Worrying AVC messages

Stephen Smalley sds at tycho.nsa.gov
Mon Jan 22 14:49:47 UTC 2007


On Sun, 2007-01-21 at 12:24 +0000, Anne Wilson wrote:
> I'm seeing a lot of AVC messages, a sample of which is
> 
> type=AVC msg=audit(1162463326.809:49): avc:  denied  { search } for  pid=4186 
> comm="postmap" name="nscd" dev=hdb1 ino=195773
> 
> type=AVC msg=audit(1162483288.034:31): avc:  denied  { write } for  pid=5804 
> comm="ip" name="[23145]" dev=pipefs ino=23145
> 
> type=AVC msg=audit(1162483738.762:39): avc:  denied  { write } for  pid=7191 
> comm="ip" name="[27659]" dev=pipefs ino=27659
> 
> type=AVC msg=audit(1169284673.188:58): avc:  denied  { ioctl } for  pid=4212 
> comm="smartd" name="hda" dev=tmpfs ino=879
> 
> type=AVC msg=audit(1162495544.436:62): avc:  denied  { write } for  pid=28024 
> comm="setfiles" name="[120832]" dev=pipefs ino=120832
> 
> type=AVC_PATH msg=audit(1169310171.523:150):  path="/dev/bus/usb/001/004"
> type=AVC msg=audit(1169310172.778:151): avc:  denied  { read } for  pid=2996 
> comm="hald-addon-stor" name="hdd" dev=tmpfs ino=7431
> 
> I don't really understand what is going on.  'postmap' to me implies postfix, 
> which seems odd.
> 
> There are many such messages about smartd.  This is something I'd want to be 
> working.  Why is this blocked?  Can/Should I enable it?  How?
> 
> I looked at /dev/bus/usb/001/004 but I can't tell what this is.  I'm guessing 
> that it's a card-reader, but it's sheer guesswork.
> 
> I'd be glad of any hints.  SELinux hasn't really caused me any problems up to 
> now, but one of my projects, which I'll address in a later thread, may be 
> being blocked, so I need to start to understand more.

You don't seem to have included the scontext, tcontext, and tclass
information, which is the real basis for the permission denial.

You can also get supplemental information about each avc denial by
enabling system call auditing.  Requires installing "audit" and adding
at least one audit rule to enable collection of the full audit context.
This will provide you with information like the system call number and
arguments, the path that has been looked up, etc.

audit2allow can be used to generate a local policy module to allow
permissions as appropriate; see its man page and the Fedora SELinux FAQ.
 
-- 
Stephen Smalley
National Security Agency
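
The point made in the reply above, as an added example that is not part of the original message: a small Python parser that groups audit records by the event id inside `audit(...)` and reports which of scontext, tcontext and tclass a denial lacks. The first sample record is copied from the post; the second record, its SELinux contexts and the `/dev/hda` path are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: record 58 is copied from the post (context fields absent);
# record 59 and its AVC_PATH are made up, and their contexts are assumptions.
SAMPLE = '''\
type=AVC msg=audit(1169284673.188:58): avc:  denied  { ioctl } for  pid=4212 comm="smartd" name="hda" dev=tmpfs ino=879
type=AVC msg=audit(1169284700.001:59): avc:  denied  { ioctl } for  pid=4212 comm="smartd" name="hda" dev=tmpfs ino=879 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC_PATH msg=audit(1169284700.001:59):  path="/dev/hda"
'''

HEADER = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ("scontext", "tcontext", "tclass")

def parse_avc(text):
    """Merge records that share one event id (timestamp:serial) into one dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, stamp, serial, body = m.groups()
        ev = events[f"{stamp}:{serial}"]
        if rtype == "AVC":
            p = PERMS.search(body)
            if p:
                ev["result"], ev["perms"] = p.group(1), p.group(2).split()
        for key, val in FIELD.findall(body):
            ev[key] = val.strip('"')
    return dict(events)

def missing_fields(event):
    """Fields the denial cannot be interpreted without."""
    return [f for f in REQUIRED if f not in event]

def summarize(event):
    """(source context, target context, class, permissions), or None if incomplete."""
    if missing_fields(event) or "perms" not in event:
        return None
    return (event["scontext"], event["tcontext"], event["tclass"], tuple(event["perms"]))

if __name__ == "__main__":
    for eid, ev in parse_avc(SAMPLE).items():
        print(eid, ev.get("comm"), summarize(ev) or f"missing: {missing_fields(ev)}")
```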



