-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/01/2010 10:53 AM, Mr Dash Four wrote:
Having upgraded selinux-policy(-targeted) from 3.7.19-37 to 3.7.19-39 I started getting heaps of the two avc types from a variety of programs/processes. Logs follow below.
I have not done anything unusual apart from upgrading and patching 3 policy module files (though I am getting exactly the same avcs if using the pre-built policy packages!).
The OS image is built in exactly the same way (with kickstart file and using livecd tools) as it was with the 3.7.19-37 version (and it worked there without any problems). I first thought that it might be a labelling problem, but as is evident from the file label listings below, that appears not to be the case.
When I try and boot from that image, the first sign of trouble comes when the auditd service does not start, hence why I do not have an audit.log listing to include. The only way I could activate auditd is to force selinux into permissive mode (echo 0 > /selinux/enforce) and then execute "service auditd start".
What could be the cause for this? I can't see the file permissions being too restrictive either (which was the root cause of my previous dac_* problems). Any ideas as to how to solve this sorry mess are welcome!
====================/var/log/messages
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.151:4): avc: denied { dac_override } for pid=378 comm="hostname" capability=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.152:5): avc: denied { dac_read_search } for pid=378 comm="hostname" capability=2 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:8): avc: denied { dac_override } for pid=386 comm="dmesg" capability=1 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:9): avc: denied { dac_read_search } for pid=386 comm="dmesg" capability=2 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661191.023:12): avc: denied { dac_override } for pid=689 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661191.027:13): avc: denied { dac_read_search } for pid=689 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661193.668:16): avc: denied { dac_override } for pid=714 comm="ifconfig" capability=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661193.671:17): avc: denied { dac_read_search } for pid=714 comm="ifconfig" capability=2 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661197.508:20): avc: denied { dac_override } for pid=729 comm="hostname" capability=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661197.510:21): avc: denied { dac_read_search } for pid=729 comm="hostname" capability=2 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:54): avc: denied { dac_override } for pid=922 comm="arping" capability=1 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:netutils_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:55): avc: denied { dac_read_search } for pid=922 comm="arping" capability=2 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:netutils_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661235.258:116): avc: denied { dac_override } for pid=973 comm="auditd" capability=1 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661235.260:117): avc: denied { dac_read_search } for pid=973 comm="auditd" capability=2 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
Aug 1 12:14:49 test1 kernel: type=1400 audit(1280661289.020:124): avc: denied { dac_override } for pid=1300 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:14:49 test1 kernel: type=1400 audit(1280661289.025:125): avc: denied { dac_read_search } for pid=1300 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:40 test1 kernel: type=1400 audit(1280661340.105:130): avc: denied { dac_override } for pid=1350 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:40 test1 kernel: type=1400 audit(1280661340.108:131): avc: denied { dac_read_search } for pid=1350 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:138): avc: denied { dac_override } for pid=1364 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:139): avc: denied { dac_read_search } for pid=1364 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:45 test1 kernel: type=1400 audit(1280661345.145:350): avc: denied { dac_override } for pid=1418 comm="tc" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:45 test1 kernel: type=1400 audit(1280661345.146:351): avc: denied { dac_read_search } for pid=1418 comm="tc" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:16:09 test1 kernel: type=1400 audit(1280661369.758:1176): avc: denied { dac_override } for pid=1615 comm="smartd" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
Aug 1 12:16:09 test1 kernel: type=1400 audit(1280661369.759:1177): avc: denied { dac_read_search } for pid=1615 comm="smartd" capability=2 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
====================
====================service start auditd
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.362:1226): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.364:1227): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.370:1228): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.371:1229): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1230): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1231): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1232): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1233): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 auditd: Error opening config file (Permission denied)
Aug 1 13:14:05 test1 auditd: The audit daemon is exiting.
====================
====================echo 0 > /selinux/enforce && service auditd start && service smartd start
type=AVC msg=audit(1280608935.230:327): avc: denied { dac_override } for pid=1368 comm="smartd" capability=1 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1280608935.230:327): avc: denied { dac_read_search } for pid=1368 comm="smartd" capability=2 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1280608935.230:327): arch=40000003 syscall=33 success=no exit=-13 a0=21a814 a1=4 a2=21ffc4 a3=2208f8 items=0 ppid=1367 pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1280608935.245:328): avc: denied { dac_override } for pid=1368 comm="smartd" capability=1 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1280608935.245:328): avc: denied { dac_read_search } for pid=1368 comm="smartd" capability=2 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1280608935.245:328): arch=40000003 syscall=5 success=no exit=-13 a0=21a9fe a1=0 a2=0 a3=220880 items=0 ppid=1367 pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
====================
====================ls -lasZ /etc | grep audit
drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 audit
-rw-r-----. root root system_u:object_r:etc_t:s0 libaudit.conf
====================ls -lasZ /etc/audit
drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 .
drw-r--r--. root root system_u:object_r:etc_t:s0 ..
-rw-r-----. root root system_u:object_r:auditd_etc_t:s0 auditd.conf
-rw-r-----. root root system_u:object_r:auditd_etc_t:s0 audit.rules
====================ls -lasZ /etc/init.d/auditd
-rwxr-xr-x. root root system_u:object_r:auditd_initrc_exec_t:s0 /etc/init.d/auditd
====================ls -lasZ /sbin/auditd
-rwxr-x---. root root system_u:object_r:auditd_exec_t:s0 /sbin/auditd
====================ls -lasZ /var/log | grep audit
drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 audit
====================ls -lasZ /var/log/audit
drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 ..
-rw-------. root root system_u:object_r:auditd_log_t:s0 audit.log
====================
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
You have some file that has ownership such that root cannot access the file via permissions.
You need to turn on full auditing to get the path of the offending file.
Execute
auditctl -w /etc/shadow -p w
And see if you can generate the error again. Then you should get a path with the next avc message.
Please attach the message.
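As an added illustration, not taken from either message in this thread: a small Python triage script for the kind of records quoted above. It parses both formats that appear in the thread (the kernel ring-buffer form "type=1400 audit(...)" in /var/log/messages and the audit.log form "type=AVC msg=audit(...)"), groups records by their event serial so that the AVC, SYSCALL and PATH records of one event are read together, maps capability=1 and capability=2 to CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, and flags every event that has no PATH record, which is exactly the gap the reply points at: without a watch rule or full syscall auditing the kernel never tells you which file root was refused. The sample input is constructed: it copies a few records from the quoted logs and adds one made-up event (serial 900, comm "example", path /etc/example.conf) that carries a PATH record, as a watch rule such as the auditctl -w above would produce. The syscall names assume arch=40000003 (i386) and cover only the two numbers seen in the quoted SYSCALL records.

```python
import re
from collections import defaultdict

# Constructed sample: records copied from the quoted logs plus one made-up event
# (serial 900) that carries a PATH record. Not real output from the poster's system.
SAMPLE_LOG = """\
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.151:4): avc: denied { dac_override } for pid=378 comm="hostname" capability=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.152:5): avc: denied { dac_read_search } for pid=378 comm="hostname" capability=2 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
type=AVC msg=audit(1280608935.230:327): avc: denied { dac_override } for pid=1368 comm="smartd" capability=1 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1280608935.230:327): avc: denied { dac_read_search } for pid=1368 comm="smartd" capability=2 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1280608935.230:327): arch=40000003 syscall=33 success=no exit=-13 a0=21a814 a1=4 a2=21ffc4 a3=2208f8 items=0 ppid=1367 pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1280700000.000:900): avc: denied { dac_read_search } for pid=4242 comm="example" capability=2 scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=capability
type=SYSCALL msg=audit(1280700000.000:900): arch=40000003 syscall=5 success=no exit=-13 a0=1 a1=0 a2=0 a3=0 items=1 ppid=1 pid=4242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="example" exe="/usr/sbin/example" subj=system_u:system_r:example_t:s0 key=(null)
type=PATH msg=audit(1280700000.000:900): item=0 name="/etc/example.conf" inode=1234 dev=08:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 obj=system_u:object_r:etc_t:s0
"""

AUDIT_ID_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial of the event
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')               # key=value or key="quoted value"
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")

# Capability numbers as in <linux/capability.h>; only the two seen in the thread.
CAPABILITIES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}
# i386 (arch=40000003) syscall numbers for the two calls in the quoted SYSCALL records.
I386_SYSCALLS = {5: "open", 33: "access"}


def record_type(line):
    """Return the record type; the kernel ring buffer writes AVC records as type=1400."""
    m = re.search(r"\btype=(\w+)", line)
    if not m:
        return None
    return "AVC" if m.group(1) == "1400" else m.group(1)


def parse_records(text):
    """Group AVC, SYSCALL and PATH records of one event under its serial number."""
    events = defaultdict(lambda: {"denials": [], "syscall": None, "paths": []})
    for line in text.splitlines():
        m = AUDIT_ID_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events[serial]
        rtype = record_type(line)
        if rtype == "AVC":
            perms = AVC_RE.search(line)
            cap = CAPABILITIES.get(int(fields["capability"])) if "capability" in fields else None
            ev["denials"].append({
                "permission": perms.group(1).strip() if perms else "?",
                "comm": fields.get("comm"),
                # third field of user:role:type:level is the SELinux domain type
                "domain": fields.get("scontext", "::?::").split(":")[2],
                "capability": cap,
            })
        elif rtype == "SYSCALL":
            nr = int(fields.get("syscall", -1))
            name = I386_SYSCALLS.get(nr, str(nr)) if fields.get("arch") == "40000003" else str(nr)
            ev["syscall"] = {"name": name, "exe": fields.get("exe"), "items": int(fields.get("items", 0))}
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return dict(events)


def triage(text):
    """One summary row per event: who was denied which capability, and whether the file is known."""
    rows = []
    for serial, ev in sorted(parse_records(text).items()):
        if not ev["denials"]:
            continue
        rows.append({
            "serial": serial,
            "comm": ev["denials"][0]["comm"],
            "domain": ev["denials"][0]["domain"],
            "capabilities": [d["capability"] for d in ev["denials"]],
            "syscall": ev["syscall"]["name"] if ev["syscall"] else None,
            "path": ev["paths"][0] if ev["paths"] else None,
            # No PATH record: the kernel did not audit the object, so a watch rule
            # (auditctl -w) or full syscall auditing is needed to learn which file it was.
            "needs_path_audit": not ev["paths"],
        })
    return rows


def domains_affected(text):
    """Map each SELinux domain to the sorted list of commands denied in it."""
    by_domain = defaultdict(set)
    for row in triage(text):
        by_domain[row["domain"]].add(row["comm"])
    return {domain: sorted(comms) for domain, comms in by_domain.items()}


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print(domains_affected(SAMPLE_LOG))
```

Run against a real audit.log the script reads the same way; every row with needs_path_audit set is an event where the denial is visible but the offending file is not, and that is the situation the watch rule above is meant to resolve.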