Re: SELinux Policy in OpenSUSE 11.2

On 02/16/2010 03:55 PM, Alan Rouse wrote:
> type=AVC msg=audit(1265904613.689:203): avc:  denied  { execstack } for  pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process
> type=AVC msg=audit(1265904613.690:204): avc:  denied  { execmem } for  pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process
> type=AVC msg=audit(1265904614.260:205): avc:  denied  { read write } for  pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
> type=AVC msg=audit(1265904614.260:206): avc:  denied  { open } for  pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
> type=AVC msg=audit(1265904614.261:207): avc:  denied  { ioctl } for  pid=2448 comm="smartd" path="/dev/sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
> type=AVC msg=audit(1265904615.964:209): avc:  denied  { read } for  pid=2337 comm="auditd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket
> type=AVC msg=audit(1265904616.063:212): avc:  denied  { read } for  pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket
> type=AVC msg=audit(1265904616.063:213): avc:  denied  { write } for  pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket

With regard to the AVC denials above it seems that these services
(cupsd, smartd, auditd and udevd) run in the wrong domain. When you
restart services manually, you should use "run_init".

run_init /etc/rc.d/init.d/cupsd start

Besides that, some of this might still not work. For example execstack
and execmem permissions for cupsd, but start by executing these daemons
in the proper domains first.

As for dbus I have not noticed any dbus specific AVC denials. It may be
the dbus denials are directed to /var/log/messages,
/var/log/audit/audit.log or dmesg.



Attachment: signature.asc
Description: OpenPGP digital signature
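
The diagnosis in the reply above (daemons such as cupsd and smartd appearing with a sysadm_t source context) can be checked mechanically over an audit log. This is an added example, not part of the original message: the USER_DOMAINS list and the function names are assumptions, and the sample holds three lines from the quoted log plus one constructed line.

```python
import re
from collections import defaultdict

# Types that belong to interactive users/admins rather than daemons.
# Assumed list for this example; adjust it to the policy in use.
USER_DOMAINS = {"sysadm_t", "staff_t", "user_t", "unconfined_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# First three lines are from the quoted log; the last one is constructed
# to show a daemon that already runs in its own domain.
SAMPLE = [
    '> type=AVC msg=audit(1265904613.689:203): avc:  denied  { execstack } for  pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process',
    '> type=AVC msg=audit(1265904613.690:204): avc:  denied  { execmem } for  pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process',
    '> type=AVC msg=audit(1265904614.260:205): avc:  denied  { read write } for  pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file',
    'type=AVC msg=audit(1265904700.000:300): avc:  denied  { execmem } for  pid=2500 comm="cupsd" scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:cupsd_t tclass=process',
]

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"comm": m["comm"], "perms": m["perms"].split(),
            "source_type": context_type(m["scontext"]),
            "target_type": context_type(m["tcontext"]),
            "tclass": m["tclass"]}

def denials_from_user_domains(lines):
    """Map (comm, source type) -> sorted 'tclass:perm' list for user-domain sources."""
    found = defaultdict(set)
    for line in lines:
        rec = parse_avc(line.lstrip("> "))  # tolerate e-mail quote markers
        if rec and rec["source_type"] in USER_DOMAINS:
            for perm in rec["perms"]:
                found[(rec["comm"], rec["source_type"])].add(f"{rec['tclass']}:{perm}")
    return {key: sorted(perms) for key, perms in found.items()}
```

A daemon name appearing in the result means its denials were logged while it ran in a user or admin domain, so the domain should be corrected before any of the listed permissions are considered for policy.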

