Selinux error help - continued

Stephen Smalley sds at tycho.nsa.gov
Thu Feb 8 15:13:09 UTC 2007 

On Thu, 2007-02-08 at 14:48 +0000, Dan Track wrote:
> Thanks for getting back.
> I started the audit daemon and I got the following come up when I
> tried to create a profile from the web page:
> ype=AVC msg=audit(1170945767.596:8934): avc:  denied  { getattr } for
> pid=18356 comm="beltane_cp" name="TMPFILvLYQ7Z" dev=sda3 ino=147703
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:object_r:httpd_var_lib_t tclass=file
> type=SYSCALL msg=audit(1170945767.596:8934): arch=40000003 syscall=196
> success=no exit=-13 a0=bffa1b9d a1=bff42cdc a2=8a9ff4 a3=bff42cdc
> items=1 pid=18356 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0
> egid=48 sgid=48 fsgid=48 comm="beltane_cp"
> exe="/usr/local/bin/beltane_cp"
> type=AVC_PATH msg=audit(1170945767.596:8934):
> path="/var/lib/yule/profiles/TMPFILvLYQ7Z"
> type=CWD msg=audit(1170945767.596:8934):  cwd="/opt/www/beltane/php"
> type=PATH msg=audit(1170945767.596:8934):
> name="/var/lib/yule/profiles/TMPFILvLYQ7Z" flags=0  inode=147703
> dev=08:03 mode=0100600 ouid=48 ogid=48 rdev=00:00
> type=AVC msg=audit(1170945774.915:8935): avc:  denied  { getsession }
> for  pid=15500 comm="httpd" scontext=root:system_r:httpd_t
> tcontext=root:system_r:unconfined_t tclass=process
> type=AVC msg=audit(1170945805.142:8936): avc:  denied  { getsession }
> for  pid=31207 comm="httpd" scontext=root:system_r:httpd_t
> tcontext=root:system_r:unconfined_t tclass=process
> type=AVC msg=audit(1170945835.202:8937): avc:  denied  { getsession }
> for  pid=15498 comm="httpd" scontext=root:system_r:httpd_t
> tcontext=root:system_r:unconfined_t tclass=process
> 
> I'm not sure what you meant by the "a0" argument. The exe in the above
> output shows "/usr/local/bin/beltane_cp" and the uid show 48 (apache).
> Is this what you meant?

I'm looking for the SYSCALL record that corresponds to the getsession
AVC message.  It should have the same audit event id as the AVC message.
But I don't see one above.  What I was interested in was what pid is
being passed to the getsid() call, and what process corresponds to that
pid - that is the unconfined process that httpd is trying to get
information about.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list