On Mon, 2009-06-29 at 20:49 -0700, Vadym Chepkov wrote:
> It seems selinux memcache module has bugs in it or do I miss some
> boolean?
> I seriously doubt about first one.
> memcached-selinux-1.2.8-1.fc11.i586
> type=AVC msg=audit(1246327827.194:59): avc: denied { write } for pid=2559
> comm="memcached" name="memcached.pid" dev=dm-3 ino=699
> scontext=unconfined_u:system_r:memcached_t:s0
> tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file
> type=AVC msg=audit(1246332806.070:95): avc: denied { write } for pid=3780
> comm="memcached" scontext=unconfined_u:system_r:memcached_t:s0
> tcontext=unconfined_u:system_r:memcached_t:s0 tclass=netlink_route_socket
> type=AVC msg=audit(1246332806.070:97): avc: denied { name_bind } for pid=3780
> comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0
> tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1246332806.071:98): avc: denied { name_bind } for pid=3780
> comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0
> tcontext=system_u:object_r:memcache_port_t:s0 tclass=udp_socket
> Sincerely yours,
> Vadym Chepkov
This is what audit2why says here:
[root@notebook2 Desktop]# echo "type=AVC msg=audit(1246327827.194:59): avc: denied
{ write } for pid=2559 comm="memcached" name="memcached.pid" dev=dm-3
ino=699 scontext=unconfined_u:system_r:memcached_t:s0
tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file" | audit2why
type=AVC msg=audit(1246327827.194:59): avc: denied { write } for pid=2559
comm=memcached name=memcached.pid dev=dm-3 ino=699
scontext=unconfined_u:system_r:memcached_t:s0
tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit
message was generated.
Possible mismatch between current in-memory boolean settings vs. permanent
ones.
This is my version of selinux policy:
[root@notebook2 Desktop]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.6.12-61.fc11.noarch
selinux-policy-3.6.12-61.fc11.noarch
This is what sesearch says here:
[root@notebook2 Desktop]# sesearch --allow -s memcached_t -t memcache_port_t
Found 2 semantic av rules:
allow memcached_t memcache_port_t : tcp_socket name_bind ;
allow memcached_t memcache_port_t : udp_socket name_bind ;
Conclusion:
This access is allowed in 3.6.12-61. You can get it from
koji.fedoraproject.org/koji
Also have a look at this:
http://danwalsh.livejournal.com/29463.html
Hth,
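An added example, not part of this thread and not code from the audit or setools projects: a small Python script that does offline what the reply above does by hand. It parses the quoted AVC records (re-joined onto single lines, since the mail client wrapped them), parses the quoted sesearch output, reports which denials the listed allow rules cover, and prints the sesearch query to run against the loaded policy for each remaining denial. The sesearch flags it emits (-s, -t, -c, -p) are assumed to match the installed setools; the sample input is constructed from the records in this thread.

```python
import re

# Constructed sample input: the four AVC records quoted in the thread, each
# re-joined onto one line (auditd writes one record per line).
SAMPLE_AVCS = """\
type=AVC msg=audit(1246327827.194:59): avc: denied { write } for pid=2559 comm="memcached" name="memcached.pid" dev=dm-3 ino=699 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file
type=AVC msg=audit(1246332806.070:95): avc: denied { write } for pid=3780 comm="memcached" scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:system_r:memcached_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1246332806.070:97): avc: denied { name_bind } for pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1246332806.071:98): avc: denied { name_bind } for pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=udp_socket
"""

# Constructed sample input: the sesearch output quoted in the thread.
SAMPLE_SESEARCH = """\
Found 2 semantic av rules:
allow memcached_t memcache_port_t : tcp_socket name_bind ;
allow memcached_t memcache_port_t : udp_socket name_bind ;
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# 'allow S T : C P ;' or 'allow S T : C { p1 p2 } ;' as printed by sesearch --allow
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;")


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else parts[-1]


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "fields": fields,
    }


def parse_avcs(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def parse_allow_rules(text):
    """Parse sesearch --allow output into (source, target, class, perms) tuples."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        s, t, c, p = m.groups()
        rules.append((s, t, c, frozenset(p.strip("{}").split())))
    return rules


def is_allowed(rec, rules):
    """True if every denied permission is granted by some parsed allow rule."""
    granted = set()
    for s, t, c, perms in rules:
        if s == rec["stype"] and t == rec["ttype"] and c == rec["tclass"]:
            granted |= perms
    return rec["perms"] <= granted


def sesearch_query(rec):
    """Build the sesearch command that checks this denial against the loaded policy."""
    return "sesearch --allow -s {} -t {} -c {} -p {}".format(
        rec["stype"], rec["ttype"], rec["tclass"], ",".join(sorted(rec["perms"])))


def check_denials(avc_text, sesearch_text):
    """Pair each parsed denial with whether the listed allow rules cover it."""
    rules = parse_allow_rules(sesearch_text)
    return [(rec, is_allowed(rec, rules)) for rec in parse_avcs(avc_text)]


if __name__ == "__main__":
    for rec, ok in check_denials(SAMPLE_AVCS, SAMPLE_SESEARCH):
        verdict = "covered by listed rules" if ok else "not covered by listed rules"
        perms = " ".join(sorted(rec["perms"]))
        print(f"{rec['comm']}: {rec['stype']} -> {rec['ttype']}:{rec['tclass']} "
              f"{{ {perms} }}: {verdict}")
        print("   check: " + sesearch_query(rec))
```

Run against a live system, feed it `ausearch -m avc` output and the matching `sesearch --allow` output; a denial that the script marks as covered, yet still appears in the audit log, is the policy-version or boolean mismatch that audit2why reports above, so compare `rpm -q selinux-policy` against the policy the denial was logged under before adding any local rule.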
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list