mrtg selinux denials in default configuration

Daniel J Walsh dwalsh at redhat.com
Tue Apr 15 13:57:26 UTC 2008


David Timms wrote:
> Daniel J Walsh wrote:
>> # semanage user -l
>> # semanage login -l
> #assume DJW_REQUESTING_RESULT:
> 
> # semanage user -l
>                Labeling   MLS/     MLS/
> SELinux User   Prefix     MCS Lvl  MCS Range             SELinux Roles
> 
> root           user       s0       SystemLow-SystemHigh  system_r staff_r unconfined_r sysadm_r
> staff_u        user       s0       SystemLow-SystemHigh  system_r staff_r sysadm_r
> sysadm_u       user       s0       SystemLow-SystemHigh  sysadm_r
> system_u       user       s0       SystemLow-SystemHigh  system_r
> unconfined_u   unconfined s0       SystemLow-SystemHigh  system_r unconfined_r
> user_u         user       s0       s0                    user_r
> 
> # semanage login -l
> Login Name                SELinux User              MLS/MCS Range
> 
> 
> __default__               unconfined_u              SystemLow-SystemHigh
> root                      unconfined_u              SystemLow-SystemHigh
> system_u                  system_u                  SystemLow-SystemHigh
> 
> As an aside, I erased mrtg yesterday - no more mrtg denials.
> Reinstalled mrtg just now, mrtg denials every five minutes. It is also
> possible that when originally installed under F8, that I attempted to
> configure it, but I can't find any evidence of that in /etc ...etc. My
> other machine doesn't popup the denials with a default install, so I
> expect there must be some invalid or selinux not configured to match
> service requirements.
> ===
> Actually running same -l on another f9beta notebook:
> # semanage user -l {has the ones above plus:}
> 
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range  SELinux Roles
> 
> guest_u         guest      s0         s0         guest_r
> xguest_u        xguest     s0         s0         xguest_r
> 
> # semanage login -l   {same 3 items, except the selinux user for root is different}.
> Login Name                SELinux User              MLS/MCS Range
> 
> 
> root                      root                      SystemLow-SystemHigh
> 
> Given autorelabel doesn't seem to solve it, is it worth {possible} to
> rpm -e the targeted policy, then reinstall it - or am I barking up the
> wrong tree ?
> =====
> 
> DaveT.
> 
Ok, I looked at the bugzilla; it looks like mrtg is execing top, which is
reading all process /proc information.  Does it need to be able to read
all this, or can I dontaudit it?