* FC8 enforcing auditd, mcstransd, NFS statd fail to start
@ 2008-02-20 19:24 Xavier Toth
  2008-02-20 22:40 ` Daniel J Walsh
  0 siblings, 1 reply; 4+ messages in thread
From: Xavier Toth @ 2008-02-20 19:24 UTC (permalink / raw)
  To: SE Linux

type=AVC msg=audit(1197625021.926:66): avc:  denied  { write } for
pid=1494 comm="audispd" path="socket:[7238]" dev=sockfs ino=7238
scontext=system_u:system_r:auditd_t:s15:c0.c1023
tcontext=system_u:system_r:auditd_t:s0-s15:c0.c1023
tclass=unix_stream_socket

type=AVC msg=audit(1203524274.667:562): avc:  denied  { use } for
pid=19909 comm="mcstransd" path="/lib/ld-2.7.so" dev=dm-0 ino=2359430
scontext=system_u:system_r:setrans_t:s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: FC8 enforcing auditd, mcstransd, NFS statd fail to start
  2008-02-20 19:24 FC8 enforcing auditd, mcstransd, NFS statd fail to start Xavier Toth
@ 2008-02-20 22:40 ` Daniel J Walsh
  2008-02-21 19:58   ` Xavier Toth
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2008-02-20 22:40 UTC (permalink / raw)
  To: Xavier Toth; +Cc: SE Linux

Xavier Toth wrote:
> type=AVC msg=audit(1197625021.926:66): avc:  denied  { write } for
> pid=1494 comm="audispd" path="socket:[7238]" dev=sockfs ino=7238
> scontext=system_u:system_r:auditd_t:s15:c0.c1023
> tcontext=system_u:system_r:auditd_t:s0-s15:c0.c1023
> tclass=unix_stream_socket
> 
> type=AVC msg=audit(1203524274.667:562): avc:  denied  { use } for
> pid=19909 comm="mcstransd" path="/lib/ld-2.7.so" dev=dm-0 ino=2359430
> scontext=system_u:system_r:setrans_t:s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd
> 
Looks like you have an MLS constraint problem.
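An added example, not part of any message in this thread: it splits the two posted denials into type and MLS low/high level to show what the diagnosis above rests on. In both records the source runs at the single level s15:c0.c1023 while the target's range starts at s0. The parser and the `low_levels_equal` comparison are assumptions made for illustration and do not evaluate the policy's actual constraint rules.

```python
import re

# The two denials from the first message, joined onto single lines.
AVC_RECORDS = [
    'type=AVC msg=audit(1197625021.926:66): avc:  denied  { write } for '
    'pid=1494 comm="audispd" path="socket:[7238]" dev=sockfs ino=7238 '
    'scontext=system_u:system_r:auditd_t:s15:c0.c1023 '
    'tcontext=system_u:system_r:auditd_t:s0-s15:c0.c1023 '
    'tclass=unix_stream_socket',
    'type=AVC msg=audit(1203524274.667:562): avc:  denied  { use } for '
    'pid=19909 comm="mcstransd" path="/lib/ld-2.7.so" dev=dm-0 ino=2359430 '
    'scontext=system_u:system_r:setrans_t:s15:c0.c1023 '
    'tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS = re.compile(r'\{([^}]*)\}')           # the "{ perm ... }" list

def split_context(ctx):
    """Split user:role:type:range into (type, low level, high level)."""
    _user, _role, type_, mls = ctx.split(":", 3)   # the range itself contains ':'
    low, dash, high = mls.partition("-")           # '-' only separates low from high
    return type_, low, (high if dash else low)     # a single level is its own high

def mls_summary(record):
    """Report the parts of one AVC denial that matter for an MLS check."""
    fields = dict(FIELD.findall(record))
    s_type, s_low, s_high = split_context(fields["scontext"])
    t_type, t_low, t_high = split_context(fields["tcontext"])
    return {
        "comm": fields["comm"].strip('"'),
        "tclass": fields["tclass"],
        "perms": PERMS.search(record).group(1).split(),
        "source": (s_type, s_low, s_high),
        "target": (t_type, t_low, t_high),
        "same_type": s_type == t_type,
        # Assumed heuristic: differing low levels point at an MLS
        # constraint rather than a missing type-enforcement rule.
        "low_levels_equal": s_low == t_low,
    }

if __name__ == "__main__":
    for rec in AVC_RECORDS:
        s = mls_summary(rec)
        print(s["comm"], s["tclass"], s["perms"],
              "source low", s["source"][1], "target low", s["target"][1],
              "equal" if s["low_levels_equal"] else "DIFFER")
```

The first record is the clearer case: source and target are both auditd_t, so only the level differs between the two contexts.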

* Re: FC8 enforcing auditd, mcstransd, NFS statd fail to start
  2008-02-20 22:40 ` Daniel J Walsh
@ 2008-02-21 19:58   ` Xavier Toth
  2008-02-22 17:11     ` Xavier Toth
  0 siblings, 1 reply; 4+ messages in thread
From: Xavier Toth @ 2008-02-21 19:58 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

Everyone else will too.

--- serefpolicy-3.0.8/policy/modules/system/logging.te  2008-02-21
13:10:20.000000000 -0600
+++ serefpolicy-3.0.8.new/policy/modules/system/logging.te
2008-02-21 13:46:32.000000000 -0600
@@ -162,6 +162,8 @@

 miscfiles_read_localization(auditd_t)

+init_use_script_fds(auditd_t)
+mls_fd_use_all_levels(auditd_t)
 mls_file_read_all_levels(auditd_t)
 mls_file_write_all_levels(auditd_t) # Need to be able to write to
/var/run/ directory
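Review bot: Both lines added for auditd_t, init_use_script_fds(auditd_t) and mls_fd_use_all_levels(auditd_t), are about file descriptor use, but the only auditd_t denial posted in this thread is { write } on a unix_stream_socket (scontext s15:c0.c1023, tcontext s0-s15:c0.c1023). Please post the denial these two lines resolve, confirm that the audispd socket write no longer appears with the rebuilt policy, and add a short comment beside each new line, as the mls_file_write_all_levels(auditd_t) line already carries.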

--- serefpolicy-3.0.8/policy/modules/system/setrans.te  2007-09-18
09:48:05.000000000 -0500
+++ serefpolicy-3.0.8.new/policy/modules/system/setrans.te
2008-02-21 13:44:42.000000000 -0600
@@ -52,6 +52,7 @@

 files_read_etc_runtime_files(setrans_t)

+mls_fd_use_all_levels(setrans_t)
 mls_file_read_all_levels(setrans_t)
 mls_file_write_all_levels(setrans_t)
 mls_net_receive_all_levels(setrans_t)
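Review bot: mls_fd_use_all_levels(setrans_t) is added without a comment, and it covers descriptors at every level while the denial posted for mcstransd is a single { use } on an fd labelled initrc_t at s0-s15:c0.c1023. Add a comment naming that case as the reason for the line, and say in the posting whether a narrower grant was considered. The subject also names NFS statd, and neither hunk touches it; a line on whether that failure is handled elsewhere would help.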


On Wed, Feb 20, 2008 at 4:40 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>  Xavier Toth wrote:
>  > type=AVC msg=audit(1197625021.926:66): avc:  denied  { write } for
>  > pid=1494 comm="audispd" path="socket:[7238]" dev=sockfs ino=7238
>  > scontext=system_u:system_r:auditd_t:s15:c0.c1023
>  > tcontext=system_u:system_r:auditd_t:s0-s15:c0.c1023
>  > tclass=unix_stream_socket
>  >
>  > type=AVC msg=audit(1203524274.667:562): avc:  denied  { use } for
>  > pid=19909 comm="mcstransd" path="/lib/ld-2.7.so" dev=dm-0 ino=2359430
>  > scontext=system_u:system_r:setrans_t:s15:c0.c1023
>  > tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd
>  >
>  Looks like you have an MLS constraint problem.

* Re: FC8 enforcing auditd, mcstransd, NFS statd fail to start
  2008-02-21 19:58   ` Xavier Toth
@ 2008-02-22 17:11     ` Xavier Toth
  0 siblings, 0 replies; 4+ messages in thread
From: Xavier Toth @ 2008-02-22 17:11 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

Dan,
Is this the right thing to do? If so will you apply it or should I open a bug?

Ted

On Thu, Feb 21, 2008 at 1:58 PM, Xavier Toth <txtoth@gmail.com> wrote:
> Everyone else will too.
>
>  --- serefpolicy-3.0.8/policy/modules/system/logging.te  2008-02-21
>  13:10:20.000000000 -0600
>  +++ serefpolicy-3.0.8.new/policy/modules/system/logging.te
>  2008-02-21 13:46:32.000000000 -0600
>  @@ -162,6 +162,8 @@
>
>   miscfiles_read_localization(auditd_t)
>
>  +init_use_script_fds(auditd_t)
>  +mls_fd_use_all_levels(auditd_t)
>   mls_file_read_all_levels(auditd_t)
>   mls_file_write_all_levels(auditd_t) # Need to be able to write to
>  /var/run/ directory
>
>  --- serefpolicy-3.0.8/policy/modules/system/setrans.te  2007-09-18
>  09:48:05.000000000 -0500
>  +++ serefpolicy-3.0.8.new/policy/modules/system/setrans.te
>  2008-02-21 13:44:42.000000000 -0600
>  @@ -52,6 +52,7 @@
>
>   files_read_etc_runtime_files(setrans_t)
>
>  +mls_fd_use_all_levels(setrans_t)
>   mls_file_read_all_levels(setrans_t)
>   mls_file_write_all_levels(setrans_t)
>   mls_net_receive_all_levels(setrans_t)
>
>
>
>
>  On Wed, Feb 20, 2008 at 4:40 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>  >  Xavier Toth wrote:
>  >  > type=AVC msg=audit(1197625021.926:66): avc:  denied  { write } for
>  >  > pid=1494 comm="audispd" path="socket:[7238]" dev=sockfs ino=7238
>  >  > scontext=system_u:system_r:auditd_t:s15:c0.c1023
>  >  > tcontext=system_u:system_r:auditd_t:s0-s15:c0.c1023
>  >  > tclass=unix_stream_socket
>  >  >
>  >  > type=AVC msg=audit(1203524274.667:562): avc:  denied  { use } for
>  >  > pid=19909 comm="mcstransd" path="/lib/ld-2.7.so" dev=dm-0 ino=2359430
>  >  > scontext=system_u:system_r:setrans_t:s15:c0.c1023
>  >  > tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd
>  >  >
>  >  Looks like you have an MLS constraint problem.