[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[F11, SELinux] What is mls?



Hello folks!

On this freshly installed F11 machine (from the KDE Live CD) I often
get selinux alerts similar to the one below. It's not just openvpn,
but also mv (dhcpc_t) and ifconfig (ifconfig_t). I don't feel anything
to be non-functional (aside from openvpn, but that's a different
problem), but these alerts are confusing to me. I did a yum list
selinux* and it replied with:

Installed Packages
selinux-policy.noarch
selinux-policy-targeted.noarch
Available Packages
selinux-doc.noarch
selinux-policy-doc.noarch
selinux-policy-minimum.noarch
selinux-policy-mls.noarch

Here I can see that selinux-policy-mls is not installed, while all the
alerts are related to mls. yum info selinux-policy-mls gives the
description "SELinux Reference policy mls base module" which is not
very informative (for me).

So, five questions:
1) what is mls?
2) is installing selinux-policy-mls going to help with these alerts?
3) if yes, why wasn't it installed automatically?
4) is any of this actually related to the alerts I get?
5) are the alerts important, or is it safe to ignore them?

TIA!

Best, :-)
Marko

P.S. An example alert, triggered by openvpn:

Summary:

SELinux is preventing openvpn (openvpn_t) "read" security_t.

Detailed Description:

SELinux denied access requested by openvpn. It is not expected that this access
is required by openvpn and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:security_t:s0
Target Objects                mls [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          QuiGon.cii.fc.ul.pt
Source RPM Packages           openvpn-2.1-0.32.rc15.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-53.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     QuiGon.cii.fc.ul.pt
Platform                      Linux QuiGon.cii.fc.ul.pt 2.6.29.5-191.fc11.x86_64
                              #1 SMP Tue Jun 16 23:23:21 EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Tue Jun 30 18:19:36 2009
Last Seen                     Wed Jul  1 17:23:23 2009
Local ID                      21d91c14-a449-42d6-86e9-96f04843e91e
Line Numbers

Raw Audit Messages

node=QuiGon.cii.fc.ul.pt type=AVC msg=audit(1246465403.798:64): avc:
denied  { read } for  pid=27303 comm="openvpn" name="mls"
dev=selinuxfs ino=12 scontext=unconfined_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file

node=QuiGon.cii.fc.ul.pt type=SYSCALL msg=audit(1246465403.798:64):
arch=c000003e syscall=2 success=no exit=-13 a0=7fffb20f6880 a1=0
a2=7fffb20f688c a3=fffffff8 items=0 ppid=27290 pid=27303 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1
comm="openvpn" exe="/usr/sbin/openvpn"
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]