Re: postfix, procmail and SELinux - No Go

Marc Schwartz wrote:
I just got home and noted the following avc's which appear to be a
post-reboot scenario.

There are some that appear to be networking related, which may indeed be
associated with the kernel related reports. I have more than one network
profile, where I used one at home that has a fixed IP address behind a
router. At work, I use NM with DHCP. As I noted in a prior post, some
network things have been flaky with the new kernel.

Is this an indication that I should consider the 'updates testing'
initscripts update as referenced in other threads on the general lists?

Possibly; my understanding of the update is that it fixes the order of assignment of network devices at boot time. This is useful to me for instance, as I have a two-interface firewall, which doesn't work if it boots with the internal and external interfaces the wrong way around.

Up until the reboot, there were no other avc's.

Note also what appears to be a double "//" in the path to the
razor-agent.log.  Not sure where that comes from, as the mods that I
made in the config files are:

local.cf:
razor_config /etc/mail/spamassassin/razor/razor-agent.conf

razor-agent.conf :
razorhome              = /etc/mail/spamassassin/razor/

The trailing '/' in the second file was there previously.

You could try it without the trailing slash and see what happens. Double slashes aren't usually an issue though.

New avc's:

type=AVC msg=audit(1151607255.655:1577): avc:  denied  { signal } for  pid=2283 comm="spamd" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=process
type=SYSCALL msg=audit(1151607255.655:1577): arch=40000003 syscall=37 success=no exit=-13 a0=780b a1=f a2=2b5b8c a3=90e7894 items=0 pid=2283 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0

Spamassassin signalling dcc_client. I wonder if the "a1" value is the signal number? If so, that's SIGTERM.

type=AVC msg=audit(1151620643.074:452): avc:  denied  { append } for  pid=2312 comm="spamd" name="razor-agent.log" dev=hdc7 ino=1081390 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:etc_mail_t:s0 tclass=file
type=SYSCALL msg=audit(1151620643.074:452): arch=40000003 syscall=5 success=no exit=-13 a0=b5c6ee0 a1=8441 a2=1b6 a3=8441 items=1 pid=2312 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=CWD msg=audit(1151620643.074:452):  cwd="/"
type=PATH msg=audit(1151620643.074:452): item=0 name="/etc/mail/spamassassin/razor//razor-agent.log" parent=1081385 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:etc_mail_t:s0

Trying to append to /etc/mail/spamassassin/razor/razor-agent.log, which of course is etc_mail_t. Is there any way to persuade razor to put this log in /var/log instead?

type=AVC msg=audit(1151620645.415:453): avc:  denied  { setgid } for  pid=2410 comm="dccproc" capability=6 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=capability
type=SYSCALL msg=audit(1151620645.415:453): arch=40000003 syscall=210 success=yes exit=0 a0=ffffffff a1=0 a2=ffffffff a3=47fcfcc0 items=0 pid=2410 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0

dccproc changing its group ID.

type=AVC msg=audit(1151620795.471:481): avc:  denied  { use } for  pid=5120 comm="dhclient" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1151620795.471:481): avc:  denied  { use } for  pid=5120 comm="dhclient" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=SYSCALL msg=audit(1151620795.471:481): arch=40000003 syscall=11 success=yes exit=0 a0=99120f8 a1=993b580 a2=9912608 a3=993b5f0 items=2 pid=5120 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dhclient" exe="/sbin/dhclient" subj=user_u:system_r:dhcpc_t:s0
type=AVC_PATH msg=audit(1151620795.471:481):  path="pipe:[10508]"
type=AVC_PATH msg=audit(1151620795.471:481):  path="pipe:[10508]"
type=CWD msg=audit(1151620795.471:481):  cwd="/etc/sysconfig/network-scripts"
type=PATH msg=audit(1151620795.471:481): item=0 name="/sbin/dhclient" inode=3542818 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dhcpc_exec_t:s0
type=PATH msg=audit(1151620795.471:481): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1151620808.228:498): avc:  denied  { use } for  pid=5217 comm="dhclient-script" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1151620808.228:498): avc:  denied  { use } for  pid=5217 comm="dhclient-script" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=SYSCALL msg=audit(1151620808.228:498): arch=40000003 syscall=11 success=yes exit=0 a0=9fdff30 a1=a0044c8 a2=9fe1378 a3=a002498 items=3 pid=5217 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dhclient-script" exe="/bin/bash" subj=user_u:system_r:dhcpc_t:s0
type=AVC_PATH msg=audit(1151620808.228:498):  path="pipe:[10508]"
type=AVC_PATH msg=audit(1151620808.228:498):  path="pipe:[10508]"
type=CWD msg=audit(1151620808.228:498):  cwd="/etc/sysconfig/network-scripts"
type=PATH msg=audit(1151620808.228:498): item=0 name="/sbin/dhclient-script" inode=3548518 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dhcpc_exec_t:s0
type=PATH msg=audit(1151620808.228:498): item=1 name=(null) inode=1966191 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
type=PATH msg=audit(1151620808.228:498): item=2 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

These appear to be unrelated network issues.

Could be allowed by having
xserver_use_xdm_fds(dhcpc_t)
in the sysnetwork policy but I'm not sure what's happening there and if that would be the right thing to do.

Updated policy:
::::::::::::::
mydcc.if
::::::::::::::
########################################
## <summary>
##      Signal the dcc client
## </summary>
## <param name="domain">
##      <summary>
##      The type of the process performing this action.
##      </summary>
## </param>
#
interface(`dcc_signal_client',`
        gen_require(`
                type dcc_client_t;
        ')

        allow $1 dcc_client_t:process signal;
')

::::::::::::::
myspamassassin.te
::::::::::::::
policy_module(myspamassassin, 0.1.2)

require {
        type spamd_t;
}

# This will be included in FC5 policy when dcc module is included
dcc_domtrans_client(spamd_t)

# This is already supposed to be included but doesn't seem to be working
pyzor_domtrans(spamd_t)

# This will be included in FC5 policy when razor module is included
razor_domtrans(spamd_t)

# Signal the dcc client (SIGTERM is used?)
dcc_signal_client(spamd_t)
::::::::::::::
mydcc.te
::::::::::::::
policy_module(mydcc, 0.1.9)

# ==================================================
# Declarations
# ==================================================

require {
        type dcc_client_t;
}

# ==================================================
# DCC client local policy
# ==================================================

allow dcc_client_t self:capability setgid;
allow dcc_client_t self:netlink_route_socket r_netlink_socket_perms;

corenet_udp_bind_inaddr_any_node(dcc_client_t)

# dcc_client probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(dcc_client_t)
kernel_dontaudit_read_system_state(dcc_client_t)

spamassassin_read_spamd_tmp_files(dcc_client_t)



Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
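Added example, not part of the thread: a small Python decoder for the AVC/SYSCALL pairs quoted above. It settles the question about a1: on i386 (arch=40000003) syscall 37 is kill(pid, sig), so a1=f is signal 15, SIGTERM; it also decodes the open() flags behind the "append" denial, maps capability=6 to CAP_SETGID, and builds the literal allow rule each denial corresponds to (the same rules the policy modules above express via interfaces). The sample records are copied from the thread and trimmed to the fields used; the syscall, signal and flag tables are the standard i386 values.

```python
import re

# Constructed sample: the thread's AVC/SYSCALL pairs, trimmed to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1151607255.655:1577): avc:  denied  { signal } for  pid=2283 comm="spamd" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=process
type=SYSCALL msg=audit(1151607255.655:1577): arch=40000003 syscall=37 success=no exit=-13 a0=780b a1=f a2=2b5b8c a3=90e7894 pid=2283 comm="spamd"
type=AVC msg=audit(1151620643.074:452): avc:  denied  { append } for  pid=2312 comm="spamd" name="razor-agent.log" scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:etc_mail_t:s0 tclass=file
type=SYSCALL msg=audit(1151620643.074:452): arch=40000003 syscall=5 success=no exit=-13 a0=b5c6ee0 a1=8441 a2=1b6 a3=8441 pid=2312 comm="spamd"
type=AVC msg=audit(1151620645.415:453): avc:  denied  { setgid } for  pid=2410 comm="dccproc" capability=6 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=capability
type=SYSCALL msg=audit(1151620645.415:453): arch=40000003 syscall=210 success=yes exit=0 a0=ffffffff a1=0 a2=ffffffff a3=47fcfcc0 pid=2410 comm="dccproc"
"""

I386_SYSCALLS = {5: "open", 11: "execve", 37: "kill", 210: "setresgid32"}  # arch=40000003 table
SIGNALS = {1: "SIGHUP", 2: "SIGINT", 9: "SIGKILL", 15: "SIGTERM"}
CAPS = {6: "CAP_SETGID", 7: "CAP_SETUID"}
O_FLAGS = [(0x1, "O_WRONLY"), (0x2, "O_RDWR"), (0x40, "O_CREAT"), (0x400, "O_APPEND"), (0x8000, "O_LARGEFILE")]

def parse_records(text):
    """Group audit records by serial number (the ':NNN' inside msg=audit(...))."""
    events = {}
    for line in text.splitlines():
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        serial = re.search(r'audit\([\d.]+:(\d+)\)', line).group(1)
        perm = re.search(r'\{ ([^}]+) \}', line)          # "{ signal }" on AVC records
        if perm:
            fields["perm"] = perm.group(1).strip()
        events.setdefault(serial, {})[fields["type"]] = fields
    return events

def decode(event):
    """Turn an AVC + SYSCALL pair into the facts a policy writer needs."""
    avc, sc = event["AVC"], event["SYSCALL"]
    out = {"source": avc["scontext"].split(":")[2], "target": avc["tcontext"].split(":")[2],
           "tclass": avc["tclass"], "perm": avc["perm"], "detail": ""}
    out["syscall"] = I386_SYSCALLS.get(int(sc["syscall"]), "unknown")
    if out["syscall"] == "kill":              # kill(pid, sig): a0 is the pid, a1 the signal
        out["target_pid"] = int(sc["a0"], 16)
        out["detail"] = SIGNALS.get(int(sc["a1"], 16), "signal %d" % int(sc["a1"], 16))
    elif out["syscall"] == "open":            # open(path, flags, mode): a1 holds the flags
        flags = int(sc["a1"], 16)
        out["detail"] = "|".join(name for bit, name in O_FLAGS if flags & bit)
    if avc["tclass"] == "capability":         # capability=N is the CAP_* number
        out["detail"] = CAPS.get(int(avc["capability"]), "capability %s" % avc["capability"])
    return out

def allow_rule(d):
    """The literal allow rule for this denial; not always the right fix (e.g. relocate the razor log instead)."""
    target = "self" if d["target"] == d["source"] else d["target"]
    return "allow %s %s:%s %s;" % (d["source"], target, d["tclass"], d["perm"])
```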
