selinux April 2004

selinux@lists.fedoraproject.org

84 participants
96 discussions

setting files attributes
by Gene Czarcinski 15 Apr '04

15 Apr '04

I had an experience yesterday which has given me pause for thought. I was working with Dan Walsh to get the policy correct to run the X after the xorg-x11-* update which renamed a lot of things including /usr/X11R6/bin/XFree86 -> /usr/X11R6/bin/Xorg. After installing the updated packages (which should be in development/rawhide later today), he informed me I needed to run the following: restorecon /usr/bin/X11/Xorg restorecon /var/log/Xorg* and I dutifully did that. Then I tried to do "telinit 5" with enforcing=1 again and, again, the X server startup failed. After some looking around I came to realize the following: The path specified makes a difference. The full path specified in policy is /usr/X11R6/bin/Xorg where I was using /usr/bin/X11/Xorg. The result of restorecon /usr/bin/X11/Xorg is -rws--x--x+ root root system_u:object_r:bin_t \ /usr/bin/X11/Xorg whereas the result of running restorecon /usr/X11R6/Xorg is -rws--x--x+ root root system_u:object_r:xserver_exec_t /usr/bin/X11/Xorg OK, besides sending this message to give folks some warning when they install the new xor-x11-* and the new policy (1.11.2-3 or later) is that I do not complete understand what is done when I do a system wide relabel. What make -C /etc/security/selinux/src/policy/ relabel appears to do is to go through the all mounted filesystems and set the attributes depending on the rules it has. The question is, does it follow symbolic links or not. If it does not, then there should not be a problem as long as all of the policy rules always use the actual (non-symbolic-link) path AND make sure we do also if we do something manually. However, I can see a problem occurring if it does follow symbolic links because the process likely occurs in sorted order. Now /tmp is clears (or so it says and, I hope, that means /var/tmp/ also), so I should not be able to rename /usr/X11R6/bin/Xorg. However, what if I had a symbolic link from my home directory to something in /etc. Would that get mislabeled? Gene

2 2

A lot of AVC messages running "make install" from the kernel source dir.
by Aleksey Nogin 15 Apr '04

15 Apr '04

If I install the kernel-source package and build a custom kernel, then at "make install" I see: rm: ??????? ??????? ??????????: Permission denied rm: ??????? ??????? ??????????: Permission denied rm: remove.c:378: AD_pop_and_chdir: Assertion `AD_stack_height (ds)' failed. /sbin/mkinitrd: line 678: 11649 Aborted rm -rf $MNTIMAGE $MNTPOINT $IMAGE grubby: error moving /boot/grub/grub.conf- to /boot/grub/grub.conf: Permission denied And I see a huge number of AVC messages. Some of them are obviously a bug (the grub.conf- should be created as bootloader_t, not as etc_t), and for others I am not sure what would be the right thing to do. audit(1081938574.814:0): avc: denied { search } for pid=11483 exe=/bin/bash name=src dev=hda2 ino=4627617 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938574.816:0): avc: denied { search } for pid=11484 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938575.176:0): avc: denied { search } for pid=11487 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938575.397:0): avc: denied { search } for pid=11491 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938575.398:0): avc: denied { search } for pid=11492 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938576.040:0): avc: denied { search } for pid=11492 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938576.040:0): avc: denied { search } for pid=11492 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938576.400:0): avc: denied { search } for pid=11495 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938576.402:0): avc: denied { search } for pid=11496 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938576.403:0): avc: denied { search } for pid=11497 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938576.405:0): avc: denied { search } for pid=11497 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938576.406:0): avc: denied { search } for pid=11497 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938576.406:0): avc: denied { search } for pid=11494 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938576.779:0): avc: denied { search } for pid=11500 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938576.782:0): avc: denied { search } for pid=11503 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938576.786:0): avc: denied { search } for pid=11505 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938576.844:0): avc: denied { search } for pid=11506 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938576.847:0): avc: denied { search } for pid=11506 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938576.847:0): avc: denied { search } for pid=11506 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938576.966:0): avc: denied { search } for pid=11511 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938576.966:0): avc: denied { search } for pid=11511 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.352:0): avc: denied { search } for pid=11516 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.352:0): avc: denied { search } for pid=11516 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.375:0): avc: denied { search } for pid=11521 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.375:0): avc: denied { search } for pid=11521 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.540:0): avc: denied { search } for pid=11523 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.543:0): avc: denied { search } for pid=11523 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.543:0): avc: denied { search } for pid=11523 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.544:0): avc: denied { search } for pid=11524 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.549:0): avc: denied { search } for pid=11525 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.551:0): avc: denied { search } for pid=11525 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.551:0): avc: denied { search } for pid=11525 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.643:0): avc: denied { search } for pid=11527 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.646:0): avc: denied { search } for pid=11528 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.652:0): avc: denied { search } for pid=11530 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.654:0): avc: denied { search } for pid=11531 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.658:0): avc: denied { search } for pid=11532 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.660:0): avc: denied { search } for pid=11532 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.660:0): avc: denied { search } for pid=11532 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.663:0): avc: denied { search } for pid=11533 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.665:0): avc: denied { search } for pid=11533 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.665:0): avc: denied { search } for pid=11533 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.669:0): avc: denied { search } for pid=11536 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.674:0): avc: denied { search } for pid=11539 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.679:0): avc: denied { search } for pid=11541 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.683:0): avc: denied { search } for pid=11542 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.686:0): avc: denied { search } for pid=11542 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.687:0): avc: denied { search } for pid=11542 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.733:0): avc: denied { search } for pid=11545 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.737:0): avc: denied { search } for pid=11547 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.741:0): avc: denied { search } for pid=11548 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.743:0): avc: denied { search } for pid=11548 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.744:0): avc: denied { search } for pid=11548 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.792:0): avc: denied { search } for pid=11553 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.793:0): avc: denied { search } for pid=11553 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.828:0): avc: denied { search } for pid=11557 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.828:0): avc: denied { search } for pid=11557 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.850:0): avc: denied { search } for pid=11561 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.850:0): avc: denied { search } for pid=11561 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.853:0): avc: denied { search } for pid=11565 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.868:0): avc: denied { search } for pid=11570 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.868:0): avc: denied { search } for pid=11570 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.888:0): avc: denied { search } for pid=11575 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.888:0): avc: denied { search } for pid=11575 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.910:0): avc: denied { search } for pid=11580 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.910:0): avc: denied { search } for pid=11580 exe=/bin/gawk name=sys dev= ino=4120 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1081938579.924:0): avc: denied { search } for pid=11582 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938579.930:0): avc: denied { search } for pid=11583 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938580.116:0): avc: denied { search } for pid=11584 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938580.142:0): avc: denied { search } for pid=11585 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938580.144:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938580.458:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938581.734:0): avc: denied { search } for pid=11593 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.096:0): avc: denied { search } for pid=11593 exe=/sbin/mke2fs name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir sage repeated 3 times audit(1081938582.184:0): avc: denied { search } for pid=11593 exe=/sbin/mke2fs name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.184:0): avc: denied { search } for pid=11593 exe=/sbin/mke2fs name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.185:0): avc: denied { search } for pid=11593 exe=/sbin/mke2fs name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir sage repeated 4 times audit(1081938582.189:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.364:0): avc: denied { search } for pid=11594 exe=/sbin/tune2fs name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir sage repeated 10 times audit(1081938582.366:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.487:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir SELinux: initialized (dev loop0, type ext2), uses xattr audit(1081938582.685:0): avc: denied { search } for pid=11598 exe=/bin/mkdir name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.687:0): avc: denied { search } for pid=11599 exe=/bin/mkdir name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.690:0): avc: denied { search } for pid=11600 exe=/bin/mkdir name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.693:0): avc: denied { search } for pid=11601 exe=/bin/mkdir name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.695:0): avc: denied { search } for pid=11602 exe=/bin/mkdir name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.698:0): avc: denied { search } for pid=11603 exe=/bin/mkdir name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.700:0): avc: denied { search } for pid=11604 exe=/bin/mkdir name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.703:0): avc: denied { search } for pid=11605 exe=/bin/mkdir name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.703:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.847:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.864:0): avc: denied { search } for pid=11607 exe=/bin/rm name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938582.969:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938584.003:0): avc: denied { search } for pid=11611 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.075:0): avc: denied { search } for pid=11613 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.372:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.591:0): avc: denied { search } for pid=11625 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.591:0): avc: denied { search } for pid=11626 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.687:0): avc: denied { search } for pid=11629 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.691:0): avc: denied { search } for pid=11630 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.699:0): avc: denied { search } for pid=11634 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.701:0): avc: denied { search } for pid=11635 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.706:0): avc: denied { search } for pid=11638 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.711:0): avc: denied { search } for pid=11639 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.716:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938585.788:0): avc: denied { search } for pid=11641 exe=/bin/chmod name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938586.514:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938586.766:0): avc: denied { search } for pid=11483 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938587.469:0): avc: denied { search } for pid=11649 exe=/bin/rm name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir audit(1081938587.987:0): avc: denied { unlink } for pid=11664 exe=/sbin/grubby name=grub.conf dev=hda1 ino=4031 scontext=root:sysadm_r:bootloader_t tcontext=aleksey:object_r:etc_t tclass=file audit(1081938587.988:0): avc: denied { unlink } for pid=11664 exe=/sbin/grubby name=grub.conf dev=hda1 ino=4031 scontext=root:sysadm_r:bootloader_t tcontext=aleksey:object_r:etc_t tclass=file -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907

