Re: NFSD warning?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 08/26/2010 12:37 PM, Arthur Dent wrote:
> On Thu, 2010-08-26 at 11:58 +0200, Dominick Grift wrote:
>> On 08/26/2010 11:48 AM, Arthur Dent wrote:
>>> Hello all,
>>>
>>> Working with Dominick to solve my clamd denial problem has caused me to
>>> use ausearch more often than I normally would.
>>>
>>> This has revealed a large and constant amount of these messages:
>>
>> Do semodule -B to hide any denials that are should not be displayed
>> (they are hidden on purpose)
> 
> Actually Dominick, this *is* with semodule -B

only the "{ 0x400000 }"'s are with semodule -B i believe. The other AVC
denials are so called dontaudited (hidden by default)

> ----
> time->Thu Aug 26 11:25:11 2010
> type=AVC msg=audit(1282818311.906:55953): avc:  denied  { 0x400000 } for
> pid=1219 comm="nfsd" name="" dev=sda11 ino=28365
> scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> ----
> time->Thu Aug 26 11:25:10 2010
> type=AVC msg=audit(1282818310.564:55924): avc:  denied  { 0x400000 } for
> pid=1219 comm="nfsd" name="" dev=sda11 ino=28365
> scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> ----
> time->Thu Aug 26 11:25:51 2010
> type=AVC msg=audit(1282818351.672:55954): avc:  denied  { 0x400000 } for
> pid=1219 comm="nfsd" name="" dev=sda11 ino=28365
> scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> 
> Just a small sample. There are hundreds more. But if you say they are
> harmless then I guess I will just leave them alone...
> 

In my previous reply i enclosed an URL to a related bug report. This
bugzilla report includes a method to hide the symptoms of this bug.

Basically it adds a dontaudit rule:
dontaudit kernel_t unlabeled_t:file *;

If that does not work for you then you can just ignore the denials for
now, and add a "me to" reply to the bugzilla report that i enclosed in
my previous reply

> Thanks
> 
> Mark
> 
> 
> 
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Attachment: signature.asc
Description: OpenPGP digital signature

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux