[F11, SELinux] What is mls?
Marko Vojinovic
vvmarko at gmail.com
Tue Jul 7 12:48:18 UTC 2009
Hello folks!
On this freshly installed F11 machine (from the KDE Live CD) I often
get selinux alerts similar to the one below. It's not just openvpn,
but also mv (dhcpc_t) and ifconfig (ifconfig_t). I don't feel anything
to be non-functional (aside from openvpn, but that's a different
problem), but these alerts are confusing to me. I did a yum list
selinux* and it replied with:
Installed Packages
selinux-policy.noarch
selinux-policy-targeted.noarch
Available Packages
selinux-doc.noarch
selinux-policy-doc.noarch
selinux-policy-minimum.noarch
selinux-policy-mls.noarch
Here I can see that selinux-policy-mls is not installed, while all the
alerts are related to mls. yum info selinux-policy-mls gives the
description "SELinux Reference policy mls base module" which is not
very informative (for me).
So, five questions:
1) what is mls?
2) is installing selinux-policy-mls going to help with these alerts?
3) if yes, why wasn't it installed automatically?
4) is any of this actually related to the alerts I get?
5) are the alerts important, or is it safe to ignore them?
TIA!
Best, :-)
Marko
P.S. An example alert, triggered by openvpn:
Summary:
SELinux is preventing openvpn (openvpn_t) "read" security_t.
Detailed Description:
SELinux denied access requested by openvpn. It is not expected that this access
is required by openvpn and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:security_t:s0
Target Objects                mls [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          QuiGon.cii.fc.ul.pt
Source RPM Packages           openvpn-2.1-0.32.rc15.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-53.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     QuiGon.cii.fc.ul.pt
Platform                      Linux QuiGon.cii.fc.ul.pt 2.6.29.5-191.fc11.x86_64
                              #1 SMP Tue Jun 16 23:23:21 EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Tue Jun 30 18:19:36 2009
Last Seen                     Wed Jul 1 17:23:23 2009
Local ID                      21d91c14-a449-42d6-86e9-96f04843e91e
Line Numbers
Raw Audit Messages
node=QuiGon.cii.fc.ul.pt type=AVC msg=audit(1246465403.798:64): avc:
denied { read } for pid=27303 comm="openvpn" name="mls"
dev=selinuxfs ino=12 scontext=unconfined_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
node=QuiGon.cii.fc.ul.pt type=SYSCALL msg=audit(1246465403.798:64):
arch=c000003e syscall=2 success=no exit=-13 a0=7fffb20f6880 a1=0
a2=7fffb20f688c a3=fffffff8 items=0 ppid=27290 pid=27303 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1
comm="openvpn" exe="/usr/sbin/openvpn"
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
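
An added example, not part of the original post: a small Python parser that joins the AVC and SYSCALL records of the alert above by their shared audit(timestamp:serial) id and pulls out the fields needed to triage the denial. It shows that the denied object is a file named mls on the selinuxfs pseudo-filesystem. The function names are hypothetical, and the input is the post's own two records with the e-mail line wrapping undone.

```python
import errno
import re

# The two raw audit records from the alert above, with the e-mail line
# wrapping undone so that each record is on one line.
RAW = '''\
node=QuiGon.cii.fc.ul.pt type=AVC msg=audit(1246465403.798:64): avc: denied { read } for pid=27303 comm="openvpn" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=QuiGon.cii.fc.ul.pt type=SYSCALL msg=audit(1246465403.798:64): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb20f6880 a1=0 a2=7fffb20f688c a3=fffffff8 items=0 ppid=27290 pid=27303 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
VERDICT = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    rec = {key: value.strip('"') for key, value in FIELD.findall(line)}
    stamp, serial = EVENT_ID.search(line).groups()
    rec["event"] = (stamp, int(serial))
    verdict = VERDICT.search(line)
    if verdict:  # only AVC records carry a permission set
        rec["result"], rec["perms"] = verdict.group(1), verdict.group(2).split()
    return rec

def group_events(text):
    """Group records sharing an audit(timestamp:serial) id into one event."""
    events = {}
    for line in text.splitlines():
        if EVENT_ID.search(line):
            rec = parse_record(line)
            events.setdefault(rec["event"], {})[rec["type"]] = rec
    return events

def summarize(event):
    """Reduce an AVC + SYSCALL pair to the fields needed to triage a denial."""
    avc, call = event["AVC"], event.get("SYSCALL", {})
    failed = call.get("success") == "no"
    return {
        "exe": call.get("exe"),
        "source_type": avc["scontext"].split(":", 3)[2],
        "target_type": avc["tcontext"].split(":", 3)[2],
        "class": avc["tclass"],
        "perms": avc["perms"],
        "object": avc.get("name"),
        "filesystem": avc.get("dev"),
        # exit holds the negated errno when the system call failed
        "errno": errno.errorcode.get(-int(call["exit"])) if failed else None,
    }
```

Calling summarize() on each value returned by group_events(RAW) gives one triage summary per audit event.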