I don't reboot my machine very often (about once per month after a "yum update") but each time I do I now get the following AVC:
=============8<========================================================= SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:abrt_helper_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source abrt-dump-oops Source Path /usr/bin/abrt-dump-oops Port <Unknown> Host example.com Source RPM Packages abrt-addon-kerneloops-2.0.3-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-34.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name example.com Platform Linux troodos.org.uk 2.6.38.8-35.fc15.i686.PAE #1 SMP Wed Jul 6 14:29:06 UTC 2011 i686 i686 Alert Count 3 First Seen Tue Jul 19 10:22:00 2011 Last Seen Thu Jul 21 11:34:47 2011 Local ID 9591fda1-fb84-4cd0-841e-650d306152f4
Raw Audit Messages type=AVC msg=audit(1311244487.906:41): avc: denied { syslog_read } for pid=1440 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1311244487.906:41): arch=i386 syscall=syslog success=no exit=EACCES a0=3 a1=90d70a8 a2=3fff a3=0 items=0 ppid=1 pid=1440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null)
Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read
audit2allow
#============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read;
audit2allow -R
#============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read; =============8<=========================================================
Should I allow it?
Thanks in advance
Mark
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 07/21/2011 02:26 PM, Arthur Dent wrote:
I don't reboot my machine very often (about once per month after a "yum update") but each time I do I now get the following AVC:
=============8<=========================================================
SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on
the system Unknown.
***** Plugin catchall (100. confidence) suggests
If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:abrt_helper_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source abrt-dump-oops Source Path /usr/bin/abrt-dump-oops Port <Unknown> Host example.com Source RPM Packages abrt-addon-kerneloops-2.0.3-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-34.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name example.com Platform Linux troodos.org.uk 2.6.38.8-35.fc15.i686.PAE #1 SMP Wed Jul 6 14:29:06 UTC 2011 i686 i686 Alert Count 3 First Seen Tue Jul 19 10:22:00 2011 Last Seen Thu Jul 21 11:34:47 2011 Local ID 9591fda1-fb84-4cd0-841e-650d306152f4
Raw Audit Messages type=AVC msg=audit(1311244487.906:41): avc: denied { syslog_read } for pid=1440 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1311244487.906:41): arch=i386 syscall=syslog success=no exit=EACCES a0=3 a1=90d70a8 a2=3fff a3=0 items=0 ppid=1 pid=1440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null)
Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read
audit2allow
#============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read;
audit2allow -R
#============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read; =============8<=========================================================
Should I allow it?
Thanks in advance
Mark
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Please report a bugzilla.
Miroslav I guess we need to back port the abrt policy from F16
On Thu, 2011-07-21 at 15:40 -0400, Daniel J Walsh wrote:
Please report a bugzilla.
Miroslav I guess we need to back port the abrt policy from F16
Done:
https://bugzilla.redhat.com/show_bug.cgi?id=724825
While I am waiting for this to work its way through the Fedora bug squash machine, what harm would be done by simply ignoring this?
(or should I create a local policy?)
Thanks for your help...
Mark
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 07/21/2011 06:24 PM, Arthur Dent wrote:
On Thu, 2011-07-21 at 15:40 -0400, Daniel J Walsh wrote:
Please report a bugzilla.
Miroslav I guess we need to back port the abrt policy from F16
Done:
https://bugzilla.redhat.com/show_bug.cgi?id=724825
While I am waiting for this to work its way through the Fedora bug squash machine, what harm would be done by simply ignoring this?
(or should I create a local policy?)
Thanks for your help...
Mark
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Ignoring it is probably the safest. You will probably not be able to report the kernel oops as well, but I am not a big fan of allow that access to the abrt_helper_t
selinux@lists.fedoraproject.org