3 5

X and SELinux on PowerPC
by W. Michael Petullo 14 Apr '04

14 Apr '04

Has anyone had any luck with Fedora/SELinux on the PowerPC platform? On my PowerPC-based system, x.org's server wishes to access /proc/sys/dev (probably for mac_hid/mouse emulation) and /proc/bus/pci. When I set SELinux to enforce, these operations are blocked and X does not start. Here are the relavent logs: avc: denied { search } for pid=1504 exe=/usr/X11R6/bin/XFree86 name=dev +dev= ino=5303 scontext=system_u:system_r:xdm_xserver_t +tcontext=system_u:object_r:sysctl_dev_t tclass=dir avc: denied { getattr } for pid=1504 exe=/usr/X11R6/bin/XFree86 +path=/proc/bus/pci dev= ino=5458 scontext=system_u:system_r:xdm_xserver_t +tcontext=system_u:object_r:proc_t tclass=dir Perhaps x86's X server not touch these directories? I assume this policy works on x86 because I haven't seen any mention of this on fedora-dev or -test. Adding the following to xserver_macros.te gets X to load on PowerPC: # Access /proc/bus/pci allow $1_xserver_t proc_t:dir { getattr read }; However, I don't know if this is the correct way to do this. I'm not even sure exactly why X is trying to read from /proc/bus/pci. -- Mike :wq

2 2

Enforcing mode requested but no policy loaded. Halting now.
by dfiguero 14 Apr '04

14 Apr '04

Hi, I recently installed FC2 and I updated the kernel, using up2date, on my machine but whenever I try to log to the new kernel I get the error on the subject: Enforcing mode requested but no policy loaded. Halting now. Kernel panic: attempted to kill init! I read the FAQ but I couldn't find an answer. I tried relabeling the filesystem but that didn't work. Any suggestions? Diego.

2 1

A typo/thinko in current policy wrt synaptic + an ldconfig issue
by Panu Matilainen 14 Apr '04

14 Apr '04

Hi, There's a small typo/thinko in current policy (1.11.1-2) wrt synaptic: it says "apt-synaptic" when it should be just "synaptic". Other than that apt seems to mostly work ok with enforcing mode on but it gets denied when running ldconfig (as the interpreter, if that's of relevance) in package %post: denied { read } for pid=1332 exe=/sbin/ldconfig name=liblcms.so.1.0.12 dev=hda2 ino=1170323 scontext=root:sysamd_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file (and then the same with { getattr }) Well, in fact I get the same error if I try to run /sbin/ldconfig as root:sysadm_r:sysadm_t which feels kinda curious :) but what baffles me is that when installing that package with rpm itself it doesn't complain. I would've thought having apt-get marked as system_u:object_r:rpm_exec_t meant that it's got exactly the same priviledges as rpm does but apparently not so... - Panu -

