too many selinux alerts, after touch ./ autorelabel reboot

Daniel J Walsh dwalsh at redhat.com
Thu Aug 23 13:48:19 UTC 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear all,
> 
> selinux on rawhide is cranking out many denials. . These do not show up on dmesg.  What is happening?  I do not know enough to help myself fix them.  
> 
> Here's one of them  
> 
> Summary
>     SELinux is preventing dhclient-script (dhcpc_t) "getattr" to /sbin/setfiles
>     (setfiles_exec_t).
> 
> Detailed Description
>     SELinux denied access requested by dhclient-script. It is not expected that
>     this access is required by dhclient-script and this access may signal an
>     intrusion attempt. It is also possible that the specific version or
>     configuration of the application is causing it to require additional access.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for /sbin/setfiles, restorecon -v
>     /sbin/setfiles If this does not work, there is currently no automatic way to
>     allow this access. Instead,  you can generate a local policy module to allow
>     this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
>     Or you can disable SELinux protection altogether. Disabling SELinux
>     protection is not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> 
> Additional Information        
> 
> Source Context                user_u:system_r:dhcpc_t
> Target Context                system_u:object_r:setfiles_exec_t
> Target Objects                /sbin/setfiles [ file ]
> Affected RPM Packages         policycoreutils-2.0.19-1.fc8 [target]
> Policy RPM                    selinux-policy-2.6.5-2.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     localhost
> Platform                      Linux localhost 2.6.21-1.3194.fc7 #1 SMP Wed May
>                               23 22:35:01 EDT 2007 i686 athlon
> Alert Count                   1
> First Seen                    Tue 21 Aug 2007 07:41:12 AM CDT
> Last Seen                     Tue 21 Aug 2007 07:41:12 AM CDT
> Local ID                      73dc2e0c-fc2c-496f-8f0e-87e72cfd3ce5
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { getattr } for comm="dhclient-script" dev=dm-0 egid=0 euid=0
> exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="setfiles"
> path="/sbin/setfiles" pid=3563 scontext=user_u:system_r:dhcpc_t:s0 sgid=0
> subj=user_u:system_r:dhcpc_t:s0 suid=0 tclass=file
> tcontext=system_u:object_r:setfiles_exec_t:s0 tty=(none) uid=0
> 
> 
> SELinux is preventing /usr/bin/uptime (logwatch_t) "read write" to utmp (initrc_var_run_t).
> SELinux is preventing /usr/bin/uptime (logwatch_t) "read" to utmp (initrc_var_run_t).
> SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).
> SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to sbin (bin_t).
> 
> This one is a major one:  
> SELinux prevented /sbin/ldconfig from using the terminal /dev/pts/0.
> 
> Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1."The following command will allow this access:setsebool -P allow_daemons_use_tty=1
> 
> 
> There are some more, but in reality.  I cannot understand why they do not show up on a regular dmesg.  How can I cure all these selinux denials.  This is reminiscent on the installation of Fedora 7, with too many problems with selinux.  
>
The audit subsystem intercepts this kind of message and places them in
/var/log/audit/audit.log

You are running a really old version of selinux policy for fc8.  YOu
should probably yum update.

> Sorry to complain, but I need some help.  I hope that I am not the only one with these kind of errors.
> 
> Regards,
> 
> Antonio 
> 
> 
> 
> 
>       ____________________________________________________________________________________
> Luggage? GPS? Comic books? 
> Check out fitting gifts for grads at Yahoo! Search
> http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&cs=bz
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGzZAjrlYvE4MpobMRAnEQAJ9snXlhgfBHaHt7MMm2V458pDmpTgCgyZG4
BaPhZY6u+RMxCjvniithjJk=
=mRsl
-----END PGP SIGNATURE-----

More information about the test mailing list