On 03/26/2013 03:23 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Dan,
>
> Thanks for your prompt response.
>
> Yes we have removed unconfined.pp from our system.
>
> And here are the outputs for the ps command
>
> [root@nw043b-vcma1 ~]# ps -eZ | grep sedispatch
> system_u:system_r:audisp_t:s0 30135 ? 00:00:11 sedispatch
> [root@nw043b-vcma1 ~]#
> [root@nw043b-vcma1 ~]# ps -eZ | grep setroubleshootd
> [root@nw043b-vcma1 ~]#
>
Those look correct. Is there a chance setroubleshootd is blowing up?

sedispatch sending a dbus message should activate it.

grep setroubleshoot /var/log/audit/audit.log

Writing policy for vmtoolsd would require something like

sepolgen PATHTO/vmtoolsd

to start

> What kind of policies do we need to add for vmtoolsd ?
>
> Thanks,
> Anamitra
>
> On 3/26/13 12:08 PM, "Daniel J Walsh" <dwalsh@xxxxxxxxxx> wrote:
>
> Are you running this with unconfined.pp disabled? Looks like you need
> policy for vmtoolsd.
>
> I was looking for auditd_t or setroubleshootd avc's.
>
> ps -eZ | grep sedispatch
> ps -eZ | grep setroubleshootd
>
> sedispatch sends avc messages via dbus to setroubleshootd, if
> setroubleshootd gets an AVC about itself, it will drop it on the floor,
>
>
> On 03/26/2013 03:01 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>> Hi Dan,
>>>>
>>>> Yes there are many denials being seen. Here is an output from
>>>> ausearch....
>>>>
>>>> time->Tue Mar 26 13:58:16 2013
>>>> type=SYSCALL msg=audit(1364324296.810:915270): arch=c000003e syscall=16 success=yes exit=0 a0=15 a1=8912 a2=7ffffa54bf90 a3=0 items=0 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
>>>> type=AVC msg=audit(1364324296.810:915270): avc: denied { ioctl } for pid=18992 comm="vmtoolsd" path="socket:[2348604]" dev=sockfs ino=2348604 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=tcp_socket
>>>> ----
>>>> time->Tue Mar 26 13:58:26 2013
>>>> type=PATH msg=audit(1364324306.076:915272): item=0 name="/" inode=2 dev=08:01 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0
>>>> type=CWD msg=audit(1364324306.076:915272): cwd="/"
>>>> type=SYSCALL msg=audit(1364324306.076:915272): arch=c000003e syscall=137 success=yes exit=0 a0=c45530 a1=7ffffa54c150 a2=1 a3=2 items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
>>>> type=AVC msg=audit(1364324306.076:915272): avc: denied { getattr } for pid=18992 comm="vmtoolsd" name="/" dev=sda1 ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>> ----
>>>> time->Tue Mar 26 13:58:26 2013
>>>> type=PATH msg=audit(1364324306.075:915271): item=0 name="/dev/sda1" inode=5938 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:01 obj=system_u:object_r:fixed_disk_device_t:s0
>>>> type=CWD msg=audit(1364324306.075:915271): cwd="/"
>>>> type=SYSCALL msg=audit(1364324306.075:915271): arch=c000003e syscall=4 success=yes exit=0 a0=c7d0b0 a1=7ffffa54c110 a2=7ffffa54c110 a3=a items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
>>>> type=AVC msg=audit(1364324306.075:915271): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/dev/sda1" dev=devtmpfs ino=5938 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>>>> ----
>>>> time->Tue Mar 26 13:58:26 2013
>>>> type=PATH msg=audit(1364324306.080:915273): item=0 name="/proc/net/dev" inode=4026531979 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0
>>>> type=CWD msg=audit(1364324306.080:915273): cwd="/"
>>>> type=SYSCALL msg=audit(1364324306.080:915273): arch=c000003e syscall=2 success=yes exit=22 a0=7f783bc0e159 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
>>>> type=AVC msg=audit(1364324306.080:915273): avc: denied { open } for pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
>>>> type=AVC msg=audit(1364324306.080:915273): avc: denied { read } for pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
>>>> ----
>>>> time->Tue Mar 26 13:58:26 2013
>>>> type=SYSCALL msg=audit(1364324306.081:915274): arch=c000003e syscall=5 success=yes exit=0 a0=16 a1=7ffffa547f10 a2=7ffffa547f10 a3=0 items=0 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
>>>> type=AVC msg=audit(1364324306.081:915274): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/proc/18992/net/dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
>>>> ----
>>>> time->Tue Mar 26 13:58:26 2013
>>>> type=PATH msg=audit(1364324306.082:915275): item=0 name="/etc/resolv.conf" inode=654095 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0
>>>> type=CWD msg=audit(1364324306.082:915275): cwd="/"
>>>> type=SYSCALL msg=audit(1364324306.082:915275): arch=c000003e syscall=2 success=yes exit=21 a0=7f78443317fa a1=0 a2=1b6 a3=2 items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
>>>> type=AVC msg=audit(1364324306.082:915275): avc: denied { open } for pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>>>> type=AVC msg=audit(1364324306.082:915275): avc: denied { read } for pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>>>> ----
>>>> time->Tue Mar 26 13:58:26 2013
>>>> type=SYSCALL msg=audit(1364324306.083:915276): arch=c000003e syscall=5 success=yes exit=0 a0=15 a1=7ffffa549e80 a2=7ffffa549e80 a3=2 items=0 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null)
>>>> type=AVC msg=audit(1364324306.083:915276): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/etc/resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>>>>
>>>> Thanks,
>>>> Anamitra
>>>>
>>>> On 3/26/13 11:55 AM, "Daniel J Walsh" <dwalsh@xxxxxxxxxx> wrote:
>>>>
>>>> On 03/26/2013 12:50 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>>>>>
>>>>>>> On one of our systems we see that the syslog/messages file has
>>>>>>> been flooded with the following messages
>>>>>>>
>>>>>>> r 25 18:07:56 nw043b-vcma1 user 3 sedispatch: Connection Error (An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")): AVC Will be dropped
>>>>>>> Mar 25 18:07:56 nw043b-vcma1 user 3 sedispatch: Connection Error (An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")): AVC Will be dropped
>>>>>>> Mar 25 18:07:56 nw043b-vcma1 user 3 sedispatch: Connection Error (An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")): AVC Will be dropped
>>>>>>>
>>>>>>> We are on RHEL6.2 and running in permissive mode.
>>>>>>>
>>>>>>> Here are the versions of the selinux related rpms.
>>>>>>>
>>>>>>> root@nw043b-vcma1 vos]# rpm -qa | grep selinux
>>>>>>> selinux-policy-3.7.19-126.el6.noarch
>>>>>>> libselinux-2.0.94-5.2.el6.i686
>>>>>>> libselinux-2.0.94-5.2.el6.x86_64
>>>>>>> selinux-policy-targeted-3.7.19-126.el6.noarch
>>>>>>> libselinux-utils-2.0.94-5.2.el6.i686
>>>>>>> libselinux-utils-2.0.94-5.2.el6.x86_64
>>>>>>> libselinux-python-2.0.94-5.2.el6.x86_64
>>>>>>> [root@nw043b-vcma1 vos]# rpm -qa | grep setro
>>>>>>> setroubleshoot-server-3.0.38-2.1.el6.x86_64
>>>>>>> setroubleshoot-plugins-3.0.16-1.el6.noarch
>>>>>>>
>>>>>>> What could be the root cause of these messages.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Anamitra
>>>>>>>
>>>> Are you seeing lots of AVC messages?
>>>>
>>>> ausearch -m avc -ts recent
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux