too many selinux alerts, after touch ./ autorelabel reboot
Antonio Olivares
olivares14031 at yahoo.com
Tue Aug 21 23:48:51 UTC 2007
Dear all,
selinux on rawhide is cranking out many denials. These do not show up on dmesg. What is happening? I do not know enough to help myself fix them.
Here's one of them
Summary
SELinux is preventing dhclient-script (dhcpc_t) "getattr" to /sbin/setfiles
(setfiles_exec_t).
Detailed Description
SELinux denied access requested by dhclient-script. It is not expected that
this access is required by dhclient-script and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /sbin/setfiles, restorecon -v
/sbin/setfiles If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context user_u:system_r:dhcpc_t
Target Context system_u:object_r:setfiles_exec_t
Target Objects /sbin/setfiles [ file ]
Affected RPM Packages policycoreutils-2.0.19-1.fc8 [target]
Policy RPM selinux-policy-2.6.5-2.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name localhost
Platform Linux localhost 2.6.21-1.3194.fc7 #1 SMP Wed May
23 22:35:01 EDT 2007 i686 athlon
Alert Count 1
First Seen Tue 21 Aug 2007 07:41:12 AM CDT
Last Seen Tue 21 Aug 2007 07:41:12 AM CDT
Local ID 73dc2e0c-fc2c-496f-8f0e-87e72cfd3ce5
Line Numbers
Raw Audit Messages
avc: denied { getattr } for comm="dhclient-script" dev=dm-0 egid=0 euid=0
exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="setfiles"
path="/sbin/setfiles" pid=3563 scontext=user_u:system_r:dhcpc_t:s0 sgid=0
subj=user_u:system_r:dhcpc_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:setfiles_exec_t:s0 tty=(none) uid=0
SELinux is preventing /usr/bin/uptime (logwatch_t) "read write" to utmp (initrc_var_run_t).
SELinux is preventing /usr/bin/uptime (logwatch_t) "read" to utmp (initrc_var_run_t).
SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).
SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to sbin (bin_t).
This one is a major one:
SELinux prevented /sbin/ldconfig from using the terminal /dev/pts/0.
Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1."
The following command will allow this access:
setsebool -P allow_daemons_use_tty=1
There are some more, but in reality I cannot understand why they do not show up on a regular dmesg. How can I cure all these selinux denials? This is reminiscent of the installation of Fedora 7, with too many problems with selinux.
Sorry to complain, but I need some help. I hope that I am not the only one with these kinds of errors.
Regards,
Antonio
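An added example, not part of the original post: a small Python triage script that collapses a pile of AVC denials like the ones above into one entry per (source domain, target type, object class), so repeated alerts can be reviewed as a short list. The first sample record is the raw audit message from the post re-joined onto one line; the other two records are constructed from the post's one-line summaries (their user, role and tclass values are assumptions), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Record 1: the raw audit message quoted in the post, re-joined onto one line.
# Records 2-3: constructed from the post's summaries (tclass=file is assumed).
SAMPLE = """\
avc: denied { getattr } for comm="dhclient-script" dev=dm-0 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="setfiles" path="/sbin/setfiles" pid=3563 scontext=user_u:system_r:dhcpc_t:s0 sgid=0 subj=user_u:system_r:dhcpc_t:s0 suid=0 tclass=file tcontext=system_u:object_r:setfiles_exec_t:s0 tty=(none) uid=0
avc: denied { read write } for comm="uptime" name="utmp" scontext=system_u:system_r:logwatch_t:s0 tclass=file tcontext=system_u:object_r:initrc_var_run_t:s0
avc: denied { read } for comm="uptime" name="utmp" scontext=system_u:system_r:logwatch_t:s0 tclass=file tcontext=system_u:object_r:initrc_var_run_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """A context is user:role:type[:level]; return the type, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: skip rather than guess
    source = context_type(fields["scontext"])
    target = context_type(fields["tcontext"])
    if source is None or target is None:
        return None  # malformed context
    return {"perms": set(m.group(1).split()), "source": source,
            "target": target, "tclass": fields["tclass"],
            "comm": fields.get("comm", "?")}


def summarize(text):
    """Collapse denials into (source, target, class) -> set of permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```
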