Description of problem:

type=ANOM_ABEND msg=audit(1330428319.006:52715): auid=0 uid=0 gid=0 ses=133 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=13969 comm="sleep" sig=11
type=AVC msg=audit(1330428324.466:52716): avc: denied { rlimitinh } for pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1330428324.466:52716): avc: denied { siginh } for pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1330428324.466:52716): avc: denied { noatsecure } for pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=SYSCALL msg=audit(1330428324.466:52716): arch=c000003e syscall=59 success=yes exit=0 a0=7fe486ab0dc0 a1=7fff7bfb3470 a2=7fe484b5b200 a3=7fff7bfb30e0 items=0 ppid=14032 pid=14036 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)

I think it's because of:

reporter-mailx -v -d $crash_PATH -c mailx.conf

# cat mailx.conf
EmailFrom = abrt@localhost
EmailTo = root@localhost
Subject = [abrt] crash

Version-Release number of selected component (if applicable):
libreport-2.0.9-1.el6.x86_64
abrt-2.0.8-1.el6.x86_64
selinux-policy-3.7.19-137.el6.noarch

How reproducible:
always
Could you test it in permissive module with disabled dontaudit rules?
Those AVCs appeared on a machine with disabled dontaudit rules, didn't they?

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

# rpm -qa selinux-policy\*
selinux-policy-3.7.19-137.el6.noarch
selinux-policy-targeted-3.7.19-137.el6.noarch
selinux-policy-minimum-3.7.19-137.el6.noarch
selinux-policy-mls-3.7.19-137.el6.noarch
selinux-policy-doc-3.7.19-137.el6.noarch

# sesearch -s sendmail_t -t procmail_t -c process --all
ERROR: Cannot get avrules: Neverallow rules requested but not available
Found 2 semantic av rules:
   allow sendmail_t procmail_t : process { transition sigchld } ;
   dontaudit sendmail_t procmail_t : process { noatsecure siginh rlimitinh } ;
#
(In reply to comment #2)
> Could you test it in permissive module with disabled dontaudit rules?

Yes, if you tell me how I disable dontaudit rules in permissive mode.

(In reply to comment #3)
> Those AVCs appeared on a machine with disabled dontaudit rules, didn't they?

Don't remember changing anything on that Beaker box.
The following command enables dontaudit rules again.

# semodule -B

I believe that the AVCs shown in comment #0 will not appear again.
After `setenforce 0; semodule -B` it's gone. Unfortunately I can't reproduce it after restart and `setenforce 1`; however I am not certain we care at all.
Those AVCs are dontaudited.
Ok, let's clean it up. I thought this was not working and you needed to turn off dontaudit rules.
I was wrong. After:

# setenforce 0
# semodule -B

I got:

type=AVC msg=audit(1330528571.018:51700): avc: denied { rlimitinh } for pid=27020 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1330528571.018:51700): avc: denied { siginh } for pid=27020 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1330528571.018:51700): avc: denied { noatsecure } for pid=27020 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process

Is that expected?

After:

# setenforce 1
# semodule -B

It was clean.
I believe you see these AVC msgs with semodule -DB. If I am wrong, please reopen the bug.
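The thread's conclusion is that the { rlimitinh siginh noatsecure } denials are covered by a dontaudit rule (the one sesearch printed in comment #3) and only surface while dontaudit rules are disabled (semodule -DB), so they are noise rather than a policy gap. The script below is an added example, not part of this bug or of the abrt/selinux-policy packages: it parses AVC records, extracts the source type, target type and object class from each context, and labels every denied permission as "dontaudit" when a rule in a small lookup table silences it, or "unmatched" otherwise. The lookup table holds only the rule shown in this thread; the load_policy denials from the later comment and a constructed procmail_t -> etc_t write denial therefore come out "unmatched", which is the cue to run `sesearch -s SRC -t TGT -c CLASS --all` for that pair before deciding whether a denial is real.

```python
"""Triage AVC denials against known dontaudit rules (added example)."""
import re

# Constructed sample input: the ANOM_ABEND and three AVC records from comment #0
# of this bug, one load_policy AVC from a later comment, and one made-up
# 'write' denial (procmail_t -> etc_t) that no dontaudit rule covers.
SAMPLE_AUDIT = """\
type=ANOM_ABEND msg=audit(1330428319.006:52715): auid=0 uid=0 gid=0 ses=133 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=13969 comm="sleep" sig=11
type=AVC msg=audit(1330428324.466:52716): avc: denied { rlimitinh } for pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1330428324.466:52716): avc: denied { siginh } for pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1330428324.466:52716): avc: denied { noatsecure } for pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1330528571.018:51700): avc: denied { rlimitinh } for pid=27020 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1330428324.466:99999): avc: denied { write } for pid=14036 comm="procmail" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Known dontaudit rules, keyed (source type, target type, class) -> permissions.
# Only the rule printed by sesearch in this bug is listed; on a real host you
# would fill this from `sesearch -s SRC -t TGT -c CLASS --all` output.
DONTAUDIT_RULES = {
    ("sendmail_t", "procmail_t", "process"): {"noatsecure", "siginh", "rlimitinh"},
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range]).

    split(':', 3) keeps an MLS range such as s0-s0:c0.c1023 in one piece.
    """
    parts = ctx.split(":", 3)
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC record; return None for non-AVC lines (SYSCALL, ANOM_ABEND, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "perms": set(m.group(1).split()),
        "comm": fields.get("comm", "?"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def triage(audit_text, rules=DONTAUDIT_RULES):
    """Label each denied permission.

    'dontaudit': a rule in the table silences it, so it only shows up while
                 dontaudit rules are disabled (semodule -DB) and is expected noise.
    'unmatched': nothing in the table covers it; either a real denial or a
                 dontaudit rule that has not been looked up yet.
    """
    verdicts = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        silenced = rules.get((rec["stype"], rec["ttype"], rec["tclass"]), set())
        for perm in sorted(rec["perms"]):
            label = "dontaudit" if perm in silenced else "unmatched"
            verdicts.append((rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], perm, label))
    return verdicts


def summarize(audit_text, rules=DONTAUDIT_RULES):
    """Count verdicts per label, e.g. {'dontaudit': 3, 'unmatched': 2}."""
    counts = {}
    for *_, label in triage(audit_text, rules):
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for comm, stype, ttype, tclass, perm, label in triage(SAMPLE_AUDIT):
        print(f"{label:10} {comm:12} {stype} -> {ttype} ({tclass}) {{ {perm} }}")
    print(summarize(SAMPLE_AUDIT))
```

Feed it `ausearch -m AVC` output (or the raw audit.log) and extend DONTAUDIT_RULES with whatever sesearch reports for the domain pairs that turn up; anything still "unmatched" after that is worth a closer look, while "dontaudit" hits are the expected side effect of having disabled dontaudit rules and go away after `semodule -B`.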