selinux denials on rawhide. Some I can't get back

Dominick Grift domg472 at gmail.com
Thu Aug 20 12:41:34 UTC 2009


On Thu, Aug 20, 2009 at 05:27:33AM -0700, Antonio Olivares wrote:
> Dear fellow selinux experts,
> 
> I have encountered some weird denials while running rawhide.  But selinux troubleshooter is not allowing me to file bugs.  It just hangs.  While running livecd I was able to file some bugs.  After installing (restoring a rawhide system using livecd), I can't do it.  I will attach a set of denials by selinux.
> 
> Thanks,
> 
> Antonio
> 
> 
> Aug 12 02:41:26 localhost kernel: type=1400 audit(1250062886.941:25230): avc:  denied  { write } for  pid=1590 comm="auditctl" path="/dev/null" dev=tmpfs ino=11264 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:4): avc:  denied  { execute } for  pid=166 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1011 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:5): avc:  denied  { mmap_zero } for  pid=166 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:6): avc:  denied  { execute } for  pid=166 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1113 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.131:7): avc:  denied  { write } for  pid=166 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.131:8): avc:  denied  { open } for  pid=166 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062928.769:9): avc:  denied  { sys_module } for  pid=459 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 12 17:11:37 localhost setroubleshoot: [avc.ERROR] Plugin Exception leaks #012Traceback (most recent call last):#012  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 148, in analyze_avc#012    report = plugin.analyze(avc)#012  File "/usr/share/setroubleshoot/plugins/leaks.py", line 46, in analyze#012    if avc.syscall == 'execve':#012AttributeError: AVC instance has no attribute 'syscall'
> Aug 12 17:36:26 localhost kernel: type=1400 audit(1250116586.288:39547): avc:  denied  { write } for  pid=23025 comm="auditctl" path="/dev/null" dev=tmpfs ino=161648 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 12 17:40:26 localhost kernel: type=1400 audit(1250116826.639:22972): avc:  denied  { write } for  pid=2085 comm="auditctl" path="/dev/null" dev=tmpfs ino=14928 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:4): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:5): avc:  denied  { mmap_zero } for  pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.130:6): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.130:7): avc:  denied  { write } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.131:8): avc:  denied  { open } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165525.340:9): avc:  denied  { sys_module } for  pid=480 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 13 12:40:40 localhost kernel: type=1400 audit(1250185240.254:91): avc:  denied  { write } for  pid=2860 comm="auditctl" path="/dev/null" dev=tmpfs ino=40043 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.229:4): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.230:5): avc:  denied  { mmap_zero } for  pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.231:6): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.231:7): avc:  denied  { write } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.232:8): avc:  denied  { open } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.790:9): avc:  denied  { sys_module } for  pid=463 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 14 17:14:31 localhost kernel: type=1400 audit(1250288071.151:120): avc:  denied  { write } for  pid=2853 comm="auditctl" path="/dev/null" dev=tmpfs ino=83085 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 17 07:46:24 localhost kernel: type=1400 audit(1250513184.418:22958): avc:  denied  { write } for  pid=2188 comm="auditctl" path="/dev/null" dev=tmpfs ino=19698 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.366:4): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.367:5): avc:  denied  { mmap_zero } for  pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.367:6): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.368:7): avc:  denied  { write } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.368:8): avc:  denied  { open } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597974.538:9): avc:  denied  { sys_module } for  pid=435 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 19 15:53:41 localhost dbus: avc:  received policyload notice (seqno=2)
> Aug 19 15:53:41 localhost dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
> Aug 19 16:04:57 localhost kernel: type=1400 audit(1250715897.391:279): avc:  denied  { write } for  pid=5261 comm="auditctl" path="/dev/null" dev=tmpfs ino=283860 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.824:20606): avc:  denied  { unlink } for  pid=1500 comm="chkconfig" name="K88auditd" dev=dm-0 ino=9509 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.825:20607): avc:  denied  { create } for  pid=1500 comm="chkconfig" name="S11auditd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> Aug 20 07:22:57 localhost dbus: avc:  received policyload notice (seqno=2)
> Aug 20 07:22:57 localhost dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)

Join the club :)

I have a shedload of custom policy modules for rawhide. Some of it may not be recommended to add but it does fix most issues.
Have a look here: http://82.197.205.60/~dgrift/stuff/modules/rawhide12/

Also install the latest packages available (koji and 

[root at notebook3 ~]# less /etc/yum.repos.d/koji.repo
[koji]
name=Fedora 12 - x86_64 - Just Born
baseurl=http://koji.fedoraproject.org/static-repos/dist-f12-build-current/x86_64
enabled=0

My rawhide runs surprisingly well, in some regards even better than f11 ...

hth

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
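One way to triage a batch of denials like the one above when setroubleshoot is not usable, as an added example that is not part of this thread: a small Python parser that collapses the kernel AVC lines into unique (source type, target type, object class, permission) tuples with counts, commands and targets. That grouping is the same starting point a policy author uses when deciding whether a denial is a policy bug, a mislabelled file, or a program doing something it should not, and it makes the repeats in Antonio's log (the same vbetool and auditctl denials at every boot) obvious at a glance. The sample log is a constructed subset copied from Antonio's mail; the regular expressions and function names are my own, not anything from setroubleshoot or audit2why.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the kernel AVC lines and one non-AVC
# dbus line from the mail above, in the syslog format shown there.
SAMPLE_LOG = """\
Aug 12 02:41:26 localhost kernel: type=1400 audit(1250062886.941:25230): avc:  denied  { write } for  pid=1590 comm="auditctl" path="/dev/null" dev=tmpfs ino=11264 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:4): avc:  denied  { execute } for  pid=166 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1011 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:5): avc:  denied  { mmap_zero } for  pid=166 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:6): avc:  denied  { execute } for  pid=166 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1113 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062928.769:9): avc:  denied  { sys_module } for  pid=459 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
Aug 12 17:36:26 localhost kernel: type=1400 audit(1250116586.288:39547): avc:  denied  { write } for  pid=23025 comm="auditctl" path="/dev/null" dev=tmpfs ino=161648 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:4): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
Aug 19 15:53:41 localhost dbus: avc:  received policyload notice (seqno=2)
Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.824:20606): avc:  denied  { unlink } for  pid=1500 comm="chkconfig" name="K88auditd" dev=dm-0 ino=9509 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.825:20607): avc:  denied  { create } for  pid=1500 comm="chkconfig" name="S11auditd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
"""

# Matches only kernel AVC denials; dbus USER_AVC notices and setroubleshoot
# tracebacks have no "audit(ts:serial)" prefix and are skipped.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """The third colon-separated field of an SELinux context is the type (e.g. udev_t)."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one syslog line; return a dict for an AVC denial, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        # file/chr_file/lnk_file denials carry path= or name=;
        # capability and memprotect denials carry neither.
        "target": fields.get("path") or fields.get("name"),
        "sdomain": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Collapse repeated denials into (source type, target type, class, permission) groups."""
    groups = defaultdict(lambda: {"count": 0, "comms": set(), "targets": set(),
                                  "first_ts": None, "last_ts": None})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            g = groups[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)]
            g["count"] += 1
            g["comms"].add(rec["comm"])
            if rec["target"]:
                g["targets"].add(rec["target"])
            g["first_ts"] = rec["ts"] if g["first_ts"] is None else min(g["first_ts"], rec["ts"])
            g["last_ts"] = rec["ts"] if g["last_ts"] is None else max(g["last_ts"], rec["ts"])
    return dict(groups)


def report(groups):
    """Human-readable triage lines, most frequent denial first."""
    lines = []
    for (sdom, ttype, tclass, perm), g in sorted(groups.items(), key=lambda kv: -kv[1]["count"]):
        lines.append("%4d  %-12s %-16s %-10s %-10s comm=%s target=%s"
                     % (g["count"], sdom, ttype, tclass, perm,
                        ",".join(sorted(g["comms"])),
                        ",".join(sorted(g["targets"])) or "-"))
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run it over `/var/log/messages` (or the output of `ausearch -m avc`) instead of the embedded sample and the groups with a count per boot, like udev_t executing zero_device_t or auditctl_t writing to device_t, are the ones worth a bug report or a local module; a one-off group with a target the policy has never seen is more often a labelling problem than a policy gap.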