More avc denies

Leonard den Ottolander leonard at den.ottolander.nl
Mon May 10 14:04:04 UTC 2004


Hi,

With the latest updates on a FC2t3 setup with SELinux running in
permissive mode I am still seeing avc errors. Kernel-2.6.5-1.358,
policy-1.11.3-3. Had to move in the /etc/security/selinux/policies
because they were created as .rpmnews.

System startup:
avc:  denied  { read } for  pid=546 exe=/sbin/lvm.static name=dri
dev=hda2 ino=84499 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:dri_device_t tclass=dir
avc:  denied  { search } for  pid=546 exe=/sbin/lvm.static name=dri
dev=hda2 ino=84499 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:dri_device_t tclass=dir

Root console login:
avc:  denied  { read } for  pid=1559 exe=/bin/login
name=.default_contexts dev=hda2 ino=437194
scontext=system_u:system_r:local_login_t
tcontext=root:object_r:staff_home_dir_t tclass=file
avc:  denied  { getattr } for  pid=1559 exe=/bin/login
path=/root/.default_contexts dev=hda2 ino=437194
scontext=system_u:system_r:local_login_t
tcontext=root:object_r:staff_home_dir_t tclass=file

ntpdate <server>:
avc:  denied  { getattr } for  pid=1759 exe=/usr/sbin/ntpdate
path=/dev/tty1 dev=hda2 ino=71082 scontext=root:system_r:ntpd_t
tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file
avc:  denied  { ioctl } for  pid=1759 exe=/usr/sbin/ntpdate
path=/dev/tty1 dev=hda2 ino=71082 scontext=root:system_r:ntpd_t
tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file

Daily cron (webalizer?):
avc:  denied  { read } for  pid=1818 exe=/bin/cat name=access_log
dev=hda2 ino=390310 scontext=system_u:system_r:system_crond_t
tcontext=root:object_r:httpd_log_t tclass=file

and 20 secs later:
avc:  denied  { execute_no_trans } for  pid=1960 exe=/usr/sbin/prelink
path=/lib/ld-2.3.3.so dev=hda2 ino=32386
scontext=system_u:system_r:prelink_t tcontext=system_u:object_r:ld_so_t
tclass=file

ssh login and su - :
avc:  denied  { read } for  pid=3489 exe=/bin/su name=.default_contexts
dev=hda2 ino=437194 scontext=user_u:user_r:user_su_t
tcontext=root:object_r:staff_home_dir_t tclass=file
avc:  denied  { getattr } for  pid=3489 exe=/bin/su
path=/root/.default_contexts dev=hda2 ino=437194
scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t
tclass=file

avc:  denied  { add_name } for  pid=3489 exe=/bin/su name=.xauthrQsUjb
scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t
tclass=dir
avc:  denied  { create } for  pid=3489 exe=/bin/su name=.xauthrQsUjb
scontext=user_u:user_r:user_su_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
avc:  denied  { setattr } for  pid=3489 exe=/bin/su name=.xauthrQsUjb
dev=hda2 ino=437207 scontext=user_u:user_r:user_su_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file

And when setenforce 1 I get tons of prelink execute_no_trans errors for
prelink on /lib/ld-2.3.3.so.

Maybe some of these are expected behaviour, but then a few aren't :) .

Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
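When a post like this lists a dozen wrapped AVC messages, the first triage step is to re-join the wrapped lines and collapse them into (source type, target type, class) -> denied permissions, which is the same grouping audit2allow reports. The Python below is an added example written for this archive page, not code from the post or from the SELinux project; the only input it uses is a subset of the AVC lines quoted in the message above, embedded verbatim. The grouping is for review only: which of these denials are expected (a lvm_t process probing /dev/dri, ntpdate inheriting a sysadm tty, prelink relinking ld.so) is a policy question, and the summary is meant to make that review faster, not to be turned into allow rules mechanically.

```python
import re
from collections import defaultdict

# Sample AVC messages copied from the post above, line-wrapped exactly as
# the mail archive shows them; join_records() reassembles each message.
SAMPLE_LOG = """\
avc:  denied  { read } for  pid=546 exe=/sbin/lvm.static name=dri
dev=hda2 ino=84499 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:dri_device_t tclass=dir
avc:  denied  { search } for  pid=546 exe=/sbin/lvm.static name=dri
dev=hda2 ino=84499 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:dri_device_t tclass=dir
avc:  denied  { read } for  pid=1559 exe=/bin/login
name=.default_contexts dev=hda2 ino=437194
scontext=system_u:system_r:local_login_t
tcontext=root:object_r:staff_home_dir_t tclass=file
avc:  denied  { execute_no_trans } for  pid=1960 exe=/usr/sbin/prelink
path=/lib/ld-2.3.3.so dev=hda2 ino=32386
scontext=system_u:system_r:prelink_t tcontext=system_u:object_r:ld_so_t
tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def join_records(text):
    """Re-join messages that were wrapped across several lines.
    A new record starts at every line beginning with 'avc:'; any other
    non-empty line is a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("avc:"):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Parse one re-joined AVC line into a dict of its key=value fields,
    plus 'result' (denied/granted) and 'perms' (list of permissions)."""
    m = AVC_RE.match(record)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["result"] = m.group("result")
    fields["perms"] = m.group("perms").split()
    return fields


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(text):
    """Group denials by (source type, target type, object class) and collect
    the union of denied permissions, the occurrence count and the executables
    involved, so each distinct policy question shows up once."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0, "exes": set()})
    for rec in join_records(text):
        f = parse_avc(rec)
        if f is None or f["result"] != "denied":
            continue
        key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        entry = summary[key]
        entry["perms"].update(f["perms"])
        entry["count"] += 1
        entry["exes"].add(f.get("exe", "?"))
    return dict(summary)


if __name__ == "__main__":
    for (src, tgt, cls), e in sorted(summarize(SAMPLE_LOG).items()):
        perms = " ".join(sorted(e["perms"]))
        exes = ", ".join(sorted(e["exes"]))
        print(f"{src:16} -> {tgt}:{cls} {{ {perms} }}  ({e['count']}x via {exes})")
```

Feeding it the full post collapses the 17 messages into a handful of type pairs; the ones that repeat only in enforcing mode (the prelink_t -> ld_so_t execute_no_trans case the author mentions) stand out by their count, which is the sort of thing worth raising with the policy maintainers rather than silencing locally.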