logwatch/pidof avcs
Daniel J Walsh
dwalsh at redhat.com
Fri Dec 30 16:03:23 UTC 2005
Steve G wrote:
> Hi,
>
> I'm using today's rawhide and see these scroll occasionally:
>
> type=PATH msg=audit(12/28/2005 09:47:17.210:107) : item=0 name=/proc/2675/stat
> inode=175308814 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00
> obj=system_u:system_r:local_login_t:s0-s0:c0.c255
> type=CWD msg=audit(12/28/2005 09:47:17.210:107) : cwd=/
> type=SYSCALL msg=audit(12/28/2005 09:47:17.210:107) : arch=x86_64 syscall=open
> success=no exit=-13(Permission denied) a0=7fffffbaa110 a1=0 a2=1b6 a3=0 items=1
> pid=3204 auid=unknown(4294967295) uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root comm=pidof exe=/sbin/killall5
> subj=system_u:system_r:crond_t:s0
> type=AVC msg=audit(12/28/2005 09:47:17.210:107) : avc: denied { read } for
> pid=3204 comm=pidof name=stat dev=proc ino=175308814
> scontext=system_u:system_r:crond_t:s0
> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c255 tclass=file
>
> This occurs for a number of /prod/pid/stat entries. It appears to be coming from
> logwatch.
>
> -Steve
>
>
>
I have added a logwatch policy. Do you know what logwatch is trying to
do? Does it need this capability? This is caused because of MCS.
Basically a s0 process is trying to read a s0-s0:co.c255 file.
Dan
>
>
> __________________________________
> Yahoo! for Good - Make a difference this year.
> http://brand.yahoo.com/cybergivingweek2005/
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
--
More information about the fedora-selinux-list
mailing list