SELinux troubleshooting
Lopez, Denise
dlopez at humnet.ucla.edu
Tue Dec 5 00:37:44 UTC 2006
Dear Daniel,
Thanks for the help. I decided to create a custom policy with
audit2allow. It seemed to work since I am not getting any more avc
denied messages. I did see the following errors though and I was
wondering what they meant.
This means the custom policy was applied.
Dec 4 15:45:10 dev kernel: security: 3 users, 4 roles, 355 types, 26
bools
Dec 4 15:45:10 dev kernel: security: 55 classes, 22587 rules
I was just wondering what these meant?
Dec 4 15:45:10 dev dbus: Can't send to audit system: USER_AVC pid=3327
uid=81 loginuid=-1 message=avc: received policyload notice (seqno=3)
Dec 4 15:45:10 dev dbus: Can't send to audit system: USER_AVC pid=3327
uid=81 loginuid=-1 message=avc: 0 AV entries and 0/512 buckets used,
longest chain length 0
Thanks in advance.
Denise Lopez
UCLA Center for Digital Humanities
Network Services
Systems Engineer
337 Charles E. Young Drive East
PPB 1020
Los Angeles, CA 90095
310/206-8216
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at redhat.com]
Sent: Friday, December 01, 2006 1:59 PM
To: Lopez, Denise
Cc: fedora-selinux-list at redhat.com
Subject: Re: SELinux troubleshooting
Lopez, Denise wrote:
>
> Hello everyone,
>
> I keep getting the following messages in my messages log about every
> 30 seconds or so. I have SELinux set to enforcing and targeted mode.
> If I do a getenforce on the command line it returns enforcing.
>
> Dec 1 12:31:03 dev kernel: audit(1165005063.015:258313): avc: denied
> { getattr } for pid=31342 comm="snmpd" name="/" dev=sda3 ino=2
> scontext=system_u:system_r:snmpd_t
> tcontext=system_u:object_r:home_root_t tclass=dir
>
> I need help deciphering what is happening. I have a snmpd daemon
> running that responds to queries from a Nagios host that performs
> service checks.
>
snmp is trying to getattr /home. Which is being denied by SELinux. The
latest policy looks like this is allowed. So you can either update to
the latest policy, or you can use
grep snmpd_t /var/log/audit/audit.log | audit2allow -M mysnmp
And load your own custom policy.
> Thanks in advance.
>
> Denise Lopez
>
> UCLA Center for Digital Humanities
>
> Network Services
>
> Systems Engineer
>
> 337 Charles E. Young Drive East
>
> PPB 1020
>
> Los Angeles, CA 90095
>
> 310/206-8216
>
>
------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
More information about the fedora-selinux-list
mailing list