> > No, the vast majority of the 'denials' aren't actually denials. Dan
> > removed all unconfined domains and replaced them with permissive
> > domains. An unconfined domain allows everything and audits nothing. A
> > permissive domain allows everything but audits every time there is no
> > allow rule for a given request.
> >
> > This has helped to define the actual needs of many of the unconfined
> > domains. And hopefully we can remove them entirely in the future.
> > Please keep filing bugs.

Here's one for modprobe.d:

https://bugzilla.redhat.com/show_bug.cgi?id=523039
https://bugzilla.redhat.com/show_bug.cgi?id=523040

Some from dmesg to support the ones on top:

SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
type=1403 audit(1252857173.233:3): policy loaded auid=4294967295 ses=4294967295
load_policy used greatest stack depth: 5448 bytes left
dracut: Switching root
type=1305 audit(1252857175.267:6): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
udev: starting version 145
type=1400 audit(1252857180.016:7): avc: denied { read } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc: denied { open } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
end_request: I/O error, dev fd0, sector 0
sis900.c: v1.08.10 Apr. 2 2006
sis900 0000:00:04.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
0000:00:04.0: Realtek RTL8201 PHY transceiver found at address 1.
0000:00:04.0: Using transceiver found at address 1 as default
eth0: SiS 900 PCI Fast Ethernet at 0xb000, IRQ 19, 00:16:ec:7d:be:bd
parport_pc 00:09: reported by Plug and Play ACPI
parport0: PC-style at 0x378 (0x778), irq 7 [PCSPP,TRISTATE]
ppdev: user-space parallel port driver
Intel ICH 0000:00:02.7: PCI INT C -> GSI 18 (level, low) -> IRQ 18
intel8x0_measure_ac97_clock: measured 50745 usecs (2442 samples)
intel8x0: clocking to 48000
type=1400 audit(1252857184.249:9): avc: denied { read } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:10): avc: denied { open } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
device-mapper: multipath: version 1.1.0 loaded
EXT4-fs (dm-0): internal journal on dm-0:8
kjournald starting.  Commit interval 5 seconds
EXT3 FS on sda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 950264k swap on /dev/mapper/vg_n63552-lv_swap.  Priority:-1 extents:1 across:950264k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
microcode: CPU0 sig=0xf29, pf=0x4, revision=0x0
platform microcode: firmware: requesting intel-ucode/0f-02-09
type=1400 audit(1252857189.780:11): avc: denied { read } for pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857189.780:12): avc: denied { open } for pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
microcode: CPU1 sig=0xf29, pf=0x4, revision=0x0
platform microcode: firmware: requesting intel-ucode/0f-02-09
Microcode Update Driver: v2.00 <tigran@xxxxxxxxxxxxxxxxxxxx>, Peter Oruba
microcode: CPU0 updated to revision 0x2e, date = 2004-08-11
microcode: CPU1 updated to revision 0x2e, date = 2004-08-11
Microcode Update Driver: v2.00 removed.
p4-clockmod: P4/Xeon(TM) CPU On-Demand Clock Modulation available
type=1400 audit(1252857190.717:13): avc: denied { read } for pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857190.717:14): avc: denied { open } for pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
ip6_tables: (C) 2000-2006 Netfilter Core Team
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
eth0: Media Link On 100mbps full-duplex
Installing knfsd (copyright (C) 1996 okir@xxxxxxxxxxxx).
SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
eth0: no IPv6 routers present
CPU0 attaching NULL sched-domain.
CPU1 attaching NULL sched-domain.
CPU0 attaching sched-domain:
 domain 0: span 0-1 level SIBLING
  groups: 0 1
CPU1 attaching sched-domain:
 domain 0: span 0-1 level SIBLING
  groups: 1 0
canberra-gtk-pl used greatest stack depth: 5236 bytes left
fuse init (API version 7.12)
SELinux: initialized (dev fuse, type fuse), uses genfs_contexts

[root@n6355-2 ~]# uname -r
2.6.31-2.fc12.i686

Another one filed, but cut + paste failed :(

Regards,
Antonio

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
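To make the quoted point concrete on the AVC records Antonio pasted: a permissive domain logs one AVC per uncovered access per process, so the eight modprobe records above are really a single missing access (insmod_t reading and opening a modules_conf_t directory). The script below is an added example, not code from the post, from Fedora, or from the SELinux tools; it reimplements the grouping step that audit2allow performs so the collapse is visible. The sample input is constructed from four of the AVC lines in the post plus one unrelated dmesg line; the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: four AVC records copied from the dmesg paste in the
# post (two with an MCS range on scontext, two without) plus one unrelated
# kernel line, so the parser is exercised on mixed dmesg output.
SAMPLE_DMESG = """\
type=1400 audit(1252857180.016:7): avc: denied { read } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc: denied { open } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
end_request: I/O error, dev fd0, sector 0
type=1400 audit(1252857184.249:9): avc: denied { read } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:10): avc: denied { open } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx):
    """Type field of a context string; drops user, role and the MLS/MCS range
    (s0 or s0-s0:c0.c1023), which is why the with- and without-range records
    for insmod_t collapse into one rule."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record; return None for any other dmesg line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': frozenset(m.group('perms').split()),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        # Later kernels append permissive=1 to an AVC raised in a permissive
        # domain; the 2.6.31 records in the post carry no such field, so this
        # stays None and the record alone cannot tell an audit from a block.
        'permissive': fields.get('permissive'),
    }


def summarize(lines):
    """Group denials by (source type, target type, class) and union their
    permissions: the collapse step audit2allow does before emitting rules.
    Returns (number of AVC records seen, grouped dict)."""
    needed = defaultdict(set)
    records = 0
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        records += 1
        needed[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return records, dict(needed)


def allow_rules(needed):
    """Render grouped denials as policy allow rules, in audit2allow's style."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(needed.items())]


if __name__ == '__main__':
    n, needed = summarize(SAMPLE_DMESG.splitlines())
    print('%d AVC records -> %d distinct access(es)' % (n, len(needed)))
    for rule in allow_rules(needed):
        print(rule)
```

On a live system the same grouping comes from `ausearch -m avc -ts recent | audit2allow`, and `semanage permissive -l` lists which domains are currently permissive, which is the check needed to know whether a record like these was audited or actually enforced. The rendered allow rule is what a bug report should carry as evidence of the real requirement, not something to load as a local module by reflex; the poster's request is that these go to Bugzilla so the distribution policy can be fixed.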