Hi Dan,

The audit logs do not have any entry for setroubleshoot. However, when I manually try to execute the setroubleshoot command I can see the same denial:

[root@nw043b-vcma1 ~]# /usr/sbin/setroubleshootd
[root@nw043b-vcma1 ~]# org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")

Running audit2allow shows the following...

#============= init_t ==============
allow init_t fixed_disk_device_t:blk_file getattr;
allow init_t fs_t:filesystem getattr;
allow init_t net_conf_t:file { read getattr open };
allow init_t proc_net_t:file { read getattr open };
allow init_t self:tcp_socket ioctl;

#============= initrc_t ==============
#!!!! The source type 'initrc_t' can write to a 'dir' of the following types:
# var_log_t, ipsec_var_run_t, ricci_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t, dirsrv_var_run_t, snmpd_var_lib_t, udev_var_run_t, virt_var_lib_t, var_lib_nfs_t, plat_conf_t, mysqld_db_t, cisco_etc_t, named_conf_t, system_dbusd_var_lib_t, initrc_tmp_t, sanlock_var_run_t, common_t, bin_t, boot_t, cert_t, mnt_t, root_t, snmp_t, tmp_t, usr_t, var_t, device_t, etc_t, fonts_t, ibm_t, tmpfs_t, lockfile, etc_mail_t, core_log_t, initrc_state_t, postgresql_db_t, alsa_etc_rw_t, gconf_etc_t, var_spool_t, virt_cache_t, plat_log_t, var_lib_t, var_run_t, dhcpc_state_t, faillog_t, system_cron_spool_t, squid_log_t, opt_ibm_t, svc_svc_t

allow initrc_t cm_lib_t:dir { write add_name };
allow initrc_t cm_lib_t:file { write create };
allow initrc_t db_t:file lock;
allow initrc_t db_t:lnk_file unlink;
allow initrc_t db_t:sock_file unlink;
allow initrc_t plat_bin_t:file setattr;
allow initrc_t self:sem getattr;

#============= insmod_t ==============
allow insmod_t ipprefsd_t:unix_stream_socket { read write };

#============= readahead_t ==============
allow readahead_t os_t:file { read getattr open };

[root@nw043b-vcma1 ~]# /usr/sbin/setroubleshootd
[root@nw043b-vcma1 ~]# org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")

On a physical system this behavior is not observed.

Thanks,
Anamitra

On 3/26/13 12:27 PM, "Daniel J Walsh" <dwalsh@xxxxxxxxxx> wrote:

>On 03/26/2013 03:23 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>> Hi Dan,
>>
>> Thanks for your prompt response.
>>
>> Yes we have removed unconfined.pp from our system.
>>
>> And here are the outputs for the ps command
>>
>> [root@nw043b-vcma1 ~]# ps -eZ | grep sedispatch
>> system_u:system_r:audisp_t:s0 30135 ? 00:00:11 sedispatch
>> [root@nw043b-vcma1 ~]#
>> [root@nw043b-vcma1 ~]# ps -eZ | grep setroubleshootd
>> [root@nw043b-vcma1 ~]#
>>
>
>Those look correct, is there a chance setroubleshootd is blowing up.
>sedispatch sending a dbus message should activate it.
>
>grep setroubleshoot /var/log/audit/audit.log
>
>Writing policy for vmtoolsd, would require something like
>
>sepolgen PATHTO/vmtoolsd
>
>to start
>
>> What kind of policies do we need to add for vmtoolsd ?
>>
>> Thanks, Anamitra
>>
>> On 3/26/13 12:08 PM, "Daniel J Walsh" <dwalsh@xxxxxxxxxx> wrote:
>>
>> Are you running this with unconfined.pp disabled? Looks like you need
>> policy for vmtoolsd.
>>
>> I was looking for auditd_t or setroubleshootd avc's.
>>
>> ps -eZ | grep sedispatch
>> ps -eZ | grep setroubleshootd
>>
>> sedispatch sends avc messages via dbus to setroubleshootd, if
>> setroubleshootd gets an AVC about itself, it will drop it on the floor,
>>
>> On 03/26/2013 03:01 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>>> Hi Dan,
>>>>>
>>>>> Yes there are many denials being seen. Here is an output from
>>>>> ausearch....
>>>>>
>>>>> time->Tue Mar 26 13:58:16 2013 type=SYSCALL
>>>>> msg=audit(1364324296.810:915270): arch=c000003e syscall=16
>>>>> success=yes exit=0 a0=15 a1=8912 a2=7ffffa54bf90 a3=0 items=0 ppid=1
>>>>> pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd"
>>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>>> msg=audit(1364324296.810:915270): avc: denied { ioctl } for
>>>>> pid=18992 comm="vmtoolsd" path="socket:[2348604]" dev=sockfs
>>>>> ino=2348604 scontext=system_u:system_r:init_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=tcp_socket ---- time->Tue
>>>>> Mar 26 13:58:26 2013 type=PATH msg=audit(1364324306.076:915272):
>>>>> item=0 name="/" inode=2 dev=08:01 mode=040555 ouid=0 ogid=0
>>>>> rdev=00:00 obj=system_u:object_r:root_t:s0 type=CWD
>>>>> msg=audit(1364324306.076:915272): cwd="/" type=SYSCALL
>>>>> msg=audit(1364324306.076:915272): arch=c000003e syscall=137
>>>>> success=yes exit=0 a0=c45530 a1=7ffffa54c150 a2=1 a3=2 items=1 ppid=1
>>>>> pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd"
>>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>>> msg=audit(1364324306.076:915272): avc: denied { getattr } for
>>>>> pid=18992 comm="vmtoolsd" name="/" dev=sda1 ino=2
>>>>> scontext=system_u:system_r:init_t:s0
>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem ---- time->Tue
>>>>> Mar 26 13:58:26 2013 type=PATH msg=audit(1364324306.075:915271):
>>>>> item=0 name="/dev/sda1" inode=5938 dev=00:05 mode=060660 ouid=0
>>>>> ogid=6 rdev=08:01 obj=system_u:object_r:fixed_disk_device_t:s0
>>>>> type=CWD msg=audit(1364324306.075:915271): cwd="/" type=SYSCALL
>>>>> msg=audit(1364324306.075:915271): arch=c000003e syscall=4
>>>>> success=yes exit=0 a0=c7d0b0 a1=7ffffa54c110 a2=7ffffa54c110 a3=a
>>>>> items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>> comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>>> msg=audit(1364324306.075:915271): avc: denied { getattr } for
>>>>> pid=18992 comm="vmtoolsd" path="/dev/sda1" dev=devtmpfs ino=5938
>>>>> scontext=system_u:system_r:init_t:s0
>>>>> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>>>>> ---- time->Tue Mar 26 13:58:26 2013 type=PATH
>>>>> msg=audit(1364324306.080:915273): item=0 name="/proc/net/dev"
>>>>> inode=4026531979 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
>>>>> obj=system_u:object_r:proc_net_t:s0 type=CWD
>>>>> msg=audit(1364324306.080:915273): cwd="/" type=SYSCALL
>>>>> msg=audit(1364324306.080:915273): arch=c000003e syscall=2
>>>>> success=yes exit=22 a0=7f783bc0e159 a1=0 a2=1b6 a3=0 items=1 ppid=1
>>>>> pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd"
>>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>>> msg=audit(1364324306.080:915273): avc: denied { open } for
>>>>> pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979
>>>>> scontext=system_u:system_r:init_t:s0
>>>>> tcontext=system_u:object_r:proc_net_t:s0 tclass=file type=AVC
>>>>> msg=audit(1364324306.080:915273): avc: denied { read } for
>>>>> pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979
>>>>> scontext=system_u:system_r:init_t:s0
>>>>> tcontext=system_u:object_r:proc_net_t:s0 tclass=file ---- time->Tue
>>>>> Mar 26 13:58:26 2013 type=SYSCALL msg=audit(1364324306.081:915274):
>>>>> arch=c000003e syscall=5 success=yes exit=0 a0=16 a1=7ffffa547f10
>>>>> a2=7ffffa547f10 a3=0 items=0 ppid=1 pid=18992 auid=4294967295 uid=0
>>>>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>>>>> ses=4294967295 comm="vmtoolsd"
>>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>>> msg=audit(1364324306.081:915274): avc: denied { getattr } for
>>>>> pid=18992 comm="vmtoolsd" path="/proc/18992/net/dev" dev=proc
>>>>> ino=4026531979 scontext=system_u:system_r:init_t:s0
>>>>> tcontext=system_u:object_r:proc_net_t:s0 tclass=file ---- time->Tue
>>>>> Mar 26 13:58:26 2013 type=PATH msg=audit(1364324306.082:915275):
>>>>> item=0 name="/etc/resolv.conf" inode=654095 dev=08:01 mode=0100644
>>>>> ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0
>>>>> type=CWD msg=audit(1364324306.082:915275): cwd="/" type=SYSCALL
>>>>> msg=audit(1364324306.082:915275): arch=c000003e syscall=2
>>>>> success=yes exit=21 a0=7f78443317fa a1=0 a2=1b6 a3=2 items=1 ppid=1
>>>>> pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd"
>>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>>> msg=audit(1364324306.082:915275): avc: denied { open } for
>>>>> pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095
>>>>> scontext=system_u:system_r:init_t:s0
>>>>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file type=AVC
>>>>> msg=audit(1364324306.082:915275): avc: denied { read } for
>>>>> pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095
>>>>> scontext=system_u:system_r:init_t:s0
>>>>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file ---- time->Tue
>>>>> Mar 26 13:58:26 2013 type=SYSCALL msg=audit(1364324306.083:915276):
>>>>> arch=c000003e syscall=5 success=yes exit=0 a0=15 a1=7ffffa549e80
>>>>> a2=7ffffa549e80 a3=2 items=0 ppid=1 pid=18992 auid=4294967295 uid=0
>>>>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>>>>> ses=4294967295 comm="vmtoolsd"
>>>>> exe="/usr/lib/vmware-tools/sbin64/vmtoolsd"
>>>>> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
>>>>> msg=audit(1364324306.083:915276): avc: denied { getattr } for
>>>>> pid=18992 comm="vmtoolsd" path="/etc/resolv.conf" dev=sda1
>>>>> ino=654095 scontext=system_u:system_r:init_t:s0
>>>>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>>>>>
>>>>> Thanks, Anamitra
>>>>>
>>>>> On 3/26/13 11:55 AM, "Daniel J Walsh" <dwalsh@xxxxxxxxxx> wrote:
>>>>>
>>>>> On 03/26/2013 12:50 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>>>>>>
>>>>>>>> On one of our systems we see that the syslog/messages file has
>>>>>>>> been flooded with the following messages
>>>>>>>>
>>>>>>>> r 25 18:07:56 nw043b-vcma1 user 3 sedispatch: Connection Error
>>>>>>>> (An SELinux policy prevents this sender from sending this
>>>>>>>> message to this recipient (rejected message had sender
>>>>>>>> "(unset)" interface "org.freedesktop.DBus" member "Hello" error
>>>>>>>> name "(unset)" destination "org.freedesktop.DBus")): AVC Will
>>>>>>>> be dropped Mar 25 18:07:56 nw043b-vcma1 user 3 sedispatch:
>>>>>>>> Connection Error (An SELinux policy prevents this sender from
>>>>>>>> sending this message to this recipient (rejected message had
>>>>>>>> sender "(unset)" interface "org.freedesktop.DBus" member
>>>>>>>> "Hello" error name "(unset)" destination
>>>>>>>> "org.freedesktop.DBus")): AVC Will be dropped Mar 25 18:07:56
>>>>>>>> nw043b-vcma1 user 3 sedispatch: Connection Error (An SELinux
>>>>>>>> policy prevents this sender from sending this message to this
>>>>>>>> recipient (rejected message had sender "(unset)" interface
>>>>>>>> "org.freedesktop.DBus" member "Hello" error name "(unset)"
>>>>>>>> destination "org.freedesktop.DBus")): AVC Will be dropped
>>>>>>>>
>>>>>>>> We are on RHEL6.2 and running in permissive mode.
>>>>>>>>
>>>>>>>> Here are the versions of the selinux related rpms.
>>>>>>>>
>>>>>>>> [root@nw043b-vcma1 vos]# rpm -qa | grep selinux
>>>>>>>> selinux-policy-3.7.19-126.el6.noarch
>>>>>>>> libselinux-2.0.94-5.2.el6.i686
>>>>>>>> libselinux-2.0.94-5.2.el6.x86_64
>>>>>>>> selinux-policy-targeted-3.7.19-126.el6.noarch
>>>>>>>> libselinux-utils-2.0.94-5.2.el6.i686
>>>>>>>> libselinux-utils-2.0.94-5.2.el6.x86_64
>>>>>>>> libselinux-python-2.0.94-5.2.el6.x86_64
>>>>>>>> [root@nw043b-vcma1 vos]# rpm -qa | grep setro
>>>>>>>> setroubleshoot-server-3.0.38-2.1.el6.x86_64
>>>>>>>> setroubleshoot-plugins-3.0.16-1.el6.noarch
>>>>>>>>
>>>>>>>> What could be the root cause of these messages.
>>>>>>>>
>>>>>>>> Thanks, Anamitra
>>>>>>>>
>>>>> Are you seeing lots of AVC messages?
>>>>>
>>>>> ausearch -m avc -ts recent
>>>>>
>>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
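
Added example, not part of the original thread: a Python script that groups AVC denials like those quoted above by command and source domain, then renders audit2allow-style rules. The sample records are abridged from the quoted ausearch output; the function names and the GENERIC_DOMAINS set are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records abridged from the ausearch output quoted in
# the thread, rejoined to one record per line (path/dev/ino fields dropped).
SAMPLE = """\
type=AVC msg=audit(1364324296.810:915270): avc: denied { ioctl } for pid=18992 comm="vmtoolsd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=tcp_socket
type=AVC msg=audit(1364324306.076:915272): avc: denied { getattr } for pid=18992 comm="vmtoolsd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1364324306.075:915271): avc: denied { getattr } for pid=18992 comm="vmtoolsd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1364324306.080:915273): avc: denied { open } for pid=18992 comm="vmtoolsd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1364324306.080:915273): avc: denied { read } for pid=18992 comm="vmtoolsd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumption: domains a daemon stays in when no policy module gives it its own.
GENERIC_DOMAINS = {"init_t", "initrc_t"}

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(text):
    """Map (comm, source type) -> (target type, class) -> denied permissions."""
    out = defaultdict(lambda: defaultdict(set))
    for m in AVC_RE.finditer(text):
        key = (m["comm"], selinux_type(m["scon"]))
        target = (selinux_type(m["tcon"]), m["tclass"])
        out[key][target].update(m["perms"].split())
    return out

def needs_own_domain(summary):
    """Commands whose denials are charged to a generic init domain."""
    return sorted({comm for comm, stype in summary if stype in GENERIC_DOMAINS})

def allow_rules(summary):
    """Render audit2allow-style rules (permissions sorted alphabetically)."""
    rules = []
    for (_comm, stype), targets in sorted(summary.items()):
        for (ttype, tclass), perms in sorted(targets.items()):
            p = sorted(perms)
            body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
            tgt = "self" if ttype == stype else ttype
            rules.append(f"allow {stype} {tgt}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE))))
```

Every rule lands on init_t, so loading these as-is would grant the access to anything running in init_t; a dedicated domain for vmtoolsd, as suggested in the thread, scopes it to that daemon.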