Having installed the latest bunch of Fedora 8 updates this morning, which included selinux-policy and setroubleshoot, I'm getting these denials:
type=AVC msg=audit(1204275163.032:209): avc: denied { connectto } for pid=26345 comm="setroubleshootd" path="/var/run/audispd_events" scontext=unconfined_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1204275171.133:210): avc: denied { read } for pid=26379 comm="setroubleshootd" name=".rpmmacros" dev=0:15 ino=6331637 scontext=unconfined_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
The first one looks like a policy issue but I can't fathom why setroubleshootd would be trying to access ~/.rpmmacros for the second one.
Paul.
Paul Howarth wrote:
> Having installed the latest bunch of Fedora 8 updates this morning, which included selinux-policy and setroubleshoot, I'm getting these denials:
> type=AVC msg=audit(1204275163.032:209): avc: denied { connectto } for pid=26345 comm="setroubleshootd" path="/var/run/audispd_events" scontext=unconfined_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1204275171.133:210): avc: denied { read } for pid=26379 comm="setroubleshootd" name=".rpmmacros" dev=0:15 ino=6331637 scontext=unconfined_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
> The first one looks like a policy issue but I can't fathom why setroubleshootd would be trying to access ~/.rpmmacros for the second one.
Following a reboot, the socket /var/run/audispd_events changed from auditd_t to audisp_var_run_t and there are no more AVCs for this. I tried a restorecon before the reboot but that didn't do anything, which is strange given that policy does indeed specify context:
# semanage fcontext -l | grep audisp
/sbin/audispd              regular file   system_u:object_r:audisp_exec_t:s0
/sbin/audisp-prelude       regular file   system_u:object_r:audisp_prelude_exec_t:s0
/var/run/audispd_events    socket         system_u:object_r:audisp_var_run_t:s0
Perhaps that was finger trouble?
Paul.
Paul Howarth wrote:
> Paul Howarth wrote:
> > Having installed the latest bunch of Fedora 8 updates this morning, which included selinux-policy and setroubleshoot, I'm getting these denials:
> > type=AVC msg=audit(1204275163.032:209): avc: denied { connectto } for pid=26345 comm="setroubleshootd" path="/var/run/audispd_events" scontext=unconfined_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=unix_stream_socket
> > type=AVC msg=audit(1204275171.133:210): avc: denied { read } for pid=26379 comm="setroubleshootd" name=".rpmmacros" dev=0:15 ino=6331637 scontext=unconfined_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
> > The first one looks like a policy issue but I can't fathom why setroubleshootd would be trying to access ~/.rpmmacros for the second one.
> Following a reboot, the socket /var/run/audispd_events changed from auditd_t to audisp_var_run_t and there are no more AVCs for this. I tried a restorecon before the reboot but that didn't do anything, which is strange given that policy does indeed specify context:
> # semanage fcontext -l | grep audisp
> /sbin/audispd              regular file   system_u:object_r:audisp_exec_t:s0
> /sbin/audisp-prelude       regular file   system_u:object_r:audisp_prelude_exec_t:s0
> /var/run/audispd_events    socket         system_u:object_r:audisp_var_run_t:s0
> Perhaps that was finger trouble?
You needed to restart the audit daemon to get the proper context. I probably should have left the policy for both.
setroubleshoot loads the rpm python bindings, which try to read the .rpmmacros file in $HOME. So if you do a service setroubleshoot restart after su or sudo then you can see this avc. It is supposed to be dontaudited, but it must be missing the nfs_t one.
> Paul.