2 1

Kernel audit messages
by Mike Chambers 14 Apr '04

14 Apr '04

I have found these this morning in my logs after the latest kernel from rawhide on a FC2T2 system... [root@homer cron.monthly]# rpm -q policy kernel policy-1.10.2-5 kernel-2.6.5-1.315 Apr 12 18:51:53 homer kernel: audit(1081813913.544:0): avc: denied { search } for pid=973 exe=/usr/bin/procmail name=mail dev=hda2 ino=246478 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:etc_mail_t tclass=dir Apr 12 18:51:53 homer kernel: audit(1081813913.558:0): avc: denied { getattr } for pid=973 exe=/usr/bin/procmail path=/etc/mail/spamassassin/spamassassin-default.rc dev=hda2 ino=246760 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:etc_mail_t tclass=file Apr 12 18:51:53 homer kernel: audit(1081813913.559:0): avc: denied { read } for pid=973 exe=/usr/bin/procmail name=spamassassin-default.rc dev=hda2 ino=246760 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:etc_mail_t tclass=file Apr 12 18:51:53 homer kernel: audit(1081813913.662:0): avc: denied { read } for pid=975 exe=/usr/bin/perl name=urandom dev=hda2 ino=798062 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file Apr 12 18:51:53 homer kernel: audit(1081813913.664:0): avc: denied { read } for pid=975 exe=/usr/bin/perl name=self dev= ino=2 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:proc_t tclass=lnk_file Apr 12 18:51:53 homer kernel: audit(1081813913.665:0): avc: denied { search } for pid=975 exe=/usr/bin/perl name=975 dev= ino=63897602 scontext=system_u:system_r:procmail_t tcontext=system_u:system_r:procmail_t tclass=dir Apr 12 18:51:53 homer kernel: audit(1081813913.665:0): avc: denied { read } for pid=975 exe=/usr/bin/perl name=exe dev= ino=63897608 scontext=system_u:system_r:procmail_t tcontext=system_u:system_r:procmail_t tclass=lnk_file Apr 12 18:51:53 homer kernel: audit(1081813913.666:0): avc: denied { getattr } for pid=975 exe=/usr/bin/perl path=/bin dev=hda2 ino=851969 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:bin_t tclass=dir Apr 12 18:51:56 homer kernel: audit(1081813916.231:0): avc: denied { search } for pid=975 exe=/usr/bin/perl name=mqueue dev=hda2 ino=1065066 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Apr 12 18:51:58 homer kernel: audit(1081813918.828:0): avc: denied { read } for pid=975 exe=/usr/bin/perl name=shadow dev=hda2 ino=246191 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:shadow_t tclass=file Apr 12 18:51:58 homer kernel: audit(1081813918.829:0): avc: denied { getattr } for pid=975 exe=/usr/bin/perl path=/etc/shadow dev=hda2 ino=246191 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:shadow_t tclass=file Apr 12 18:51:59 homer kernel: audit(1081813919.130:0): avc: denied { getattr } for pid=975 exe=/usr/bin/perl path=/usr/share/spamassassin/20_anti_ratware.cf dev=hda2 ino=2327150 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 18:51:59 homer kernel: audit(1081813919.268:0): avc: denied { read } for pid=975 exe=/usr/bin/perl name=10_misc.cf dev=hda2 ino=2326781 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 18:51:59 homer kernel: audit(1081813919.268:0): avc: denied { ioctl } for pid=975 exe=/usr/bin/perl path=/usr/share/spamassassin/10_misc.cf dev=hda2 ino=2326781 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 18:52:01 homer kernel: audit(1081813921.154:0): avc: denied { getattr } for pid=975 exe=/usr/bin/perl path=/etc/mail/spamassassin dev=hda2 ino=246658 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:etc_mail_t tclass=dir Apr 12 18:52:01 homer kernel: audit(1081813921.155:0): avc: denied { read } for pid=975 exe=/usr/bin/perl name=spamassassin dev=hda2 ino=246658 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:etc_mail_t tclass=dir Apr 12 18:52:01 homer kernel: audit(1081813921.156:0): avc: denied { ioctl } for pid=975 exe=/usr/bin/perl path=/etc/mail/spamassassin/local.cf dev=hda2 ino=246831 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:etc_mail_t tclass=file Apr 12 18:52:03 homer kernel: audit(1081813923.705:0): avc: denied { net_admin } for pid=986 exe=/usr/sbin/httpd capability=12 scontext=system_u:system_r:httpd_t tcontext=system_u:system_r:httpd_t tclass=capability Apr 12 18:52:05 homer kernel: audit(1081813925.336:0): avc: denied { getattr } for pid=975 exe=/usr/bin/perl path=/var/tmp dev=hda2 ino=1064964 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:tmp_t tclass=dir Apr 12 18:52:09 homer kernel: audit(1081813929.624:0): avc: denied { setrlimit } for pid=1007 exe=/usr/sbin/smbd scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:smbd_t tclass=process Apr 12 18:54:57 homer kernel: audit(1081814097.936:0): avc: denied { search } for pid=1073 exe=/usr/bin/procmail name=mail dev=hda2 ino=246478 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:etc_mail_t tclass=dir Apr 12 18:54:57 homer kernel: audit(1081814097.937:0): avc: denied { getattr } for pid=1073 exe=/usr/bin/procmail path=/etc/mail/spamassassin/spamassassin-default.rc dev=hda2 ino=246760 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:etc_mail_t tclass=file Apr 12 18:54:57 homer kernel: audit(1081814097.948:0): avc: denied { read } for pid=1075 exe=/usr/bin/perl name=urandom dev=hda2 ino=798062 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file Apr 12 18:54:57 homer kernel: audit(1081814097.951:0): avc: denied { read } for pid=1075 exe=/usr/bin/perl name=self dev= ino=2 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:proc_t tclass=lnk_file Apr 12 18:54:57 homer kernel: audit(1081814097.952:0): avc: denied { search } for pid=1075 exe=/usr/bin/perl name=1075 dev= ino=70451202 scontext=system_u:system_r:procmail_t tcontext=system_u:system_r:procmail_t tclass=dir Apr 12 18:54:57 homer kernel: audit(1081814097.952:0): avc: denied { read } for pid=1075 exe=/usr/bin/perl name=exe dev= ino=70451208 scontext=system_u:system_r:procmail_t tcontext=system_u:system_r:procmail_t tclass=lnk_file Apr 12 18:54:57 homer kernel: audit(1081814097.953:0): avc: denied { getattr } for pid=1075 exe=/usr/bin/perl path=/bin dev=hda2 ino=851969 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:bin_t tclass=dir Apr 12 18:54:59 homer kernel: audit(1081814099.890:0): avc: denied { read } for pid=1075 exe=/usr/bin/perl name=shadow dev=hda2 ino=246191 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:shadow_t tclass=file Apr 12 18:54:59 homer kernel: audit(1081814099.891:0): avc: denied { getattr } for pid=1075 exe=/usr/bin/perl path=/etc/shadow dev=hda2 ino=246191 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:shadow_t tclass=file Apr 12 18:54:59 homer kernel: