On 09/13/2009 12:03 PM, Antonio Olivares wrote:
>>> No, the vast majority of the 'denials' aren't actually denials. Dan
>>> removed all unconfined domains and replaced them with permissive
>>> domains. An unconfined domain allows everything and audits nothing. A
>>> permissive domain allows everything but audits every time there is no
>>> allow rule for a given request.
>>>
>>> This has helped to define the actual needs of many of the unconfined
>>> domains. And hopefully we can remove them entirely in the future.
>>> Please keep filing bugs.
>>>
> Here's one for modprobe.d
>
> https://bugzilla.redhat.com/show_bug.cgi?id=523039
>
> https://bugzilla.redhat.com/show_bug.cgi?id=523040
>
> some from dmesg to support ones on top
>
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> type=1403 audit(1252857173.233:3): policy loaded auid=4294967295 ses=4294967295
> load_policy used greatest stack depth: 5448 bytes left
> dracut: Switching root
> type=1305 audit(1252857175.267:6): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
> udev: starting version 145
> type=1400 audit(1252857180.016:7): avc: denied { read } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=1400 audit(1252857180.017:8): avc: denied { open } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> end_request: I/O error, dev fd0, sector 0
> sis900.c: v1.08.10 Apr. 2 2006
> sis900 0000:00:04.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
> 0000:00:04.0: Realtek RTL8201 PHY transceiver found at address 1.
> 0000:00:04.0: Using transceiver found at address 1 as default
> eth0: SiS 900 PCI Fast Ethernet at 0xb000, IRQ 19, 00:16:ec:7d:be:bd
> parport_pc 00:09: reported by Plug and Play ACPI
> parport0: PC-style at 0x378 (0x778), irq 7 [PCSPP,TRISTATE]
> ppdev: user-space parallel port driver
> Intel ICH 0000:00:02.7: PCI INT C -> GSI 18 (level, low) -> IRQ 18
> intel8x0_measure_ac97_clock: measured 50745 usecs (2442 samples)
> intel8x0: clocking to 48000
> type=1400 audit(1252857184.249:9): avc: denied { read } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=1400 audit(1252857184.249:10): avc: denied { open } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> device-mapper: multipath: version 1.1.0 loaded
> EXT4-fs (dm-0): internal journal on dm-0:8
> kjournald starting. Commit interval 5 seconds
> EXT3 FS on sda1, internal journal
> EXT3-fs: mounted filesystem with ordered data mode.
> SELinux: initialized (dev sda1, type ext3), uses xattr
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> Adding 950264k swap on /dev/mapper/vg_n63552-lv_swap. Priority:-1 extents:1 across:950264k
> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
> microcode: CPU0 sig=0xf29, pf=0x4, revision=0x0
> platform microcode: firmware: requesting intel-ucode/0f-02-09
> type=1400 audit(1252857189.780:11): avc: denied { read } for pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=1400 audit(1252857189.780:12): avc: denied { open } for pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> microcode: CPU1 sig=0xf29, pf=0x4, revision=0x0
> platform microcode: firmware: requesting intel-ucode/0f-02-09
> Microcode Update Driver: v2.00 <tigran@xxxxxxxxxxxxxxxxxxxx>, Peter Oruba
> microcode: CPU0 updated to revision 0x2e, date = 2004-08-11
> microcode: CPU1 updated to revision 0x2e, date = 2004-08-11
> Microcode Update Driver: v2.00 removed.
> p4-clockmod: P4/Xeon(TM) CPU On-Demand Clock Modulation available
> type=1400 audit(1252857190.717:13): avc: denied { read } for pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=1400 audit(1252857190.717:14): avc: denied { open } for pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> NET: Registered protocol family 10
> lo: Disabled Privacy Extensions
> ip6_tables: (C) 2000-2006 Netfilter Core Team
> RPC: Registered udp transport module.
> RPC: Registered tcp transport module.
> SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
> eth0: Media Link On 100mbps full-duplex
> Installing knfsd (copyright (C) 1996 okir@xxxxxxxxxxxx).
> SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
> eth0: no IPv6 routers present
> CPU0 attaching NULL sched-domain.
> CPU1 attaching NULL sched-domain.
> CPU0 attaching sched-domain:
> domain 0: span 0-1 level SIBLING
> groups: 0 1
> CPU1 attaching sched-domain:
> domain 0: span 0-1 level SIBLING
> groups: 1 0
> canberra-gtk-pl used greatest stack depth: 5236 bytes left
> fuse init (API version 7.12)
> SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
> [root@n6355-2 ~]# uname -r
> 2.6.31-2.fc12.i686
>
> Another one filed, but cut + paste failed :(
>
> Regards,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

Just imagine if you are on the receiving end of all these bugs. Wine is a huge culprit and is being turned back into unconfined_domain. abrt was also causing lots of these denials. Most of which are fixed in the latest policy builds. The bugs I received this weekend including the modules_conf_t are legitimate.
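As an added example (not from this thread or from any list member), the following Python script does the triage step a policy maintainer performs on a dmesg dump like the one quoted above: it parses the `type=1400` AVC denial lines, groups them by source type, target type and object class, and renders the allow rule each group implies. The sample input is three of the thread's own modprobe denials plus one non-AVC kernel line; the grouping is a simplified stand-in for what audit2allow does, not its code.

```python
import re
from collections import defaultdict

# Sample input: three of the modprobe AVC denials quoted in this thread plus one
# non-AVC dmesg line, embedded here so the script runs offline.
SAMPLE_DMESG = """\
type=1400 audit(1252857180.016:7): avc: denied { read } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc: denied { open } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:9): avc: denied { read } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
end_request: I/O error, dev fd0, sector 0
"""

# Matches the permission set and the key=value tail of an AVC denial line.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def context_type(context):
    """Type is the third field of user:role:type[:range]; MLS ranges are ignored."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # ordinary kernel message, not a denial
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return groups

def allow_rules(groups):
    """Render each group as the allow rule audit2allow would propose (simplified)."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(groups.items())]

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_DMESG)):
        print(rule)
```

The rendered rule is the starting point for deciding whether an access is legitimate (as the reply above concludes for modules_conf_t) or a bug in the confined program, not something to load into the policy unread.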