Marius Ghita <ghita.v.marius@xxxxxxxxx> writes:
> I have the following audit message
>
> Raw Audit Messages
> type=AVC msg=audit(1687022594.74:347): avc: denied { mmap_zero } for
> pid=3953 comm="check" scontext=system_u:system_r:spc_t:s0
> tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0
>
spc_t is used for privileged root mode containers
> This warning gets triggered from time to time around system startup, and I
> cannot find the process involved. The name check is too generic to use the
> locate command and the process is no longer running by the time I would
> have the chance to peek at the PID.
>
auditd is configured to suppress audit event generation by default:
# auditctl -l
-a never,task
It means that you see only AVC type in audit log, e.g:
# ausearch -m avc -ts recent
----
time->Tue Jun 20 05:44:14 2023
type=AVC msg=audit(1687254254.954:409): avc: denied { entrypoint } for pid=1307 comm="runcon" path="/usr/bin/ls" dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
In order to get more information related to AVC you need to drop
"never,task" rule:
# auditctl -D
After that new audit events will contain more information:
# ausearch -m avc -ts 05:48:02
----
type=PROCTITLE msg=audit(06/20/2023 05:48:04.898:416) : proctitle=runcon -u system_u -r system_r -t httpd_t -- /bin/ls
type=SYSCALL msg=audit(06/20/2023 05:48:04.898:416) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffcc618b5df a1=0x7ffcc6189488 a2=0x7ffcc6189498 a3=0x60 items=0 ppid=1207 pid=1323 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/20/2023 05:48:04.898:416) : avc: denied { entrypoint } for pid=1323 comm=runcon path=/usr/bin/ls dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
You can also enable a full auditing and get even more information:
# auditctl -w /etc/shadow -p w
...
# ausearch -m avc -i -ts 05:52:02
----
type=PROCTITLE msg=audit(06/20/2023 05:52:31.059:419) : proctitle=runcon -u system_u -r system_r -t httpd_t -- /bin/ls
type=PATH msg=audit(06/20/2023 05:52:31.059:419) : item=0 name=/bin/ls inode=151456 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/20/2023 05:52:31.059:419) : cwd=/root
type=SYSCALL msg=audit(06/20/2023 05:52:31.059:419) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffc5b8945df a1=0x7ffc5b893708 a2=0x7ffc5b893718 a3=0x60 items=1 ppid=1207 pid=1335 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/20/2023 05:52:31.059:419) : avc: denied { entrypoint } for pid=1335 comm=runcon path=/usr/bin/ls dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
If you need this changes to be persistent you need to edit
/etc/audit/rules.d/audit.rules
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
