The other day I rebooted my pc to check on the new configuration
(adding/removing) of services. Although the reboot wasn't _necessary_, I
wanted to see what effect the changes in booted services would do to the
bootup time. Unfortunately, I forgot about an earlier selinux problem I
had that required an ".autolabel" reboot of the system & have had some
interesting issues with windbind & snmpd. I am running the following
selinux packages:
libselinux-1.19.1-8.i386.rpm
libselinux-devel-1.19.1-8.i386.rpm
selinux-doc-1.14.1-1.noarch.rpm
selinux-policy-targeted-1.17.30-3.16.noarch.rpm
I have looked at the bugzilla logs and these issues are entirely
separate from those mentioned (or at least they seem to be different to
me). First, the snmpd service will not start because it is being denied
by selinux:
Aug 13 07:22:13 wowway kernel: audit(1123932133.514:20): avc: denied {
execmem } for pid=8352 comm="snmpd" scontext=root:system_r:snmpd_t
tcontext=root:system_r:snmpd_t tclass=process
Aug 13 18:18:35 wowway kernel: audit(1123971515.257:21): avc: denied {
execmem } for pid=10368 comm="snmpd" scontext=root:system_r:snmpd_t
tcontext=root:system_r:snmpd_t tclass=process
It was only after the searching the System log for avc denials that I
came across the windbind problem which, to my knowledge, has not
affected my ability to access shared mounts or the the printer connected
to my linux box. Apparently, selinux is not allowing windbind to append
or write to the windbindd.log:
Aug 12 19:46:12 wowway kernel: audit(1123890372.244:2): avc: denied {
execmem } for pid=3873 comm="snmpd" scontext=user_u:system_r:snmpd_t
tcontext=user_u:system_r:snmpd_t tclass=process
Aug 12 19:46:25 wowway kernel: audit(1123890385.354:3): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:4): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:5): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:6): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:7): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:8): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:9): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:10): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:11): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.392:12): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.392:13): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.392:14): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.414:15): avc: denied {
write } for pid=4120 comm="winbindd" name="secrets.tdb" dev=dm-2
ino=345283 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:etc_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.415:16): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.415:17): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.415:18): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.415:19): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
I admit that I have not had time to delve into selinux context
structures and rules, but these denials seem to be different, at least
so far as I can tell, from what has been reported. Please let me know if
there is any further information that can / need to provide.
Craig
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
