AVC denied messages for openvpn and procmail
Daniel J Walsh
dwalsh at redhat.com
Mon Nov 27 19:49:54 UTC 2006
Tony Molloy wrote:
> Hi,
>
> I'm trying to get up to speed on SElinux so sorry for being so long.
>
> I've managed to get rid of various avc denied messages. However I'm
> getting the following two AVC denied messages from setroubleshoot. They
> are not causing any problems but I would like to know how to go about
> getting rid of them. Would I need to have some sort of local policy.
>
> I'll include the complete message here.
>
>
>> Summary
>>
>
>
>> SELinux is preventing /sbin/ifconfig (ifconfig_t) "write"
>> to /etc/openvpn/openvpn.log (openvpn_etc_t).
>>
>
>
>> Detailed Description
>>
>
>
>> SELinux denied access requested by /sbin/ifconfig. It is not expected
>> that this access is required by /sbin/ifconfig and this access may
>> signal an intrusion attempt. It is also possible that the specific
>> version or configuration of the application is causing it to require
>> additional access.
>>
>
>
>> Allowing Access
>>
>
>
>> Sometimes labeling problems can cause SELinux denials. You could try to
>> restore the default system file context for /etc/openvpn/openvpn.log,
>> restorecon -v /etc/openvpn/openvpn.log If this does not work, there is
>> currently no automatic way to allow this access. Instead, you can
>> generate a local policy module to allow this access - see FAQ Or you can
>> disable SELinux protection altogether. Disabling SELinux protection is
>> not recommended. Please file a bug report against this package.
>>
>
>
>> Additional Information
>>
>
>
>> Source Context system_u:system_r:ifconfig_t:s0
>> Target Context system_u:object_r:openvpn_etc_t:s0
>> Target Objects /etc/openvpn/openvpn.log [ file ]
>> Affected RPM Packages net-tools-1.60-73 [application]
>> Policy RPM selinux-policy-2.4.3-10.fc6
>> Selinux Enabled True
>> Policy Type targeted
>> MLS Enabled True
>> Enforcing Mode Enforcing
>> Plugin Name plugins.catchall
>> Host Name localhost
>> Platform Linux localhost 2.6.18-1.8492.fc6 #1 SMP Fri Nov 10 12:45:28 EST
>> 2006 i686 i686
>>
>
>
>> Raw Audit Messages
>>
>
>
>> avc: denied { write } for comm='"ifconfig"' dev='sda10' egid='0' euid='0'
>> exe='"/sbin/ifconfig"' exit='0' fsgid='0' fsuid='0' gid='0' items='0'
>> name='"openvpn.log"' path='"/etc/openvpn/openvpn.log"' pid='2983'
>> scontext=system_u:system_r:ifconfig_t:s0 sgid='0'
>> subj='system_u:system_r:ifconfig_t:s0' suid='0' tclass='file'
>> tcontext=system_u:object_r:openvpn_etc_t:s0 tty='(none)' uid='0'
>>
>
> This is on a laptop. I tried "restorecon -v /etc/openvpn/openvpn.log" but
> since openvpn.log is recreated on each boot then it's always going to
> have the wrong label. How can I get rid of this.
>
This is a bug in openvpn. Please report to them that they are leaking
the open file descriptor to their log file. Basically it is leaking a
file descriptor which is causing this access. This is not really a
problem, in that ifconfig does not need this access to function
correctly. You can tell setroubleshoot to ignore the message and it
will stop bothering you, until openvpn fixes their problem.
>
>
>
>> Summary
>>
>
>
>> SELinux is preventing access to files with the default label, default_t.
>>
>
>
>> Detailed Description
>>
>
>
>> These files have the default label on them. This can indicate a labeling
>> problem, especially if the files being referred to are not top level
>> directories. IE everything under /usr, /var, /dev, /tmp, ... should not
>> be labeled with the default label. The default label is for files who do
>> not have a label on a parent directory. So if you create a new directory
>> in / you might legitimately get this label.
>>
>
>
>> Allowing Access
>>
>
>
>> If you want a confined domain to use these files you will probably need
>> to relabel the file/directory with chcon. In some cases it is just
>> easier to relabel the system, to relabel execute: "touch /.autorelabel;
>> reboot"
>>
>
>
>> Additional Information
>>
>
>
>> Source Context system_u:system_r:procmail_t:s0
>> Target Context system_u:object_r:default_t:s0
>> Target Objects / [ dir ]
>> Affected RPM Packages procmail-3.22-17.1 [application]filesystem-2.4.0-1
>> [target]
>> Policy RPM selinux-policy-2.4.3-10.fc6
>> Selinux Enabled True
>> Policy Type targeted
>> MLS Enabled True
>> Enforcing Mode Enforcing
>> Plugin Name plugins.default
>> Host Name localhost
>> Platform Linux localhost 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST
>> 2006 i686 i686
>>
>
>
>> Raw Audit Messages
>>
>
>
>> avc: denied { search } for comm='"procmail"' dev='sda8' egid='12'
>> euid='0' exe='"/usr/bin/procmail"' exit='-13' fsgid='12' fsuid='0'
>> gid='12' items='0' name='"/"' pid='3112'
>> scontext=system_u:system_r:procmail_t:s0 sgid='12'
>> subj='system_u:system_r:procmail_t:s0' suid='0' tclass='dir'
>> tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0'
>>
>
>
> Again I tried "touch /.autorelabel; reboot" but I keep getting the avc
> denied message.
>
> Regards,
>
> Tony
>
/ should be labeled root_t? not default_t?
ls -lZd /
restorecon /
ls -lZd /
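The two reports in this thread have different causes, and the raw audit lines already tell them apart. The following Python is an added example (not code from the list, from openvpn or from setroubleshoot): it parses the two raw audit messages quoted above, sorts them by likely cause, and reproduces the descriptor leak Dan describes, a daemon opening its log without FD_CLOEXEC, exec'ing a helper, and the helper still being able to write to the log. The triage rule that a denial whose syscall exit is 0 came from the kernel closing an inherited descriptor at execve (rather than from a refused open or write) is a heuristic added here; the temporary log file and the `leak` marker are constructed for the demonstration.

```python
"""Added example: triage the two AVC denials quoted in this thread and
reproduce the fd leak behind the first one (not openvpn or list code)."""
import os
import re
import subprocess
import sys
import tempfile

# Constructed input: the two raw audit messages from the thread, each
# joined back onto one line (the archive wrapped them).
AVC_IFCONFIG = (
    "avc: denied { write } for comm='\"ifconfig\"' dev='sda10' egid='0' euid='0' "
    "exe='\"/sbin/ifconfig\"' exit='0' fsgid='0' fsuid='0' gid='0' items='0' "
    "name='\"openvpn.log\"' path='\"/etc/openvpn/openvpn.log\"' pid='2983' "
    "scontext=system_u:system_r:ifconfig_t:s0 sgid='0' "
    "subj='system_u:system_r:ifconfig_t:s0' suid='0' tclass='file' "
    "tcontext=system_u:object_r:openvpn_etc_t:s0 tty='(none)' uid='0'"
)
AVC_PROCMAIL = (
    "avc: denied { search } for comm='\"procmail\"' dev='sda8' egid='12' "
    "euid='0' exe='\"/usr/bin/procmail\"' exit='-13' fsgid='12' fsuid='0' "
    "gid='12' items='0' name='\"/\"' pid='3112' "
    "scontext=system_u:system_r:procmail_t:s0 sgid='12' "
    "subj='system_u:system_r:procmail_t:s0' suid='0' tclass='dir' "
    "tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0'"
)

# key='"quoted"', key='bare' and key=bare, as setroubleshoot printed them.
_FIELD = re.compile(r"""(\w+)=(?:'"?([^']*?)"?'|(\S+))""")
_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")


def parse_avc(line):
    """Return the denied permissions plus every key=value field as a dict."""
    m = _PERMS.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    rec = {"perms": m.group(1).split()}
    for key, quoted, bare in _FIELD.findall(line):
        rec[key] = quoted if quoted else bare
    return rec


def context_type(ctx):
    """user:role:type:level -> type"""
    return ctx.split(":")[2]


def triage(rec):
    """Classify a parsed denial; returns (kind, what to do about it)."""
    ttype = context_type(rec["tcontext"])
    if ttype == "default_t":
        # Nothing inside a labeled tree should be default_t (Dan: '/' itself
        # should be root_t).  Fix the label, not the policy.
        return ("mislabeled",
                "%s is default_t: restorecon -v %s, then ls -Zd %s"
                % ((rec["name"],) * 3))
    if rec.get("exit") == "0" and rec["tclass"] == "file":
        # Heuristic: the syscall still returned 0, so no open()/write() was
        # refused.  At execve the kernel checks each inherited fd against
        # the new domain, logs a denial for any it may not keep and swaps
        # it for /dev/null.  The parent leaked the fd; the exec'd program
        # never needed the access.
        return ("leaked-fd",
                "%s inherited an open fd to %s; fix the parent, not the policy"
                % (rec["comm"], rec["path"]))
    return ("policy-gap",
            "%s needs { %s } on %s (%s); would need a local module"
            % (context_type(rec["scontext"]), " ".join(rec["perms"]),
               rec.get("path", rec["name"]), ttype))


def child_can_write(inheritable):
    """Open a log the way a daemon does, exec a helper, and report whether
    the helper could still write through the inherited fd.  inheritable=True
    is the openvpn bug; False leaves FD_CLOEXEC set (C gets the same with
    O_CLOEXEC or fcntl(fd, F_SETFD, FD_CLOEXEC)) so the fd dies at exec."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "openvpn.log")  # constructed stand-in log
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
        try:
            os.set_inheritable(fd, inheritable)  # True clears FD_CLOEXEC
            helper = "import os, sys; os.write(int(sys.argv[1]), b'leak')"
            proc = subprocess.run([sys.executable, "-c", helper, str(fd)],
                                  close_fds=False, stderr=subprocess.DEVNULL)
            return proc.returncode == 0  # 0 only if the fd survived execve
        finally:
            os.close(fd)


if __name__ == "__main__":
    for line in (AVC_IFCONFIG, AVC_PROCMAIL):
        kind, why = triage(parse_avc(line))
        print("%-11s %s" % (kind, why))
    print("helper wrote via leaked fd:", child_can_write(True))
    print("helper wrote with FD_CLOEXEC:", child_can_write(False))
```

The `exit='0'` on the ifconfig record is the tell: a real refused write would show `exit='-13'` (EACCES) as the procmail record does. Once openvpn opens its log with FD_CLOEXEC the ifconfig denial disappears on its own; the procmail one goes away when `/` gets its proper label back.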
More information about the fedora-selinux-list mailing list