selinux denies dmesg
Stephen Smalley
sds at tycho.nsa.gov
Fri Oct 17 16:38:42 UTC 2008
On Fri, 2008-10-17 at 08:39 -0700, Antonio Olivares wrote:
>
>
> --- On Fri, 10/17/08, Stephen Smalley <sds at tycho.nsa.gov> wrote:
>
> > From: Stephen Smalley <sds at tycho.nsa.gov>
> > Subject: Re: selinux denies dmesg
> > To: olivares14031 at yahoo.com
> > Cc: fedora-selinux-list at redhat.com
> > Date: Friday, October 17, 2008, 7:32 AM
> > On Thu, 2008-10-16 at 15:27 -0700, Antonio Olivares wrote:
> > > Dear fellow selinux experts,
> > >
> > > After recovering from a kernel panic to check up on the filesystem, I ran dmesg and encountered some AVCs
> > >
> > > [olivares at riohigh ~]$ dmesg | grep avc
> > > type=1400 audit(1224195506.669:4): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.669:5): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.669:6): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.669:7): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:8): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:9): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:10): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:11): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:12): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:13): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > >
> > >
> > > I have just updated to a newer kernel 2.6.27-13 and new selinux policy updates :)
> > >
> > > [olivares at riohigh ~]$ rpm -qa selinux*
> > > selinux-policy-3.5.12-2.fc10.noarch
> > > selinux-policy-targeted-3.5.12-2.fc10.noarch
> > > [olivares at riohigh ~]$
> > >
> > >
> > > What do I do?
> >
> > Enable syscall auditing and find out what syscall triggered the CAP_SYS_RESOURCE check.
> >
> > --
> > Stephen Smalley
> > National Security Agency
>
> How do I do that:
>
> > Enable syscall auditing and find out what syscall triggered the CAP_SYS_RESOURCE check.
> >
>
> If there is a way to do it?
Do you have auditd running?
Try running:
/sbin/ausearch -m AVC -sv no
> I feel that SELinux should not get in the way of dmesg and other important system commands. Why does it deny it?
>
> setroubleshoot has not appeared, and on another machine without ext4 I see the following denials:
>
> [olivares at localhost ~]$ dmesg | grep 'avc'
> type=1400 audit(1224252291.136:4): avc: denied { write } for pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> type=1400 audit(1224252414.451:5): avc: denied { execstack } for pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> [olivares at localhost ~]$ dmesg | grep 'avcs'
> [olivares at localhost ~]$ dmesg | grep avc
> type=1400 audit(1224252291.136:4): avc: denied { write } for pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> type=1400 audit(1224252414.451:5): avc: denied { execstack } for pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> [olivares at localhost ~]$
>
>
> Thanks,
>
> Antonio
>
--
Stephen Smalley
National Security Agency
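Stephen's advice is to work from the AVC record to the syscall that triggered the CAP_SYS_RESOURCE check. The following is an added example, not code from this thread or from Fedora: a small Python parser for the AVC records quoted above that collapses the repeated dmesg denials into one entry, names capability 24 as CAP_SYS_RESOURCE (per linux/capability.h), and, when syscall auditing is on, joins each denial to the SYSCALL (type=1300) record that shares its audit(<timestamp>:<serial>) event id. The sample records are constructed from the ones in the thread; the type=1300 line and its syscall number are made up to show the join.

```python
import re

CAP_NAMES = {21: "CAP_SYS_ADMIN", 24: "CAP_SYS_RESOURCE"}  # linux/capability.h; 24 is the one in the thread
# audit(<timestamp>:<serial>) identifies one event; every record of that event carries it.
HDR_RE = re.compile(r"type=(?P<type>\d+) audit\((?P<event>[\d.]+:\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit record (AVC or SYSCALL) into a dict; None for non-audit lines."""
    m = HDR_RE.search(line)
    if not m:
        return None
    rec = {"type": int(m.group("type")), "event": m.group("event")}
    body = m.group("body")
    if rec["type"] == 1400:                      # AUDIT_AVC: pull the permission set first
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["perms"] = a.group("perms").split()
        body = a.group("fields")
    for key, val in FIELD_RE.findall(body):      # remaining key=value pairs, quotes stripped
        rec[key] = val.strip('"')
    if rec.get("tclass") == "capability":        # give the capability number its name
        rec["cap_name"] = CAP_NAMES.get(int(rec["capability"]), "capability " + rec["capability"])
    return rec

def summarise(lines):
    """Map (comm, source type, target type, class, permission) -> count plus the syscall
    numbers from SYSCALL (type=1300) records of the same events, if auditing was on."""
    recs = [r for r in map(parse_record, lines) if r]
    syscalls = {r["event"]: r.get("syscall") for r in recs if r["type"] == 1300}
    result = {}
    for r in recs:
        if r["type"] != 1400:
            continue
        key = (r["comm"], r["scontext"].split(":")[2], r["tcontext"].split(":")[2],
               r["tclass"], r.get("cap_name") or " ".join(r["perms"]))
        entry = result.setdefault(key, {"count": 0, "syscalls": set()})
        entry["count"] += 1
        if r["event"] in syscalls:
            entry["syscalls"].add(syscalls[r["event"]])
    return result

# Constructed from the thread's records; the type=1300 line and syscall=999 are made up to show the join.
SAMPLE = [
    'type=1400 audit(1224195506.669:4): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability',
    'type=1300 audit(1224195506.669:4): arch=40000003 syscall=999 success=no exit=-1 comm="dmesg" exe="/bin/dmesg" subj=system_u:system_r:dmesg_t:s0',
    'type=1400 audit(1224195506.669:5): avc:  denied  { sys_resource } for  pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability',
    'type=1400 audit(1224252291.136:4): avc:  denied  { write } for  pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file',
    'type=1400 audit(1224252414.451:5): avc:  denied  { execstack } for  pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
]
```

summarise(SAMPLE) returns three entries: the two dmesg denials collapse into one with count 2 and syscall 999 attached from the constructed type=1300 record, while the iptables and knotify4 entries have empty syscall sets because no SYSCALL record shares their event ids, which is exactly the situation before auditd's syscall auditing is enabled.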