Re: Unable to use audit2allow on avc denials

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




----- Original Message -----
> From: "Matthew Wilkinson" <MatthewWilkinson@xxxxxxxxxxxxxxxxx>
> To: "Lukas Vrabec" <lvrabec@xxxxxxxxxx>, selinux@xxxxxxxxxxxxxxxxxxxxxxx, "Zdenek Pytela" <zpytela@xxxxxxxxxx>
> Sent: Wednesday, September 20, 2017 7:06:16 AM
> Subject: RE: Unable to use audit2allow on avc denials
> 
> Sure thing, here is the AVC in the /var/log/messages file. I don't see this
> in /var/log/audit/audit.log but I see other logs in there.
> 
> Sep 20 09:03:14 redacted kernel: type=1400 audit(1505916193.999:16716): avc:
> denied  { read } for  pid=33245 comm="in:imfile" name="named.log"
> dev="dm-9" ino=143 scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:named_cache_t:s0 tclass=file
> 

Why is named.log in the /var/cache directory? Should it not be in /var/log?

This might explain why you are getting the SELinux warning

> Srangely, auditd doesn't seem to be running and systemctl can't interact with
> it. Possibly because of a dependency
> 
> Failed to stop auditd.service: Operation refused, unit auditd.service may be
> requested by dependency only.
> See system logs and 'systemctl status auditd.service' for details.
> 
> ● auditd.service - Security Auditing Service
>    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor
>    preset: enabled)
>    Active: failed (Result: exit-code) since Wed 2017-09-13 14:06:04 CDT; 6
>    days ago
>      Docs: man:auditd(8)
>            https://people.redhat.com/sgrubb/audit/
>   Process: 911 ExecStartPost=/sbin/augenrules --load (code=exited,
>   status=0/SUCCESS)
>   Process: 910 ExecStart=/sbin/auditd -n (code=exited, status=6)
>  Main PID: 910 (code=exited, status=6)
> 
> Warning: Journal has been rotated since unit was started. Log output is
> incomplete or unavailable.
> 
> --Matthew Wilkinson
> 
> 
> -----Original Message-----
> From: Lukas Vrabec [mailto:lvrabec@xxxxxxxxxx]
> Sent: Wednesday, September 20, 2017 01:55
> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Unable to use audit2allow on avc denials
> 
> [This is an external email. Be cautious with links, attachments and
> responses.]
> 
> **********************************************************************
> On 09/20/2017 08:09 AM, Zdenek Pytela wrote:
> > 
> > 
> > On Mon, Sep 18, 2017 at 6:55 PM, Wilkinson, Matthew
> > <MatthewWilkinson@xxxxxxxxxxxxxxxxx
> > <mailto:MatthewWilkinson@xxxxxxxxxxxxxxxxx>> wrote:
> > 
> >     Has anyone seen SELinux log to /var/log/messages but *not* to
> >     /var/log/audit/audit.log? I have a situation that is being denied by
> >     SELinux and logging avc denials to /var/log/messages, however I
> >     can't determine a way to fix it because I get nothing for this
> >     denial logged to /var/log/audit/audit.log. This prevents me from
> >     generating a policy using audit2allow or sealert.
> > 
> >     Situation: I have a RHEL 7-based server which is running bind-chroot
> >     and I'd like for rsyslog to collect and send the named.log and
> >     query.log to our centralized rsyslog server. With SELinux in
> >     enforcing mode, rsyslog cannot read the named logs.
> > 
> >     Do I need to write my own custom SELinux policy?
> > 
> > Hi Matthew,
> > 
> > I am afraid a new policy would not help you. Is auditd running and
> > writing other events (like intentionally triggered ones) to the audit.log?
> > 
> 
> Good question, is auditd running and writing other events? Also, it will be
> very helpful if you attach your AVC. There can be situation when auditd is
> not running yet during boot, so AVCs are logged into journal/syslog.
> 
> Please attach AVC and we can move forward.
> 
> Lukas.
> 
> 
> > Subsequent question, how the AVC's look like? Creating a policy module
> > might not be the best solution to your problem.
> > 
> > --
> > 
> > Zdenek Pytela, Technical support engineer and team lead Customer
> > Engagement and Experience, Red Hat Czech
> > E-mail: zpytela@xxxxxxxxxx <mailto:zpytela@xxxxxxxxxx>, IRC: zpytela
> > 
> > 
> > _______________________________________________
> > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe
> > send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > 
> 
> 
> --
> Lukas Vrabec
> Software Engineer, Security Technologies Red Hat, Inc.
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send
> an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> 

-- 
Simon Sekidde 
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux