On 01/30/2013 08:11 PM, Andrew Jones wrote:
> On Wed, 2013-01-30 at 08:33 -0500, Daniel J Walsh wrote:
>> On 01/30/2013 02:13 AM, Andrew Jones wrote:
>>> On Wed, 2013-01-30 at 01:14 +0100, Andrew Jones wrote:
>>>> On Tue, 2013-01-29 at 10:07 -0500, m.roth@xxxxxxxxx wrote:
>>>>> Andrew Jones wrote:
>>>>>> (Apologies in advance for the length of this mail. I am a total noob at SELinux so my vocabulary is probably not correct. Hopefully you will be able to understand from context what I am trying to say.)
>>>>>>
>>>>>> I have been setting up x11vnc on some of my machines. It looks like there are a hundred different ways of setting it up but I have chosen to follow the spirit of this entry in the Fedora Forum:
>>>>>>
>>>>>> http://forums.fedoraforum.org/showpost.php?p=1448696&postcount=2
>>>>>>
>>>>>> This works with SELinux permissive but fails completely when enforcing.
>>>>>>
>>>>>> Even when running permissively there are so many SELinux events in the first few seconds that many are dropped, as shown here:
>>>>>>
>>>>>> Jan 29 03:44:10 ecafe audispd: queue is full - dropping event
>>>>>>
>>>>>> After several hours of scouring the system log, running sealert and creating policies, rinsing and repeating, I think I have generated the command line that will identify all the events which occur during an x11vnc session:
>>>>>>
>>>>>> egrep ps\|x11vnc\|tcpd\|mission-control /var/log/audit/audit.log | audit2allow -M mypol
>>>>>>
>>>>>> By repetitively running that line, applying the generated policy, then restarting the computer and launching a new vnc session, eventually all the events are able to be recorded without filling the queue.
>>>>>>
>>>>> Andrew,
>>>>>
>>>>> First of all, how did you install x11vnc? Did you use yum, or is this from a tarball?
>>>>> You should ALWAYS prefer yum install, since this will get all dependencies, and install policy as part of the package.
>>>>
>>>> Installed from yum. Having read the x11vnc man page I got the impression it's a bit of a Swiss army knife and I had *assumed* that, as it was so hard to predict how it would be used, it would not make sense to enforce any particular policy. Is there a way of extracting and examining the policies in an rpm?
>>>>
>>>>>
>>>>> Secondly, you should be looking at what it wants to do. For example, the fact that mcelog is in there worries me, a *lot*, since mcelog records ->hardware errors<-, meaning that you could be having hardware issues.
>>>>>
>>>> It is necessary for x11vnc to discover the name of an X11 authorization file, and the trick to do so is to do a `ps wwwaux | grep '/X.*-auth'`, followed by a bit more grep and sed trickery to isolate the name of the file that appears on the command line that launched xorg.
>>>>
>>>> The command above has this for output...
>>>>
>>>> root 26003 0.4 1.1 24184 12120 tty9 Ss+ 12:34 2:46 /usr/bin/Xorg :0 -br -verbose -logverbose 7 -auth /var/run/gdm/auth-for-gdm-xpIgEt/database -nolisten tcp
>>>>
>>>> ... and the sed and grep trickery isolates the string '/var/run/gdm/auth-for-gdm-xpIgEt/database', which is a required parameter for x11vnc.
>>>>
>>>> It did seem that many, many of the AVCs were caused by ps trying to get attributes of or open directories in /proc.
>>>>
>>>> Why have I told you all this?
>>>>
>>>> grep type=AVC audit.log.1 | grep mcelog | grep -v comm=\"ps\"    has no output
>>>> grep type=AVC audit.log.1 | grep mcelog                          has 21 lines of output
>>>>
>>>> So all the AVCs which mention mcelog include comm="ps". Here is a typical sequence:
>>>>
>>>> type=AVC msg=audit(1359035800.677:1209): avc: denied { getattr } for pid=2248 comm="ps" path="/proc/539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
>>>>
>>>> type=AVC msg=audit(1359035800.677:1210): avc: denied { search } for pid=2248 comm="ps" name="539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
>>>>
>>>> type=AVC msg=audit(1359035800.677:1210): avc: denied { read } for pid=2248 comm="ps" name="stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
>>>>
>>>> type=AVC msg=audit(1359035800.677:1210): avc: denied { open } for pid=2248 comm="ps" path="/proc/539/stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
>>>>
>>>> There were just 3 /proc directories that prompted this sequence of AVCs containing mcelog, and these were 539 (shown above), 517 and 509, but having rebooted since I don't now know what processes they correspond to, and I suspect many other AVCs may have been omitted due to queue overflow. Audit.log currently contains 900 lines of AVCs related to ps accessing the /proc directory.
>>>
>>> Having checked the timestamps in the system log I see that each set of AVCs occurred just once between re-boots (I rebooted after every launch of vnc / generation of new policies), so they could all be referring to the same process.
>>>
>>> I also noted that on my Fedora 18 machines mcelog is running as a daemon:
>>>
>>> $ ps -A www | grep mcelog
>>> 528 ? Ss 0:00 /usr/sbin/mcelog --ignorenodev --daemon --foreground
>>>
>>> mcelog is not running as a daemon on my Fedora 16 machine ... So I could be easily persuaded that the AVCs which mention mcelog refer to the attempts of ps to access the mcelog process.
>>>
>>>>
>>>> I tried to replicate the generation of AVCs by running ps from a command prompt but nothing happened. Could ps be running from the wrong context? Can you tell I hadn't a clue what I was talking about when I asked that question??
>>>>
>>>>
>>>>> Third, read the man page for audit2allow. It tells you how to convert from text policy to compiled and install it. It's not complicated.
>>>> Thanks for that.
>>>>
>>>>>
>>>>> Fourth, the "dropped" indicates that there are so many errors the queue can't keep up. From an old closed bug, one note for this problem is:
>>>>>
>>>>>   -b 8192 in auditd.conf
>>>>>   priority_boost = 4 in auditd.conf
>>>>>   priority_boost = 8 in audispd.conf
>>>>>   q_depth = 2048 in audispd.conf
>>>>
>>>> Thanks also for that.
>>>>>
>>>>> mark
>>>>>
>>>> Andy
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>> Let's try this.
>>
>> chcon -t xserver_exec_t /usr/bin/x11vnc
>>
>> And create myvnc.te that looks like the following:
>>
>> cat myvnc.te
>> #==========================================================================
>>
>> policy_module(myvnc,1.0)
>>
>> gen_require(`
>>         type xserver_exec_t, xserver_t;
>> ')
>>
>> tcpd_wrapped_domain(xserver_t, xserver_exec_t)
>> #=======================================================================
>>
>> make -f /usr/share/selinux/devel/Makefile myvnc.pp
>> semodule -i myvnc.pp
>>
>> Then try it again.
>>
>> The reason you are getting all the AVCs about random domains is that x11vnc is doing the equivalent of the ps command; it is walking through /proc and looking at every process. The SELinux interface to handle this would have been:
>>
>> domain_read_all_domains_state(tcpd_t)
>>
>> But what we really want is tcpd_t to transition to xserver_t when running x11vnc.
>>
>>
>
> Thank you for that - the difference was phenomenal!
>
> At first it didn't seem to do anything because it was a bash script, not x11vnc, that was running ps. However, I read the x11vnc manual again and finally realized how to make it run ps for me.
>
> Once I had made the change the AVCs reduced from several hundred to a large handful.
>
> (Removing your myvnc.pol policy returned it to producing hundreds of AVCs again.)
>
> So I ran sealert and audit2allow again and produced two more policies.
>
> Would it be possible to optimize them further knowing what they are trying to do, or at least combine the policy for x11vnc into the existing myvncpol? (I still haven't worked out the syntax of these things so I can't do it myself yet.)
>
> The policies created were as follows:
>
> # grep \"x11vnc\" /var/log/audit/audit.log | audit2allow -M myx11vncpol
> Gave:
>
> module myx11vncpol 1.0;
>
> require {
>         type tcpd_t;
>         type var_log_t;
>         type passwd_file_t;
>         type shell_exec_t;
>         type admin_home_t;
>         type tmpfs_t;
>         type xserver_exec_t;
>         class dir search;
>         class shm { write unix_read unix_write read destroy create };
>         class file { write getattr read open execute execute_no_trans };
> }
>
> #============= tcpd_t ==============
> allow tcpd_t admin_home_t:dir search;
> allow tcpd_t admin_home_t:file { read getattr open };
> allow tcpd_t passwd_file_t:file { read getattr open };
> allow tcpd_t self:shm { write unix_read unix_write read destroy create };
> allow tcpd_t shell_exec_t:file { execute execute_no_trans };
> allow tcpd_t tmpfs_t:file { read write };
> #!!!! The source type 'tcpd_t' can write to a 'file' of the following type:
> # tcpd_tmp_t
>
> allow tcpd_t var_log_t:file { write open };
> #!!!! This avc is allowed in the current policy
>
> allow tcpd_t xserver_exec_t:file execute;
>
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
> (x11vnc_sh is the bash file that calls x11vnc)
>
> # grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M myx11vnc_shpol
> Gave:
>
> module myx11vnc_shpol 1.0;
>
> require {
>         type tcpd_t;
>         type bin_t;
>         type passwd_file_t;
>         type proc_t;
>         type xdm_var_run_t;
>         type xserver_exec_t;
>         class dir search;
>         class file { execute read open getattr execute_no_trans };
> }
>
> #============= tcpd_t ==============
> allow tcpd_t bin_t:file { execute execute_no_trans };
> allow tcpd_t passwd_file_t:file { read getattr open };
> allow tcpd_t proc_t:file { read getattr open };
> allow tcpd_t xdm_var_run_t:dir search;
> allow tcpd_t xdm_var_run_t:file read;
> allow tcpd_t xserver_exec_t:file execute_no_trans;
> #!!!! This avc is allowed in the current policy
>
> allow tcpd_t xserver_exec_t:file { read execute open };
>
>
> In case it helps I will include the sealert messages below. If it doesn't help there is no need to continue reading.
>
> x11vnc
> SELinux is preventing /usr/bin/x11vnc from getattr access on the file /etc/passwd.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that x11vnc should be allowed getattr access on the passwd file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep x11vnc /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:passwd_file_t:s0
> Target Objects                /etc/passwd [ file ]
> Source                        x11vnc
> Source Path                   /usr/bin/x11vnc
> Port                          <Unknown>
> Host                          ecafe.hogwarts.local
> Source RPM Packages           bash-4.2.42-1.fc18.i686
> Target RPM Packages           setup-2.8.57-1.fc18.noarch
> Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     ecafe.hogwarts.local
> Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
> Alert Count                   9
> First Seen                    2013-01-30 18:37:03 CET
> Last Seen                     2013-01-31 00:12:40 CET
> Local ID                      9b00da1e-2a33-4110-a6da-b4330452daf5
>
> Raw Audit Messages
> type=AVC msg=audit(1359587560.172:432): avc: denied { getattr } for pid=2320 comm="x11vnc_sh" path="/etc/passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1359587560.172:432): arch=i386 syscall=fstat64 success=yes exit=0 a0=3 a1=bfe91060 a2=42896000 a3=82aa728 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)
>
> Hash: x11vnc,tcpd_t,passwd_file_t,file,getattr
>
> audit2allow
>
> #============= tcpd_t ==============
> allow tcpd_t passwd_file_t:file getattr;
>
> audit2allow -R
>
> #============= tcpd_t ==============
> allow tcpd_t passwd_file_t:file getattr;
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
> SELinux is preventing /usr/bin/x11vnc from read access on the file /etc/passwd.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that x11vnc should be allowed read access on the passwd file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep x11vnc /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:passwd_file_t:s0
> Target Objects                /etc/passwd [ file ]
> Source                        x11vnc
> Source Path                   /usr/bin/x11vnc
> Port                          <Unknown>
> Host                          ecafe.hogwarts.local
> Source RPM Packages           bash-4.2.42-1.fc18.i686
> Target RPM Packages           setup-2.8.57-1.fc18.noarch
> Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     ecafe.hogwarts.local
> Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
> Alert Count                   9
> First Seen                    2013-01-30 18:37:03 CET
> Last Seen                     2013-01-31 00:12:40 CET
> Local ID                      48950c77-d55b-4222-9021-f93116a68a66
>
> Raw Audit Messages
> type=AVC msg=audit(1359587560.170:431): avc: denied { read } for pid=2320 comm="x11vnc_sh" name="passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
>
>
> type=AVC msg=audit(1359587560.170:431): avc: denied { open } for pid=2320 comm="x11vnc_sh" path="/etc/passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1359587560.170:431): arch=i386 syscall=open success=yes exit=ESRCH a0=b7554ef5 a1=80000 a2=1b6 a3=82aa728 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)
>
> Hash: x11vnc,tcpd_t,passwd_file_t,file,read
>
> audit2allow
>
> #============= tcpd_t ==============
> allow tcpd_t passwd_file_t:file { read open };
>
> audit2allow -R
>
> #============= tcpd_t ==============
> allow tcpd_t passwd_file_t:file { read open };
>
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
> x11vnc_sh
> SELinux is preventing /usr/bin/bash from read access on the file meminfo.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that bash should be allowed read access on the meminfo file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:proc_t:s0
> Target Objects                meminfo [ file ]
> Source                        x11vnc_sh
> Source Path                   /usr/bin/bash
> Port                          <Unknown>
> Host                          ecafe.hogwarts.local
> Source RPM Packages           bash-4.2.42-1.fc18.i686
> Target RPM Packages
> Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     ecafe.hogwarts.local
> Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
> Alert Count                   3
> First Seen                    2013-01-30 18:50:12 CET
> Last Seen                     2013-01-31 00:12:40 CET
> Local ID                      fc347cac-8bf1-47a6-a192-f46949682732
>
> Raw Audit Messages
> type=AVC msg=audit(1359587560.136:429): avc: denied { read } for pid=2320 comm="x11vnc_sh" name="meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
>
>
> type=AVC msg=audit(1359587560.136:429): avc: denied { open } for pid=2320 comm="x11vnc_sh" path="/proc/meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1359587560.136:429): arch=i386 syscall=open success=yes exit=ESRCH a0=4285661e a1=80000 a2=1b6 a3=82a8a68 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)
>
> Hash: x11vnc_sh,tcpd_t,proc_t,file,read
>
> audit2allow
>
> #============= tcpd_t ==============
> allow tcpd_t proc_t:file { read open };
>
> audit2allow -R
>
> #============= tcpd_t ==============
> allow tcpd_t proc_t:file { read open };
>
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
> SELinux is preventing /usr/bin/bash from execute access on the file /usr/local/bin/x11vnc_sh.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that bash should be allowed execute access on the x11vnc_sh file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
> Target Context                unconfined_u:object_r:bin_t:s0
> Target Objects                /usr/local/bin/x11vnc_sh [ file ]
> Source                        x11vnc_sh
> Source Path                   /usr/bin/bash
> Port                          <Unknown>
> Host                          ecafe.hogwarts.local
> Source RPM Packages           bash-4.2.42-1.fc18.i686
> Target RPM Packages
> Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     ecafe.hogwarts.local
> Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
> Alert Count                   3
> First Seen                    2013-01-30 18:50:12 CET
> Last Seen                     2013-01-31 00:12:40 CET
> Local ID                      f7cdf02d-2812-43cf-8a63-b3b389fd825a
>
> Raw Audit Messages
> type=AVC msg=audit(1359587560.130:428): avc: denied { execute } for pid=2320 comm="tcpd" name="x11vnc_sh" dev="sda5" ino=2110225 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file
>
>
> type=AVC msg=audit(1359587560.130:428): avc: denied { execute_no_trans } for pid=2320 comm="tcpd" path="/usr/local/bin/x11vnc_sh" dev="sda5" ino=2110225 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file
>
>
> type=AVC msg=audit(1359587560.130:428): avc: denied { execute } for pid=2320 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1359587560.130:428): arch=i386 syscall=execve success=yes exit=0 a0=bf9783ec a1=bf97a4a4 a2=bf97a4ac a3=bf9780b0 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)
>
> Hash: x11vnc_sh,tcpd_t,bin_t,file,execute
>
> audit2allow
>
> #============= tcpd_t ==============
> allow tcpd_t bin_t:file { execute execute_no_trans };
> allow tcpd_t shell_exec_t:file execute;
>
> audit2allow -R
>
> #============= tcpd_t ==============
> allow tcpd_t bin_t:file { execute execute_no_trans };
> allow tcpd_t shell_exec_t:file execute;
>
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
>
> SELinux is preventing /usr/bin/bash from getattr access on the file /proc/meminfo.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that bash should be allowed getattr access on the meminfo file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:proc_t:s0
> Target Objects                /proc/meminfo [ file ]
> Source                        x11vnc_sh
> Source Path                   /usr/bin/bash
> Port                          <Unknown>
> Host                          ecafe.hogwarts.local
> Source RPM Packages           bash-4.2.42-1.fc18.i686
> Target RPM Packages
> Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     ecafe.hogwarts.local
> Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
> Alert Count                   3
> First Seen                    2013-01-30 18:50:12 CET
> Last Seen                     2013-01-31 00:12:40 CET
> Local ID                      db259bd3-49de-4e22-837d-efc6a403b604
>
> Raw Audit Messages
> type=AVC msg=audit(1359587560.143:430): avc: denied { getattr } for pid=2320 comm="x11vnc_sh" path="/proc/meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1359587560.143:430): arch=i386 syscall=fstat64 success=yes exit=0 a0=3 a1=bfe8f0d0 a2=42896000 a3=82a8a68 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)
>
> Hash: x11vnc_sh,tcpd_t,proc_t,file,getattr
>
> audit2allow
>
> #============= tcpd_t ==============
> allow tcpd_t proc_t:file getattr;
>
> audit2allow -R
>
> #============= tcpd_t ==============
> allow tcpd_t proc_t:file getattr;
>
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
> SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that bash should be allowed execute access on the bash file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:shell_exec_t:s0
> Target Objects                /usr/bin/bash [ file ]
> Source                        x11vnc_sh
> Source Path                   /usr/bin/bash
> Port                          <Unknown>
> Host                          ecafe.hogwarts.local
> Source RPM Packages           bash-4.2.42-1.fc18.i686
> Target RPM Packages           bash-4.2.42-1.fc18.i686
> Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     ecafe.hogwarts.local
> Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
> Alert Count                   1
> First Seen                    2013-01-31 00:11:10 CET
> Last Seen                     2013-01-31 00:11:10 CET
> Local ID                      a1ab3c5f-f530-4432-b696-25745895a33e
>
> Raw Audit Messages
> type=AVC msg=audit(1359587470.242:384): avc: denied { execute } for pid=1739 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1359587470.242:384): arch=i386 syscall=execve success=yes exit=0 a0=bf9b3bfc a1=bf9b5cb4 a2=bf9b5cbc a3=bf9b38c0 items=0 ppid=724 pid=1739 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)
>
> Hash: x11vnc_sh,tcpd_t,shell_exec_t,file,execute
>
> audit2allow
>
> #============= tcpd_t ==============
> allow tcpd_t shell_exec_t:file execute;
>
> audit2allow -R
>
> #============= tcpd_t ==============
> allow tcpd_t shell_exec_t:file execute;
>
>
Well, I am happy it is working for you, but we prefer the solution to get tcpd_t to transition to xserver_t when running x11vnc, which hopefully will be showing up in an update release.
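As an added illustration (not code from the thread, from x11vnc or from the SELinux tooling), the script below does in a few lines what the thread leans on audit2allow for: it parses type=AVC records, collapses them into allow rules per (source type, target type, class), and separately reports source domains whose denials land on other process domains' /proc entries, the "walking /proc like ps" pattern Dan identifies, for which a domain transition rather than a pile of per-domain allows is the fix. The sample records are copies of AVC lines quoted in the thread; the SYSCALL record is a shortened, constructed one included only to show non-AVC lines being skipped.

```python
import re
from collections import defaultdict

# Constructed sample: copies of AVC records quoted in the thread above (three of the
# comm="ps" denials against mcelog_t and two x11vnc_sh denials on /etc/passwd), plus
# a shortened SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1359035800.677:1209): avc:  denied  { getattr } for  pid=2248 comm="ps" path="/proc/539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
type=AVC msg=audit(1359035800.677:1210): avc:  denied  { search } for  pid=2248 comm="ps" name="539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
type=AVC msg=audit(1359035800.677:1210): avc:  denied  { read } for  pid=2248 comm="ps" name="stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
type=AVC msg=audit(1359587560.170:431): avc:  denied  { read } for  pid=2320 comm="x11vnc_sh" name="passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1359587560.170:431): avc:  denied  { open } for  pid=2320 comm="x11vnc_sh" path="/etc/passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1359587560.170:431): arch=i386 syscall=open success=yes exit=ESRCH comm=x11vnc_sh exe=/usr/bin/bash
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value or key="quoted value"
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')  # the { perm perm ... } set


def parse_avc(line):
    """Return the parts of one 'type=AVC ... denied' record, or None for any other record."""
    if not line.startswith("type=AVC") or "denied" not in line:
        return None
    perms = PERMS_RE.search(line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not perms or "scontext" not in fields or "tcontext" not in fields:
        return None
    # A context is user:role:type[:range]; policy rules are written against the type.
    return {
        "perms": set(perms.group(1).split()),
        "comm": fields.get("comm", ""),
        "stype": fields["scontext"].split(":")[2],
        "trole": fields["tcontext"].split(":")[1],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def audit2allow_rules(log_text):
    """Collapse denials into audit2allow-style allow rules, one per (source, target, class)."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            wanted[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def proc_walk_domains(log_text):
    """Map each source domain to the *process* domains (tcontext role other than object_r)
    whose /proc entries it was denied on. A long list means the program enumerates every
    process the way ps does; the thread's fix for that is a domain transition (or
    domain_read_all_domains_state()), not one allow rule per domain it happened to see."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["trole"] != "object_r" and rec["tclass"] in ("dir", "file"):
            touched[rec["stype"]].add(rec["ttype"])
    return {stype: sorted(ttypes) for stype, ttypes in touched.items()}


if __name__ == "__main__":
    for rule in audit2allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for stype, ttypes in proc_walk_domains(SAMPLE_AUDIT_LOG).items():
        print(f"{stype} reads other domains' /proc entries: {', '.join(ttypes)}")
```

Run against a real /var/log/audit/audit.log, the second report is the quick test for whether a confined program is enumerating processes; when it is, the generated allow list will never converge, which is exactly what the original poster saw.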