audit ... denied messages

audit ... denied messages

[Lee]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just installed all the SELinux stuff on a Slackware 10 box using a
2.6.7 kernel.  I tried going about it myself, but wasn't making good
progress and then found some packages from http://www.diyab.net/selinux/
and installed those.

When I first booted with SELinux=1, I saw a bunch of audit <...> denied
<...> <program> <context> messages during my init and such.

Everything "seemed" to still be working, as far as my system went, so I
tried logging in, and it worked.  When I did a make relabel, it seemed
to work, but when I later checked dmesg for something, I had several
screens (at approx 132x60) full of these audit ... denied messages, all
in relation to relabeling.

So my questions have a few aspects to them.  Namely, do I need to be
concerned about these messages, and what can I do to make them go away?
~ I don't really know what I'm doing here and am probably not as read up
as I should be, but I suspect, and am hoping, that this is just due to
the way my policiy is set up and will be easy to correct.

I'd appreciate any help, and I'll be going through the docs that I do
have while waiting for a response from here.  FWIW, pointers to (more)
docs that address this would be more appreciated than just "do this,
that and the other", but I'll take what I can get, and will appreciate it.

Thanks.
- --
~  == FriedBob ==

"Hence to fight and conquer in all your battles is not supreme
excellence; supreme excellence consists in breaking the enemy's
resistance without fighting."
~  - Sun Tzu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFB4pPCvxumKxmOCzIRAgqGAJ9ou5odZNFcdzcm7nYesBoGgL49bACfTSTB
EDKSkIARGuxrSuN+z0shozA=
=bQMP
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: audit ... denied messages

[Timothy Wood]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lee wrote:

| I just installed all the SELinux stuff on a Slackware 10 box using a
| 2.6.7 kernel.  I tried going about it myself, but wasn't making good
| progress and then found some packages from http://www.diyab.net/selinux/
| and installed those.
|
| When I first booted with SELinux=1, I saw a bunch of audit <...> denied
| <...> <program> <context> messages during my init and such.

Are you passing enforcing=1 to the kernel at boot time?

|
| Everything "seemed" to still be working, as far as my system went, so I
| tried logging in, and it worked.  When I did a make relabel, it seemed
| to work, but when I later checked dmesg for something, I had several
| screens (at approx 132x60) full of these audit ... denied messages, all
| in relation to relabeling.

Those packages will give you basic system functionality while in
enforcing mode.  Some services and other things will need the policy
fixed, at least somewhat, in order for them to work in enforcing mode.

|
| So my questions have a few aspects to them.  Namely, do I need to be
| concerned about these messages, and what can I do to make them go away?
| ~ I don't really know what I'm doing here and am probably not as read up
| as I should be, but I suspect, and am hoping, that this is just due to
| the way my policiy is set up and will be easy to correct.
|

Can you include some of these messages?

| I'd appreciate any help, and I'll be going through the docs that I do
| have while waiting for a response from here.  FWIW, pointers to (more)
| docs that address this would be more appreciated than just "do this,
| that and the other", but I'll take what I can get, and will appreciate it.
|
| Thanks.
| --
| ~  == FriedBob ==
|
| "Hence to fight and conquer in all your battles is not supreme
| excellence; supreme excellence consists in breaking the enemy's
| resistance without fighting."
| ~  - Sun Tzu


Timothy,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFB4soZPT0XLCkCs2ARAgK6AJwNbo8OvqAjeWz5iDfbj1cFbXujKACfdn8z
RsKZyLsXoN80FTJgCPbwsGs=
=KD8B
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: audit ... denied messages

[Lee]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Timothy Wood wrote:

| Are you passing enforcing=1 to the kernel at boot time?

Yes, these errors/messages only occur when I pass "selinux=1" to the
kernel at boot, which I assume does the same thing as "enforcing=1" ?

| Those packages will give you basic system functionality while in
| enforcing mode.  Some services and other things will need the policy
| fixed, at least somewhat, in order for them to work in enforcing mode.

