Help with an SELinux AVC event...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Title: Help with an SELinux AVC event...

Hi All,

I have a C application task called "sswd" on my Linux system, that opens up the /var/log/audit/audit.log file every 5 seconds, and checks to see if there are any new AVC denies.

I have had this same task doing the same thing for the last few years on a Linux system running selinux. And I have never seen these events in audit.log before complaining about the sswd task... I used to use older selinux packages, and ran the Fedora Core 7 'strict' policy together with some custom policies.

Recently we upgraded our SELinux packages to the very latest (similar to Fedora 12), and we are using Refpolicy as a base policy.

In the /var/log/audit/audit.log file, I see the following event pop up every 5 seconds, and I am guessing its because "sswd" tries to open up the audit.log file every 5 seconds for reading.

1. Can you help me understand what this event is really saying?
2. I have already taken the audit.log file, and used audit2allow to generate any allow rules necessary, but it didnt help to get rid of this particular event.
3. Can I add any specific policy allow lines or transition rules in my custom policy files to get rid of this repeated event ?

Thanks in advance.

The event that pops up every 5 seconds in audit.log is:

type=SYSCALL msg=audit(1262874266.422:260): arch=14 syscall=5 success=yes exit=24 a0=1002b9e4 a1=0 a2=1b6 a3=1b6 items=1 ppid=2463 pid=2794 auid=4294967295 uid=0 gid=601 euid=0 suid=0 fsuid=0 egid=601 sgid=601 fsgid=601 tty=(none) ses=4294967295 comm="sswd" exe="/usr/app/bin/sswd" subj=system_u:system_r:init_t:s0-s15:c0.c255 key="LOG_audit"
type=CWD msg=audit(1262874266.422:260):  cwd="/data"
type=PATH msg=audit(1262874266.422:260): item=0 name="/var/log/audit/audit.log" inode=2061 dev=fd:07 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t:s15:c0.c255

root@hapWibbSc2:/var/log/audit# ps -eZ | grep sswd
system_u:system_r:init_t:s0-s15:c0.c255 2781 ? 00:00:00 sswd

root@hapWibbSc2:/var/log/audit# cd /usr/app/bin
root@hapWibbSc2:/usr/app/bin# ls -l sswd
-rwxrwxr-x 1 root root 217204 Jan  1 07:49 sswd

root@hapWibbSc2:/usr/app/bin# cd /var/log/audit/
root@hapWibbSc2:/var/log/audit#
root@hapWibbSc2:/var/log/audit# ls -lZ
-rw-------  root root system_u:object_r:auditd_log_t:s15:c0.c255 audit.log

[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux