mrtg selinux denials in default configuration
Daniel J Walsh
dwalsh at redhat.com
Tue Apr 15 13:57:26 UTC 2008
David Timms wrote:
> Daniel J Walsh wrote:
>> # semanage user -l
>> # semanage login -l
> #assume DJW_REQUESTING_RESULT:
>
> # semanage user -l
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Lvl    MCS Range                      SELinux Roles
>
> root            user       s0         SystemLow-SystemHigh           system_r staff_r unconfined_r sysadm_r
> staff_u         user       s0         SystemLow-SystemHigh           system_r staff_r sysadm_r
> sysadm_u        user       s0         SystemLow-SystemHigh           sysadm_r
> system_u        user       s0         SystemLow-SystemHigh           system_r
> unconfined_u    unconfined s0         SystemLow-SystemHigh           system_r unconfined_r
> user_u          user       s0         s0                             user_r
>
> # semanage login -l
> Login Name                SELinux User              MLS/MCS Range
>
> __default__               unconfined_u              SystemLow-SystemHigh
> root                      unconfined_u              SystemLow-SystemHigh
> system_u                  system_u                  SystemLow-SystemHigh
>
> As an aside, I erased mrtg yesterday - no more mrtg denials.
> Reinstalled mrtg just now, mrtg denials every five minutes. It is also
> possible that when originally installed under F8, that I attempted to
> configure it, but I can't find any evidence of that in /etc ...etc. My
> other machine doesn't popup the denials with a default install, so I
> expect there must be some invalid or selinux not configured to match
> service requirements.
> ===
> Actually running same -l on another f9beta notebook:
> # semanage user -l {has the ones above plus:}
>
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>
> guest_u         guest      s0         s0                             guest_r
> xguest_u        xguest     s0         s0                             xguest_r
>
> # semanage login -l {same 3 items, except the selinux user for root is
> different}.
> Login Name                SELinux User              MLS/MCS Range
>
> root                      root                      SystemLow-SystemHigh
>
> Given autorelabel doesn't seem to solve it, is it worth {possible} to
> rpm -e the targeted policy, then reinstall it - or am I barking up the
> wrong tree ?
> =====
>
> DaveT.
OK, I looked at the bugzilla; it looks like mrtg is execing top, which is
reading all process /proc information. Does it need to be able to read
all this, or can I dontaudit it?
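Added example, not part of the original message or of any project's own code: a sketch of the triage described in the reply above, grouping AVC denials on procfs by command and source type to spot a process that is reading every domain's /proc entries. The audit records, including the mrtg_t source type and the target type names, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not from the thread); the types, pids and
# inode numbers are illustrative assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1208267701.101:410): avc:  denied  { getattr } for  pid=2345 comm="top" path="/proc/1" dev=proc ino=65538 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1208267701.102:411): avc:  denied  { search } for  pid=2345 comm="top" name="1812" dev=proc ino=118751234 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=dir
type=AVC msg=audit(1208267701.103:412): avc:  denied  { read } for  pid=2345 comm="top" name="stat" dev=proc ino=118751240 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=file
type=AVC msg=audit(1208267701.104:413): avc:  denied  { getattr } for  pid=2345 comm="top" path="/proc/2101" dev=proc ino=137691234 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=dir
type=AVC msg=audit(1208267702.001:414): avc:  denied  { write } for  pid=2399 comm="mrtg" name="mrtg.log" dev=dm-0 ino=420001 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?dev=(?P<dev>\S+).*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+)'
    r' tclass=(?P<tclass>\S+)'
)

def sel_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def proc_sweeps(log_text, min_targets=3):
    """Group procfs denials by (comm, source type) and return the groups
    that touch at least min_targets distinct target types."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        # Only denials on procfs objects count; the mrtg.log write is skipped.
        if not m or m["dev"] != "proc":
            continue
        if m["tclass"] not in ("dir", "file", "lnk_file"):
            continue
        targets[(m["comm"], sel_type(m["scon"]))].add(sel_type(m["tcon"]))
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}

if __name__ == "__main__":
    for (comm, src), tgts in proc_sweeps(SAMPLE_AUDIT_LOG).items():
        print(f"{comm} in {src} denied on /proc entries of "
              f"{len(tgts)} domains: {', '.join(tgts)}")
```

Once a dontaudit rule covers these accesses the records stop appearing in the audit log; `semodule -DB` rebuilds the policy with dontaudit rules disabled when they need to be seen again.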