We've got a scratch directory; in it, any user can write. I've gotten complaints of unlabeled, and I found and set them to default_t.
Here's the question: if I use semanage to set one of the user subdirectories to, say, default_t, and they try to copy a file that already has a valid context, would that context be changed to default_t, or would it retain its existing context?
Thanks in advance.
mark
On 03/25/2013 10:13 AM, m.roth@5-cent.us wrote:
> We've got a scratch directory; in it, any user can write. I've gotten complaints of unlabeled, and I found and set them to default_t.
> Here's the question: if I use semanage to set one of the user subdirectories to, say, default_t, and they try to copy a file that already has a valid context, would that context be changed to default_t, or would it retain its existing context?
If it is shared by users I would label it something like user_home_t.
cp command adopts the label of the destination parent directory or file (Most of the time).
mv command maintains the label of the source.
Daniel J Walsh wrote:
> If it is shared by users I would label it something like user_home_t.
> cp command adopts the label of the destination parent directory or file (Most of the time).
> mv command maintains the label of the source.
But if, after this, I do a restorecon, or fixfiles, or autorelabel, will that change all of them?
mark
On 03/25/2013 06:56 PM, m.roth@5-cent.us wrote:
> But if, after this, I do a restorecon, or fixfiles, or autorelabel, will that change all of them?
You can verify it using matchpathcon. Basically if you use "semanage", you add permanent labeling.
On 03/25/2013 01:56 PM, m.roth@5-cent.us wrote:
> But if, after this, I do a restorecon, or fixfiles, or autorelabel, will that change all of them?
Yes. Unless the file is listed in customizable_types, /etc/selinux/targeted/contexts/customizable_types
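The relabel behaviour described in the replies above, modelled as an added example (not code from the thread or from any SELinux tool): restorecon resets a file to the type its path matches, except that a file whose current type is listed in customizable_types is left alone unless forced with -F. The rules, type list and paths are constructed, and rule matching is simplified to "last matching regex wins".

```python
import re

# Constructed sample data, not taken from the thread.
# Rules in file_contexts order; the /scratch entry stands for a local rule
# added with:  semanage fcontext -a -t user_home_t '/scratch(/.*)?'
FCONTEXT_RULES = [
    (r"/.*", "default_t"),
    (r"/scratch(/.*)?", "user_home_t"),
]

# Assumed excerpt of /etc/selinux/targeted/contexts/customizable_types;
# check the real file on the system being administered.
CUSTOMIZABLE_TYPES = {"public_content_t", "samba_share_t"}

# path -> type currently stored on disk
FILES = {
    "/scratch/alice/old.dat": "unlabeled_t",       # pre-existing unlabeled file
    "/scratch/alice/copy.txt": "user_home_t",      # created by cp, took the directory's type
    "/scratch/bob/resolv.bak": "net_conf_t",       # arrived via mv, kept its source type
    "/scratch/bob/share.iso": "public_content_t",  # arrived via mv, customizable type
}


def default_type(path, rules=FCONTEXT_RULES):
    """Type a matchpathcon-style lookup would report for path.

    Simplification: the last rule whose regex matches the whole path wins.
    """
    for pattern, ftype in reversed(rules):
        if re.fullmatch(pattern, path):
            return ftype
    return None


def relabel_plan(files, customizable=CUSTOMIZABLE_TYPES, force=False):
    """Decide, per file, what a restorecon-style relabel would do.

    Returns {path: (action, resulting_type)} where action is one of
    "keep", "relabel" or "skip-customizable". force=True models -F.
    """
    plan = {}
    for path, current in sorted(files.items()):
        wanted = default_type(path)
        if wanted is None or wanted == current:
            plan[path] = ("keep", current)
        elif current in customizable and not force:
            # Customizable types survive a relabel unless it is forced.
            plan[path] = ("skip-customizable", current)
        else:
            plan[path] = ("relabel", wanted)
    return plan


if __name__ == "__main__":
    for path, (action, ftype) in relabel_plan(FILES).items():
        print("%-18s %-16s %s" % (action, ftype, path))
```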
On one of our systems we see that the syslog/messages file has been flooded with the following messages
r 25 18:07:56 nw043b-vcma1 user 3 sedispatch: Connection Error (An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")): AVC Will be dropped
Mar 25 18:07:56 nw043b-vcma1 user 3 sedispatch: Connection Error (An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")): AVC Will be dropped
Mar 25 18:07:56 nw043b-vcma1 user 3 sedispatch: Connection Error (An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")): AVC Will be dropped
We are on RHEL6.2 and running in permissive mode.
Here are the versions of the selinux related rpms.
root@nw043b-vcma1 vos]# rpm -qa | grep selinux
selinux-policy-3.7.19-126.el6.noarch
libselinux-2.0.94-5.2.el6.i686
libselinux-2.0.94-5.2.el6.x86_64
selinux-policy-targeted-3.7.19-126.el6.noarch
libselinux-utils-2.0.94-5.2.el6.i686
libselinux-utils-2.0.94-5.2.el6.x86_64
libselinux-python-2.0.94-5.2.el6.x86_64
[root@nw043b-vcma1 vos]# rpm -qa | grep setro
setroubleshoot-server-3.0.38-2.1.el6.x86_64
setroubleshoot-plugins-3.0.16-1.el6.noarch
What could be the root cause of these messages?
Thanks, Anamitra
On 03/26/2013 12:50 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> What could be the root cause of these messages?
Are you seeing lots of AVC messages?
ausearch -m avc -ts recent
Hi Dan,
Yes there are many denials being seen. Here is an output from ausearch....
time->Tue Mar 26 13:58:16 2013
type=SYSCALL msg=audit(1364324296.810:915270): arch=c000003e syscall=16 success=yes exit=0 a0=15 a1=8912 a2=7ffffa54bf90 a3=0 items=0 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1364324296.810:915270): avc: denied { ioctl } for pid=18992 comm="vmtoolsd" path="socket:[2348604]" dev=sockfs ino=2348604 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=tcp_socket
----
time->Tue Mar 26 13:58:26 2013
type=PATH msg=audit(1364324306.076:915272): item=0 name="/" inode=2 dev=08:01 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0
type=CWD msg=audit(1364324306.076:915272): cwd="/"
type=SYSCALL msg=audit(1364324306.076:915272): arch=c000003e syscall=137 success=yes exit=0 a0=c45530 a1=7ffffa54c150 a2=1 a3=2 items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1364324306.076:915272): avc: denied { getattr } for pid=18992 comm="vmtoolsd" name="/" dev=sda1 ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
time->Tue Mar 26 13:58:26 2013
type=PATH msg=audit(1364324306.075:915271): item=0 name="/dev/sda1" inode=5938 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:01 obj=system_u:object_r:fixed_disk_device_t:s0
type=CWD msg=audit(1364324306.075:915271): cwd="/"
type=SYSCALL msg=audit(1364324306.075:915271): arch=c000003e syscall=4 success=yes exit=0 a0=c7d0b0 a1=7ffffa54c110 a2=7ffffa54c110 a3=a items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1364324306.075:915271): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/dev/sda1" dev=devtmpfs ino=5938 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
----
time->Tue Mar 26 13:58:26 2013
type=PATH msg=audit(1364324306.080:915273): item=0 name="/proc/net/dev" inode=4026531979 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0
type=CWD msg=audit(1364324306.080:915273): cwd="/"
type=SYSCALL msg=audit(1364324306.080:915273): arch=c000003e syscall=2 success=yes exit=22 a0=7f783bc0e159 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1364324306.080:915273): avc: denied { open } for pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1364324306.080:915273): avc: denied { read } for pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Tue Mar 26 13:58:26 2013
type=SYSCALL msg=audit(1364324306.081:915274): arch=c000003e syscall=5 success=yes exit=0 a0=16 a1=7ffffa547f10 a2=7ffffa547f10 a3=0 items=0 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1364324306.081:915274): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/proc/18992/net/dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Tue Mar 26 13:58:26 2013
type=PATH msg=audit(1364324306.082:915275): item=0 name="/etc/resolv.conf" inode=654095 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0
type=CWD msg=audit(1364324306.082:915275): cwd="/"
type=SYSCALL msg=audit(1364324306.082:915275): arch=c000003e syscall=2 success=yes exit=21 a0=7f78443317fa a1=0 a2=1b6 a3=2 items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1364324306.082:915275): avc: denied { open } for pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1364324306.082:915275): avc: denied { read } for pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
time->Tue Mar 26 13:58:26 2013
type=SYSCALL msg=audit(1364324306.083:915276): arch=c000003e syscall=5 success=yes exit=0 a0=15 a1=7ffffa549e80 a2=7ffffa549e80 a3=2 items=0 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1364324306.083:915276): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/etc/resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
Thanks, Anamitra
On 3/26/13 11:55 AM, "Daniel J Walsh" dwalsh@redhat.com wrote:
> Are you seeing lots of AVC messages?
> ausearch -m avc -ts recent
Are you running this with unconfined.pp disabled? Looks like you need policy for vmtoolsd.
I was looking for auditd_t or setroubleshootd avc's.
ps -eZ | grep sedispatch
ps -eZ | grep setroubleshootd
sedispatch sends avc messages via dbus to setroubleshootd, if setroubleshootd gets an AVC about itself, it will drop it on the floor,
On 03/26/2013 03:01 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Yes there are many denials being seen. Here is an output from ausearch....
Hi Dan,
Thanks for your prompt response.
Yes we have removed unconfined.pp from our system.
And here are the outputs for the ps command
[root@nw043b-vcma1 ~]# ps -eZ | grep sedispatch
system_u:system_r:audisp_t:s0 30135 ? 00:00:11 sedispatch
[root@nw043b-vcma1 ~]#
[root@nw043b-vcma1 ~]# ps -eZ | grep setroubleshootd
[root@nw043b-vcma1 ~]#
What kind of policies do we need to add for vmtoolsd ?
Thanks, Anamitra
On 3/26/13 12:08 PM, "Daniel J Walsh" dwalsh@redhat.com wrote:
> Are you running this with unconfined.pp disabled? Looks like you need policy for vmtoolsd.
> I was looking for auditd_t or setroubleshootd avc's.
> ps -eZ | grep sedispatch
> ps -eZ | grep setroubleshootd
> sedispatch sends avc messages via dbus to setroubleshootd, if setroubleshootd gets an AVC about itself, it will drop it on the floor,
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/26/2013 03:23 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
Hi Dan,
Thanks for your prompt response.
Yes we have removed unconfined.pp from our system.
And here are the outputs for the ps command
[root@nw043b-vcma1 ~]# ps -eZ | grep sedispatch
system_u:system_r:audisp_t:s0 30135 ? 00:00:11 sedispatch
[root@nw043b-vcma1 ~]#
[root@nw043b-vcma1 ~]# ps -eZ | grep setroubleshootd
[root@nw043b-vcma1 ~]#
Those look correct, is there a chance setroubleshootd is blowing up? sedispatch sending a dbus message should activate it.
grep setroubleshoot /var/log/audit/audit.log
Writing policy for vmtoolsd would require something like
sepolgen PATHTO/vmtoolsd
to start
What kind of policies do we need to add for vmtoolsd?
Thanks, Anamitra
On 3/26/13 12:08 PM, "Daniel J Walsh" dwalsh@redhat.com wrote:
Are you running this with unconfined.pp disabled? Looks like you need policy for vmtoolsd.
I was looking for auditd_t or setroubleshootd avc's.
ps -eZ | grep sedispatch
ps -eZ | grep setroubleshootd
sedispatch sends avc messages via dbus to setroubleshootd, if setroubleshootd gets an AVC about itself, it will drop it on the floor,
On 03/26/2013 03:01 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
Hi Dan,
Yes there are many denials being seen. Here is an output from ausearch....
Hi Dan,
The audit logs do not have any entry for setroubleshoot.
However, when I manually try to execute the setroubleshoot command I can see the same denial
[root@nw043b-vcma1 ~]# /usr/sbin/setroubleshootd
[root@nw043b-vcma1 ~]# org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")
Running audit2allow shows the following...
#============= init_t ==============
allow init_t fixed_disk_device_t:blk_file getattr;
allow init_t fs_t:filesystem getattr;
allow init_t net_conf_t:file { read getattr open };
allow init_t proc_net_t:file { read getattr open };
allow init_t self:tcp_socket ioctl;

#============= initrc_t ==============
#!!!! The source type 'initrc_t' can write to a 'dir' of the following types:
# var_log_t, ipsec_var_run_t, ricci_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t, dirsrv_var_run_t, snmpd_var_lib_t, udev_var_run_t, virt_var_lib_t, var_lib_nfs_t, plat_conf_t, mysqld_db_t, cisco_etc_t, named_conf_t, system_dbusd_var_lib_t, initrc_tmp_t, sanlock_var_run_t, common_t, bin_t, boot_t, cert_t, mnt_t, root_t, snmp_t, tmp_t, usr_t, var_t, device_t, etc_t, fonts_t, ibm_t, tmpfs_t, lockfile, etc_mail_t, core_log_t, initrc_state_t, postgresql_db_t, alsa_etc_rw_t, gconf_etc_t, var_spool_t, virt_cache_t, plat_log_t, var_lib_t, var_run_t, dhcpc_state_t, faillog_t, system_cron_spool_t, squid_log_t, opt_ibm_t, svc_svc_t

allow initrc_t cm_lib_t:dir { write add_name };
allow initrc_t cm_lib_t:file { write create };
allow initrc_t db_t:file lock;
allow initrc_t db_t:lnk_file unlink;
allow initrc_t db_t:sock_file unlink;
allow initrc_t plat_bin_t:file setattr;
allow initrc_t self:sem getattr;

#============= insmod_t ==============
allow insmod_t ipprefsd_t:unix_stream_socket { read write };

#============= readahead_t ==============
allow readahead_t os_t:file { read getattr open };
On a physical system this behavior is not observed.
Thanks, Anamitra
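Added example, not part of the original thread: the ausearch records above all show vmtoolsd running as init_t, which is what prompted the reply that vmtoolsd needs its own policy, and grouping them by source type, target type and class reproduces the init_t section of the audit2allow output. The Python below is illustrative code written for this page, not audit2allow's own; the function names are made up here, and SAMPLE is the nine type=AVC records from the thread (plus one CWD record) joined onto one line the way the archive shows them.

```python
import re
from collections import Counter, defaultdict

# AVC records copied from the ausearch output in the thread, joined with
# spaces so that several records share one line, as in the list archive.
SAMPLE = " ".join([
    'type=AVC msg=audit(1364324296.810:915270): avc: denied { ioctl } for pid=18992 comm="vmtoolsd" path="socket:[2348604]" dev=sockfs ino=2348604 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=tcp_socket',
    '---- time->Tue Mar 26 13:58:26 2013',
    'type=CWD msg=audit(1364324306.076:915272): cwd="/"',
    'type=AVC msg=audit(1364324306.076:915272): avc: denied { getattr } for pid=18992 comm="vmtoolsd" name="/" dev=sda1 ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1364324306.075:915271): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/dev/sda1" dev=devtmpfs ino=5938 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    'type=AVC msg=audit(1364324306.080:915273): avc: denied { open } for pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=AVC msg=audit(1364324306.080:915273): avc: denied { read } for pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=AVC msg=audit(1364324306.081:915274): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/proc/18992/net/dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=AVC msg=audit(1364324306.082:915275): avc: denied { open } for pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1364324306.082:915275): avc: denied { read } for pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1364324306.083:915276): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/etc/resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file',
])

# A record starts at "type=NAME msg=audit("; split there, not on newlines.
RECORD_START = re.compile(r'(?=\btype=[A-Z_]+ msg=audit\()')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', re.S)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def avc_records(text):
    """Yield one dict per AVC denial, even when records share a line."""
    for chunk in RECORD_START.split(text):
        m = AVC.search(chunk) if chunk.startswith("type=AVC ") else None
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
        src = f.get("scontext", "").split(":")
        tgt = f.get("tcontext", "").split(":")
        if len(src) < 3 or len(tgt) < 3 or "tclass" not in f:
            continue  # truncated record: skip it rather than guess
        yield {"perms": m.group(1).split(), "comm": f.get("comm", "?"),
               "source": src[2], "target": tgt[2], "tclass": f["tclass"]}


def allow_rules(text):
    """Group denials as (source type, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for r in avc_records(text):
        # A target type equal to the source type is written as "self".
        target = "self" if r["target"] == r["source"] else r["target"]
        rules[(r["source"], target, r["tclass"])].update(r["perms"])
    return dict(rules)


def render(rules):
    """Format the grouped denials as allow statements, sorted for stable output."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out


def domains_by_command(text):
    """Count denials per (comm, source type) to see which domain a daemon runs in."""
    return Counter((r["comm"], r["source"]) for r in avc_records(text))


if __name__ == "__main__":
    print("\n".join(render(allow_rules(SAMPLE))))
    print(domains_by_command(SAMPLE))
```

Every denial in the sample is attributed to comm="vmtoolsd" with source type init_t, so allow rules generated from it would widen init_t itself; the thread's suggestion is to start a separate policy for vmtoolsd with sepolgen instead.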