AVC denied messages for openvpn and procmail

Tony Molloy tony.molloy at ul.ie
Fri Nov 24 10:11:49 UTC 2006



Hi,

I'm trying to get up to speed on SELinux, so sorry for being so long.

I've managed to get rid of various avc denied messages. However, I'm 
getting the following two AVC denied messages from setroubleshoot. They 
are not causing any problems, but I would like to know how to go about 
getting rid of them. Would I need to have some sort of local policy?

I'll include the complete message here.

>Summary

>SELinux is preventing /sbin/ifconfig (ifconfig_t) "write" 
>to /etc/openvpn/openvpn.log (openvpn_etc_t).

>Detailed Description

>SELinux denied access requested by /sbin/ifconfig. It is not expected 
>that this access is required by /sbin/ifconfig and this access may 
>signal an intrusion attempt. It is also possible that the specific 
>version or configuration of the application is causing it to require 
>additional access.

>Allowing Access

>Sometimes labeling problems can cause SELinux denials. You could try to 
>restore the default system file context for /etc/openvpn/openvpn.log, 
>restorecon -v /etc/openvpn/openvpn.log If this does not work, there is 
>currently no automatic way to allow this access. Instead, you can 
>generate a local policy module to allow this access - see FAQ Or you can 
>disable SELinux protection altogether. Disabling SELinux protection is 
>not recommended. Please file a bug report against this package.

>Additional Information

>Source Context	system_u:system_r:ifconfig_t:s0
>Target Context	system_u:object_r:openvpn_etc_t:s0
>Target Objects	/etc/openvpn/openvpn.log [ file ]
>Affected RPM Packages	net-tools-1.60-73 [application]
>Policy RPM	selinux-policy-2.4.3-10.fc6
>Selinux Enabled	True
>Policy Type	targeted
>MLS Enabled	True
>Enforcing Mode	Enforcing
>Plugin Name	plugins.catchall
>Host Name	localhost
>Platform	Linux localhost 2.6.18-1.8492.fc6 #1 SMP Fri Nov 10 12:45:28 EST 
>2006 i686 i686

>Raw Audit Messages

>avc: denied { write } for comm='"ifconfig"' dev='sda10' egid='0' euid='0' 
>exe='"/sbin/ifconfig"' exit='0' fsgid='0' fsuid='0' gid='0' items='0' 
>name='"openvpn.log"' path='"/etc/openvpn/openvpn.log"' pid='2983' 
>scontext=system_u:system_r:ifconfig_t:s0 sgid='0' 
>subj='system_u:system_r:ifconfig_t:s0' suid='0' tclass='file' 
>tcontext=system_u:object_r:openvpn_etc_t:s0 tty='(none)' uid='0' 

This is on a laptop. I tried "restorecon -v /etc/openvpn/openvpn.log", but 
since openvpn.log is recreated on each boot, it's always going to 
have the wrong label. How can I get rid of this?



>Summary

>SELinux is preventing access to files with the default label, default_t.

>Detailed Description

>These files have the default label on them. This can indicate a labeling 
>problem, especially if the files being referred to are not top level 
>directories. IE everything under /usr, /var. /dev, /tmp, ... should not 
>be labeled with the default label. The default label is for files who do 
>not have a label on a parent directory. So if you create a new directory 
>in / you might legitimately get this label.

>Allowing Access

>If you want a confined domain to use these files you will probably need 
>to relabel the file/directory with chcon. In some cases it is just 
>easier to relabel the system, to relabel execute: "touch /.autorelabel; 
>reboot"

>Additional Information

>Source Context	system_u:system_r:procmail_t:s0
>Target Context	system_u:object_r:default_t:s0
>Target Objects	/ [ dir ]
>Affected RPM Packages	procmail-3.22-17.1 [application]filesystem-2.4.0-1 
>[target]
>Policy RPM	selinux-policy-2.4.3-10.fc6
>Selinux Enabled	True
>Policy Type	targeted
>MLS Enabled	True
>Enforcing Mode	Enforcing
>Plugin Name	plugins.default
>Host Name	localhost
>Platform	Linux localhost 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 
>2006 i686 i686

>Raw Audit Messages

>avc: denied { search } for comm='"procmail"' dev='sda8' egid='12' 
>euid='0' exe='"/usr/bin/procmail"' exit='-13' fsgid='12' fsuid='0' 
>gid='12' items='0' name='"/"' pid='3112' 
>scontext=system_u:system_r:procmail_t:s0 sgid='12' 
>subj='system_u:system_r:procmail_t:s0' suid='0' tclass='dir' 
>tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0' 


Again I tried "touch /.autorelabel; reboot", but I keep getting the avc 
denied message.

Regards,

Tony
-- 


Tony Molloy.

System Manager.
Dept. of Comp. Sci.
University of Limerick
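As an added example (not part of the post above, and not the setroubleshoot or audit2allow code), the script below does the core of what the FAQ's "generate a local policy module" step does: it parses one raw AVC record as pasted above and prints the allow rule and a complete .te source that would grant exactly the denied access. The point of seeing the rule first is the check a practitioner makes before loading it: the first denial (ifconfig_t writing openvpn_etc_t) is a candidate for such a module, while the second (procmail searching a "/" labelled default_t) is the labelling problem setroubleshoot describes, and an allow rule would only paper over it. The sample record is constructed from the first denial, and the field parsing assumes the quoting style shown in the pasted audit messages.

```shell
#!/bin/sh
# Added example: a minimal, dependency-free stand-in for audit2allow, so the
# rule a local policy module would need is visible before anything is built.
# Parsing assumes the key='"value"' / key='value' / key=value quoting of the
# raw audit messages pasted in the post.

# Constructed sample: the first raw AVC record from the post, joined on one line.
AVC_SAMPLE="avc: denied { write } for comm='\"ifconfig\"' dev='sda10' egid='0' euid='0' exe='\"/sbin/ifconfig\"' exit='0' fsgid='0' fsuid='0' gid='0' items='0' name='\"openvpn.log\"' path='\"/etc/openvpn/openvpn.log\"' pid='2983' scontext=system_u:system_r:ifconfig_t:s0 sgid='0' subj='system_u:system_r:ifconfig_t:s0' suid='0' tclass='file' tcontext=system_u:object_r:openvpn_etc_t:s0 tty='(none)' uid='0'"

# Permission set between "denied {" and "}", e.g. "write" or "read write".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
    | sed 's/[[:space:]]*$//'
}

# Value of key=... in one record; accepts key='"v"', key='v' and bare key=v.
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=['\"]*\([^'\" ]*\).*/\1/p"
}

# Type field (user:role:TYPE:level) of a security context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# The single allow rule that would silence this denial.
avc_to_allow() {
  printf 'allow %s %s:%s { %s };\n' \
    "$(ctx_type "$(avc_field scontext "$1")")" \
    "$(ctx_type "$(avc_field tcontext "$1")")" \
    "$(avc_field tclass "$1")" "$(avc_perms "$1")"
}

# A complete .te source for a module named $2 containing that rule.
avc_to_te() {
  printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n%s\n' \
    "$2" \
    "$(ctx_type "$(avc_field scontext "$1")")" \
    "$(ctx_type "$(avc_field tcontext "$1")")" \
    "$(avc_field tclass "$1")" "$(avc_perms "$1")" \
    "$(avc_to_allow "$1")"
}

# Review the output, then build and load it with:
#   checkmodule -M -m -o local.mod local.te
#   semodule_package -o local.pp -m local.mod
#   semodule -i local.pp
avc_to_te "$AVC_SAMPLE" local
```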



