On Mon, 06 Jul 2009 08:12:26 -0400 Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: > On 07/04/2009 07:41 AM, Jonathan Stott wrote: > > Hi > > > > # rpm -q selinux-policy selinux-policy-targeted > > selinux-policy-3.6.12-62.fc11.noarch > > selinux-policy-targeted-3.6.12-62.fc11.noarch > > > > (previously it was 3.6.12-53) > > > > And gitosis-serve is labelled gitosis_exec_t > > > > Even after upgrading the selinux policy versions, it still seems to > > hang in the same manner though. > > > > Regards, > > Jon > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list@xxxxxxxxxx > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Are you seeing any avc messages in /var/log/audit/audit.log? > > ps -eZ | grep gitosis > > Does this show apps running under the correct domain? > It's hard to tell whether it's running under the correct context (gitosis-serve seems to very quickly shell out to whatever git command is called and I'm not sure how to trigger ps at the correct time). However it definitely has the correct context on the executable (which is the only copy of gitosis-serve on the system), and I've relabeled the file system just to be sure. However, I still seem to get the same AVC denial: ----------------------------------------------------------------------------- Summary: SELinux is preventing bash (guest_t) "write" sshd_t. Detailed Description: SELinux denied access requested by bash. It is not expected that this access is required by bash and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context guest_u:guest_r:guest_t:s0 Target Context system_u:system_r:sshd_t:s0-s0:c0.c1023 Target Objects pipe [ fifo_file ] Source bash Source Path /bin/bash Port <Unknown> Host hzhangpg02.ph.man.ac.uk Source RPM Packages bash-4.0-6.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-62.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name hzhangpg02.ph.man.ac.uk Platform Linux hzhangpg02.ph.man.ac.uk 2.6.29.5-191.fc11.x86_64 #1 SMP Tue Jun 16 23:23:21 EDT 2009 x86_64 x86_64 Alert Count 31 First Seen Tue 30 Jun 2009 16:48:17 BST Last Seen Tue 07 Jul 2009 10:51:13 BST Local ID 1cf6580e-12c8-48fb-bbb8-c06c3e55109d Line Numbers Raw Audit Messages node=hzhangpg02.ph.man.ac.uk type=AVC msg=audit(1246960273.947:80): avc: denied { write } for pid=3472 comm="bash" path="pipe:[51971]" dev=pipefs ino=51971 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fifo_file node=hzhangpg02.ph.man.ac.uk type=AVC msg=audit(1246960273.947:80): avc: denied { write } for pid=3472 comm="bash" path="pipe:[51972]" dev=pipefs ino=51972 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fifo_file node=hzhangpg02.ph.man.ac.uk type=SYSCALL msg=audit(1246960273.947:80): arch=c000003e syscall=59 success=yes exit=0 a0=7f5e932395d0 a1=7ffff16ddc90 a2=7f5e932314c0 a3=7ffff16dd940 items=0 ppid=3471 pid=3472 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=5 comm="bash" exe="/bin/bash" subj=guest_u:guest_r:guest_t:s0 key=(null) -------------------------------------------------------------------- Piping the raw audit messages into audit2allow and installing the module doesn't seem to remove them, though. Regards, Jon -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
