Hi!
In mails from logwatch there is something like this:
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
df: `/mnt/FreeDOS': Access denied
I found this avc message:
Mar 21 17:14:05 X kernel: audit(1142957645.904:32): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
OS: FC5 selinux-policy-targeted: 2.2.23-15
How can I fix it?
Regards, Dawid
Dawid Gajownik wrote:
> Hi!
> In mails from logwatch there is something like this:
> --------------------- Disk Space Begin ------------------------
> Filesystem Size Used Avail Use% Mounted on
> df: `/mnt/FreeDOS': Access denied
> I found this avc message:
> Mar 21 17:14:05 X kernel: audit(1142957645.904:32): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> OS: FC5 selinux-policy-targeted: 2.2.23-15
> How can I fix it?
First make sure this is all the access that it needs by running logwatch with setenforce 0.
Then send us the AVC messages, so we can update policy.
You can also install a loadable module to allow this access by executing
grep logwatch /var/log/audit/audit.log | audit2allow -M logwatch
semodule -i logwatch.pp
> Regards, Dawid
On 03/22/2006 04:15 PM, user Daniel J Walsh wrote:
> First make sure this is all the access that it needs by running logwatch with setenforce 0.
> Then send us the AVC messages, so we can update policy.
I ran my system in permissive mode today and logwatch showed the disk usage of all partitions mounted in /mnt. Here are the AVC messages:
[root@X ~]# grep -i logwatch /var/log/messages
Mar 21 17:14:05 X kernel: audit(1142957645.904:32): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 21 17:14:05 X kernel: audit(1142957645.904:33): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 21 17:14:05 X kernel: audit(1142957645.904:34): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 21 17:14:05 X kernel: audit(1142957645.904:35): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 21 17:14:05 X kernel: audit(1142957645.904:36): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 21 17:14:05 X kernel: audit(1142957645.908:37): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 22 12:31:53 X kernel: audit(1143027113.272:34): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 22 12:31:53 X kernel: audit(1143027113.276:35): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 22 12:31:53 X kernel: audit(1143027113.276:36): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 22 12:31:53 X kernel: audit(1143027113.276:37): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 22 12:31:53 X kernel: audit(1143027113.276:38): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 22 12:31:53 X kernel: audit(1143027113.276:39): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 23 12:16:48 X kernel: audit(1143112608.114:7): avc: denied { search } for pid=3333 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
[root@X ~]#
(Yes, I don't have auditd.)
> You can also install a loadable module to allow this access by executing
> grep logwatch /var/log/audit/audit.log | audit2allow -M logwatch
> semodule -i logwatch.pp
I know about audit2allow, but this program sometimes allows too much. I wanted to ask the SELinux policy developers about this issue :)
Thanks, Dawid
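Daniel's audit2allow recipe and Dawid's worry that it can allow too much both come down to reading the rules before loading them. The shell script below is an added example, not code from the thread or from the SELinux project: it reduces AVC lines from /var/log/messages to the minimal set of allow rules they justify and wraps them in a .te skeleton for checkmodule. The sample input reuses denials quoted above plus one constructed getattr denial, and the module name logwatch_local is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): reduce AVC denials from
# /var/log/messages to the smallest set of allow rules they justify
# and wrap them in a .te skeleton, so the module can be read line by
# line before it is compiled and loaded.

# Constructed sample: two denials quoted in the thread plus one
# invented getattr denial, to show how perms on one pair are merged.
SAMPLE_AVC='Mar 21 17:14:05 X kernel: audit(1142957645.904:32): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 21 17:14:05 X kernel: audit(1142957645.904:33): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 21 17:14:05 X kernel: audit(1142957645.904:34): avc: denied { getattr } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir'

# avc_to_rules: stdin = AVC lines, stdout = one allow rule per
# source/target/class with permissions merged and duplicates dropped.
avc_to_rules() {
    # sed extracts: <source type> <target type> <class> <perms>
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    awk '{
        key = $1 " " $2 ":" $3
        if (!nseen[key]++) order[++n] = key
        for (i = 4; i <= NF; i++)          # one denial may list several perms
            if (!seen[key, $i]++) perms[key] = perms[key] " " $i
    }
    END { for (i = 1; i <= n; i++) print "allow " order[i] " {" perms[order[i]] " };" }'
}

# rules_to_te: wrap allow rules (stdin) in a module skeleton that
# checkmodule -M -m accepts; the require block is derived from them.
rules_to_te() {
    awk -v name="$1" '{
        rule[NR] = $0
        types[$2] = 1; split($3, t, ":"); types[t[1]] = 1
        for (i = 5; i < NF; i++)           # tokens between "{" and "};"
            if (!seenp[t[2], $i]++) cperm[t[2]] = cperm[t[2]] " " $i
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (ty in types) printf "\ttype %s;\n", ty
        for (c in cperm) printf "\tclass %s {%s };\n", c, cperm[c]
        print "}\n"
        for (i = 1; i <= NR; i++) print rule[i]
    }'
}

# Review the printed policy, then build and load it with:
#   checkmodule -M -m -o logwatch_local.mod logwatch_local.te
#   semodule_package -o logwatch_local.pp -m logwatch_local.mod
#   semodule -i logwatch_local.pp
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules | rules_to_te logwatch_local
```

On a box without auditd, as in this thread, the input comes from /var/log/messages rather than /var/log/audit/audit.log.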
Dawid Gajownik wrote:
> On 03/22/2006 04:15 PM, user Daniel J Walsh wrote:
>> First make sure this is all the access that it needs by running logwatch with setenforce 0.
>> Then send us the AVC messages, so we can update policy.
> I ran my system in permissive mode today and logwatch showed the disk usage of all partitions mounted in /mnt. Here are the AVC messages:
> [root@X ~]# grep -i logwatch /var/log/messages
> Mar 21 17:14:05 X kernel: audit(1142957645.904:32): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 21 17:14:05 X kernel: audit(1142957645.904:33): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 21 17:14:05 X kernel: audit(1142957645.904:34): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 21 17:14:05 X kernel: audit(1142957645.904:35): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 21 17:14:05 X kernel: audit(1142957645.904:36): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 21 17:14:05 X kernel: audit(1142957645.908:37): avc: denied { search } for pid=2588 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.272:34): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.276:35): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.276:36): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.276:37): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.276:38): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 22 12:31:53 X kernel: audit(1143027113.276:39): avc: denied { search } for pid=3307 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Mar 23 12:16:48 X kernel: audit(1143112608.114:7): avc: denied { search } for pid=3333 comm="df" name="mnt" dev=hda5 ino=809601 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> [root@X ~]#
> (Yes, I don't have auditd.)
>> You can also install a loadable module to allow this access by executing
>> grep logwatch /var/log/audit/audit.log | audit2allow -M logwatch
>> semodule -i logwatch.pp
> I know about audit2allow, but this program sometimes allows too much. I wanted to ask the SELinux policy developers about this issue :)
Well I am a developer of SELinux policy. The policy I put out yesterday will dontaudit this, but now I am thinking it should be allowed.
> Thanks, Dawid
On 03/23/2006 05:11 PM, user Daniel J Walsh wrote:
> Well I am a developer of SELinux policy.
Yes, I know :)
BTW, thanks for the nice "SELinux for Dummies" articles.
> The policy I put out yesterday will dontaudit this, but now I am thinking it should be allowed.
Thanks, I'll check the new policy.
selinux@lists.fedoraproject.org