simplified question

Stephen Smalley sds at tycho.nsa.gov
Mon Nov 14 19:18:41 UTC 2005


On Mon, 2005-11-14 at 11:31 -0700, Craig White wrote:
> audit2allow doesn't show anything concerning the dbus error. That still
> is present. The above did fix the problem with connecting between httpd
> -> mysql.sock so that is cool. The dbus error has been around for a
> while and it doesn't seem to prevent anything that I need but would like
> the education of it - so it remains.
> 
> audit2allow doesn't have a man page so I haven't garnered much of
> anything that isn't in audit2allow --help. 

audit2allow man page is available from:
http://cvs.sourceforge.net/viewcvs.py/*checkout*/selinux/nsa/selinux-usr/policycoreutils/audit2allow/audit2allow.1

The dbus output suggests two separate problems:
1) dbusd is denying an attempt to send a message through it (this is
what you see from the message= payload with the avc:  denied message),
which can be addressed by adding an appropriate allow rule to policy and
reloading it, and
2) dbusd is encountering an error when trying to send the audit message
for the above denial to the audit system (this is the "Can't send to
audit system" prefix), and thus falls back to using syslog to log the
audit message along with the warning.  This problem may or may not be
due to SELinux (e.g. SELinux might be denying permission to send the
audit message to the audit system, or there may be some other error,
e.g. since dbusd doesn't run as root, it might not be allowed to use the
audit system anyway).

-- 
Stephen Smalley
National Security Agency
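
The two problems described in the message above can be told apart mechanically from a single log line. The sketch below is an added example, not part of the original message and not audit2allow's code; the syslog line layout, the sample lines and the `example_*_t` types are constructed assumptions.

```python
import re

# Prefix dbusd puts on the message when it could not reach the audit system.
FALLBACK_PREFIX = "Can't send to audit system"

# Standard AVC fields; the layout of the surrounding syslog line is an assumption.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None

def triage(line):
    """Report the two problems independently for one log line.

    audit_fallback: problem 2, the audit system could not be reached (the
                    line alone does not say why; that needs its own check).
    candidate_rule: problem 1, an allow rule derived from the AVC denial,
                    to be reviewed before it goes into policy.
    """
    report = {"audit_fallback": FALLBACK_PREFIX in line, "candidate_rule": None}
    m = AVC_RE.search(line)
    if m is None:
        return report
    source = selinux_type(m.group("scontext"))
    target = selinux_type(m.group("tcontext"))
    if source and target:
        report["candidate_rule"] = "allow %s %s:%s { %s };" % (
            source, target, m.group("tclass"), " ".join(m.group("perms").split()))
    return report

# Constructed sample lines; the *_t types are placeholders, not real policy types.
SAMPLE_BOTH = (
    "Nov 14 11:02:17 host dbus: Can't send to audit system: "
    "message=avc:  denied  { send_msg } for "
    "scontext=system_u:system_r:example_client_t "
    "tcontext=system_u:system_r:example_service_t tclass=dbus"
)
SAMPLE_FALLBACK_ONLY = "Nov 14 11:02:18 host dbus: Can't send to audit system: message=test"

if __name__ == "__main__":
    for sample in (SAMPLE_BOTH, SAMPLE_FALLBACK_ONLY):
        print(triage(sample))
```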



