SELinux alleged Attack!

[Andy Green]

Somebody in the thread at some point said:

> Here is what I got the day of the problem:

Well, none of these are normal avcs that you would see if selinux was
denying access to something.

A classical avc that makes trouble looks like this:

Sep  2 05:03:13 hostname kernel: audit(1188705793.190:416): avc:  denied
 { search } for  pid=12965 comm="wpa_supplicant" name="netdev:wlan0"
dev=debugfs ino=2841020 scontext=user_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=dir

The avcs are pretty verbose about who what where and when.

> [root at k5di ~]# grep avc /var/log/messages
> Oct 11 02:31:08 k5di dbus: Can't send to audit system: USER_AVC avc: 
> received policyload notice (seqno=2) : exe="/bin/dbus-daemon"
> (sauid=500, hostname=?, addr=?, terminal=?)

Hum seems to be some meta information about loading policies, not in
itself an error, although I dunno what "Can't send to audit system" means.

> Oct 11 02:52:39 k5di setroubleshoot: [avc.ERROR] Plugin Exception
> plugins.catchall_file  Traceback (most recent call last):   File
> "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 259,
> in analyze_avc     report_receiver.report_problem(report)   File
> "/usr/lib/python2.5/site-packages/setroubleshoot/server.py", line 157,
> in report_problem     _(" For complete SELinux messages. run sealert -l
> %s" % siginfo.local_id )) UnicodeDecodeError: 'ascii' codec can't decode
> byte 0x93 in position 66: ordinal not in range(128)

Seems to be setroubleshoot crashing, again not directly itself an error
caused by selinux.

Not much the wiser except that there don't appear to be any actual
selinux avcs in there and something is unhappy somehwere.

-Andy