Having upgraded selinux-policy(-targeted) from 3.7.19-37 to 3.7.19-39 I started getting heaps of the two avc types from a variety of programs/processes. Logs follow below.
I have not done anything unusual apart from upgrading and patching 3 policy module files (though I am getting exactly the same avcs if using the pre-built policies packages!).
The OS image is built in exactly the same way (with a kickstart file and using livecd tools) as it was with the 3.7.19-37 version (and it worked there without any problems). I first thought that it might be a labelling problem, but as is evident from the file label listings below, that appears not to be the case.
When I try and boot from that image, the first sign of trouble comes when the auditd service does not start, which is why I do not have an audit.log listing to include. The only way I could activate auditd is to force selinux into permissive mode (echo 0 > /selinux/enforce) and then execute "service auditd start".
What could be the cause for this? I can't see the file permissions to be too restrictive either (which was the root cause of my previous dac_* problems). Any ideas as to how to solve this sorry mess are welcome!
====================/var/log/messages
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.151:4): avc: denied { dac_override } for pid=378 comm="hostname" capability=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.152:5): avc: denied { dac_read_search } for pid=378 comm="hostname" capability=2 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:8): avc: denied { dac_override } for pid=386 comm="dmesg" capability=1 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:9): avc: denied { dac_read_search } for pid=386 comm="dmesg" capability=2 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661191.023:12): avc: denied { dac_override } for pid=689 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661191.027:13): avc: denied { dac_read_search } for pid=689 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661193.668:16): avc: denied { dac_override } for pid=714 comm="ifconfig" capability=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661193.671:17): avc: denied { dac_read_search } for pid=714 comm="ifconfig" capability=2 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661197.508:20): avc: denied { dac_override } for pid=729 comm="hostname" capability=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661197.510:21): avc: denied { dac_read_search } for pid=729 comm="hostname" capability=2 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:54): avc: denied { dac_override } for pid=922 comm="arping" capability=1 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:netutils_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:55): avc: denied { dac_read_search } for pid=922 comm="arping" capability=2 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:netutils_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661235.258:116): avc: denied { dac_override } for pid=973 comm="auditd" capability=1 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661235.260:117): avc: denied { dac_read_search } for pid=973 comm="auditd" capability=2 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
Aug 1 12:14:49 test1 kernel: type=1400 audit(1280661289.020:124): avc: denied { dac_override } for pid=1300 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:14:49 test1 kernel: type=1400 audit(1280661289.025:125): avc: denied { dac_read_search } for pid=1300 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:40 test1 kernel: type=1400 audit(1280661340.105:130): avc: denied { dac_override } for pid=1350 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:40 test1 kernel: type=1400 audit(1280661340.108:131): avc: denied { dac_read_search } for pid=1350 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:138): avc: denied { dac_override } for pid=1364 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:139): avc: denied { dac_read_search } for pid=1364 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:45 test1 kernel: type=1400 audit(1280661345.145:350): avc: denied { dac_override } for pid=1418 comm="tc" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:45 test1 kernel: type=1400 audit(1280661345.146:351): avc: denied { dac_read_search } for pid=1418 comm="tc" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:16:09 test1 kernel: type=1400 audit(1280661369.758:1176): avc: denied { dac_override } for pid=1615 comm="smartd" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
Aug 1 12:16:09 test1 kernel: type=1400 audit(1280661369.759:1177): avc: denied { dac_read_search } for pid=1615 comm="smartd" capability=2 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
====================
====================service start auditd
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.362:1226): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.364:1227): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.370:1228): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.371:1229): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1230): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1231): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1232): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1233): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 auditd: Error opening config file (Permission denied)
Aug 1 13:14:05 test1 auditd: The audit daemon is exiting.
====================
====================echo 0 > /selinux/enforce && service auditd start && service smartd start
type=AVC msg=audit(1280608935.230:327): avc: denied { dac_override } for pid=1368 comm="smartd" capability=1 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1280608935.230:327): avc: denied { dac_read_search } for pid=1368 comm="smartd" capability=2 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1280608935.230:327): arch=40000003 syscall=33 success=no exit=-13 a0=21a814 a1=4 a2=21ffc4 a3=2208f8 items=0 ppid=1367 pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1280608935.245:328): avc: denied { dac_override } for pid=1368 comm="smartd" capability=1 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1280608935.245:328): avc: denied { dac_read_search } for pid=1368 comm="smartd" capability=2 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1280608935.245:328): arch=40000003 syscall=5 success=no exit=-13 a0=21a9fe a1=0 a2=0 a3=220880 items=0 ppid=1367 pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
====================
====================ls -lasZ /etc | grep audit
drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 audit
-rw-r-----. root root system_u:object_r:etc_t:s0 libaudit.conf
====================
====================ls -lasZ /etc/audit
drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 .
drw-r--r--. root root system_u:object_r:etc_t:s0 ..
-rw-r-----. root root system_u:object_r:auditd_etc_t:s0 auditd.conf
-rw-r-----. root root system_u:object_r:auditd_etc_t:s0 audit.rules
====================
====================ls -lasZ /etc/init.d/auditd
-rwxr-xr-x. root root system_u:object_r:auditd_initrc_exec_t:s0 /etc/init.d/auditd
====================
====================ls -lasZ /sbin/auditd
-rwxr-x---. root root system_u:object_r:auditd_exec_t:s0 /sbin/auditd
====================
====================ls -lasZ /var/log | grep audit
drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 audit
====================
====================ls -lasZ /var/log/audit
drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 ..
-rw-------. root root system_u:object_r:auditd_log_t:s0 audit.log
====================
On 08/01/2010 10:53 AM, Mr Dash Four wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
You have some file that has ownership such that root can not access the file via permissions.
You need to turn on full auditing to get the path of the offending file.
Execute
auditctl -w /etc/shadow -p w
And see if you can generate the error again. Then you should get a path with the next avc message.
Please attach the message
As far as I know, for this to work I would need to have auditd running, isn't that the case? As I pointed out in my initial post, auditd cannot start!
OK, I can force permissive mode, then start auditd, switch back to enforcing mode and then execute auditctl. Then, maybe, I could find the offending path/files causing the issues with the other programs I have listed in my logs, but how do I deal with auditd itself? auditctl requires auditd to be running in order to show the paths, isn't that the case?
On 08/04/2010 02:07 PM, Mr Dash Four wrote:
I would boot the machine in permissive mode and with the audit flag set. You should still get the audit messages and the PATH message.
Most likely this is a file in /etc/. Likely candidates would be something like resolv.conf, services, hosts.
Some progress made today - I found what is causing the problem, though I have no explanation why it happens - I am simply lost for words.
As part of the image-building process I extract a group of files in the %post section of my kickstart file:
========%post section
%post
tar -zxf resources.tar.gz
....
%end
=================
======tar -ztf resources.tar.gz
./
./etc/
./etc/shorewall/
./etc/shorewall/shorewall.conf
./etc/my.cnf
./etc/init.d/<xxx> (startup scripts for various programs)
./etc/ssh/
./etc/ssh/<xxx> (sshd configuration files)
./usr/
./usr/bin/
./usr/bin/torctl
./usr/share/
./usr/share/tor/
./usr/share/tor/geoip
======================
After the image is built and booted in this way I am getting the various failures I described in the initial post of this thread.
However, if I do this:
========%post section
%post
tar -zxf resources.tar.gz ./etc/shorewall/* ./etc/my.cnf ./etc/init.d/* ./etc/ssh/* ./usr/bin/torctl ./usr/share/tor/geoip
...
%end
=================
and then boot the image all is OK - not a single AVC whatsoever and my auditd daemon runs perfectly!
Here is the place to mention that resources.tar.gz was built with 'tar -zcf resources.tar.gz .' executed from the directory where I have these files (a separate directory on which these resources are), so there is nothing fancy about creating the tar.gz file.
After doing this, I started to investigate to try and find out what might be the problem. I have extracted the files, but this time I did the following:
========%post section
%post
tar -zxf resources.tar.gz ./etc/shorewall/* ./etc/my.cnf ./etc/init.d/* ./etc/ssh/* ./usr/*
...
%end
=================
After booting up, auditd runs perfectly, but I've got the following variety of avcs (I have the paths after switching auditctl to watch over /usr and /etc):
======service start smartd==========
type=AVC msg=audit(1281210535.957:2018): avc: denied { dac_override } for pid=1606 comm="smartd" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1281210535.957:2018): avc: denied { dac_read_search } for pid=1606 comm="smartd" capability=2 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1281210535.957:2018): arch=40000003 syscall=195 success=no exit=-13 a0=bfb92030 a1=bfb92088 a2=642ff4 a3=bfb92030 items=1 ppid=1 pid=1606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smartd" exe="/usr/sbin/smartd" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=CWD msg=audit(1281210535.957:2018): cwd="/"
type=PATH msg=audit(1281210535.957:2018): item=0 name="/usr/share/zoneinfo/GMT"
=============================
repeated many times over.
-rw-r--r--. root root system_u:object_r:locale_t:s0 /usr/share/zoneinfo/GMT
So I do not see that there is a permission problem. I've also had quite a few avcs with paths originating from /usr when I tried to restart Shorewall. If I build the image with this:
========%post section
%post
tar -zxf resources.tar.gz ./etc/* ./usr/*
...
%end
=================
neither auditd nor any of my startup services start properly. This tells me that something is happening when the files are unpacked from the tar archive, though I could not, for the life of me, figure out what that might be!
At first I thought that it may be a labelling problem (i.e. if I had saved the SELinux attributes in the archive and they were then not extracted properly), but at the end of the kickstart file I execute 'restorecon -ripF /', which relabels everything, and there are NO obvious problems. Besides, 'tar -zcf' by default does not include SELinux attributes as far as I know.
The problem seems to be that tar 'extracts' ./etc and ./usr in a way, which messes things up. /etc is needed by auditd as auditd.conf is there.
Again, this only happens with policy versions -39 and -41! With -37 I do NOT have this! In other words, if I extract all the files with 'tar -zxf resources.tar.gz' I have no problems with -37, but with -39 and -41 I do!
I have no idea what causes this, so any help is appreciated.
On 08/07/2010 07:43 PM, Mr Dash Four wrote:
What is the permission on /etc?
ls -ld /etc /usr
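The `ls -ld /etc /usr` check above is the right one: a process running as root that has to traverse a directory whose owner lacks the search (x) bit only gets through by way of CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE, and SELinux records exactly that as a dac_read_search / dac_override capability AVC against the calling domain. Note that the `..` entry in the `ls -lasZ /etc/audit` listing earlier in the thread reads `drw-r--r--`, i.e. /etc itself without the search bit. The script below is an added example, not part of the thread and not the OP's or Dan's code: it generalises the check into a function that walks up from a file to a top directory and reports every directory on the way whose owner x bit is off, and it reproduces, in a scratch directory and assuming GNU tar, how a tarball that carries a `./etc/` entry applies that entry's mode to an already existing destination directory when extracted, and how `--no-overwrite-dir` keeps the destination's own metadata. The function names find_unsearchable_dirs, demo_tar_dir_mode and demo_cleanup are mine, and the staged tree is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes GNU tar and a POSIX sh.
# A root process traversing a directory whose owner lacks the search (x)
# bit only gets through via CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE, and
# SELinux records that as a dac_read_search / dac_override capability AVC.

# Print "<mode> <dir>" for every directory from $1 (or its parent, if $1
# is a file) up to and including $2 (default /) whose owner x bit is off.
# Returns 1 if any such directory was found, 0 otherwise.
find_unsearchable_dirs() {
    d=$1
    top=${2:-/}
    case $d in /*) ;; *) d=$(pwd)/$d ;; esac     # make it absolute
    [ -d "$d" ] || d=$(dirname "$d")
    rc=0
    while :; do
        mode=$(ls -ld "$d" | cut -c1-10)          # e.g. drw-r--r--
        case $mode in
            d??[xs]*) ;;                          # owner can search it
            *) printf '%s %s\n' "$mode" "$d"; rc=1 ;;
        esac
        [ "$d" = "$top" ] && break
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    return $rc
}

# Build resources.tar from a staged tree whose etc/ is mode 644 (a directory
# without the search bit), then extract it twice over a destination that
# already has a 755 etc/ with a config file in it. Prints two lines: the
# mode of <dest>/etc after a plain extraction, and after an extraction with
# --no-overwrite-dir. --no-recursion keeps tar from reading inside the
# 644 directory while archiving; only the directory entries are recorded.
demo_tar_dir_mode() {
    work=$1
    mkdir -p "$work/staging/etc" "$work/plain/etc" "$work/keep/etc"
    chmod 755 "$work/plain/etc" "$work/keep/etc"
    chmod 644 "$work/staging/etc"             # staged dir without x bit
    echo 'log_file = /var/log/audit/audit.log' > "$work/plain/etc/auditd.conf"
    echo 'log_file = /var/log/audit/audit.log' > "$work/keep/etc/auditd.conf"
    tar --no-recursion -cf "$work/resources.tar" -C "$work/staging" . ./etc

    tar -xpf "$work/resources.tar" -C "$work/plain"
    tar --no-overwrite-dir -xpf "$work/resources.tar" -C "$work/keep"

    ls -ld "$work/plain/etc" | cut -c1-10
    ls -ld "$work/keep/etc"  | cut -c1-10
}

# Restore the search bit on the clobbered directories so rm -rf can finish.
demo_cleanup() {
    chmod u+rwx "$1/plain/etc" "$1/staging/etc" 2>/dev/null
    rm -rf "$1"
}

# Stand-alone run: build the scratch tree, show both modes, report the
# unsearchable directory on the way to the extracted config, clean up.
scratch=$(mktemp -d)
demo_tar_dir_mode "$scratch"
find_unsearchable_dirs "$scratch/plain/etc/auditd.conf" "$scratch" || :
demo_cleanup "$scratch"
```

The plain extraction leaves the existing etc/ as `drw-r--r--`, which is the state the OP's image ends up in when the whole archive is unpacked, while the extraction with `--no-overwrite-dir` leaves it `drwxr-xr-x`. Extracting only the file members (as the OP did with the explicit member list) avoids the problem for the same reason: no directory entry is ever applied to /etc or /usr. On a real image, run `find_unsearchable_dirs /etc/audit/auditd.conf` (or the path from the PATH record) to see which ancestor is the culprit.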