Re: NetworkManager wants security_t:file read...

Stephen Smalley wrote:

On Thu, 2005-09-15 at 08:15 -0700, Tom London wrote:

Running targeted/enforcing, latest rawhide.

Get the following from NetworkManager:

type=AVC msg=audit(1126796883.544:9): avc: denied { read } for pid=2309 comm="ls" name="mls" dev=selinuxfs ino=12
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1126796883.544:9): arch=40000003 syscall=5
success=no exit=-13 a0=bfac4cf4 a1=8000 a2=0 a3=8000 items=1 pid=2309
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="ls" exe="/bin/ls"
type=CWD msg=audit(1126796883.544:9):  cwd="/etc/sysconfig/network-scripts"
type=PATH msg=audit(1126796883.544:9): item=0 name="/selinux/mls"
flags=101  inode=12 dev=00:0d mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126796887.764:10): avc: denied { read } for pid=2578 comm="killall" name="mls" dev=selinuxfs ino=12
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1126796887.764:10): arch=40000003 syscall=5
success=no exit=-13 a0=bfd0c884 a1=8000 a2=0 a3=8000 items=1 pid=2578
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="killall" exe="/usr/bin/killall"
type=CWD msg=audit(1126796887.764:10):  cwd="/"
type=PATH msg=audit(1126796887.764:10): item=0 name="/selinux/mls"
flags=101  inode=12 dev=00:0d mode=0100444 ouid=0 ogid=0 rdev=00:00

allow NetworkManager_t security_t:file read;

That right?

Should be macro-ized and applied to any domain that needs to get/set a
context, as it is really due to libsetrans checking to see whether MLS
is enabled during library initialization to decide whether or not to
enable context translations.

dontaudit NetworkManager_t security_t:dir search;
Is probably better.


--


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
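
Added example, not part of the original thread and not the audit2allow tool: a small Python parser that groups the AVC records quoted above by source type, target type and class. Both denials, one from comm="ls" and one from comm="killall", collapse to the single rule Tom proposed, which fits the explanation that shared library initialization is doing the read rather than either program. The sample holds the thread's two AVC lines rejoined onto single lines; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's AVC records, each rejoined onto one line.
SAMPLE = """\
type=AVC msg=audit(1126796883.544:9): avc: denied { read } for pid=2309 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1126796883.544:9): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1126796887.764:10): avc: denied { read } for pid=2578 comm="killall" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        "perms": m.group(1).split(),
        # A context is user:role:type[:level]; the type is the third field.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
    }

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
    return dict(groups)

def rule(key, perms, keyword="allow"):
    """Render one policy rule; keyword may be 'allow' or 'dontaudit'."""
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"{keyword} {key[0]} {key[1]}:{key[2]} {body};"

if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        print(rule(key, g["perms"]), "# seen from:", sorted(g["comms"]))
```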
