Two issues

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 27 17:51:15 UTC 2006


On Wed, 2006-09-27 at 13:32 -0400, Richard Irving wrote:
> Hi,
>    I am having two issues with FC5 (x86_64) and selinux....
> 
> First, it appears the system is having a problem logging AVCs:
> 
> ===================================================================
> Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC 
> avc:  received policyload notice (seqno=4) : exe="?" (sauid=81, 
> hostname=?, addr=?, terminal=?)
> Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC 
> avc:  2 AV entries and 2/512 buckets used, longest chain length 1 : 
> exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
> Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC 
> avc:  received policyload notice (seqno=4) : exe="/bin/dbus-daemon" 
> (sauid=500, hostname=?, addr=?, terminal=?)
> Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC 
> avc:  0 AV entries and 0/512 buckets used, longest chain length 0 : 
> exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)

Not certain about this one, although I recall issues with the session
dbus (which runs with the user's identity, not as root) not being able
to generate audit messages in the past.  Steve?
> ================================================================
> 
> And second, I was working on a hand-edited local.te, as selinux is 
> preventing vsftpd from creating files in users' home directories...
> When running the policy compiler, I get.....
> 
> ========================================================================
> (unknown source)::ERROR 'permission write is not defined for class dir' 
> at token ';' on line 22:
> allow ftpd_t user_home_dir_t:dir { getattr read search write };
> allow ftpd_t user_home_t:dir { getattr read search write };
> ===============================================================
> 
>    And it appears "write" is no longer a valid attribute for directories?  
> What is its replacement?  The AVC is calling it a "write" problem...
> and audit2allow says the correcting line should be:
> 
> allow ftpd_t user_home_dir_t:dir write;
> 
> Am I missing something ?
> 
> TIA!

How was that local.te file generated?  In any event, assuming you are
trying to build it as a module, it needs to declare any required
permissions in its require block, which can either be done explicitly or
by using the policy_module() macro.  Otherwise, the compiler doesn't
know that it is an external dependency.

-- 
Stephen Smalley
National Security Agency
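As an added illustration (not part of the original thread), here is the hand-edited local.te from the question rewritten as a loadable module the way the reply describes: policy_module() supplies the module header and a require block for every kernel object class and permission (so "write" on class dir is known), and gen_require() declares the externally defined types. The module name "local" and version "1.0" are assumed.

```selinux
# local.te  (added example; module name and version are assumed)
#
# policy_module() expands to "module local 1.0;" plus a require block
# covering all kernel object classes and their permissions, so the
# compiler knows that "write" is a valid permission of class dir.
policy_module(local, 1.0)

# Types defined in the base policy or other modules are external
# dependencies and must be declared, or checkmodule rejects them in the
# same way it rejected the undeclared permission.
gen_require(`
	type ftpd_t;
	type user_home_dir_t;
	type user_home_t;
')

# The rules from the original local.te, unchanged: "write" on class dir
# was never the problem, only the missing require block was.
allow ftpd_t user_home_dir_t:dir { getattr read search write };
allow ftpd_t user_home_t:dir { getattr read search write };

# Equivalent written explicitly, without the reference policy macros
# (plain checkmodule syntax, as the reply's other option):
#
#   module local 1.0;
#   require {
#       type ftpd_t, user_home_dir_t, user_home_t;
#       class dir { getattr read search write };
#   }
#   allow ftpd_t user_home_dir_t:dir { getattr read search write };
#   allow ftpd_t user_home_t:dir { getattr read search write };
```

The macro form is built and loaded with `make -f /usr/share/selinux/devel/Makefile local.pp && semodule -i local.pp` (the Makefile ships in selinux-policy-devel); the explicit form is built with `checkmodule -M -m -o local.mod local.te` followed by `semodule_package -o local.pp -m local.mod`.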

More information about the fedora-selinux-list mailing list