audit(1081814099.893:0): avc: denied { getattr } for pid=1075 exe=/usr/bin/perl path=/usr/share/spamassassin/20_anti_ratware.cf dev=hda2 ino=2327150 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 18:54:59 homer kernel: audit(1081814099.896:0): avc: denied { read } for pid=1075 exe=/usr/bin/perl name=10_misc.cf dev=hda2 ino=2326781 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 18:54:59 homer kernel: audit(1081814099.897:0): avc: denied { ioctl } for pid=1075 exe=/usr/bin/perl path=/usr/share/spamassassin/10_misc.cf dev=hda2 ino=2326781 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 18:55:00 homer kernel: audit(1081814100.023:0): avc: denied { getattr } for pid=1075 exe=/usr/bin/perl path=/etc/mail/spamassassin dev=hda2 ino=246658 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:etc_mail_t tclass=dir Apr 12 18:55:00 homer kernel: audit(1081814100.025:0): avc: denied { read } for pid=1075 exe=/usr/bin/perl name=spamassassin dev=hda2 ino=246658 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:etc_mail_t tclass=dir Apr 12 18:55:00 homer kernel: audit(1081814100.026:0): avc: denied { ioctl } for pid=1075 exe=/usr/bin/perl path=/etc/mail/spamassassin/local.cf dev=hda2 ino=246831 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:etc_mail_t tclass=file Apr 12 19:12:59 homer kernel: audit(1081815179.382:0): avc: denied { read } for pid=1089 exe=/usr/sbin/smbd name=mtab dev=hda2 ino=247415 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:etc_runtime_t tclass=file Apr 12 19:12:59 homer kernel: audit(1081815179.383:0): avc: denied { getattr } for pid=1089 exe=/usr/sbin/smbd path=/etc/mtab dev=hda2 ino=247415 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:etc_runtime_t tclass=file Apr 12 20:01:11 homer kernel: audit(1081818071.753:0): avc: denied { setattr } for pid=1182 exe=/usr/bin/rsync name=rawhide dev=hdd1 ino=473284 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:user_home_t tclass=dir Apr 12 20:01:11 homer kernel: audit(1081818071.754:0): avc: denied { setattr } for pid=1182 exe=/usr/bin/rsync name=Archive-Update-in-Progress-carroll.aset.psu.edu dev=hdd1 ino=473288 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:user_home_t tclass=file Apr 12 20:01:12 homer kernel: audit(1081818072.235:0): avc: denied { setattr } for pid=1182 exe=/usr/bin/rsync name=Canna-libs-3.7p1-6.i386.rpm dev=hdd1 ino=522486 scontext=system_u:system_r:system_crond_t tcontext=root:object_r:user_home_t tclass=file Apr 12 20:01:16 homer kernel: audit(1081818076.850:0): avc: denied { read } for pid=1192 exe=/usr/bin/perl name=shadow dev=hda2 ino=246191 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:shadow_t tclass=file Apr 12 20:01:16 homer kernel: audit(1081818076.851:0): avc: denied { getattr } for pid=1192 exe=/usr/bin/perl path=/etc/shadow dev=hda2 ino=246191 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:shadow_t tclass=file Apr 12 20:01:16 homer kernel: audit(1081818076.854:0): avc: denied { getattr } for pid=1192 exe=/usr/bin/perl path=/usr/share/spamassassin/20_anti_ratware.cf dev=hda2 ino=2327150 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 20:01:16 homer kernel: audit(1081818076.857:0): avc: denied { read } for pid=1192 exe=/usr/bin/perl name=10_misc.cf dev=hda2 ino=2326781 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 20:01:16 homer kernel: audit(1081818076.857:0): avc: denied { ioctl } for pid=1192 exe=/usr/bin/perl path=/usr/share/spamassassin/10_misc.cf dev=hda2 ino=2326781 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 20:16:59 homer kernel: audit(1081819019.856:0): avc: denied { read } for pid=1253 exe=/usr/sbin/smbd name=mtab dev=hda2 ino=247415 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:etc_runtime_t tclass=file Apr 12 20:16:59 homer kernel: audit(1081819019.857:0): avc: denied { getattr } for pid=1253 exe=/usr/sbin/smbd path=/etc/mtab dev=hda2 ino=247415 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:etc_runtime_t tclass=file Apr 12 21:26:27 homer kernel: audit(1081823187.677:0): avc: denied { getattr } for pid=1360 exe=/usr/sbin/ipop3d path=/etc/krb5.conf dev=hda2 ino=247355 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:krb5_conf_t tclass=file Apr 12 21:26:27 homer kernel: audit(1081823187.679:0): avc: denied { read } for pid=1360 exe=/usr/sbin/ipop3d name=krb5.conf dev=hda2 ino=247355 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:krb5_conf_t tclass=file Apr 12 21:26:27 homer kernel: audit(1081823187.679:0): avc: denied { write } for pid=1360 exe=/usr/sbin/ipop3d name=krb5.conf dev=hda2 ino=247355 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:krb5_conf_t tclass=file Apr 12 21:26:27 homer kernel: audit(1081823187.716:0): avc: denied { read } for pid=1360 exe=/usr/sbin/ipop3d name=urandom dev=hda2 ino=798062 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file Apr 12 21:26:27 homer kernel: audit(1081823187.719:0): avc: denied { getattr } for pid=1360 exe=/usr/sbin/ipop3d path=/dev/urandom dev=hda2 ino=798062 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file Apr 12 21:26:28 homer kernel: audit(1081823188.064:0): avc: denied { read } for pid=1360 exe=/usr/sbin/ipop3d name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file Apr 12 21:26:28 homer kernel: audit(1081823188.065:0): avc: denied { search } for pid=1360 exe=/usr/sbin/ipop3d name=1360 dev= ino=89128962 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=dir Apr 12 21:26:28 homer kernel: audit(1081823188.065:0): avc: denied { read } for pid=1360 exe=/usr/sbin/ipop3d name=mounts dev= ino=89128976 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file Apr 12 21:26:28 homer kernel: audit(1081823188.066:0): avc: denied { getattr } for pid=1360 exe=/usr/sbin/ipop3d path=/proc/1360/mounts dev= ino=89128976 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file Apr 12 21:26:28 homer kernel: audit(1081823188.116:0): avc: denied { read } for pid=1360 exe=/usr/sbin/ipop3d name=shadow dev=hda2 ino=246191 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:shadow_t tclass=file Apr 12 21:26:28 homer kernel: audit(1081823188.117:0): avc: denied { getattr } for pid=1360 exe=/usr/sbin/ipop3d path=/etc/shadow dev=hda2 ino=246191 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:shadow_t tclass=file Apr 12 21:26:28 homer kernel: audit(1081823188.160:0): avc: denied { search } for pid=1360 exe=/usr/sbin/ipop3d name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir Apr 12 21:26:28 homer kernel: audit(1081823188.162:0): avc: denied { search } for pid=1360 exe=/usr/sbin/ipop3d dev=hdd1 ino=2 