On Thu, Aug 20, 2009 at 05:27:33AM -0700, Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> I have encountered some weird denials while running rawhide. But selinux troubleshooter is not allowing me to file bugs. It just hangs. While running livecd I was able to file some bugs. After installing (restoring a rawhide system using livecd), I can't do it. I will attach a set of denials by selinux.
>
> Thanks,
>
> Antonio
>
>
>
> Aug 12 02:41:26 localhost kernel: type=1400 audit(1250062886.941:25230): avc: denied { write } for pid=1590 comm="auditctl" path="/dev/null" dev=tmpfs ino=11264 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:4): avc: denied { execute } for pid=166 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1011 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:5): avc: denied { mmap_zero } for pid=166 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:6): avc: denied { execute } for pid=166 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1113 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.131:7): avc: denied { write } for pid=166 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.131:8): avc: denied { open } for pid=166 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062928.769:9): avc: denied { sys_module } for pid=459 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 12 17:11:37 localhost setroubleshoot: [avc.ERROR] Plugin Exception leaks #012Traceback (most recent call last):#012 File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 148, in analyze_avc#012 report = plugin.analyze(avc)#012 File "/usr/share/setroubleshoot/plugins/leaks.py", line 46, in analyze#012 if avc.syscall == 'execve':#012AttributeError: AVC instance has no attribute 'syscall'
> Aug 12 17:36:26 localhost kernel: type=1400 audit(1250116586.288:39547): avc: denied { write } for pid=23025 comm="auditctl" path="/dev/null" dev=tmpfs ino=161648 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 12 17:40:26 localhost kernel: type=1400 audit(1250116826.639:22972): avc: denied { write } for pid=2085 comm="auditctl" path="/dev/null" dev=tmpfs ino=14928 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:4): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:5): avc: denied { mmap_zero } for pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.130:6): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.130:7): avc: denied { write } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.131:8): avc: denied { open } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165525.340:9): avc: denied { sys_module } for pid=480 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 13 12:40:40 localhost kernel: type=1400 audit(1250185240.254:91): avc: denied { write } for pid=2860 comm="auditctl" path="/dev/null" dev=tmpfs ino=40043 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.229:4): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.230:5): avc: denied { mmap_zero } for pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.231:6): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.231:7): avc: denied { write } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.232:8): avc: denied { open } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.790:9): avc: denied { sys_module } for pid=463 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 14 17:14:31 localhost kernel: type=1400 audit(1250288071.151:120): avc: denied { write } for pid=2853 comm="auditctl" path="/dev/null" dev=tmpfs ino=83085 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 17 07:46:24 localhost kernel: type=1400 audit(1250513184.418:22958): avc: denied { write } for pid=2188 comm="auditctl" path="/dev/null" dev=tmpfs ino=19698 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.366:4): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.367:5): avc: denied { mmap_zero } for pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.367:6): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.368:7): avc: denied { write } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.368:8): avc: denied { open } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597974.538:9): avc: denied { sys_module } for pid=435 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 19 15:53:41 localhost dbus: avc: received policyload notice (seqno=2)
> Aug 19 15:53:41 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
> Aug 19 16:04:57 localhost kernel: type=1400 audit(1250715897.391:279): avc: denied { write } for pid=5261 comm="auditctl" path="/dev/null" dev=tmpfs ino=283860 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.824:20606): avc: denied { unlink } for pid=1500 comm="chkconfig" name="K88auditd" dev=dm-0 ino=9509 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.825:20607): avc: denied { create } for pid=1500 comm="chkconfig" name="S11auditd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> Aug 20 07:22:57 localhost dbus: avc: received policyload notice (seqno=2)
> Aug 20 07:22:57 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)

Join the club :)

I have a shedload of custom policy modules for rawhide.
Some of it may not be recommended to add but it does fix most issues.

Have a look here:
http://82.197.205.60/~dgrift/stuff/modules/rawhide12/

Also install the latest packages available (koji and

[root@notebook3 ~]# less /etc/yum.repos.d/koji.repo
[koji]
name=Fedora 12 - x86_64 - Just Born
baseurl=http://koji.fedoraproject.org/static-repos/dist-f12-build-current/x86_64
enabled=0

My rawhide runs surprisingly good in some regards even better than f11 ...

hth

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
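
Added example, not part of the original thread and not setroubleshoot or audit2allow code: a small triage script for a syslog dump like the one quoted above. It collapses repeated AVC denials into unique (comm, source type, target type, class, permission) tuples and marks the ones worth reading closely before any local policy module allows them. The REVIEW set is an assumption of this example, not an official list, and the sample lines are copied from the quoted log.

```python
import re
from collections import Counter

# Sample input: four denials and one non-denial line taken from the quoted log.
SAMPLE = """\
Aug 12 02:41:26 localhost kernel: type=1400 audit(1250062886.941:25230): avc: denied { write } for pid=1590 comm="auditctl" path="/dev/null" dev=tmpfs ino=11264 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:5): avc: denied { mmap_zero } for pid=166 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:5): avc: denied { mmap_zero } for pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062928.769:9): avc: denied { sys_module } for pid=459 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
Aug 19 15:53:41 localhost dbus: avc: received policyload notice (seqno=2)
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: (class, permission) pairs that should be
# reviewed by hand rather than allowed wholesale in a local module.
REVIEW = {("memprotect", "mmap_zero"), ("capability", "sys_module")}

def parse_avc(line):
    """Return one tuple per denied permission, or None for non-denial lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    src, tgt = f.get("scontext", "").split(":"), f.get("tcontext", "").split(":")
    if len(src) < 3 or len(tgt) < 3 or "tclass" not in f:
        return None
    # An SELinux context is user:role:type[:range]; the type is the third field.
    return [(f.get("comm", "?"), src[2], tgt[2], f["tclass"], p)
            for p in m.group("perms").split()]

def summarize(text):
    """Count occurrences of each unique denial across all log lines."""
    counts = Counter()
    for line in text.splitlines():
        counts.update(parse_avc(line) or [])
    return counts

def needs_review(counts):
    return sorted(k for k in counts if (k[3], k[4]) in REVIEW)

if __name__ == "__main__":
    for (comm, src, tgt, cls, perm), n in sorted(summarize(SAMPLE).items()):
        flag = "  <-- review" if (cls, perm) in REVIEW else ""
        print(f"{n}x {comm}: {src} -> {tgt}:{cls} {{ {perm} }}{flag}")
```
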