Hi all,

I'm trying to create a policy for pidgin and hit the following problem: When pidgin is started via the GNOME menu "Applications -> Internet -> Pidgin" then I get the following AVC:

type=1400 audit(1264870417.250:22382): avc: denied { search } for pid=9114 comm="pidgin" name="1" dev=proc ino=160141 scontext=unconfined_u:unconfined_r:pidgin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=1400 audit(1264870417.250:22382): avc: denied { read } for pid=9114 comm="pidgin" name="exe" dev=proc ino=160142 scontext=unconfined_u:unconfined_r:pidgin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file

At the moment I just don't audit the denials:

require {
        type init_t;
}
dontaudit pidgin_t init_t:dir search;
dontaudit pidgin_t init_t:lnk_file read;

What I would like to do is find out if pidgin itself is accessing /proc/1/exe or if it is a library. A simple "grep -R '/proc/' ./pidgin-source" does not provide any helpful output. My guess is that it is a leaked file descriptor because if I start pidgin from a shell, then I do not have this problem (I have a rule for user terminals and so on).

In summary, how can I find out which library or application part is causing an AVC? I know there won't be any magical way to find the exact part ;-) but some general rules or tips would be much appreciated. Sometimes I use strace, e.g. to find out that a library is doing a call I'm interested in, but this time strace does not help me.

So any comments/suggestions are very welcome.

cheers,
Stefan
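Added example, not part of the original post: a small Python parser that reads the two AVC records quoted above, reports which object each denial touched, and derives the matching dontaudit rules. The function names (parse_avc, dontaudit_rules) are hypothetical, and the sample input is constructed from the log lines in the message.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the post.
SAMPLE = """\
type=1400 audit(1264870417.250:22382): avc: denied { search } for pid=9114 comm="pidgin" name="1" dev=proc ino=160141 scontext=unconfined_u:unconfined_r:pidgin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=1400 audit(1264870417.250:22382): avc: denied { read } for pid=9114 comm="pidgin" name="exe" dev=proc ino=160142 scontext=unconfined_u:unconfined_r:pidgin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def _field(line, key):
    """Return the value of a key=value or key="value" field, or None."""
    m = re.search(rf'\b{key}="?([^"\s]+)"?', line)
    return m.group(1) if m else None

def _type_of(context):
    # Context is user:role:type[:level]; the level may contain more colons.
    return context.split(":")[2]

def parse_avc(text):
    """Return one dict per denial found in the audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        denials.append({
            "source": _type_of(m["scon"]), "target": _type_of(m["tcon"]),
            "tclass": m["tclass"], "perms": m["perms"].split(),
            "comm": _field(line, "comm"), "pid": _field(line, "pid"),
            "name": _field(line, "name"), "dev": _field(line, "dev"),
        })
    return denials

def dontaudit_rules(text):
    """Merge denials per (source, target, class) into dontaudit rules."""
    grouped = defaultdict(set)
    for d in parse_avc(text):
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"dontaudit {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    for d in parse_avc(SAMPLE):
        print(d["comm"], d["pid"], d["dev"], d["name"], d["tclass"], d["perms"])
    print("\n".join(dontaudit_rules(SAMPLE)))
```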