Selinux problem
Daniel J Walsh
dwalsh at redhat.com
Tue Sep 18 16:06:38 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Running this log through audit2allow shows
audit2allow -i /tmp/t
#============= auditctl_t ==============
allow auditctl_t kernel_t:fd use;
>>> All of these kernel_t:fd use denials are leaked file descriptors.
Something during the boot process, either the kernel or something in
init, is leaking a file descriptor.
#============= automount_t ==============
allow automount_t kernel_t:fd use;
#============= avahi_t ==============
allow avahi_t kernel_t:fd use;
#============= bluetooth_t ==============
allow bluetooth_t kernel_t:fd use;
#============= brctl_t ==============
allow brctl_t kernel_t:fd use;
#============= consolekit_t ==============
allow consolekit_t kernel_t:fd use;
#============= dnsmasq_t ==============
allow dnsmasq_t kernel_t:fd use;
allow dnsmasq_t virt_var_lib_t:dir write;
>>>> virsh or xend is redirecting stdout for daemons it is starting to
this directory.
#============= fsdaemon_t ==============
allow fsdaemon_t kernel_t:fd use;
allow fsdaemon_t unconfined_execmem_exec_t:dir search;
>>>> There is a directory named share that is labeled
unconfined_execmem_exec_t, which is probably wrong.
#============= getty_t ==============
allow getty_t kernel_t:fd use;
#============= hald_t ==============
allow hald_t kernel_t:fd use;
#============= irqbalance_t ==============
allow irqbalance_t kernel_t:fd use;
#============= klogd_t ==============
allow klogd_t kernel_t:fd use;
#============= mount_t ==============
allow mount_t kernel_t:fd use;
#============= netutils_t ==============
allow netutils_t kernel_t:fd use;
#============= openct_t ==============
allow openct_t kernel_t:fd use;
#============= pcscd_t ==============
allow pcscd_t kernel_t:fd use;
#============= readahead_t ==============
allow readahead_t kernel_t:fd use;
#============= rhgb_t ==============
allow rhgb_t xdm_xserver_t:unix_stream_socket connectto;
>>> Fixed in selinux-policy-3.0.8-1
#============= rpcbind_t ==============
allow rpcbind_t kernel_t:fd use;
#============= rpcd_t ==============
allow rpcd_t kernel_t:fd use;
#============= sendmail_t ==============
allow sendmail_t kernel_t:fd use;
#============= setroubleshootd_t ==============
allow setroubleshootd_t kernel_t:fd use;
allow setroubleshootd_t system_dbusd_var_run_t:sock_file write;
>>> Fixed in selinux-policy-3.0.8-1
#============= spamd_t ==============
allow spamd_t user_home_t:sock_file create;
>>> Why is spamd trying to create a sock_file in a home directory?
Might be a problem with the way you have spam set up.
#============= syslogd_t ==============
allow syslogd_t kernel_t:fd use;
#============= system_dbusd_t ==============
allow system_dbusd_t kernel_t:fd use;
allow system_dbusd_t unconfined_execmem_exec_t:dir search;
>>>> Same as above: the directory labeled unconfined_execmem_exec_t, which is probably wrong.
#============= unconfined_t ==============
allow unconfined_t self:process execmem;
#============= xend_t ==============
allow xend_t brctl_exec_t:file { read getattr execute };
allow xend_t initrc_t:unix_stream_socket connectto;
allow xend_t kernel_t:fd use;
>>> Fixed in selinux-policy-3.0.8-1
#============= xm_t ==============
allow xm_t nscd_var_run_t:dir search;
allow xm_t sysadm_home_dir_t:dir search;
allow xm_t unconfined_t:fifo_file write;
>>> I don't think these would show up in enforcing mode.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFG7/eOrlYvE4MpobMRAjVSAJ9my3fwwJthMGF6GzPeSjiSgbUjcACfUdwE
iDvNPxnz/fQ9qJtSNCJlqLs=
=gSgw
-----END PGP SIGNATURE-----