too many sealerts, most have been reported, and still see denials

Antonio Olivares olivares14031 at yahoo.com
Sun Sep 13 16:03:14 UTC 2009


> > No, the vast majority of the 'denials' aren't actually
> > denials.  Dan removed all unconfined domains and replaced them with
> > permissive domains.  An unconfined domain allows everything and
> > audits nothing.  A permissive domain allows everything but audits every
> > time there is no allow rule for a given request.
> >
> > This has helped to define the actual needs of many of the unconfined
> > domains.  And hopefully we can remove them entirely in the future.
> > Please keep filing bugs.
> >
Here's one for modprobe.d:

https://bugzilla.redhat.com/show_bug.cgi?id=523039

https://bugzilla.redhat.com/show_bug.cgi?id=523040

Some from dmesg to support the ones on top:

SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
type=1403 audit(1252857173.233:3): policy loaded auid=4294967295 ses=4294967295
load_policy used greatest stack depth: 5448 bytes left
dracut: Switching root
type=1305 audit(1252857175.267:6): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
udev: starting version 145
type=1400 audit(1252857180.016:7): avc:  denied  { read } for  pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc:  denied  { open } for  pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
end_request: I/O error, dev fd0, sector 0
sis900.c: v1.08.10 Apr. 2 2006
sis900 0000:00:04.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
0000:00:04.0: Realtek RTL8201 PHY transceiver found at address 1.
0000:00:04.0: Using transceiver found at address 1 as default
eth0: SiS 900 PCI Fast Ethernet at 0xb000, IRQ 19, 00:16:ec:7d:be:bd
parport_pc 00:09: reported by Plug and Play ACPI
parport0: PC-style at 0x378 (0x778), irq 7 [PCSPP,TRISTATE]
ppdev: user-space parallel port driver
Intel ICH 0000:00:02.7: PCI INT C -> GSI 18 (level, low) -> IRQ 18
intel8x0_measure_ac97_clock: measured 50745 usecs (2442 samples)
intel8x0: clocking to 48000
type=1400 audit(1252857184.249:9): avc:  denied  { read } for  pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:10): avc:  denied  { open } for  pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
device-mapper: multipath: version 1.1.0 loaded
EXT4-fs (dm-0): internal journal on dm-0:8
kjournald starting.  Commit interval 5 seconds
EXT3 FS on sda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 950264k swap on /dev/mapper/vg_n63552-lv_swap.  Priority:-1 extents:1 across:950264k 
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
microcode: CPU0 sig=0xf29, pf=0x4, revision=0x0
platform microcode: firmware: requesting intel-ucode/0f-02-09
type=1400 audit(1252857189.780:11): avc:  denied  { read } for  pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857189.780:12): avc:  denied  { open } for  pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
microcode: CPU1 sig=0xf29, pf=0x4, revision=0x0
platform microcode: firmware: requesting intel-ucode/0f-02-09
Microcode Update Driver: v2.00 <tigran at aivazian.fsnet.co.uk>, Peter Oruba
microcode: CPU0 updated to revision 0x2e, date = 2004-08-11 
microcode: CPU1 updated to revision 0x2e, date = 2004-08-11 
Microcode Update Driver: v2.00 removed.
p4-clockmod: P4/Xeon(TM) CPU On-Demand Clock Modulation available
type=1400 audit(1252857190.717:13): avc:  denied  { read } for  pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857190.717:14): avc:  denied  { open } for  pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
ip6_tables: (C) 2000-2006 Netfilter Core Team
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
eth0: Media Link On 100mbps full-duplex 
Installing knfsd (copyright (C) 1996 okir at monad.swb.de).
SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
eth0: no IPv6 routers present
CPU0 attaching NULL sched-domain.
CPU1 attaching NULL sched-domain.
CPU0 attaching sched-domain:
 domain 0: span 0-1 level SIBLING
  groups: 0 1
CPU1 attaching sched-domain:
 domain 0: span 0-1 level SIBLING
  groups: 1 0
canberra-gtk-pl used greatest stack depth: 5236 bytes left
fuse init (API version 7.12)
SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
[root at n6355-2 ~]# uname -r
2.6.31-2.fc12.i686

Another one filed, but cut + paste failed :(

Regards,

Antonio 
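As an added illustration (not part of Antonio's message or the thread), here is a small Python triage script that parses AVC lines in the format shown above and collapses them by (source type, target type, object class), which is how a pile of near-identical sealert reports reduces to a single missing allow rule. The sample input is constructed from four of the dmesg lines quoted in the message; the function and variable names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC lines copied from the dmesg excerpt above plus
# one unrelated kernel line, to show the parser skipping non-AVC output.
SAMPLE_DMESG = """\
udev: starting version 145
type=1400 audit(1252857180.016:7): avc:  denied  { read } for  pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc:  denied  { open } for  pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:9): avc:  denied  { read } for  pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:10): avc:  denied  { open } for  pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
"""

# audit(<timestamp>:<serial>): avc:  denied  { perm perm } for  key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted

def parse_avc(line):
    """Return a dict for one AVC line, or None for any other kernel line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        # user:role:type[:range]; the type is the third component
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
    }
    rec.update(fields)
    return rec

def summarize(text):
    """Collapse denials into one entry per (source type, target type, tclass)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]   # union of permissions the domain lacks
        g["count"] += 1
        g["comms"].add(rec.get("comm", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (s, t, c), g in summarize(SAMPLE_DMESG).items():
        perms = " ".join(sorted(g["perms"]))
        print(f"{g['count']}x {s} -> {t}:{c} {{ {perms} }} comm={','.join(sorted(g['comms']))}")
```

Each output line corresponds to one rule a policy maintainer would have to add (or one bug to file), regardless of how many times sealert repeated it.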