setroubleshootd message.....cool!

Daniel J Walsh dwalsh at redhat.com
Fri Sep 1 20:37:33 UTC 2006


Tom London wrote:
> During update of today's rawhide, I get this in /var/log messages (and
> a nice icon in the tray):
>
> Sep  1 08:18:44 localhost Updated: kexec-tools.i386 1.101-51.fc6
> Sep  1 08:19:14 localhost /usr/sbin/setroubleshootd:      SELinux is
> preventing /usr/sbin/lvm (lvm_t) "getattr" to /dev/nvram
> (unlabeled_t).      See audit.log for complete SELinux messages. id =
> 1fbf1f44-8ff6-4eb2-96dd-cdfe9ea35829
> Sep  1 08:19:22 localhost Installed: kernel.i686 2.6.17-1.2608.fc6
>
> Here's the associated AVC:
>
> type=AVC msg=audit(1157123951.753:51): avc:  denied  { getattr } for
> pid=7465 comm="lvs" name="nvram" dev=tmpfs ino=3418
> scontext=user_u:system_r:lvm_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file
> type=SYSCALL msg=audit(1157123951.753:51): arch=40000003 syscall=195
> success=no exit=-13 a0=8611ef8 a1=bfc3281c a2=c4fff4 a3=8611ef8
> items=0 ppid=7464 pid=7465 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="lvs" exe="/usr/sbin/lvm"
> subj=user_u:system_r:lvm_t:s0 key=(null)
> type=AVC_PATH msg=audit(1157123951.753:51):  path="/dev/nvram"
>
> On reboot, /dev/nvram seems to be labeled properly.
> [tbl at localhost ~]$ ls -lZ /dev/nvram
> crw-rw----  root root system_u:object_r:nvram_device_t /dev/nvram
> [tbl at localhost ~]$
>
> Anyway, setroubleshoot is neat.....
>
> tom

We changed the context of /dev/nvram from bios_device_t to nvram_device_t, which caused it to become unlabeled_t when bios_device_t disappeared.  One of the costs of running rawhide.

Anyways, we have some nice updates to the tool coming tonight.  The GUI now has printing, and the popup message seems to work properly.  I am really excited about this tool.
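
Added example, not part of the original messages and not setroubleshoot's own code: a small triage script that groups audit records by event id and reports denials whose target type is unlabeled_t, as in the AVC quoted above. The sample input is the quoted records with the mail line wrapping undone; the function and field names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Sample input: the three records quoted in the message, one record per line.
SAMPLE = """\
type=AVC msg=audit(1157123951.753:51): avc:  denied  { getattr } for pid=7465 comm="lvs" name="nvram" dev=tmpfs ino=3418 scontext=user_u:system_r:lvm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1157123951.753:51): arch=40000003 syscall=195 success=no exit=-13 a0=8611ef8 a1=bfc3281c a2=c4fff4 a3=8611ef8 items=0 ppid=7464 pid=7465 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="lvs" exe="/usr/sbin/lvm" subj=user_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1157123951.753:51):  path="/dev/nvram"
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*)\}')

def ctx_type(context):
    """Return the type field of a user:role:type[:level] context, or ''."""
    return (context.split(":") + ["", "", ""])[2]

def parse_events(text):
    """Group records sharing an audit(timestamp:serial) id into one event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            pm = PERMS.search(body)
            fields["perms"] = pm.group(1).split() if pm else []
            fields["denied"] = " denied " in body
        events[(ts, serial)][rtype] = fields
    return events

def unlabeled_denials(text):
    """Return denials whose target context has type unlabeled_t."""
    hits = []
    for (ts, serial), recs in parse_events(text).items():
        avc = recs.get("AVC")
        if not avc or not avc["denied"] or ctx_type(avc.get("tcontext", "")) != "unlabeled_t":
            continue
        hits.append({"event": f"{ts}:{serial}",
                     "source_type": ctx_type(avc.get("scontext", "")),
                     "perms": avc["perms"], "tclass": avc.get("tclass"),
                     "path": recs.get("AVC_PATH", {}).get("path", avc.get("name")),
                     "exe": recs.get("SYSCALL", {}).get("exe")})
    return hits
```

A hit from `unlabeled_denials` points at the label on the target object rather than at the source domain's policy, which matches the explanation in the reply above.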




