SELinux troubleshooting

Lopez, Denise dlopez at humnet.ucla.edu
Tue Dec 5 00:37:44 UTC 2006


Dear Daniel,

Thanks for the help. I decided to create a custom policy with
audit2allow.  It seemed to work since I am not getting any more avc
denied messages. I did see the following errors though and I was
wondering what they meant.

This means the custom policy was applied.
Dec  4 15:45:10 dev kernel: security:  3 users, 4 roles, 355 types, 26 bools
Dec  4 15:45:10 dev kernel: security:  55 classes, 22587 rules

I was just wondering what these meant?
Dec  4 15:45:10 dev dbus: Can't send to audit system: USER_AVC pid=3327 uid=81 loginuid=-1 message=avc:  received policyload notice (seqno=3)
Dec  4 15:45:10 dev dbus: Can't send to audit system: USER_AVC pid=3327 uid=81 loginuid=-1 message=avc:  0 AV entries and 0/512 buckets used, longest chain length 0

Thanks in advance.

Denise Lopez
UCLA Center for Digital Humanities
Network Services
Systems Engineer
337 Charles E. Young Drive East
PPB 1020
Los Angeles, CA 90095
310/206-8216

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at redhat.com] 
Sent: Friday, December 01, 2006 1:59 PM
To: Lopez, Denise
Cc: fedora-selinux-list at redhat.com
Subject: Re: SELinux troubleshooting

Lopez, Denise wrote:
>
> Hello everyone,
>
> I keep getting the following messages in my messages log about every
> 30 seconds or so.  I have SELinux set to enforcing and targeted mode.
> If I do a getenforce on the command line it returns enforcing.
>
> Dec  1 12:31:03 dev kernel: audit(1165005063.015:258313): avc: denied { getattr } for  pid=31342 comm="snmpd" name="/" dev=sda3 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:home_root_t tclass=dir
>
> I need help deciphering what is happening.  I have a snmpd daemon 
> running that responds to queries from a Nagios host that performs 
> service checks.
>
snmp is trying to getattr /home, which is being denied by SELinux.  The
latest policy looks like this is allowed.  So you can either update to
the latest policy, or you can use

grep snmpd_t /var/log/audit/audit.log | audit2allow -M mysnmp

and load your own custom policy.

> Thanks in advance.
>
> Denise Lopez
>
> UCLA Center for Digital Humanities
>
> Network Services
>
> Systems Engineer
>
> 337 Charles E. Young Drive East
>
> PPB 1020
>
> Los Angeles, CA 90095
>
> 310/206-8216
>




