many avcs at startup, readahead and several others

Antonio Olivares olivares14031 at yahoo.com
Wed Sep 3 21:14:12 UTC 2008

--- On Wed, 9/3/08, Daniel J Walsh <dwalsh at redhat.com> wrote:

> From: Daniel J Walsh <dwalsh at redhat.com>
> Subject: Re: many avcs at startup, readahead and several others
> To: olivares14031 at yahoo.com, "For testers of Fedora Core development releases" <fedora-test-list at redhat.com>
> Cc: "Tom London" <selinux at gmail.com>, fedora-selinux-list at redhat.com
> Date: Wednesday, September 3, 2008, 10:14 AM
> 
> Antonio Olivares wrote:
> > 
> > 
> > --- On Tue, 9/2/08, Tom London <selinux at gmail.com> wrote:
> > 
> >> I'm running selinux-policy-targeted-3.5.5-3.fc10.noarch and
> >> selinux-policy-3.5.5-3.fc10.noarch.
> >>
> >> and on my system ~/.pulse is:
> >> [tbl at tlondon ~]$ ls -ld .pulse
> >> drwx------ 2 tbl tbl 4096 2008-09-02 19:48 .pulse
> >> [tbl at tlondon ~]$ ls -ldZ .pulse
> >> drwx------  tbl tbl system_u:object_r:gnome_home_t:s0 .pulse
> >> [tbl at tlondon ~]$
> >>
> >> On yours, it seems to be user_home_t.
> >>
> >> type=1400 audit(1220391480.206:24): avc:  denied  { setattr } for  pid=3267 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> >>
> >> You running the same policy?  Did you update from F9?
> > 
> > [olivares at localhost ~]$ cat .selinux-policy.txt
> > selinux-policy-targeted-3.5.5-3.fc10.noarch
> > selinux-policy-3.5.5-3.fc10.noarch
> > [olivares at localhost ~]$ ls -ld .pulse
> > drwx------ 2 olivares olivares 4096 2008-09-03 07:00 .pulse
> > [olivares at localhost ~]$ ls -ldZ .pulse
> > drwx------  olivares olivares system_u:object_r:gnome_home_t   .pulse
> > [olivares at localhost ~]$
> > 
> > I did a 
> > # touch ./autorelabel; reboot
> > 
> > and the denied avcs still appear :(.  Wonder what is happening?
> >> tom
> >> -- 
> >> Tom London
> > 
> > 
> > 
> Which avc's still appear?


After applying today's updates, 

[olivares at localhost ~]$ dmesg | grep 'avc'
type=1400 audit(1220475941.234:4): avc:  denied  { read write } for  pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475941.235:5): avc:  denied  { read write } for  pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475941.235:6): avc:  denied  { read write } for  pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475942.150:7): avc:  denied  { fowner } for  pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220475942.150:8): avc:  denied  { fowner } for  pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220475942.155:9): avc:  denied  { fowner } for  pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220475942.651:10): avc:  denied  { fowner } for  pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220475968.477:11): avc:  denied  { write } for  pid=1475 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1220475969.949:12): avc:  denied  { write } for  pid=1697 comm="ip" path="/0" dev=devpts ino=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1220476005.919:13): avc:  denied  { search } for  pid=1958 comm="pcscd" name="dbus" dev=dm-0 ino=3276848 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=1400 audit(1220476026.870:14): avc:  denied  { search } for  pid=2368 comm="python" name="hp" dev=dm-0 ino=28345940 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=1400 audit(1220476026.972:15): avc:  denied  { execute } for  pid=2417 comm="gdm" name="rpm" dev=dm-0 ino=24117291 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=1400 audit(1220476026.973:16): avc:  denied  { getattr } for  pid=2417 comm="gdm" path="/bin/rpm" dev=dm-0 ino=24117291 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=1400 audit(1220476026.973:17): avc:  denied  { getattr } for  pid=2417 comm="gdm" path="/bin/rpm" dev=dm-0 ino=24117291 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=1400 audit(1220476028.580:18): avc:  denied  { search } for  pid=2449 comm="python" name="hp" dev=dm-0 ino=28345940 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
[olivares at localhost ~]$
[olivares at localhost ~]$ uname -a
Linux localhost 2.6.27-0.297.rc5.git2.fc10.i686 #1 SMP Tue Sep 2 11:19:36 EDT 2008 i686 athlon i386 GNU/Linux
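The dmesg listing above repeats the same denial several times (readahead on /dev/console three times, the fowner capability four times). As an added example that is not part of this thread, the following Python helper parses kernel AVC lines of this format and collapses repeats by source type, target type, class and permission, so each distinct denial can be triaged once (mislabelled file to fix with restorecon, or a genuine policy gap to report). The sample input is constructed from four of the lines above.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample: four of the AVC lines from the dmesg output above
# (the first two are the repeated readahead denial on /dev/console).
SAMPLE_DMESG = """\
type=1400 audit(1220475941.234:4): avc:  denied  { read write } for  pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475941.235:5): avc:  denied  { read write } for  pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475942.150:7): avc:  denied  { fowner } for  pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220476026.972:15): avc:  denied  { execute } for  pid=2417 comm="gdm" name="rpm" dev=dm-0 ino=24117291 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"

def context_type(ctx: str) -> str:
    """Type field of a context such as system_u:object_r:tmpfs_t:s0."""
    return ctx.split(":")[2]

def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Parse one kernel AVC line into its fields; None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["perms"] = " ".join(sorted(m.group("perms").split()))
    return fields

def summarize(lines) -> Dict[Tuple[str, str, str, str], int]:
    """Count denials per (source type, target type, tclass, perms) so
    repeats such as the readahead lines collapse to one entry."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_avc(line)
        if f is not None:
            counts[(context_type(f["scontext"]), context_type(f["tcontext"]),
                    f["tclass"], f["perms"])] += 1
    return dict(counts)

def report(lines) -> str:
    """One line per distinct denial, most frequent first (same key that
    audit2allow groups on, but rendered as a triage summary, not a rule)."""
    rows = sorted(summarize(lines).items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"{s} -> {t}:{c} {{ {p} }}  x{n}" for (s, t, c, p), n in rows)

if __name__ == "__main__":
    print(report(SAMPLE_DMESG.splitlines()))
```

Feed it `dmesg | grep avc` or `ausearch -m avc` output; the collapsed key is what to compare against `ls -Z` on the target (wrong label) before concluding the policy itself needs a change.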

More information about the fedora-selinux-list mailing list