Bug 173642 - SELinux denies access
SELinux denies access
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Depends On:
  Show dependency treegraph
Reported: 2005-11-18 14:29 EST by Graham Campbell
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-01-27 01:05:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
audit.log showing spamd and klogd denials (447.13 KB, text/plain)
2006-01-02 15:10 EST, Graham Campbell
no flags Details

  None (edit)
Description Graham Campbell 2005-11-18 14:29:45 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
Many denials reported by SELinux of the form:
type=AVC msg=audit(1132324132.220:8476): avc:  denied  { write } for  pid=1540 comm="klogd" name="log" dev=tmpfs ino=4750 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:device_t tclass=sock_file

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Use standard FC4, updated nightly by yum
2.Set SeLinux to enforcing/targeted
3.Examine /var/log/audit/audit.log Or run aureport -a --failed

Actual Results:  Many Selinux denials as cited above

Expected Results:  No denials

Additional info:
Comment 1 Daniel Walsh 2005-11-30 10:19:06 EST
This probably indicates a labeling problem on your machine.

touch /.autorelabel

should clean this up.
Comment 2 Graham Campbell 2005-11-30 19:29:51 EST
System rebooted with relabel at 19:05:01. When it came up an aureport gives:
4669. 11/30/05 19:18:25 klogd system_u:system_r:klogd_t 0 write
system_u:object_r:device_t denied 6139
4670. 11/30/05 19:18:25 klogd system_u:system_r:klogd_t 0 write
system_u:object_r:device_t denied 6140
4671. 11/30/05 19:19:12 klogd system_u:system_r:klogd_t 0 write
system_u:object_r:device_t denied 6145
last 3 lines only.
/etc/selinux/config is set to Enforcing/Targeted
uname -a
Linux sirius 2.6.14-1.1644_FC4 #1 Sun Nov 27 03:25:11 EST 2005 i686 i686 i386
rpm -qa|grep selinux
Comment 3 Daniel Walsh 2005-12-01 13:40:06 EST
Could you attach your /var/log/audit/audit.log
Comment 4 Daniel Walsh 2006-01-02 12:41:26 EST
Did this problem go away?

Comment 5 Graham Campbell 2006-01-02 14:19:08 EST
I added audit rules to allow this (I.e. klogd access). I will remove those and
try again.
Comment 6 Graham Campbell 2006-01-02 14:46:58 EST
I have had no audit denials since the update to
selinux-policy-targeted-1.27.1-2.16 on 9 Dec. '05.

I removed the rule that I added, rebooted and see no denials. I think that
update fixed the problem.
Comment 7 Graham Campbell 2006-01-02 15:06:08 EST
OOPS. I screwed up. I commented out the wrong line in
/etc/selinux/targeted/src/policy/domains/misc. When I correct that and reboot I
get from the aureport:
6782. 01/02/06 14:58:59 spamd system_u:system_r:spamd_t 102 write
system_u:object_r:device_t denied 6
6783. 01/02/06 14:59:15 klogd system_u:system_r:klogd_t 0 sendto
system_u:system_r:initrc_t denied 9
6784. 01/02/06 14:59:34 klogd system_u:system_r:klogd_t 0 sendto
system_u:system_r:initrc_t denied 11
I will attach the audit.log (I hope, I have not done that before)
Comment 8 Graham Campbell 2006-01-02 15:10:04 EST
Created attachment 122691 [details]
audit.log showing spamd and klogd denials
Comment 9 Daniel Walsh 2006-01-03 10:32:59 EST
Could you execute the following.  It appears that for some reason /dev/log is
labeled incorrectly on your machine?

# ps -eZ | grep klogd
system_u:system_r:klogd_t        1686 ?        00:00:00 klogd
# ls -lZ /dev/log
srw-rw-rw-  root     root     system_u:object_r:devlog_t       /dev/log
Comment 10 Graham Campbell 2006-01-03 10:54:49 EST
As requested:
[gc@sirius ~]$ ps -eZ | grep klogd
system_u:system_r:klogd_t        1551 ?        00:00:00 klogd
[gc@sirius ~]$  ls -lZ /dev/log
srw-rw-rw-  root     root     system_u:object_r:device_t       /dev/log
[gc@sirius ~]$

I will reboot/relabel and repeat. I will post if there is any change.
Comment 11 Daniel Walsh 2006-01-27 01:05:47 EST
I am closing as I have not heard back.

Note You need to log in before you can comment on or make changes to this bug.