AVCs whilst installing latest F8 update batch
Got a bunch of AVCs whilst installing these updates today:

Nov 22 07:50:15 Updated: bind-libs - 32:9.5.0-18.a7.fc8.x86_64
Nov 22 07:50:17 Updated: pilot-link - 2:0.12.2-7.fc8.x86_64
Nov 22 07:50:20 Updated: bind - 32:9.5.0-18.a7.fc8.x86_64
Nov 22 07:50:22 Updated: smolt - 1.0-1.fc8.noarch
Nov 22 07:50:25 Updated: system-config-firewall-tui - 1.0.11-1.fc8.noarch
Nov 22 07:50:25 Updated: bind-utils - 32:9.5.0-18.a7.fc8.x86_64
Nov 22 07:50:29 Updated: system-config-firewall - 1.0.11-1.fc8.noarch
Nov 22 07:50:29 Updated: smolt-firstboot - 1.0-1.fc8.noarch
Nov 22 07:50:35 Updated: bind-chroot - 32:9.5.0-18.a7.fc8.x86_64
Nov 22 07:50:37 Updated: setroubleshoot-plugins - 1.10.4-1.fc8.noarch
Nov 22 07:50:38 Updated: libao - 0.8.8-2.fc8.x86_64
Nov 22 07:50:40 Updated: pilot-link - 2:0.12.2-7.fc8.i386

Piping the AVCs into audit2allow -R yielded:

require {
    type named_conf_t;
    type setfiles_t;
    type proc_t;
    class lnk_file relabelfrom;
    class dir relabelfrom;
    class file relabelfrom;
    class filesystem associate;
}

#============= named_conf_t ==============
allow named_conf_t proc_t:filesystem associate;

#============= setfiles_t ==============
allow setfiles_t self:dir relabelfrom;
allow setfiles_t self:file relabelfrom;
allow setfiles_t self:lnk_file relabelfrom;
kernel_getattr_core_if(setfiles_t)
kernel_getattr_message_if(setfiles_t)
kernel_read_device_sysctls(setfiles_t)
kernel_read_kernel_sysctls(setfiles_t)
kernel_read_net_sysctls(setfiles_t)
kernel_read_software_raid_state(setfiles_t)
kernel_read_vm_sysctls(setfiles_t)

As far as I can see, the updates installed OK.

I can post the raw audit messages if it's useful.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

AVCs whilst installing latest F8 update batch
Paul Howarth wrote:
> Got a bunch of AVCs whilst installing these updates today:
>
> Nov 22 07:50:15 Updated: bind-libs - 32:9.5.0-18.a7.fc8.x86_64
> Nov 22 07:50:17 Updated: pilot-link - 2:0.12.2-7.fc8.x86_64
> Nov 22 07:50:20 Updated: bind - 32:9.5.0-18.a7.fc8.x86_64
> Nov 22 07:50:22 Updated: smolt - 1.0-1.fc8.noarch
> Nov 22 07:50:25 Updated: system-config-firewall-tui - 1.0.11-1.fc8.noarch
> Nov 22 07:50:25 Updated: bind-utils - 32:9.5.0-18.a7.fc8.x86_64
> Nov 22 07:50:29 Updated: system-config-firewall - 1.0.11-1.fc8.noarch
> Nov 22 07:50:29 Updated: smolt-firstboot - 1.0-1.fc8.noarch
> Nov 22 07:50:35 Updated: bind-chroot - 32:9.5.0-18.a7.fc8.x86_64
> Nov 22 07:50:37 Updated: setroubleshoot-plugins - 1.10.4-1.fc8.noarch
> Nov 22 07:50:38 Updated: libao - 0.8.8-2.fc8.x86_64
> Nov 22 07:50:40 Updated: pilot-link - 2:0.12.2-7.fc8.i386
>
>
> Piping the AVCs into audit2allow -R yielded:
>
> require {
>     type named_conf_t;
>     type setfiles_t;
>     type proc_t;
>     class lnk_file relabelfrom;
>     class dir relabelfrom;
>     class file relabelfrom;
>     class filesystem associate;
> }
>
> #============= named_conf_t ==============
> allow named_conf_t proc_t:filesystem associate;
>
> #============= setfiles_t ==============
> allow setfiles_t self:dir relabelfrom;
> allow setfiles_t self:file relabelfrom;
> allow setfiles_t self:lnk_file relabelfrom;
> kernel_getattr_core_if(setfiles_t)
> kernel_getattr_message_if(setfiles_t)
> kernel_read_device_sysctls(setfiles_t)
> kernel_read_kernel_sysctls(setfiles_t)
> kernel_read_net_sysctls(setfiles_t)
> kernel_read_software_raid_state(setfiles_t)
> kernel_read_vm_sysctls(setfiles_t)
>
> As far as I can see, the updates installed OK.
>
> I can post the raw audit messages if it's useful.
>
> Paul.

Most of these are caused by bind-chroot running a recursive restorecon over the /var/chroot directory after /proc is mounted. The restorecon command runs over all the directories and tries to relabel them named_conf_t including the /proc mounted under the chroot.

bind-chroot should run the restorecon before mounting the file systems, which would eliminate these avc's.

I have updated the bugzilla.
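
The ordering problem described in the reply above, as an added example that is not part of the original thread or of the bind-chroot package: a shell check that lists filesystems mounted beneath a directory, so a recursive relabel can be run before they are mounted. The /var/chroot path is taken from the reply; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find filesystems mounted below a
# directory before relabeling it recursively.

# Constructed sample in /proc/mounts format; devices and paths are assumptions.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
proc /var/chroot/proc proc rw 0 0
/dev/sda1 /var/chroot/var/run ext3 rw,bind 0 0
tmpfs /var/chroot-other tmpfs rw 0 0'

# mounts_under ROOT
# Reads a mount table on stdin and prints "mountpoint fstype" for every
# mount strictly below ROOT. Matching on "ROOT/" keeps a sibling such as
# /var/chroot-other from being mistaken for part of /var/chroot.
mounts_under() {
    root=${1%/}                       # tolerate a trailing slash
    while read -r _dev mnt fstype _rest; do
        case $mnt in
            "$root"/*) printf '%s %s\n' "$mnt" "$fstype" ;;
        esac
    done
}

# relabel_is_safe ROOT
# Succeeds only when the mount table on stdin has nothing mounted below ROOT,
# i.e. a recursive relabel of ROOT would not cross into another filesystem.
relabel_is_safe() {
    [ -z "$(mounts_under "$1")" ]
}

# Demo on the constructed table; on a live system feed /proc/mounts instead.
printf '%s\n' "$SAMPLE_MOUNTS" | mounts_under /var/chroot
if printf '%s\n' "$SAMPLE_MOUNTS" | relabel_is_safe /var/chroot; then
    echo "nothing mounted below /var/chroot"
else
    echo "nested mounts below /var/chroot: relabel before mounting them"
fi
```
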