setroubleshoot problem
max
maximilianbianco at gmail.com
Wed Jul 16 15:00:53 UTC 2008
Steve wrote:
> ---- max bianco <maximilianbianco at gmail.com> wrote:
>> On Mon, Jul 14, 2008 at 8:55 AM, Steve <zephod at cfl.rr.com> wrote:
>>> I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:
>>>
>>> connection failed at /var/run/setroubleshoot/setroubleshoo_tserver. Connection refused
>>>
>>> #ls -lZ /var/run/setroubleshoot/setroubleshoot_server
>>> srw-rw-rw- root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server
>>>
>> That looks right. Is it F8 or F9?
>
> Found some more interesting AVC messages in /var/log/dmesg. This doesn't mean anything to me. Where is the best place to go to get a little more educated about what all this is supposed to mean?
>
> Thanks,
> Steve
>
That depends on what you already know about SELinux. I have found a lot
of material but it's never enough for me :^) This is as good a place to
start as any (probably better than most):
http://fedoraproject.org/wiki/SELinux
Depending on how deep you want to get you might look up the Flask
Security Architecture. There is a PDF available; it's not very long but
it's informative. There are also a few SELinux-specific papers out there.
I am reading SELinux by Example; it seems very complete so far and
actually references some of the available papers throughout. As for the
errors below, I am assuming this is the first time you've seen them since
you just installed policy. Did you uninstall the policy at some point?
Has the machine always, from day of install, been in permissive? Was
this a fresh install or an upgrade? Are there any AVCs or error
messages, related to SELinux, in the logs from before policy was installed?
> ...
> SELinux:8192 avtab hash slots allocated. Num of rules:68341
> SELinux:8192 avtab hash slots allocated. Num of rules:68341
> security: 3 users, 6 roles, 1823 types, 80 bools, 1 sens, 1024 cats
> security: 61 classes, 68341 rules
> security: class peer not defined in policy
> security: class capability2 not defined in policy
> security: permission recvfrom in class node not defined in policy
> security: permission sendto in class node not defined in policy
> security: permission ingress in class netif not defined in policy
> security: permission egress in class netif not defined in policy
> security: permission setfcap in class capability not defined in policy
> security: permission forward_in in class packet not defined in policy
> security: permission forward_out in class packet not defined in policy
> SELinux: Completing initialization.
> SELinux: Setting up existing superblocks.
> SELinux: initialized (dev dm-0, type ext3), uses xattr
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev anon_inodefs, type anon_inodefs), not configured for labeling
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> SELinux: policy loaded with handle_unknown=deny
> type=1403 audit(1216200106.325:2): policy loaded auid=4294967295 ses=4294967295
> type=1400 audit(1216200107.996:3): avc: denied { read write } for pid=505 comm="restorecon" path="/dev/console" dev=tmpfs ino=233 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
> type=1400 audit(1216200109.580:4): avc: denied { create } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=1400 audit(1216200109.594:5): avc: denied { getattr } for pid=731 comm="hwclock" path="/etc/adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
> type=1400 audit(1216200109.594:6): avc: denied { read } for pid=731 comm="hwclock" name="adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
> type=1400 audit(1216200109.819:7): avc: denied { sys_time } for pid=731 comm="hwclock" capability=25 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> type=1400 audit(1216214509.907:8): avc: denied { write } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=1400 audit(1216214510.000:9): avc: denied { nlmsg_relay } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=1400 audit(1216214510.000:10): avc: denied { audit_write } for pid=731 comm="hwclock" capability=29 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> type=1400 audit(1216214510.000:11): avc: denied { read } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> ...
>
>
--
Fortune favors the BOLD
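An added example, not part of the thread: a small Python script that turns AVC lines like the ones Steve quoted into a per-(source domain, target type, class) summary of the denied permissions, the same grouping audit2allow uses to explain what a denial means. The embedded log snippet is constructed from a few of the quoted lines; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample built from lines quoted in the thread (non-AVC lines included
# to show they are ignored by the parser).
SAMPLE_DMESG = """\
SELinux: policy loaded with handle_unknown=deny
type=1403 audit(1216200106.325:2): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1216200109.594:5): avc: denied { getattr } for pid=731 comm="hwclock" path="/etc/adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
type=1400 audit(1216200109.594:6): avc: denied { read } for pid=731 comm="hwclock" name="adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
type=1400 audit(1216200109.819:7): avc: denied { sys_time } for pid=731 comm="hwclock" capability=25 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC line, or None for any other kernel/audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:range]; the type (index 2) is what policy rules use.
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def summarize(text):
    """Group denials by (source domain, target type, object class), uniting the permissions."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            summary[(rec['source_type'], rec['target_type'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in summary.items()}


def as_allow_rules(summary):
    """Render each group in policy-language syntax (what audit2allow would propose).
    This only states what the denial is; whether the access should be allowed,
    relabelled, or left denied is a separate policy decision."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]


if __name__ == '__main__':
    for rule in as_allow_rules(summarize(SAMPLE_DMESG)):
        print(rule)
```

In the sample, both groups come from hwclock running in the udev_t domain, which is the kind of pattern that makes the "did you upgrade or reinstall policy" questions above worth answering before any rule is added.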