On 08/23/2010 10:09 AM, Arthur Dent wrote:
On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>
> snip...
>
>> My first guess is that you have mislabeled files. Try to relabel your
>> file system and then try again from scratch, then if you get any AVC
>> denials please send them here.
>
> OK - Fair point. In fact, now you come to mention it, I have done a lot
> of copying from my F11 setup and a lot of other configuration and
> haven't done a relabel since about half way through my implementation.
>
> Yesterday I updated with yum and it delivered:
> selinux-policy-3.7.19-47.fc13.noarch
> selinux-policy-targeted-3.7.19-47.fc13.noarch
>
> So now might be a good time for a relabel...
>
> I will report back (probably tomorrow).
Well this is interesting...
Since unloading my custom clamd module and relabelling I have had NO
avcs! - Not one.
Clamd is still being blocked however, so I have now activated the
semodule -DB thing...
No AVCs have been produced (in the sense that no setroubleshoot emails
have been produced), but here is the output of
ausearch -m avc -ts recent :
time->Mon Aug 23 08:57:02 2010
type=SYSCALL msg=audit(1282550222.014:42728): arch=40000003 syscall=11 success=yes exit=0
a0=9297fe0 a1=9297c90 a2=9297008 a3=929a1e8 items=0 ppid=23900 pid=23901 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282550222.014:42728): avc: denied { noatsecure } for pid=23901
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1282550222.014:42728): avc: denied { siginh } for pid=23901
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1282550222.014:42728): avc: denied { rlimitinh } for pid=23901
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
----
time->Mon Aug 23 08:57:02 2010
type=SYSCALL msg=audit(1282550222.302:42730): arch=40000003 syscall=33 success=no
exit=-13 a0=87ffc90 a1=2 a2=6fb4f8 a3=86b4088 items=0 ppid=23900 pid=23901 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282550222.302:42730): avc: denied { write } for pid=23901
comm="setroubleshootd" name="rpm" dev=sda6 ino=203
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Mon Aug 23 08:57:02 2010
type=SYSCALL msg=audit(1282550222.304:42731): arch=40000003 syscall=33 success=no
exit=-13 a0=87ffc90 a1=2 a2=6fb4f8 a3=87f9398 items=0 ppid=23900 pid=23901 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282550222.304:42731): avc: denied { write } for pid=23901
comm="setroubleshootd" name="rpm" dev=sda6 ino=203
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.040:42733): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfe490a0 a2=3 a3=0 items=0 ppid=23912 pid=23916 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282550227.040:42733): avc: denied { search } for pid=23916
comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for pid=23920
comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir

This is still an issue:

some process running in the procmail_t domain is running
/usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
but it is not domain transitioning to the clamscan_t domain.

Policy defines that if a process running in the procmail_t domain runs a
file labelled clamscan_exec_t, that procmail_t will domain transition to
clamscan_t domain.

This did not happen on your config.

Either your clamdscan executable file is mislabelled or you are missing
a domain transition rule.

Where is your "clamdscan" executable file located, and what is it labelled?

What does the following return:

sesearch -SC --allow -s procmail_t -t clamscan_t -c process
sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file

----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.096:42735): arch=40000003 syscall=11 success=yes exit=0
a0=8e92dd0 a1=8e95760 a2=8e95888 a3=8e95760 items=0 ppid=23925 pid=23926 auid=4294967295
uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0
key=(null)
type=AVC msg=audit(1282550227.096:42735): avc: denied { noatsecure } for pid=23926
comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282550227.096:42735): avc: denied { siginh } for pid=23926
comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282550227.096:42735): avc: denied { rlimitinh } for pid=23926
comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
----
time->Mon Aug 23 08:57:06 2010
type=SYSCALL msg=audit(1282550226.692:42732): arch=40000003 syscall=11 success=yes exit=0
a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0 ppid=23909 pid=23910 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="procmail" exe="/usr/bin/procmail"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282550226.692:42732): avc: denied { noatsecure } for pid=23910
comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282550226.692:42732): avc: denied { siginh } for pid=23910
comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282550226.692:42732): avc: denied { rlimitinh } for pid=23910
comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.209:42736): arch=40000003 syscall=5 success=no exit=-13
a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0 ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd"
exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1282550227.209:42736): avc: denied { read } for pid=20954
comm="spamd" name="shadow" dev=sda6 ino=85497
scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
Audit2allow produced some funny stuff when I tried to run this through it
so I think it is best if you take a look at it!
Thanks again.
Mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
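
Added example, not part of the original thread or of any SELinux tool: with dontaudit rules disabled by semodule -DB, the noatsecure/siginh/rlimitinh records mark execs that did change domain, so splitting them from the remaining denials shows spamc leaving procmail_t while clamdscan stays in it. The sample input is constructed from the records quoted above, re-joined one per line under a placeholder header; `triage`, `sel_type` and the constants are names chosen here.

```python
import re

# Permissions checked when an exec changes domain. Policy normally hides them
# with dontaudit rules, so they only appear while `semodule -DB` is in effect.
INHERIT = {"noatsecure", "siginh", "rlimitinh"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

# Constructed sample: record bodies copied from the thread's ausearch output,
# one record per line (assumed input format), with a placeholder audit header.
HDR = "type=AVC msg=audit(0.0:0): avc: denied "
SAMPLE = "\n".join(HDR + r for r in [
    '{ noatsecure } for pid=23910 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process',
    '{ search } for pid=23916 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir',
    '{ search } for pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir',
    '{ siginh } for pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process',
    '{ read } for pid=20954 comm="spamd" name="shadow" dev=sda6 ino=85497 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
])

def sel_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def triage(text):
    """Split AVC records into observed domain transitions and other denials."""
    transitions, denials = set(), []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, separators, timestamps
        perms = set(m["perms"].split())
        src, tgt = sel_type(m["s"]), sel_type(m["t"])
        if m["cls"] == "process" and perms <= INHERIT:
            # Only checked when the exec changed domain: src -> tgt happened.
            transitions.add((m["comm"], src, tgt))
        else:
            row = (m["comm"], src, " ".join(sorted(perms)), tgt, m["cls"])
            if row not in denials:  # collapse repeats from retries
                denials.append(row)
    return transitions, denials

if __name__ == "__main__":
    moved, blocked = triage(SAMPLE)
    for comm, src, tgt in sorted(moved):
        print(f"transition  {comm}: {src} -> {tgt}")
    for comm, src, perms, tgt, cls in blocked:
        print(f"denied      {comm} ({src}) {{ {perms} }} on {tgt}:{cls}")
```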