Well, I guess I need to find out where and what needs to be fixed. :)

| Can you include some of these messages?

I've got 5 pages of errors that I copied from dmesg.  One of them
changes the aspect of my problems, as I saw a line telling me my
reiserfs partition doesn't support labeling.  Here's a few select lines
from them.   Seems I need a kernel patch for the reiser issue, so I'll
look for that.


~ audit(1105370321.810:0): avc:  denied  { read } for  pid=446
exe=/sbin/ldconfig name=libartsc.so.0.0.0 dev=hdc1 ino=749412
scontext=system_u:system_r:ldconfig_t tcontext=system_u:object_r:usr_t
tclass=file
audit(1105370321.811:0): avc:  denied  { getattr } for  pid=446
exe=/sbin/ldconfig path=/opt/kde/lib/libartsc.so.0.0.0 dev=hdc1
ino=749412 scontext=system_u:system_r:ldconfig_t
tcontext=system_u:object_r:usr_t tclass=file
audit(1105370322.118:0): avc:  denied  { read } for  pid=446
exe=/sbin/ldconfig name=libmcop.so dev=hdc1 ino=749444
scontext=system_u:system_r:ldconfig_t tcontext=system_u:object_r:usr_t
tclass=lnk_file
audit(1105370322.511:0): avc:  denied  { read } for  pid=446
exe=/sbin/ldconfig name=libSegFault.so dev=hdc1 ino=650924
scontext=system_u:system_r:ldconfig_t tcontext=system_u:object_r:lib_t
tclass=file
audit(1105370322.512:0): avc:  denied  { getattr } for  pid=446
exe=/sbin/ldconfig path=/lib/libSegFault.so dev=hdc1 ino=650924
scontext=system_u:system_r:ldconfig_t tcontext=system_u:object_r:lib_t
tclass=file


And I've got some others along the same lines from after I log in, but
will spare you from them unless they are requested.
- --
~  == FriedBob ==

"Hence to fight and conquer in all your battles is not supreme
excellence; supreme excellence consists in breaking the enemy's
resistance without fighting."
~  - Sun Tzu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFB4zCpvxumKxmOCzIRAqgOAJ46N8OYAUn9Dg7cKKtgpwBYENF2TgCeNLRO
yMFpTlX6e8XVO64XYkuLqA8=
=J+Z2
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: audit ... denied messages

[Russell Coker]

On Tuesday 11 January 2005 12:49, Lee <FriedBob@sbcglobal.net> wrote:
> Timothy Wood wrote:
> | Are you passing enforcing=1 to the kernel at boot time?
>
> Yes, these errors/messages only occur when I pass "selinux=1" to the
> kernel at boot, which I assume does the same thing as "enforcing=1" ?

selinux=1 enables SE Linux (it may be disabled by default depending on kernel 
configuration).  enforcing=1 causes SE Linux to be in "enforcing mode" (where 
it prevents access that the policy doesn't permit) instead of "permissive 
mode" (where it just logs messages and doesn't prevent any access).

> | Can you include some of these messages?
>
> I've got 5 pages of errors that I copied from dmesg.  One of them
> changes the aspect of my problems, as I saw a line telling me my
> reiserfs partition doesn't support labeling.  Here's a few select lines
> from them.   Seems I need a kernel patch for the reiser issue, so I'll
> look for that.
>
>
> ~ audit(1105370321.810:0): avc:  denied  { read } for  pid=446
> exe=/sbin/ldconfig name=libartsc.so.0.0.0 dev=hdc1 ino=749412
> scontext=system_u:system_r:ldconfig_t tcontext=system_u:object_r:usr_t
> tclass=file

The file is mis-labelled.  Run "find $X -inum 749412" where $X is the root 
directory of the file system hdc1 to find the file in question.

The following messages are in the same category.

-- 
IT executives rate Red Hat #1 for value
http://www.redhat.com/promo/vendor/index.html

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.