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:home_root_t tclass=dir Apr 12 21:26:28 homer kernel: audit(1081823188.162:0): avc: denied { search } for pid=1360 exe=/usr/sbin/ipop3d name=mike dev=hdd1 ino=1648321 scontext=system_u:system_r:inetd_child_t tcontext=mike:object_r:user_home_dir_t tclass=dir Apr 12 21:26:28 homer kernel: audit(1081823188.209:0): avc: denied { search } for pid=1360 exe=/usr/sbin/ipop3d name=spool dev=hda2 ino=1064995 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:var_spool_t tclass=dir Apr 12 21:26:28 homer kernel: audit(1081823188.209:0): avc: denied { search } for pid=1360 exe=/usr/sbin/ipop3d name=mail dev=hda2 ino=1064997 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=dir Apr 12 21:26:28 homer kernel: audit(1081823188.209:0): avc: denied { getattr } for pid=1360 exe=/usr/sbin/ipop3d path=/var/spool/mail/mike dev=hda2 ino=1065833 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 12 21:26:28 homer kernel: audit(1081823188.210:0): avc: denied { read } for pid=1360 exe=/usr/sbin/ipop3d name=mike dev=hda2 ino=1065833 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 12 21:26:28 homer kernel: audit(1081823188.263:0): avc: denied { setattr } for pid=1360 exe=/usr/sbin/ipop3d name=mike dev=hda2 ino=1065833 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 12 21:26:28 homer kernel: audit(1081823188.269:0): avc: denied { write } for pid=1360 exe=/usr/sbin/ipop3d name=mike dev=hda2 ino=1065833 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 12 21:26:28 homer kernel: audit(1081823188.270:0): avc: denied { write } for pid=1360 exe=/usr/sbin/ipop3d name=mail dev=hda2 ino=1064997 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=dir Apr 12 21:26:28 homer kernel: audit(1081823188.270:0): avc: denied { add_name } for pid=1360 exe=/usr/sbin/ipop3d name=mike.lock.1081823188.1360.homer.netlyncs.com scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=dir Apr 12 21:26:28 homer kernel: audit(1081823188.270:0): avc: denied { create } for pid=1360 exe=/usr/sbin/ipop3d name=mike.lock.1081823188.1360.homer.netlyncs.com scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 12 21:26:28 homer kernel: audit(1081823188.272:0): avc: denied { link } for pid=1360 exe=/usr/sbin/ipop3d name=mike.lock.1081823188.1360.homer.netlyncs.com dev=hda2 ino=1065132 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 12 21:26:28 homer kernel: audit(1081823188.272:0): avc: denied { remove_name } for pid=1360 exe=/usr/sbin/ipop3d name=mike.lock.1081823188.1360.homer.netlyncs.com dev=hda2 ino=1065132 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=dir Apr 12 21:26:28 homer kernel: audit(1081823188.272:0): avc: denied { unlink } for pid=1360 exe=/usr/sbin/ipop3d name=mike.lock.1081823188.1360.homer.netlyncs.com dev=hda2 ino=1065132 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 12 21:26:28 homer kernel: audit(1081823188.273:0): avc: denied { lock } for pid=1360 exe=/usr/sbin/ipop3d path=/var/spool/mail/mike dev=hda2 ino=1065833 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 12 21:31:24 homer kernel: audit(1081823484.510:0): avc: denied { read } for pid=1361 exe=/usr/sbin/ipop3d name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file Apr 12 21:40:42 homer kernel: audit(1081824042.049:0): avc: denied { read } for pid=1373 exe=/usr/bin/perl name=self dev= ino=2 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:proc_t tclass=lnk_file Apr 12 21:43:58 homer kernel: audit(1081824238.654:0): avc: denied { read } for pid=829 comm=nfsd laddr=192.168.1.4 lport=2049 faddr=192.168.1.3 fport=800 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file Apr 12 21:43:58 homer kernel: audit(1081824238.717:0): avc: denied { rawip_recv } for saddr=192.168.1.3 src=800 daddr=192.168.1.4 dest=2049 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:netif_eth0_t tclass=netif Apr 12 21:43:58 homer kernel: audit(1081824238.717:0): avc: denied { rawip_recv } for saddr=192.168.1.3 src=800 daddr=192.168.1.4 dest=2049 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:node_t tclass=node Apr 12 21:43:58 homer kernel: audit(1081824238.717:0): avc: denied { rawip_send } for saddr=192.168.1.4 src=2049 daddr=192.168.1.3 dest=800 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:netif_eth0_t tclass=netif Apr 12 21:43:58 homer kernel: audit(1081824238.717:0): avc: denied { rawip_send } for saddr=192.168.1.4 src=2049 daddr=192.168.1.3 dest=800 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:node_t tclass=node Apr 12 21:43:58 homer kernel: audit(1081824238.717:0): avc: denied { write } for pid=828 comm=nfsd laddr=192.168.1.4 lport=2049 faddr=192.168.1.3 fport=800 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file Apr 12 21:50:17 homer kernel: audit(1081824617.611:0): avc: denied { read } for pid=1452 exe=/usr/bin/perl name=exe dev= ino=95158280 scontext=system_u:system_r:procmail_t tcontext=system_u:system_r:procmail_t tclass=lnk_file Apr 12 21:50:17 homer kernel: audit(1081824617.613:0): avc: denied { getattr } for pid=1452 exe=/usr/bin/perl path=/bin dev=hda2 ino=851969 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:bin_t tclass=dir Apr 12 21:50:21 homer kernel: audit(1081824621.537:0): avc: denied { getattr } for pid=1452 exe=/usr/bin/perl path=/usr/share/spamassassin/20_anti_ratware.cf dev=hda2 ino=2327150 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 21:50:21 homer kernel: audit(1081824621.540:0): avc: denied { read } for pid=1452 exe=/usr/bin/perl name=10_misc.cf dev=hda2 ino=2326781 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 21:50:21 homer kernel: audit(1081824621.540:0): avc: denied { ioctl } for pid=1452 exe=/usr/bin/perl path=/usr/share/spamassassin/10_misc.cf dev=hda2 ino=2326781 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 12 21:50:22 homer sshd[1413]: Warning! Could not relabel with system_u:object_r:sshd_devpts_t, not relabeling. Apr 12 21:51:24 homer kernel: audit(1081824684.506:0): avc: denied { search } for pid=1458 exe=/usr/sbin/ipop3d name=1458 dev= ino=95551490 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=dir Apr 12 21:51:24 homer kernel: audit(1081824684.506:0): avc: denied { read } for pid=1458 exe=/usr/sbin/ipop3d name=mounts dev= ino=95551504 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file Apr 12 21:51:24 homer kernel: audit(1081824684.507:0): avc: denied { getattr } for pid=1458 exe=/usr/sbin/ipop3d path=/proc/1458/mounts dev= ino=95551504 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file Apr 12 21:53:00 homer kernel: audit(1081824780.234:0): avc: denied { read } for pid=1461 exe=/usr/sbin/smbd