RE:selinux problems, WAS: FC4 and No logs and Audit-logs


 



> -----Original Message-----
> From: fedora-list-bounces@xxxxxxxxxx 
> [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of nodata
> Sent: Saturday, July 23, 2005 5:28 PM
> To: For users of Fedora Core releases
> Subject: RE: FC4 and No logs and Audit-logs
> 
> 
> On Sat, 2005-07-23 at 13:33 +0200, Tomas Larsson wrote:
> > Looking in the "/var/logs/audit/audit.log"
> > 
> > I'll find the following entry:
> > type=AVC msg=audit(1122113324.490:351515): avc:  denied  { read } for pid=2866 comm="syslogd" name="syslog.conf" dev=dm-0 ino=653814 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
> > type=SYSCALL msg=audit(1122113324.490:351515): arch=40000003 syscall=5 success=no exit=-13 a0=2998c6 a1=0 a2=1b6 a3=98f1298 items=1 pid=2866 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="syslogd" exe="/sbin/syslogd"
> > 
> > It seems that syslogd is denied to do its job.
> > 
> > With best regards
> > 
> > Tomas Larsson
> > Sweden
> > 
> > Verus Amicus Est Tamquam Alter Idem
> > 
> > > -----Original Message-----
> > > From: fedora-list-bounces@xxxxxxxxxx
> > > [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Tomas Larsson
> > > Sent: Saturday, July 23, 2005 1:12 PM
> > > To: 'For users of Fedora Core releases'
> > > Subject: RE: FC4 and No logs
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: fedora-list-bounces@xxxxxxxxxx
> > > > [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Tomas Larsson
> > > > Sent: Saturday, July 23, 2005 9:09 AM
> > > > To: 'For users of Fedora Core releases'
> > > > Subject: RE: FC4 and No logs
> > > > 
> > > > 
> > > > > -----Original Message-----
> > > > > From: fedora-list-bounces@xxxxxxxxxx
> > > > > [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Thomas Cameron
> > > > > Sent: Saturday, July 23, 2005 1:33 AM
> > > > > To: For users of Fedora Core releases
> > > > > Subject: Re: FC4 and No logs
> > > > > 
> > > > > 
> > > > > On Fri, 2005-07-22 at 21:29 +0200, Tomas Larsson wrote:
> > > > > > > By some strange reason, the logging seems to have stopped, boot,
> > > > > > > messages, secure etc hasn't logged anything since yesterday.
> > > > > > 
> > > > > > Anyone got any clues?
> > > > > > 
> > > > > > 
> > > > > > With best regards
> > > > > > 
> > > > > > Tomas Larsson
> > > > > > Sweden
> > > > > > 
> > > > > > Verus Amicus Est Tamquam Alter Idem
> > > > > 
> > > > > > That sounds like a potentially bad thing - some cracks involve
> > > > > > killing off logging so that the sysadmin can't see what the bad guy
> > > > > > is doing. Are you sure your system isn't compromised?
> > > > > --
> > > > > Thomas Cameron, RHCE, CNE, MCSE, MCT
> > > > > 512-241-0774 (office)
> > > > > 512-924-8592 (cell)
> > > > > 
> > > > > --
> > > > > fedora-list mailing list
> > > > > fedora-list@xxxxxxxxxx
> > > > > To unsubscribe: 
> > > > > http://www.redhat.com/mailman/listinfo/fedora-list
> > > > >
> > > > 
> > > > 
> > > > Can't think that it's being compromised (you never know, do you),
> > > > got it up and running same day.
> > > > If it is compromised, then there is a serious flaw within FEDORA.
> > > > 
> > > > My thinking is that I've done something else. Syslogd is running,
> > > > so it must be something else, question is what though.
> > > > 
> > > > 
> > > > With best regards
> > > > 
> > > > Tomas Larsson
> > > > Sweden
> > > > 
> > > > Verus Amicus Est Tamquam Alter Idem
> > > > 
> > > 
> > > When I do a "service syslog status", I'm getting the
> > > following response Translated to English,
> > > 
> > > Syslogd is dead, but PID exists
> > > Klogd (pid 1512) is running
> > > 
> > > On the console I'm getting "syslogd:0 /dev/console: permission 
> > > denied"
> > > 
> > > I'm starting to think that it might be selinux that has
> > > screwed something up.
> > > 
> > > With best regards
> > > 
> > > Tomas Larsson
> > > Sweden
> > > 
> > > Verus Amicus Est Tamquam Alter Idem
> > > 
> 
> To test, turn off selinux, reboot then check the logs.
> Then file a bug quoting the avc messages above.
> 



Turned off SELINUX, and logging started.

Could anyone running FEDORA Core 4, using SELINUX enforced, targeted
policy do a "ls -alZ /etc/syslog.conf"
and post the result here?

My output looks like "-rw-r--r--  root     root system_u:object_r:etc_t          /etc/syslog.conf"

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem

Attachment: smime.p7s
Description: S/MIME cryptographic signature
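
An added example, not part of the original thread: a small Python parser that joins the AVC and SYSCALL records quoted above by their shared audit serial, extracts the source type, target type, permission and errno, and pulls the type out of the posted `ls -alZ` line for comparison. The function names are illustrative; the sample records are the thread's own, re-joined onto single lines.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: the thread's two audit records and its `ls -alZ` line, re-joined.
SAMPLE_LOG = '''type=AVC msg=audit(1122113324.490:351515): avc:  denied  { read } for pid=2866 comm="syslogd" name="syslog.conf" dev=dm-0 ino=653814 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1122113324.490:351515): arch=40000003 syscall=5 success=no exit=-13 a0=2998c6 a1=0 a2=1b6 a3=98f1298 items=1 pid=2866 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="syslogd" exe="/sbin/syslogd"
'''
LS_Z_LINE = "-rw-r--r--  root     root system_u:object_r:etc_t          /etc/syslog.conf"

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
CONTEXT = re.compile(r'\b([\w.-]+):([\w.-]+):([\w.-]+)')

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or non-audit lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        p = PERMS.search(body)
        if p:  # only AVC records carry the "{ perm ... }" set
            fields["result"], fields["perms"] = p.group(1), p.group(2).split()
        events[serial][rtype] = fields
    return dict(events)

def summarize_denials(events):
    """One dict per AVC denial, joined with its SYSCALL record when present."""
    out = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc.get("result") != "denied":
            continue
        code = int(sc["exit"]) if "exit" in sc else None
        out.append({
            "serial": serial, "comm": avc["comm"], "exe": sc.get("exe"),
            "perms": avc["perms"], "tclass": avc["tclass"], "name": avc.get("name"),
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "errno": errno.errorcode.get(-code) if code is not None and code < 0 else None,
        })
    return out

def type_from_ls_z(line):
    """Return the SELinux type from the first user:role:type token in an `ls -Z` line."""
    m = CONTEXT.search(line)
    return m.group(3) if m else None
```

On the thread's data this yields `syslogd_t` denied `read` on a `file` with target type `etc_runtime_t` and errno `EACCES`, while the posted `ls -alZ` line carries the type `etc_t`.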

