selinux denials on rawhide. Some I can't get back

Tom London selinux at gmail.com
Thu Aug 20 13:37:13 UTC 2009


On Thu, Aug 20, 2009 at 5:41 AM, Dominick Grift<domg472 at gmail.com> wrote:
> On Thu, Aug 20, 2009 at 05:27:33AM -0700, Antonio Olivares wrote:
>> Dear fellow selinux experts,
>>
>> I have encountered some weird denials while running rawhide.  But selinux troubleshooter is not allowing me to file bugs.  It just hangs.  While running livecd I was able to file some bugs.  After installing (restoring a rawhide system using livecd), I can't do it.  I will attach a set of denials by selinux.
>>
>> Thanks,
>>
>> Antonio
>>
>>
>>
>> Aug 12 02:41:26 localhost kernel: type=1400 audit(1250062886.941:25230): avc:  denied  { write } for  pid=1590 comm="auditctl" path="/dev/null" dev=tmpfs ino=11264 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:4): avc:  denied  { execute } for  pid=166 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1011 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:5): avc:  denied  { mmap_zero } for  pid=166 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:6): avc:  denied  { execute } for  pid=166 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1113 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.131:7): avc:  denied  { write } for  pid=166 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.131:8): avc:  denied  { open } for  pid=166 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062928.769:9): avc:  denied  { sys_module } for  pid=459 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
>> Aug 12 17:11:37 localhost setroubleshoot: [avc.ERROR] Plugin Exception leaks #012Traceback (most recent call last):#012  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 148, in analyze_avc#012    report = plugin.analyze(avc)#012  File "/usr/share/setroubleshoot/plugins/leaks.py", line 46, in analyze#012    if avc.syscall == 'execve':#012AttributeError: AVC instance has no attribute 'syscall'
>> Aug 12 17:36:26 localhost kernel: type=1400 audit(1250116586.288:39547): avc:  denied  { write } for  pid=23025 comm="auditctl" path="/dev/null" dev=tmpfs ino=161648 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 12 17:40:26 localhost kernel: type=1400 audit(1250116826.639:22972): avc:  denied  { write } for  pid=2085 comm="auditctl" path="/dev/null" dev=tmpfs ino=14928 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:4): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:5): avc:  denied  { mmap_zero } for  pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.130:6): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.130:7): avc:  denied  { write } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.131:8): avc:  denied  { open } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165525.340:9): avc:  denied  { sys_module } for  pid=480 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
>> Aug 13 12:40:40 localhost kernel: type=1400 audit(1250185240.254:91): avc:  denied  { write } for  pid=2860 comm="auditctl" path="/dev/null" dev=tmpfs ino=40043 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.229:4): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.230:5): avc:  denied  { mmap_zero } for  pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.231:6): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.231:7): avc:  denied  { write } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.232:8): avc:  denied  { open } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.790:9): avc:  denied  { sys_module } for  pid=463 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
>> Aug 14 17:14:31 localhost kernel: type=1400 audit(1250288071.151:120): avc:  denied  { write } for  pid=2853 comm="auditctl" path="/dev/null" dev=tmpfs ino=83085 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 17 07:46:24 localhost kernel: type=1400 audit(1250513184.418:22958): avc:  denied  { write } for  pid=2188 comm="auditctl" path="/dev/null" dev=tmpfs ino=19698 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.366:4): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.367:5): avc:  denied  { mmap_zero } for  pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.367:6): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.368:7): avc:  denied  { write } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.368:8): avc:  denied  { open } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597974.538:9): avc:  denied  { sys_module } for  pid=435 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
>> Aug 19 15:53:41 localhost dbus: avc:  received policyload notice (seqno=2)
>> Aug 19 15:53:41 localhost dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
>> Aug 19 16:04:57 localhost kernel: type=1400 audit(1250715897.391:279): avc:  denied  { write } for  pid=5261 comm="auditctl" path="/dev/null" dev=tmpfs ino=283860 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.824:20606): avc:  denied  { unlink } for  pid=1500 comm="chkconfig" name="K88auditd" dev=dm-0 ino=9509 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
>> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.825:20607): avc:  denied  { create } for  pid=1500 comm="chkconfig" name="S11auditd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
>> Aug 20 07:22:57 localhost dbus: avc:  received policyload notice (seqno=2)
>> Aug 20 07:22:57 localhost dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
>
> Join the club :)
>
> I have a shedload of custom policy modules for rawhide. Some of it may not be recommended to add but it does fix most issues.
> have a look here: http://82.197.205.60/~dgrift/stuff/modules/rawhide12/
>
> Also install the latest packages available (koji and
>
> [root at notebook3 ~]# less /etc/yum.repos.d/koji.repo
> [koji]
> name=Fedora 12 - x86_64 - Just Born
> baseurl=http://koji.fedoraproject.org/static-repos/dist-f12-build-current/x86_64
> enabled=0
>
> My rawhide runs surprisingly well, in some regards even better than f11 ...
>
> hth
>

Believe a few of these are understood:

> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.824:20606): avc:  denied  { unlink } for  pid=1500 comm="chkconfig" name="K88auditd" dev=dm-0 ino=9509 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.825:20607): avc:  denied  { create } for  pid=1500 comm="chkconfig" name="S11auditd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file

These are caused by "readahead": readahead delays starting up auditd
until it has "finished".  Apparently it does this in a manner not 100%
as expected.  I got rid of these by uninstalling readahead.

Believe the developers are aware of this.

Believe many of the earlier AVCs are due to recent changes to the
"unconfined" domain. From dwalsh: "I have changed all
unconfined_domains to permissive so that we can find as many AVC's as
possible for a couple of weeks."

tom
-- 
Tom London
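The denials quoted above are in the kernel's `type=1400 audit(...)` AVC format, and the thread notes that setroubleshoot was crashing on them. Below is an added triage script (not part of this thread, nor of setroubleshoot or the Fedora policy) that parses that format and groups denials by source type, target type, object class and the process name, so that a recurring pattern such as `initrc_t` acting on `etc_t:lnk_file` for chkconfig stands out at a glance. The sample input is a constructed subset of lines copied from the thread; userspace records (the dbus policyload notice and the setroubleshoot traceback) are not AVC denials and are counted as skipped rather than parsed.

```python
import re
from collections import defaultdict

# Kernel AVC record body: "avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs; values may be quoted (comm="vbetool") or bare (dev=tmpfs)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: lines copied from the thread, syslog prefixes included.
SAMPLE_LOG = """
Aug 12 02:41:26 localhost kernel: type=1400 audit(1250062886.941:25230): avc:  denied  { write } for  pid=1590 comm="auditctl" path="/dev/null" dev=tmpfs ino=11264 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:4): avc:  denied  { execute } for  pid=166 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1011 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:5): avc:  denied  { mmap_zero } for  pid=166 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062928.769:9): avc:  denied  { sys_module } for  pid=459 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
Aug 12 17:11:37 localhost setroubleshoot: [avc.ERROR] Plugin Exception leaks #012Traceback (most recent call last):#012  File "/usr/share/setroubleshoot/plugins/leaks.py", line 46, in analyze#012    if avc.syscall == 'execve':#012AttributeError: AVC instance has no attribute 'syscall'
Aug 19 15:53:41 localhost dbus: avc:  received policyload notice (seqno=2)
Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.824:20606): avc:  denied  { unlink } for  pid=1500 comm="chkconfig" name="K88auditd" dev=dm-0 ino=9509 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.825:20607): avc:  denied  { create } for  pid=1500 comm="chkconfig" name="S11auditd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
""".strip().splitlines()


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one syslog line; return a dict for a kernel AVC denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if 'scontext' not in fields or 'tclass' not in fields:
        return None
    return {
        'perms': frozenset(m.group(1).split()),
        'comm': fields.get('comm', '?'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields.get('tcontext', '')),
        'tclass': fields['tclass'],
        # path= is present for open files, name= for lookups; both may be absent
        'target': fields.get('path') or fields.get('name') or '',
    }


def summarize(lines):
    """Group denials by (source type, target type, class, comm).

    Returns (summary, skipped); skipped counts lines that are not kernel AVC
    denials, such as dbus policyload notices or setroubleshoot tracebacks.
    """
    summary = defaultdict(lambda: {'perms': set(), 'targets': set(), 'count': 0})
    skipped = 0
    for line in lines:
        d = parse_avc(line)
        if d is None:
            skipped += 1
            continue
        entry = summary[(d['stype'], d['ttype'], d['tclass'], d['comm'])]
        entry['perms'] |= d['perms']
        entry['count'] += 1
        if d['target']:
            entry['targets'].add(d['target'])
    return dict(summary), skipped


def format_summary(summary):
    """One human-readable line per (source, target, class, comm) group."""
    out = []
    for (stype, ttype, tclass, comm), e in sorted(summary.items()):
        perms = ' '.join(sorted(e['perms']))
        targets = ','.join(sorted(e['targets'])) or '-'
        out.append(f"{stype} -> {ttype}:{tclass} {{ {perms} }}  "
                   f"comm={comm} events={e['count']} targets={targets}")
    return out


if __name__ == '__main__':
    summary, skipped = summarize(SAMPLE_LOG)
    print('\n'.join(format_summary(summary)))
    print(f'{skipped} non-AVC line(s) skipped')
```

Feeding `/var/log/messages` (or `ausearch -m avc` output, which uses the same `avc: denied` body) through `summarize()` collapses hundreds of repeated boot-time denials into a handful of groups; the grouping key deliberately excludes pid, inode and timestamp so that the same policy gap logged on every boot is counted once per source/target/class rather than once per event.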




More information about the fedora-selinux-list mailing list