name=mtab dev=hda2 ino=247415 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:etc_runtime_t tclass=file Apr 12 21:53:00 homer kernel: audit(1081824780.235:0): avc: denied { getattr } for pid=1461 exe=/usr/sbin/smbd path=/etc/mtab dev=hda2 ino=247415 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:etc_runtime_t tclass=file Apr 12 21:55:48 homer kernel: audit(1081824948.537:0): avc: denied { read } for pid=826 comm=nfsd laddr=192.168.1.4 lport=2049 faddr=192.168.1.3 fport=800 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file Apr 12 21:55:48 homer kernel: audit(1081824948.537:0): avc: denied { write } for pid=826 comm=nfsd laddr=192.168.1.4 lport=2049 faddr=192.168.1.3 fport=800 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file Apr 12 21:55:48 homer kernel: audit(1081824948.537:0): avc: denied { rawip_send } for pid=826 comm=nfsd saddr=192.168.1.4 src=2049 daddr=192.168.1.3 dest=800 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:netif_eth0_t tclass=netif Apr 12 21:55:48 homer kernel: audit(1081824948.538:0): avc: denied { rawip_send } for pid=826 comm=nfsd saddr=192.168.1.4 src=2049 daddr=192.168.1.3 dest=800 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:node_t tclass=node Apr 12 21:55:48 homer kernel: audit(1081824948.538:0): avc: denied { rawip_recv } for pid=725 exe=/sbin/klogd saddr=192.168.1.3 src=800 daddr=192.168.1.4 dest=2049 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:netif_eth0_t tclass=netif Apr 12 21:55:48 homer kernel: audit(1081824948.538:0): avc: denied { rawip_recv } for pid=725 exe=/sbin/klogd saddr=192.168.1.3 src=800 daddr=192.168.1.4 dest=2049 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:node_t tclass=node Apr 12 22:38:14 homer kernel: audit(1081827494.725:0): avc: denied { search } for pid=1069 exe=/usr/sbin/httpd name=mysql dev=hda2 ino=1081669 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mysqld_db_t tclass=dir Apr 12 22:38:14 homer kernel: audit(1081827494.725:0): avc: denied { write } for pid=1069 exe=/usr/sbin/httpd name=mysql.sock dev=hda2 ino=1802291 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mysqld_db_t tclass=sock_file Apr 12 22:38:14 homer kernel: audit(1081827494.726:0): avc: denied { connectto } for pid=1069 exe=/usr/sbin/httpd path=/var/lib/mysql/mysql.sock scontext=system_u:system_r:httpd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket Apr 12 22:40:26 homer kernel: audit(1081827626.397:0): avc: denied { getattr } for pid=838 exe=/usr/sbin/rpc.mountd path=/proc/fs/nfsd/filehandle dev= ino=10 scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:nfsd_fs_t tclass=file Apr 12 23:55:20 homer kernel: audit(1081832120.161:0): avc: denied { search } for pid=1068 exe=/usr/sbin/httpd name=mysql dev=hda2 ino=1081669 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mysqld_db_t tclass=dir Apr 13 00:00:00 homer kernel: audit(1081832400.471:0): avc: denied { read } for pid=1670 exe=/usr/bin/perl name=exe dev= ino=109445128 scontext=system_u:system_r:procmail_t tcontext=system_u:system_r:procmail_t tclass=lnk_file Apr 13 00:00:00 homer kernel: audit(1081832400.472:0): avc: denied { getattr } for pid=1670 exe=/usr/bin/perl path=/bin dev=hda2 ino=851969 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:bin_t tclass=dir Apr 13 00:00:04 homer kernel: audit(1081832404.255:0): avc: denied { getattr } for pid=1670 exe=/usr/bin/perl path=/usr/share/spamassassin/20_anti_ratware.cf dev=hda2 ino=2327150 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 13 00:00:04 homer kernel: audit(1081832404.258:0): avc: denied { read } for pid=1670 exe=/usr/bin/perl name=10_misc.cf dev=hda2 ino=2326781 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 13 00:00:04 homer kernel: audit(1081832404.259:0): avc: denied { ioctl } for pid=1670 exe=/usr/bin/perl path=/usr/share/spamassassin/10_misc.cf dev=hda2 ino=2326781 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:usr_t tclass=file Apr 13 00:01:00 homer kernel: audit(1081832460.817:0): avc: denied { read } for pid=1678 exe=/usr/sbin/smbd name=mtab dev=hda2 ino=247415 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:etc_runtime_t tclass=file Apr 13 00:01:00 homer kernel: audit(1081832460.818:0): avc: denied { getattr } for pid=1678 exe=/usr/sbin/smbd path=/etc/mtab dev=hda2 ino=247415 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:etc_runtime_t tclass=file Apr 13 00:01:05 homer kernel: audit(1081832465.152:0): avc: denied { setattr } for pid=1676 exe=/usr/bin/rsync name=rawhide dev=hdd1 ino=473284 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:user_home_t tclass=dir Apr 13 00:01:05 homer kernel: audit(1081832465.153:0): avc: denied { setattr } for pid=1676 exe=/usr/bin/rsync name=Archive-Update-in-Progress-carroll.aset.psu.edu dev=hdd1 ino=473288 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:user_home_t tclass=file Apr 13 00:01:05 homer kernel: audit(1081832465.634:0): avc: denied { setattr } for pid=1676 exe=/usr/bin/rsync name=Canna-libs-3.7p1-6.i386.rpm dev=hdd1 ino=522486 scontext=system_u:system_r:system_crond_t tcontext=root:object_r:user_home_t tclass=file Apr 13 02:33:18 homer kernel: audit(1081841598.434:0): avc: denied { getattr } for pid=1894 exe=/usr/sbin/ipop3d path=/etc/krb5.conf dev=hda2 ino=247355 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:krb5_conf_t tclass=file Apr 13 02:33:18 homer kernel: audit(1081841598.435:0): avc: denied { read } for pid=1894 exe=/usr/sbin/ipop3d name=krb5.conf dev=hda2 ino=247355 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:krb5_conf_t tclass=file Apr 13 02:33:18 homer kernel: audit(1081841598.436:0): avc: denied { write } for pid=1894 exe=/usr/sbin/ipop3d name=krb5.conf dev=hda2 ino=247355 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:krb5_conf_t tclass=file Apr 13 02:33:18 homer kernel: audit(1081841598.438:0): avc: denied { read } for pid=1894 exe=/usr/sbin/ipop3d name=urandom dev=hda2 ino=798062 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file Apr 13 02:33:18 homer kernel: audit(1081841598.439:0): avc: denied { getattr } for pid=1894 exe=/usr/sbin/ipop3d path=/dev/urandom dev=hda2 ino=798062 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file Apr 13 02:33:19 homer kernel: audit(1081841599.251:0): avc: denied { read } for pid=1894 exe=/usr/sbin/ipop3d name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file Apr 13 02:33:19 homer kernel: audit(1081841599.251:0): avc: denied { search } for pid=1894 exe=/usr/sbin/ipop3d name=1894 dev= ino=124125186 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=dir Apr 13 02:33:19 homer kernel: