SELinux troubleshooting
by Lopez, Denise
Hello everyone,
I keep getting the following messages in my messages log about every 30
seconds or so. I have SELinux set to enforcing and targeted mode. If I
do a getenforce on the command line it returns enforcing.
Dec 1 12:31:03 dev kernel: audit(1165005063.015:258313): avc: denied {
getattr } for pid=31342 comm="snmpd" name="/" dev=sda3 ino=2
scontext=system_u:system_r:snmpd_t
tcontext=system_u:object_r:home_root_t tclass=dir
I need help deciphering what is happening. I have a snmpd daemon
running that responds to queries from a Nagios host that performs
service checks.
Thanks in advance.
Denise Lopez
UCLA Center for Digital Humanities
Network Services
Systems Engineer
337 Charles E. Young Drive East
PPB 1020
Los Angeles, CA 90095
310/206-8216
17 years, 5 months
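Added example (not part of the original post or of any SELinux tool): decoding the denial quoted in the message above into its fields, collapsing the repeats, and rendering the matching type-enforcement rule. The second record in the sample is constructed, and the function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# First record: the denial quoted in the post, still wrapped as e-mailed.
# Second record: a constructed repeat 30 seconds later.
SAMPLE = (
    'Dec 1 12:31:03 dev kernel: audit(1165005063.015:258313): avc: denied {\n'
    'getattr } for pid=31342 comm="snmpd" name="/" dev=sda3 ino=2\n'
    'scontext=system_u:system_r:snmpd_t\n'
    'tcontext=system_u:object_r:home_root_t tclass=dir\n'
    'Dec 1 12:31:33 dev kernel: audit(1165005093.020:258320): avc: denied {\n'
    'getattr } for pid=31342 comm="snmpd" name="/" dev=sda3 ino=2\n'
    'scontext=system_u:system_r:snmpd_t\n'
    'tcontext=system_u:object_r:home_root_t tclass=dir\n'
)

AVC = re.compile(
    r'audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)(?=audit\(|\Z)', re.S)

def parse_avc(text):
    """Return one dict per AVC denial; tolerates records wrapped across lines."""
    records = []
    for m in AVC.finditer(text):
        pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m['fields'])
        rec = {k: v.strip('"') for k, v in pairs}
        rec['perms'] = m['perms'].split()
        rec['time'] = datetime.fromtimestamp(int(m['ts']), timezone.utc)
        # Contexts are user:role:type[:level]; TE rules are written on the type.
        rec['source_type'] = rec['scontext'].split(':')[2]
        rec['target_type'] = rec['tcontext'].split(':')[2]
        records.append(rec)
    return records

def summarize(records):
    """Collapse repeated denials into (source, target, class, perms) -> count."""
    return Counter((r['source_type'], r['target_type'], r['tclass'],
                    ' '.join(sorted(r['perms']))) for r in records)

def te_rule(key, keyword='allow'):
    """Render a rule in policy syntax; keyword may be 'allow' or 'dontaudit'."""
    src, tgt, cls, perms = key
    body = perms if ' ' not in perms else '{ %s }' % perms
    return f'{keyword} {src} {tgt}:{cls} {body};'

if __name__ == '__main__':
    for key, count in summarize(parse_avc(SAMPLE)).items():
        print(count, 'x', te_rule(key))
```

Read this way, the record says a process in domain snmpd_t was denied getattr on a directory labeled home_root_t, and name="/" on dev=sda3 identifies that directory as the root of the filesystem on sda3.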
Re: fedora-selinux-list Digest, Vol 34, Issue 5
by stefano@proinco.net
This is an automatic message.
I will be away for the next few weeks. For any work-related communication, please contact the office. Regards
stefano bagnasco
17 years, 5 months
Re: fedora-selinux-list Digest, Vol 34, Issue 4
by stefano@proinco.net
This is an automatic message.
I will be away for the next few weeks. For any work-related communication, please contact the office. Regards
stefano bagnasco
17 years, 5 months
Re: fedora-selinux-list Digest, Vol 34, Issue 3
by stefano@proinco.net
This is an automatic message.
I will be away for the next few weeks. For any work-related communication, please contact the office. Regards
stefano bagnasco
17 years, 5 months
Re: Firefox on strict policy
by mantaray_1
I used grep as well. Adding a boolean sounds like a great idea.
-Ken-
Daniel J Walsh wrote:
> Ken wrote:
>> Thank you for your response. I inadvertently sent my response to the
>> previous message to your address rather than the list, and later
>> posted it to the list. I noticed that you did not send this reply to
>> the list so I did not know if it was appropriate to post my response
>> on the list or not, and I chose not to. I have already written a
>> program/script which removed the "dontaudit" statements from the ".te"
>> files in the policy while I was in the process of troubleshooting
>> this problem. This was helpful, but I have noticed dontaudit
>> statements occurring in other files as well, and I am interested in
>> learning more about the enableaudit module. I searched my hard drive
>> for the source code and did not find it. Where can I find the source
>> code for the module?
>>
>> -Ken-
>>
> I have no problem if this is on list. Problem is I am not sure which
> list it belongs to.
> enableaudit.pp is created from the same source file as the rest of the
> code. Basically it uses the grep -v dontaudit out of the policy file
> and rebuilds. So I am sure you did the same thing. The plan is to
> eventually add some kind of boolean to turn on/off dontaudit rules.
>> Daniel J Walsh wrote:
>>> Ken wrote:
>>>> Thanks for the suggestion, but it was not labeling. It appears to
>>>> have had something to do with mls, although I have not had the time
>>>> to figure out exactly what. I changed all the mls levels to s0 and
>>>> the problem went away. It sure would be nice if there were a
>>>> feature to disable all "dontaudit" statements for policy debugging.
>>>>
>>> semodule -b /usr/share/selinux/mls/enableaudit.pp
>>>
>>>> -Ken-
>>>>
>>>> Daniel J Walsh wrote:
>>>>> Ken wrote:
>>>>>> I am attempting to get a strict policy working on my FC-6 system
>>>>>> (version 2.4.3-2.fc6). I have successfully created a user
>>>>>> account, and I can log both the root and the user account into
>>>>>> the GUI. I am attempting to get Firefox to work and I am having
>>>>>> difficulties. If I click on the Firefox icon, I see the program
>>>>>> listed as opening, and it stays that way for a few seconds and
>>>>>> then disappears. If I check the message log (var/log/messages),
>>>>>> there are no messages (either avc or other) generated as a result
>>>>>> of the attempt. This only happens when the policy is enforcing.
>>>>>> When the policy is not enforcing, Firefox loads properly --
>>>>>> also with no messages. I have noticed that Firefox is not
>>>>>> writing to its .mozilla folder when the policy is enforcing, and
>>>>>> that it does write to several files in this folder when it loads
>>>>>> properly. This problem affects both my user account and the root
>>>>>> account. Can someone please explain why I am not receiving any
>>>>>> error messages (or any messages at all), and let me know what
>>>>>> needs to be changed in order to load Firefox?
>>>>>>
>>>>> check /var/log/audit/audit.log for avc messages.
>>>>>
>>>>> I would guess you have a labeling problem on your home dir.
>>>>>
>>>>> restorecon -R -v ~/
>>>>>
>>>
>>>
>
>
17 years, 5 months
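Added example, not code from the thread or from the policy build: removing dontaudit rules from policy source as discussed above, comparing a line filter like `grep -v dontaudit` with a statement-aware pass that also copes with a rule wrapped across lines and reports which rules it removed. The policy fragment and function names are constructed for illustration, and only plain dontaudit statements are handled, not interface macros.

```python
import re

# Constructed policy fragment (not taken from any shipped policy). The second
# dontaudit rule is deliberately wrapped across two lines.
SAMPLE_TE = """\
allow snmpd_t self:capability { dac_override kill };
dontaudit snmpd_t home_root_t:dir getattr;
# dontaudit rules hide expected denials
dontaudit snmpd_t user_home_dir_t:dir
    { getattr search };
allow snmpd_t var_log_t:file append;
"""

def grep_v(text):
    """Line filter equivalent to `grep -v dontaudit`."""
    return ''.join(l for l in text.splitlines(True) if 'dontaudit' not in l)

# A statement starts with the dontaudit keyword and runs to the next ';',
# which may be on a later line. Comments mentioning the word are left alone.
RULE = re.compile(r'^[ \t]*dontaudit\b[^;]*;[ \t]*\n?', re.M)

def strip_dontaudit(text):
    """Return (policy without dontaudit statements, list of removed rules)."""
    removed = [' '.join(m.group().split()) for m in RULE.finditer(text)]
    return RULE.sub('', text), removed

if __name__ == '__main__':
    cleaned, removed = strip_dontaudit(SAMPLE_TE)
    print(cleaned)
    print('Denials that will now be logged:')
    for rule in removed:
        print('  ' + rule)
    # The line filter leaves the tail of the wrapped rule behind.
    print('Orphaned by line filter:', '    { getattr search };' in grep_v(SAMPLE_TE))
```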
Re: fedora-selinux-list Digest, Vol 34, Issue 2
by stefano@proinco.net
This is an automatic message.
I will be away for the next few weeks. For any work-related communication, please contact the office. Regards
stefano bagnasco
17 years, 5 months
Re: fedora-selinux-list Digest, Vol 34, Issue 1
by stefano@proinco.net
This is an automatic message.
I will be away for the next few weeks. For any work-related communication, please contact the office. Regards
stefano bagnasco
17 years, 5 months