 rdev=08:01 obj=system_u:object_r:fixed_disk_device_t:s0
>>>> type=CWD msg=audit(1364324306.075:915271): cwd="/" type=SYSCALL
>>>> msg=audit(1364324306.075:915271): arch=c000003e syscall=4
>>>> success=yes exit=0 a0=c7d0b0 a1=7ffffa54c110 a2=7ffffa54c110 a3=a
>>>> items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>> comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>> msg=audit(1364324306.075:915271): avc: denied { getattr } for
>>>> pid=18992 comm="vmtoolsd" path="/dev/sda1" dev=devtmpfs ino=5938
>>>> scontext=system_u:system_r:init_t:s0
>>>> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>>>> ---- time->Tue Mar 26 13:58:26 2013 type=PATH
>>>> msg=audit(1364324306.080:915273): item=0 name="/proc/net/dev"
>>>> inode=4026531979 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
>>>> obj=system_u:object_r:proc_net_t:s0 type=CWD
>>>> msg=audit(1364324306.080:915273): cwd="/" type=SYSCALL
>>>> msg=audit(1364324306.080:915273): arch=c000003e syscall=2
>>>> success=yes exit=22 a0=7f783bc0e159 a1=0 a2=1b6 a3=0 items=1 ppid=1
>>>> pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd"
>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>> msg=audit(1364324306.080:915273): avc: denied { open } for
>>>> pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979
>>>> scontext=system_u:system_r:init_t:s0
>>>> tcontext=system_u:object_r:proc_net_t:s0 tclass=file type=AVC
>>>> msg=audit(1364324306.080:915273): avc: denied { read } for
>>>> pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979
>>>> scontext=system_u:system_r:init_t:s0
>>>> tcontext=system_u:object_r:proc_net_t:s0 tclass=file ---- time->Tue
>>>> Mar 26 13:58:26 2013 type=SYSCALL msg=audit(1364324306.081:915274):
>>>> arch=c000003e syscall=5 success=yes exit=0 a0=16 a1=7ffffa547f10
>>>> a2=7ffffa547f10 a3=0 items=0 ppid=1 pid=18992 auid=4294967295 uid=0
>>>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>>>> ses=4294967295 comm="vmtoolsd"
>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>> msg=audit(1364324306.081:915274): avc: denied { getattr } for
>>>> pid=18992 comm="vmtoolsd" path="/proc/18992/net/dev" dev=proc
>>>> ino=4026531979 scontext=system_u:system_r:init_t:s0
>>>> tcontext=system_u:object_r:proc_net_t:s0 tclass=file ---- time->Tue
>>>> Mar 26 13:58:26 2013 type=PATH msg=audit(1364324306.082:915275):
>>>> item=0 name="/etc/resolv.conf" inode=654095 dev=08:01 mode=0100644
>>>> ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0
>>>> type=CWD msg=audit(1364324306.082:915275): cwd="/" type=SYSCALL
>>>> msg=audit(1364324306.082:915275): arch=c000003e syscall=2
>>>> success=yes exit=21 a0=7f78443317fa a1=0 a2=1b6 a3=2 items=1 ppid=1
>>>> pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd"
>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>> msg=audit(1364324306.082:915275): avc: denied { open } for
>>>> pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095
>>>> scontext=system_u:system_r:init_t:s0
>>>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file type=AVC
>>>> msg=audit(1364324306.082:915275): avc: denied { read } for
>>>> pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095
>>>> scontext=system_u:system_r:init_t:s0
>>>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file ---- time->Tue
>>>> Mar 26 13:58:26 2013 type=SYSCALL msg=audit(1364324306.083:915276):
>>>> arch=c000003e syscall=5 success=yes exit=0 a0=15 a1=7ffffa549e80
>>>> a2=7ffffa549e80 a3=2 items=0 ppid=1 pid=18992 auid=4294967295 uid=0
>>>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>>>> ses=4294967295 comm="vmtoolsd"
>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>> msg=audit(1364324306.083:915276): avc: denied { getattr } for
>>>> pid=18992 comm="vmtoolsd" path="/etc/resolv.conf" dev=sda1
>>>> ino=654095 scontext=system_u:system_r:init_t:s0
>>>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>>>>
>>>>
>>>>
>>>> Thanks, Anamitra
>>>>
>>>> On 3/26/13 11:55 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>>>>
>>>> On 03/26/2013 12:50 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>>>>>
>>>>>>> On one of our systems we see that the syslog/messages file has
>>>>>>> been flooded with the following messages
>>>>>>>
>>>>>>> r 25 18:07:56 nw043b-vcma1 user 3 sedispatch: Connection Error
>>>>>>> (An SELinux policy prevents this sender from sending this
>>>>>>> message to this recipient (rejected message had sender
>>>>>>> "(unset)" interface "org.freedesktop.DBus" member "Hello" error
>>>>>>> name "(unset)" destination "org.freedesktop.DBus")): AVC Will
>>>>>>> be dropped
>>>>>>> Mar 25 18:07:56 nw043b-vcma1 user 3 sedispatch:
>>>>>>> Connection Error (An SELinux policy prevents this sender from
>>>>>>> sending this message to this recipient (rejected message had
>>>>>>> sender "(unset)" interface "org.freedesktop.DBus" member
>>>>>>> "Hello" error name "(unset)" destination
>>>>>>> "org.freedesktop.DBus")): AVC Will be dropped
>>>>>>> Mar 25 18:07:56 nw043b-vcma1 user 3 sedispatch:
>>>>>>> Connection Error (An SELinux policy prevents this sender from
>>>>>>> sending this message to this recipient (rejected message had
>>>>>>> sender "(unset)" interface "org.freedesktop.DBus" member
>>>>>>> "Hello" error name "(unset)" destination
>>>>>>> "org.freedesktop.DBus")): AVC Will be dropped
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> We are on RHEL6.2 and running in permissive mode.
>>>>>>>
>>>>>>> Here are the versions of the selinux related rpms.
>>>>>>>
>>>>>>> root@nw043b-vcma1 vos]# rpm -qa | grep selinux
>>>>>>> selinux-policy-3.7.19-126.el6.noarch
>>>>>>> libselinux-2.0.94-5.2.el6.i686
>>>>>>> libselinux-2.0.94-5.2.el6.x86_64
>>>>>>> selinux-policy-targeted-3.7.19-126.el6.noarch
>>>>>>> libselinux-utils-2.0.94-5.2.el6.i686
>>>>>>> libselinux-utils-2.0.94-5.2.el6.x86_64
>>>>>>> libselinux-python-2.0.94-5.2.el6.x86_64
>>>>>>> [root@nw043b-vcma1 vos]# rpm -qa | grep setro
>>>>>>> setroubleshoot-server-3.0.38-2.1.el6.x86_64
>>>>>>> setroubleshoot-plugins-3.0.16-1.el6.noarch
>>>>>>>
>>>>>>> What could be the root cause of these messages?
>>>>>>>
>>>>>>> Thanks, Anamitra
>>>>>>>
>>>>>>>
>>>>>>>
>>>> Are you seeing lots of AVC messages?
>>>>
>>>> ausearch -m avc -ts recent
>>>>
>>>>
>>>>
>>>> -- selinux mailing list selinux at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>
>
>
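Added example, not part of the original thread: a small parser that groups the AVC denials quoted above by source type, target type and class, in the style of audit2allow output, and flags daemons that were denied while still running in a generic init domain. The function names and the choice of `init_t`/`initrc_t` as "generic" domains are assumptions of this example; the sample records are copied from the ausearch output in the thread and re-joined onto single lines.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output quoted in the thread (line wrapping undone).
SAMPLE = """\
type=AVC msg=audit(1364324296.810:915270): avc: denied { ioctl } for pid=18992 comm="vmtoolsd" path="socket:[2348604]" dev=sockfs ino=2348604 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=tcp_socket
type=AVC msg=audit(1364324306.076:915272): avc: denied { getattr } for pid=18992 comm="vmtoolsd" name="/" dev=sda1 ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1364324306.075:915271): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/dev/sda1" dev=devtmpfs ino=5938 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1364324306.080:915273): avc: denied { open } for pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1364324306.080:915273): avc: denied { read } for pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1364324306.081:915274): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/proc/18992/net/dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (comm, source type, target type, class) -> set of denied permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["comm"], type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            grouped[key].update(m["perms"].split())
    return grouped

def allow_rules(grouped):
    """Render the grouped denials as allow-rule text for review, one rule per group."""
    rules = []
    for (_comm, src, tgt, tclass), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

def daemons_in_init_domain(grouped, generic=("init_t", "initrc_t")):
    """Commands denied while running in a generic init domain (assumed list)."""
    return sorted({comm for (comm, src, _tgt, _cls) in grouped if src in generic})

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE))))
    print("needs its own domain:", daemons_in_init_domain(summarize(SAMPLE)))
```

The rules come out against `init_t` only because that is the domain vmtoolsd was running in; they show what a dedicated vmtoolsd policy would have to cover, not rules to load as-is.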