From: David Cottle <webmaster@aus-city.com>
To: SE Linux <selinux@tycho.nsa.gov>
Subject: Can someone please assist me with selinux issue
Date: Tue, 03 Jul 2007 21:15:46 +1000
Message-ID: <468A2FE2.5000903@aus-city.com>
In-Reply-To: <1183425133.32465.16.camel@code.and.org>

Hi,

I got an FTP session from an IP camera sending images every 1 minute.

I keep getting these AVC messages in /var/logs/messages:

Jul  1 04:43:40 server kernel: audit(1183229020.232:8256): avc:
denied  { link } for  pid=2043 comm="in.proftpd"
scontext=system_u:system_r:ftpd_t:s0
tcontext=system_u:system_r:ftpd_t:s0 tclass=key
Jul  1 04:44:40 server kernel: audit(1183229080.245:8257): avc:
denied  { link } for  pid=2061 comm="in.proftpd"
scontext=system_u:system_r:ftpd_t:s0
tcontext=system_u:system_r:ftpd_t:s0 tclass=key
Jul  1 04:45:40 server kernel: audit(1183229140.367:8258): avc:
denied  { link } for  pid=2259 comm="in.proftpd"
scontext=system_u:system_r:ftpd_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
Jul  1 04:46:40 server kernel: audit(1183229200.238:8259): avc:
denied  { link } for  pid=2267 comm="in.proftpd"
scontext=system_u:system_r:ftpd_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key

Every time there is a transfer.  So at 1 minute intervals there are
too many.  Also I want to add more webcams so no doubt it's going to
get worse.

However I read and created a policy:

grep proftpd /var/log/messages | audit2allow -M proftpd
selinux -i proftpd.pp


However, with the above I STILL get the annoying AVC denied messages.

Can someone please explain and tell me how I can update and get rid of
the denied messages?

This is the proftpd.te rule it made:

module proftpd 1.0;

require {
    type ftpd_t;
    type crond_t;
    type httpd_suexec_t;
    class capability dac_override;
    class key { write search };
}

#============= ftpd_t ==============
allow ftpd_t crond_t:key search;
allow ftpd_t httpd_suexec_t:key search;
allow ftpd_t self:capability dac_override;
allow ftpd_t self:key { write search };


But I see crond, httpd and ftpd all there but this rule does nothing :(

I also

Thanks!
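Added example, not part of the original message: a short Python check of whether the AVC denials quoted above are covered by the allow rules in the quoted proftpd.te. The function names are this example's own, and the two log records are taken from the message with their wrapped lines re-joined; the check compares only type, class and permission and ignores attributes, MLS ranges and the rest of the loaded policy.

```python
import re

# Two of the AVC records from the message (one per distinct target type),
# with the e-mail line wrapping undone so each record sits on one line.
AVC_LOG = """\
audit(1183229020.232:8256): avc: denied  { link } for  pid=2043 comm="in.proftpd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=key
audit(1183229140.367:8258): avc: denied  { link } for  pid=2259 comm="in.proftpd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
"""
# The allow rules from the proftpd.te quoted in the message.
TE_RULES = """\
allow ftpd_t crond_t:key search;
allow ftpd_t httpd_suexec_t:key search;
allow ftpd_t self:capability dac_override;
allow ftpd_t self:key { write search };
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;", re.M)

def type_of(context):
    """Return the type field (third component) of user:role:type[:range]."""
    return context.split(":")[2]

def parse_denials(log):
    """Yield (source_type, target_type, class, perm) per denied permission."""
    for m in AVC_RE.finditer(log):
        perms, scon, tcon, tclass = m.groups()
        for perm in perms.split():
            yield type_of(scon), type_of(tcon), tclass, perm

def parse_allows(te):
    """Return the set of (source, target, class, perm) granted; 'self' expanded."""
    granted = set()
    for src, tgt, tclass, perms in ALLOW_RE.findall(te):
        tgt = src if tgt == "self" else tgt
        for perm in perms.strip("{} ").split():
            granted.add((src, tgt, tclass, perm))
    return granted

def uncovered(log, te):
    """Denials in the log that no allow rule in the module text matches."""
    granted = parse_allows(te)
    return sorted({d for d in parse_denials(log) if d not in granted})

if __name__ == "__main__":
    for src, tgt, tclass, perm in uncovered(AVC_LOG, TE_RULES):
        print(f"no matching rule: {src} -> {tgt} class={tclass} perm={perm}")
```

On the quoted data it reports the link permission on class key for both the ftpd_t and crond_t targets; the quoted module grants only search and write on that class.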

