Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dan Thurman wrote:
Again, more issues. Suggested fix?
============================
Summary:
SELinux is preventing gam_server (gamin_t) "dac_override" to <Unknown>
(gamin_t).
Detailed Description:
SELinux denied access requested by gam_server. It is not expected that this
access is required by gam_server and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:gamin_t:s0
Target Context system_u:system_r:gamin_t:s0
Target Objects None [ capability ]
Source gam_server
Source Path /usr/libexec/gam_server
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages gamin-0.1.9-5.fc9
Target RPM Packages Policy RPM
selinux-policy-3.3.1-74.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com
2.6.25.9-76.fc9.i686 #1 SMP
Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 20
First Seen Thu 10 Jul 2008 10:35:43 AM PDT
Last Seen Thu 10 Jul 2008 11:11:40 AM PDT
Local ID 5eb1bf77-5c10-4071-9892-bac42ca11adb
Line Numbers
Raw Audit Messages
host=bronze.cdkkt.com type=AVC msg=audit(1215713500.169:272): avc:
denied { dac_override } for pid=11637 comm="gam_server" capability=1
scontext=system_u:system_r:gamin_t:s0
tcontext=system_u:system_r:gamin_t:s0 tclass=capability
host=bronze.cdkkt.com type=AVC msg=audit(1215713500.169:272): avc:
denied { dac_read_search } for pid=11637 comm="gam_server"
capability=2 scontext=system_u:system_r:gamin_t:s0
tcontext=system_u:system_r:gamin_t:s0 tclass=capability
host=bronze.cdkkt.com type=SYSCALL msg=audit(1215713500.169:272):
arch=40000003 syscall=33 success=no exit=-13 a0=96ca580 a1=0 a2=4b9264
a3=10 items=0 ppid=1 pid=11637 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="gam_server" exe="/usr/libexec/gam_server"
subj=system_u:system_r:gamin_t:s0 key=(null)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is a bad domain and will be fixed in the next update. For now it
is probably best to just relabel the gamin_exec_t to bin_t and stop the
transition.
After updating today I'm seeing thousands of these, to the extent that I
had to stop the setroubleshoot service:
Source RPM Packages gamin-0.1.9-5.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-78.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
2.6.25.10-86.fc9.x86_64 #1 SMP Mon Jul 7
20:23:46
EDT 2008 x86_64 x86_64
Alert Count 2565
First Seen Mon 21 Jul 2008 12:32:35 BST
Last Seen Mon 21 Jul 2008 12:38:10 BST
Local ID 6ec7acfe-2373-4bb0-b598-ed8c37265ac9
Line Numbers
Raw Audit Messages
type=AVC msg=audit(1216640290.738:969906): avc: denied { read } for
pid=3319 comm="gam_server" path="inotify" dev=inotifyfs ino=1
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1216640290.738:969906): arch=c000003e syscall=0
success=no exit=-13 a0=3 a1=23d9210 a2=400 a3=0 items=0 ppid=1 pid=3319
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="gam_server"
exe="/usr/libexec/gam_server" subj=system_u:object_r:unlabeled_t:s0
key=(null)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
