On Monday 13 August 2007 07:24:23 Daniel J Walsh wrote:
> I will put it in fedora-testing today along with fixes for your problem.

Thanks. I just installed it but afterwards, I still see these when I run "sudo ldconfig" with setenforce 0:

type=AVC msg=audit(1187043238.692:2616): avc: denied { dac_override } for pid=15479 comm="ldconfig" capability=1 scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:ldconfig_t:s0 tclass=capability
type=SYSCALL msg=audit(1187043238.692:2616): arch=40000003 syscall=195 success=yes exit=0 a0=89c1c08 a1=bf8b83e0 a2=89bf801 a3=89bf801 items=0 ppid=15457 pid=15479 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1187043239.334:2617): avc: denied { search } for pid=15479 comm="ldconfig" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1187043239.334:2617): arch=40000003 syscall=195 success=yes exit=0 a0=bf8b7460 a1=bf8b84bc a2=a000 a3=89c0a88 items=0 ppid=15457 pid=15479 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)

> You can always modify selinux policy by executing
>
> grep ldconfig /var/log/audit/audit.log | audit2allow -M myldconfig
> semodule -i myldconfig.pp

Yes, it produces:

module myldconfig 1.0;

require {
        type home_root_t;
        type ldconfig_t;
        class capability dac_override;
        class dir search;
}

#============= ldconfig_t ==============
allow ldconfig_t home_root_t:dir search;
allow ldconfig_t self:capability dac_override;

I can't help but think that the AVCs are due to something I did instead of ldconfig or its shipped policy. Any thoughts?

--
Garry T. Williams --- +1 678 656-4579