Description of problem:
I can see in my audit log that I'm getting some AVC denials about audit2allow not being granted access to a file /var/lib/sepolgen/perm_map. And these aren't being reported like the rest I normally get via email from the system. I have removed all custom policy fixes, and done a relabel on boot, but they showed up before that too...

Version-Release number of selected component (if applicable):
Policy RPM selinux-policy-3.11.1-91.fc18.noarch

How reproducible:
Always...

Steps to Reproduce:
1. Generate an AVC denial
2. Watch the dispatcher do its thing
3. Examine the audit log, and see the denials

Actual results:
# ausearch -ts 14:00:00 -m AVC | grep audit2allow
type=SYSCALL msg=audit(1366460130.791:127): arch=40000003 syscall=5 success=yes exit=3 a0=9132f10 a1=8000 a2=1b6 a3=9134798 items=0 ppid=1666 pid=1677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="audit2allow" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366460130.791:127): avc: denied { open } for pid=1677 comm="audit2allow" path="/var/lib/sepolgen/interface_info" dev="dm-1" ino=525984 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366460130.791:127): avc: denied { read } for pid=1677 comm="audit2allow" name="interface_info" dev="dm-1" ino=525984 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1366460138.361:128): arch=40000003 syscall=5 success=yes exit=3 a0=97d41b0 a1=8000 a2=1b6 a3=ce12380 items=0 ppid=1666 pid=1677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="audit2allow" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366460138.361:128): avc: denied { open } for pid=1677 comm="audit2allow" path="/var/lib/sepolgen/perm_map" dev="dm-1" ino=526828 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366460138.361:128): avc: denied { read } for pid=1677 comm="audit2allow" name="perm_map" dev="dm-1" ino=526828 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

Expected results:
No AVC denials

Additional info:
# ausearch -ts 14:00:00 -m AVC | grep audit2allow | audit2allow -m mypol -R

policy_module(mypol, 1.0)

require {
	type setroubleshootd_t;
}

#============= setroubleshootd_t ==============
files_read_var_lib_files(setroubleshootd_t)

# ausearch -ts 14:00:00 -m AVC | grep audit2allow | audit2allow -m mypol

module mypol 1.0;

require {
	type setroubleshootd_t;
	type var_lib_t;
	class file { read open };
}

#============= setroubleshootd_t ==============
allow setroubleshootd_t var_lib_t:file { read open };
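The two audit2allow runs in the report condense four AVC records into a single allow rule. The following Python is an added example, not part of the bug report and not code from audit2allow or setroubleshoot; it parses the exact AVC records quoted above, groups the denied permissions by (source type, target type, object class) the way audit2allow -m does, and additionally keeps the object paths per group. That last part is what the maintainers' question turns on: the grouped rule grants setroubleshootd_t read access to every var_lib_t file under /var/lib, while the paths show only two files under /var/lib/sepolgen are involved, which is why a dedicated label was chosen over the generated allow rule. The regular expressions and the field names it relies on (scontext, tcontext, tclass, path, name) are the standard kernel AVC record format.

```python
import re
from collections import defaultdict

# The four AVC records copied from the bug report above (not constructed).
AVC_LINES = [
    'type=AVC msg=audit(1366460130.791:127): avc: denied { open } for pid=1677 comm="audit2allow" path="/var/lib/sepolgen/interface_info" dev="dm-1" ino=525984 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1366460130.791:127): avc: denied { read } for pid=1677 comm="audit2allow" name="interface_info" dev="dm-1" ino=525984 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1366460138.361:128): avc: denied { open } for pid=1677 comm="audit2allow" path="/var/lib/sepolgen/perm_map" dev="dm-1" ino=526828 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1366460138.361:128): avc: denied { read } for pid=1677 comm="audit2allow" name="perm_map" dev="dm-1" ino=526828 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
]

# The SYSCALL record that accompanies event 127 in the report; ausearch
# prints it alongside the AVC records and the parser has to skip it.
SYSCALL_LINE = 'type=SYSCALL msg=audit(1366460130.791:127): arch=40000003 syscall=5 success=yes exit=3 a0=9132f10 a1=8000 a2=1b6 a3=9134798 items=0 ppid=1666 pid=1677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="audit2allow" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)'

# "avc: denied { perm perm } for key=value ..." as the kernel prints it.
AVC_RE = re.compile(
    r'\bavc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)'
)
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record; return None for anything that is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        # open() records carry path=, read() records carry name=
        'object': fields.get('path') or fields.get('name'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize_denials(lines):
    """Group denied permissions by (source type, target type, class) and
    record which objects each group touched, so the breadth of a would-be
    allow rule can be compared with the files actually involved."""
    perms = defaultdict(set)
    objects = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        perms[key] |= rec['perms']
        if rec['object']:
            objects[key].add(rec['object'])
    return dict(perms), dict(objects)


def allow_rules(perms):
    """Render grouped denials as allow rules, in the form audit2allow -m emits."""
    return [
        'allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
        for (s, t, c), p in sorted(perms.items())
    ]


if __name__ == '__main__':
    perms, objects = summarize_denials(AVC_LINES + [SYSCALL_LINE])
    for rule, key in zip(allow_rules(perms), sorted(perms)):
        print(rule)
        print('  objects seen:', ', '.join(sorted(objects[key])))
```

Running it prints the same `allow setroubleshootd_t var_lib_t:file { open read };` rule as the report's second audit2allow invocation (permission order aside), followed by the two sepolgen files that produced it; a rule whose target type covers far more than the listed objects is the signal that a labeling change, not an allow rule, is the right fix.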
Ok, this is not a problem with sealert but with "email_alert". /usr/lib64/python2.7/site-packages/setroubleshoot/server.py: email_alert(siginfo, to_addrs)
Miroslav, Would details trigger it also? Bugreport? Or are these only happening in the user session? I was thinking we should label this content as something other than var_lib_t, but I am not sure what?
Yes, I was also thinking about a new labeling. Details should be ok.
86a0f3d735701d8429a530493d0c67c31bb9ad21 fixes this in git.
selinux-policy-3.11.1-92.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-92.fc18
Package selinux-policy-3.11.1-92.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-92.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6769/selinux-policy-3.11.1-92.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-92.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.