'avc denied'

Daniel J Walsh dwalsh at redhat.com
Wed Nov 23 15:37:24 UTC 2011



On 11/22/2011 06:23 PM, jackson byers wrote:
> # uname -r
> 2.6.35.14-103.fc14.i686.PAE
> 
> 
> 
> I haven't paid much attention to avc warnings.
> 
> Did /.autorelabel, reboot, to see if that could stop avc.
> 
> Still see 'avc:  denied' in audit.log, involving firefox,
> plugin-config,...
> 
> last 6  of # grep -n avc audit.log:
> 
> 
> 279:type=AVC msg=audit(1321983739.130:242): avc:  denied  { read }
> for pid=20223 comm="ldd" name="firefox" dev=sda8 ino=999863 
> scontext=system_u:system_r:setroubleshootd_t:s0 
> tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file 
> 281:type=AVC msg=audit(1321983739.134:243): avc:  denied  {
> sys_ptrace } for  pid=20215 comm="setroubleshootd" capability=19 
> scontext=system_u:system_r:setroubleshootd_t:s0 
> tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability 
> 283:type=AVC msg=audit(1321983739.312:244): avc:  denied  { read }
> for pid=20225 comm="ldd" name="firefox" dev=sda8 ino=999863 
> scontext=system_u:system_r:setroubleshootd_t:s0 
> tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file 
> 285:type=AVC msg=audit(1321983739.314:245): avc:  denied  {
> sys_ptrace } for  pid=20215 comm="setroubleshootd" capability=19 
> scontext=system_u:system_r:setroubleshootd_t:s0 
> tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability 
> 302:type=AVC msg=audit(1321989501.906:261): avc:  denied  {
> execstack } for  pid=21019 comm="plugin-config" 
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> tclass=process
> 304:type=AVC msg=audit(1321989519.158:262): avc:  denied  { read }
> for pid=21046 comm="ldd" name="plugin-config" dev=sda8 ino=1000054 
> scontext=system_u:system_r:setroubleshootd_t:s0 
> tcontext=system_u:object_r:nsplugin_config_exec_t:s0 tclass=file 
> [root@f14 audit]#
> 
> 
> no 'file_t' seen:
> 
> [root@f14 audit]# grep file_t audit.log
> [root@f14 audit]#
> 
> I have put only minimal effort into learning selinux syntax,
> methods. Overwhelming, to me.
> 
> Are there simple rules on how to respond to 'avc denied'?
> 
> If I do nothing?
> 
> Jack

Interesting AVCs.  Setroubleshoot is trying to figure out why a
certain application required execstack privs.  In this case
plugin-config.  It looks like you have installed an application plugin
for firefox that requires execstack. setroubleshoot was trying to
figure out if you had any libraries labeled as requiring execstack by
executing

ldd plugin-config.

Sadly this generated additional AVCs.

The setroubleshoot AVCs are fixed in F16.







