auditd went crazy
Chuck Anderson
cra at WPI.EDU
Thu Jul 3 20:42:02 UTC 2008
On Thu, Jul 03, 2008 at 03:05:08PM -0400, Daniel J Walsh wrote:
> > type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
> > read write } for pid=9726 comm=rndc path=socket:[13830433] dev=sockfs
> > ino=13830433 scontext=unconfined_u:system_r:ndc_t:s0
> > tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
> > type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
> > read write } for pid=9726 comm=rndc path=socket:[13830431] dev=sockfs
> > ino=13830431 scontext=unconfined_u:system_r:ndc_t:s0
> > tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
> > type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
> > read write } for pid=9726 comm=rndc path=socket:[13830360] dev=sockfs
> > ino=13830360 scontext=unconfined_u:system_r:ndc_t:s0
> > tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
> >
> > Anyone know what happened?
> Seems like you have a mislabeled program running as initrc_t?
>
> ps -eZ | grep initrc_t

No results currently, but I'll keep an eye on it. I see these AVC
mostly from "rndc" (part of the bind name server package) and also
sometimes from "ifconfig" which is strange because I'm not running a
DHCP client, nor NetworkManager, nor any other program that I know of
that should be running "ifconfig".

type=AVC msg=audit(1214939740.621:142073): avc: denied { read write
} for pid=1330 comm="ifconfig" path="socket:[13885742]" dev=sockfs
ino=13885742 scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1214939740.621:142073): avc: denied { read write
} for pid=1330 comm="ifconfig" path="socket:[13885749]" dev=sockfs
ino=13885749 scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1214939740.621:142073): avc: denied { read write
} for pid=1330 comm="ifconfig" path="socket:[13885756]" dev=sockfs
ino=13885756 scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1214939740.621:142073): arch=40000003
syscall=11 success=yes exit=0 a0=bfe3a0e0 a1=bfe3a110 a2=bfe4ac84
a3=bfe3a0e0 items=0 ppid=1306 pid=1330 auid=10000 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ifconfig"
exe="/sbin/ifconfig" subj=unconfined_u:system_r:ifconfig_t:s0
key=(null)
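
An added example, not part of the original message: a small Python script that groups the AVC records shown in this thread by audit event and attaches the exe and ppid from the matching SYSCALL record, which helps trace what launched the denied command. The function and variable names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Records copied from the message above, rejoined to one line each
# (the SYSCALL record is abridged to the fields used here).
SAMPLE = """\
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830433] dev=sockfs ino=13830433 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1214939740.621:142073): avc: denied { read write } for pid=1330 comm="ifconfig" path="socket:[13885742]" dev=sockfs ino=13885742 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1214939740.621:142073): avc: denied { read write } for pid=1330 comm="ifconfig" path="socket:[13885749]" dev=sockfs ino=13885749 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1214939740.621:142073): arch=40000003 syscall=11 success=yes exit=0 ppid=1306 pid=1330 auid=10000 uid=0 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
"""

# Matches both the raw and the "ausearch -i" style timestamp inside audit(...).
EVENT_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def domain(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def correlate(text):
    """Group AVC denials by audit event; attach exe/ppid from the SYSCALL record."""
    events = defaultdict(lambda: {"denials": 0, "inodes": set()})
    for line in text.splitlines():
        head = EVENT_RE.match(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line[head.end():])}
        ev = events[event_id]
        if rtype == "AVC" and "denied" in line:
            ev["denials"] += 1
            ev["inodes"].add(kv["ino"])
            ev.update(comm=kv["comm"], source=domain(kv["scontext"]),
                      target=domain(kv["tcontext"]), tclass=kv["tclass"])
        elif rtype == "SYSCALL":
            ev.update(exe=kv.get("exe"), ppid=kv.get("ppid"))
    return dict(events)


if __name__ == "__main__":
    for event_id, ev in correlate(SAMPLE).items():
        print(event_id, ev)
```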