Old 06-03-2008, 09:14 AM
Paul Howarth
 
AVCs from cron.daily (F9)

On my work box, which is an up-to-date F9 install, I get a set of AVCs
from cron.daily every day, which I don't get on my home boxes. I suspect
it's because we use LDAP auth at work. It boils down to this when passed
through audit2allow -R:


require {
type logwatch_t;
type locate_t;
type tmpreaper_t;
type logrotate_t;
}

#============= locate_t ==============
cron_rw_tcp_sockets(locate_t)

#============= logrotate_t ==============
cron_rw_tcp_sockets(logrotate_t)

#============= logwatch_t ==============
cron_rw_tcp_sockets(logwatch_t)

#============= tmpreaper_t ==============
cron_rw_tcp_sockets(tmpreaper_t)


Sample AVC:
time->Tue Jun 3 05:05:05 2008
type=SYSCALL msg=audit(1212465905.734:5714): arch=c000003e syscall=59
success=yes exit=0 a0=25545d0 a1=2551360 a2=25539a0 a3=8 items=0
ppid=12101 pid=12134 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=605 comm="tmpwatch"
exe="/usr/sbin/tmpwatch"
subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1212465905.734:5714): avc: denied { read write }
for pid=12134 comm="tmpwatch" path="socket:[24785059]" dev=sockfs
ino=24785059 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket


Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 06-04-2008, 07:05 PM
Daniel J Walsh
 
AVCs from cron.daily (F9)

Paul Howarth wrote:
> On my work box, which is an up-to-date F9 install, I get a set of AVCs
> from cron.daily every day, which I don't get on my home boxes. I suspect
> it's because we use LDAP auth at work. It boils down to this when passed
> through audit2allow -R:
>
> require {
> type logwatch_t;
> type locate_t;
> type tmpreaper_t;
> type logrotate_t;
> }
>
> #============= locate_t ==============
> cron_rw_tcp_sockets(locate_t)
>
> #============= logrotate_t ==============
> cron_rw_tcp_sockets(logrotate_t)
>
> #============= logwatch_t ==============
> cron_rw_tcp_sockets(logwatch_t)
>
> #============= tmpreaper_t ==============
> cron_rw_tcp_sockets(tmpreaper_t)
>
>
> Sample AVC:
> time->Tue Jun 3 05:05:05 2008
> type=SYSCALL msg=audit(1212465905.734:5714): arch=c000003e syscall=59
> success=yes exit=0 a0=25545d0 a1=2551360 a2=25539a0 a3=8 items=0
> ppid=12101 pid=12134 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=605 comm="tmpwatch"
> exe="/usr/sbin/tmpwatch"
> subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1212465905.734:5714): avc: denied { read write }
> for pid=12134 comm="tmpwatch" path="socket:[24785059]" dev=sockfs
> ino=24785059 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
> tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Leaked file descriptor in nssldap?

 
Old 06-04-2008, 07:19 PM
Paul Howarth
 
AVCs from cron.daily (F9)

On Wed, 04 Jun 2008 15:05:55 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:

> Paul Howarth wrote:
> > On my work box, which is an up-to-date F9 install, I get a set of
> > AVCs from cron.daily every day, which I don't get on my home boxes.
> > I suspect it's because we use LDAP auth at work. It boils down to
> > this when passed through audit2allow -R:
> >
> > require {
> > type logwatch_t;
> > type locate_t;
> > type tmpreaper_t;
> > type logrotate_t;
> > }
> >
> > #============= locate_t ==============
> > cron_rw_tcp_sockets(locate_t)
> >
> > #============= logrotate_t ==============
> > cron_rw_tcp_sockets(logrotate_t)
> >
> > #============= logwatch_t ==============
> > cron_rw_tcp_sockets(logwatch_t)
> >
> > #============= tmpreaper_t ==============
> > cron_rw_tcp_sockets(tmpreaper_t)
> >
> >
> > Sample AVC:
> > time->Tue Jun 3 05:05:05 2008
> > type=SYSCALL msg=audit(1212465905.734:5714): arch=c000003e
> > syscall=59 success=yes exit=0 a0=25545d0 a1=2551360 a2=25539a0 a3=8
> > items=0 ppid=12101 pid=12134 auid=0 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=605 comm="tmpwatch"
> > exe="/usr/sbin/tmpwatch"
> > subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1212465905.734:5714): avc: denied { read
> > write } for pid=12134 comm="tmpwatch" path="socket:[24785059]"
> > dev=sockfs ino=24785059
> > scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023
> > tclass=tcp_socket
> >
> > Paul.
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Leaked file descriptor in nssldap?

I expect so. The denials don't seem to cause any problems but it would
be nice if they were dontaudited.

Paul.

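Added example, not code from the thread: a small Python parser for the AVC record Paul posted that applies the reasoning behind Dan's "leaked file descriptor" question (a socket labelled with the parent's domain, crond_t, being accessed by the transitioned child domain, tmpreaper_t) and emits the dontaudit rule Paul asks for instead of the allow that audit2allow -R suggests. SOCKET_CLASSES is an assumed subset of SELinux object classes, and the input is the thread's own AVC line re-joined onto one line.

```python
import re
from typing import Dict, Optional

# Constructed input: the AVC record quoted in the thread, re-joined onto one line.
AVC_SAMPLE = (
    'type=AVC msg=audit(1212465905.734:5714): avc: denied { read write } '
    'for pid=12134 comm="tmpwatch" path="socket:[24785059]" dev=sockfs '
    'ino=24785059 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket'
)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r"denied\s*\{\s*([^}]*?)\s*\}")
# Assumed subset of socket object classes; a process creates these in its own domain.
SOCKET_CLASSES = {"tcp_socket", "udp_socket", "unix_stream_socket", "unix_dgram_socket"}

def parse_avc(record: str) -> Dict[str, str]:
    """Split an AVC record into its key=value fields plus a 'perms' entry."""
    fields = {k: v.strip('"') for k, v in _KV.findall(record)}
    m = _PERMS.search(record)
    fields["perms"] = m.group(1) if m else ""
    return fields

def se_type(context: str) -> str:
    """user:role:type:range -> type, the part a policy rule names."""
    return context.split(":")[2]

def inherited_socket_from(fields: Dict[str, str]) -> Optional[str]:
    """Return the domain that owns the socket when the denial fits the
    inherited-descriptor pattern, else None.  A socket is labelled with the
    domain of the process that created it, so tmpreaper_t being denied on a
    crond_t socket means it holds a descriptor it never opened itself: one
    that survived the exec from crond."""
    if fields.get("tclass") not in SOCKET_CLASSES:
        return None
    src, tgt = se_type(fields["scontext"]), se_type(fields["tcontext"])
    return tgt if src != tgt else None

def dontaudit_rule(fields: Dict[str, str]) -> str:
    """Raw policy rule that silences this denial instead of allowing it."""
    return (f"dontaudit {se_type(fields['scontext'])} "
            f"{se_type(fields['tcontext'])}:{fields['tclass']} "
            f"{{ {fields['perms']} }};")

if __name__ == "__main__":
    f = parse_avc(AVC_SAMPLE)
    print(f"{f['comm']} in {se_type(f['scontext'])} was denied {f['perms']} on a "
          f"{f['tclass']} created by {inherited_socket_from(f)}; quieting rule:")
    print(dontaudit_rule(f))
```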
 
Old 06-04-2008, 07:53 PM
Daniel J Walsh
 
AVCs from cron.daily (F9)

Paul Howarth wrote:
> On Wed, 04 Jun 2008 15:05:55 -0400
> Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>> Paul Howarth wrote:
>>> On my work box, which is an up-to-date F9 install, I get a set of
>>> AVCs from cron.daily every day, which I don't get on my home boxes.
>>> I suspect it's because we use LDAP auth at work. It boils down to
>>> this when passed through audit2allow -R:
>>>
>>> require {
>>> type logwatch_t;
>>> type locate_t;
>>> type tmpreaper_t;
>>> type logrotate_t;
>>> }
>>>
>>> #============= locate_t ==============
>>> cron_rw_tcp_sockets(locate_t)
>>>
>>> #============= logrotate_t ==============
>>> cron_rw_tcp_sockets(logrotate_t)
>>>
>>> #============= logwatch_t ==============
>>> cron_rw_tcp_sockets(logwatch_t)
>>>
>>> #============= tmpreaper_t ==============
>>> cron_rw_tcp_sockets(tmpreaper_t)
>>>
>>>
>>> Sample AVC:
>>> time->Tue Jun 3 05:05:05 2008
>>> type=SYSCALL msg=audit(1212465905.734:5714): arch=c000003e
>>> syscall=59 success=yes exit=0 a0=25545d0 a1=2551360 a2=25539a0 a3=8
>>> items=0 ppid=12101 pid=12134 auid=0 uid=0 gid=0 euid=0 suid=0
>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=605 comm="tmpwatch"
>>> exe="/usr/sbin/tmpwatch"
>>> subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
>>> type=AVC msg=audit(1212465905.734:5714): avc: denied { read
>>> write } for pid=12134 comm="tmpwatch" path="socket:[24785059]"
>>> dev=sockfs ino=24785059
>>> scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
>>> tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023
>>> tclass=tcp_socket
>>>
>>> Paul.
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Leaked file descriptor in nssldap?
>
> I expect so. The denials don't seem to cause any problems but it would
> be nice if they were dontaudited.
>
> Paul.
It would be nicer if the nssldap would be fixed...

I am working it.
