Today's avcs....(readahead, hald)

Tom London selinux at gmail.com
Sat Jan 7 19:52:51 UTC 2006


Running today's rawhide (selinux-policy-targeted-2.1.7-3) with the
targeted policy in enforcing mode, I got some AVCs in /var/log/messages
and audit.log.

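I rebooted in permissive mode (so the denials below were logged but not
enforced, which is why the syscalls still report success=yes; the one
rmdir failure is "Directory not empty", not an SELinux denial) and: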

I get this in /var/log/messages (before auditd starts, I guess):
----
type=PATH msg=audit(01/07/2006 11:44:46.028:12) : item=0 name=/media/
flags=follow,directory,open inode=2289281 dev=fd:00 mode=dir,755
ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/07/2006 11:44:46.028:12) :  cwd=/
type=SYSCALL msg=audit(01/07/2006 11:44:46.028:12) : arch=i386
syscall=open success=yes exit=3 a0=9233228 a1=18800 a2=261158
a3=92331e8 items=1 pid=2532 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=hal-system-stor exe=/bin/bash
type=AVC msg=audit(01/07/2006 11:44:46.028:12) : avc:  denied  { read
} for  pid=2532 comm=hal-system-stor name=media dev=dm-0 ino=2289281
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir
----
type=PATH msg=audit(01/07/2006 11:44:50.152:13) : item=0 name=/boot
flags=follow inode=2 dev=03:02 mode=dir,755 ouid=root ogid=root
rdev=00:00
type=CWD msg=audit(01/07/2006 11:44:50.152:13) :  cwd=/
type=AVC_PATH msg=audit(01/07/2006 11:44:50.152:13) :  path=/boot
type=SYSCALL msg=audit(01/07/2006 11:44:50.152:13) : arch=i386
syscall=stat64 success=yes exit=0 a0=bfd80ede a1=bfd80e5c a2=359ff4
a3=303 items=1 pid=2527 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=hald exe=/usr/sbin/hald
type=AVC msg=audit(01/07/2006 11:44:50.152:13) : avc:  denied  {
getattr } for pid=2527 comm=hald name=/ dev=hda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir
----
type=PATH msg=audit(01/07/2006 11:44:50.152:14) : item=0
name=/proc/sys/fs/binfmt_misc flags=follow inode=4808 dev=00:13
mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/07/2006 11:44:50.152:14) :  cwd=/
type=SYSCALL msg=audit(01/07/2006 11:44:50.152:14) : arch=i386
syscall=stat64 success=yes exit=0 a0=bfd80ed9 a1=bfd80e5c a2=359ff4
a3=303 items=1 pid=2527 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=hald exe=/usr/sbin/hald
type=AVC msg=audit(01/07/2006 11:44:50.152:14) : avc:  denied  {
search } for  pid=2527 comm=hald name=fs dev=proc ino=-268435429
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
----
type=PATH msg=audit(01/07/2006 11:44:50.152:15) : item=0
name=/var/lib/nfs/rpc_pipefs flags=follow inode=5930 dev=00:14
mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/07/2006 11:44:50.152:15) :  cwd=/
type=SYSCALL msg=audit(01/07/2006 11:44:50.152:15) : arch=i386
syscall=stat64 success=yes exit=0 a0=bfd80edb a1=bfd80e5c a2=359ff4
a3=303 items=1 pid=2527 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=hald exe=/usr/sbin/hald
type=AVC msg=audit(01/07/2006 11:44:50.152:15) : avc:  denied  {
search } for  pid=2527 comm=hald name=nfs dev=dm-0 ino=2142222
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir
----
type=PATH msg=audit(01/07/2006 11:45:00.837:17) : item=0
name=/var/lib/nfs/rpc_pipefs flags=follow inode=5930 dev=00:14
mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/07/2006 11:45:00.837:17) :  cwd=/
type=SYSCALL msg=audit(01/07/2006 11:45:00.837:17) : arch=i386
syscall=stat64 success=yes exit=0 a0=bfd8105b a1=bfd80fdc a2=359ff4
a3=bfd8105e items=1 pid=2527 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=hald exe=/usr/sbin/hald
type=AVC msg=audit(01/07/2006 11:45:00.837:17) : avc:  denied  {
search } for  pid=2527 comm=hald name=nfs dev=dm-0 ino=2142222
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir
----
type=PATH msg=audit(01/07/2006 11:45:40.036:25) : item=1
flags=follow,open inode=327257 dev=fd:00 mode=file,755 ouid=root
ogid=root rdev=00:00
type=PATH msg=audit(01/07/2006 11:45:40.036:25) : item=0
name=/usr/bin/skype flags=follow,open inode=145693 dev=fd:00
mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/07/2006 11:45:40.036:25) :  cwd=/home/tbl
type=SYSCALL msg=audit(01/07/2006 11:45:40.036:25) : arch=i386
syscall=execve success=yes exit=0 a0=9126db0 a1=bffa9740 a2=9114078
a3=0 items=2 pid=2857 auid=unknown(4294967295) uid=tbl gid=tbl
euid=tbl suid=tbl fsuid=tbl egid=tbl sgid=tbl fsgid=tbl comm=skype
exe=/usr/bin/skype
type=AVC msg=audit(01/07/2006 11:45:40.036:25) : avc:  granted  {
execmem } for  pid=2857 comm=skype
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(01/07/2006 11:45:40.036:25) : avc:  granted  {
execmem } for  pid=2857 comm=skype
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
----
type=PATH msg=audit(01/07/2006 11:45:41.792:26) : item=0
name=/media/disk flags=parent inode=2289281 dev=fd:00 mode=dir,755
ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/07/2006 11:45:41.792:26) :  cwd=/
type=SYSCALL msg=audit(01/07/2006 11:45:41.792:26) : arch=i386
syscall=mkdir success=yes exit=0 a0=bfa31919 a1=1ff a2=804e1b8
a3=bfa31919 items=1 pid=2871 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=mkdir exe=/bin/mkdir
type=AVC msg=audit(01/07/2006 11:45:41.792:26) : avc:  denied  {
create } for  pid=2871 comm=mkdir name=disk
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(01/07/2006 11:45:41.792:26) : avc:  denied  {
add_name } for  pid=2871 comm=mkdir name=disk
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(01/07/2006 11:45:41.792:26) : avc:  denied  { write
} for  pid=2871 comm=mkdir name=media dev=dm-0 ino=2289281
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir
----
type=PATH msg=audit(01/07/2006 11:45:41.868:27) : item=0
name=/media/disk/.created-by-hal flags=parent,open,create
inode=2289299 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/07/2006 11:45:41.868:27) :  cwd=/
type=SYSCALL msg=audit(01/07/2006 11:45:41.868:27) : arch=i386
syscall=open success=yes exit=0 a0=bff77909 a1=8941 a2=1b6 a3=8941
items=1 pid=2872 auid=unknown(4294967295) uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root comm=touch
exe=/bin/touch
type=AVC msg=audit(01/07/2006 11:45:41.868:27) : avc:  denied  {
create } for  pid=2872 comm=touch name=.created-by-hal
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=file
----
type=PATH msg=audit(01/07/2006 11:45:41.868:28) : item=0
name=/proc/self/fd/0 flags=follow inode=2289300 dev=fd:00
mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/07/2006 11:45:41.868:28) :  cwd=/
type=SYSCALL msg=audit(01/07/2006 11:45:41.868:28) : arch=i386
syscall=utimes success=yes exit=0 a0=bff772c0 a1=0 a2=8ecff4 a3=0
items=1 pid=2872 auid=unknown(4294967295) uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root comm=touch
exe=/bin/touch
type=AVC msg=audit(01/07/2006 11:45:41.868:28) : avc:  denied  { write
} for  pid=2872 comm=touch name=.created-by-hal dev=dm-0 ino=2289300
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=file
----
type=PATH msg=audit(01/07/2006 11:45:42.136:29) : item=0
name=/media/disk flags=parent inode=2289281 dev=fd:00 mode=dir,755
ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/07/2006 11:45:42.136:29) :  cwd=/
type=SYSCALL msg=audit(01/07/2006 11:45:42.136:29) : arch=i386
syscall=rmdir success=no exit=-39(Directory not empty) a0=bffe1919
a1=0 a2=804c80c a3=bffe1919 items=1 pid=2877 auid=unknown(4294967295)
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root comm=rmdir exe=/bin/rmdir
type=AVC msg=audit(01/07/2006 11:45:42.136:29) : avc:  denied  { rmdir
} for  pid=2877 comm=rmdir name=disk dev=dm-0 ino=2289299
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(01/07/2006 11:45:42.136:29) : avc:  denied  {
remove_name } for  pid=2877 comm=rmdir name=disk dev=dm-0 ino=2289299
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir
----
type=SYSCALL msg=audit(01/07/2006 11:45:46.992:30) : arch=i386
syscall=mprotect success=yes exit=0 a0=bfcd5000 a1=1000 a2=1000007
a3=fffff000 items=0 pid=2862 auid=unknown(4294967295) uid=tbl gid=tbl
euid=tbl suid=tbl fsuid=tbl egid=tbl sgid=tbl fsgid=tbl comm=gaim
exe=/usr/bin/gaim
type=AVC msg=audit(01/07/2006 11:45:46.992:30) : avc:  granted  {
execmem } for  pid=2862 comm=gaim
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process

tom
--
Tom London



