Garry T. Williams wrote:
On Monday 13 August 2007 07:24:23 Daniel J Walsh wrote:
I will put it in fedora-testing today along with fixes for your problem.
Thanks. I just installed it but afterwards, I still see these when I
run "sudo ldconfig" with setenforce 0:
type=AVC msg=audit(1187043238.692:2616): avc: denied { dac_override } for pid=15479 comm="ldconfig" capability=1 scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:ldconfig_t:s0 tclass=capability
type=SYSCALL msg=audit(1187043238.692:2616): arch=40000003 syscall=195 success=yes exit=0 a0=89c1c08 a1=bf8b83e0 a2=89bf801 a3=89bf801 items=0 ppid=15457 pid=15479 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1187043239.334:2617): avc: denied { search } for pid=15479 comm="ldconfig" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1187043239.334:2617): arch=40000003 syscall=195 success=yes exit=0 a0=bf8b7460 a1=bf8b84bc a2=a000 a3=89c0a88 items=0 ppid=15457 pid=15479 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)
You can always modify selinux policy by executing
grep ldconfig /var/log/audit/audit.log | audit2allow -M myldconfig
semodule -i myldconfig.pp
Yes, it produces:
module myldconfig 1.0;

require {
        type home_root_t;
        type ldconfig_t;
        class capability dac_override;
        class dir search;
}

#============= ldconfig_t ==============
allow ldconfig_t home_root_t:dir search;
allow ldconfig_t self:capability dac_override;
I can't help but think that the AVCs are due to something I did
instead of ldconfig or its shipped policy. Any thoughts?
No, this is because you are running ldconfig on files in your homedir,
and we have not seen this before. See if selinux-policy-2.6.4-38 fixes
your problem.
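How the two AVC records quoted in the thread map onto the two allow rules in myldconfig, shown as an added example that is not part of the original messages and is not audit2allow's own code. The function names are hypothetical, and it assumes each AVC record sits on one line with contexts of the form user:role:type[:level]; printing the rules this way lets you read what a module would permit before loading it with semodule.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the thread (SYSCALL records omitted).
AUDIT_LOG = """\
type=AVC msg=audit(1187043238.692:2616): avc: denied { dac_override } for pid=15479 comm="ldconfig" capability=1 scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:ldconfig_t:s0 tclass=capability
type=AVC msg=audit(1187043239.334:2617): avc: denied { search } for pid=15479 comm="ldconfig" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Collapse AVC denials into sorted 'allow' rule strings for review."""
    grouped = defaultdict(set)  # (source type, target, class) -> permissions
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        src = context_type(m["scon"])
        tgt = context_type(m["tcon"])
        # A domain acting on itself (capabilities, for instance) is "self".
        if tgt == src:
            tgt = "self"
        grouped[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {text};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(AUDIT_LOG):
        print(rule)
```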