on machine with CPU -> 100%, lots of avc's
Antonio Olivares
olivares14031 at yahoo.com
Thu Feb 5 17:05:07 UTC 2009
--- On Wed, 2/4/09, Christopher Beland <beland at alum.mit.edu> wrote:
> From: Christopher Beland <beland at alum.mit.edu>
> Subject: Re: on machine with CPU -> 100%, lots of avc's
> To: olivares14031 at yahoo.com
> Cc: "For testers of Fedora Core development releases" <fedora-test-list at redhat.com>
> Date: Wednesday, February 4, 2009, 7:45 PM
> Try (as root):
>
> service auditd restart
>
> and see if auditd returns OK or FAIL? It might spit out some errors, or
> put something in /var/log/messages. If it complains about the log not
> being writable by owner, then "chmod u+w /var/log/audit/*" is what
> fixed it for me.
>
> It could also be an SELinux problem, but only if you have
> SELINUX=enforcing in /etc/selinux/config. On my test machine, I
> generally set SELINUX=permissive there so I see avc denials, but
> everything continues working even if there is an SELinux
> misconfiguration.
>
> > Disable SELinux and AVCs will be gone. Forever.
>
> I agree SELinux can be quite frustrating once you start customizing
> services, and I have been known to turn it off entirely for that reason.
> But for testing purposes, it's extremely useful to have people like us
> stumble across avc denials so the general public doesn't have to, and
> they can enjoy the security benefits.
>
> -B.
Thank you for your help, I am now seeing setroubleshooter kick in :)
[olivares at localhost ~]$ su -
Password:
[root at localhost ~]# service auditd restart
Stopping auditd: [FAILED]
Starting auditd: [FAILED]
[root at localhost ~]# tail -f /var/log/messages
Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:5): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:6): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:7): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:8): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:9): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:10): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost auditd: audit log is not writable by owner
Feb 5 11:00:40 localhost auditd: The audit daemon is exiting.
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:11): avc: denied { read write } for pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:12): avc: denied { read write } for pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
^C
[root at localhost ~]# chmod u+w /var/log/audit/*
You have new mail in /var/spool/mail/root
[root at localhost ~]# service auditd restart
Stopping auditd: [FAILED]
Starting auditd: [ OK ]
[root at localhost ~]# service auditd status
auditd (pid 3930) is running...
[root at localhost ~]#
Now I get to see the alerts:
Summary:
SELinux is preventing consoletype (consoletype_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by consoletype. It is not expected that this
access is required by consoletype and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:consoletype_t
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects socket [ unix_stream_socket ]
Source consoletype
Source Path /sbin/consoletype
Port <Unknown>
Host localhost
Source RPM Packages initscripts-8.89-1
Target RPM Packages
Policy RPM selinux-policy-3.6.4-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost
Platform Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1 SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon
Alert Count 2
First Seen Thu 05 Feb 2009 11:02:08 AM CST
Last Seen Thu 05 Feb 2009 11:02:08 AM CST
Local ID f1514423-f554-4573-bbbc-be7e2ea49653
Line Numbers
Raw Audit Messages
node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=SYSCALL msg=audit(1233853328.116:21): arch=40000003 syscall=11 success=yes exit=0 a0=8401580 a1=84015e0 a2=84012e8 a3=84015e0 items=0 ppid=3960 pid=3961 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)
Summary:
SELinux is preventing auditctl (auditctl_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by auditctl. It is not expected that this access
is required by auditctl and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:auditctl_t
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects socket [ unix_stream_socket ]
Source auditctl
Source Path /sbin/auditctl
Port <Unknown>
Host localhost
Source RPM Packages audit-1.7.11-2.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.4-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost
Platform Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1 SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon
Alert Count 2
First Seen Thu 05 Feb 2009 11:01:56 AM CST
Last Seen Thu 05 Feb 2009 11:01:56 AM CST
Local ID 57e3c37f-6698-456e-9d2f-86ad2b68220a
Line Numbers
Raw Audit Messages
node=localhost type=AVC msg=audit(1233853316.292:19): avc: denied { read write } for pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=AVC msg=audit(1233853316.292:19): avc: denied { read write } for pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=SYSCALL msg=audit(1233853316.292:19): arch=40000003 syscall=11 success=yes exit=0 a0=83a4c40 a1=83a4e38 a2=83a8350 a3=83a4e38 items=0 ppid=3913 pid=3936 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="auditctl" exe="/sbin/auditctl" subj=unconfined_u:system_r:auditctl_t:s0 key=(null)
I will now check my other two machines to see if auditd is running or not and apply the same fix.
Thank you for helping out again with this problem.
Regards,
Antonio
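Editor's added example (not part of the thread, and not Fedora or audit project code): a small Python script that parses the AVC denial lines shown above, both the /var/log/messages form (kernel: type=1400 ...) and the raw setroubleshoot form (node=... type=AVC ...), and counts denials by source domain, target type, object class and permission set, so the three domains hitting the same socket (consoletype_t, auditctl_t, auditd_t) stand out at a glance. It also includes a simplified stand-in for the check behind auditd's "audit log is not writable by owner" message, demonstrated on a scratch file rather than on /var/log/audit. The sample lines are copied from this mail; the function names and the permission-check logic are my own assumptions.

```python
"""Summarize SELinux AVC denials from syslog or raw audit output and show a
simplified form of the owner-writable check that auditd applies to its log.

Added example for this thread; function names and the check are assumptions."""
import os
import re
import stat
import tempfile
from collections import Counter

# Sample input copied from the thread. The auditd line is not an AVC record and
# is included to show that the parser ignores it.
SAMPLE_LOG = """\
Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:5): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:7): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:9): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost auditd: audit log is not writable by owner
node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

# "avc: denied { read write } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split an SELinux context 'user:role:type[:range]' into its parts."""
    parts = ctx.split(":", 3) + ["", "", "", ""]
    return {"user": parts[0], "role": parts[1], "type": parts[2], "range": parts[3]}


def parse_avc(line):
    """Return a dict for an AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": tuple(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The third component of a context is the type: the source domain
    # (e.g. consoletype_t) and the target type (e.g. unconfined_t).
    rec["stype"] = parse_context(rec.get("scontext", ""))["type"]
    rec["ttype"] = parse_context(rec.get("tcontext", ""))["type"]
    return rec


def summarize_denials(lines):
    """Count denials keyed by (source type, target type, class, permissions)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["verdict"] == "denied":
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts


def audit_log_writable_by_owner(path):
    """Simplified stand-in (assumption) for the condition behind auditd's
    'audit log is not writable by owner': the owner write bit must be set.
    Uses the mode bits rather than os.access() so the result is the same for root."""
    return bool(os.stat(path).st_mode & stat.S_IWUSR)


def demo_permission_check():
    """Show the check on a scratch file: fails at 0400, passes after the
    equivalent of 'chmod u+w'. Returns (before, after)."""
    fd, path = tempfile.mkstemp(prefix="audit.log.")
    os.close(fd)
    try:
        os.chmod(path, 0o400)
        before = audit_log_writable_by_owner(path)
        os.chmod(path, 0o600)  # same effect as chmod u+w on a 0400 file
        after = audit_log_writable_by_owner(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for (stype, ttype, tclass, perms), n in summarize_denials(SAMPLE_LOG.splitlines()).items():
        print(f"{n:3d}  {stype} -> {ttype}  {tclass}  {{ {' '.join(perms)} }}")
    print("owner-writable before/after chmod u+w:", demo_permission_check())
```

Run against a real system, feed it `grep avc /var/log/messages` or `ausearch -m avc` output; a denial summary where several unrelated domains all hit the same `unix_stream_socket` inode, as here, points at an inherited file descriptor rather than at any one service, which is what the setroubleshoot reports above are showing.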