RHEL 5.3 and sealert -b

ESGLinux esggrupos at gmail.com
Wed Mar 4 08:19:15 UTC 2009


Hello,

Looking at the browser, the advice it gives me about this error is to allow
an access rule in SELinux this way:


#more allowrule

type=AVC msg=audit(1236084821.214:171): avc:  denied  { connectto } for pid=2123 comm="setroubleshootd" path="/var/run/audispd_events" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=unix_stream_socket



This text is taken from audit.log.

#audit2allow -M local < allowrule

******************** IMPORTANT ***********************

To make this policy package active, execute:

semodule -i local.pp



#semodule -i local.pp

Now it works fine.

Why did this happen? It's a mystery...

ESG



2009/3/3 George Magklaras <georgios at biotek.uio.no>

> Hi again,
>
> ESGLinux wrote:
>
>> in /var/log/audit/audit.log there are a lot of logs with AVC
>>> ...
>>>
>>> u:system_r:setroubleshootd_t:s0
>>> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>>> type=AVC msg=audit(1236072678.050:68): avc:  denied  { write } for
>>> pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
>>> scontext=system_u:system_r:setroubleshootd_t:s0
>>> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>>> type=AVC msg=audit(1236072738.057:69): avc:  denied  { write } for
>>> pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
>>> scontext=system_u:system_r:setroubleshootd_t:s0
>>> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>>> type=AVC msg=audit(1236085050.837:8): avc:  denied  { write } for
>>>  pid=2123
>>> comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
>>> scontext=system_u:system_r:setroubleshootd_t:s0
>>> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>>> type=USER_TTY msg=audit(1236085103.658:21): user pid=2940 uid=0 auid=0
>>> subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='grep AVC audit.log '
>>> type=AVC msg=audit(1236085110.848:22): avc:  denied  { write } for
>>> pid=2123 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
>>> scontext=system_u:system_r:setroubleshootd_t:s0
>>> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>>> type=USE
>>>
>>
> These messages indicate that setroubleshootd itself has problems
> communicating with the OS audit daemon. Interesting! Could it be that you
> should try to restart the audit daemon by doing a service auditd stop
> followed by a service auditd start?
>
> If the problem is not cured by this, then you need to look at the context
> of the files being shown in the AVC messages (name="audispd_events" dev=hda8
> ino=16329). I am guessing that this probably refers to a file under
> /var/run:
>
> srw-r-----  root    root    user_u:object_r:audisp_var_run_t audispd_events
> -rw-r--r--  root    root    user_u:object_r:auditd_var_run_t auditd.pid
> drwxr-xr-x  root    root    system_u:object_r:setroubleshoot_var_run_t setroubleshoot
>
>
> You should then have at this point access to these files in the correct
> SELinux context under /var/run and try to make it whinge by executing a
> manually installed version of Open Office 3. You should see the star icon
> popping up.
>
>
>
> --
> George Magklaras BSc Hons MPhil
> RHCE:805008309135525
>
> Senior Computer Systems Engineer/UNIX-Linux Systems Administrator
> EMBnet Technical Management Board
> The Biotechnology Centre of Oslo,
> University of Oslo
> http://folk.uio.no/georgios
>
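Added example, not part of the original message and not audit2allow's own code: a small Python parser that turns AVC denial records like the ones in this thread into the `allow` rules a local module would grant, so the rules can be reviewed before `semodule -i local.pp`. It goes slightly beyond the single denial fed to audit2allow above by merging several records; the sample log is constructed from the thread's lines, joined onto single lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: denials from this thread, each joined onto one line,
# plus a non-AVC record that must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1236084821.214:171): avc:  denied  { connectto } for pid=2123 comm="setroubleshootd" path="/var/run/audispd_events" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1236072678.050:68): avc:  denied  { write } for pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=USER_TTY msg=audit(1236085103.658:21): user pid=2940 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='grep AVC audit.log '
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for AVC denials."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not line.startswith("type=AVC") or not match:
            continue
        fields = dict(FIELD_RE.findall(match.group(2)))
        try:
            # A context is user:role:type:level; the type is the third field.
            source = fields["scontext"].split(":")[2]
            target = fields["tcontext"].split(":")[2]
            key = (source, target, fields["tclass"])
        except (KeyError, IndexError):
            continue  # truncated record (cut off mid-field): skip, do not guess
        rules[key].update(match.group(1).split())
    return dict(rules)

def render_allow_rules(rules):
    """Render the merged denials as type-enforcement allow statements."""
    lines = []
    for (source, target, tclass), perms in sorted(rules.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        lines.append(f"allow {source} {target}:{tclass} {perm_text};")
    return lines

if __name__ == "__main__":
    for rule in render_allow_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```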