audit(1081841599.251:0): avc: denied { read } for pid=1894 exe=/usr/sbin/ipop3d name=mounts dev= ino=124125200 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file Apr 13 02:33:19 homer kernel: audit(1081841599.251:0): avc: denied { getattr } for pid=1894 exe=/usr/sbin/ipop3d path=/proc/1894/mounts dev= ino=124125200 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file Apr 13 02:33:19 homer kernel: audit(1081841599.255:0): avc: denied { read } for pid=1894 exe=/usr/sbin/ipop3d name=shadow dev=hda2 ino=246191 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:shadow_t tclass=file Apr 13 02:33:19 homer kernel: audit(1081841599.256:0): avc: denied { getattr } for pid=1894 exe=/usr/sbin/ipop3d path=/etc/shadow dev=hda2 ino=246191 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:shadow_t tclass=file Apr 13 02:33:19 homer kernel: audit(1081841599.261:0): avc: denied { search } for pid=1894 exe=/usr/sbin/ipop3d name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir Apr 13 02:33:19 homer kernel: audit(1081841599.267:0): avc: denied { search } for pid=1894 exe=/usr/sbin/ipop3d dev=hdd1 ino=2 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:home_root_t tclass=dir Apr 13 02:33:19 homer kernel: audit(1081841599.267:0): avc: denied { search } for pid=1894 exe=/usr/sbin/ipop3d name=brad dev=hdd1 ino=734401 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir Apr 13 02:33:19 homer kernel: audit(1081841599.287:0): avc: denied { search } for pid=1894 exe=/usr/sbin/ipop3d name=spool dev=hda2 ino=1064995 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:var_spool_t tclass=dir Apr 13 02:33:19 homer kernel: audit(1081841599.288:0): avc: denied { search } for pid=1894 exe=/usr/sbin/ipop3d name=mail dev=hda2 ino=1064997 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=dir Apr 13 02:33:19 homer kernel: audit(1081841599.288:0): avc: denied { getattr } for pid=1894 exe=/usr/sbin/ipop3d path=/var/spool/mail/brad dev=hda2 ino=1065835 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 13 02:33:19 homer kernel: audit(1081841599.289:0): avc: denied { read } for pid=1894 exe=/usr/sbin/ipop3d name=brad dev=hda2 ino=1065835 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 13 02:33:19 homer kernel: audit(1081841599.339:0): avc: denied { setattr } for pid=1894 exe=/usr/sbin/ipop3d name=brad dev=hda2 ino=1065835 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 13 02:33:19 homer kernel: audit(1081841599.401:0): avc: denied { write } for pid=1894 exe=/usr/sbin/ipop3d name=brad dev=hda2 ino=1065835 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 13 02:33:19 homer kernel: audit(1081841599.401:0): avc: denied { write } for pid=1894 exe=/usr/sbin/ipop3d name=mail dev=hda2 ino=1064997 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=dir Apr 13 02:33:19 homer kernel: audit(1081841599.402:0): avc: denied { add_name } for pid=1894 exe=/usr/sbin/ipop3d name=brad.lock.1081841599.1894.homer.netlyncs.com scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=dir Apr 13 02:33:19 homer kernel: audit(1081841599.402:0): avc: denied { create } for pid=1894 exe=/usr/sbin/ipop3d name=brad.lock.1081841599.1894.homer.netlyncs.com scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 13 02:33:19 homer kernel: audit(1081841599.403:0): avc: denied { link } for pid=1894 exe=/usr/sbin/ipop3d name=brad.lock.1081841599.1894.homer.netlyncs.com dev=hda2 ino=1065132 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 13 02:33:19 homer kernel: audit(1081841599.404:0): avc: denied { remove_name } for pid=1894 exe=/usr/sbin/ipop3d name=brad.lock.1081841599.1894.homer.netlyncs.com dev=hda2 ino=1065132 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=dir Apr 13 02:33:19 homer kernel: audit(1081841599.404:0): avc: denied { unlink } for pid=1894 exe=/usr/sbin/ipop3d name=brad.lock.1081841599.1894.homer.netlyncs.com dev=hda2 ino=1065132 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 13 02:33:19 homer kernel: audit(1081841599.404:0): avc: denied { lock } for pid=1894 exe=/usr/sbin/ipop3d path=/var/spool/mail/brad dev=hda2 ino=1065835 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:mail_spool_t tclass=file Apr 13 02:42:31 homer kernel: audit(1081842151.034:0): avc: denied { read } for pid=827 comm=nfsd laddr=192.168.1.4 lport=2049 faddr=192.168.1.3 fport=800 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file Apr 13 02:42:31 homer kernel: audit(1081842151.098:0): avc: denied { rawip_recv } for pid=1446 exe=/home/mike/Seti/setiathome saddr=192.168.1.3 src=800 daddr=192.168.1.4 dest=2049 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:netif_eth0_t tclass=netif Apr 13 02:42:31 homer kernel: audit(1081842151.099:0): avc: denied { rawip_recv } for pid=1446 exe=/home/mike/Seti/setiathome saddr=192.168.1.3 src=800 daddr=192.168.1.4 dest=2049 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:node_t tclass=node Apr 13 02:42:31 homer kernel: audit(1081842151.099:0): avc: denied { rawip_send } for pid=1446 exe=/home/mike/Seti/setiathome saddr=192.168.1.4 src=2049 daddr=192.168.1.3 dest=800 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:netif_eth0_t tclass=netif Apr 13 02:42:31 homer kernel: audit(1081842151.099:0): avc: denied { rawip_send } for pid=1446 exe=/home/mike/Seti/setiathome saddr=192.168.1.4 src=2049 daddr=192.168.1.3 dest=800 netif=eth0 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:node_t tclass=node Apr 13 02:42:31 homer kernel: audit(1081842151.108:0): avc: denied { write } for pid=828 comm=nfsd laddr=192.168.1.4 lport=2049 faddr=192.168.1.3 fport=800 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file Apr 13 03:02:02 homer kernel: audit(1081843322.045:0): avc: denied { write } for pid=1944 exe=/usr/bin/python name=run dev=hda2 ino=1064994 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:var_run_t tclass=dir Apr 13 03:02:02 homer kernel: audit(1081843322.045:0): avc: denied { add_name } for pid=1944 exe=/usr/bin/python name=epylog.pid scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:var_run_t tclass=dir Apr 13 03:02:02 homer kernel: audit(1081843322.045:0): avc: denied { create } for pid=1944 exe=/usr/bin/python name=epylog.pid scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:var_run_t tclass=file I do see some things in the log that might be 3rd party, such as setiathome and epylog which is how I get my logs but wasn't sure if this only involved those or others, such as POP3. Sorry to flood the list, but wasn't sure how to show these. -- Mike Chambers Madisonville, KY "It's only funny until someone gets hurt...Then it's hilarious!"

