On Mon, Nov 29, 2010 at 07:24:53AM -0500, Vadym Chepkov wrote:
>
> On Nov 29, 2010, at 4:36 AM, Miroslav Grepl wrote:
>
> > On 11/22/2010 02:07 PM, Vadym Chepkov wrote:
> >> Hi,
> >>
> >> I just upgraded to Fedora 14 and got a significant amount of all sorts of denials.
> >> I thought maybe some relabeling went wrong, so I did it manually, just in case; it didn't help much, still lots of issues.
> >> I tried to post the raw audit log, but got bounced from the mailing list with "message too big".
> >>
> >> Anyway, here is what audit2allow -R suggests:
> >>
> >> #============= chkpwd_t ==============
> >> allow chkpwd_t self:capability sys_nice;
> >> allow chkpwd_t self:process setsched;
> >> files_list_tmp(chkpwd_t)
> >> files_read_usr_symlinks(chkpwd_t)
> >>
> >> #============= dovecot_auth_t ==============
> >> allow dovecot_auth_t self:capability sys_nice;
> >> allow dovecot_auth_t self:process setsched;
> >>
> >> #============= dovecot_t ==============
> >> allow dovecot_t self:capability sys_nice;
> >> files_read_usr_symlinks(dovecot_t)
> >>
> >> #============= nscd_t ==============
> >> files_list_tmp(nscd_t)
> >> files_read_usr_symlinks(nscd_t)
> >>
> >> #============= saslauthd_t ==============
> >> allow saslauthd_t self:capability sys_nice;
> >> allow saslauthd_t self:process setsched;
> >> files_read_usr_symlinks(saslauthd_t)
> >>
> >> #============= spamd_t ==============
> >> allow spamd_t admin_home_t:file { read ioctl open getattr append }; # spammers send e-mails to root@, spamd needs to create working files in /root/
> >> allow spamd_t self:capability sys_nice;
> >> kernel_list_unlabeled(spamd_t) # razor and pyzor contexts gone
> >> kernel_read_unlabeled_state(spamd_t) # same
> >> userdom_read_user_home_content_files(spamd_t) # changed boolean spamd_enable_home_dirs
> >>
> >> Thanks,
> >> Vadym
> >>
> >> --
> >> selinux mailing list
> >> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> > Vadym,
> >
> > are you still getting all these AVC messages?
> >
> > Some of these issues are known and some of these issues should be fixed in the latest SELinux policy.
>
> Miroslav,
>
> If I remove the locally added rules, then yes, I still see a bunch:
>
> time->Mon Nov 29 06:59:27 2010
> type=SYSCALL msg=audit(1291031967.456:65945): arch=40000003 syscall=156 success=yes exit=0 a0=23cc a1=0 a2=bfcc9ca0 a3=b77328d0 items=0 ppid=9159 pid=9164 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2296 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
> type=AVC msg=audit(1291031967.456:65945): avc: denied { sys_nice } for pid=9164 comm="spamd" capability=23 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=capability
> ----
> time->Mon Nov 29 07:11:00 2010
> type=SYSCALL msg=audit(1291032660.140:66007): arch=40000003 syscall=5 success=yes exit=4 a0=145497 a1=0 a2=1b6 a3=15256a items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
> type=AVC msg=audit(1291032660.140:66007): avc: denied { read } for pid=9789 comm="unix_chkpwd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> ----
> time->Mon Nov 29 07:11:00 2010
> type=SYSCALL msg=audit(1291032660.109:66006): arch=40000003 syscall=156 success=yes exit=0 a0=263d a1=0 a2=bfd58eb0 a3=b7717930 items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
> type=AVC msg=audit(1291032660.109:66006): avc: denied { setsched } for pid=9789 comm="unix_chkpwd" scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=process
> type=AVC msg=audit(1291032660.109:66006): avc: denied { sys_nice } for pid=9789 comm="unix_chkpwd" capability=23 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=capability
> ----
> time->Mon Nov 29 07:11:00 2010
> type=SYSCALL msg=audit(1291032660.141:66008): arch=40000003 syscall=195 success=yes exit=0 a0=14549c a1=bfd544c4 a2=efdff4 a3=3 items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
> type=AVC msg=audit(1291032660.141:66008): avc: denied { read } for pid=9789 comm="unix_chkpwd" name="tmp" dev=dm-0 ino=15581 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file

By the way, I have /usr/tmp labeled tmp_t in my personal policy, and then I could for example add files_list_generic_tmp_symlinks to files_list_tmp or something.

> I am pretty sure the link-related denials are due to:
>
> # ls -ld /usr/tmp
> lrwxrwxrwx. 1 root root 10 Nov 21 01:49 /usr/tmp -> ../var/tmp
>
> which is a standard link in Fedora.
>
> I also had to manually set spamc_home_t on /root/.razor and $HOME/.razor
>
> I have selinux-policy-targeted-3.9.7-12.fc14.noarch installed.
>
> Vadym
Attachment:
pgpJMqGVg0JQS.pgp
Description: PGP signature
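As an added worked example (not code from this thread and not audit2allow's own implementation), the following Python script parses the AVC records quoted above and groups them into the raw allow rules that audit2allow prints, then separately flags lnk_file denials, which is the symptom a mislabelled symlink such as /usr/tmp produces. The sample records are copied from the message; the function names are my own, and the output mirrors audit2allow's plain form rather than the -R interface names (files_list_tmp and friends), which need the reference policy interface database to resolve.

```python
import re
from collections import defaultdict

# Sample AVC records, copied from the denials quoted in the message above.
# The SYSCALL records are left out: only the AVC records carry the source
# and target contexts and the denied permission.
SAMPLE_AVC = """\
type=AVC msg=audit(1291031967.456:65945): avc: denied { sys_nice } for pid=9164 comm="spamd" capability=23 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=capability
type=AVC msg=audit(1291032660.140:66007): avc: denied { read } for pid=9789 comm="unix_chkpwd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1291032660.109:66006): avc: denied { setsched } for pid=9789 comm="unix_chkpwd" scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=process
type=AVC msg=audit(1291032660.109:66006): avc: denied { sys_nice } for pid=9789 comm="unix_chkpwd" capability=23 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=capability
type=AVC msg=audit(1291032660.141:66008): avc: denied { read } for pid=9789 comm="unix_chkpwd" name="tmp" dev=dm-0 ino=15581 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
"""

# Matches "avc: denied { perm ... } for key=value ..." (audit may use double spaces).
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be quoted (comm="spamd", name="/").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def summarize(text):
    """Group denials as (source, target, class) -> permissions, as audit2allow does."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # A domain acting on its own context is written as "self" in policy.
        target = 'self' if rec['target'] == rec['source'] else rec['target']
        rules[(rec['source'], target, rec['tclass'])] |= rec['perms']
    return dict(rules)


def format_rules(rules):
    """Render grouped denials as raw allow rules (no -R interface lookup)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ %s }' % perm_text
        out.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_text))
    return out


def symlink_denials(text):
    """List lnk_file denials as (comm, name, target type). These usually point at a
    symlink carrying an unexpected label, e.g. /usr/tmp -> ../var/tmp labelled usr_t,
    which is worth checking with ls -Z before writing a local allow rule."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec['tclass'] == 'lnk_file':
            hits.append((rec['comm'], rec['name'], rec['target']))
    return hits


if __name__ == '__main__':
    for rule in format_rules(summarize(SAMPLE_AVC)):
        print(rule)
    for comm, name, ttype in symlink_denials(SAMPLE_AVC):
        print('symlink %r read by %s is labelled %s: check its file context' % (name, comm, ttype))
```

Run against the five records it prints the same five rules that the audit2allow output in the original post starts from (the chkpwd_t dir and lnk_file denials are the ones audit2allow -R folds into files_list_tmp and files_read_usr_symlinks), and the symlink check singles out the usr_t-labelled "tmp" link that Vadym traced to /usr/tmp -> ../var/tmp.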