Steve wrote:
---- max bianco <maximilianbianco@xxxxxxxxx> wrote:
On Mon, Jul 14, 2008 at 8:55 AM, Steve <zephod@xxxxxxxxxx> wrote:
I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:
connection failed at /var/run/setroubleshoot/setroubleshoot_server. Connection refused
# ls -lZ /var/run/setroubleshoot/setroubleshoot_server
srw-rw-rw- root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server
That looks right. Is it F8 or F9?
Found some more interesting AVC messages in /var/log/dmesg, This doesn't mean anything to me. Where is the best place to go to get a little more educated about what all this is supposed to mean?
Thanks,
Steve
That depends on what you already know about SELinux. I have found a lot
of material but it's never enough for me :^) This is as good a place to
start as any (probably better than most):
http://fedoraproject.org/wiki/SELinux
Depending on how deep you want to get you might look up the Flask
Security Architecture. There is a PDF available; it's not very long but
it's informative. There are also a few SELinux-specific papers out there.
I am reading SELinux by Example; it seems very complete so far and
actually references some of the available papers throughout. As for the
errors below, I am assuming this is the first time you've seen them since
you just installed policy. Did you uninstall the policy at some point?
Has the machine always, from day of install, been in permissive? Was
this a fresh install or an upgrade? Are there any AVCs or error
messages, related to SELinux, in the logs from before policy was installed?
...
SELinux:8192 avtab hash slots allocated. Num of rules:68341
SELinux:8192 avtab hash slots allocated. Num of rules:68341
security: 3 users, 6 roles, 1823 types, 80 bools, 1 sens, 1024 cats
security: 61 classes, 68341 rules
security: class peer not defined in policy
security: class capability2 not defined in policy
security: permission recvfrom in class node not defined in policy
security: permission sendto in class node not defined in policy
security: permission ingress in class netif not defined in policy
security: permission egress in class netif not defined in policy
security: permission setfcap in class capability not defined in policy
security: permission forward_in in class packet not defined in policy
security: permission forward_out in class packet not defined in policy
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), not configured for labeling
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: policy loaded with handle_unknown=deny
type=1403 audit(1216200106.325:2): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1216200107.996:3): avc: denied { read write } for pid=505 comm="restorecon" path="/dev/console" dev=tmpfs ino=233 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1216200109.580:4): avc: denied { create } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=1400 audit(1216200109.594:5): avc: denied { getattr } for pid=731 comm="hwclock" path="/etc/adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
type=1400 audit(1216200109.594:6): avc: denied { read } for pid=731 comm="hwclock" name="adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
type=1400 audit(1216200109.819:7): avc: denied { sys_time } for pid=731 comm="hwclock" capability=25 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1216214509.907:8): avc: denied { write } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=1400 audit(1216214510.000:9): avc: denied { nlmsg_relay } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=1400 audit(1216214510.000:10): avc: denied { audit_write } for pid=731 comm="hwclock" capability=29 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1216214510.000:11): avc: denied { read } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
...
--
Fortune favors the BOLD
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list