dmesg avcs

Daniel J Walsh dwalsh at redhat.com
Mon Mar 8 14:07:46 UTC 2004


Josh Boyer wrote:

>This is my first stab at working with SELinux, so be gentle ;).
>
>I am getting these avc messages when I run dmesg:
>
>avc:  denied  { use } for  pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4 
>scontext=root:system_r:dmesg_t tcontext=jwboyer:user_r:user_t tclass=fd
>
>avc:  denied  { read write } for  pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= 
>ino=4 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_devpts_t 
>tclass=chr_file
>
>So in the dmesg.te file, I defined the following rules:
>
>allow dmesg_t user_devpts_t:chr_file { read write getattr };
>allow dmesg_t user_t:fd { use };
>
>Does that look correct?  From my understanding, the 2 rules I added allow the 
>dmesg_t domain read, write, and getattr access to pts char files...
>
>  
>
Yes, but this might not be necessary.  If the dmesg code was working
correctly and you saw these messages you might want to dontaudit them.

    dontaudit dmesg_t userdomain:fd { use };

would eliminate the terminal error for all userdomains (user, staff and
sysadm).

>josh
>
>
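
The step from the quoted denials to policy rules, as an added example that is not part of the original message or of any SELinux tool: it parses the two avc lines and emits either allow or dontaudit rules. The names parse_avc, rules_from_avcs and target_alias are hypothetical; mapping user_t to the userdomain attribute follows the dontaudit rule in the reply.

```python
import re

# Constructed sample input: the two denials quoted in the message above,
# with the mail client's line wrapping undone.
SAMPLE_AVCS = [
    "avc:  denied  { use } for  pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4 "
    "scontext=root:system_r:dmesg_t tcontext=jwboyer:user_r:user_t tclass=fd",
    "avc:  denied  { read write } for  pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= "
    "ino=4 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_devpts_t "
    "tclass=chr_file",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), tuple(m.group("perms").split())

def rules_from_avcs(lines, keyword="allow", target_alias=None):
    """Merge denials per (source, target, class) and emit one rule for each.

    keyword is "allow" or "dontaudit"; target_alias (hypothetical helper
    argument) maps a target type to an attribute, e.g. user_t -> userdomain.
    """
    if keyword not in ("allow", "dontaudit"):
        raise ValueError("keyword must be 'allow' or 'dontaudit'")
    merged = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        ttype = (target_alias or {}).get(ttype, ttype)
        bucket = merged.setdefault((stype, ttype, tclass), [])
        bucket.extend(p for p in perms if p not in bucket)
    return [
        f"{keyword} {s} {t}:{c} {{ {' '.join(p)} }};"
        for (s, t, c), p in merged.items()
    ]
```

Rules derived this way contain only the permissions that were actually denied, so the getattr in the hand-written allow rule does not appear in the output.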