Hide Forgot
SELinux is preventing systemd-kmsg-sy from 'search' accesses on the directory 22673. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that systemd-kmsg-sy should be allowed search access on the 22673 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-kmsg-sy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:syslogd_t:s0 Target Context system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 Target Objects 22673 [ dir ] Source systemd-kmsg-sy Source Path systemd-kmsg-sy Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.9.16-15.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38.3-15.rc1.fc15.x86_64 #1 SMP Wed Apr 13 18:48:28 UTC 2011 x86_64 x86_64 Alert Count 2 First Seen Thu 14 Apr 2011 12:18:21 PM CEST Last Seen Fri 15 Apr 2011 11:51:18 AM CEST Local ID df650ee3-6c06-492f-873a-00774d9b9036 Raw Audit Messages type=AVC msg=audit(1302861078.237:103): avc: denied { search } for pid=455 comm="systemd-kmsg-sy" name="22673" dev=proc ino=168446 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dir Hash: systemd-kmsg-sy,syslogd_t,system_cronjob_t,dir,search audit2allow #============= syslogd_t ============== allow syslogd_t system_cronjob_t:dir search; audit2allow -R #============= syslogd_t ============== allow syslogd_t system_cronjob_t:dir search; ------------------------------------------------- (I use rkhunter.)
Lennart, any reason systemd-kmsg-sy would want to look at random processes? Can I dontaudit this?
Hmm, which directory would that be? "22673" sounds like a directory in /proc? systemd-kmsg-syslogd tries to figure out the name of a process that logs to syslog, to show it next to the message. We use SCM_CREDENTIALS to figure out the PID of the logging client, and then read /proc/%lu/comm with that. This probably explains the access in question.
Miroslav lets add domain_read_all_domains_state(syslogd_t)
Fixed in selinux-policy-3.9.16-16.fc15
selinux-policy-3.9.16-16.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-16.fc15
Package selinux-policy-3.9.16-16.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-16.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-16.fc15 then log in and leave karma (feedback).
Package selinux-policy-3.9.16-18.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-18.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-18.fc15 then log in and leave karma (feedback).
selinux-policy-3.9.16-18.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.