On Sat, 2 Jan 2010 10:10:27 -0800 Tom London selinux@gmail.com wrote:
On Sat, Jan 2, 2010 at 9:39 AM, Steve Blackwell zephod@cfl.rr.com wrote:
OK, here is one of my New Year's resolutions:
Get a better understanding of SELinux.
I'm running an F11 box in permissive mode and I get hundreds of AVCs. Let's start with this one.
SELinux is preventing dbus-daemon (system_dbusd_t) "search" unconfined_t.
node=steve.blackwell type=AVC msg=audit(1262408462.863:1162): avc: denied { search } for pid=1613 comm="dbus-daemon" name="23667" dev=proc ino=584443 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
Now, if I'm reading this correctly, the dbus-daemon process tried to search a directory called 23667 but didn't have permission to do so.
The problem with that is that I don't have a directory called 23667. At least there isn't one now, but I suppose it could have existed at the time the AVC was generated, which was just after midnight. I'm getting one of these every hour with different numbers for the target directory. I thought that it might be related to a cron job, but it seems that the hourly cron job just calls anacron to check to see if the daily, weekly or monthly cron job needs to be run. The other possibility is that it has something to do with BackupPC.
One thing I don't understand is why SELinux is flagging this in the first place. Since the target context is unconfined_t, should anything be able to search it?
Steve.
If you notice, the AVC says "dev=proc". That and the name of the directory suggest that the target directory in question is '/proc/23677'. So, dbus-daemon (pid=1613) is attempting to search for some information about a running unconfined_t process (in this case, 23677) and the policy is not allowing it.
Since the attempted accesses are directed at running processes, they would almost certainly be different and/or change with time, reboots, etc.
I believe the policy does not allow unrestricted access by arbitrary domains to unconfined_t targets.
Hope this helps....
tom
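As an added illustration of the reading Tom gives above (not code from anyone on this list), here is a small Python script that parses an AVC record like the one Steve quoted, and, when dev=proc and the target directory name is purely numeric, resolves it to /proc/<pid> and reports the target process's domain from tcontext. The sample record is the one from the thread; the field names follow the audit line itself.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the AVC record quoted earlier in this thread.
SAMPLE_AVC = (
    'node=steve.blackwell type=AVC msg=audit(1262408462.863:1162): avc: denied '
    '{ search } for pid=1613 comm="dbus-daemon" name="23667" dev=proc ino=584443 '
    'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_avc(record):
    """Split one AVC line into its fields, decision, permission list and audit id."""
    m = DECISION_RE.search(record)
    if m is None:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    fields['decision'] = m.group(1)
    fields['perms'] = m.group(2).split()
    ts, serial = AUDIT_ID_RE.search(record).groups()
    fields['timestamp'] = float(ts)
    fields['serial'] = int(serial)
    return fields

def type_of(context):
    """The type field (third component) of an SELinux context, e.g. unconfined_t."""
    return context.split(':')[2]

def target_path(fields):
    """Resolve what the denied object most likely is.
    A purely numeric directory name on dev=proc is a top-level /proc/<pid> entry,
    so the target is a running process and tcontext is that process's domain."""
    name = fields.get('name', '?')
    if fields.get('dev') == 'proc' and fields.get('tclass') == 'dir' and name.isdigit():
        return '/proc/%s' % name
    return name

def event_time_utc(fields):
    """Audit timestamp as a UTC wall-clock string (convert to local time yourself)."""
    return datetime.fromtimestamp(fields['timestamp'], timezone.utc).strftime('%Y-%m-%d %H:%M:%S')

def describe(record):
    """One-line reading of the denial: source domain, action, resolved target, target domain."""
    f = parse_avc(record)
    return '%s (%s, pid %s) %s %s on %s labelled %s' % (
        f['comm'], type_of(f['scontext']), f['pid'], f['decision'],
        ' '.join(f['perms']), target_path(f), type_of(f['tcontext']))

if __name__ == '__main__':
    print(event_time_utc(parse_avc(SAMPLE_AVC)), describe(SAMPLE_AVC))
```

The audit timestamp is seconds since the epoch, so the script prints it in UTC; the sample decodes to 05:01:02 UTC on 2 Jan 2010, which is just after midnight US Eastern time, matching when Steve saw it.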
Thanks Tom, it does help.
This is interesting. I just got another of the same type of AVC while I was watching and so I was able to look at the process and:
# ls -Zd /proc/29899
dr-xr-xr-x. steve steve unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /proc/29899
# ps -ef | grep 29899
steve    29899     1  2 13:55 ?        00:00:04 /usr/bin/python -E /usr/bin/sealert -s
so SELinux is complaining about sealert!?
# ps -Z 29899
LABEL                                                   PID TTY      STAT   TIME COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 29899 ?        S      0:04 /usr/bin/python -E /usr/bin/sealert -s
Is that context correct?
Steve.