selinux denies dmesg

Stephen Smalley sds at tycho.nsa.gov
Fri Oct 17 16:38:42 UTC 2008


On Fri, 2008-10-17 at 08:39 -0700, Antonio Olivares wrote:
> 
> 
> --- On Fri, 10/17/08, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> 
> > From: Stephen Smalley <sds at tycho.nsa.gov>
> > Subject: Re: selinux denies dmesg
> > To: olivares14031 at yahoo.com
> > Cc: fedora-selinux-list at redhat.com
> > Date: Friday, October 17, 2008, 7:32 AM
> > On Thu, 2008-10-16 at 15:27 -0700, Antonio Olivares wrote:
> > > Dear fellow selinux experts,
> > > 
> > > After recovering from a kernel panic to check up on the filesystem, I run dmesg and I encounter some avc's
> > > 
> > > [olivares at riohigh ~]$ dmesg | grep avc
> > > type=1400 audit(1224195506.669:4): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.669:5): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.669:6): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.669:7): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:8): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:9): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:10): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:11): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:12): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:13): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > 
> > > 
> > > I have just updated to a newer kernel 2.6.27-13 and new selinux policy updates :)
> > > 
> > > [olivares at riohigh ~]$ rpm -qa selinux*
> > > selinux-policy-3.5.12-2.fc10.noarch
> > > selinux-policy-targeted-3.5.12-2.fc10.noarch
> > > [olivares at riohigh ~]$ 
> > > 
> > > 
> > > What do I do?
> > 
> > Enable syscall auditing and find out what syscall triggered the CAP_SYS_RESOURCE check.
> > 
> > -- 
> > Stephen Smalley
> > National Security Agency
> 
> How do I do that:
> 
> > Enable syscall auditing and find out what syscall triggered the CAP_SYS_RESOURCE check.
> > 
> 
> If there is a way to do it?

Do you have auditd running?
Try running:
/sbin/ausearch -m AVC -sv no


> I feel that Selinux should not get in the way of dmesg and other important system commands.  Why does it deny it?  
> 
> Seatroubleshooter has not appeared and on other machine without ext4 I see the following denials:
> 
> [olivares at localhost ~]$ dmesg | grep 'avc'
> type=1400 audit(1224252291.136:4): avc:  denied  { write } for  pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> type=1400 audit(1224252414.451:5): avc:  denied  { execstack } for  pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> [olivares at localhost ~]$ dmesg | grep 'avcs'
> [olivares at localhost ~]$ dmesg | grep avc
> type=1400 audit(1224252291.136:4): avc:  denied  { write } for  pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> type=1400 audit(1224252414.451:5): avc:  denied  { execstack } for  pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> [olivares at localhost ~]$
> 
> 
> Thanks,
> 
> Antonio
> 
-- 
Stephen Smalley
National Security Agency
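One way to triage records like the ones quoted in this thread, as an added example that is not part of the original exchange: a small Python parser that groups identical AVC denials (what `ausearch -m AVC` output looks like after a repeated check), names the numeric capability, and prints the allow rule audit2allow would propose, so the reader can see what granting it would mean before touching policy. The sample lines are constructed from the formats quoted above; the capability-number table is the standard Linux one.

```python
import re
from collections import Counter

# Constructed sample, copied from the record formats quoted in the thread.
SAMPLE_AVCS = """\
type=1400 audit(1224195506.669:4): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:8): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224252291.136:4): avc:  denied  { write } for  pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1224252414.451:5): avc:  denied  { execstack } for  pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

# Linux capability numbers as used in the capability= field (subset).
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
             7: "CAP_SETUID", 12: "CAP_NET_ADMIN", 19: "CAP_SYS_PTRACE",
             21: "CAP_SYS_ADMIN", 24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME"}

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')          # comm="dmesg" -> dmesg
    if "capability" in rec:                # capability=24 -> CAP_SYS_RESOURCE
        n = int(rec["capability"])
        rec["capability_name"] = CAP_NAMES.get(n, "CAP_#%d" % n)
    return rec


def summarize(text):
    """Count identical denials keyed by (comm, source type, target type, class, perms, cap)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        stype = rec["scontext"].split(":")[2]   # user:role:TYPE:level
        ttype = rec["tcontext"].split(":")[2]
        counts[(rec["comm"], stype, ttype, rec["tclass"],
                " ".join(rec["perms"]), rec.get("capability_name", "-"))] += 1
    return counts


def allow_rule(key):
    """The rule audit2allow would emit for one summary key (self when source == target)."""
    _comm, stype, ttype, tclass, perms, _cap = key
    target = "self" if stype == ttype else ttype
    return "allow %s %s:%s { %s };" % (stype, target, tclass, perms)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AVCS).items():
        print("%2dx %-16s %-18s -> %s" % (n, key[0], key[5], allow_rule(key)))
```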