Re: List of selinux issues

On Tue, 6 Apr 2004 21:19, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:
> > denied  { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2
> > ino=1389922 scontext=root:system_r:dhcpc_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
>
> Added policy to allow this, but not sure what it is trying to do.  Could
> you try it in non-enforcing mode and grab the avc messages.

Looks like /var/lib is mis-labeled as home_root_t.  Relabeling the file system 
is probably the best thing to do.

> > 5) This is vmware from the VMWare WS 4.5.1 service startup.  The
> > issues are ... complicated, numerous, and scary looking.
> >
> > Apr  5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc:
> > denied  { search } for  pid=1909 exe=/usr/bin/vmnet-netifup name=net
> > dev= ino=344 scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:sysfs_t tclass=dir
> > Apr  5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc:
> > denied  { search } for  pid=1910 exe=/usr/bin/vmnet-netifup name=net
> > dev= ino=344 scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:sysfs_t tclass=dir
> > Apr  5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc:
> > denied  { node_bind } for  pid=1931 exe=/usr/bin/vmnet-natd
> > scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
> > Apr  5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc:
> > denied  { create } for  pid=1931 exe=/usr/bin/vmnet-natd
> > name=vmnat.1931 scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:var_run_t tclass=sock_file

The problem here is that we don't have any distinction between vmware 
processes started by the user and the vmware daemons.  Probably the best 
thing to do is to entirely re-write the vmware policy to fix this and the 
other problems.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
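The thread turns on reading AVC denial records and deciding whether each one is a genuine policy gap (the vmware_t cases) or a labeling error (home_root_t on something under /var/lib). The following Python is an added example, not code from the thread or from any SELinux tool: it parses the denial lines quoted above (re-joined onto single lines, as the kernel emitted them), merges them into candidate allow rules the way audit2allow would, and applies an assumed heuristic (the TYPE_HOME table, not something the thread states) to flag denials whose target type is bound to one directory tree but whose object name does not belong there, which is exactly the /var/lib-as-home_root_t case where relabeling rather than new policy is the fix.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials quoted in the thread, each put
# back onto a single line as the kernel wrote it.
SAMPLE_LOG = """\
Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:  denied  { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr  5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc:  denied  { search } for  pid=1909 exe=/usr/bin/vmnet-netifup name=net dev= ino=344 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr  5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc:  denied  { node_bind } for  pid=1931 exe=/usr/bin/vmnet-natd scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
Apr  5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc:  denied  { create } for  pid=1931 exe=/usr/bin/vmnet-natd name=vmnat.1931 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:var_run_t tclass=sock_file
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Assumed heuristic, not from the thread: types that belong to exactly one
# top-level tree. An object with another name carrying such a type is more
# likely mislabeled than missing policy.
TYPE_HOME = {"home_root_t": "home"}


def parse_avc(line):
    """Parse one kernel AVC denial line into a dict, or return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": sorted(m.group("perms").split())}
    rec.update(dict(FIELD_RE.findall(m.group("fields"))))
    for side in ("scontext", "tcontext"):
        # contexts are user:role:type[:level]; the type is the third field
        rec[side + "_type"] = rec[side].split(":")[2]
    return rec


def parse_log(text):
    """Return the list of parsed denial records found in a log blob."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def allow_rules(records):
    """Merge denials into one allow rule per (source, target, class) triple."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["scontext_type"], r["tcontext_type"], r["tclass"])].update(r["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules


def suspect_mislabels(records):
    """Flag denials whose target type does not fit the object name.

    Returns (exe, name, tcontext type, tree the type belongs to) tuples.
    """
    out = []
    for r in records:
        expected = TYPE_HOME.get(r["tcontext_type"])
        name = r.get("name")
        if expected and name and name != expected:
            out.append((r["exe"], name, r["tcontext_type"], expected))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("candidate rules (review before adding; see mislabel list first):")
    for rule in allow_rules(recs):
        print("  " + rule)
    for exe, name, ttype, tree in suspect_mislabels(recs):
        print(f"probable mislabel: {exe} hit '{name}' typed {ttype}, "
              f"a type expected only under /{tree}; relabel instead of allowing")
```

Running it produces one rule per denied triple (the vmware_t rules are the ones the reply says call for a policy rewrite) and a single mislabel warning for the dhclient denial, matching the advice in the reply that /var/lib should be relabeled rather than granted home_root_t access.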
