fedora-selinux-list Digest, Vol 20, Issue 18
Jayendren Anand Maduray
jayendren at hivsa.com
Fri Oct 21 10:10:46 UTC 2005
Greetings fellow travellers.
Could someone please help me with the following errors:
*audit(1129788324.500:0): avc: denied { execute } for pid=3105
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.501:0): avc: denied { execute } for pid=3106
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.507:0): avc: denied { execute } for pid=3107
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.510:0): avc: denied { execute } for pid=3108
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.514:0): avc: denied { execute } for pid=3109
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.517:0): avc: denied { execute } for pid=3110
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.521:0): avc: denied { execute } for pid=3111
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.522:0): avc: denied { execute } for pid=3112
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.528:0): avc: denied { execute } for pid=3113
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.529:0): avc: denied { execute } for pid=3114
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file*
These errors are from dmesg, and occured after compiling and installing
squidclam from source.
Here is the output of selinuxconf:
[*root at shiva jay]# selinuxconfig
selinux state="enforcing"
policypath="/etc/selinux/targeted"
default_type_path="/etc/selinux/targeted/contexts/default_type"
default_context_path="/etc/selinux/targeted/contexts/default_contexts"
default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"
binary_policy_path="/etc/selinux/targeted/policy/policy"
user_contexts_path="/etc/selinux/targeted/contexts/users/"
contexts_path="/etc/selinux/targeted/contexts"*
Output of uname -a:
*[root at shiva jay]# uname -a
Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 i686
i386 GNU/Linux*
Any help would be greatly appreciated.
God bless.
fedora-selinux-list-request at redhat.com wrote:
>Send fedora-selinux-list mailing list submissions to
> fedora-selinux-list at redhat.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>or, via email, send a message with subject or body 'help' to
> fedora-selinux-list-request at redhat.com
>
>You can reach the person managing the list at
> fedora-selinux-list-owner at redhat.com
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of fedora-selinux-list digest..."
>
>
>Today's Topics:
>
> 1. Re: mailman cgi-bin denied search (Tim Fenn)
> 2. Preserving Context with tar (W. Scott wilburn)
> 3. Re: mailman cgi-bin denied search (Daniel J Walsh)
> 4. Re: Preserving Context with tar (Daniel J Walsh)
> 5. Re: mailman cgi-bin denied search (Tim Fenn)
> 6. Re: Preserving Context with tar (Stephen Smalley)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Wed, 19 Oct 2005 13:49:47 -0700
>From: Tim Fenn <fenn at stanford.edu>
>Subject: Re: mailman cgi-bin denied search
>To: Daniel J Walsh <dwalsh at redhat.com>
>Cc: fedora-selinux-list at redhat.com
>Message-ID: <20051019204947.GC6466 at stanford.edu>
>Content-Type: text/plain; charset=us-ascii
>
>On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>
>
>>Tim Fenn wrote:
>>
>>
>>>I recently installed mailman on my FC3 box (using the redhat based
>>>RPMs), and it seems to be working just fine, except for the numerous
>>>avc messages it cranks out whenever I run one of the cgi scripts
>>>associated with mailman (e.g. via the web interface):
>>>
>>>Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>>{ search } for pid=18761 comm="listinfo" name="run" dev=sda1
>>>ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>>u:object_r:var_run_t tclass=dir
>>>
>>>
>>>
>>Why would mailman listinfo be searching /var/log directory?
>>
>>
>>
>
>Well, I get the same errors with mailmanctl:
>
>./mailmanctl status
>
>yields no output, and the following errors:
>Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>{ read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts
>ino=5 scontext=root:system_r:mailman_mail_t
>tcontext=root:object_r:devpts_t tclass=chr_file
>Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>{ search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
>ino=1294372 scontext=root:system_r:mailman_mail_t
>tcontext=system_u:object_r:var_run_t tclass=dir
>Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>{ setgid } for pid=20837 comm="mailmanctl" capability=6
>scontext=root:system_r:mailman_mail_t
>tcontext=root:system_r:mailman_mail_t tclass=capability
>
>However, if I comment out:
>
>from Mailman.Logging.Syslog import syslog
>
>in the mailmanctl script, all is well:
>
># ./mailmanctl status
>mailman (pid 17677) is running...
>
>and no error messages. I would assume the same is true with the
>cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>
>Regards,
>Tim
>
>
>
>------------------------------
>
>Message: 2
>Date: Wed, 19 Oct 2005 15:56:06 -0600
>From: "W. Scott wilburn" <wilburn at lanl.gov>
>Subject: Preserving Context with tar
>To: fedora-selinux-list at redhat.com
>Message-ID: <20051019215606.GE4717 at wilburn.lanl.gov>
>Content-Type: text/plain; charset=us-ascii
>
>Sorry to be asking such a simple question. Is it possible to preserve
>file contexts using tar? I would have thought -p would do this, but
>it appears no, atleast on RHEL4 and FC4.
>
>The reason to do this is a use tar to install modified config files on
>new machines. Having to relabel after doing this is somewhat slow.
>Perhaps there is a better solution?
>
>Thanks,
>Scott Wilburn
>
>
>
>------------------------------
>
>Message: 3
>Date: Wed, 19 Oct 2005 22:31:36 -0400
>From: Daniel J Walsh <dwalsh at redhat.com>
>Subject: Re: mailman cgi-bin denied search
>To: Daniel J Walsh <dwalsh at redhat.com>, fedora-selinux-list at redhat.com
>Message-ID: <43570188.5060201 at redhat.com>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Tim Fenn wrote:
>
>
>>On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>
>>
>>
>>>Tim Fenn wrote:
>>>
>>>
>>>
>>>>I recently installed mailman on my FC3 box (using the redhat based
>>>>RPMs), and it seems to be working just fine, except for the numerous
>>>>avc messages it cranks out whenever I run one of the cgi scripts
>>>>associated with mailman (e.g. via the web interface):
>>>>
>>>>Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>>>{ search } for pid=18761 comm="listinfo" name="run" dev=sda1
>>>>ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>>>u:object_r:var_run_t tclass=dir
>>>>
>>>>
>>>>
>>>>
>>>Why would mailman listinfo be searching /var/log directory?
>>>
>>>
>>>
>>>
>>Well, I get the same errors with mailmanctl:
>>
>>./mailmanctl status
>>
>>yields no output, and the following errors:
>>Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>>{ read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts
>>ino=5 scontext=root:system_r:mailman_mail_t
>>tcontext=root:object_r:devpts_t tclass=chr_file
>>Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>>{ search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
>>ino=1294372 scontext=root:system_r:mailman_mail_t
>>tcontext=system_u:object_r:var_run_t tclass=dir
>>Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>>{ setgid } for pid=20837 comm="mailmanctl" capability=6
>>scontext=root:system_r:mailman_mail_t
>>tcontext=root:system_r:mailman_mail_t tclass=capability
>>
>>However, if I comment out:
>>
>>from Mailman.Logging.Syslog import syslog
>>
>>in the mailmanctl script, all is well:
>>
>># ./mailmanctl status
>>mailman (pid 17677) is running...
>>
>>and no error messages. I would assume the same is true with the
>>cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>>
>>Regards,
>>Tim
>>
>>
>>
>Yes. submit a bug. Although generating these in FC4 would be far more
>interesting. Also do these AVC messages cause problems or are they just
>being reported. No output from the script is fixed in FC4.
>
>
>
>
>
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren at mweb.co.za
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20051021/be2425b8/attachment.htm>
More information about the fedora-selinux-list
mailing list