Worrying AVC messages

Stephen Smalley sds at tycho.nsa.gov
Tue Jan 23 19:58:32 UTC 2007


On Tue, 2007-01-23 at 19:33 +0000, Anne Wilson wrote:
> On Monday 22 January 2007 19:40, Stephen Smalley wrote:
> > > type=AVC msg=audit(1162463326.809:49): avc:  denied  { search } for 
> > > pid=4186 comm="postmap" name="nscd" dev=hdb1 ino=195773
> > > scontext=user_u:system_r:postfix_map_t:s0
> > > tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
> > > type=SYSCALL msg=audit(1162463326.809:49): arch=40000003 syscall=102
> > > success=no exit=-2 a0=3 a1=bf915688 a2=67eff4 a3=4 items=0 ppid=4147
> > > pid=4186 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > > tty=pts5 comm="postmap" exe="/usr/sbin/postmap"
> > > subj=user_u:system_r:postfix_map_t:s0 key=(null)
> >
> > Yes, that shows the security contexts of the source (process) and the
> > target (in this case, a directory).  audit2allow will turn those
> > messages into allow rules, e.g.
> > 	su -
> > 	audit2allow -a -M local
> > 	semodule -i local.pp
> >
> After reading the man pages I find that I'm no wiser as to what this is doing.  
> I understand the first and last lines, but could you explain how you build 
> the audit2allow line, and what it actually does?

audit2allow is just a filter that reads avc messages and emits policy
rules that would allow them.  The -a option tells it to check
both /var/log/messages and the audit logs for avc messages (using
ausearch for processing the audit logs).  The -M local option tells it
to generate a loadable policy module named "local".  Upon completion,
you should have the following files in the current directory:
1) local.te - the policy source generated by audit2allow based on the
avc messages,
2) local.mod - binary representation of the same, created by
checkmodule,
3) local.pp - policy package file, containing local.mod and optionally
other policy components (but not in this case), created by
semodule_package.

The last file is then loadable via semodule -i.
When semodule -i completes, your policy has been updated and loaded into
the kernel.

-- 
Stephen Smalley
National Security Agency