On Nov 29, 2010, at 4:36 AM, Miroslav Grepl wrote:
On 11/22/2010 02:07 PM, Vadym Chepkov wrote:
Hi,
I just upgraded to Fedora 14 and got a significant amount of all sorts of denials. I thought maybe some relabeling went wrong, so I did it manually, just in case; it didn't help much, still lots of issues. I tried to post the raw audit log, but got bounced from the mailing list with "message too big".
Anyway, here is what audit2allow -R suggests
#============= chkpwd_t ==============
allow chkpwd_t self:capability sys_nice;
allow chkpwd_t self:process setsched;
files_list_tmp(chkpwd_t)
files_read_usr_symlinks(chkpwd_t)

#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability sys_nice;
allow dovecot_auth_t self:process setsched;

#============= dovecot_t ==============
allow dovecot_t self:capability sys_nice;
files_read_usr_symlinks(dovecot_t)

#============= nscd_t ==============
files_list_tmp(nscd_t)
files_read_usr_symlinks(nscd_t)

#============= saslauthd_t ==============
allow saslauthd_t self:capability sys_nice;
allow saslauthd_t self:process setsched;
files_read_usr_symlinks(saslauthd_t)

#============= spamd_t ==============
allow spamd_t admin_home_t:file { read ioctl open getattr append }; # spammers send e-mails to root@, spamd needs to create working files in /root/
allow spamd_t self:capability sys_nice;
kernel_list_unlabeled(spamd_t) # razor and pyzor contexts gone
kernel_read_unlabeled_state(spamd_t) # same
userdom_read_user_home_content_files(spamd_t) # changed boolean spamd_enable_home_dirs
Thanks, Vadym
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Vadym, are you still getting all these AVC messages?
Some of these issues are known and some of these issues should be fixed in the latest SELinux policy.
Miroslav,
If I remove the locally added rules, then yes, I still see a bunch:
time->Mon Nov 29 06:59:27 2010
type=SYSCALL msg=audit(1291031967.456:65945): arch=40000003 syscall=156 success=yes exit=0 a0=23cc a1=0 a2=bfcc9ca0 a3=b77328d0 items=0 ppid=9159 pid=9164 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2296 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1291031967.456:65945): avc: denied { sys_nice } for pid=9164 comm="spamd" capability=23 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=capability
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.140:66007): arch=40000003 syscall=5 success=yes exit=4 a0=145497 a1=0 a2=1b6 a3=15256a items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.140:66007): avc: denied { read } for pid=9789 comm="unix_chkpwd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.109:66006): arch=40000003 syscall=156 success=yes exit=0 a0=263d a1=0 a2=bfd58eb0 a3=b7717930 items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.109:66006): avc: denied { setsched } for pid=9789 comm="unix_chkpwd" scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=process
type=AVC msg=audit(1291032660.109:66006): avc: denied { sys_nice } for pid=9789 comm="unix_chkpwd" capability=23 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=unconfined_u:system_r:chkpwd_t:s0 tclass=capability
----
time->Mon Nov 29 07:11:00 2010
type=SYSCALL msg=audit(1291032660.141:66008): arch=40000003 syscall=195 success=yes exit=0 a0=14549c a1=bfd544c4 a2=efdff4 a3=3 items=0 ppid=9321 pid=9789 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1291032660.141:66008): avc: denied { read } for pid=9789 comm="unix_chkpwd" name="tmp" dev=dm-0 ino=15581 scontext=unconfined_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
I am pretty sure the link-related denials are due to:
# ls -ld /usr/tmp
lrwxrwxrwx. 1 root root 10 Nov 21 01:49 /usr/tmp -> ../var/tmp
which is a standard link in Fedora.
I also had to manually set spamc_home_t on /root/.razor and $HOME/.razor
I have selinux-policy-targeted-3.9.7-12.fc14.noarch installed.
Vadym