[redhat-lspp] SE Linux avc denial and syscall successful
Steve Grubb
sgrubb at redhat.com
Tue Nov 8 15:01:46 UTC 2005
Hi,
ausearch -m AVC -sv yes -sc stat
time->Mon Nov 7 08:16:13 2005
type=PATH msg=audit(1131369373.260:35): item=0
name="/usr/share/man/man1/mailq.postfix.1.gz" flags=1 inode=7065730
dev=08:07 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1131369373.260:35): cwd="/var/spool/postfix"
type=AVC_PATH msg=audit(1131369373.260:35):
path="/usr/share/man/man1/mailq.postfix.1.gz"
type=SYSCALL msg=audit(1131369373.260:35): arch=c000003e syscall=4 success=yes
exit=0 a0=6ce940 a1=7fffff96cf40 a2=7fffff96cf40 a3=0 items=1 pid=2072
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="sh" exe="/bin/bash"
type=AVC msg=audit(1131369373.260:35): avc: denied { getattr } for pid=2072
comm="sh" name="mailq.postfix.1.gz" dev=sda7 ino=7065730
scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:object_r:man_t:s0 tclass=file
There seems to be a problem in either policy, audit code, or the kernel code
for stat syscalls. When I run the above search on my x86_64 machine, I am
finding that the syscall reported success, yet there was an AVC denial. I do
not run my machines in permissive mode.
Also look at "aureport -a --success -i | grep -v granted"
-Steve
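
The correlation that the ausearch query above performs, as an added example that is not part of the original post: it groups records by their shared audit(timestamp:serial) identifier and reports events that hold both an AVC denial and a SYSCALL record with success=yes. It assumes one record per line, as in the raw audit log; the function name and the second sample event (serial 36) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the event from the post (each record joined onto one line)
# plus one constructed event (serial 36) where the denial and the failure agree.
SAMPLE = """\
type=SYSCALL msg=audit(1131369373.260:35): arch=c000003e syscall=4 success=yes exit=0 pid=2072 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1131369373.260:35): avc: denied { getattr } for pid=2072 comm="sh" name="mailq.postfix.1.gz" dev=sda7 ino=7065730 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
type=SYSCALL msg=audit(1131369380.100:36): arch=c000003e syscall=4 success=no exit=-13 pid=2080 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1131369380.100:36): avc: denied { getattr } for pid=2080 comm="sh" name="example.gz" dev=sda7 ino=1 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
DENIAL = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def mismatched_events(text):
    """Return events that hold an AVC denial and a SYSCALL with success=yes."""
    events = defaultdict(lambda: {"syscall": None, "denials": []})
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record (e.g. ausearch "time->" separators)
        rtype, stamp, serial, body = m.groups()
        event = events[(stamp, serial)]  # records of one event share timestamp:serial
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "SYSCALL":
            event["syscall"] = fields
        elif rtype == "AVC":
            d = DENIAL.search(body)
            if d:  # skip "granted" AVC records
                event["denials"].append((d.group(1).split(), fields))
    hits = []
    for (stamp, serial), event in sorted(events.items()):
        sc = event["syscall"]
        if sc and sc.get("success") == "yes":
            for perms, avc in event["denials"]:
                hits.append({"event": f"{stamp}:{serial}", "syscall": sc.get("syscall"),
                             "perms": perms, "scontext": avc.get("scontext"),
                             "tcontext": avc.get("tcontext"), "tclass": avc.get("tclass")})
    return hits

if __name__ == "__main__":
    for hit in mismatched_events(SAMPLE):
        print(hit)
```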