List of selinux issues

[Warren Togami <wtogami@xxxxxxxxxx>]

This is my first time running with selinux enforcement enabled and this 
system has been apt upgraded from FC2test1 to latest rawhide, so please 
forgive me that some of these will be duplicates and others may be 
errors.  Please let me know which are not duplicates, and if you want me 
to bugzilla them.

To be clear, I did the following in order to ensure that my labels are 
correct during runtime.  I hope this was correct.

setenforce off
fixfiles relabel
setenforce 1



1) Infinite Loop of these messages when using "/sbin/ifup eth0" as 
non-root user.  This is allowed when enforcement is disabled.  CTRL-C is 
abled to stop the looping.

Apr  5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc:  denied 
 { setuid } for  pid=2463 exe=/bin/bash capability=7 
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t 
tclass=capability
Apr  5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc:  denied 
 { setuid } for  pid=2463 exe=/usr/sbin/usernetctl capability=7 
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t 
tclass=capability


2) "su -" from my non-root user caused this error.  I was however 
allowed to work as root.

Apr  5 21:07:42 ibmlaptop su(pam_unix)[12399]: session opened for user 
root by warren(uid=500)
Apr  5 21:07:42 ibmlaptop su[12399]: pam_xauth: error creating temporary 
file `/root/.xauthsDAz4e': Permission denied
Apr  5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc:  denied 
 { write } for  pid=12399 exe=/bin/su name=root dev=hda2 ino=1291809 
scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t 
tclass=dir


3) Then as root, I used "ifup eth0" which succeeded, but with the 
following in /var/log/messages.

Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:  denied 
 { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 
ino=1389922 scontext=root:system_r:dhcpc_t 
tcontext=system_u:object_r:home_root_t tclass=dir
Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:  denied 
 { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 
ino=1389922 scontext=root:system_r:dhcpc_t 
tcontext=system_u:object_r:home_root_t tclass=dir
Apr  5 21:07:45 ibmlaptop dhclient: can't create 
/var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr  5 21:07:46 ibmlaptop dhclient: sit0: unknown hardware address type 776
Apr  5 21:07:48 ibmlaptop dhclient: DHCPDISCOVER on eth0 to 
255.255.255.255 port 67 interval 4
Apr  5 21:07:48 ibmlaptop dhclient: DHCPOFFER from 172.31.16.1
Apr  5 21:07:48 ibmlaptop dhclient: DHCPREQUEST on eth0 to 
255.255.255.255 port 67
Apr  5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1
Apr  5 21:07:48 ibmlaptop dhclient: can't create 
/var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr  5 21:07:48 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal in 
356918 seconds.
Apr  5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc:  denied 
 { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 
ino=1389922 scontext=root:system_r:dhcpc_t 
tcontext=system_u:object_r:home_root_t tclass=dir


4) GNOME mixer_applet2 is unable to reach the device.  Strangely this 
began failing in permissive mode too, but it works when selinux is 
totally disabled and not loaded.

Apr  5 21:07:10 ibmlaptop kernel: audit(1081235230.797:0): avc:  denied 
 { setattr } for  pid=2435 exe=/usr/libexec/mixer_applet2 
name=registry.xml dev=hda2 ino=1425367 scontext=user_u:user_r:user_t 
tcontext=system_u:object_r:var_t tclass=file


5) This is vmware from the VMWare WS 4.5.1 service startup.  The issues 
are ... complicated, numerous, and scary looking.

Apr  5 21:06:08 ibmlaptop kernel: vmmon: module license 'unspecified' 
taints kernel.
Apr  5 21:06:08 ibmlaptop kernel: vmnet: module license 'unspecified' 
taints kernel.
Apr  5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc:  denied 
 { search } for  pid=1909 exe=/usr/bin/vmnet-netifup name=net dev= 
ino=344 scontext=system_u:system_r:vmware_t 
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr  5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc:  denied 
 { search } for  pid=1910 exe=/usr/bin/vmnet-netifup name=net dev= 
ino=344 scontext=system_u:system_r:vmware_t 
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr  5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc:  denied 
 { node_bind } for  pid=1931 exe=/usr/bin/vmnet-natd 
scontext=system_u:system_r:vmware_t 
tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
Apr  5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc:  denied 
 { create } for  pid=1931 exe=/usr/bin/vmnet-natd name=vmnat.1931 
scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:var_run_t 
tclass=sock_file
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP 
Server 2.0
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998, 
1999 The Internet Software Consortium.
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find 
this software useful.
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit 
http://www.isc.org/dhcp-contrib.html
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP 
Server 2.0
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998, 
1999 The Internet Software Consortium.
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.

Apr  5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP 
Server 2.0
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998, 
1999 The Internet Software Consortium.
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.18.0
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find 
this software useful.
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address: 
173.31.18.254
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit 
http://www.isc.org/dhcp-contrib.html
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Recving on 
VNet/vmnet1/173.31.18.0
Apr  5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr  5 21:06:10 ibmlaptop vmnet-dhcpd: Sending on 
VNet/vmnet1/173.31.18.0
Apr  5 21:06:11 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.17.0
Apr  5 21:06:12 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address: 
173.31.17.254
Apr  5 21:06:12 ibmlaptop vmnet-dhcpd: Recving on 
VNet/vmnet8/173.31.17.0
Apr  5 21:06:12 ibmlaptop vmnet-dhcpd: Sending on 
VNet/vmnet8/173.31.17.0
Apr  5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc:  denied 
 { create } for  pid=2253 exe=/usr/bin/vmware-nmbd 
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t 
tclass=udp_socket
Apr  5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc:  denied 
 { create } for  pid=2253 exe=/usr/bin/vmware-nmbd 
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t 
tclass=udp_socket
Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.460:0): avc:  denied 
 { read } for  pid=2254 exe=/usr/bin/vmware-smbd name=urandom dev=hda2 
ino=1270748 scontext=system_u:system_r:vmware_t 
tcontext=system_u:object_r:urandom_device_t tclass=chr_fileApr  5 
21:06:16 ibmlaptop kernel: audit(1081235176.461:0): avc:  denied  { read 
} for  pid=2254 exe=/usr/bin/vmware-smbd name=shadow dev=hda2 
ino=1963867 scontext=system_u:system_r:vmware_t 
tcontext=system_u:object_r:shadow_t tclass=file
Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc:  denied 
 { setgid } for  pid=2254 exe=/usr/bin/vmware-smbd capability=6 
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t 
tclass=capability
Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc:  denied 
 { setgid } for  pid=2254 exe=/usr/bin/vmware-smbd capability=6 
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t 
tclass=capability
Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.805:0): avc:  denied 
 { setgid } for  pid=2254 exe=/usr/bin/vmware-smbd capability=6 
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t 
tclass=capability
Apr  5 21:06:16 ibmlaptop last message repeated 2 times
Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc:  denied 
 { read } for  pid=2254 exe=/usr/bin/vmware-smbd name=printcap dev=hda2 
ino=1962265 scontext=system_u:system_r:vmware_t 
tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc:  denied 
 { create } for  pid=2254 exe=/usr/bin/vmware-smbd 
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t 
tclass=udp_socket Apr  5 21:06:17 ibmlaptop kernel: 
audit(1081235177.041:0): avc:  denied  { sys_resource } for  pid=2254 
exe=/usr/bin/vmware-smbd capability=24 
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t 
tclass=capability