'avc denied'
# uname -r
2.6.35.14-103.fc14.i686.PAE I haven't paid much attention to avc warnings. did /.autorelabel, reboot, to see if that could stop avc. Still see 'avc: denied' in auditlog, involving firefox, plugin-config,... last 6 of # grep -n avc audit.log: 279:type=AVC msg=audit(1321983739.130:242): avc: denied { read } for pid=20223 comm="ldd" name="firefox" dev=sda8 ino=999863 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file 281:type=AVC msg=audit(1321983739.134:243): avc: denied { sys_ptrace } for pid=20215 comm="setroubleshootd" capability=19 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability 283:type=AVC msg=audit(1321983739.312:244): avc: denied { read } for pid=20225 comm="ldd" name="firefox" dev=sda8 ino=999863 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file 285:type=AVC msg=audit(1321983739.314:245): avc: denied { sys_ptrace } for pid=20215 comm="setroubleshootd" capability=19 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability 302:type=AVC msg=audit(1321989501.906:261): avc: denied { execstack } for pid=21019 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process 304:type=AVC msg=audit(1321989519.158:262): avc: denied { read } for pid=21046 comm="ldd" name="plugin-config" dev=sda8 ino=1000054 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:nsplugin_config_exec_t: s0 tclass=file [root@f14 audit]# no 'file_t' seen: [root@f14 audit]# grep file_t audit.log [root@f14 audit]# I have put only minimal effort into learning selinux syntax, methods. Overwhelming, to me. are there simple rules on how to respond to 'avc denied'? If I do nothing? Jack -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines |
'avc denied'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 On 11/22/2011 06:23 PM, jackson byers wrote: > # uname -r 2.6.35.14-103.fc14.i686.PAE > > > > I haven't paid much attention to avc warnings. > > did /.autorelabel, reboot, to see if that could stop avc. > > Still see 'avc: denied' in auditlog, involving firefox, > plugin-config,... > > last 6 of # grep -n avc audit.log: > > > 279:type=AVC msg=audit(1321983739.130:242): avc: denied { read } > for pid=20223 comm="ldd" name="firefox" dev=sda8 ino=999863 > scontext=system_u:system_r:setroubleshootd_t:s0 > tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file > 281:type=AVC msg=audit(1321983739.134:243): avc: denied { > sys_ptrace } for pid=20215 comm="setroubleshootd" capability=19 > scontext=system_u:system_r:setroubleshootd_t:s0 > tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability > 283:type=AVC msg=audit(1321983739.312:244): avc: denied { read } > for pid=20225 comm="ldd" name="firefox" dev=sda8 ino=999863 > scontext=system_u:system_r:setroubleshootd_t:s0 > tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file > 285:type=AVC msg=audit(1321983739.314:245): avc: denied { > sys_ptrace } for pid=20215 comm="setroubleshootd" capability=19 > scontext=system_u:system_r:setroubleshootd_t:s0 > tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability > 302:type=AVC msg=audit(1321989501.906:261): avc: denied { > execstack } for pid=21019 comm="plugin-config" > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tclass=process 304:type=AVC msg=audit(1321989519.158:262): avc: > denied { read } for pid=21046 comm="ldd" name="plugin-config" > dev=sda8 ino=1000054 > scontext=system_u:system_r:setroubleshootd_t:s0 > tcontext=system_u:object_r:nsplugin_config_exec_t: s0 tclass=file > [root@f14 audit]# > > > no 'file_t' seen: > > [root@f14 audit]# grep file_t audit.log [root@f14 audit]# > > I have put only minimal effort into learning selinux syntax, > methods. Overwhelming, to me. > > are there simple rules on how to respond to 'avc denied'? > > If I do nothing? > > Jack Interesting AVC's. SEtroubleshoot is trying to figure out why a certain application required execstack privs. In this case plugin-config. It looks like you have installed an application plugin for firefox that requies execstack. setroubleshoot was trying to figure out if you had any libraries labeled as requireing execstack by executing ldd plugin-config. Sadly this generated additional AVCs. The setroubleshoot avc's are fixed in F16. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7NEzQACgkQrlYvE4MpobPzlQCeLQtV1PU8w8 wjgozHYi4JMs8E ljYAnA3KMDuoy5wWBfT+wF4cN7lp7Wrq =Vn19 -----END PGP SIGNATURE----- -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines |
| All times are GMT. The time now is 11:38 PM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.