on machine with CPU -> 100%, lots of avc's
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 10 11:43:42 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Antonio Olivares wrote:
> --- On Wed, 2/4/09, Christopher Beland <beland at alum.mit.edu> wrote:
>
>> From: Christopher Beland <beland at alum.mit.edu>
>> Subject: Re: on machine with CPU -> 100%, lots of avc's
>> To: olivares14031 at yahoo.com
>> Cc: "For testers of Fedora Core development releases" <fedora-test-list at redhat.com>
>> Date: Wednesday, February 4, 2009, 7:45 PM
>> Try (as root):
>>
>> service auditd restart
>>
>> and see if auditd returns OK or FAIL? It might spit out
>> some errors, or
>> put something in /var/log/messages. If it complains about
>> the log not
>> being writable by owner, then "chmod u+w
>> /var/log/audit/*" is what
>> fixed it for me.
>>
>> It could also be an SELinux problem, but only if you have
>> SELINUX=enforcing in /etc/selinux/config. On my test
>> machine, I
>> generally set SELINUX=permissive there so I see avc
>> denials, but
>> everything continues working even if there is an SELinux
>> misconfiguration.
>>
>>> Disable SELinux and AVCs will be gone. Forever.
>> I agree SELinux can be quite frustrating once you start
>> customizing
>> services, and I have been known to turn it off entirely for
>> that reason.
>> But for testing purpose, it's extremely useful to have
>> people like us
>> stumble across avc denials so the general public
>> doesn't have to, and
>> they can enjoy the security benefits.
>>
>> -B.
>
> Thank you for your help, I am now seeing setroubleshooter kick in :)
>
> [olivares at localhost ~]$ su -
> Password:
> [root at localhost ~]# service auditd restart
> Stopping auditd: [FAILED]
> Starting auditd: [FAILED]
> [root at localhost ~]# tail -f /var/log/messages
> Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:5): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:6): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:7): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:8): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:9): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:10): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> Feb 5 11:00:40 localhost auditd: audit log is not writable by owner
> Feb 5 11:00:40 localhost auditd: The audit daemon is exiting.
> Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:11): avc: denied { read write } for pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:12): avc: denied { read write } for pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> ^C
> [root at localhost ~]# chmod u+w /var/log/audit/*
> You have new mail in /var/spool/mail/root
> [root at localhost ~]# service auditd restart
> Stopping auditd: [FAILED]
> Starting auditd: [ OK ]
> [root at localhost ~]# service auditd status
> auditd (pid 3930) is running...
> [root at localhost ~]#
>
> Now I get to see the alerts:
>
>
> Summary:
>
> SELinux is preventing consoletype (consoletype_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by consoletype. It is not expected that this
> access is required by consoletype and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:consoletype_t
> Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects socket [ unix_stream_socket ]
> Source consoletype
> Source Path /sbin/consoletype
> Port <Unknown>
> Host localhost
> Source RPM Packages initscripts-8.89-1
> Target RPM Packages
> Policy RPM selinux-policy-3.6.4-2.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost
> Platform Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1 SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon
> Alert Count 2
> First Seen Thu 05 Feb 2009 11:02:08 AM CST
> Last Seen Thu 05 Feb 2009 11:02:08 AM CST
> Local ID f1514423-f554-4573-bbbc-be7e2ea49653
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost type=SYSCALL msg=audit(1233853328.116:21): arch=40000003 syscall=11 success=yes exit=0 a0=8401580 a1=84015e0 a2=84012e8 a3=84015e0 items=0 ppid=3960 pid=3961 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)
>
> Summary:
>
> SELinux is preventing auditctl (auditctl_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by auditctl. It is not expected that this access
> is required by auditctl and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:auditctl_t
> Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects socket [ unix_stream_socket ]
> Source auditctl
> Source Path /sbin/auditctl
> Port <Unknown>
> Host localhost
> Source RPM Packages audit-1.7.11-2.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.4-2.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost
> Platform Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1 SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon
> Alert Count 2
> First Seen Thu 05 Feb 2009 11:01:56 AM CST
> Last Seen Thu 05 Feb 2009 11:01:56 AM CST
> Local ID 57e3c37f-6698-456e-9d2f-86ad2b68220a
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost type=AVC msg=audit(1233853316.292:19): avc: denied { read write } for pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost type=AVC msg=audit(1233853316.292:19): avc: denied { read write } for pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost type=SYSCALL msg=audit(1233853316.292:19): arch=40000003 syscall=11 success=yes exit=0 a0=83a4c40 a1=83a4e38 a2=83a8350 a3=83a4e38 items=0 ppid=3913 pid=3936 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="auditctl" exe="/sbin/auditctl" subj=unconfined_u:system_r:auditctl_t:s0 key=(null)
>
> I will now check my other two machines to see if auditd is running or not and apply the same fix.
>
> Thank you for helping out again with this problem.
>
> Regards,
>
> Antonio
>
Those all look like leaked file descriptors and would have nothing to do
with audit failing. The devicekit_power avcs from earlier posts should
be fixed in latest policies.
Are you running konsole? This is leaking file descriptors which would
cause these avc messages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmRaG4ACgkQrlYvE4MpobMpsQCgqU7D4TQKuVo1gK2rBjF/Mx4d
YLcAn0EfHcepL85Tz1hAny2G3YHyCkFY
=8b/X
-----END PGP SIGNATURE-----
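Dan's reply separates two things that the log above runs together: the AVC denials (one sockfs inode, 12370, owned by unconfined_t and touched by consoletype_t, auditctl_t and auditd_t in turn, which is what an inherited descriptor from the launching shell or terminal looks like) and the reason auditd actually failed to start (its own "audit log is not writable by owner" message). The following script, an added example that is not part of this thread or of the audit or setroubleshoot projects, parses lines in the format shown above and reports the two findings separately. The leak heuristic (same object, target domain different from the source domain, reached by one or more confined domains) and the advice strings are this example's assumptions; the sample log lines are trimmed copies of the ones in the thread, plus one constructed directory denial to show that ordinary file-access denials are not flagged as leaks.

```python
"""Triage of /var/log/messages lines: leaked-fd AVCs versus auditd failing.

Added example, not code from the mailing-list thread.  The heuristics below
are assumptions made for illustration, not auditd's or SELinux's own logic.
"""
import re
from collections import defaultdict

# Matches the kernel "avc: denied" record, with or without the type=AVC prefix.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)"(?:\s+(?:path|name)="(?P<path>[^"]*)")?'
    r'\s+dev=(?P<dev>\S+)\s+ino=(?P<ino>\d+)'
    r'\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

# auditd's own refusal message, as seen in the thread; this, not the AVCs,
# is why "service auditd restart" reported FAILED.
AUDITD_LOG_PERM_MSG = "audit log is not writable by owner"

# Object classes on which an inherited (leaked) descriptor shows up.
LEAKABLE_CLASSES = {"unix_stream_socket", "unix_dgram_socket", "fd",
                    "file", "chr_file", "fifo_file"}

# Sample input: trimmed copies of lines from the thread, plus one constructed
# directory denial (pid 3900, httpd) that must not be reported as a leak.
SAMPLE_LOG = [
    'Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:5): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
    'Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:7): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
    'Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:9): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
    'Feb 5 11:00:40 localhost auditd: audit log is not writable by owner',
    'Feb 5 11:00:40 localhost auditd: The audit daemon is exiting.',
    # constructed, not from the thread:
    'Feb 5 11:00:41 localhost kernel: type=1400 audit(1233853241.000:13): avc: denied { write } for pid=3900 comm="httpd" name="html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir',
]


def selinux_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["pid"] = int(d["pid"])
    d["ino"] = int(d["ino"])
    d["stype"] = selinux_type(d["scontext"])
    d["ttype"] = selinux_type(d["tcontext"])
    return d


def find_leaked_fds(lines):
    """Map (dev, ino) -> sorted source domains for denials that fit the
    inherited-descriptor pattern: an fd-bearing object whose owner domain
    (tcontext) differs from the confined domain (scontext) that touched it.
    Several confined domains on one inode is the same shell's leak repeated."""
    hits = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["tclass"] not in LEAKABLE_CLASSES:
            continue
        if avc["stype"] == avc["ttype"]:
            continue  # same domain on both sides: not an inherited object
        hits[(avc["dev"], avc["ino"])].add(avc["stype"])
    return {key: sorted(types) for key, types in hits.items()}


def auditd_failure_reason(lines):
    """Return auditd's own error message if it explains a failed start."""
    for line in lines:
        if "auditd:" in line and AUDITD_LOG_PERM_MSG in line:
            return AUDITD_LOG_PERM_MSG
    return None


def triage(lines):
    """Report leaked descriptors and the auditd failure as separate findings."""
    leaks = find_leaked_fds(lines)
    reason = auditd_failure_reason(lines)
    advice = []
    if reason == AUDITD_LOG_PERM_MSG:
        advice.append("auditd refused its log file: chmod u+w /var/log/audit/* "
                      "and restart auditd (the fix that worked in the thread)")
    for (dev, ino), types in leaks.items():
        advice.append(f"{dev} ino={ino}: descriptor inherited by {', '.join(types)} "
                      "from its owner domain; a leaked fd in the launching "
                      "process, unrelated to auditd failing to start")
    return {"leaked_fds": leaks, "auditd_failure": reason, "advice": advice}


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG)["advice"]:
        print(item)
```

Run over the thread's lines, the report lists a single leaked socket reached from three confined domains and, separately, the permission problem that stopped auditd; the constructed httpd/dir denial is parsed but not reported, since a directory is not something a process inherits through an fd.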