denied avc's on rawhide

Rick Stevens ricks at nerd.com
Wed Dec 10 00:54:59 UTC 2008 

Antonio Olivares wrote:
>> If you update to selinux-policy-3.6.1-8.fc11.noarch
>> These should be fixed.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>> Comment: Using GnuPG with Fedora -
>> http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkk+2DIACgkQrlYvE4MpobN1TwCdF5LmqDAhnTEkvYVDYeahBzAW
>> ddsAoLmrjp/0XyRA/5kiNLPqDxJ0xega
>> =euz2
>> -----END PGP SIGNATURE-----
> 
> Yes, they are :), thank you very much.  Now selinux is denying the setroubleshoot daemon from kicking in :(, selinux denying itself in some ways.  I got new avcs:
> 
> [olivares at riohigh ~]$ dmesg | grep 'avc'
> type=1400 audit(1228868792.540:4): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir               
> type=1400 audit(1228868792.546:5): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir               
> type=1400 audit(1228868792.569:6): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir               
> type=1400 audit(1228868792.574:7): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir               
> type=1400 audit(1228868792.582:8): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir               
> type=1400 audit(1228868792.600:9): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir               
> type=1400 audit(1228868792.617:10): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868792.647:11): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868792.653:12): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868792.665:13): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868798.247:59): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868798.259:60): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868798.269:61): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868798.277:62): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868798.283:63): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868798.296:64): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868798.304:65): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868798.309:66): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868798.322:67): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868798.354:68): avc:  denied  { write } for  pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir              
> type=1400 audit(1228868811.296:89): avc:  denied  { read } for  pid=2492 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=23265 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file          
> type=1400 audit(1228868811.414:90): avc:  denied  { read } for  pid=2492 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=23265 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file          
> type=1400 audit(1228868818.290:91): avc:  denied  { read } for  pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file          
> type=1400 audit(1228868818.597:92): avc:  denied  { read } for  pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file          
> type=1400 audit(1228868932.171:93): avc:  denied  { read } for  pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file          
> type=1400 audit(1228868932.997:94): avc:  denied  { read write } for  pid=2537 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file                                                                           
> type=1400 audit(1228868932.997:95): avc:  denied  { read append } for  pid=2537 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file                                                                          
> type=1400 audit(1228868978.329:96): avc:  denied  { read } for  pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file          
> type=1400 audit(1228868978.569:97): avc:  denied  { read } for  pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file          
> type=1400 audit(1228868986.153:98): avc:  denied  { read } for  pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.899:99): avc:  denied  { read write } for  pid=3315 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.899:100): avc:  denied  { read append } for  pid=3315 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.901:101): avc:  denied  { read } for  pid=3315 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.906:102): avc:  denied  { unlink } for  pid=3315 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> [olivares at riohigh ~]$ rpm -qa selinux-policy
> selinux-policy-3.6.1-8.fc11.noarch

Uhm, did you reboot?  You may need a relabel.  SOP for me whenever a new
selinux thing comes out:

	touch /.autorelabel; reboot

"Just because I'm paranoid doesn't mean they AIN'T out to get me!"
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-  Perseverance:  When you're too damned stubborn to say "I quit!"   -
----------------------------------------------------------------------

More information about the fedora-test-list mailing list