logwatch does not show disk usage of partitions mounted in /mnt

Daniel J Walsh dwalsh at redhat.com
Thu Mar 23 16:08:14 UTC 2006


Dawid Gajownik wrote:
> On 03/22/2006 04:15 PM, Daniel J Walsh wrote:
>
>> First make sure this is all the access that it needs by running 
>> logwatch with setenforce 0.
>>
>> Then send us the AVC messages, so we can update policy.
>
> I ran my system in permissive mode today and logwatch showed disk 
> usage of all partitions mounted in /mnt. Here are the AVC messages:
>
> [root@X ~]# grep -i logwatch /var/log/messages
> Mar 21 17:14:05 X kernel: audit(1142957645.904:32): avc:  denied  { 
> search } for  pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 21 17:14:05 X kernel: audit(1142957645.904:33): avc:  denied  { 
> search } for  pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 21 17:14:05 X kernel: audit(1142957645.904:34): avc:  denied  { 
> search } for  pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 21 17:14:05 X kernel: audit(1142957645.904:35): avc:  denied  { 
> search } for  pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 21 17:14:05 X kernel: audit(1142957645.904:36): avc:  denied  { 
> search } for  pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 21 17:14:05 X kernel: audit(1142957645.908:37): avc:  denied  { 
> search } for  pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.272:34): avc:  denied  { 
> search } for  pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.276:35): avc:  denied  { 
> search } for  pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.276:36): avc:  denied  { 
> search } for  pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.276:37): avc:  denied  { 
> search } for  pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.276:38): avc:  denied  { 
> search } for  pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.276:39): avc:  denied  { 
> search } for  pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 23 12:16:48 X kernel: audit(1143112608.114:7): avc:  denied  { 
> search } for  pid=3333 comm="df" name="mnt" dev=hda5 ino=809601 
> scontext=system_u:system_r:logwatch_t:s0 
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> [root@X ~]#
>
> (Yes, I don't have auditd.)
>
>> You can also install a loadable module to allow this access by executing
>>
>> grep logwatch /var/log/audit/audit.log | audit2allow -M logwatch
>> semodule -i logwatch.pp
>
> I know about audit2allow, but this program sometimes allows too much. I 
> wanted to ask the developers of SELinux policy about this issue :)
>
Well, I am a developer of SELinux policy.  The policy I put out yesterday 
will dontaudit this, but now I am thinking it should be allowed.

> Thanks,
>     Dawid
>
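
The concern raised in the thread, that a generated module may allow more than intended, can be checked by reducing the logged denials to the distinct rules they imply before loading anything. The following is an added example, not part of the original messages and not audit2allow's own code; the function name `candidate_rules` is hypothetical and the sample input is constructed from two of the denials quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: two of the denials quoted above, wrapped and
# ">"-quoted the way they appear in the mail.
SAMPLE = """\
> Mar 21 17:14:05 X kernel: audit(1142957645.904:32): avc:  denied  {
> search } for  pid=2588 comm="df" name="mnt" dev=hda5 ino=809601
> scontext=system_u:system_r:logwatch_t:s0
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 23 12:16:48 X kernel: audit(1143112608.114:7): avc:  denied  {
> search } for  pid=3333 comm="df" name="mnt" dev=hda5 ino=809601
> scontext=system_u:system_r:logwatch_t:s0
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
"""

def candidate_rules(raw, source_type=None):
    """Reduce AVC denials to the distinct allow rules they imply (for review)."""
    raw = re.sub(r"(?m)^[ \t]*(?:>[ \t]*)+", "", raw)  # drop mail quote markers
    text = " ".join(raw.split())                       # undo line wrapping
    rules = defaultdict(set)
    for chunk in re.split(r"avc:\s*", text)[1:]:
        m = re.match(r"denied \{ ([^}]*)\} for (.*)", chunk)
        if not m:
            continue                                   # granted or malformed record
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
        try:
            stype = fields["scontext"].split(":")[2]   # user:role:type[:level]
            ttype = fields["tcontext"].split(":")[2]
            tclass = fields["tclass"]
        except (KeyError, IndexError):
            continue
        if source_type and stype != source_type:
            continue                                   # keep only the domain under review
        rules[(stype, ttype, tclass)].update(m.group(1).split())
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {s} {t}:{c} {perm_txt};")
    return out

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE, source_type="logwatch_t"):
        print(rule)
```

For the denials in this thread the result is a single rule, `allow logwatch_t mnt_t:dir search;`, which is the whole of what a module built from them would need to grant.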





