Bug 563102 - SELinux is preventing /sbin/auditctl "setsched" access.
Summary: SELinux is preventing /sbin/auditctl "setsched" access.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 12
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:2a5984ae77c...
Depends On:
Blocks:
 
Reported: 2010-02-09 08:43 UTC by Lucas Stach
Modified: 2010-02-20 00:22 UTC

Fixed In Version: selinux-policy-3.6.32-89.fc12
Clone Of:
Environment:
Last Closed: 2010-02-20 00:22:23 UTC
Type: ---
Embargoed:



Description Lucas Stach 2010-02-09 08:43:22 UTC
Summary:

SELinux is preventing /sbin/auditctl "setsched" access.

Detailed Description:

[auditctl has a permissive type (auditctl_t). This access was not
denied.]

SELinux denied access requested by auditctl. It is not expected that this access
is required by auditctl and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:auditctl_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                None [ process ]
Source                        auditctl
Source Path                   /sbin/auditctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           audit-2.0.4-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-78.fc12
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.9-174.lsbfs.fc12.x86_64
                              #1 SMP Sat Dec 26 10:13:13 CET 2009 x86_64 x86_64
Alert Count                   8
First Seen                    Mon 08 Feb 2010 16:47:26 CET
Last Seen                     Tue 09 Feb 2010 08:20:13 CET
Local ID                      ab927486-f927-41e9-bf06-da572ca30c6e
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1265700013.771:23547): avc:  denied  { setsched } for  pid=1419 comm="auditctl" scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process

node=(removed) type=SYSCALL msg=audit(1265700013.771:23547): arch=c000003e syscall=44 success=yes exit=16 a0=3 a1=7fff57c1cba0 a2=10 a3=0 items=0 ppid=1407 pid=1419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditctl" exe="/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-78.fc12,catchall,auditctl,auditctl_t,kernel_t,process,setsched
audit2allow suggests:

#============= auditctl_t ==============
allow auditctl_t kernel_t:process setsched;

Comment 1 Daniel Walsh 2010-02-09 13:54:24 UTC
Miroslav add

kernel_setsched(auditctl_t)

Comment 2 Miroslav Grepl 2010-02-09 14:10:40 UTC
Fixed in selinux-policy-3.6.32-86.fc12

Comment 3 Steve Grubb 2010-02-09 14:12:34 UTC
auditctl does not mess with the scheduler. I would ask the reporter how he was
invoking auditctl to see if this can be duplicated before changing selinux
policy.

Comment 4 Fedora Update System 2010-02-11 22:02:04 UTC
selinux-policy-3.6.32-89.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-89.fc12

Comment 5 Fedora Update System 2010-02-13 00:41:17 UTC
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1836

Comment 6 Steve Grubb 2010-02-16 15:36:37 UTC
Why was this bug "fixed" in policy? Auditctl does not mess with the scheduler. By allowing this permission, you are certainly granting a right that is not expected. Unless strace shows a call to setsched, I would not "fix" this.

Comment 7 Daniel Walsh 2010-02-16 15:41:21 UTC
I have a feeling this is some access within the kernel that is causing this avc.

Comment 8 Eric Paris 2010-02-16 16:14:44 UTC
The fact that this came from a 'sendto' syscall leads me to believe that sgrubb is right, it shouldn't be in policy.  I'll start digging....

Comment 9 Stephen Smalley 2010-02-16 16:16:52 UTC
Presumably we have a kernel-internal use of sched_setscheduler() that should be using sched_setscheduler_nocheck() instead?
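The check applied in comments 6 and 8, reading the SYSCALL record that shares the AVC's audit event id and asking whether that syscall can reach the denied permission from user space at all, is worth automating before any audit2allow suggestion is pasted into policy. The script below is an added example for this bug, not code from audit, setroubleshoot or selinux-policy. It parses the two raw records quoted in the description, decodes arch=c000003e/syscall=44 as x86_64 sendto, and flags the pairing as implausible for process:setsched; a second, constructed event (not from the bug) shows the same denial raised by a real sched_setscheduler call for contrast. The syscall table covers only the x86_64 numbers the check needs, and the set of syscalls treated as plausible sources of process:setsched (the sched_setscheduler, sched_setparam, setpriority and ioprio_set entry points, whose SELinux hooks check that permission) is this example's assumption, not something the thread states.

```python
"""Correlate an SELinux AVC with the SYSCALL record of the same audit event and
decide whether the denied permission is plausibly reachable from that syscall.
Added example for this bug report; not part of audit, setroubleshoot or policy."""
import re
from collections import defaultdict

# The two raw records quoted in the bug description (host already redacted there).
BUG_RECORDS = """\
node=(removed) type=AVC msg=audit(1265700013.771:23547): avc:  denied  { setsched } for  pid=1419 comm="auditctl" scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process
node=(removed) type=SYSCALL msg=audit(1265700013.771:23547): arch=c000003e syscall=44 success=yes exit=16 a0=3 a1=7fff57c1cba0 a2=10 a3=0 items=0 ppid=1407 pid=1419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditctl" exe="/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0 key=(null)
"""

# Constructed control case (NOT from the bug): the same permission denied for a
# hypothetical confined domain example_t that really called sched_setscheduler(2).
CONTROL_RECORDS = """\
type=AVC msg=audit(1300000000.000:1): avc:  denied  { setsched } for  pid=4242 comm="chrt" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=process
type=SYSCALL msg=audit(1300000000.000:1): arch=c000003e syscall=144 success=no exit=-13 a0=0 a1=1 a2=7fffdeadbeef a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chrt" exe="/usr/bin/chrt" subj=system_u:system_r:example_t:s0 key=(null)
"""

# arch= is the AUDIT_ARCH_* value; only the x86_64 numbers this check needs
# are listed (partial table, an assumption of this example). Unknown numbers
# fall back to "syscall#N" and an "unknown" verdict.
SYSCALL_NAMES = {
    "c000003e": {44: "sendto", 141: "setpriority", 142: "sched_setparam",
                 144: "sched_setscheduler", 251: "ioprio_set"},
}

# Syscalls whose SELinux hooks check process:setsched (assumption of this
# example, derived from the task_setscheduler/setnice/setioprio hooks). A
# setsched denial attached to any other syscall points at a kernel-internal
# check being attributed to the calling task, as comment 9 suggests.
PLAUSIBLE_SOURCES = {
    ("process", "setsched"): {"sched_setscheduler", "sched_setparam",
                              "setpriority", "ioprio_set"},
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \}')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    rec["event"] = m.group(1) if m else None
    m = AVC_RE.search(line)
    if m:
        rec["result"], rec["perms"] = m.group(1), m.group(2).split()
    return rec


def group_events(raw):
    """Group records by audit event id (the 'seconds.millis:serial' token)."""
    events = defaultdict(list)
    for line in raw.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event"]].append(rec)
    return dict(events)


def syscall_name(arch, nr):
    return SYSCALL_NAMES.get(arch, {}).get(int(nr), "syscall#%s" % nr)


def allow_rule(avc):
    """The rule audit2allow would emit for this AVC, for comparison only."""
    src = avc["scontext"].split(":")[2]
    tgt = avc["tcontext"].split(":")[2]
    return "allow %s %s:%s %s;" % (src, tgt, avc["tclass"], " ".join(avc["perms"]))


def analyse_event(records):
    """One finding per (AVC permission, SYSCALL) pair in a single audit event."""
    avcs = [r for r in records if r.get("type") == "AVC"]
    syscalls = [r for r in records if r.get("type") == "SYSCALL"]
    findings = []
    for avc in avcs:
        for sc in syscalls:
            name = syscall_name(sc["arch"], sc["syscall"])
            for perm in avc["perms"]:
                sources = PLAUSIBLE_SOURCES.get((avc["tclass"], perm))
                findings.append({
                    "event": avc["event"], "comm": avc.get("comm"),
                    "tclass": avc["tclass"], "permission": perm,
                    "syscall": name,
                    "plausible": None if sources is None else name in sources,
                    "allow_rule": allow_rule(avc),
                })
    return findings


VERDICT = {
    True: "plausible from this syscall",
    False: "NOT reachable from this syscall; suspect a kernel-internal check, do not add the rule blindly",
    None: "no plausibility table for this class/permission",
}

if __name__ == "__main__":
    for raw in (BUG_RECORDS, CONTROL_RECORDS):
        for event, records in group_events(raw).items():
            for f in analyse_event(records):
                print("%s %s: %s:%s via %s -> %s" % (
                    event, f["comm"], f["tclass"], f["permission"],
                    f["syscall"], VERDICT[f["plausible"]]))
                print("    audit2allow would emit: " + f["allow_rule"])
```

Run stand-alone, the bug's event reports `process:setsched via sendto -> NOT reachable from this syscall`, while the constructed control reports `via sched_setscheduler -> plausible`; the allow rule printed for the bug event is exactly the `allow auditctl_t kernel_t:process setsched;` line audit2allow suggested in the description, which is what the thread decided not to ship.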

Comment 10 Fedora Update System 2010-02-20 00:20:19 UTC
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.