<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div>Hi,<br><br>I'm new to SElinux and I'm a bit careful with it, so up till now I want to run it in permissive mode. After reading a lot's of docs I fixed most of my problems, but there are still some errors in audit.log. Now I would like to ask you to review this errors and give me feedback if this rules are safe to add to my policy or not. In summary is my understanding correct that:<br><br>O auditctl, ifconfig, iptables-restor, dmesg and pppd try to write to the console,<br>O pppd searches something in the root home directory ??!,<br>O and iptables
writes to a socket?<br><br>if I would add this policy to the module wouldn't it be too much (e.g. could for example pppd access all my files?)<br><br>Thanks for the answers,<br>Kind Regards, Tibor<br><br><br>type=AVC msg=audit(1253870573.883:13):
avc: denied { read write } for pid=877 comm="auditctl" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file<br> Was caused by:<br> Missing type enforcement (TE) allow rule.<br><br> You can use audit2allow to generate a loadable module to allow this access.<br><br>type=AVC msg=audit(1253870574.190:15): avc: denied { read write } for pid=918 comm="ifconfig" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file<br> Was caused
by:<br> Missing type enforcement (TE) allow rule.<br><br> You can use audit2allow to generate a loadable module to allow this access.<br><br>type=AVC msg=audit(1253870574.264:16): avc: denied { read write } for pid=921 comm="pppd" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file<br> Was caused by:<br> Missing type enforcement (TE) allow rule.<br><br> You can use audit2allow to generate a loadable module to allow this access.<br><br>type=AVC
msg=audit(1253870574.325:17): avc: denied { search } for pid=921 comm="pppd" name="root" dev=sda1 ino=12 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir<br> Was caused by:<br> Missing type enforcement (TE) allow rule.<br><br> You can use audit2allow to generate a loadable module to allow this access.<br><br>type=AVC msg=audit(1253870574.401:18): avc: denied { read write } for pid=929 comm="iptables-restor" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file<br> Was caused
by:<br> Missing type enforcement (TE) allow rule.<br><br> You can use audit2allow to generate a loadable module to allow this access.<br><br>type=AVC msg=audit(1253870576.482:19): avc: denied { read write } for pid=1087 comm="dmesg" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file<br> Was caused by:<br> Missing type enforcement (TE) allow rule.<br><br> You can use audit2allow to generate a loadable module to allow this access.<br><br>type=AVC
msg=audit(1253870578.829:20): avc: denied { read write } for pid=1242 comm="iptables" path="socket:[3131]" dev=sockfs ino=3131 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket<br> Was caused by:<br> Missing type enforcement (TE) allow rule.<br><br> You can use audit2allow to generate a loadable module to allow this access.<br><br><br></div></div><br>
</div></div></div><br>
</body></html>