Sebastian Pfaff wrote:
> Hey Temlakos,
>
>> Where do I find the logs to tell me what permissions a certain new
>> application will need to operate?
>
> You find these messages in /var/log/audit/audit.log. Open this file
> with a pager of your choice (e.g. less or more). Then look for
> messages with type AVC. As an alternative you can use ausearch to find
> SELinux AVC (Access Vector Cache) denials/messages.
>
> this command:
>
> ausearch -m avc -ts today # shows you all auditd messages of type AVC
> which are generated today. Consult the manpage of ausearch for details.
>
> How to read AVC denials is described here:
>
> http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/
>
> (Read topic "7.3. Fixing Problems")
>
>> I'm using Fedora 12 on an HP Pavilion machine with a dual-core
>> processor. Several times I have tried to install an application called
>> TweetDeck. And each time I do, I am told that TweetDeck is having
>> trouble accessing some secure passwords that are stored on the machine.
>
> Redo your workflow and paste your AVC denials to this list.
>
>> I am convinced that SELinux is doing it.
>
> Probably yes.
>
>> But I don't know how to get
>> SELinux to play nice, because I can't see where the problem is.
>
> You can use audit2allow to get SELinux to play nice. But be careful
> when using this command. audit2allow simply generates SELinux rules
> (aka Access Vector Rules) based on /var/log/audit/audit.log. It is
> not uncommon that audit2allow allows more than you want. But for a
> beginner this tool is a good choice.
>
> --
> Sebastian Pfaff

Well, before I use audit2allow, I'll first want to know how to turn that off.
Anyway, here's the output, after I un-hid the alerts:

-------------------------------------------
[root@temlakosbeta temlakos]# semodule -DB
[root@temlakosbeta temlakos]# ausearch -m avc -ts today
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.038:22518): arch=40000003 syscall=5 success=no exit=-13 a0=1387d20 a1=98800 a2=c93ff4 a3=1387d20 items=0 ppid=1 pid=1545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.038:22518): avc: denied { search } for pid=1545 comm="dbus-daemon" name="root" dev=dm-0 ino=106497 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.050:22520): arch=40000003 syscall=11 success=yes exit=0 a0=12c2778 a1=746ae28 a2=0 a3=0 items=0 ppid=5873 pid=5879 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.050:22520): avc: denied { noatsecure } for pid=5879 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc: denied { siginh } for pid=5879 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc: denied { rlimitinh } for pid=5879 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.052:22521): arch=40000003 syscall=11 success=yes exit=0 a0=9f05c30 a1=9f055a8 a2=9f05008 a3=9f081e8 items=0 ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.052:22521): avc: denied { noatsecure } for pid=5878 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.052:22521): avc: denied { siginh } for pid=5878 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.052:22521): avc: denied { rlimitinh } for pid=5878 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.227:22522): arch=40000003 syscall=33 success=no exit=-13 a0=9868e90 a1=2 a2=60f900 a3=9809c00 items=0 ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.227:22522): avc: denied { write } for pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.229:22523): arch=40000003 syscall=33 success=no exit=-13 a0=9898478 a1=2 a2=60f900 a3=9854390 items=0 ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.229:22523): avc: denied { write } for pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
[root@temlakosbeta temlakos]#
------------------------------------------

The workflow is this: using Adobe AIR Installer to install the TweetDeck application. I only just performed this test, and that's what I got from a single workflow.

Temlakos

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
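Sebastian's warning that audit2allow "allows more than you want" is easier to act on if you can see, before loading anything, which allow rules a set of AVC lines would turn into. The script below is an added example, not code from either poster or from the audit tools: it parses AVC records of the form shown in the ausearch output above (four of them are copied in as sample input) and merges them per (source type, target type, class) the way audit2allow groups them, so each candidate rule can be judged on its own. The regular expression and function names are my own.

```python
import re
from collections import defaultdict

# Sample input: four AVC records copied from the ausearch output in this thread.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1267724351.038:22518): avc: denied { search } for pid=1545 comm="dbus-daemon" name="root" dev=dm-0 ino=106497 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'type=AVC msg=audit(1267724351.050:22520): avc: denied { noatsecure } for pid=5879 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1267724351.050:22520): avc: denied { siginh } for pid=5879 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1267724351.227:22522): avc: denied { write } for pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir',
]

# Matches the fixed part of an AVC record: action, permission set, and the
# three labels that decide which rule would be needed.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # comm= and name= are not always present (process-class denials lack name=).
    for key in ("comm", "name"):
        km = re.search(r'\b%s="([^"]*)"' % key, line)
        rec[key] = km.group(1) if km else None
    return rec

def type_of(context):
    """A context label is user:role:type:range; the type is what rules refer to."""
    return context.split(":")[2]

def candidate_rules(lines):
    """Merge denials into one 'allow' per (source type, target type, class),
    which is the granularity audit2allow would emit. Review each before use."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["action"] == "denied":
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            grouped[key] |= rec["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_AVC_LINES):
        print(rule)
```

Feeding it the whole `ausearch -m avc -ts today` output shows at a glance that none of the rules above involve the application being installed, which is the check to make before reaching for audit2allow.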