List of selinux issues
Warren Togami
wtogami at redhat.com
Tue Apr 6 07:42:03 UTC 2004
This is my first time running with selinux enforcement enabled and this
system has been apt upgraded from FC2test1 to latest rawhide, so please
forgive me that some of these will be duplicates and others may be
errors. Please let me know which are not duplicates, and if you want me
to bugzilla them.
To be clear, I did the following in order to ensure that my labels are
correct during runtime. I hope this was correct.
setenforce off
fixfiles relabel
setenforce 1
1) Infinite loop of these messages when using "/sbin/ifup eth0" as a
non-root user. This is allowed when enforcement is disabled. CTRL-C is
able to stop the looping.
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc: denied
{ setuid } for pid=2463 exe=/bin/bash capability=7
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=capability
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc: denied
{ setuid } for pid=2463 exe=/usr/sbin/usernetctl capability=7
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=capability
2) "su -" from my non-root user caused this error. I was however
allowed to work as root.
Apr 5 21:07:42 ibmlaptop su(pam_unix)[12399]: session opened for user
root by warren(uid=500)
Apr 5 21:07:42 ibmlaptop su[12399]: pam_xauth: error creating temporary
file `/root/.xauthsDAz4e': Permission denied
Apr 5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc: denied
{ write } for pid=12399 exe=/bin/su name=root dev=hda2 ino=1291809
scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t
tclass=dir
3) Then as root, I used "ifup eth0" which succeeded, but with the
following in /var/log/messages.
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied
{ search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
ino=1389922 scontext=root:system_r:dhcpc_t
tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied
{ search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
ino=1389922 scontext=root:system_r:dhcpc_t
tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop dhclient: can't create
/var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr 5 21:07:46 ibmlaptop dhclient: sit0: unknown hardware address type 776
Apr 5 21:07:48 ibmlaptop dhclient: DHCPDISCOVER on eth0 to
255.255.255.255 port 67 interval 4
Apr 5 21:07:48 ibmlaptop dhclient: DHCPOFFER from 172.31.16.1
Apr 5 21:07:48 ibmlaptop dhclient: DHCPREQUEST on eth0 to
255.255.255.255 port 67
Apr 5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1
Apr 5 21:07:48 ibmlaptop dhclient: can't create
/var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr 5 21:07:48 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal in
356918 seconds.
Apr 5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc: denied
{ search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
ino=1389922 scontext=root:system_r:dhcpc_t
tcontext=system_u:object_r:home_root_t tclass=dir
4) GNOME mixer_applet2 is unable to reach the device. Strangely this
began failing in permissive mode too, but it works when selinux is
totally disabled and not loaded.
Apr 5 21:07:10 ibmlaptop kernel: audit(1081235230.797:0): avc: denied
{ setattr } for pid=2435 exe=/usr/libexec/mixer_applet2
name=registry.xml dev=hda2 ino=1425367 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:var_t tclass=file
5) This is vmware from the VMWare WS 4.5.1 service startup. The issues
are ... complicated, numerous, and scary looking.
Apr 5 21:06:08 ibmlaptop kernel: vmmon: module license 'unspecified'
taints kernel.
Apr 5 21:06:08 ibmlaptop kernel: vmnet: module license 'unspecified'
taints kernel.
Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc: denied
{ search } for pid=1909 exe=/usr/bin/vmnet-netifup name=net dev=
ino=344 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc: denied
{ search } for pid=1910 exe=/usr/bin/vmnet-netifup name=net dev=
ino=344 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc: denied
{ node_bind } for pid=1931 exe=/usr/bin/vmnet-natd
scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc: denied
{ create } for pid=1931 exe=/usr/bin/vmnet-natd name=vmnat.1931
scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:var_run_t
tclass=sock_file
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP
Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998,
1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find
this software useful.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit
http://www.isc.org/dhcp-contrib.html
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP
Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998,
1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP
Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998,
1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.18.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find
this software useful.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address:
173.31.18.254
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit
http://www.isc.org/dhcp-contrib.html
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Recving on
VNet/vmnet1/173.31.18.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:10 ibmlaptop vmnet-dhcpd: Sending on
VNet/vmnet1/173.31.18.0
Apr 5 21:06:11 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.17.0
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address:
173.31.17.254
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Recving on
VNet/vmnet8/173.31.17.0
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Sending on
VNet/vmnet8/173.31.17.0
Apr 5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc: denied
{ create } for pid=2253 exe=/usr/bin/vmware-nmbd
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=udp_socket
Apr 5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc: denied
{ create } for pid=2253 exe=/usr/bin/vmware-nmbd
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=udp_socket
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.460:0): avc: denied
{ read } for pid=2254 exe=/usr/bin/vmware-smbd name=urandom dev=hda2
ino=1270748 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.461:0): avc: denied
{ read } for pid=2254 exe=/usr/bin/vmware-smbd name=shadow dev=hda2
ino=1963867 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:shadow_t tclass=file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc: denied
{ setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=capability
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc: denied
{ setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=capability
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.805:0): avc: denied
{ setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=capability
Apr 5 21:06:16 ibmlaptop last message repeated 2 times
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc: denied
{ read } for pid=2254 exe=/usr/bin/vmware-smbd name=printcap dev=hda2
ino=1962265 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc: denied
{ create } for pid=2254 exe=/usr/bin/vmware-smbd
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=udp_socket
Apr 5 21:06:17 ibmlaptop kernel: audit(1081235177.041:0): avc: denied
{ sys_resource } for pid=2254 exe=/usr/bin/vmware-smbd capability=24
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=capability
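The denials above are the kind of input that audit2allow-style triage consumes: each "avc: denied" record names a permission, a source domain (scontext), a target type (tcontext) and an object class (tclass), and the useful first step is to collapse the raw stream into distinct (source, target, class, permission) tuples with counts, then separate the ones that look like policy gaps (dhcpc_t searching home_root_t, user_t missing a capability) from the ones where the policy is doing exactly what it should (vmware_t reading shadow_t). The following is an added example, not code from the original post or from the SELinux tools; the sample log lines are constructed from values in the message above (re-joined onto single lines, as syslog writes them), and the `SENSITIVE_TYPES` set is an assumption of the example, not a list from the page.

```python
"""Triage SELinux AVC denial records from syslog (added example, not from the original post)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: AVC lines from the message above, each on one line,
# plus two non-AVC syslog lines that the parser must skip.
LOG = """\
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc: denied { setuid } for pid=2463 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc: denied { setuid } for pid=2463 exe=/usr/sbin/usernetctl capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.461:0): avc: denied { read } for pid=2254 exe=/usr/bin/vmware-smbd name=shadow dev=hda2 ino=1963867 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:shadow_t tclass=file
Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc: denied { search } for pid=1909 exe=/usr/bin/vmnet-netifup name=net dev= ino=344 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 5 21:06:16 ibmlaptop last message repeated 2 times
Apr 5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1
"""

# Matches the 2004-era kernel AVC format: audit(<secs.usec>:<serial>): avc: denied { perms } for k=v ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*(?P<verdict>denied|granted)\s*"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<fields>.*)$"
)
# key=value pairs; the value may be empty (the page shows "dev= ino=344").
KV_RE = re.compile(r"(\w+)=(\S*)")

# Assumption of this example: target types whose denials should be reviewed as
# "policy working as intended", not as gaps to be allowed.
SENSITIVE_TYPES = {"shadow_t"}


@dataclass
class AvcRecord:
    timestamp: float
    verdict: str
    perms: tuple[str, ...]
    fields: dict[str, str]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one syslog line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    perms = tuple(m.group("perms").split())
    return AvcRecord(float(m.group("ts")), m.group("verdict"), perms, fields)


def parse_log(text: str) -> list[AvcRecord]:
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def type_of(context: str) -> str:
    """Extract the type from a user:role:type security context."""
    return context.split(":")[2]


def summarize(records: list[AvcRecord]) -> Counter:
    """Count denials per (source type, target type, class, permission)."""
    counts: Counter = Counter()
    for r in records:
        if r.verdict != "denied":
            continue
        src = type_of(r.fields["scontext"])
        tgt = type_of(r.fields["tcontext"])
        for perm in r.perms:
            counts[(src, tgt, r.fields["tclass"], perm)] += 1
    return counts


def rule_shape(counts: Counter) -> list[str]:
    """Render one allow line per (src, tgt, class), in the shape audit2allow prints, for review only."""
    grouped: dict[tuple[str, str, str], set[str]] = {}
    for (src, tgt, cls, perm) in counts:
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


def flag_sensitive(counts: Counter) -> list[tuple[str, str, str, str]]:
    """Return denial keys whose target type is in SENSITIVE_TYPES; these are never candidates for an allow rule."""
    return sorted(k for k in counts if k[1] in SENSITIVE_TYPES)


if __name__ == "__main__":
    counts = summarize(parse_log(LOG))
    for key, n in sorted(counts.items()):
        print(n, *key)
    print("\n".join(rule_shape(counts)))
    print("review, do not allow:", flag_sensitive(counts))
```

The `rule_shape` output is deliberately only a rendering of what the log asked for: the vmware_t read of shadow_t from the message above would come out as `allow vmware_t shadow_t:file { read };`, which is the one line an administrator should not add, and `flag_sensitive` exists to pull such tuples out before anyone pastes the rest into a local policy module.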