too many selinux alerts, after touch ./ autorelabel reboot
Daniel J Walsh
dwalsh at redhat.com
Thu Aug 23 13:48:19 UTC 2007
Antonio Olivares wrote:
> Dear all,
>
> selinux on rawhide is cranking out many denials. These do not show up on dmesg. What is happening? I do not know enough to help myself fix them.
>
> Here's one of them
>
> Summary
> SELinux is preventing dhclient-script (dhcpc_t) "getattr" to /sbin/setfiles
> (setfiles_exec_t).
>
> Detailed Description
> SELinux denied access requested by dhclient-script. It is not expected that
> this access is required by dhclient-script and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /sbin/setfiles, restorecon -v
> /sbin/setfiles If this does not work, there is currently no automatic way to
> allow this access. Instead, you can generate a local policy module to allow
> this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context user_u:system_r:dhcpc_t
> Target Context system_u:object_r:setfiles_exec_t
> Target Objects /sbin/setfiles [ file ]
> Affected RPM Packages policycoreutils-2.0.19-1.fc8 [target]
> Policy RPM selinux-policy-2.6.5-2.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.catchall_file
> Host Name localhost
> Platform Linux localhost 2.6.21-1.3194.fc7 #1 SMP Wed May
> 23 22:35:01 EDT 2007 i686 athlon
> Alert Count 1
> First Seen Tue 21 Aug 2007 07:41:12 AM CDT
> Last Seen Tue 21 Aug 2007 07:41:12 AM CDT
> Local ID 73dc2e0c-fc2c-496f-8f0e-87e72cfd3ce5
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm="dhclient-script" dev=dm-0 egid=0 euid=0
> exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="setfiles"
> path="/sbin/setfiles" pid=3563 scontext=user_u:system_r:dhcpc_t:s0 sgid=0
> subj=user_u:system_r:dhcpc_t:s0 suid=0 tclass=file
> tcontext=system_u:object_r:setfiles_exec_t:s0 tty=(none) uid=0
>
>
> SELinux is preventing /usr/bin/uptime (logwatch_t) "read write" to utmp (initrc_var_run_t).
> SELinux is preventing /usr/bin/uptime (logwatch_t) "read" to utmp (initrc_var_run_t).
> SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).
> SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to sbin (bin_t).
>
> This one is a major one:
> SELinux prevented /sbin/ldconfig from using the terminal /dev/pts/0.
>
> Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1." The following command will allow this access: setsebool -P allow_daemons_use_tty=1
>
>
> There are some more, but in reality, I cannot understand why they do not show up on a regular dmesg. How can I cure all these selinux denials? This is reminiscent of the installation of Fedora 7, with too many problems with selinux.
>
The audit subsystem intercepts this kind of message and places them in
/var/log/audit/audit.log
You are running a really old version of selinux policy for fc8. You
should probably yum update.
> Sorry to complain, but I need some help. I hope that I am not the only one with these kinds of errors.
>
> Regards,
>
> Antonio
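Added example (not part of the original thread, and not code from any Fedora tool): since the reply points at /var/log/audit/audit.log as the place these denials land, the Python sketch below parses AVC records and groups them by source type, target type and object class, which makes a flood of alerts easier to triage. The log text is constructed; only the first record reuses the fields of the denial quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in audit.log layout. The first record reuses fields from the
# denial quoted in the post; timestamps, serials and the other records are made up.
SAMPLE_LOG = '''\
type=AVC msg=audit(1187700072.101:41): avc:  denied  { getattr } for  pid=3563 comm="dhclient-script" path="/sbin/setfiles" dev=dm-0 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1187700072.101:41): arch=40000003 syscall=195 success=no exit=-13 comm="dhclient-script" exe="/bin/bash"
type=AVC msg=audit(1187700100.200:57): avc:  denied  { read write } for  pid=3610 comm="uptime" name="utmp" dev=dm-0 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1187700101.300:58): avc:  denied  { read } for  pid=3611 comm="uptime" name="utmp" dev=dm-0 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _type_of(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial line; return None for other or malformed records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    src = _type_of(fields.get('scontext', ''))
    tgt = _type_of(fields.get('tcontext', ''))
    if not (src and tgt and 'tclass' in fields):
        return None
    return {'perms': m.group('perms').split(), 'comm': fields.get('comm', '?'),
            'source_type': src, 'target_type': tgt, 'tclass': fields['tclass']}

def summarize(log_text):
    """Group denials by (source type, target type, class) and merge permissions."""
    rules = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            key = (d['source_type'], d['target_type'], d['tclass'])
            rules.setdefault(key, set()).update(d['perms'])
    return {k: sorted(v) for k, v in rules.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

The same parser accepts the single-spaced "Raw Audit Messages" form that the alert text quotes, because it matches on the `avc: denied { ... } for` marker rather than on the `type=AVC` prefix.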