Hi Dan, Yes, there are many denials being seen. Here is the output from ausearch; every denial shown is for vmtoolsd running in the init_t domain, and each syscall still reports success=yes because we are running in permissive mode: time->Tue Mar 26 13:58:16 2013 type=SYSCALL msg=audit(1364324296.810:915270): arch=c000003e syscall=16 success=yes exit=0 a0=15 a1=8912 a2=7ffffa54bf90 a3=0 items=0 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1364324296.810:915270): avc: denied { ioctl } for pid=18992 comm="vmtoolsd" path="socket:[2348604]" dev=sockfs ino=2348604 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=tcp_socket ---- time->Tue Mar 26 13:58:26 2013 type=PATH msg=audit(1364324306.076:915272): item=0 name="/" inode=2 dev=08:01 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0 type=CWD msg=audit(1364324306.076:915272): cwd="/" type=SYSCALL msg=audit(1364324306.076:915272): arch=c000003e syscall=137 success=yes exit=0 a0=c45530 a1=7ffffa54c150 a2=1 a3=2 items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1364324306.076:915272): avc: denied { getattr } for pid=18992 comm="vmtoolsd" name="/" dev=sda1 ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem ---- time->Tue Mar 26 13:58:26 2013 type=PATH msg=audit(1364324306.075:915271): item=0 name="/dev/sda1" inode=5938 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:01 obj=system_u:object_r:fixed_disk_device_t:s0 type=CWD msg=audit(1364324306.075:915271): cwd="/" type=SYSCALL msg=audit(1364324306.075:915271): arch=c000003e syscall=4 success=yes exit=0 a0=c7d0b0 a1=7ffffa54c110 a2=7ffffa54c110 a3=a items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1364324306.075:915271): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/dev/sda1" dev=devtmpfs ino=5938 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file ---- time->Tue Mar 26 13:58:26 2013 type=PATH msg=audit(1364324306.080:915273): item=0 name="/proc/net/dev" inode=4026531979 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0 type=CWD msg=audit(1364324306.080:915273): cwd="/" type=SYSCALL msg=audit(1364324306.080:915273): arch=c000003e syscall=2 success=yes exit=22 a0=7f783bc0e159 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1364324306.080:915273): avc: denied { open } for pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file type=AVC msg=audit(1364324306.080:915273): avc: denied { read } for pid=18992 comm="vmtoolsd" name="dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file ---- time->Tue Mar 26 13:58:26 2013 type=SYSCALL msg=audit(1364324306.081:915274): arch=c000003e syscall=5 success=yes exit=0 a0=16 a1=7ffffa547f10 a2=7ffffa547f10 a3=0 items=0 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1364324306.081:915274): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/proc/18992/net/dev" dev=proc ino=4026531979 scontext=system_u:system_r:init_t:s0 
tcontext=system_u:object_r:proc_net_t:s0 tclass=file ---- time->Tue Mar 26 13:58:26 2013 type=PATH msg=audit(1364324306.082:915275): item=0 name="/etc/resolv.conf" inode=654095 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 type=CWD msg=audit(1364324306.082:915275): cwd="/" type=SYSCALL msg=audit(1364324306.082:915275): arch=c000003e syscall=2 success=yes exit=21 a0=7f78443317fa a1=0 a2=1b6 a3=2 items=1 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1364324306.082:915275): avc: denied { open } for pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file type=AVC msg=audit(1364324306.082:915275): avc: denied { read } for pid=18992 comm="vmtoolsd" name="resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file ---- time->Tue Mar 26 13:58:26 2013 type=SYSCALL msg=audit(1364324306.083:915276): arch=c000003e syscall=5 success=yes exit=0 a0=15 a1=7ffffa549e80 a2=7ffffa549e80 a3=2 items=0 ppid=1 pid=18992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmtoolsd" exe="/usr/lib/vmware-tools/sbin64/vmtoolsd" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1364324306.083:915276): avc: denied { getattr } for pid=18992 comm="vmtoolsd" path="/etc/resolv.conf" dev=sda1 ino=654095 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file Thanks, Anamitra On 3/26/13 11:55 AM, "Daniel J Walsh" <dwalsh@xxxxxxxxxx> wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On 03/26/2013 12:50 PM, Anamitra Dutta Majumdar (anmajumd) wrote: >> >> On one of our system we see that the syslog/messages file 
has been >>flooded >> with the following messages >> >> Mar 25 18:07:56 nw043b-vcma1 user 3 sedispatch: Connection Error (An >>SELinux >> policy prevents this sender from sending this message to this recipient >> (rejected message had sender "(unset)" interface "org.freedesktop.DBus" >> member "Hello" error name "(unset)" destination >>"org.freedesktop.DBus")): >> AVC Will be dropped Mar 25 18:07:56 nw043b-vcma1 user 3 sedispatch: >> Connection Error (An SELinux policy prevents this sender from sending >>this >> message to this recipient (rejected message had sender "(unset)" >>interface >> "org.freedesktop.DBus" member "Hello" error name "(unset)" destination >> "org.freedesktop.DBus")): AVC Will be dropped Mar 25 18:07:56 >>nw043b-vcma1 >> user 3 sedispatch: Connection Error (An SELinux policy prevents this >>sender >> from sending this message to this recipient (rejected message had sender >> "(unset)" interface "org.freedesktop.DBus" member "Hello" error name >> "(unset)" destination "org.freedesktop.DBus")): AVC Will be dropped >> >> >> >> We are on RHEL6.2 and running in permissive mode. >> >> Here are the versions of the selinux related rpms. >> >> [root@nw043b-vcma1 vos]# rpm -qa | grep selinux >> selinux-policy-3.7.19-126.el6.noarch libselinux-2.0.94-5.2.el6.i686 >> libselinux-2.0.94-5.2.el6.x86_64 >> selinux-policy-targeted-3.7.19-126.el6.noarch >> libselinux-utils-2.0.94-5.2.el6.i686 >> libselinux-utils-2.0.94-5.2.el6.x86_64 >> libselinux-python-2.0.94-5.2.el6.x86_64 [root@nw043b-vcma1 vos]# rpm >>-qa | >> grep setro setroubleshoot-server-3.0.38-2.1.el6.x86_64 >> setroubleshoot-plugins-3.0.16-1.el6.noarch >> >> What could be the root cause of these messages? >> >> Thanks, Anamitra >> >> >> >Are you seeing lots of AVC messages? 
> >ausearch -m avc -ts recent > > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.13 (GNU/Linux) >Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > >iEYEARECAAYFAlFR7woACgkQrlYvE4MpobMh1QCfWpUjoLmwWZCP9gXLKbrITyZj >xZUAnjYxpQwqUE6sJ941oeBN7qX/KsAP >=Gw0k >-----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux