dac_override and dac_read_search ... again!

Having upgraded selinux-policy(-targeted) from 3.7.19-37 to 3.7.19-39 I 
started getting heaps of the two avc types from a variety of 
programs/processes. Logs follow below.

I have not done anything unusual apart from upgrading and patching 3 
policy module files (though I am getting exactly the same avcs if using 
the pre-built policies packages!).

The OS image is built in exactly the same way (with a kickstart file and 
using the livecd tools) as it was with the 3.7.19-37 version (and it worked 
there without any problems). I first thought that it might be a labelling 
problem, but as is evident from the file label listings below, that 
appears not to be the case.

When I try and boot from that image, the first sign of trouble comes 
when the auditd service does not start, hence why I do not have an 
audit.log listing to include. The only way I could activate auditd is to 
force selinux into permissive mode (echo 0 > /selinux/enforce) and then 
execute "service auditd start".

What could be the cause for this? I can't see the file permissions being 
too restrictive either (which was the root cause of my previous dac_* 
problems). Any ideas as to how to solve this sorry mess are welcome!

====================/var/log/messages
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280664734.151:4): avc:  
denied  { dac_override } for  pid=378 comm="hostname" capability=1  
scontext=system_u:system_r:hostname_t:s0 
tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280664734.152:5): avc:  
denied  { dac_read_search } for  pid=378 comm="hostname" capability=2  
scontext=system_u:system_r:hostname_t:s0 
tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:8): avc:  
denied  { dac_override } for  pid=386 comm="dmesg" capability=1  
scontext=system_u:system_r:dmesg_t:s0 
tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:9): avc:  
denied  { dac_read_search } for  pid=386 comm="dmesg" capability=2  
scontext=system_u:system_r:dmesg_t:s0 
tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661191.023:12): avc:  
denied  { dac_override } for  pid=689 comm="ip" capability=1  
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661191.027:13): avc:  
denied  { dac_read_search } for  pid=689 comm="ip" capability=2  
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661193.668:16): avc:  
denied  { dac_override } for  pid=714 comm="ifconfig" capability=1  
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661193.671:17): avc:  
denied  { dac_read_search } for  pid=714 comm="ifconfig" capability=2  
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661197.508:20): avc:  
denied  { dac_override } for  pid=729 comm="hostname" capability=1  
scontext=system_u:system_r:hostname_t:s0 
tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661197.510:21): avc:  
denied  { dac_read_search } for  pid=729 comm="hostname" capability=2  
scontext=system_u:system_r:hostname_t:s0 
tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:54): avc:  
denied  { dac_override } for  pid=922 comm="arping" capability=1  
scontext=system_u:system_r:netutils_t:s0 
tcontext=system_u:system_r:netutils_t:s0 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:55): avc:  
denied  { dac_read_search } for  pid=922 comm="arping" capability=2  
scontext=system_u:system_r:netutils_t:s0 
tcontext=system_u:system_r:netutils_t:s0 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661235.258:116): avc:  
denied  { dac_override } for  pid=973 comm="auditd" capability=1  
scontext=system_u:system_r:auditd_t:s0 
tcontext=system_u:system_r:auditd_t:s0 tclass=capability
Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661235.260:117): avc:  
denied  { dac_read_search } for  pid=973 comm="auditd" capability=2  
scontext=system_u:system_r:auditd_t:s0 
tcontext=system_u:system_r:auditd_t:s0 tclass=capability
Aug  1 12:14:49 test1 kernel: type=1400 audit(1280661289.020:124): avc:  
denied  { dac_override } for  pid=1300 comm="ip" capability=1  
scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug  1 12:14:49 test1 kernel: type=1400 audit(1280661289.025:125): avc:  
denied  { dac_read_search } for  pid=1300 comm="ip" capability=2  
scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug  1 12:15:40 test1 kernel: type=1400 audit(1280661340.105:130): avc:  
denied  { dac_override } for  pid=1350 comm="ip" capability=1  
scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug  1 12:15:40 test1 kernel: type=1400 audit(1280661340.108:131): avc:  
denied  { dac_read_search } for  pid=1350 comm="ip" capability=2  
scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug  1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:138): avc:  
denied  { dac_override } for  pid=1364 comm="ip" capability=1  
scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug  1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:139): avc:  
denied  { dac_read_search } for  pid=1364 comm="ip" capability=2  
scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug  1 12:15:45 test1 kernel: type=1400 audit(1280661345.145:350): avc:  
denied  { dac_override } for  pid=1418 comm="tc" capability=1  
scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug  1 12:15:45 test1 kernel: type=1400 audit(1280661345.146:351): avc:  
denied  { dac_read_search } for  pid=1418 comm="tc" capability=2  
scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug  1 12:16:09 test1 kernel: type=1400 audit(1280661369.758:1176): 
avc:  denied  { dac_override } for  pid=1615 comm="smartd" capability=1  
scontext=system_u:system_r:fsdaemon_t:s0 
tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
Aug  1 12:16:09 test1 kernel: type=1400 audit(1280661369.759:1177): 
avc:  denied  { dac_read_search } for  pid=1615 comm="smartd" 
capability=2  scontext=system_u:system_r:fsdaemon_t:s0 
tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
====================

====================service start auditd
Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.362:1226): 
avc:  denied  { dac_override } for  pid=1583 comm="auditd" capability=1  
scontext=unconfined_u:system_r:auditd_t:s0 
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.364:1227): 
avc:  denied  { dac_read_search } for  pid=1583 comm="auditd" 
capability=2  scontext=unconfined_u:system_r:auditd_t:s0 
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.370:1228): 
avc:  denied  { dac_override } for  pid=1583 comm="auditd" capability=1  
scontext=unconfined_u:system_r:auditd_t:s0 
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.371:1229): 
avc:  denied  { dac_read_search } for  pid=1583 comm="auditd" 
capability=2  scontext=unconfined_u:system_r:auditd_t:s0 
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1230): 
avc:  denied  { dac_override } for  pid=1583 comm="auditd" capability=1  
scontext=unconfined_u:system_r:auditd_t:s0 
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1231): 
avc:  denied  { dac_read_search } for  pid=1583 comm="auditd" 
capability=2  scontext=unconfined_u:system_r:auditd_t:s0 
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1232): 
avc:  denied  { dac_override } for  pid=1583 comm="auditd" capability=1  
scontext=unconfined_u:system_r:auditd_t:s0 
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1233): 
avc:  denied  { dac_read_search } for  pid=1583 comm="auditd" 
capability=2  scontext=unconfined_u:system_r:auditd_t:s0 
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug  1 13:14:05 test1 auditd: Error opening config file (Permission denied)
Aug  1 13:14:05 test1 auditd: The audit daemon is exiting.
====================

====================echo 0 > /selinux/enforce && service auditd start && 
service smartd start
type=AVC msg=audit(1280608935.230:327): avc:  denied  { dac_override } 
for  pid=1368 comm="smartd" capability=1  
scontext=unconfined_u:system_r:fsdaemon_t:s0 
tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1280608935.230:327): avc:  denied  { dac_read_search 
} for  pid=1368 comm="smartd" capability=2  
scontext=unconfined_u:system_r:fsdaemon_t:s0 
tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1280608935.230:327): arch=40000003 syscall=33 
success=no exit=-13 a0=21a814 a1=4 a2=21ffc4 a3=2208f8 items=0 ppid=1367 
pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd" 
subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1280608935.245:328): avc:  denied  { dac_override } 
for  pid=1368 comm="smartd" capability=1  
scontext=unconfined_u:system_r:fsdaemon_t:s0 
tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1280608935.245:328): avc:  denied  { dac_read_search 
} for  pid=1368 comm="smartd" capability=2  
scontext=unconfined_u:system_r:fsdaemon_t:s0 
tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1280608935.245:328): arch=40000003 syscall=5 
success=no exit=-13 a0=21a9fe a1=0 a2=0 a3=220880 items=0 ppid=1367 
pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd" 
subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
====================

====================ls -lasZ /etc | grep audit
drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 audit
-rw-r-----. root root system_u:object_r:etc_t:s0       libaudit.conf
====================

====================ls -lasZ /etc/audit
drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 .
drw-r--r--. root root system_u:object_r:etc_t:s0       ..
-rw-r-----. root root system_u:object_r:auditd_etc_t:s0 auditd.conf
-rw-r-----. root root system_u:object_r:auditd_etc_t:s0 audit.rules
====================

====================ls -lasZ /etc/init.d/auditd
-rwxr-xr-x. root root system_u:object_r:auditd_initrc_exec_t:s0 
/etc/init.d/auditd
====================

====================ls -lasZ /sbin/auditd
-rwxr-x---. root root system_u:object_r:auditd_exec_t:s0 /sbin/auditd
====================

====================ls -lasZ /var/log | grep audit
drwxr-xr-x. root     root     system_u:object_r:auditd_log_t:s0 audit
====================

====================ls -lasZ /var/log/audit
drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_log_t:s0   ..
-rw-------. root root system_u:object_r:auditd_log_t:s0 audit.log
====================

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
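As an added example (not part of the original post or of any SELinux tooling), a small Python triage script that parses capability AVC records like the ones quoted above, counts them per source domain, command and denied permission, and checks whether the plain mode bits of an `ls -Z` entry would already have granted the access, which is the point the post makes about the permissions not being too restrictive. The sample records are copied from the post and rejoined onto single lines; the capability-number mapping (1 = CAP_DAC_OVERRIDE, 2 = CAP_DAC_READ_SEARCH) is the standard Linux one.

```python
import re
from collections import Counter

# Capability numbers as they appear in the post's AVC records
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}

# Matches both the syslog form (type=1400 ...) and the audit.log form (type=AVC ...)
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]+)"\s+capability=(?P<cap>\d+)\s+'
    r'scontext=(?P<scontext>\S+)\s+tcontext=\S+\s+tclass=capability'
)

# Constructed sample: four records from the post (rejoined onto one line each)
# plus two non-AVC lines that the parser must skip.
SAMPLE = [
    'Aug  1 12:13:57 test1 kernel: type=1400 audit(1280664734.151:4): avc:  denied  { dac_override } for  pid=378 comm="hostname" capability=1  scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability',
    'Aug  1 12:13:57 test1 kernel: type=1400 audit(1280664734.152:5): avc:  denied  { dac_read_search } for  pid=378 comm="hostname" capability=2  scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability',
    'Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.362:1226): avc:  denied  { dac_override } for  pid=1583 comm="auditd" capability=1  scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability',
    'type=AVC msg=audit(1280608935.230:327): avc:  denied  { dac_read_search } for  pid=1368 comm="smartd" capability=2  scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability',
    'Aug  1 13:14:05 test1 auditd: Error opening config file (Permission denied)',
    'type=SYSCALL msg=audit(1280608935.245:328): arch=40000003 syscall=5 success=no exit=-13 uid=0 euid=0 comm="smartd" exe="/usr/sbin/smartd"',
]

def parse_avc(line):
    """Return a dict for a capability AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["cap"] = int(rec["pid"]), int(rec["cap"])
    rec["domain"] = rec["scontext"].split(":")[2]        # e.g. auditd_t
    rec["cap_name"] = CAP_NAMES.get(rec["cap"], "cap_%d" % rec["cap"])
    return rec

def summarize(lines):
    """Count denials per (source domain, comm, denied permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        counts[(rec["domain"], rec["comm"], rec["perm"])] += 1
    return counts

def dac_allows(ls_mode, owner, group, user, user_groups, want):
    """Evaluate only the mode bits of an `ls -l` entry such as '-rw-r-----.'
    for a user wanting 'r', 'w' or 'x'. True means DAC alone grants the
    access, so the mode check itself would not need a CAP_DAC_* capability."""
    bits = ls_mode[1:10]
    if user == owner:
        triad = bits[0:3]
    elif group in user_groups:
        triad = bits[3:6]
    else:
        triad = bits[6:9]
    return want in triad
```

Running `summarize(SAMPLE)` groups the denials by domain and command, and `dac_allows("-rw-r-----.", "root", "root", "root", ["root"], "r")` confirms that root reading auditd.conf passes the mode bits on their own.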

