Re: selinux denies dmesg
- From: Stephen Smalley <sds tycho nsa gov>
- To: olivares14031 yahoo com
- Cc: fedora-selinux-list redhat com
- Subject: Re: selinux denies dmesg
- Date: Fri, 17 Oct 2008 10:32:53 -0400
On Thu, 2008-10-16 at 15:27 -0700, Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> After recovering from a kernel panic to check up on the filesystem, I run dmesg and I encounter some avc's
>
> [olivares riohigh ~]$ dmesg | grep avc
> type=1400 audit(1224195506.669:4): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.669:5): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.669:6): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.669:7): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:8): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:9): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:10): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:11): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:12): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:13): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
>
>
> I have just updated to a newer kernel 2.6.27-13 and new selinux policy updates :)
>
> [olivares riohigh ~]$ rpm -qa selinux*
> selinux-policy-3.5.12-2.fc10.noarch
> selinux-policy-targeted-3.5.12-2.fc10.noarch
> [olivares riohigh ~]$
>
>
> What do I do?
Enable syscall auditing and find out what syscall triggered the
CAP_SYS_RESOURCE check.
--
Stephen Smalley
National Security Agency
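
Added example (not part of the original message or of any Fedora tooling): with syscall auditing enabled, the kernel emits a SYSCALL record that shares the AVC record's audit event ID, and joining the two on that ID shows which syscall hit the capability check. The second event in the sample, including its syscall number, is constructed for illustration and is not the answer to this thread.

```python
import re

# Kernel printk uses numeric record types (1400 = AVC, 1300 = SYSCALL);
# auditd's audit.log uses names and a "msg=" prefix. Accept both spellings.
RECORD = re.compile(r'type=(\S+) (?:msg=)?audit\((\d+\.\d+:\d+)\): (.*)')
AVC_TYPES = {"AVC", "1400"}
SYSCALL_TYPES = {"SYSCALL", "1300"}

# Line 1 is in the format quoted in the thread (no syscall auditing).
# Lines 2-3 are a CONSTRUCTED event showing what syscall auditing adds.
SAMPLE = """\
type=1400 audit(1224195506.669:4): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=AVC msg=audit(1224200000.100:42): avc:  denied  { sys_resource } for  pid=1600 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=SYSCALL msg=audit(1224200000.100:42): arch=40000003 syscall=4 success=yes exit=78 a0=1 a1=b7f0 a2=4e a3=4e items=0 ppid=1500 pid=1600 comm="dmesg" exe="/bin/dmesg"
"""

def fields(body):
    """Return the key=value pairs of a record body, with quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}

def correlate(log_text):
    """Pair each AVC denial with the SYSCALL record sharing its event ID."""
    avcs, syscalls = [], {}
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype in SYSCALL_TYPES:
            syscalls[event_id] = fields(body)
        elif rtype in AVC_TYPES and "denied" in body:
            perms = re.search(r'\{([^}]*)\}', body)
            avcs.append((event_id, perms.group(1).split() if perms else [], fields(body)))
    results = []
    for event_id, perms, f in avcs:
        sc = syscalls.get(event_id)  # None when syscall auditing was off
        results.append({
            "event": event_id, "comm": f.get("comm"), "perms": perms,
            "arch": sc.get("arch") if sc else None,
            "syscall": sc.get("syscall") if sc else None,
        })
    return results

if __name__ == "__main__":
    for r in correlate(SAMPLE):
        where = f"syscall={r['syscall']} arch={r['arch']}" if r["syscall"] else "no SYSCALL record"
        print(f"{r['event']} {r['comm']} {r['perms']}: {where}")
```

On a live system, `ausearch -m AVC -i` prints the same grouped records with the syscall number translated to a name.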