Hello folks! On this freshly installed F11 machine (from the KDE Live CD) I often get selinux alerts similar to the one below. It's not just openvpn, but also mv (dhcpc_t) and ifconfig (ifconfig_t). I don't feel anything to be non-functional (aside from openvpn, but that's a different problem), but these alerts are confusing to me. I did a yum list selinux* and it replied with: Installed Packages selinux-policy.noarch selinux-policy-targeted.noarch Available Packages selinux-doc.noarch selinux-policy-doc.noarch selinux-policy-minimum.noarch selinux-policy-mls.noarch Here I can see that selinux-policy-mls is not installed, while all the alerts are related to mls. yum info selinux-policy-mls gives the description "SELinux Reference policy mls base module" which is not very informative (for me). So, five questions: 1) what is mls? 2) is installing selinux-policy-mls going to help with these alerts? 3) if yes, why wasn't it installed automatically? 4) is any of this actually related to the alerts I get? 5) are the alerts important, or is it safe to ignore them? TIA! Best, :-) Marko P.S. An example alert, triggered by openvpn: Summary: SELinux is preventing openvpn (openvpn_t) "read" security_t. Detailed Description: SELinux denied access requested by openvpn. It is not expected that this access is required by openvpn and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:system_r:openvpn_t:s0 Target Context system_u:object_r:security_t:s0 Target Objects mls [ file ] Source openvpn Source Path /usr/sbin/openvpn Port <Unknown> Host QuiGon.cii.fc.ul.pt Source RPM Packages openvpn-2.1-0.32.rc15.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-53.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name QuiGon.cii.fc.ul.pt Platform Linux QuiGon.cii.fc.ul.pt 2.6.29.5-191.fc11.x86_64 #1 SMP Tue Jun 16 23:23:21 EDT 2009 x86_64 x86_64 Alert Count 3 First Seen Tue Jun 30 18:19:36 2009 Last Seen Wed Jul 1 17:23:23 2009 Local ID 21d91c14-a449-42d6-86e9-96f04843e91e Line Numbers Raw Audit Messages node=QuiGon.cii.fc.ul.pt type=AVC msg=audit(1246465403.798:64): avc: denied { read } for pid=27303 comm="openvpn" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file node=QuiGon.cii.fc.ul.pt type=SYSCALL msg=audit(1246465403.798:64): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb20f6880 a1=0 a2=7fffb20f688c a3=fffffff8 items=0 ppid=27290 pid=27303 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null) -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
