Re: Worrying AVC messages

On Sun, 2007-01-21 at 12:24 +0000, Anne Wilson wrote:
> I'm seeing a lot of AVC messages, a sample of which is
> 
> type=AVC msg=audit(1162463326.809:49): avc:  denied  { search } for  pid=4186 
> comm="postmap" name="nscd" dev=hdb1 ino=195773
> 
> type=AVC msg=audit(1162483288.034:31): avc:  denied  { write } for  pid=5804 
> comm="ip" name="[23145]" dev=pipefs ino=23145
> 
> type=AVC msg=audit(1162483738.762:39): avc:  denied  { write } for  pid=7191 
> comm="ip" name="[27659]" dev=pipefs ino=27659
> 
> type=AVC msg=audit(1169284673.188:58): avc:  denied  { ioctl } for  pid=4212 
> comm="smartd" name="hda" dev=tmpfs ino=879
> 
> type=AVC msg=audit(1162495544.436:62): avc:  denied  { write } for  pid=28024 
> comm="setfiles" name="[120832]" dev=pipefs ino=120832
> 
> type=AVC_PATH msg=audit(1169310171.523:150):  path="/dev/bus/usb/001/004"
> type=AVC msg=audit(1169310172.778:151): avc:  denied  { read } for  pid=2996 
> comm="hald-addon-stor" name="hdd" dev=tmpfs ino=7431
> 
> I don't really understand what is going on.  'postmap' to me implies postfix, 
> which seems odd.
> 
> There are many such messages about smartd.  This is something I'd want to be 
> working.  Why is this blocked?  Can/Should I enable it?  How?
> 
> I looked at /dev/bus/usb/001/004 but I can't tell what this is.  I'm guessing 
> that it's a card-reader, but it's sheer guesswork.
> 
> I'd be glad of any hints.  SELinux hasn't really caused me any problems up to 
> now, but one of my projects, which I'll address in a later thread, may be 
> being blocked, so I need to start to understand more.

You don't seem to have included the scontext, tcontext, and tclass
information, which is the real basis for the permission denial.

You can also get supplemental information about each avc denial by
enabling system call auditing.  Requires installing "audit" and adding
at least one audit rule to enable collection of the full audit context.
This will provide you with information like the system call number and
arguments, the path that has been looked up, etc.

audit2allow can be used to generate a local policy module to allow
permissions as appropriate; see its man page and the Fedora SELinux FAQ.
 
-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
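
The check the reply describes, as an added example (not part of the original message and not an SELinux tool): a small Python parser that reports which of scontext, tcontext and tclass an AVC record is missing. The helper names parse_avc and summarize are hypothetical, and the context values in the complete record are constructed for illustration, not taken from the poster's system.

```python
import re

# AVC record layout: audit header, result, permission set, then key=value pairs.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The fields the reply calls the real basis for the permission denial.
DECISION_FIELDS = ("scontext", "tcontext", "tclass")

def parse_avc(record):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(" ".join(record.split()))  # undo mail line wrapping
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    types = {}
    for key in ("scontext", "tcontext"):
        if key in fields:
            parts = fields[key].split(":", 3)  # user:role:type[:mls-range]
            types[key + "_type"] = parts[2] if len(parts) > 2 else None
    return {
        "serial": int(m["serial"]),
        "perms": m["perms"].split(),
        "fields": fields,
        "missing": [f for f in DECISION_FIELDS if f not in fields],
        **types,
    }

def summarize(record):
    """Name the source type, target type, class and permission, or say what is missing."""
    avc = parse_avc(record)
    if avc is None:
        return "not an AVC record"
    if avc["missing"]:
        return "%s: incomplete, missing %s" % (
            avc["fields"].get("comm"), ", ".join(avc["missing"]))
    return "%s -> %s : %s { %s }" % (
        avc["scontext_type"], avc["tcontext_type"],
        avc["fields"]["tclass"], " ".join(avc["perms"]))

# The smartd record as posted in the thread (cut off after ino=).
TRUNCATED = ('type=AVC msg=audit(1169284673.188:58): avc:  denied  { ioctl } for  pid=4212 \n'
             'comm="smartd" name="hda" dev=tmpfs ino=879')
# Constructed: the same record with illustrative context fields appended.
COMPLETE = TRUNCATED + (" scontext=system_u:system_r:fsdaemon_t:s0"
                        " tcontext=system_u:object_r:device_t:s0 tclass=blk_file")

if __name__ == "__main__":
    for rec in (TRUNCATED, COMPLETE):
        print(summarize(rec))
```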
