On 08/23/2010 10:09 AM, Arthur Dent wrote:
> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>
>> snip...
>>
>>> My first guess is that you have mislabeled files. Try to relabel your
>>> file system and then try again from scratch, then if you get any AVC
>>> denials please send them here.
>>
>> OK - Fair point. In fact, now you come to mention it, I have done a lot
>> of copying from my F11 setup and a lot of other configuration and
>> haven't done a relabel since about half way through my implementation.
>>
>> Yesterday I updated with yum and it delivered:
>> selinux-policy-3.7.19-47.fc13.noarch
>> selinux-policy-targeted-3.7.19-47.fc13.noarch
>>
>> So now might be a good time for a relabel...
>>
>> I will report back (probably tomorrow).
>
> Well this is interesting...
>
> Since unloading my custom clamd module and relabelling I have had NO
> avcs! - Not one.
>
> Clamd is still being blocked however, so I have now activated the
> semodule -DB thing...
>
> No AVCs have been produced (in the sense that no setroubleshoot emails
> have been produced), but here is the output of
> ausearch -m avc -ts recent :
>
> time->Mon Aug 23 08:57:02 2010
> type=SYSCALL msg=audit(1282550222.014:42728): arch=40000003 syscall=11 success=yes exit=0 a0=9297fe0 a1=9297c90 a2=9297008 a3=929a1e8 items=0 ppid=23900 pid=23901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1282550222.014:42728): avc: denied { noatsecure } for pid=23901 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1282550222.014:42728): avc: denied { siginh } for pid=23901 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1282550222.014:42728): avc: denied { rlimitinh } for pid=23901 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> ----
> time->Mon Aug 23 08:57:02 2010
> type=SYSCALL msg=audit(1282550222.302:42730): arch=40000003 syscall=33 success=no exit=-13 a0=87ffc90 a1=2 a2=6fb4f8 a3=86b4088 items=0 ppid=23900 pid=23901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1282550222.302:42730): avc: denied { write } for pid=23901 comm="setroubleshootd" name="rpm" dev=sda6 ino=203 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
> ----
> time->Mon Aug 23 08:57:02 2010
> type=SYSCALL msg=audit(1282550222.304:42731): arch=40000003 syscall=33 success=no exit=-13 a0=87ffc90 a1=2 a2=6fb4f8 a3=87f9398 items=0 ppid=23900 pid=23901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1282550222.304:42731): avc: denied { write } for pid=23901 comm="setroubleshootd" name="rpm" dev=sda6 ino=203 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.040:42733): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe490a0 a2=3 a3=0 items=0 ppid=23912 pid=23916 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282550227.040:42733): avc: denied { search } for pid=23916 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir

This is still an issue: some process running in the procmail_t domain is
running /usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its
context), but it is not domain transitioning to the clamscan_t domain.

Policy defines that if a process running in the procmail_t domain runs a
file labelled clamscan_exec_t, that procmail_t will domain transition to
clamscan_t domain.

This did not happen on your config. Either your clamdscan executable file
is mislabelled or you are missing a domain transition rule.

Where is your "clamdscan" executable file located, and what is it labelled?

What does the following return:

sesearch -SC --allow -s procmail_t -t clamscan_t -c process
sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file

> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.096:42735): arch=40000003 syscall=11 success=yes exit=0 a0=8e92dd0 a1=8e95760 a2=8e95888 a3=8e95760 items=0 ppid=23925 pid=23926 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1282550227.096:42735): avc: denied { noatsecure } for pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282550227.096:42735): avc: denied { siginh } for pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282550227.096:42735): avc: denied { rlimitinh } for pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process
> ----
> time->Mon Aug 23 08:57:06 2010
> type=SYSCALL msg=audit(1282550226.692:42732): arch=40000003 syscall=11 success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0 ppid=23909 pid=23910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282550226.692:42732): avc: denied { noatsecure } for pid=23910 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282550226.692:42732): avc: denied { siginh } for pid=23910 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282550226.692:42732): avc: denied { rlimitinh } for pid=23910 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.209:42736): arch=40000003 syscall=5 success=no exit=-13 a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0 ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
> type=AVC msg=audit(1282550227.209:42736): avc: denied { read } for pid=20954 comm="spamd" name="shadow" dev=sda6 ino=85497 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
>
> Audit2allow produce some funny stuff when I tried to run this through it
> so I think it is best if you take a look at it!
>
> Thanks again.
>
> Mark
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Attachment:
signature.asc
Description: OpenPGP digital signature
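
An added example (not part of the thread and not code from any SELinux tool) that triages `ausearch -m avc` output like the above once `semodule -DB` is active: it sets aside the noatsecure/siginh/rlimitinh records that accompany each domain transition and flags commands still running in their caller's domain, as clamdscan is in procmail_t. The function names and the stray-command heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output quoted in this thread.
SAMPLE = '''\
type=AVC msg=audit(1282550226.692:42732): avc: denied { noatsecure } for pid=23910 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282550227.096:42735): avc: denied { noatsecure } for pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282550227.040:42733): avc: denied { search } for pid=23916 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1282550222.014:42728): avc: denied { noatsecure } for pid=23901 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1282550222.302:42730): avc: denied { write } for pid=23901 comm="setroubleshootd" name="rpm" dev=sda6 ino=203 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1282550227.209:42736): avc: denied { read } for pid=20954 comm="spamd" name="shadow" dev=sda6 ino=85497 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')

# Checked on every domain transition and normally hidden by dontaudit rules;
# they appear here only because `semodule -DB` disabled dontaudit.
TRANSITION_NOISE = {"noatsecure", "siginh", "rlimitinh"}

def sel_type(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def triage(text):
    """Return (domain transitions seen, all other denials keyed by actor)."""
    transitions, denials = set(), defaultdict(set)
    for m in AVC_RE.finditer(text):
        perms = set(m["perms"].split())
        src, tgt = sel_type(m["s"]), sel_type(m["t"])
        if m["cls"] == "process" and perms <= TRANSITION_NOISE:
            transitions.add((src, tgt, m["comm"]))  # exec moved src -> tgt
        else:
            denials[(m["comm"], src, tgt, m["cls"])] |= perms
    return transitions, dict(denials)

def stray_commands(text):
    """Heuristic (an assumption of this example): a command denied in a domain
    that a different command was seen entering probably missed a transition."""
    transitions, denials = triage(text)
    entered_by = {tgt: comm for _, tgt, comm in transitions}
    return sorted({(comm, src) for comm, src, _, _ in denials
                   if entered_by.get(src, comm) != comm})

if __name__ == "__main__":
    print(stray_commands(SAMPLE))
```

A command flagged this way is the one whose executable label (`ls -Z`) and transition rules (`sesearch`) are worth checking first.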