Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora User (http://www.linux-archive.org/fedora-user/)
-   -   'avc denied' (http://www.linux-archive.org/fedora-user/601495-avc-denied.html)

jackson byers 11-22-2011 10:23 PM

'avc denied'
 
# uname -r
2.6.35.14-103.fc14.i686.PAE



I haven't paid much attention to avc warnings.

did /.autorelabel, reboot, to see if that could stop avc.

Still see
'avc: denied' in auditlog, involving firefox, plugin-config,...

last 6 of # grep -n avc audit.log:


279:type=AVC msg=audit(1321983739.130:242): avc: denied { read } for
pid=20223 comm="ldd" name="firefox" dev=sda8 ino=999863
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file
281:type=AVC msg=audit(1321983739.134:243): avc: denied { sys_ptrace
} for pid=20215 comm="setroubleshootd" capability=19
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability
283:type=AVC msg=audit(1321983739.312:244): avc: denied { read } for
pid=20225 comm="ldd" name="firefox" dev=sda8 ino=999863
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file
285:type=AVC msg=audit(1321983739.314:245): avc: denied { sys_ptrace
} for pid=20215 comm="setroubleshootd" capability=19
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability
302:type=AVC msg=audit(1321989501.906:261): avc: denied { execstack
} for pid=21019 comm="plugin-config"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
304:type=AVC msg=audit(1321989519.158:262): avc: denied { read } for
pid=21046 comm="ldd" name="plugin-config" dev=sda8 ino=1000054
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:nsplugin_config_exec_t: s0 tclass=file
[root@f14 audit]#


no 'file_t' seen:

[root@f14 audit]# grep file_t audit.log
[root@f14 audit]#

I have put only minimal effort into learning selinux syntax, methods.
Overwhelming, to me.

are there simple rules on how to respond to 'avc denied'?

If I do nothing?

Jack
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

Daniel J Walsh 11-23-2011 02:37 PM

'avc denied'
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/22/2011 06:23 PM, jackson byers wrote:
> # uname -r 2.6.35.14-103.fc14.i686.PAE
>
>
>
> I haven't paid much attention to avc warnings.
>
> did /.autorelabel, reboot, to see if that could stop avc.
>
> Still see 'avc: denied' in auditlog, involving firefox,
> plugin-config,...
>
> last 6 of # grep -n avc audit.log:
>
>
> 279:type=AVC msg=audit(1321983739.130:242): avc: denied { read }
> for pid=20223 comm="ldd" name="firefox" dev=sda8 ino=999863
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file
> 281:type=AVC msg=audit(1321983739.134:243): avc: denied {
> sys_ptrace } for pid=20215 comm="setroubleshootd" capability=19
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability
> 283:type=AVC msg=audit(1321983739.312:244): avc: denied { read }
> for pid=20225 comm="ldd" name="firefox" dev=sda8 ino=999863
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file
> 285:type=AVC msg=audit(1321983739.314:245): avc: denied {
> sys_ptrace } for pid=20215 comm="setroubleshootd" capability=19
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability
> 302:type=AVC msg=audit(1321989501.906:261): avc: denied {
> execstack } for pid=21019 comm="plugin-config"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process 304:type=AVC msg=audit(1321989519.158:262): avc:
> denied { read } for pid=21046 comm="ldd" name="plugin-config"
> dev=sda8 ino=1000054
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:nsplugin_config_exec_t: s0 tclass=file
> [root@f14 audit]#
>
>
> no 'file_t' seen:
>
> [root@f14 audit]# grep file_t audit.log [root@f14 audit]#
>
> I have put only minimal effort into learning selinux syntax,
> methods. Overwhelming, to me.
>
> are there simple rules on how to respond to 'avc denied'?
>
> If I do nothing?
>
> Jack

Interesting AVC's. SEtroubleshoot is trying to figure out why a
certain application required execstack privs. In this case
plugin-config. It looks like you have installed an application plugin
for firefox that requies execstack. setroubleshoot was trying to
figure out if you had any libraries labeled as requireing execstack by
executing

ldd plugin-config.

Sadly this generated additional AVCs.

The setroubleshoot avc's are fixed in F16.






-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7NEzQACgkQrlYvE4MpobPzlQCeLQtV1PU8w8 wjgozHYi4JMs8E
ljYAnA3KMDuoy5wWBfT+wF4cN7lp7Wrq
=Vn19
-----END PGP SIGNATURE-----
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


All times are GMT. The time now is 07:42 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.