02-24-2010, 07:08 PM
"Daniel B. Thurman"

Setenforce prevented?

Issuing the following command:
# setenforce 0

Results with log message:

Feb 24 12:04:31 <host> dbus: avc: received setenforce notice (enforcing=0)
Feb 24 12:04:31 <host> dbus: Can't send to audit system: USER_AVC avc:
received setenforce notice (enforcing=0)#012: exe="?" sauid=81
hostname=? addr=? terminal=?

And yet, selinux messages keep popping up where none should be showing?


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
02-24-2010, 07:12 PM
Dominick Grift

Setenforce prevented?

On 02/24/2010 09:08 PM, Daniel B. Thurman wrote:
>
> Issuing the following command:
> # setenforce 0
>
> Results with log message:
>
> Feb 24 12:04:31 <host> dbus: avc: received setenforce notice (enforcing=0)
> Feb 24 12:04:31 <host> dbus: Can't send to audit system: USER_AVC avc:
> received setenforce notice (enforcing=0)#012: exe="?" sauid=81
> hostname=? addr=? terminal=?

This is a known bug in dbus, but it should not affect anything except
that it throws the messages.

> And yet, selinux messages keep popping up where none should be showing?

SELinux permissive mode means: allow all access but log would-be denials.

What denials are you seeing?
 
02-24-2010, 07:30 PM
Daniel J Walsh

Setenforce prevented?

On 02/24/2010 03:12 PM, Dominick Grift wrote:
> On 02/24/2010 09:08 PM, Daniel B. Thurman wrote:
>
>> Issuing the following command:
>> # setenforce 0
>>
>> Results with log message:
>>
>> Feb 24 12:04:31<host> dbus: avc: received setenforce notice (enforcing=0)
>> Feb 24 12:04:31<host> dbus: Can't send to audit system: USER_AVC avc:
>> received setenforce notice (enforcing=0)#012: exe="?" sauid=81
>> hostname=? addr=? terminal=?
>>
>
The funny/sad thing is this is not an SELinux avc error although it is
reported as such. I have sent a patch for this a couple of times.

This is what is happening. dbus uses SELinux policy and communicates
with the SELinux subsystem to query whether something is allowed or
not. When policy is reloaded the SELinux system sends a message to all
policy enforcers that there has been a policy reload.

Dbus gets the message that it received an updated policy and it decides
it needs to write the message to the audit subsystem. If dbus is
running as root it is allowed and everything works correctly. If dbus
(session_bus) is running as non-root, when it tries to send the audit
message it is blocked by DAC (not by SELinux). Then it reports this
as an error to the syslog system.

The patch that has been sent to dbus is to understand when it is running
as non-root that it does not need to send audit messages.


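A log-triage example for the situation discussed in this thread, added here and not code from any of the posters or from dbus: it separates the dbus status notices and the failed audit write from real `avc: denied` records, so permissive-mode denials can be reviewed on their own. The sample lines are constructed (the first two mirror the messages quoted above, unwrapped); the `policyload` notice pattern and the kernel denial line are assumptions beyond what the thread shows.

```python
import re

# Constructed sample syslog lines: the first two mirror the messages quoted in
# the thread (unwrapped); the third is a made-up kernel AVC denial for contrast.
SAMPLE_LOG = """\
Feb 24 12:04:31 host dbus: avc: received setenforce notice (enforcing=0)
Feb 24 12:04:31 host dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
Feb 24 12:05:02 host kernel: type=1400 audit(1267041902.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Status notices that userspace object managers (such as dbus) log on a mode
# change or policy reload. The policyload form is an assumption; only the
# setenforce form appears in the thread.
NOTICE = re.compile(r"avc:\s+received (setenforce|policyload) notice \((\w+)=(\d+)\)")
# A real access decision: these are what permissive mode logs but does not block.
DENIAL = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
AUDIT_SEND_FAILED = "Can't send to audit system"


def classify(line):
    """Return (kind, detail) for one syslog line."""
    m = DENIAL.search(line)
    if m:
        perms, scon, tcon, tclass = m.groups()
        return "denial", {"perms": perms.split(), "scontext": scon,
                          "tcontext": tcon, "tclass": tclass}
    m = NOTICE.search(line)
    if m:
        # Same notice, but wrapped in dbus's complaint that the audit write failed.
        kind = "audit-send-failed" if AUDIT_SEND_FAILED in line else "notice"
        return kind, {"event": m.group(1), m.group(2): int(m.group(3))}
    return "other", {}


def triage(text):
    """Group lines by kind so real denials are not buried under notices."""
    out = {"denial": [], "notice": [], "audit-send-failed": [], "other": []}
    for line in text.splitlines():
        kind, detail = classify(line)
        out[kind].append(detail)
    return out


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, len(items), items)
```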
 

All times are GMT.