Running strict/enforcing, latest rawhide.
The following crop up with today's updates:
0. Early boot denials:
May 3 06:42:12 fedora kernel: security: 3 users, 6 roles, 1333
types, 63 bools
May 3 06:42:12 fedora kernel: security: 55 classes, 342123 rules
May 3 06:42:12 fedora kernel: SELinux: Completing initialization.
May 3 06:42:12 fedora kernel: SELinux: Setting up existing superblocks.
May 3 06:42:12 fedora kernel: audit(1115102485.415:0): avc: denied
{ read } for name=proc dev=hda2 ino=3407873
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
May 3 06:42:12 fedora kernel: audit(1115102485.416:0): avc: denied
{ search } for name=/ dev=hda2 ino=2
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
May 3 06:42:12 fedora last message repeated 3 times
May 3 06:42:12 fedora kernel: SELinux: initialized (dev hda2, type
ext3), uses xattr
Also, init seems to be doing a PID scan:
May 3 06:42:13 fedora kernel: audit(1115102490.729:0): avc: denied
{ read } for name=stat dev=proc ino=65550
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t
tclass=file
May 3 06:42:13 fedora kernel: audit(1115102490.730:0): avc: denied
{ read } for name=stat dev=proc ino=31916046
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t
tclass=file
May 3 06:42:13 fedora kernel: audit(1115102490.730:0): avc: denied
{ read } for name=stat dev=proc ino=32505870
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:initrc_t tclass=file
May 3 06:42:13 fedora kernel: audit(1115102490.730:0): avc: denied
{ read } for name=stat dev=proc ino=36175886
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:hotplug_t tclass=file
<<<SNIP>>>
1. privoxy is non-functional:
May 3 06:42:53 fedora kernel: audit(1115127773.695:0): avc: denied
{ name_bind } for src=8118 scontext=system_u:system_r:privoxy_t
tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket
so suggest adding
allow privoxy_t http_cache_port_t:tcp_socket name_bind;
to privoxy.te
2. trouble starting ptal. I can't tell if this is a missing
transition to ptal_t, or just a missing entry in net_contexts.
Help?
May 3 06:42:21 fedora kernel: audit(1115127741.848:0): avc: denied
{ name_bind } for src=5703 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5704 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5705 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5706 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5707 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5708 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5709 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5710 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5711 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5712 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5713 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5714 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5715 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora ptal-photod:
ptal-photod(mlc:usb:PSC_900_Series): bind(tcpPort=5729) failed,
errno=13!
Also:
May 3 06:42:22 fedora kernel: audit(1115127741.921:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:25 fedora ptal-mlcd: ERROR at ExMgr.cpp:2525,
dev=<mlc:usb:PSC_900_Series>, pid=2372, e=1, t=1115127745
Couldn't find device!
May 3 06:42:25 fedora kernel: audit(1115127745.660:0): avc: denied
{ write } for name=001 dev=usbfs ino=4489
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May 3 06:42:25 fedora kernel: audit(1115127745.660:0): avc: denied
{ write } for name=001 dev=usbfs ino=4489
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May 3 06:42:25 fedora kernel: audit(1115127745.660:0): avc: denied
{ write } for name=001 dev=usbfs ino=4473
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May 3 06:42:25 fedora kernel: audit(1115127745.661:0): avc: denied
{ write } for name=001 dev=usbfs ino=4473
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May 3 06:42:25 fedora kernel: audit(1115127745.661:0): avc: denied
{ write } for name=001 dev=usbfs ino=4457
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May 3 06:42:25 fedora kernel: audit(1115127745.661:0): avc: denied
{ write } for name=001 dev=usbfs ino=4457
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
3. issues with fifo files:
May 3 06:42:14 fedora kernel: IPv6 over IPv4 tunneling driver
May 3 06:42:14 fedora kernel: audit(1115127718.038:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:14 fedora kernel: audit(1115127718.041:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:14 fedora kernel: audit(1115127718.256:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:14 fedora kernel: audit(1115127718.260:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:14 fedora kernel: ACPI: Power Button (FF) [PWRF]
<<<SNIP>>>
May 3 06:42:50 fedora ntpd[2472]: kernel time sync status 0040
May 3 06:42:50 fedora kernel: audit(1115127770.407:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:50 fedora ntpd[2472]: frequency initialized 67.355 PPM
from /var/lib/ntp/drift
May 3 06:42:50 fedora ntpd[2472]: configure: keyword "authenticate"
unknown, line ignored
May 3 06:42:51 fedora kernel: audit(1115127771.070:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
<<<SNIP>>>
May 3 06:42:59 fedora kernel: audit(1115127779.773:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:59 fedora kernel: audit(1115127779.800:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
4. ddclient (fix to support http_port_t):
May 3 06:42:52 fedora kernel: audit(1115127772.664:0): avc: denied
{ name_connect } for dest=80 scontext=system_u:system_r:ddclient_t
tcontext=system_u:object_r:http_port_t tclass=tcp_socket
or
allow ddclient_t http_port_t:tcp_socket name_connect;
5. su denial:
May 3 06:44:04 fedora su(pam_unix)[3241]: session opened for user
root by tbl(uid=500)
May 3 06:44:17 fedora kernel: audit(1115127857.306:0): avc: denied
{ unix_read unix_write } for key=1592234044
scontext=user_u:user_r:user_t tcontext=system_u:system_r:xdm_t
tclass=sem
Does
allow user_t xdm_t:sem { unix_read unix_write };
make sense?
Thanks!
tom
--
Tom London
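As an added example (not part of Tom's post, and not the audit2allow tool itself): a small Python script that parses AVC denial lines in the format quoted above, groups them by source type, target type and object class, and prints one candidate allow rule per group together with a review hint. The sample log lines are the post's own AVC records, re-joined onto single lines where the mail client had wrapped them; the `SUSPECT_TARGETS` heuristic and all function names are assumptions of this example, not policy from the post.

```python
import re
from collections import defaultdict

# Sample input: AVC lines quoted in the post above, with the mail wrapping
# undone so each record sits on one line (plus one non-AVC kernel line).
SAMPLE_LOG = """\
May 3 06:42:12 fedora kernel: audit(1115102485.415:0): avc: denied { read } for name=proc dev=hda2 ino=3407873 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
May 3 06:42:53 fedora kernel: audit(1115127773.695:0): avc: denied { name_bind } for src=8118 scontext=system_u:system_r:privoxy_t tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.848:0): avc: denied { name_bind } for src=5703 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5704 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:52 fedora kernel: audit(1115127772.664:0): avc: denied { name_connect } for dest=80 scontext=system_u:system_r:ddclient_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket
May 3 06:44:17 fedora kernel: audit(1115127857.306:0): avc: denied { unix_read unix_write } for key=1592234044 scontext=user_u:user_r:user_t tcontext=system_u:system_r:xdm_t tclass=sem
May 3 06:42:14 fedora kernel: ACPI: Power Button (FF) [PWRF]
"""

# "avc: denied { perm [perm ...] } for key=value ..." as logged by the kernel
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))
    rec["perms"] = tuple(m.group("perms").split())
    # The type is the third field of a user:role:type[:mls] context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def aggregate(log_text):
    """Group denials by (source type, target type, class); merge perms and count."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["count"] += 1
    return dict(groups)


# Target types for which a blanket allow is usually the wrong fix.
# (Constructed heuristic for this example, not a rule from the post.)
SUSPECT_TARGETS = {
    "unlabeled_t": "object has no label; relabel the filesystem rather than allow",
    "port_t": "generic port; define a port type (net_contexts) or fix the domain transition",
}


def suggest_rules(log_text):
    """Return (rule, note) pairs: a candidate allow rule plus a review hint."""
    out = []
    for (stype, ttype, tclass), g in sorted(aggregate(log_text).items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rule = f"allow {stype} {ttype}:{tclass} {perm_str};"
        note = SUSPECT_TARGETS.get(ttype, f"{g['count']} denial(s); review before adding")
        out.append((rule, note))
    return out


if __name__ == "__main__":
    for rule, note in suggest_rules(SAMPLE_LOG):
        print(f"{rule:<60} # {note}")
```

The grouping step is what turns the dozen near-identical initrc_t/port_t lines in item 2 into a single candidate, and the hint table is the part worth keeping in mind when reading the output: a denial against unlabeled_t points at a labeling problem, and a denial against the generic port_t points at a missing port definition or domain transition, so those two groups are flagged for investigation instead of being turned into allow rules.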