Antonio Olivares wrote:
> Dear all,
>
> selinux on rawhide is cranking out many denials. These do not show up on dmesg. What is happening? I do not know enough to help myself fix them.
>
> Here's one of them
>
> Summary
> SELinux is preventing dhclient-script (dhcpc_t) "getattr" to /sbin/setfiles
> (setfiles_exec_t).
>
> Detailed Description
> SELinux denied access requested by dhclient-script. It is not expected that
> this access is required by dhclient-script and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /sbin/setfiles, restorecon -v
> /sbin/setfiles If this does not work, there is currently no automatic way to
> allow this access. Instead, you can generate a local policy module to allow
> this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context          user_u:system_r:dhcpc_t
> Target Context          system_u:object_r:setfiles_exec_t
> Target Objects          /sbin/setfiles [ file ]
> Affected RPM Packages   policycoreutils-2.0.19-1.fc8 [target]
> Policy RPM              selinux-policy-2.6.5-2.fc8
> Selinux Enabled         True
> Policy Type             targeted
> MLS Enabled             True
> Enforcing Mode          Enforcing
> Plugin Name             plugins.catchall_file
> Host Name               localhost
> Platform                Linux localhost 2.6.21-1.3194.fc7 #1 SMP Wed May
>                         23 22:35:01 EDT 2007 i686 athlon
> Alert Count             1
> First Seen              Tue 21 Aug 2007 07:41:12 AM CDT
> Last Seen               Tue 21 Aug 2007 07:41:12 AM CDT
> Local ID                73dc2e0c-fc2c-496f-8f0e-87e72cfd3ce5
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm="dhclient-script" dev=dm-0 egid=0 euid=0
> exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="setfiles"
> path="/sbin/setfiles" pid=3563 scontext=user_u:system_r:dhcpc_t:s0 sgid=0
> subj=user_u:system_r:dhcpc_t:s0 suid=0 tclass=file
> tcontext=system_u:object_r:setfiles_exec_t:s0 tty=(none) uid=0
>
>
> SELinux is preventing /usr/bin/uptime (logwatch_t) "read write" to utmp (initrc_var_run_t).
> SELinux is preventing /usr/bin/uptime (logwatch_t) "read" to utmp (initrc_var_run_t).
> SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).
> SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to sbin (bin_t).
>
> This one is a major one:
> SELinux prevented /sbin/ldconfig from using the terminal /dev/pts/0.
>
> Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1." The following command will allow this access: setsebool -P allow_daemons_use_tty=1
>
>
> There are some more, but in reality I cannot understand why they do not show up on a regular dmesg. How can I cure all these selinux denials? This is reminiscent of the installation of Fedora 7, with too many problems with selinux.
>

The audit subsystem intercepts this kind of message and places them in /var/log/audit/audit.log.

You are running a really old version of selinux policy for fc8. You should probably yum update.

> Sorry to complain, but I need some help. I hope that I am not the only one with these kinds of errors.
>
> Regards,
>
> Antonio
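
The reply above points to /var/log/audit/audit.log rather than dmesg as the place where these denials are recorded. As an added example (not part of the original thread), this Python sketch parses AVC denial records and groups them by source type, target type and object class, which is the quickest way to see how many distinct policy problems a flood of alerts really represents. The first sample line is the raw message from the post joined onto one line; the other lines are constructed, and their ids, pids, inodes and the user/role parts of the contexts are assumptions.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields

def selinux_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(lines):
    """Map (source type, target type, class) -> denied perms, commands, count."""
    groups = defaultdict(lambda: {"perms": set(), "comm": set(), "count": 0})
    for line in lines:
        avc = parse_avc(line)
        if not avc or "scontext" not in avc or "tcontext" not in avc:
            continue  # not a denial, or a truncated record
        key = (selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]),
               avc.get("tclass", "?"))
        groups[key]["perms"].update(avc["perms"])
        groups[key]["comm"].add(avc.get("comm", "?"))
        groups[key]["count"] += 1
    return {k: {"perms": sorted(v["perms"]), "comm": sorted(v["comm"]),
                "count": v["count"]} for k, v in groups.items()}

# Line 1: raw message from the post. Lines 2-4: constructed, audit.log layout.
SAMPLE = [
    'avc: denied { getattr } for comm="dhclient-script" dev=dm-0 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="setfiles" path="/sbin/setfiles" pid=3563 scontext=user_u:system_r:dhcpc_t:s0 sgid=0 subj=user_u:system_r:dhcpc_t:s0 suid=0 tclass=file tcontext=system_u:object_r:setfiles_exec_t:s0 tty=(none) uid=0',
    'type=AVC msg=audit(1187700100.101:51): avc:  denied  { read write } for  pid=4001 comm="uptime" name="utmp" dev=dm-0 ino=1234 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1187700100.105:52): avc:  denied  { read } for  pid=4001 comm="uptime" name="utmp" dev=dm-0 ino=1234 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1187700100.105:52): arch=40000003 syscall=5 success=no exit=-13',
]

if __name__ == "__main__":
    for (src, tgt, cls), info in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(info['perms'])} }} "
              f"x{info['count']} ({', '.join(info['comm'])})")
```

On a live system, pass the lines of /var/log/audit/audit.log (readable by root) to `summarize` instead of `SAMPLE`.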