On 10/19/2012 10:48 AM, m.roth@xxxxxxxxx wrote:
> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> On 10/17/2012 01:22 PM, m.roth@xxxxxxxxx wrote:
>> Daniel J Walsh wrote:
>>> On 10/17/2012 11:48 AM, m.roth@xxxxxxxxx wrote:
>>>
>>> Did you check the label on /var/run/pcscd.pid? What is the actual
>>> avc you are seeing?
>>
>> -rw-r--r--. root root system_u:object_r:pcscd_var_run_t:s0 /var/run/pcscd.pid
>>
>> And the sealert shows just the catchall.
>>
>> SELinux is preventing /usr/sbin/httpd from read access on the file /var/run/pcscd.pid.
>>
>> ***** Plugin catchall (100. confidence)
>
>> Can you execute
>>
>> ausearch -m avc
>>
>> And get the AVCs that way.
>
> I was out yesterday, which is why I didn't get back to you before.
>
> Yup, and get a ton of
>
> type=AVC msg=audit(1350608218.778:42990): avc: denied { read write } for pid=27757 comm="iptables" path="socket:[20864]" dev=sockfs ino=20864 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>
> mark
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Well that is not the related AVC. This looks like a leaked file descriptor from whatever process is running as initrc_t and execs iptables. Almost surely something that could be dontaudited.

ps -eZ | grep initrc_t
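As an added triage example (not code from the thread or from the SELinux project): a small Python parser for `ausearch -m avc` records that separates a real access to a labelled object, like the httpd read of /var/run/pcscd.pid, from the leaked-descriptor pattern Dan points at, where the target of a socket denial is another process domain (initrc_t) rather than an object_r label. The first sample record is the one Mark quoted; the second is constructed, and the httpd_t source domain, dev and ino values in it are assumptions.

```python
import re

# Constructed sample of `ausearch -m avc` output: the first record is the one quoted in
# the thread, the second is a made-up record for the httpd denial on /var/run/pcscd.pid.
SAMPLE_AVC = (
    'type=AVC msg=audit(1350608218.778:42990): avc:  denied  { read write } for  pid=27757 '
    'comm="iptables" path="socket:[20864]" dev=sockfs ino=20864 '
    'scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 '
    'tclass=unix_stream_socket\n'
    'type=AVC msg=audit(1350608300.101:43012): avc:  denied  { read } for  pid=27801 '
    'comm="httpd" path="/var/run/pcscd.pid" dev=tmpfs ino=4242 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 '
    'tclass=file\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Object classes a child process can inherit from its parent across exec.
INHERITED_CLASSES = {'fd', 'fifo_file', 'unix_stream_socket', 'unix_dgram_socket',
                     'tcp_socket', 'udp_socket'}

def parse_avc(line):
    """Turn one AVC record into a dict of its fields; None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    return rec

def classify(rec):
    """Heuristic verdict: a socket/pipe/fd whose label is another *process* domain
    (role is not object_r) was inherited from the parent, i.e. a leaked descriptor."""
    target_role = rec['tcontext'].split(':')[1]
    if target_role != 'object_r' and rec['tclass'] in INHERITED_CLASSES:
        return 'leaked_fd'        # usual fix is a dontaudit rule, not an allow
    return 'object_access'        # a real access to a labelled object: check the label

def triage(text, comm=None):
    """Parse every AVC record in text, keep those from comm (if given), add a verdict."""
    results = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec.get('comm') != comm):
            continue
        rec['verdict'] = classify(rec)
        results.append(rec)
    return results
```

Running `triage(SAMPLE_AVC, comm='httpd')` picks out the record that is actually about the pcscd.pid denial, while the iptables record is flagged as a leaked descriptor to be handled separately.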