I am not sure I understand how to interpret AVC errors and to determine if these AVC complaints need to be handled or not. Any advice would be appreciated!

I have these in order of most current dates:

====================================

Summary:

SELinux is preventing /usr/bin/perl "execute" access on /usr/bin/python2.6.

Detailed Description:

SELinux denied access requested by spamassassin. It is not expected that this access is required by spamassassin and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:spamc_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/python2.6 [ file ]
Source                        spamassassin
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           perl-5.10.0-87.fc12
Target RPM Packages           python-2.6.2-2.fc12
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count                   5
First Seen                    Mon 22 Feb 2010 04:02:46 PM PST
Last Seen                     Tue 23 Feb 2010 08:02:17 AM PST
Local ID                      080fd1f0-f784-4cd6-b2e3-7ec050a47323
Line Numbers

Raw Audit Messages

node=gold.cdkkt.com type=AVC msg=audit(1266940937.111:59356): avc: denied { execute } for pid=24253 comm="spamassassin" name="python2.6" dev=sdb10 ino=97611 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=gold.cdkkt.com type=SYSCALL msg=audit(1266940937.111:59356): arch=40000003 syscall=11 success=no exit=-13 a0=92c1664 a1=929d99c a2=bf974eb4 a3=929d99c items=0 ppid=24246 pid=24253 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="spamassassin" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamc_t:s0 key=(null)

==================================

NOTE: The following is one of many AVC complaints from which it peers into mounted filesystems of different OSes (F9, F11, Ubuntu, and so on).

How do you prevent SELinux from peering into certain mounted filesystems it has no business to be doing?

==================================

Summary:

SELinux is preventing /usr/bin/updatedb "getattr" access to /md/RF11D1/etc/poker-network.

Detailed Description:

SELinux denied access requested by updatedb. /md/RF11D1/etc/poker-network may be a mislabeled. /md/RF11D1/etc/poker-network default SELinux type is default_t, but its current type is unlabeled_t. Changing this file back to the default type, may fix your problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent directory by default.
  * The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or restorecon.

This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the restorecon command. restorecon '/md/RF11D1/etc/poker-network', if this file is a directory, you can recursively restore using restorecon -R '/md/RF11D1/etc/poker-network'.

Fix Command:

/sbin/restorecon '/md/RF11D1/etc/poker-network'

Additional Information:

Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /md/RF11D1/etc/poker-network [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           mlocate-0.22.2-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restorecon
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Tue 23 Feb 2010 03:40:27 AM PST
Last Seen                     Tue 23 Feb 2010 03:40:27 AM PST
Local ID                      c9411c07-575a-466d-903f-054169906d38
Line Numbers

Raw Audit Messages

node=gold.cdkkt.com type=AVC msg=audit(1266925227.491:58792): avc: denied { getattr } for pid=17154 comm="updatedb" path="/md/RF11D1/etc/poker-network" dev=sda10 ino=413 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

node=gold.cdkkt.com type=SYSCALL msg=audit(1266925227.491:58792): arch=40000003 syscall=196 success=no exit=-13 a0=807709d a1=bf917c00 a2=42cff4 a3=807709d items=0 ppid=17148 pid=17154 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1278 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

==================================

Summary:

SELinux is preventing /usr/sbin/sendmail.sendmail "read" access on /var/log/messages.

Detailed Description:

[sendmail has a permissive type (system_mail_t). This access was not denied.]

SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/messages [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           sendmail-8.14.3-8.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Tue 23 Feb 2010 03:37:58 AM PST
Last Seen                     Tue 23 Feb 2010 03:37:58 AM PST
Local ID                      c6d1d2d8-7cdd-451a-9647-4a61fbc848c5
Line Numbers

Raw Audit Messages

node=gold.cdkkt.com type=AVC msg=audit(1266925078.757:58778): avc: denied { read } for pid=16966 comm="sendmail" path="/var/log/messages" dev=sdb10 ino=54039 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=gold.cdkkt.com type=AVC msg=audit(1266925078.757:58778): avc: denied { read } for pid=16966 comm="sendmail" path="/var/log/secure" dev=sdb10 ino=54090 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=gold.cdkkt.com type=AVC msg=audit(1266925078.757:58778): avc: denied { read } for pid=16966 comm="sendmail" path="/var/log/maillog" dev=sdb10 ino=54091 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=gold.cdkkt.com type=SYSCALL msg=audit(1266925078.757:58778): arch=40000003 syscall=11 success=yes exit=0 a0=97d58a0 a1=97d5928 a2=97d4eb0 a3=97d5928 items=0 ppid=16912 pid=16966 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=486 sgid=486 fsgid=486 tty=(none) ses=1278 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
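
Added example, not part of the original post: a small Python parser that groups the raw AVC and SYSCALL records quoted above by audit serial number and collapses them into distinct access vectors (source type, target type, object class, permission), which is the unit to triage rather than each alert. The function names parse_events and access_vectors are hypothetical, and the sample records are copied from the post and trimmed to the fields used.

```python
import re
from collections import defaultdict

# Records copied from the post above, trimmed to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1266940937.111:59356): avc: denied { execute } for pid=24253 comm="spamassassin" name="python2.6" scontext=unconfined_u:system_r:spamc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1266940937.111:59356): arch=40000003 syscall=11 success=no exit=-13 comm="spamassassin" exe="/usr/bin/perl"
type=AVC msg=audit(1266925078.757:58778): avc: denied { read } for pid=16966 comm="sendmail" path="/var/log/messages" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1266925078.757:58778): avc: denied { read } for pid=16966 comm="sendmail" path="/var/log/secure" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1266925078.757:58778): arch=40000003 syscall=11 success=yes exit=0 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group AVC and SYSCALL records that share one audit serial number."""
    events = defaultdict(lambda: {"avc": [], "syscall": {}})
    for line in text.splitlines():
        head = HEADER.search(line)
        if not head:
            continue  # not an audit record
        rtype, serial = head.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        perms = PERMS.search(line)
        if rtype == "AVC" and perms:
            fields["perms"] = perms.group(1).split()
            events[serial]["avc"].append(fields)
        elif rtype == "SYSCALL":
            events[serial]["syscall"] = fields
    return dict(events)

def access_vectors(events):
    """Collapse denials into distinct (source type, target type, class, perm)."""
    vectors = defaultdict(lambda: {"objects": set(), "syscall_success": set()})
    for event in events.values():
        for avc in event["avc"]:
            src = avc["scontext"].split(":")[2]  # context is user:role:type:level
            tgt = avc["tcontext"].split(":")[2]
            for perm in avc["perms"]:
                entry = vectors[(src, tgt, avc["tclass"], perm)]
                entry["objects"].add(avc.get("path") or avc.get("name", "?"))
                entry["syscall_success"].add(event["syscall"].get("success"))
    return dict(vectors)

if __name__ == "__main__":
    for vector, seen in access_vectors(parse_events(SAMPLE)).items():
        print(vector, sorted(seen["objects"]), seen["syscall_success"])
```

In the sendmail event the system call succeeded although AVC records were logged, consistent with the report's statement that system_mail_t is a permissive type and the access was not denied.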