2 3

How to determine the role of a user
by Anurup Mishra 13 Apr '04

13 Apr '04

Hi, I am new to SELinux and recently I am able to install Fedora Core 2 test 2 on on machine. I want to implement a role based access control in one of my Java Stand Alone application. During experimentation, when I tried to find the context of an another user as root, I got following message: [root@v60x-1 root]# id --context n1gsps id: cannot display context when selinux not enabled or when displaying the id of a different user Now my first question is how do I figure out the role of another user. Do I need to tweak the policy to achieve this?? Could someone please navigate me on this. Second, how do I figure out the role of a user from a Java Application. As of now I am trying id command from java exec. Please suggest if you know any better alternative. warm regards, Anurup Mishra __________________________________ Do you Yahoo!? Yahoo! Tax Center - File online by April 15th http://taxes.yahoo.com/filing.html

2 1

sshd -- cannot relabel with system_u:object_r:sshd_devpts_t
by Tom Mitchell 13 Apr '04

13 Apr '04

I just killed a remote terminal window and noted this message triple in the log/messages: sshd(pam_unix)[30912]: session opened for user root by (uid=0) sshd[30912]: Warning! Could not relabel with system_u:object_r:sshd_devpts_t, not relabeling. sshd(pam_unix)[30912]: session closed for user root policy-sources-1.10.2-5 policy-1.10.2-5 If this is what I think it is sshd will slowly run out of available ptys. -- T o m M i t c h e l l /dev/null the ultimate in secure storage.

2 2

SELinux for RHEL3
by Bill McCarty 13 Apr '04

13 Apr '04

Hi all, My question is somewhat off topic, but I hope that it can nevertheless be indulged. Some time ago, SELinux packages for RHEL 3 had been available on people.redhat.com. I successfully installed SELinux on several RHEL 3 systems using these packages. However, the packages that currently reside there don't work under RHEL 3. I've tried various cheats, such as using FC 2 packages, compiling source RPMs, etc. But, so far, everything I've tried is no-go for at least some of the necessary packages. Do RHEL 3 packages for SELinux currently exist? If so, where can they be obtained? If not, must we wait for RHEL 4 to obtain compatible SELinux packages? Or, is there a chance of another experimental release for RHEL 3? I myself don't mind hacking the SRPMs or whatever a bit. But, the available packages seem to be bound to a variety of versions of automake and autoconf. Hence, it's very troublesome to coax all of them into compiling on the same host <g>. The coreutils package is especially troublesome; if SELinux packages aren't available I suspect that I'll have to patch the RHEL 3 coreutils sources. But I can't see when I'll have time to do so <g>. So, any pointers are most welcome! Cheers, --------------------------------------------------- Bill McCarty, Ph.D. Professor of Information Technology Azusa Pacific University

3 6

Some questions relating to selinux
by Gene Czarcinski 13 Apr '04

13 Apr '04

The following is a mixed bag of comments/questions related to SElinux... 1. I noticed that when I login as root from a VT I get the choice of 3 different roles (staff_r, sysadm_r, and system_r) but when I login as a sysadm_r user and then "su -" to root, I only get two roles (staff_r and sysadm_r). Whe the difference? Better still, is this intentional? 2. If I login a VT or su to a user who has multiple roles defined, I get the option to select which role (when su - is working). On the other hand, if I login via gdm I do not get such a choice. Question: should gdm be enhanced to offer to option to select a role for users with multiple roles defined? 3. In the /etc/security/selinux/src/policy/users file there are two examples of defining a user having sysadm_r: # sample for administrative user #user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', \ `system_r') }; # sample for regular user #user jdoe roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') }; Which one is the "right" one to use? 4. In the above, I notice that if I login from gdm I get sysadm_r in the first case and user_r in the second case. However, if I login from a VT, the default role is sysadm_r in both cases. Is this operating correctly? Why the difference? It seems to me that the correct operation should be the same in both cases. 5. Why is the system_r role only available from the VT? 6. Is there some command that will list the roles available for a user? 7. The packages libselinux has a lot of /usr/bin/ files which have no documentation (e.g., setfilecon). Is there some reason for this (other than we have not got around to that yet)? 8. Is there someplace that describes the differences between the various policy versions (15, 16, 17, etc.)? 9. Is there some additional documentation concerning the /etc/security/selinux/src/policy/tunable.te file (besides the comments in the file itself)? 10. Is there any documentation planned (but maybe not in FC2) which will make recommendations on how to lock a system down using the tunable.te file? 11. For the record, my "vote" is for FC2 final to default to selinux=1, enforcing=1 but with a policy that is very "loose" by default (it would more or less work as if selinux was not really installed for most users). I would also like to see an option for a more restrictive policy which could then be worked with for those inclined to do so. 12. I noticed that if I login as a user defined in users as above case 2 and then "su -" to root, I am given no role options. However, if I login as a sysadm_r user (case 1 above) and then "su -" to root, I am given a choice of role. Why the difference? If this operating correctly? ------------------------------------------------------------------------------------ I am sure that more questions will occur to me but that is enough for now. Gene

4 4

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux April 2004