Sebastian Pfaff wrote:
Hey Temlakos,
> Where do I find the logs to tell me what permissions a certain new
> application will need to operate?
You find these messages in /var/log/audit/audit.log. Open this file
with a pager of your choice (e.g. less or more). Then look for
messages with type AVC. As an alternative you can use ausearch to find
SELinux AVC (Access Vector Cache) denials/messages.
this command:
ausearch -m avc -ts today # shows you all auditd messages of type AVC
# which are generated today. Consult manpage of ausearch for details.
How to read AVC denials is described here:
http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/
(Read topic "7.3. Fixing Problems")
> I'm using Fedora 12 on an HP Pavilion machine with a dual-core
> processor. Several times I have tried to install an application called
> TweetDeck. And each time I do, I am told that TweetDeck is having
> trouble accessing some secure passwords that are stored on the machine.
Redo your workflow and paste your AVC denials to this list.
> I am convinced that SELinux is doing it.
Probably yes.
> But I don't know how to get
> SELinux to play nice, because I can't see where the problem is.
You can use audit2allow to get SELinux to play nice. But be careful
when using this command. audit2allow simply generates SELinux rules
(aka Access Vector Rules) based on /var/log/audit/audit.log . It is
not uncommon that audit2allow allows more than you want. But for a
beginner this tool is a good choice.
--
Sebastian Pfaff
Well, before I use audit2allow, I'll first want to know how to turn that
off. Anyway, here's the output, after I un-hid the alerts:
-------------------------------------------
[root@temlakosbeta temlakos]# semodule -DB
[root@temlakosbeta temlakos]# ausearch -m avc -ts today
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.038:22518): arch=40000003 syscall=5
success=no exit=-13 a0=1387d20 a1=98800 a2=c93ff4 a3=1387d20 items=0
ppid=1 pid=1545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon"
exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1267724351.038:22518): avc: denied { search } for
pid=1545 comm="dbus-daemon" name="root" dev=dm-0 ino=106497
scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.050:22520): arch=40000003 syscall=11
success=yes exit=0 a0=12c2778 a1=746ae28 a2=0 a3=0 items=0 ppid=5873
pid=5879 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles"
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.050:22520): avc: denied { noatsecure }
for pid=5879 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc: denied { siginh } for
pid=5879 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc: denied { rlimitinh }
for pid=5879 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.052:22521): arch=40000003 syscall=11
success=yes exit=0 a0=9f05c30 a1=9f055a8 a2=9f05008 a3=9f081e8 items=0
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.052:22521): avc: denied { noatsecure }
for pid=5878 comm="setroubleshootd"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.052:22521): avc: denied { siginh } for
pid=5878 comm="setroubleshootd"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.052:22521): avc: denied { rlimitinh }
for pid=5878 comm="setroubleshootd"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.227:22522): arch=40000003 syscall=33
success=no exit=-13 a0=9868e90 a1=2 a2=60f900 a3=9809c00 items=0
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.227:22522): avc: denied { write } for
pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.229:22523): arch=40000003 syscall=33
success=no exit=-13 a0=9898478 a1=2 a2=60f900 a3=9854390 items=0
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.229:22523): avc: denied { write } for
pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
[root@temlakosbeta temlakos]#
------------------------------------------
The workflow is this: using Adobe AIR Installer to install the TweetDeck
application. I only just performed this test, and that's what I got from
a single workflow.
Temlakos
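
An added example, not part of the original thread: a small Python parser that rejoins line-wrapped `ausearch -m avc` output like the listing above and merges the denials per source type, target type and class into allow-rule candidates of the kind audit2allow generates, so they can be read before anything is loaded. The sample input is constructed from the posted records, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the posted records, in the same wrapped layout.
SAMPLE = """\
----
type=SYSCALL msg=audit(1267724351.038:22518): syscall=5 success=no exit=-13
type=AVC msg=audit(1267724351.038:22518): avc:  denied  { search } for
pid=1545 comm="dbus-daemon" name="root" dev=dm-0 ino=106497
scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1267724351.050:22520): avc:  denied  { noatsecure }
for pid=5879 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc:  denied  { siginh } for
pid=5879 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin wrapped records; a record starts at 'type=', 'time->' or '----'."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("type=", "time->", "----")):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def parse_denials(text):
    """Yield (source_type, target_type, class, [perms]) per AVC denial."""
    for rec in unwrap(text):
        m = AVC_RE.search(rec) if rec.startswith("type=AVC") else None
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))} if m else {}
        if {"scontext", "tcontext", "tclass"} <= kv.keys():
            # The type is the third colon-separated field of a security context.
            yield (kv["scontext"].split(":")[2], kv["tcontext"].split(":")[2],
                   kv["tclass"], m.group(1).split())

def candidate_rules(text):
    """Merge denials per (source, target, class) into reviewable allow rules."""
    grouped = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        grouped[(src, tgt, cls)].update(perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]
```

Calling `candidate_rules()` on saved `ausearch` output shows each source domain next to the object types it was denied access to, which makes an overly broad rule easy to spot before it is accepted.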