* Not sure the best way to handle this one.
From: Daniel J Walsh @ 2004-10-15 13:26 UTC
To: Stephen Smalley, Russell Coker, SELinux
Oct 15 08:37:55 dhcppc1 kernel: audit(1097843874.920:692545): avc:
denied { sys_module } for pid=4338 exe=/usr/bin/nifd capability=16
scontext=system_u:system_r:howl_t tcontext=system_u:system_r:howl_t
tclass=capability
Ideas.
Dan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Not sure the best way to handle this one.
From: Russell Coker @ 2004-10-16 13:44 UTC
To: Daniel J Walsh; +Cc: Stephen Smalley, SELinux
On Fri, 15 Oct 2004 23:26, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Oct 15 08:37:55 dhcppc1 kernel: audit(1097843874.920:692545): avc:
> denied { sys_module } for pid=4338 exe=/usr/bin/nifd capability=16
> scontext=system_u:system_r:howl_t tcontext=system_u:system_r:howl_t
> tclass=capability
What is it trying to do? Does an strace shed any light on the matter?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: Not sure the best way to handle this one.
From: Daniel J Walsh @ 2004-10-16 14:25 UTC
To: russell; +Cc: Stephen Smalley, SELinux
Russell Coker wrote:
>On Fri, 15 Oct 2004 23:26, Daniel J Walsh <dwalsh@redhat.com> wrote:
>>Oct 15 08:37:55 dhcppc1 kernel: audit(1097843874.920:692545): avc:
>>denied { sys_module } for pid=4338 exe=/usr/bin/nifd capability=16
>>scontext=system_u:system_r:howl_t tcontext=system_u:system_r:howl_t
>>tclass=capability
>
>What is it trying to do? Does an strace shed any light on the matter?
Can't get it to happen regularly but I would surmise that it is loading
a network driver. This is happening on a laptop which switches from a
builtin ethernet to a wireless pcmcia card. This behaviour might also
occur with a docking station with a built in ethernet card.
Dan
* Re: Not sure the best way to handle this one.
From: Russell Coker @ 2004-10-17 16:22 UTC
To: Daniel J Walsh; +Cc: Stephen Smalley, SELinux
On Sun, 17 Oct 2004 00:25, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Russell Coker wrote:
> >On Fri, 15 Oct 2004 23:26, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >>Oct 15 08:37:55 dhcppc1 kernel: audit(1097843874.920:692545): avc:
> >>denied { sys_module } for pid=4338 exe=/usr/bin/nifd capability=16
> >>scontext=system_u:system_r:howl_t tcontext=system_u:system_r:howl_t
> >>tclass=capability
> >
> >What is it trying to do? Does an strace shed any light on the matter?
>
> Can't get it to happen regularly but I would surmise that it is loading
> a network driver.
I have just quickly reviewed the source to nifd and couldn't find any code to
do any such thing. The code isn't as clear as it might be and has no
comments so I might have missed something, but I am reasonably sure that it's
not trying to load a network driver. In any case if it was trying to load a
network driver then it would surely call system("modprobe ...") which would
then result in insmod being the process that has the AVC message.
One problem we have with nifd is that it sends all its log messages
to /dev/null. I have filed a bugzilla #136074 about this. If it logged its
messages then it would be a lot easier to diagnose problems.
Also interestingly it seems that nifd has some error conditions in its
default configuration on my laptop, but I can only determine this with
strace. ;)
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: Not sure the best way to handle this one.
From: Stephen Smalley @ 2004-10-18 17:31 UTC
To: Daniel J Walsh; +Cc: Russell Coker, SELinux
On Fri, 2004-10-15 at 09:26, Daniel J Walsh wrote:
> Oct 15 08:37:55 dhcppc1 kernel: audit(1097843874.920:692545): avc:
> denied { sys_module } for pid=4338 exe=/usr/bin/nifd capability=16
> scontext=system_u:system_r:howl_t tcontext=system_u:system_r:howl_t
> tclass=capability
Boot with audit=1 and reproduce please, then provide the full syscall
audit information. In general, SELinux users would likely always
benefit from enabling the syscall auditing as well.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
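
Added example, not written by anyone in this thread: a small parser for the AVC denial quoted above that names the capability and applies the check Russell describes, namely whether the denied process is a module utility or the daemon itself. The function names and the MODULE_LOADERS set are assumptions made for this illustration.

```python
import re

# Capability numbers from <linux/capability.h>; only a few are listed here.
CAP_NAMES = {12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE", 21: "CAP_SYS_ADMIN"}
# Assumption: basenames of the usual module utilities.
MODULE_LOADERS = {"insmod", "modprobe"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")

# The denial quoted in the thread, line-wrapped as the mail client left it.
SAMPLE = """Oct 15 08:37:55 dhcppc1 kernel: audit(1097843874.920:692545): avc:
denied { sys_module } for pid=4338 exe=/usr/bin/nifd capability=16
scontext=system_u:system_r:howl_t tcontext=system_u:system_r:howl_t
tclass=capability"""


def parse_avc(text):
    """Parse one (possibly line-wrapped) AVC denial into a dict, or None."""
    m = AVC_RE.search(" ".join(text.split()))  # undo mail line wrapping
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group(2)))  # key=value fields
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")  # user:role:type[:mls]
        if len(parts) >= 3:
            rec[ctx + "_type"] = parts[2]
    if "capability" in rec:
        num = int(rec["capability"])
        rec["capability_name"] = CAP_NAMES.get(num, "cap#%d" % num)
    return rec


def triage(rec):
    """Classify who asked for sys_module: a module utility or the daemon."""
    if rec.get("tclass") != "capability" or "sys_module" not in rec["perms"]:
        return "other"
    exe = rec.get("exe", "").rsplit("/", 1)[-1]
    return "module-utility" if exe in MODULE_LOADERS else "daemon-direct"


if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(rec["exe"], rec["scontext_type"], rec["capability_name"], triage(rec))
```

For the thread's denial the result is "daemon-direct": exe is nifd rather than insmod, so the AVC line alone does not show which call needed the capability, and the syscall audit record requested with audit=1 is the missing piece.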