On 11/22/2011 06:23 PM, jackson byers wrote:
> # uname -r
> 2.6.35.14-103.fc14.i686.PAE
>
> I haven't paid much attention to avc warnings.
>
> did /.autorelabel, reboot, to see if that could stop avc.
>
> Still see 'avc: denied' in auditlog, involving firefox,
> plugin-config,...
>
> last 6 of # grep -n avc audit.log:
>
> 279:type=AVC msg=audit(1321983739.130:242): avc: denied { read } for pid=20223 comm="ldd" name="firefox" dev=sda8 ino=999863 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file
> 281:type=AVC msg=audit(1321983739.134:243): avc: denied { sys_ptrace } for pid=20215 comm="setroubleshootd" capability=19 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability
> 283:type=AVC msg=audit(1321983739.312:244): avc: denied { read } for pid=20225 comm="ldd" name="firefox" dev=sda8 ino=999863 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file
> 285:type=AVC msg=audit(1321983739.314:245): avc: denied { sys_ptrace } for pid=20215 comm="setroubleshootd" capability=19 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability
> 302:type=AVC msg=audit(1321989501.906:261): avc: denied { execstack } for pid=21019 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> 304:type=AVC msg=audit(1321989519.158:262): avc: denied { read } for pid=21046 comm="ldd" name="plugin-config" dev=sda8 ino=1000054 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:nsplugin_config_exec_t:s0 tclass=file
> [root@f14 audit]#
>
> no 'file_t' seen:
>
> [root@f14 audit]# grep file_t audit.log
> [root@f14 audit]#
>
> I have put only minimal effort into learning selinux syntax,
> methods. Overwhelming, to me.
>
> are there simple rules on how to respond to 'avc denied'?
>
> If I do nothing?
>
> Jack

Interesting AVCs. Setroubleshoot is trying to figure out why a certain
application required execstack privs. In this case plugin-config.

It looks like you have installed an application plugin for firefox that
requires execstack. setroubleshoot was trying to figure out if you had
any libraries labeled as requiring execstack by executing ldd
plugin-config. Sadly this generated additional AVCs.

The setroubleshoot AVCs are fixed in F16.
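The grouping described in the reply, as an added example that is not part of the original messages: it parses the six quoted AVC records and separates the denials raised by the `setroubleshootd_t` domain from the rest. The function names are this example's own, and the split on `setroubleshootd_t` is an assumption taken from the reply's explanation.

```python
import re
from collections import Counter

# The six AVC records quoted in the message above, with their grep -n prefixes.
SAMPLE = '''\
279:type=AVC msg=audit(1321983739.130:242): avc: denied { read } for pid=20223 comm="ldd" name="firefox" dev=sda8 ino=999863 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file
281:type=AVC msg=audit(1321983739.134:243): avc: denied { sys_ptrace } for pid=20215 comm="setroubleshootd" capability=19 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability
283:type=AVC msg=audit(1321983739.312:244): avc: denied { read } for pid=20225 comm="ldd" name="firefox" dev=sda8 ino=999863 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file
285:type=AVC msg=audit(1321983739.314:245): avc: denied { sys_ptrace } for pid=20215 comm="setroubleshootd" capability=19 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability
302:type=AVC msg=audit(1321989501.906:261): avc: denied { execstack } for pid=21019 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
304:type=AVC msg=audit(1321989519.158:262): avc: denied { read } for pid=21046 comm="ldd" name="plugin-config" dev=sda8 ino=1000054 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:nsplugin_config_exec_t:s0 tclass=file
'''

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\):\s*avc:\s+denied\s+'
                    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type field is the third one.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(text):
    """Count denials per (source type, target type, class, permission, comm)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec['perms']:
            counts[(rec['source_type'], rec['target_type'], rec['tclass'],
                    perm, rec.get('comm', '?'))] += 1
    return counts

def split_by_source(counts, domain='setroubleshootd_t'):
    """Separate denials raised by `domain` itself from all the others."""
    own = {k: v for k, v in counts.items() if k[0] == domain}
    other = {k: v for k, v in counts.items() if k[0] != domain}
    return own, other

if __name__ == '__main__':
    for group in split_by_source(summarize(SAMPLE)):
        print(sorted(group.items()))
```

On the quoted log, the only denial outside `setroubleshootd_t` is the `execstack` one for `plugin-config`; the other five come from setroubleshoot's own `ldd` and ptrace activity.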