Re: auditd went crazy

Chuck Anderson <cra@xxxxxxx> · Thu, 3 Jul 2008 16:42:02 -0400

On Thu, Jul 03, 2008 at 03:05:08PM -0400, Daniel J Walsh wrote:
> > type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc:  denied  { 
> > read write } for  pid=9726 comm=rndc path=socket:[13830433] dev=sockfs 
> > ino=13830433 scontext=unconfined_u:system_r:ndc_t:s0 
> > tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
> > type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc:  denied  { 
> > read write } for  pid=9726 comm=rndc path=socket:[13830431] dev=sockfs 
> > ino=13830431 scontext=unconfined_u:system_r:ndc_t:s0 
> > tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
> > type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc:  denied  { 
> > read write } for  pid=9726 comm=rndc path=socket:[13830360] dev=sockfs 
> > ino=13830360 scontext=unconfined_u:system_r:ndc_t:s0 
> > tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
> > 
> > Anyone know what happened?

> Seems like you have a mislabeld program running as initrc_t?
> 
> ps -eZ | grep initrc_t

No results currently, but I'll keep an eye on it.  I see these AVC 
mostly from "rndc" (part of the bind name server package) and also 
sometimes from "ifconfig" which is strange because I'm not running a 
DHCP client, nor NetworkManager, nor any other program that I know of 
that should be running "ifconfig".

type=AVC msg=audit(1214939740.621:142073): avc:  denied  { read write 
} for  pid=1330 comm="ifconfig" path="socket:[13885742]" dev=sockfs 
ino=13885742 scontext=unconfined_u:system_r:ifconfig_t:s0 
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1214939740.621:142073): avc:  denied  { read write 
} for  pid=1330 comm="ifconfig" path="socket:[13885749]" dev=sockfs 
ino=13885749 scontext=unconfined_u:system_r:ifconfig_t:s0 
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1214939740.621:142073): avc:  denied  { read write 
} for  pid=1330 comm="ifconfig" path="socket:[13885756]" dev=sockfs 
ino=13885756 scontext=unconfined_u:system_r:ifconfig_t:s0 
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1214939740.621:142073): arch=40000003 
syscall=11 success=yes exit=0 a0=bfe3a0e0 a1=bfe3a110 a2=bfe4ac84 
a3=bfe3a0e0 items=0 ppid=1306 pid=1330 auid=10000 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ifconfig" 
exe="/sbin/ifconfig" subj=unconfined_u:system_r:ifconfig_t:s0 
key=(null)

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list