Beginner question deciphering SELinux logs

Lance Spitzner lance at spitzner.net
Wed Jan 2 02:59:18 UTC 2008


>
>> PS: Is there any way to configure SELinux/auditd to use regular dates,
>> as syslogd does?
>
> Stop looking at audit logs directly.  (I'll leave the policy questions
> to the policy people, sorry)
>
> ausearch -m AVC -i

Very cool, thanks!  One other outstanding suggestion I received was
the RPM pkg 'setroubleshoot'.  It does a mind blowing / amazing job of
taking AVC error messages and explaining to you exactly what they mean
and suggested actions.  Not only does it help troubleshooting, but it
helps to better understand SELinux in general.  Now only if there was
such a utility for the rest of Linux logging (dmesg anyone? :).

Thanks!

lance

Summary
     SELinux is preventing /usr/sbin/named (named_t) "getattr" access to
     /dev/random (tmpfs_t).

Detailed Description
     SELinux denied access requested by /usr/sbin/named. It is not expected that
     this access is required by /usr/sbin/named and this access may signal an
     intrusion attempt. It is also possible that the specific version or
     configuration of the application is causing it to require additional access.
     Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
     package.

Allowing Access
     Sometimes labeling problems can cause SELinux denials.  You could try to
     restore the default system file context for /dev/random, restorecon -v
     /dev/random. There is currently no automatic way to allow this access.
     Instead, you can generate a local policy module to allow this access - see
     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
     disable SELinux protection entirely for the application. Disabling SELinux
     protection is not recommended. Please file a
     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
     Changing the "named_disable_trans" boolean to true will disable SELinux
     protection this application: "setsebool -P named_disable_trans=1."

     The following command will allow this access:
     setsebool -P named_disable_trans=1

Additional Information

Source Context                user_u:system_r:named_t
Target Context                system_u:object_r:tmpfs_t
Target Objects                /dev/random [ chr_file ]
Affected RPM Packages
Policy RPM
Selinux Enabled
Policy Type
MLS Enabled
Enforcing Mode
Plugin Name                   plugins.disable_trans
Host Name
Platform
Alert Count                   1
Line Numbers                  1689,1690

Raw Audit Messages

avc: denied { getattr } for comm="named" dev=sdb1 egid=25 euid=25
exe="/usr/sbin/named" exit=-13 fsgid=25 fsuid=25 gid=25 items=0
path="/dev/random" pid=10791 scontext=user_u:system_r:named_t:s0 sgid=25
subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file
tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25
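Added example, not part of the original post or of setroubleshoot: a small parser that turns a raw AVC record like the one above into the fields that matter for triage (denied permissions, source/target type, object class) and rebuilds the setroubleshoot-style summary line. The mislabel heuristic (a /dev node carrying tmpfs_t, which the advice above suggests fixing with restorecon) is an assumption of this example, not a rule from the page.

```python
import re
import shlex

# Constructed sample input: the raw AVC record quoted in the post, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { getattr } for comm="named" dev=sdb1 egid=25 euid=25 '
    'exe="/usr/sbin/named" exit=-13 fsgid=25 fsuid=25 gid=25 items=0 '
    'path="/dev/random" pid=10791 scontext=user_u:system_r:named_t:s0 sgid=25 '
    'subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file '
    'tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25'
)

# "avc: denied { perm perm } for key=value ..." -> result, permissions, remaining key=value tokens
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    # shlex handles the quoted values (comm="named", path="/dev/random") for us
    for tok in shlex.split(m.group("rest")):
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec


def context_type(ctx):
    """Extract the type field from user:role:type[:level]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize(rec):
    """Rebuild the one-line summary setroubleshoot prints for a denial."""
    source = rec.get("exe") or rec.get("comm", "?")
    target = rec.get("path") or rec.get("name", "?")
    perms = " ".join(rec["perms"])
    return 'SELinux is preventing %s (%s) "%s" access to %s (%s).' % (
        source, context_type(rec["scontext"]), perms, target, context_type(rec["tcontext"]))


def likely_mislabel(rec):
    """Heuristic (assumption): a device node labeled tmpfs_t is usually a labeling
    problem to fix with restorecon, not a policy gap to open with a boolean."""
    return rec.get("path", "").startswith("/dev/") and context_type(rec["tcontext"]) == "tmpfs_t"
```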
