setroubleshootd message.....cool!

Tom London selinux at gmail.com
Fri Sep 1 20:28:26 UTC 2006


During update of today's rawhide, I get this in /var/log/messages (and
a nice icon in the tray):

Sep  1 08:18:44 localhost Updated: kexec-tools.i386 1.101-51.fc6
Sep  1 08:19:14 localhost /usr/sbin/setroubleshootd:      SELinux is
preventing /usr/sbin/lvm (lvm_t) "getattr" to /dev/nvram
(unlabeled_t).      See audit.log for complete SELinux messages. id =
1fbf1f44-8ff6-4eb2-96dd-cdfe9ea35829
Sep  1 08:19:22 localhost Installed: kernel.i686 2.6.17-1.2608.fc6

Here's the associated AVC:

type=AVC msg=audit(1157123951.753:51): avc:  denied  { getattr } for
pid=7465 comm="lvs" name="nvram" dev=tmpfs ino=3418
scontext=user_u:system_r:lvm_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1157123951.753:51): arch=40000003 syscall=195
success=no exit=-13 a0=8611ef8 a1=bfc3281c a2=c4fff4 a3=8611ef8
items=0 ppid=7464 pid=7465 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="lvs" exe="/usr/sbin/lvm"
subj=user_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1157123951.753:51):  path="/dev/nvram"

On reboot, /dev/nvram seems to be labeled properly.
[tbl at localhost ~]$ ls -lZ /dev/nvram
crw-rw----  root root system_u:object_r:nvram_device_t /dev/nvram
[tbl at localhost ~]$

Anyway, setroubleshoot is neat.....

tom
-- 
Tom London
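
The denial quoted in the message above, parsed and triaged as an added example (not part of the original post and not setroubleshoot's own code). The function names are hypothetical, the sample is the post's AVC and AVC_PATH records with the mail line wrapping undone, and the labeling/policy split is a simplifying assumption: a target type of unlabeled_t points at a missing file label, which fits the post's observation that /dev/nvram is nvram_device_t after reboot.

```python
import re
import shlex

# Records copied from the post above, with the mail client's line wrapping undone.
SAMPLE = '''\
type=AVC msg=audit(1157123951.753:51): avc:  denied  { getattr } for pid=7465 comm="lvs" name="nvram" dev=tmpfs ino=3418 scontext=user_u:system_r:lvm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1157123951.753:51):  path="/dev/nvram"
'''

HEADER = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')

def fields(text):
    """Return key=value pairs; shlex strips the quotes around comm/name/path."""
    return dict(tok.split('=', 1) for tok in shlex.split(text) if '=' in tok)

def parse_denials(log):
    """Group records by audit event serial and return one dict per AVC denial."""
    events = {}
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _timestamp, serial, body = m.groups()
        ev = events.setdefault(serial, {})
        if rtype == 'AVC':
            a = AVC.match(body)
            if a and a.group(1) == 'denied':
                ev.update(fields(a.group(3)))
                ev['perms'] = a.group(2).split()
        elif rtype == 'AVC_PATH':
            ev.update(fields(body))  # attaches path= to the same event
    return [e for e in events.values() if 'perms' in e]

def triage(ev):
    """The type is the third field of an SELinux context (user:role:type[:level])."""
    target_type = ev['tcontext'].split(':')[2]
    # Assumption: unlabeled_t target means fix the label, anything else means review policy.
    return 'labeling' if target_type == 'unlabeled_t' else 'policy'
```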



