Selinux error help - continued

Dan Track dan.track at gmail.com
Thu Feb 8 16:09:15 UTC 2007


On 2/8/07, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Thu, 2007-02-08 at 14:48 +0000, Dan Track wrote:
> > Thanks for getting back.
> > I started the audit daemon and I got the following come up when I
> > tried to create a profile from the web page:
> > type=AVC msg=audit(1170945767.596:8934): avc:  denied  { getattr } for
> > pid=18356 comm="beltane_cp" name="TMPFILvLYQ7Z" dev=sda3 ino=147703
> > scontext=root:system_r:httpd_sys_script_t
> > tcontext=root:object_r:httpd_var_lib_t tclass=file
> > type=SYSCALL msg=audit(1170945767.596:8934): arch=40000003 syscall=196
> > success=no exit=-13 a0=bffa1b9d a1=bff42cdc a2=8a9ff4 a3=bff42cdc
> > items=1 pid=18356 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0
> > egid=48 sgid=48 fsgid=48 comm="beltane_cp"
> > exe="/usr/local/bin/beltane_cp"
> > type=AVC_PATH msg=audit(1170945767.596:8934):
> > path="/var/lib/yule/profiles/TMPFILvLYQ7Z"
> > type=CWD msg=audit(1170945767.596:8934):  cwd="/opt/www/beltane/php"
> > type=PATH msg=audit(1170945767.596:8934):
> > name="/var/lib/yule/profiles/TMPFILvLYQ7Z" flags=0  inode=147703
> > dev=08:03 mode=0100600 ouid=48 ogid=48 rdev=00:00
> > type=AVC msg=audit(1170945774.915:8935): avc:  denied  { getsession }
> > for  pid=15500 comm="httpd" scontext=root:system_r:httpd_t
> > tcontext=root:system_r:unconfined_t tclass=process
> > type=AVC msg=audit(1170945805.142:8936): avc:  denied  { getsession }
> > for  pid=31207 comm="httpd" scontext=root:system_r:httpd_t
> > tcontext=root:system_r:unconfined_t tclass=process
> > type=AVC msg=audit(1170945835.202:8937): avc:  denied  { getsession }
> > for  pid=15498 comm="httpd" scontext=root:system_r:httpd_t
> > tcontext=root:system_r:unconfined_t tclass=process
> >
> > I'm not sure what you meant by the "a0" argument. The exe in the above
> > output shows "/usr/local/bin/beltane_cp" and the uid show 48 (apache).
> > Is this what you meant?
>
> I'm looking for the SYSCALL record that corresponds to the getsession
> AVC message.  It should have the same audit event id as the AVC message.
> But I don't see one above.  What I was interested in was what pid is
> being passed to the getsid() call, and what process corresponds to that
> pid - that is the unconfined process that httpd is trying to get
> information about.
>

Hi

I've tried to capture the process information that is triggering these
alerts, but so far I'm failing. Basically the web page is just a form
which you submit; as soon as you press the submit button the whole
process is over in a second.

I've tried running the following to capture what is causing it:
 # grep and awk block-buffer when writing into a pipe; without --line-buffered/fflush() nothing reaches xargs until a buffer fills
 # field 12 of a SYSCALL record is pid= (the calling process); a0= (the first syscall argument, printed in hex) is field 7
 tail -f /var/log/audit/audit.log | grep --line-buffered SYSCALL | grep --line-buffered beltane \
   | awk -F' ' '{ print $12; fflush() }' \
   | awk -F'=' '{ print "/proc/" $2 "/cmdline"; fflush() }' \
   | xargs -r -n1 cat

But I'm getting blanks when running with tail. Any ideas of another
way to capture the info using the pid in the a0 field of the audit log?

Thanks in advance
Dan
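The correlation Stephen describes above (the AVC record and the SYSCALL record of one event share the serial number after the timestamp in msg=audit(TIMESTAMP:SERIAL), and for a getsid() denial the pid being asked about is the first syscall argument, which audit prints in hex as a0=) can be done after the fact from the log file, which avoids racing a process that is gone within a second. The script below is an added example and is not code from this thread, from Beltane or from the audit tools. It assumes i386 syscall numbering (arch=40000003) for the two calls seen on the page, and the SAMPLE_LOG it parses is constructed: the records quoted above joined back onto one line each, plus an assumed SYSCALL record for event 8935 (not present in the original mail) to show what the missing record would look like.

```python
"""Correlate SELinux AVC denials with their SYSCALL records by audit event id.

Added example, not from the mailing-list thread.  Records of one audit event
carry the same serial in msg=audit(TIMESTAMP:SERIAL); the SYSCALL record of a
getsid() denial carries the queried pid as a0= (bare hex).
"""
import re
from collections import defaultdict

# Assumption: i386 (arch=40000003) syscall numbers for the two calls on the page.
I386_SYSCALLS = {147: "getsid", 196: "lstat64"}

HEADER_RE = re.compile(r'^type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

# Constructed sample: page records on one line each, plus an assumed SYSCALL
# record for event 8935 that is NOT in the original mail.
SAMPLE_LOG = """\
type=AVC msg=audit(1170945767.596:8934): avc:  denied  { getattr } for  pid=18356 comm="beltane_cp" name="TMPFILvLYQ7Z" dev=sda3 ino=147703 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_var_lib_t tclass=file
type=SYSCALL msg=audit(1170945767.596:8934): arch=40000003 syscall=196 success=no exit=-13 a0=bffa1b9d a1=bff42cdc a2=8a9ff4 a3=bff42cdc items=1 pid=18356 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="beltane_cp" exe="/usr/local/bin/beltane_cp"
type=AVC_PATH msg=audit(1170945767.596:8934):  path="/var/lib/yule/profiles/TMPFILvLYQ7Z"
type=AVC msg=audit(1170945774.915:8935): avc:  denied  { getsession } for  pid=15500 comm="httpd" scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=process
type=SYSCALL msg=audit(1170945774.915:8935): arch=40000003 syscall=147 success=no exit=-13 a0=7b00 a1=0 a2=0 a3=0 items=0 pid=15500 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1170945805.142:8936): avc:  denied  { getsession } for  pid=31207 comm="httpd" scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=process
"""


def parse_record(line):
    """Split one audit record into its type, event serial and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "ts": ts, "serial": int(serial),
           "fields": {k: v.strip('"') for k, v in KV_RE.findall(body)}}
    pm = PERM_RE.search(body)            # only AVC records carry "{ perm }"
    if pm:
        rec["result"], rec["perms"] = pm.group(1), pm.group(2).split()
    return rec


def correlate(lines):
    """Group records by serial; attach the event's SYSCALL record to each AVC denial."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    out = []
    for serial in sorted(events):
        recs = events[serial]
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for avc in (r for r in recs if r["type"] == "AVC" and r.get("result") == "denied"):
            f = avc["fields"]
            entry = {"serial": serial, "perms": avc["perms"], "comm": f.get("comm"),
                     "scontext": f.get("scontext"), "tcontext": f.get("tcontext"),
                     "tclass": f.get("tclass"), "syscall": None, "a0": None,
                     "target_pid": None}
            if syscall:
                sf = syscall["fields"]
                nr = int(sf["syscall"])
                entry["syscall"] = I386_SYSCALLS.get(nr, "syscall_%d" % nr)
                entry["a0"] = int(sf["a0"], 16)          # audit prints args as bare hex
                if entry["syscall"] == "getsid":
                    entry["target_pid"] = entry["a0"]   # getsid(pid): a0 is the pid queried
            out.append(entry)
    return out


def describe(entry):
    """One-line summary of a correlated denial."""
    s = "event %d: %s denied %s on %s (%s -> %s)" % (
        entry["serial"], entry["comm"], " ".join(entry["perms"]), entry["tclass"],
        entry["scontext"], entry["tcontext"])
    if entry["syscall"] is None:
        return s + "; no SYSCALL record in this event"
    s += "; syscall=%s a0=0x%x" % (entry["syscall"], entry["a0"])
    if entry["target_pid"] is not None:
        s += " -> process %d is the unconfined target" % entry["target_pid"]
    return s


def correlate_file(path):
    """Run the correlation over a real audit.log (e.g. /var/log/audit/audit.log)."""
    with open(path, errors="replace") as fh:
        return correlate(fh)


if __name__ == "__main__":
    for e in correlate(SAMPLE_LOG.splitlines()):
        print(describe(e))
```

Run it against /var/log/audit/audit.log with correlate_file() once the denial has happened; the getsid target pid comes out of the log itself, so it does not matter that the web request finished long before you looked. An event whose AVC has no SYSCALL record (8936 in the sample) is reported as such, which is the situation Stephen points out in the quoted reply.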




More information about the fedora-selinux-list mailing list