Hello,

I have updated with RHN using pup. Here is the info you have requested:

# getenforce
Enforcing

# yum list installed | grep selinux
libselinux.i386                    1.33.4-5.1.el5    installed
libselinux-devel.i386              1.33.4-5.1.el5    installed
libselinux-python.i386             1.33.4-5.1.el5    installed
libselinux-utils.i386              1.33.4-5.1.el5    installed
selinux-policy.noarch              2.4.6-203.el5     installed
selinux-policy-devel.noarch        2.4.6-203.el5     installed
selinux-policy-targeted.noarch     2.4.6-203.el5     installed

# service setroubleshoot status
Se esta ejecutando setroubleshootd (pid 2425)...

In /var/log/audit/audit.log there are a lot of logs with AVC:

... u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1236072678.050:68): avc: denied { write } for pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1236072738.057:69): avc: denied { write } for pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1236085050.837:8): avc: denied { write } for pid=2123 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=USER_TTY msg=audit(1236085103.658:21): user pid=2940 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='grep AVC audit.log '
type=AVC msg=audit(1236085110.848:22): avc: denied { write } for pid=2123 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=USE ...

But in the browser I don't see anything. I also think I used to log in the /var/log/messages with the explanation of the alert, but I don't see anything.

Thanks
ESG

2009/3/3 George Magklaras <georgios@xxxxxxxxxxxxx>

> Trusting that your getenforce shows Enforcing, I have upgraded a bunch of
> 5.2 to 5.3 and sealert is active for me, so I do not think the problem is
> specific to RHEL 5.3, maybe something peculiar with your configuration. What
> does
>
> yum list installed | grep selinux
>
> say to your upgraded systems? Is the setroubleshootd process running?
> Finally, what's the frequency of AVC messages in /var/log/audit/audit.log
> (cat /var/log/audit/audit.log | grep AVC) ?
>
> --
> George Magklaras BSc Hons MPhil
> RHCE:805008309135525
>
> Senior Computer Systems Engineer/UNIX-Linux Systems Administrator
> EMBnet Technical Management Board
> The Biotechnology Centre of Oslo,
> University of Oslo
> http://folk.uio.no/georgios
>
> a bv wrote:
>
>> what method have you used for upgrading the system version?
>>
>> Regards
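
The frequency question in the quoted reply can be answered more precisely than with grep AVC, which also matches the USER_TTY record that logged the grep command itself. The following Python is an added example, not part of the original thread; the function names parse_avc and summarize are hypothetical, and the sample records are the complete lines from the excerpt in the post. It anchors on type=AVC, groups denials by command, source type, permission, target type and class, and reports the gaps in seconds between repeats.

```python
import re
from collections import defaultdict

# Records copied from the audit.log excerpt in the post (complete lines only).
_AVC = ('type=AVC msg=audit(%s): avc: denied { write } for pid=%d '
        'comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 '
        'scontext=system_u:system_r:setroubleshootd_t:s0 '
        'tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file')
SAMPLE = "\n".join([
    _AVC % ("1236072678.050:68", 2130),
    _AVC % ("1236072738.057:69", 2130),
    _AVC % ("1236085050.837:8", 2123),
    "type=USER_TTY msg=audit(1236085103.658:21): user pid=2940 uid=0 auid=0 "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='grep AVC audit.log '",
    _AVC % ("1236085110.848:22", 2123),
])

# Anchor on the record type; a bare "grep AVC" also matches other records.
AVC_RE = re.compile(r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in f or "tcontext" not in f:
        return None  # truncated record
    # A context is user:role:type:level; the type is what policy rules name.
    return {"ts": float(m.group("ts")), "comm": f.get("comm"),
            "perms": tuple(m.group("perms").split()), "tclass": f.get("tclass"),
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2]}

def summarize(text):
    """Group denials by (comm, source type, perms, target type, class)."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (rec["comm"], rec["source"], rec["perms"], rec["target"], rec["tclass"])
        groups[key].append(rec["ts"])
    out = []
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [round(b - a) for a, b in zip(stamps, stamps[1:])]
        out.append({"key": key, "count": len(stamps), "gaps": gaps})
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

On the sample this yields a single group: one denial repeating at 60-second intervals within each boot, rather than many distinct problems.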