On Fri, 2006-06-30 at 14:19 +0100, Paul Howarth wrote:
> Marc Schwartz wrote:
> > I just got home and noted the following avc's which appear to be a
> > post-reboot scenario.
> >
> > There are some that appear to be networking related, which may indeed be
> > associated with the kernel related reports. I have more than one network
> > profile, where I used one at home that has a fixed IP address behind a
> > router. At work, I use NM with DHCP. As I noted in a prior post, some
> > network things have been flaky with the new kernel.
> >
> > Is this an indication that I should consider the 'updates testing'
> > initscripts update as referenced in other threads on the general lists?
>
> Possibly; my understanding of the update is that it fixes the order of
> assignment of network devices at boot time. This is useful to me for
> instance, as I have a two-interface firewall, which doesn't work if it
> boots with the internal and external interfaces the wrong way around.

Yeah, eth0 (should be a hardwired connection) and eth1 (which should be a
wireless connection) have been frequently switching back and forth. Under
the former kernel, the wireless was wlan0 when using ndiswrapper.

OK. I updated the rpm. I have not fully tested the updated scripts, but
what was interesting is that I had modified rc.sysinit to handle my LUKS
partitions during boot, but the update (which includes the default file)
did not overwrite my modified version. I presume that there may be an
entry in the spec file for the rpm to check for this, though I have not
taken the time to review it.

> > Up until the reboot, there were no other avc's.
> >
> > Note also what appears to be a double "//" in the path to the
> > razor-agent.log. Not sure where that comes from, as the mods that I
> > made in the config files are:
> >
> > local.cf:
> > razor_config /etc/mail/spamassassin/razor/razor-agent.conf
> >
> > razor-agent.conf :
> > razorhome = /etc/mail/spamassassin/razor/
> >
> > The trailing '/' in the second file was there previously.
>
> You could try it without the trailing slash and see what happens. Double
> slashes aren't usually an issue though.

I'll leave it for now and see if it continues to show.

> > New avc's:
> >
> > type=AVC msg=audit(1151607255.655:1577): avc: denied { signal } for pid=2283 comm="spamd" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=process
> > type=SYSCALL msg=audit(1151607255.655:1577): arch=40000003 syscall=37 success=no exit=-13 a0=780b a1=f a2=2b5b8c a3=90e7894 items=0 pid=2283 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
>
> Spamassassin signalling dcc_client. I wonder if the "a1" value is the
> signal number? If so, that's SIGTERM.
>
> > type=AVC msg=audit(1151620643.074:452): avc: denied { append } for pid=2312 comm="spamd" name="razor-agent.log" dev=hdc7 ino=1081390 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:etc_mail_t:s0 tclass=file
> > type=SYSCALL msg=audit(1151620643.074:452): arch=40000003 syscall=5 success=no exit=-13 a0=b5c6ee0 a1=8441 a2=1b6 a3=8441 items=1 pid=2312 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
> > type=CWD msg=audit(1151620643.074:452): cwd="/"
> > type=PATH msg=audit(1151620643.074:452): item=0 name="/etc/mail/spamassassin/razor//razor-agent.log" parent=1081385 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:etc_mail_t:s0
>
> Trying to append to /etc/mail/spamassassin/razor/razor-agent.log, which
> of course is etc_mail_t. Is there any way to persuade razor to put this
> log in /var/log instead?

Yep. Done.

I made a change in:

/etc/mail/spamassassin/razor/razor-agent.conf

Now with a line:

logfile = /var/log/razor-agent.log

which was just

logfile = razor-agent.log

Specifying the full path overrides the normal home dir for razor files.

After a spamassassin service restart, the log file is now:

ls -lZ /var/log/razor-agent.log
-rw-r--r--  root root user_u:object_r:var_log_t        /var/log/razor-agent.log

Note the change in context below.

> > type=AVC msg=audit(1151620645.415:453): avc: denied { setgid } for pid=2410 comm="dccproc" capability=6 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=capability
> > type=SYSCALL msg=audit(1151620645.415:453): arch=40000003 syscall=210 success=yes exit=0 a0=ffffffff a1=0 a2=ffffffff a3=47fcfcc0 items=0 pid=2410 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
>
> dccproc changing its group ID.
>
> > type=AVC msg=audit(1151620795.471:481): avc: denied { use } for pid=5120 comm="dhclient" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> > type=AVC msg=audit(1151620795.471:481): avc: denied { use } for pid=5120 comm="dhclient" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> > type=SYSCALL msg=audit(1151620795.471:481): arch=40000003 syscall=11 success=yes exit=0 a0=99120f8 a1=993b580 a2=9912608 a3=993b5f0 items=2 pid=5120 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dhclient" exe="/sbin/dhclient" subj=user_u:system_r:dhcpc_t:s0
> > type=AVC_PATH msg=audit(1151620795.471:481): path="pipe:[10508]"
> > type=AVC_PATH msg=audit(1151620795.471:481): path="pipe:[10508]"
> > type=CWD msg=audit(1151620795.471:481): cwd="/etc/sysconfig/network-scripts"
> > type=PATH msg=audit(1151620795.471:481): item=0 name="/sbin/dhclient" inode=3542818 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dhcpc_exec_t:s0
> > type=PATH msg=audit(1151620795.471:481): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> > type=AVC msg=audit(1151620808.228:498): avc: denied { use } for pid=5217 comm="dhclient-script" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> > type=AVC msg=audit(1151620808.228:498): avc: denied { use } for pid=5217 comm="dhclient-script" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> > type=SYSCALL msg=audit(1151620808.228:498): arch=40000003 syscall=11 success=yes exit=0 a0=9fdff30 a1=a0044c8 a2=9fe1378 a3=a002498 items=3 pid=5217 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dhclient-script" exe="/bin/bash" subj=user_u:system_r:dhcpc_t:s0
> > type=AVC_PATH msg=audit(1151620808.228:498): path="pipe:[10508]"
> > type=AVC_PATH msg=audit(1151620808.228:498): path="pipe:[10508]"
> > type=CWD msg=audit(1151620808.228:498): cwd="/etc/sysconfig/network-scripts"
> > type=PATH msg=audit(1151620808.228:498): item=0 name="/sbin/dhclient-script" inode=3548518 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dhcpc_exec_t:s0
> > type=PATH msg=audit(1151620808.228:498): item=1 name=(null) inode=1966191 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
> > type=PATH msg=audit(1151620808.228:498): item=2 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> >
> > These appear to be unrelated network issues.
>
> Could be allowed by having
> xserver_use_xdm_fds(dhcpc_t)
> in the sysnetwork policy but I'm not sure what's happening there and if
> that would be the right thing to do.
>
> Updated policy:
>
> ::::::::::::::
> mydcc.if
> ::::::::::::::
> ########################################
> ## <summary>
> ##     Signal the dcc client
> ## </summary>
> ## <param name="domain">
> ##     <summary>
> ##     The type of the process performing this action.
> ##     </summary>
> ## </param>
> #
> interface(`dcc_signal_client',`
>     gen_require(`
>         type dcc_client_t;
>     ')
>
>     allow $1 dcc_client_t:process signal;
> ')
>
> ::::::::::::::
> myspamassassin.te
> ::::::::::::::
> policy_module(myspamassassin, 0.1.2)
>
> require {
>     type spamd_t;
> }
>
> # This will be included in FC5 policy when dcc module is included
> dcc_domtrans_client(spamd_t)
>
> # This is already supposed to be included but doesn't seem to be working
> pyzor_domtrans(spamd_t)
>
> # This will be included in FC5 policy when razor module is included
> razor_domtrans(spamd_t)
>
> # Signal the dcc client (SIGTERM is used?)
> dcc_signal_client(spamd_t)
>
> ::::::::::::::
> mydcc.te
> ::::::::::::::
> policy_module(mydcc, 0.1.9)
>
> # ==================================================
> # Declarations
> # ==================================================
>
> require {
>     type dcc_client_t;
> }
>
> # ==================================================
> # DCC client local policy
> # ==================================================
>
> allow dcc_client_t self:capability setgid;
> allow dcc_client_t self:netlink_route_socket r_netlink_socket_perms;
>
> corenet_udp_bind_inaddr_any_node(dcc_client_t)
>
> # dcc_client probably doesn't need to be able to read /proc/meminfo
> kernel_dontaudit_list_proc(dcc_client_t)
> kernel_dontaudit_read_system_state(dcc_client_t)
>
> spamassassin_read_spamd_tmp_files(dcc_client_t)

Policies updated:

amavis 1.0.4
clamav 1.0.1
dcc 1.0.0
myclamav 0.1.5
mydcc 0.1.9
mypostfix 0.1.0
mypyzor 0.2.3
myspamassassin 0.1.2
procmail 0.5.4
pyzor 1.0.1
razor 1.0.0

I also ran a restorecon on /var/log/razor-agent.log, which is now:

ls -lZ /var/log/razor-agent.log
-rw-r--r--  root root system_u:object_r:razor_log_t    /var/log/razor-agent.log

New avc's so far, after manually running all relevant cron jobs and a re-boot:

type=AVC msg=audit(1151774266.909:5311): avc: denied { search } for pid=11652 comm="spamd" name="log" dev=dm-1 ino=73126 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1151774266.909:5311): arch=40000003 syscall=5 success=no exit=-13 a0=b1676f0 a1=8441 a2=1b6 a3=8441 items=1 pid=11652 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=CWD msg=audit(1151774266.909:5311): cwd="/"
type=PATH msg=audit(1151774266.909:5311): item=0 name="/var/log/razor-agent.log" obj=user_u:object_r:etc_mail_t:s0

type=AVC msg=audit(1151774267.629:5312): avc: denied { read } for pid=18080 comm="dccproc" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1151774267.629:5312): arch=40000003 syscall=11 success=yes exit=0 a0=b0c96b8 a1=a432fd8 a2=b18feb8 a3=bfce606c items=2 pid=18080 auid=500 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151774267.629:5312): path="/root/.rh-fontconfig/.fonts.cache-2"
type=CWD msg=audit(1151774267.629:5312): cwd="/"
type=PATH msg=audit(1151774267.629:5312): item=0 name="/usr/local/bin/dccproc" inode=3118478 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00 obj=system_u:object_r:dcc_client_exec_t:s0
type=PATH msg=audit(1151774267.629:5312): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

Thanks,

Marc

-- 
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
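As an added example (not from the thread or any of its posters), the script below does by hand what the thread relies on audit2allow for: it collapses AVC records of the shape quoted above into the `allow` rules they imply, and it decodes the i386 (arch=40000003) SYSCALL fields the thread wonders about, where syscall 37 is kill(2) so a1 is the signal number (0xf is SIGTERM) and syscall 5 is open(2) so a1 is the flag word. The sample records are constructed from the values in the thread; the syscall and flag tables are assumed to cover only the cases seen here.

```python
"""Added example (not from the thread): audit2allow-style rules from AVC records, plus i386 SYSCALL decoding."""
import re
import signal
from collections import defaultdict

# Constructed sample, copied in shape (and values) from the records in the thread.
SAMPLE = """\
type=AVC msg=audit(1151607255.655:1577): avc: denied { signal } for pid=2283 comm="spamd" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=process
type=SYSCALL msg=audit(1151607255.655:1577): arch=40000003 syscall=37 success=no exit=-13 a0=780b a1=f a2=2b5b8c a3=90e7894 items=0 pid=2283 comm="spamd"
type=AVC msg=audit(1151620643.074:452): avc: denied { append } for pid=2312 comm="spamd" name="razor-agent.log" scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:etc_mail_t:s0 tclass=file
type=SYSCALL msg=audit(1151620643.074:452): arch=40000003 syscall=5 success=no exit=-13 a0=b5c6ee0 a1=8441 a2=1b6 a3=8441 items=1 pid=2312 comm="spamd"
type=AVC msg=audit(1151774266.909:5311): avc: denied { search } for pid=11652 comm="spamd" name="log" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'type=AVC .*?denied \{ (?P<perms>[^}]+)\} .*?scontext=\w+:\w+:(?P<src>\w+):\S+ '
                    r'tcontext=\w+:\w+:(?P<tgt>\w+):\S+ tclass=(?P<cls>\w+)')
SYSCALL_RE = re.compile(r'type=SYSCALL .*?arch=(?P<arch>\w+) syscall=(?P<nr>\d+) .*?a1=(?P<a1>\w+)')

# i386 (arch=40000003) syscall numbers and open(2) flag bits for the cases seen in the thread.
I386_SYSCALLS = {5: "open", 11: "execve", 37: "kill", 210: "setresgid32"}
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT", 0x400: "O_APPEND", 0x8000: "O_LARGEFILE"}

def allow_rules(text):
    """One 'allow src tgt:class { perms };' line per (source, target, class) triple."""
    wanted = defaultdict(set)
    for m in AVC_RE.finditer(text):
        wanted[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in wanted.items())

def decode_syscall(line):
    """Name the i386 syscall and explain its a1 register for the cases in the thread."""
    m = SYSCALL_RE.search(line)
    if not m or m["arch"] != "40000003":   # only the i386 ABI is tabled here
        return None
    nr, a1 = int(m["nr"]), int(m["a1"], 16)
    name = I386_SYSCALLS.get(nr, f"syscall_{nr}")
    if name == "kill":       # kill(pid, sig): a0 is the target pid, a1 the signal number
        detail = f"signal {a1} ({signal.Signals(a1).name})"
    elif name == "open":     # open(path, flags, mode): a1 is the flag word
        detail = "|".join(n for b, n in OPEN_FLAGS.items() if a1 & b) or "O_RDONLY"
    else:
        detail = f"a1=0x{a1:x}"
    return name, detail

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
    for line in SAMPLE.splitlines():
        if line.startswith("type=SYSCALL"):
            print(decode_syscall(line))
```

The generated rules are the raw denials only; as in the thread, the right fix for the etc_mail_t append is to move the log under /var/log rather than to allow spamd_t to write into /etc/mail.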