on machine with CPU -> 100%, lots of avc's

Tom London selinux at gmail.com
Wed Feb 4 20:40:17 UTC 2009


On Wed, Feb 4, 2009 at 10:46 AM, Antonio Olivares
<olivares14031 at yahoo.com> wrote:
>
>
>
> --- On Wed, 2/4/09, Dominick Grift <domg472 at gmail.com> wrote:
>
>> From: Dominick Grift <domg472 at gmail.com>
>> Subject: Re: on machine with CPU -> 100%, lots of avc's
>> To: olivares14031 at yahoo.com
>> Cc: fedora-selinux-list at redhat.com, fedora-test-list at redhat.com
>> Date: Wednesday, February 4, 2009, 9:33 AM
>> On Wednesday 04-02-2009 at 08:39 [timezone -0800],
>> Antonio
>> Olivares wrote:
>>
>> > setroubleshooter does not kick in and I find these via
>> dmesg.
>> > Thanks for help/advice provided.
>>
>> Do you not have auditd enabled? Usually the avc denials are
>> in /var/log/audit/audit.log
>>
>> The avc denials are (most likely) due to missing policy.
>> You can pipe
>> them into the input stream of audit2why to confirm this.
>>
>> > --
>
>
> I wonder what is wrong; auditd is not running :(. It is enabled via services, but it is not working:
>
> [olivares at localhost ~]$ su -
> Password:
> [root at localhost ~]# chkconfig auditd --list
> auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
> [root at localhost ~]# service auditd status
> auditd is stopped
> [root at localhost ~]#
>
>
> Thanks,
>
> Antonio
>
Running "audit2allow -al" on a system booted with "enforcing=0" yields:

[root at tlondon ~]# audit2allow -al


#============= devicekit_power_t ==============
allow devicekit_power_t NetworkManager_t:dir search;
allow devicekit_power_t NetworkManager_t:file { read getattr open };
allow devicekit_power_t audisp_t:dir search;
allow devicekit_power_t audisp_t:file { read getattr open };
allow devicekit_power_t auditd_t:dir search;
allow devicekit_power_t auditd_t:file { read getattr open };
allow devicekit_power_t avahi_t:dir search;
allow devicekit_power_t avahi_t:file { read getattr open };
allow devicekit_power_t crond_t:dir search;
allow devicekit_power_t crond_t:file { read getattr open };
allow devicekit_power_t cupsd_t:dir search;
allow devicekit_power_t cupsd_t:file { read getattr open };
allow devicekit_power_t dhcpc_t:dir search;
allow devicekit_power_t dhcpc_t:file { read getattr open };
allow devicekit_power_t hald_t:dir search;
allow devicekit_power_t hald_t:file { read getattr open };
allow devicekit_power_t kernel_t:dir search;
allow devicekit_power_t kernel_t:file { read getattr open };
allow devicekit_power_t kerneloops_t:dir search;
allow devicekit_power_t kerneloops_t:file { read getattr open };
allow devicekit_power_t nscd_t:dir search;
allow devicekit_power_t nscd_t:file { read getattr open };
allow devicekit_power_t ntpd_t:dir search;
allow devicekit_power_t ntpd_t:file { read getattr open };
allow devicekit_power_t proc_t:file { write read getattr open };
allow devicekit_power_t rpcbind_t:dir search;
allow devicekit_power_t rpcbind_t:file { read getattr open };
allow devicekit_power_t rpm_t:dir search;
allow devicekit_power_t rpm_t:file { read getattr open };
allow devicekit_power_t sendmail_t:dir search;
allow devicekit_power_t sendmail_t:file { read getattr open };
allow devicekit_power_t unconfined_dbusd_t:dir search;
allow devicekit_power_t unconfined_dbusd_t:file { read getattr open };
allow devicekit_power_t xdm_t:dir search;
allow devicekit_power_t xdm_t:file { read getattr open };
allow devicekit_power_t xserver_t:dir search;
allow devicekit_power_t xserver_t:file { read getattr open };

#============= devicekit_t ==============
allow devicekit_t udev_tbl_t:file { read getattr open };
[root at tlondon ~]#

tom

[BTW, SELinux/permissive mode appears to have no impact on the Xorg
issue.  Still at >90%....]

-- 
Tom London
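Added example, not code from the thread or from the audit2allow project: a small parser that takes raw AVC denial lines (the dmesg form seen when auditd is not running, or the audit.log form) and groups them into the same "allow src tgt:class { perms };" summary audit2allow produces, so a run of denials can be triaged before deciding between a relabel and a local policy module. The sample log lines are constructed, including the comm and inode values.

```python
import re
from collections import defaultdict

# Fields shared by the dmesg (kernel log) form, which is where denials land
# when auditd is not running, and the /var/log/audit/audit.log form.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """The type is the third field of user:role:type:level."""
    return context.split(":")[2]


def summarise(lines):
    """Group denials by (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and ordinary dmesg noise carry no avc: fields
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def as_allow_rules(rules):
    """Render like audit2allow: 'allow src tgt:class perm;' or '{ perms }'.
    Permissions are sorted here for a stable result; audit2allow does not sort them."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out


# Constructed sample (not lines from the thread): denials in dmesg form, two of
# which hit the same file class and collapse into one rule, plus a SYSCALL
# record that must be skipped.
SAMPLE = [
    'type=1400 audit(1233780000.123:42): avc:  denied  { search } for  pid=2101 comm="devkit-power-da" name="1532" dev=proc ino=12345 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=dir',
    'type=1400 audit(1233780000.124:43): avc:  denied  { read } for  pid=2101 comm="devkit-power-da" name="stat" dev=proc ino=12346 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=file',
    'type=1400 audit(1233780000.124:44): avc:  denied  { getattr open } for  pid=2101 comm="devkit-power-da" path="/proc/1532/stat" dev=proc ino=12346 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=file',
    'type=1300 audit(1233780000.124:44): arch=c000003e syscall=2 success=no exit=-13 comm="devkit-power-da"',
    'type=1400 audit(1233780000.200:45): avc:  denied  { read } for  pid=2088 comm="devkit-daemon" name="udev.tbl" dev=sda1 ino=777 scontext=system_u:system_r:devicekit_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=file',
]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarise(SAMPLE))))
```

The grouped rules are a triage view only; whether a group means missing policy or a mislabelled file is the question audit2why answers, as the thread notes.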