many avcs at startup, readahead and several others

Tom London selinux at gmail.com
Wed Sep 3 22:14:16 UTC 2008


On Wed, Sep 3, 2008 at 2:14 PM, Antonio Olivares <olivares14031 at yahoo.com> wrote:
>
> --- On Wed, 9/3/08, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>> From: Daniel J Walsh <dwalsh at redhat.com>
>> Subject: Re: many avcs at startup, readahead and several others
>> To: olivares14031 at yahoo.com, "For testers of Fedora Core development releases" <fedora-test-list at redhat.com>
>> Cc: "Tom London" <selinux at gmail.com>, fedora-selinux-list at redhat.com
>> Date: Wednesday, September 3, 2008, 10:14 AM
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Antonio Olivares wrote:
>> > --- On Tue, 9/2/08, Tom London <selinux at gmail.com> wrote:
>> >
>> >> I'm running selinux-policy-targeted-3.5.5-3.fc10.noarch and
>> >> selinux-policy-3.5.5-3.fc10.noarch.
>> >>
>> >> and on my system ~/.pulse is:
>> >> [tbl at tlondon ~]$ ls -ld .pulse
>> >> drwx------ 2 tbl tbl 4096 2008-09-02 19:48 .pulse
>> >> [tbl at tlondon ~]$ ls -ldZ .pulse
>> >> drwx------  tbl tbl system_u:object_r:gnome_home_t:s0 .pulse
>> >> [tbl at tlondon ~]$
>> >>
>> >> On yours, it seems to be user_home_t.
>> >>
>> >> type=1400 audit(1220391480.206:24): avc:  denied  { setattr } for  pid=3267 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>> >>
>> >> Are you running the same policy?  Did you update from F9?
>> >
>> > [olivares at localhost ~]$ cat .selinux-policy.txt
>> > selinux-policy-targeted-3.5.5-3.fc10.noarch
>> > selinux-policy-3.5.5-3.fc10.noarch
>> > [olivares at localhost ~]$ ls -ld .pulse
>> > drwx------ 2 olivares olivares 4096 2008-09-03 07:00 .pulse
>> > [olivares at localhost ~]$ ls -ldZ .pulse
>> > drwx------  olivares olivares system_u:object_r:gnome_home_t   .pulse
>> > [olivares at localhost ~]$
>> >
>> > I did a
>> > # touch ./autorelabel; reboot
>> >
>> > and the denied avcs still appear :(.  Wonder what is happening?
>> >> tom
>> >> --
>> >> Tom London
>> >
>> Which AVCs still appear?
>
> After applying today's updates,
>
> [olivares at localhost ~]$ dmesg | grep 'avc'
> type=1400 audit(1220475941.234:4): avc:  denied  { read write } for  pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
> type=1400 audit(1220475941.235:5): avc:  denied  { read write } for  pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
> type=1400 audit(1220475941.235:6): avc:  denied  { read write } for  pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
> type=1400 audit(1220475942.150:7): avc:  denied  { fowner } for  pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
> type=1400 audit(1220475942.150:8): avc:  denied  { fowner } for  pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
> type=1400 audit(1220475942.155:9): avc:  denied  { fowner } for  pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
> type=1400 audit(1220475942.651:10): avc:  denied  { fowner } for  pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
> type=1400 audit(1220475968.477:11): avc:  denied  { write } for  pid=1475 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> type=1400 audit(1220475969.949:12): avc:  denied  { write } for  pid=1697 comm="ip" path="/0" dev=devpts ino=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> type=1400 audit(1220476005.919:13): avc:  denied  { search } for  pid=1958 comm="pcscd" name="dbus" dev=dm-0 ino=3276848 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
> type=1400 audit(1220476026.870:14): avc:  denied  { search } for  pid=2368 comm="python" name="hp" dev=dm-0 ino=28345940 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
> type=1400 audit(1220476026.972:15): avc:  denied  { execute } for  pid=2417 comm="gdm" name="rpm" dev=dm-0 ino=24117291 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
> type=1400 audit(1220476026.973:16): avc:  denied  { getattr } for  pid=2417 comm="gdm" path="/bin/rpm" dev=dm-0 ino=24117291 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
> type=1400 audit(1220476026.973:17): avc:  denied  { getattr } for  pid=2417 comm="gdm" path="/bin/rpm" dev=dm-0 ino=24117291 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
> type=1400 audit(1220476028.580:18): avc:  denied  { search } for  pid=2449 comm="python" name="hp" dev=dm-0 ino=28345940 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
> [olivares at localhost ~]$
> [olivares at localhost ~]$ uname -a
> Linux localhost 2.6.27-0.297.rc5.git2.fc10.i686 #1 SMP Tue Sep 2 11:19:36 EDT 2008 i686 athlon i386 GNU/Linux
>
OK, so running "restorecon" on your home directory got rid of the
pulse-related AVCs.

Are you booting/running in enforcing or permissive mode?

tom
-- 
Tom London
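As an added example (not from this thread, and not a Fedora or SELinux project tool), here is a small shell script for triaging a dump like the one Antonio posted. It collapses raw AVC records into one line per distinct source type, target type, object class and permission set, with a count, so the dozen readahead/console lines above become a single entry; and it answers Tom's question about the mode by reading the kernel's enforce flag. The sample AVC lines are constructed in the shape of the ones posted (the duplicated readahead line is deliberate, to show counting), and the path of the enforce flag is passed as an argument so the check can be exercised on an ordinary file; the default path assumed is the modern /sys/fs/selinux mount, while a 2008 system would use /selinux/enforce.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage a pile of SELinux AVC
# records and report the enforcing/permissive mode. Runs offline.

# Constructed sample in the exact shape of the dmesg lines posted above;
# the repeated readahead line is deliberate, the last line is noise.
SAMPLE_AVCS='type=1400 audit(1220475941.234:4): avc:  denied  { read write } for  pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475941.235:5): avc:  denied  { read write } for  pid=613 comm="readahead" path="/dev/console" dev=tmpfs ino=410 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220475942.150:7): avc:  denied  { fowner } for  pid=613 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220391480.206:24): avc:  denied  { setattr } for  pid=3267 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
Sep  3 12:00:00 localhost kernel: unrelated line that must be ignored'

# Reduce AVC records on stdin to "count source_type target_type tclass {perms}",
# most frequent first. Only the type field of each context is kept: the
# user, role and MLS range (s0-s0:c0.c1023) are noise for this triage.
summarize_avcs() {
    grep 'avc:  denied' \
    | sed -E 's/.*denied  \{ ([^}]*) \} for .*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([^ ]*).*/\2 \3 \4 {\1}/' \
    | sort | uniq -c | sort -rn | sed -E 's/^ *//'
}

# Print "enforcing" or "permissive" from the kernel's enforce flag.
# Default path assumes the /sys/fs/selinux mount of current kernels;
# a 2008 Fedora box had it at /selinux/enforce. Any readable file works.
selinux_mode() {
    f="${1:-/sys/fs/selinux/enforce}"
    [ -r "$f" ] || { echo "unknown"; return 1; }
    case "$(cat "$f")" in
        1) echo "enforcing" ;;
        0) echo "permissive" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Stand-alone run: summarize the sample, then report the live mode if any.
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
selinux_mode || true
```

Two caveats worth keeping in mind when reading a list like Antonio's. In permissive mode every denial is logged, so the whole list appears at once; in enforcing mode the first denial usually stops the program and the later ones never show up, which is why the mode matters for interpreting the output. And `dmesg | grep avc` only shows what reached the kernel ring buffer before auditd started; once auditd is running, AVCs land in /var/log/audit/audit.log and `ausearch -m avc` is the way to pull them. The summary also makes the two kinds of denial easy to tell apart: a target type that is simply wrong for the file (user_home_t on ~/.pulse where the policy expects gnome_home_t) is a labeling problem that restorecon fixes, whereas a denial against a correctly labeled target, such as readahead_t on tmpfs_t for /dev/console, is a policy gap to report.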
