Stephen Smalley wrote:
On Thu, 2006-07-13 at 07:16 -0700, Tom London wrote:Running selinux-policy-2.3.2-1 targeted/permissive. Doing my usual 'yum update' of yesterday's rawhide (including selinux-policy-2.3.2-2), I noticed this in audit log: type=AVC msg=audit(1152799768.153:34): avc: denied { audit_write } for pid=3084 comm="useradd" capability=29 scontext=user_u:system_r:useradd_t:s0 tcontext=user_u:system_r:useradd_t:s0 tclass=capability type=USER_CHAUTHTOK msg=audit(1152799768.153:35): user pid=3084 uid=0 auid=500 subj=user_u:system_r:useradd_t:s0 msg='op=adding user acct=dbus exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0 res=failed)' type=SYSCALL msg=audit(1152799768.153:34): arch=40000003 syscall=102 success=yes exit=116 a0=b a1=bf95a240 a2=6ecff4 a3=bf96068e items=0 ppid=3083 pid=3084 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd" subj=user_u:system_r:useradd_t:s0 key=(null) type=SOCKADDR msg=audit(1152799768.153:34): saddr=100000000000000000000000 type=SOCKETCALL msg=audit(1152799768.153:34): nargs=6 a0=3 a1=bf95e4dc a2=74 a3=0 a4=bf95a270 a5=cYes, another program instrumented for audit generation, needs that capability. Why wasn't this taken care of when these programs were originally instrumented for audit? (We are only now getting audit denials due to the netlink capability checking patch that went into recent kernels, but this would have been getting denied all along, so I would have expected it to show up in testing).
Testing in permissive mode I guess. -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
