[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: selinux denies dmesg

From: Antonio Olivares <olivares14031 yahoo com>
To: Stephen Smalley <sds tycho nsa gov>
Cc: fedora-selinux-list redhat com
Subject: Re: selinux denies dmesg
Date: Fri, 17 Oct 2008 08:39:16 -0700 (PDT)



--- On Fri, 10/17/08, Stephen Smalley <sds tycho nsa gov> wrote:

> From: Stephen Smalley <sds tycho nsa gov>
> Subject: Re: selinux denies dmesg
> To: olivares14031 yahoo com
> Cc: fedora-selinux-list redhat com
> Date: Friday, October 17, 2008, 7:32 AM
> On Thu, 2008-10-16 at 15:27 -0700, Antonio Olivares wrote:
> > Dear fellow selinux experts,
> > 
> > After recovering from a kernel panic to check up on
> the filesystem, I run dmesg and I encounter some avc's
> > 
> > [olivares riohigh ~]$ dmesg | grep avc
> > type=1400 audit(1224195506.669:4): avc:  denied  {
> sys_resource } for  pid=1534 comm="dmesg"
> capability=24 scontext=system_u:system_r:dmesg_t:s0
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > type=1400 audit(1224195506.669:5): avc:  denied  {
> sys_resource } for  pid=1534 comm="dmesg"
> capability=24 scontext=system_u:system_r:dmesg_t:s0
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > type=1400 audit(1224195506.669:6): avc:  denied  {
> sys_resource } for  pid=1534 comm="dmesg"
> capability=24 scontext=system_u:system_r:dmesg_t:s0
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > type=1400 audit(1224195506.669:7): avc:  denied  {
> sys_resource } for  pid=1534 comm="dmesg"
> capability=24 scontext=system_u:system_r:dmesg_t:s0
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > type=1400 audit(1224195506.670:8): avc:  denied  {
> sys_resource } for  pid=1534 comm="dmesg"
> capability=24 scontext=system_u:system_r:dmesg_t:s0
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > type=1400 audit(1224195506.670:9): avc:  denied  {
> sys_resource } for  pid=1534 comm="dmesg"
> capability=24 scontext=system_u:system_r:dmesg_t:s0
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > type=1400 audit(1224195506.670:10): avc:  denied  {
> sys_resource } for  pid=1534 comm="dmesg"
> capability=24 scontext=system_u:system_r:dmesg_t:s0
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > type=1400 audit(1224195506.670:11): avc:  denied  {
> sys_resource } for  pid=1534 comm="dmesg"
> capability=24 scontext=system_u:system_r:dmesg_t:s0
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > type=1400 audit(1224195506.670:12): avc:  denied  {
> sys_resource } for  pid=1534 comm="dmesg"
> capability=24 scontext=system_u:system_r:dmesg_t:s0
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > type=1400 audit(1224195506.670:13): avc:  denied  {
> sys_resource } for  pid=1534 comm="dmesg"
> capability=24 scontext=system_u:system_r:dmesg_t:s0
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > 
> > 
> > I have just updated to a newer kernel 2.6.27-13 and
> new selinux policy updates :)
> > 
> > [olivares riohigh ~]$ rpm -qa selinux*
> > selinux-policy-3.5.12-2.fc10.noarch
> > selinux-policy-targeted-3.5.12-2.fc10.noarch
> > [olivares riohigh ~]$ 
> > 
> > 
> > What do I do?
> 
> Enable syscall auditing and find out what syscall triggered
> the
> CAP_SYS_RESOURCE check.
> 
> -- 
> Stephen Smalley
> National Security Agency

How do I do that:

> Enable syscall auditing and find out what syscall triggered
> the
> CAP_SYS_RESOURCE check.
> 

If there is a way to do it?
I feel that Selinux should not get in the way of dmesg and other important system commands.  Why does it deny it?  

Seatroubleshooter has not appeared and on other machine without ext4 I see the following denials:

[olivares localhost ~]$ dmesg | grep 'avc'
type=1400 audit(1224252291.136:4): avc:  denied  { write } for  pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1224252414.451:5): avc:  denied  { execstack } for  pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
[olivares localhost ~]$ dmesg | grep 'avcs'
[olivares localhost ~]$ dmesg | grep avc
type=1400 audit(1224252291.136:4): avc:  denied  { write } for  pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1224252414.451:5): avc:  denied  { execstack } for  pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
[olivares localhost ~]$


Thanks,

Antonio

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Follow-Ups:
- Re: selinux denies dmesg
  - From: Stephen Smalley

References:
- Re: selinux denies dmesg
  - From: Stephen Smalley

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]