Some AVC denials to consider:

Miroslav Grepl mgrepl at redhat.com
Tue Aug 4 14:29:39 UTC 2009


On 08/04/2009 02:48 PM, Dominick Grift wrote:
> On 08/04/2009 02:40 PM, Dominick Grift wrote:
>> On 08/04/2009 02:37 PM, Miroslav Grepl wrote:
>>> On 08/04/2009 02:30 PM, Dominick Grift wrote:
>>>> dev_rw_generic_files(NetworkManager_t)
>>>>
>>>> allow consoletype_t device_t:file { read getattr ioctl };
>>>>
>>>> xserver_rw_xdm_home_files(staff_dbusd_t)
>>>>
>>>> allow staff_t staff_screen_t:process sigchld;
>>>> allow staff_t print_spool_t:dir getattr;
>>>> allow staff_t screen_var_run_t:fifo_file read;
>>>> dev_rw_dri(staff_t)
>>>>
>>>> allow ifconfig_t device_t:file read;
>>>>
>>>> allow mount_t dgrift_t:unix_stream_socket { read write };
>>>>
>>>> allow nscd_t device_t:file read;
>>>>
>>>> term_use_console(portreserve_t)
>>>>
>>>> allow readahead_t proc_kcore_t:file getattr;
>>>> allow readahead_t self:capability net_admin;
>>>>
>>>> allow rpcbind_t self:udp_socket listen;
>>>>
>>>> allow xdm_dbusd_t xdm_var_lib_t:dir search;
>>>>
>>>> dev_rw_generic_files(auditctl_t)
>>>>
>>>> allow readahead_t self:capability net_admin;
>>>> fs_rw_tmpfs_chr_files(readahead_t)
>>>>
>>>> fprintd_dbus_chat(staff_sudo_t)
>>>>
>>>> fprintd_dbus_chat(staff_t)
>>>>
>>>> fprintd_dbus_chat(fprintd_t)
> Looks like fprintd_dbus_chat(fprintd_t) is a bad translation by 
> audit2allow -R
>>>> -- 
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>> What version of selinux-policy ?
>>>
>>> Regards,
>>> Miroslav
>> selinux-policy-targeted-3.6.12-69.fc11.noarch
>> selinux-policy-3.6.12-69.fc11.noarch
>>
>> on a clean fedora 11 installation (note: semodule -DB could have been 
>> enabled/ not in permissive mode)
>
> If you want to see any specific raw AVC denials let me know
At least there is a problem with /dev/null labeling. For example, from 
your audit.log:

type=AVC msg=audit(1249386885.044:43034): avc:  denied  { read } for  pid=12059 comm="ip" path="/dev/null" dev=tmpfs ino=1005228 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file


/dev/null should be a device and labeled null_device_t

There is a bug relating to /dev/null labeling. Look at the comment from Dan.

https://bugzilla.redhat.com/show_bug.cgi?id=515096#c1
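
The point of Miroslav's diagnosis is that audit2allow -R turns a mislabeled object into a plausible-looking allow rule (allow ifconfig_t device_t:file read;) when the real fix is to relabel the file. The script below is an added example, not code from the thread or from the selinux-policy project: it parses the AVC record quoted above, prints the allow rule audit2allow would derive from it, and flags the denial as a labeling problem when the target's type does not match what the policy expects for that path. The EXPECTED_TYPE table is a constructed stand-in for the policy's file_contexts; on a real system you would ask `matchpathcon /dev/null` or `restorecon -nv /dev/null` instead. The second AVC record (rpcbind listening on a UDP socket) is constructed to match one of Dominick's rules and shows the ordinary case where the rule is the right answer.

```python
import re

# AVC record quoted in the thread above (reflowed onto one line).
SAMPLE_AVC = (
    'type=AVC msg=audit(1249386885.044:43034): avc:  denied  { read } for  pid=12059 '
    'comm="ip" path="/dev/null" dev=tmpfs ino=1005228 '
    'scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file'
)

# Constructed record: a process denied a permission on its own socket
# (scontext == tcontext), which audit2allow renders as "self".
SAMPLE_AVC_SELF = (
    'type=AVC msg=audit(1249386885.100:43035): avc:  denied  { listen } for  pid=1234 '
    'comm="rpcbind" scontext=system_u:system_r:rpcbind_t:s0 '
    'tcontext=system_u:system_r:rpcbind_t:s0 tclass=udp_socket'
)

# Assumption for this example: a tiny stand-in for file_contexts / matchpathcon,
# mapping a path to the type the policy expects on it.
EXPECTED_TYPE = {
    "/dev/null": "null_device_t",
    "/dev/zero": "zero_device_t",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type (index 2 survives any MLS range)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "path": fields.get("path"),
        "comm": fields.get("comm"),
    }


def allow_rule(avc):
    """The allow rule audit2allow would derive from this denial."""
    target = "self" if avc["stype"] == avc["ttype"] else avc["ttype"]
    perms = " ".join(avc["perms"])
    if len(avc["perms"]) > 1:
        perms = "{ %s }" % perms
    return "allow %s %s:%s %s;" % (avc["stype"], target, avc["tclass"], perms)


def triage(line):
    """Decide whether a denial calls for a policy rule or for a relabel."""
    avc = parse_avc(line)
    if avc is None:
        return None
    rule = allow_rule(avc)
    expected = EXPECTED_TYPE.get(avc["path"] or "")
    if expected and expected != avc["ttype"]:
        # The object carries the wrong type: an allow rule would paper over
        # a labeling bug. Relabel it (and check file_contexts) instead.
        return {
            "verdict": "mislabeled",
            "rule": rule,
            "expected": expected,
            "actual": avc["ttype"],
            "fix": "restorecon -v %s" % avc["path"],
        }
    return {"verdict": "policy", "rule": rule, "fix": rule}


if __name__ == "__main__":
    for rec in (SAMPLE_AVC, SAMPLE_AVC_SELF):
        result = triage(rec)
        print("%-10s %s" % (result["verdict"], result["rule"]))
        if result["verdict"] == "mislabeled":
            print("   expected %s, got %s -> %s"
                  % (result["expected"], result["actual"], result["fix"]))
```

Note that restorecon only helps when the policy's file_contexts already carries the right entry for the path; if the policy itself is what is wrong, as the bugzilla link above discusses for this case, the relabel has to wait for a policy update.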
