On Tuesday, 29.12.2009, 12:16 +0100, Dominick Grift wrote:
> On Tue, Dec 29, 2009 at 10:17:36AM +0100, Klaus Lichtenwalder wrote:
> > Hi,
> >
> > just tried receiving a fax with mgetty (and notifying me via email with
> > the attached fax)
> > Watching all denials flowing by (permissive mode,
> > selinux-policy-targeted-3.6.32-59.fc12.noarch) I'm wondering whether
> > someone already started preparing a policy or whether I should try to
> > start it on myself? Anyone knows? Google does not find much of value
>
> Can you show us the AVC denials?

Sure, no problem. One thing, as a first step I put new_fax into bin_t, as
this was a suggestion from sealert output. I do think this probably does
not belong to the getty policy, as mgetty, receiving a fax, does far more
than standard getty, imho.

Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1

----
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.657:57496): arch=c000003e syscall=59 success=yes exit=0 a0=3273d3ace3 a1=7fffef415d60 a2=7fffef418a30 a3=7f0863d089d0 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.657:57496): avc: denied { execute_no_trans } for pid=1283 comm="mgetty" path="/bin/bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1262016758.657:57496): avc: denied { read open } for pid=1283 comm="mgetty" name="bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1262016758.657:57496): avc: denied { execute } for pid=1283 comm="mgetty" name="bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.659:57497): arch=c000003e syscall=2 success=yes exit=3 a0=3273d3c1f2 a1=0 a2=1b6 a3=2 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.659:57497): avc: denied { open } for pid=1283 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1262016758.659:57497): avc: denied { read } for pid=1283 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.661:57498): arch=c000003e syscall=5 success=yes exit=128 a0=3 a1=7fff05edb290 a2=7fff05edb290 a3=2 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.661:57498): avc: denied { getattr } for pid=1283 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.662:57499): arch=c000003e syscall=4 success=yes exit=128 a0=1090ab0 a1=7fff05edd2e0 a2=7fff05edd2e0 a3=8 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.662:57499): avc: denied { getattr } for pid=1283 comm="sh" path="/bin/bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.664:57500): arch=c000003e syscall=59 success=yes exit=0 a0=1093a10 a1=1093b30 a2=1092b20 a3=18 items=0 ppid=1283 pid=1286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1262016758.664:57500): avc: denied { read write } for pid=1286 comm="sendmail" name="ttyS0" dev=tmpfs ino=2217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
----
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.806:57501): arch=c000003e syscall=2 success=yes exit=0 a0=3273d3c1f2 a1=0 a2=1b6 a3=2 items=0 ppid=1288 pid=1289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.806:57501): avc: denied { open } for pid=1289 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1262016758.806:57501): avc: denied { read } for pid=1289 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.807:57502): arch=c000003e syscall=5 success=yes exit=128 a0=0 a1=7fff44b52830 a2=7fff44b52830 a3=2 items=0 ppid=1288 pid=1289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.807:57502): avc: denied { getattr } for pid=1289 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.809:57503): arch=c000003e syscall=59 success=yes exit=0 a0=eb55b0 a1=eb5480 a2=eb3e50 a3=30 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.809:57503): avc: denied { execute_no_trans } for pid=1291 comm="sh" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1262016758.809:57503): avc: denied { read open } for pid=1291 comm="sh" name="new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1262016758.809:57503): avc: denied { execute } for pid=1291 comm="sh" name="new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.817:57504): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffcdc622a0 a3=2 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.817:57504): avc: denied { ioctl } for pid=1291 comm="new_fax" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.817:57505): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7fffcdc62370 a2=7fffcdc62370 a3=0 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.817:57505): avc: denied { getattr } for pid=1291 comm="new_fax" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
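
Added example, not part of the original message and not code from any SELinux tool: a Python script that folds AVC denials like the ones posted above into one allow-rule-shaped line per (source type, target type, class), so it is easier to see what each domain is asking for. The sample lines are copied from the log in this message; the function names are illustrative.

```python
import re
from collections import defaultdict

# AVC records copied from the audit log in the message above.
SAMPLE = """\
type=AVC msg=audit(1262016758.657:57496): avc: denied { execute_no_trans } for pid=1283 comm="mgetty" path="/bin/bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1262016758.657:57496): avc: denied { read open } for pid=1283 comm="mgetty" name="bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1262016758.657:57496): avc: denied { execute } for pid=1283 comm="mgetty" name="bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1262016758.659:57497): avc: denied { open } for pid=1283 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1262016758.664:57500): avc: denied { read write } for pid=1286 comm="sendmail" name="ttyS0" dev=tmpfs ino=2217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1262016758.817:57504): avc: denied { ioctl } for pid=1291 comm="new_fax" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

# One AVC denial per line: permissions in braces, then contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Merge denials into {(source_type, target_type, class): {permissions}}."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def as_allow_rules(rules):
    """Render the merged denials as sorted, allow-rule-shaped lines for review."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE))))
```

The output lists what was denied in permissive mode, not what should be granted; each line still has to be judged against which domain the access belongs in.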