AVCs from cron.daily (F9)
Paul Howarth
paul at city-fan.org
Wed Jun 4 19:19:50 UTC 2008
On Wed, 04 Jun 2008 15:05:55 -0400
Daniel J Walsh <dwalsh at redhat.com> wrote:
> Paul Howarth wrote:
> > On my work box, which is an up-to-date F9 install, I get a set of
> > AVCs from cron.daily every day, which I don't get on my home boxes.
> > I suspect it's because we use LDAP auth at work. It boils down to
> > this when passed through audit2allow -R:
> >
> > require {
> > type logwatch_t;
> > type locate_t;
> > type tmpreaper_t;
> > type logrotate_t;
> > }
> >
> > #============= locate_t ==============
> > cron_rw_tcp_sockets(locate_t)
> >
> > #============= logrotate_t ==============
> > cron_rw_tcp_sockets(logrotate_t)
> >
> > #============= logwatch_t ==============
> > cron_rw_tcp_sockets(logwatch_t)
> >
> > #============= tmpreaper_t ==============
> > cron_rw_tcp_sockets(tmpreaper_t)
> >
> >
> > Sample AVC:
> > time->Tue Jun 3 05:05:05 2008
> > type=SYSCALL msg=audit(1212465905.734:5714): arch=c000003e
> > syscall=59 success=yes exit=0 a0=25545d0 a1=2551360 a2=25539a0 a3=8
> > items=0 ppid=12101 pid=12134 auid=0 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=605 comm="tmpwatch"
> > exe="/usr/sbin/tmpwatch"
> > subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1212465905.734:5714): avc: denied { read
> > write } for pid=12134 comm="tmpwatch" path="socket:[24785059]"
> > dev=sockfs ino=24785059
> > scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023
> > tclass=tcp_socket
> >
> > Paul.
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Leaked file descriptor in nssldap?
I expect so. The denials don't seem to cause any problems but it would
be nice if they were dontaudited.
Paul.
More information about the fedora-selinux-list
mailing list