denied avc's on rawhide
Rick Stevens
ricks at nerd.com
Wed Dec 10 00:54:59 UTC 2008
Antonio Olivares wrote:
>> If you update to selinux-policy-3.6.1-8.fc11.noarch
>> These should be fixed.
>
> Yes, they are :), thank you very much. Now selinux is denying the setroubleshoot daemon from kicking in :(, selinux denying itself in some ways. I got new avcs:
>
> [olivares at riohigh ~]$ dmesg | grep 'avc'
> type=1400 audit(1228868792.540:4): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.546:5): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.569:6): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.574:7): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.582:8): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.600:9): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.617:10): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.647:11): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.653:12): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.665:13): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.247:59): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.259:60): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.269:61): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.277:62): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.283:63): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.296:64): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.304:65): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.309:66): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.322:67): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.354:68): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868811.296:89): avc: denied { read } for pid=2492 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=23265 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868811.414:90): avc: denied { read } for pid=2492 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=23265 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868818.290:91): avc: denied { read } for pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868818.597:92): avc: denied { read } for pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868932.171:93): avc: denied { read } for pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868932.997:94): avc: denied { read write } for pid=2537 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868932.997:95): avc: denied { read append } for pid=2537 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868978.329:96): avc: denied { read } for pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868978.569:97): avc: denied { read } for pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.153:98): avc: denied { read } for pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.899:99): avc: denied { read write } for pid=3315 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.899:100): avc: denied { read append } for pid=3315 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.901:101): avc: denied { read } for pid=3315 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.906:102): avc: denied { unlink } for pid=3315 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> [olivares at riohigh ~]$ rpm -qa selinux-policy
> selinux-policy-3.6.1-8.fc11.noarch
Uhm, did you reboot? You may need a relabel. SOP for me whenever a new
selinux thing comes out:
touch /.autorelabel; reboot
"Just because I'm paranoid doesn't mean they AIN'T out to get me!"
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Perseverance: When you're too damned stubborn to say "I quit!" -
----------------------------------------------------------------------
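The dmesg output quoted above repeats the same few denials many times. As an added example (not part of the original thread), this Python sketch collapses AVC lines into one entry per source type, target type and object class, with the union of denied permissions, so the target labels involved (here `usr_t` and `xauth_home_t`) stand out when deciding whether a relabel is the right fix. The function names are hypothetical; the sample lines are copied from the quoted output.

```python
import re
from collections import defaultdict

# Five lines copied from the dmesg output quoted in the message above.
SAMPLE = """\
type=1400 audit(1228868792.540:4): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868792.546:5): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868932.997:94): avc: denied { read write } for pid=2537 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868932.997:95): avc: denied { read append } for pid=2537 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868986.906:102): avc: denied { unlink } for pid=3315 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    fields["perms"] = m.group(1).split()
    return fields

def selinux_type(context):
    # A context is user:role:type:level; the level may itself contain ':' (s0-s0:c0.c1023).
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["names"].add(rec.get("name", "?"))
        groups[key]["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE).items()):
        print(f"{g['count']:3d}x {src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} on {sorted(g['names'])}")
```

On a live system the same function can be fed the output of `dmesg | grep 'avc'` instead of the embedded sample.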