Question on SELinux AVC messages with systemd.


I am noticing the following in F14

type=1400 audit(1279559591.480:31): avc:  denied  { read } for  pid=526
comm="udevd" name="/" dev=autofs ino=9519
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=1400 audit(1279559595.968:35): avc:  denied  { read } for  pid=880
comm="blkid" name="/" dev=autofs ino=9522
scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=AVC msg=audit(1279559629.289:59): avc:  denied  { read } for
pid=2013 comm="vgchange" name="/" dev=autofs ino=9522
scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=PATH msg=audit(1279559629.289:59): item=0 name="/dev/mqueue"
inode=9522 dev=00:21 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:autofs_t:s0


These AVC messages indicate that lots of daemons (udevd, blkid, vgchange) are
trying to list the contents of a directory labeled autofs_t.

Do you have any idea what is going on here?  Am I going to have to allow
all daemons to list the contents of autofs_t?

Similarly

type=AVC msg=audit(1279559629.285:58): avc:  denied  { read } for
pid=2013 comm="vgchange" name="/" dev=hugetlbfs ino=9725
scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=PATH msg=audit(1279559629.285:58): item=0 name="/dev/hugepages"
inode=9725 dev=00:22 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:hugetlbfs_t:s0
type=1400 audit(1279559591.491:32): avc:  denied  { read } for  pid=526
comm="udevd" name="/" dev=hugetlbfs ino=9725
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=1400 audit(1279559591.491:33): avc:  denied  { open } for  pid=526
comm="udevd" name="/" dev=hugetlbfs ino=9725
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=1400 audit(1279559591.491:34): avc:  denied  { getattr } for
pid=526 comm="udevd" path="/dev/hugepages" dev=hugetlbfs ino=9725
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir

Will I have to allow all daemons to list the contents of hugetlbfs_t?

Or could these be leaks?
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
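As an added example (my code, not part of the post or the list thread), a short Python script that parses the records quoted above, groups the denials by source domain, target type and object class, resolves name="/" to a real path via the PATH record carrying the same audit serial or the path= field, and renders the candidate allow rules audit2allow would print for review. It assumes the audit log's one-record-per-line layout, so the wrapped lines from the post are re-joined.

```python
import re
from collections import defaultdict

# The AVC and PATH records quoted in the post, re-joined onto one line each.
RECORDS = """\
type=1400 audit(1279559591.480:31): avc:  denied  { read } for  pid=526 comm="udevd" name="/" dev=autofs ino=9519 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=1400 audit(1279559595.968:35): avc:  denied  { read } for  pid=880 comm="blkid" name="/" dev=autofs ino=9522 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=AVC msg=audit(1279559629.289:59): avc:  denied  { read } for pid=2013 comm="vgchange" name="/" dev=autofs ino=9522 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=PATH msg=audit(1279559629.289:59): item=0 name="/dev/mqueue" inode=9522 dev=00:21 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:autofs_t:s0
type=1400 audit(1279559591.491:32): avc:  denied  { read } for  pid=526 comm="udevd" name="/" dev=hugetlbfs ino=9725 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=1400 audit(1279559591.491:33): avc:  denied  { open } for  pid=526 comm="udevd" name="/" dev=hugetlbfs ino=9725 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=1400 audit(1279559591.491:34): avc:  denied  { getattr } for  pid=526 comm="udevd" path="/dev/hugepages" dev=hugetlbfs ino=9725 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
"""

# Both header spellings occur: "type=1400 audit(...)" and "type=AVC msg=audit(...)".
HEADER = re.compile(r"type=(?P<type>\w+) (?:msg=)?audit\([\d.]+:(?P<serial>\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_record(line):
    """Parse one audit record into a dict; returns None for non-audit lines."""
    hdr = HEADER.match(line)
    if not hdr:
        return None
    rec = {"type": hdr["type"], "serial": int(hdr["serial"])}
    rec.update((k, v.strip('"')) for k, v in FIELD.findall(line[hdr.end():]))
    denied = DENIED.search(line)
    if denied:
        rec["perms"] = set(denied["perms"].split())
    return rec

def summarize(text):
    """Group denials by (source domain, target type, class); resolve name="/"
    (the mount root) to a path via path= or the PATH record with the same serial."""
    recs = [r for r in map(parse_record, text.splitlines()) if r]
    by_serial = {r["serial"]: r["name"] for r in recs if r["type"] == "PATH"}
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "paths": set()})
    for r in recs:
        if "perms" not in r:  # PATH and other non-AVC records carry no denial
            continue
        src, tgt = r["scontext"].split(":")[2], r["tcontext"].split(":")[2]
        g = groups[(src, tgt, r["tclass"])]
        g["perms"] |= r["perms"]
        g["comms"].add(r["comm"])
        path = r.get("path") or by_serial.get(r["serial"])
        if path:
            g["paths"].add(path)
    return dict(groups)

def allow_rules(groups):
    """Render each group as the candidate rule audit2allow would print."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
                  for (s, t, c), g in groups.items())
```

Running summarize(RECORDS) shows that every denial is a read, open or getattr on the root directory of a mount, which is the fact to weigh before deciding between a policy rule, a dontaudit, or tracing where the descriptor came from.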