New Years Resolution

Steve Blackwell zephod at cfl.rr.com
Sat Jan 2 19:10:35 UTC 2010


On Sat, 2 Jan 2010 10:10:27 -0800
Tom London <selinux at gmail.com> wrote:

> On Sat, Jan 2, 2010 at 9:39 AM, Steve Blackwell <zephod at cfl.rr.com>
> wrote:
> > OK, here is one of my New Year's resolutions:
> >
> > Get a better understanding of SELinux.
> >
> > I'm running a F11 box in permissive mode and I get hundreds of AVCs.
> > Let's start with this one.
> >
> > SELinux is preventing dbus-daemon (system_dbusd_t) "search"
> > unconfined_t.
> >
> > node=steve.blackwell type=AVC msg=audit(1262408462.863:1162): avc:
> > denied { search } for pid=1613 comm="dbus-daemon" name="23667"
> > dev=proc ino=584443
> > scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
> >
> > Now, if I'm reading this correctly, the dbus-daemon process tried to
> > search a directory called 23667 but didn't have permission to do so.
> >
> > The problem with that is that I don't have a directory called 23667.
> > At least there isn't one now but I suppose it could have existed at
> > the time the AVC was generated which was just after midnight. I'm
> > getting one of these every hour with different numbers for the
> > target directory. I thought that it might be related to a cron job
> > but it seems that the hourly cron job just calls anacron to check
> > to see if the daily, weekly or monthly cron job needs to be run.
> > The other possibility is that it has something to do with BackupPC.
> >
> > One thing I don't understand is why SELinux is flagging this in the
> > first place. Since the target context is unconfined_t, should
> > anything be able to search it?
> >
> > Steve.
> 
> If you notice, the AVC says "dev=proc".  That, and the name of the
> directory suggests that the target directory in question is
> '/proc/23677'.  So, dbus-daemon (pid=1613) is attempting to search for
> some information about a running unconfined_t process (in this case,
> 23677) and the policy is not allowing it.
> 
> Since the attempted accesses are directed at running processes, they
> would almost certainly be different and/or change with time, reboots,
> etc.
> 
> I believe the policy does not allow unrestricted access by arbitrary
> domains to unconfined_t targets.
> 
> Hope this helps....
> 
> tom
Thanks Tom, it does help.

This is interesting. I just got another of the same type of AVC while I
was watching and so I was able to look at the process and:

# ls -Zd /proc/29899
dr-xr-xr-x. steve steve unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /proc/29899

# ps -ef | grep 29899
steve    29899     1  2 13:55 ?        00:00:04 /usr/bin/python -E /usr/bin/sealert -s

so SELinux is complaining about sealert!?

# ps -Z 29899
LABEL                             PID TTY      STAT   TIME COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 29899 ? S 0:04 /usr/bin/python -E /usr/bin/sealert -s

Is that context correct?

Steve.
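The reading of the AVC record that Tom gives above (dev=proc plus a numeric name means the target is /proc/<pid>, i.e. a running process, which is why the target context is a process domain rather than a file type) can be done mechanically. The following is an added example, not code from the thread or from the SELinux tools: it parses raw AVC lines into their fields, flags /proc/<pid> targets, and prints the allow rule that audit2allow would emit for the denial. The first sample record is the one from the thread joined back onto one line; the second (an httpd_t read of shadow_t) is constructed to show the ordinary file-target case. Function names are my own.

```python
"""Decode raw SELinux AVC records of the kind quoted in this thread."""
import re

# Constructed sample input. The first record is the one from the thread,
# joined onto a single line; the second is an invented file-target denial.
SAMPLE_AVCS = [
    'node=steve.blackwell type=AVC msg=audit(1262408462.863:1162): avc: denied '
    '{ search } for pid=1613 comm="dbus-daemon" name="23667" dev=proc ino=584443 '
    'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir',
    'type=AVC msg=audit(1262408470.001:1163): avc: denied { read open } for '
    'pid=4242 comm="backuppc" name="shadow" dev=sda2 ino=9876 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 '
    'tclass=file',
]

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
_TS_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_context(ctx):
    """Split user:role:type:range; the MLS range itself may contain ':'."""
    user, role, typ, mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "range": mls}


def parse_avc(line):
    """Turn one raw AVC line into a dict of its fields."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    ts = _TS_RE.search(line)
    if ts:
        rec["time"], rec["serial"] = float(ts.group(1)), int(ts.group(2))
    for key, quoted, bare in _KV_RE.findall(line):
        if key in ("msg", "type"):   # audit(...) timestamp and type=AVC handled above
            continue
        rec[key] = bare if bare else quoted
    for side in ("scontext", "tcontext"):
        rec[side] = parse_context(rec[side])
    return rec


def proc_target(rec):
    """Return the pid if the target is /proc/<pid>, else None.

    A 'dir' named <digits> on dev=proc is a process's /proc entry. Those
    entries are labeled with the domain of the process itself, which is why
    tcontext is a process domain (unconfined_t) and not a file type, and why
    the number changes from one denial to the next.
    """
    if (rec.get("dev") == "proc" and rec.get("tclass") == "dir"
            and rec.get("name", "").isdigit()):
        return int(rec["name"])
    return None


def explain(rec):
    """One-line summary in the style of the sealert message quoted above."""
    verb = " ".join(rec["perms"])
    target = rec["tcontext"]["type"]
    pid = proc_target(rec)
    if pid is not None:
        where = "/proc/%d (process %d running as %s)" % (pid, pid, target)
    else:
        where = "%s (%s, inode %s on %s)" % (rec.get("name"), target,
                                           rec.get("ino"), rec.get("dev"))
    return 'SELinux %s %s (pid %s, %s) "%s" on %s' % (
        rec["result"], rec["comm"], rec["pid"], rec["scontext"]["type"], verb, where)


def needed_rule(rec):
    """The allow rule that would silence this denial, in the form audit2allow
    prints. Whether it *should* be allowed is a separate policy question."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (rec["scontext"]["type"],
                                   rec["tcontext"]["type"], rec["tclass"], perm_str)


if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        rec = parse_avc(line)
        print(explain(rec))
        print("    would need:", needed_rule(rec))
```

Run against the thread's record this reports dbus-daemon (system_dbusd_t) searching /proc/23667, the entry of whatever unconfined_t process held that pid at the time, which matches what the `ls -Zd /proc/29899` check above showed for a later instance. Because the box is in permissive mode the denial is logged but nothing is actually blocked, so the hourly recurrence is just the audit trail of the same access being re-attempted; before pasting the generated allow rule into a local module, confirm with `sesearch` or audit2allow on the live policy that the rule is not already covered by a boolean or a newer policy build.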




More information about the fedora-selinux-list mailing list