Re: Denied { search } mingetty and can't log in

Emeric Maschino <maschino@xxxxxxxxxxxx> · Mon, 30 Jan 2006 10:20:18 +0100

Hi,

> Just to let you know that the above AVCs have been reported as bug
> #178747, #178748, #178789, #178750 and #178753. It seems they're all due
> to an ia64 specific issue (details in bug #178747). I don't know if my
> original problem in enforcing mode with mingetty is also concerned by
> this issue. Today kernel should provide a workaround for the AVCs in
> permissive mode. I'll test it and let you know the result.

With kernel 2.6.15-1.1878_FC5, execmod checks are disabled, so I'm no
more getting the corresponding AVCs. Furthermore, I'm now able to start
in enforcing mode (the problem with mingetty was also solved). However,
from the audit.log file, I'm still getting denied read and search AVCs,
mainly due to irqbalance and hald:

type=AVC msg=audit(1138388575.636:9): avc:  denied  { read } for
pid=1946 comm="irqbalance" name="mtab" dev=dm-0 ino=1899143
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1138388575.636:9): arch=c0000032 syscall=1028
success=no
exit=13 a0=20000008002ae8d0 a1=0 a2=1b6 a3=558281 items=1 pid=1946
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="irqbalance" exe="/usr/sbin/irqbalance"

type=AVC msg=audit(1138388575.636:10): avc:  denied  { read } for
pid=1946 comm="irqbalance" name="fstab" dev=dm-0 ino=1901326
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1138388575.636:10): arch=c0000032 syscall=1028
success=no exit=13 a0=20000008002ae938 a1=0 a2=1b6 a3=558281 items=1
pid=1946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="irqbalance" exe="/usr/sbin/irqbalance"

type=AVC msg=audit(1138385008.409:11): avc:  denied  { search } for
pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir

type=AVC msg=audit(1138385008.477:12): avc:  denied  { search } for
pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir

type=AVC msg=audit(1138385008.593:13): avc:  denied  { search } for
pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir

type=AVC msg=audit(1138385008.677:14): avc:  denied  { search } for
pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir

type=AVC msg=audit(1138385008.733:15): avc:  denied  { search } for
pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir

type=AVC msg=audit(1138385012.697:17): avc:  denied  { search } for
pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir

Cheers,

	M

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list