Re: Fedora 14 AVCs


On Nov 29, 2010, at 4:36 AM, Miroslav Grepl wrote:

> On 11/22/2010 02:07 PM, Vadym Chepkov wrote:
>> Hi,
>> 
>> I just upgraded to Fedora 14 and got a significant amount of all sort of denials.
>> I thought maybe some relabeling went wrong - so I did it manually, just in case, didn't help much, still lots of issues.
>> I tried to post raw audit log, but got bounced from mail-list with "message too big"
>> 
>> Anyway, here is what audit2allow -R suggests
>> 
>> #============= chkpwd_t ==============
>> allow chkpwd_t self:capability sys_nice;
>> allow chkpwd_t self:process setsched;
>> files_list_tmp(chkpwd_t)
>> files_read_usr_symlinks(chkpwd_t)
>> 
>> #============= dovecot_auth_t ==============
>> allow dovecot_auth_t self:capability sys_nice;
>> allow dovecot_auth_t self:process setsched;
>> 
>> #============= dovecot_t ==============
>> allow dovecot_t self:capability sys_nice;
>> files_read_usr_symlinks(dovecot_t)
>> #============= nscd_t ==============
>> files_list_tmp(nscd_t)
>> files_read_usr_symlinks(nscd_t)
>> 
>> #============= saslauthd_t ==============
>> allow saslauthd_t self:capability sys_nice;
>> allow saslauthd_t self:process setsched;
>> files_read_usr_symlinks(saslauthd_t)
>> 
>> #============= spamd_t ==============
>> allow spamd_t admin_home_t:file { read ioctl open getattr append };  # spammers send e-mails to root@ , spamd needs to create working files in /root/
>> allow spamd_t self:capability sys_nice;
>> kernel_list_unlabeled(spamd_t)   # razor and pyzor contexts gone
>> kernel_read_unlabeled_state(spamd_t) # same
>> userdom_read_user_home_content_files(spamd_t) # changed boolean spamd_enable_home_dirs
>> 
>> Thanks,
>> Vadym
>> 
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> Vadym,
> are you still getting all these AVC messages?
> 
> 
> Some of these issues are known and some of these issues should be fixed in the latest SELinux policy.
> 

Miroslav,

If I remove locally added rules, then yes, I still see a bunch:

time->Mon Nov 29 06:59:27 2010
type=SYSCALL msg=audit(1291031967.456:65945): arch=40000003 syscall=156 success=yes exit=0 a0=23cc a1=0 a2=bfcc9ca0 a3=b77328d0 items=0 ppid=9159 pid=9164 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2296 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1291031967.456:65945): avc:  denied  { sys_nice } for  pid=9164 comm="spamd" capability=23  scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=capability
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.140:66007): arch=40000003 syscall=5 success=yes exit=4 a0=145497 a1=0 a2=1b6 a3=15256a items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.140:66007): avc:  denied  { read } for  pid=9789 comm="unix_chkpwd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.109:66006): arch=40000003 syscall=156 success=yes exit=0 a0=263d a1=0 a2=bfd58eb0 a3=b7717930 items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.109:66006): avc:  denied  { setsched } for  pid=9789 comm="unix_chkpwd" scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=process
type=AVC msg=audit(1291032660.109:66006): avc:  denied  { sys_nice } for  pid=9789 comm="unix_chkpwd" capability=23  scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=capability
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.141:66008): arch=40000003 syscall=195 success=yes exit=0 a0=14549c a1=bfd544c4 a2=efdff4 a3=3 items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.141:66008): avc:  denied  { read } for  pid=9789 comm="unix_chkpwd" name="tmp" dev=dm-0 ino=15581 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file

I am pretty sure the link-related denials are due to:
# ls -ld /usr/tmp
lrwxrwxrwx. 1 root root 10 Nov 21 01:49 /usr/tmp -> ../var/tmp

which is a standard link in Fedora.

I also had to manually set spamc_home_t on /root/.razor and $HOME/.razor

I have selinux-policy-targeted-3.9.7-12.fc14.noarch installed.

Vadym


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
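Added example, not part of the thread: a small Python parser that takes AVC records like the ones pasted above, groups the denied permissions per source domain the way a first audit2allow pass does (before its -R translation into interface calls), and lists the named objects behind each denial so a case like the name="tmp" lnk_file under usr_t can be traced back to the /usr/tmp symlink. The sample log below is constructed from the records in this message; parse_avc, summarize_avcs, render_allow_rules and denied_objects are names chosen for this example.

```python
"""Triage SELinux AVC denials from an audit log (added example).

Records are parsed into (source type, target type, object class) -> permissions,
which is the grouping audit2allow prints as raw allow rules.  Nothing here
writes policy; it only summarises what was denied so it can be reviewed.
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC records from the message above, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291031967.456:65945): avc:  denied  { sys_nice } for  pid=9164 comm="spamd" capability=23  scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=capability
type=AVC msg=audit(1291032660.140:66007): avc:  denied  { read } for  pid=9789 comm="unix_chkpwd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1291032660.109:66006): avc:  denied  { setsched } for  pid=9789 comm="unix_chkpwd" scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=process
type=AVC msg=audit(1291032660.109:66006): avc:  denied  { sys_nice } for  pid=9789 comm="unix_chkpwd" capability=23  scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=capability
type=AVC msg=audit(1291032660.141:66008): avc:  denied  { read } for  pid=9789 comm="unix_chkpwd" name="tmp" dev=dm-0 ino=15581 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
"""

# Matches the fixed parts of an AVC record: verdict, permission set, contexts, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one AVC record; return None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    name = re.search(r'name="([^"]*)"', line)
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        # audit2allow writes "self" when a domain is denied access to itself.
        "self": m.group("scontext") == m.group("tcontext"),
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else None,
        "name": name.group(1) if name else None,
    }


def summarize_avcs(text):
    """Group denied permissions by (source type, target type or 'self', class)."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        target = "self" if rec["self"] else rec["target"]
        summary[(rec["source"], target, rec["tclass"])] |= rec["perms"]
    return dict(summary)


def render_allow_rules(summary):
    """Render the grouping as raw allow rules in audit2allow's output style."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def denied_objects(text):
    """List (comm, tclass, name) for denials that name a filesystem object."""
    found = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied" and rec["name"] is not None:
            found.append((rec["comm"], rec["tclass"], rec["name"]))
    return found


if __name__ == "__main__":
    for rule in render_allow_rules(summarize_avcs(SAMPLE_AUDIT_LOG)):
        print(rule)
    for comm, tclass, name in denied_objects(SAMPLE_AUDIT_LOG):
        print(f"{comm}: {tclass} {name!r}")
```

On the sample log this prints the same chkpwd_t and spamd_t rules that appear in the audit2allow output quoted at the top of the thread, and the object list shows unix_chkpwd being denied read on the lnk_file named "tmp" under usr_t, which is the /usr/tmp -> ../var/tmp symlink. Grouping by target type rather than by individual record is what makes the review manageable: a domain-to-self capability or process rule is a different decision from granting a domain read access to a generic type like tmp_t or usr_t.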

