On Thu, 2008-10-16 at 15:27 -0700, Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> After recovering from a kernel panic to check up on the filesystem, I run dmesg and I encounter some avc's
>
> [olivares@riohigh ~]$ dmesg | grep avc
> type=1400 audit(1224195506.669:4): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.669:5): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.669:6): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.669:7): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:8): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:9): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:10): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:11): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:12): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:13): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
>
>
> I have just updated to a newer kernel 2.6.27-13 and new selinux policy updates :)
>
> [olivares@riohigh ~]$ rpm -qa selinux*
> selinux-policy-3.5.12-2.fc10.noarch
> selinux-policy-targeted-3.5.12-2.fc10.noarch
> [olivares@riohigh ~]$
>
>
> What do I do?

Enable syscall auditing and find out what syscall triggered the
CAP_SYS_RESOURCE check.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
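
Added example, not part of the original message: with syscall auditing on, the kernel emits a SYSCALL record (type=1300) carrying the same audit(timestamp:serial) stamp as the AVC record (type=1400), so the two can be joined on that ID to see which syscall hit the capability check. The SYSCALL line below and its syscall=999 value are constructed placeholders, not a finding about this system; the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC lines are from the message above; the SYSCALL
# record is constructed and syscall=999 is a placeholder, not a real finding.
SAMPLE_LOG = """\
type=1400 audit(1224195506.669:4): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1300 audit(1224195506.669:4): arch=c000003e syscall=999 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1500 pid=1534 comm="dmesg" exe="/bin/dmesg" subj=system_u:system_r:dmesg_t:s0 key=(null)
type=1400 audit(1224195506.669:5): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
"""

AVC_TYPES = {"1400", "AVC"}          # numeric in dmesg, symbolic in audit.log
SYSCALL_TYPES = {"1300", "SYSCALL"}
EVENT_RE = re.compile(r'type=(\w+)\s+(?:msg=)?audit\((\d+\.\d+):(\d+)\):\s*(.*)')
PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def correlate(log_text):
    """Join each AVC denial with the SYSCALL record sharing its event ID."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events[f"{ts}:{serial}"]
        perm = PERM_RE.search(body)
        if rtype in AVC_TYPES and perm:
            ev["avc"].append((perm.group(1).split(), fields))
        elif rtype in SYSCALL_TYPES:
            ev["syscall"] = fields
    results = []
    for event_id, ev in events.items():
        sc = ev["syscall"] or {}     # empty when syscall auditing was off
        for perms, avc in ev["avc"]:
            results.append({
                "event": event_id, "perms": perms, "comm": avc.get("comm"),
                "capability": avc.get("capability"),
                "syscall": sc.get("syscall"), "arch": sc.get("arch"),
                "exe": sc.get("exe"),
            })
    return results

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

A row whose syscall is None means no SYSCALL record accompanied that denial, which is what the quoted dmesg output looks like before syscall auditing is enabled.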