too many sealerts, most have been reported, and still see denials

Daniel J Walsh dwalsh at redhat.com
Mon Sep 14 19:54:38 UTC 2009


On 09/13/2009 12:03 PM, Antonio Olivares wrote:
>>> No, the vast majority of the 'denials' aren't actually denials.  Dan
>>> removed all unconfined domains and replaced them with permissive
>>> domains.  An unconfined domain allows everything and audits nothing.  A
>>> permissive domain allows everything but audits every time there is no
>>> allow rule for a given request.
>>>
>>> This has helped to define the actual needs of many of the unconfined
>>> domains.  And hopefully we can remove them entirely in the future.
>>> Please keep filing bugs.
>>>
> Here's one for modprobe.d 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=523039
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=523040
> 
> some from dmesg to support ones on top
> 
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> type=1403 audit(1252857173.233:3): policy loaded auid=4294967295 ses=4294967295
> load_policy used greatest stack depth: 5448 bytes left
> dracut: Switching root
> type=1305 audit(1252857175.267:6): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
> udev: starting version 145
> type=1400 audit(1252857180.016:7): avc:  denied  { read } for  pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=1400 audit(1252857180.017:8): avc:  denied  { open } for  pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> end_request: I/O error, dev fd0, sector 0
> sis900.c: v1.08.10 Apr. 2 2006
> sis900 0000:00:04.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
> 0000:00:04.0: Realtek RTL8201 PHY transceiver found at address 1.
> 0000:00:04.0: Using transceiver found at address 1 as default
> eth0: SiS 900 PCI Fast Ethernet at 0xb000, IRQ 19, 00:16:ec:7d:be:bd
> parport_pc 00:09: reported by Plug and Play ACPI
> parport0: PC-style at 0x378 (0x778), irq 7 [PCSPP,TRISTATE]
> ppdev: user-space parallel port driver
> Intel ICH 0000:00:02.7: PCI INT C -> GSI 18 (level, low) -> IRQ 18
> intel8x0_measure_ac97_clock: measured 50745 usecs (2442 samples)
> intel8x0: clocking to 48000
> type=1400 audit(1252857184.249:9): avc:  denied  { read } for  pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=1400 audit(1252857184.249:10): avc:  denied  { open } for  pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> device-mapper: multipath: version 1.1.0 loaded
> EXT4-fs (dm-0): internal journal on dm-0:8
> kjournald starting.  Commit interval 5 seconds
> EXT3 FS on sda1, internal journal
> EXT3-fs: mounted filesystem with ordered data mode.
> SELinux: initialized (dev sda1, type ext3), uses xattr
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> Adding 950264k swap on /dev/mapper/vg_n63552-lv_swap.  Priority:-1 extents:1 across:950264k 
> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
> microcode: CPU0 sig=0xf29, pf=0x4, revision=0x0
> platform microcode: firmware: requesting intel-ucode/0f-02-09
> type=1400 audit(1252857189.780:11): avc:  denied  { read } for  pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=1400 audit(1252857189.780:12): avc:  denied  { open } for  pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> microcode: CPU1 sig=0xf29, pf=0x4, revision=0x0
> platform microcode: firmware: requesting intel-ucode/0f-02-09
> Microcode Update Driver: v2.00 <tigran at aivazian.fsnet.co.uk>, Peter Oruba
> microcode: CPU0 updated to revision 0x2e, date = 2004-08-11 
> microcode: CPU1 updated to revision 0x2e, date = 2004-08-11 
> Microcode Update Driver: v2.00 removed.
> p4-clockmod: P4/Xeon(TM) CPU On-Demand Clock Modulation available
> type=1400 audit(1252857190.717:13): avc:  denied  { read } for  pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=1400 audit(1252857190.717:14): avc:  denied  { open } for  pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> NET: Registered protocol family 10
> lo: Disabled Privacy Extensions
> ip6_tables: (C) 2000-2006 Netfilter Core Team
> RPC: Registered udp transport module.
> RPC: Registered tcp transport module.
> SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
> eth0: Media Link On 100mbps full-duplex 
> Installing knfsd (copyright (C) 1996 okir at monad.swb.de).
> SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
> eth0: no IPv6 routers present
> CPU0 attaching NULL sched-domain.
> CPU1 attaching NULL sched-domain.
> CPU0 attaching sched-domain:
>  domain 0: span 0-1 level SIBLING
>   groups: 0 1
> CPU1 attaching sched-domain:
>  domain 0: span 0-1 level SIBLING
>   groups: 1 0
> canberra-gtk-pl used greatest stack depth: 5236 bytes left
> fuse init (API version 7.12)
> SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
> [root at n6355-2 ~]# uname -r
> 2.6.31-2.fc12.i686
> 
> Another one filed,but cut + paste failed :(
> 
> Regards,
> 
> Antonio 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
Just imagine if you are on the receiving end of all these bugs.  

Wine is a huge culprit and is being turned back into unconfined_domain.  

abrt was also causing lots of these denials.  Most of which are fixed in the latest policy builds.

The bugs I received this weekend including the modules_conf_t are legitimate.
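The modprobe.d lines quoted above show why a permissive domain produces so many alerts: every process that hits a missing allow rule logs its own AVC, so one gap (insmod_t reading modules_conf_t) turns into a denial pair per boot stage. Before filing a bug it helps to collapse the raw dmesg into one entry per (source type, target type, class, permission). The script below is an added example, not code from this thread and not setroubleshoot or audit2allow; the sample input is constructed from the AVC format quoted above, and the `permissive` field it looks for is an assumption about newer kernels (the 2.6.31 lines in the thread do not carry it).

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the same format as the dmesg excerpt quoted
# above, with a couple of non-AVC lines the parser has to skip.
SAMPLE_DMESG = """\
udev: starting version 145
type=1400 audit(1252857180.016:7): avc:  denied  { read } for  pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc:  denied  { open } for  pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
end_request: I/O error, dev fd0, sector 0
type=1400 audit(1252857184.249:9): avc:  denied  { read } for  pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:10): avc:  denied  { open } for  pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857189.780:11): avc:  denied  { read } for  pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857189.780:12): avc:  denied  { open } for  pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
"""

# "avc:  denied  { read open } for  key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; a value is either double-quoted or a run of non-blank characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type of an SELinux context, dropping user, role and any
    MLS/MCS range: system_u:system_r:insmod_t:s0-s0:c0.c1023 -> insmod_t."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
        "comm": fields.get("comm", ""),
        "pid": fields.get("pid", ""),
        # Assumption: newer kernels append permissive=1 to AVCs raised by a
        # permissive domain. The 2.6.31 lines in this thread lack it, so the
        # value stays None ("unknown") rather than being guessed.
        "permissive": fields.get("permissive"),
    }


def summarize(text):
    """Collapse repeated denials into one counter entry per
    (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        stype = context_type(rec["scontext"])
        ttype = context_type(rec["tcontext"])
        for perm in rec["perms"]:
            counts[(stype, ttype, rec["tclass"], perm)] += 1
    return counts


def needed_rules(counts):
    """Render the summary as allow-rule-shaped strings, one per
    (source, target, class), roughly the way audit2allow prints them.
    This is a toy rendering for reading bug reports, not policy to install."""
    grouped = defaultdict(set)
    for (stype, ttype, tclass, perm) in counts:
        grouped[(stype, ttype, tclass)].add(perm)
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_DMESG)
    for (stype, ttype, tclass, perm), n in sorted(summary.items()):
        print(f"{n:3d}x  {stype} -> {ttype} ({tclass}) {perm}")
    print("\n".join(needed_rules(summary)))
```

Run against the sample, the six modprobe AVCs reduce to two counter entries (read and open, three hits each) and one rule-shaped line for insmod_t on modules_conf_t:dir, which is the unit a bug report like the two filed above actually needs. Feeding it `dmesg` or `ausearch -m avc` output from a real box works the same way, since the AVC record layout is identical.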
