On 10/27/2010 10:59 AM, Hiisi wrote:
> Dear all!
> I would like one of the computers on a LAN to send some files to another
> computer on the same LAN using scp. Both computers can ping each other
> without any problems and I set up ssh using keys authentication to work
> without passwords. The task I'm talking about should be done in
> automatic way so I wrote the following script (the part of it has been
> erased for the purpose of simplicity):
> ...
> OUTFILE=$(mktemp /tmp/out.XXXXXX)
> chmod 666 $OUTFILE
> ...
> scp $OUTFILE user@xxxxxxxxxxxx:/home/user/
> ...
>
> It doesn't work as expected. It creates the desired file in /tmp dir on
> local machine but it doesn't copy it to remote machine. Instead I see a
> lot of avc denial messages in dmesg output:
> type=1400 audit(1288189100.508:9): avc: denied { name_connect } for
> pid=9059 comm="ssh" dest=22 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
>
> The script on the sender machine is invoked by procmail. I tested this
> scp command manually and it can be done without any restriction. However
> it doesn't work when it's in a script. How can I tell selinux (is it him
> whom to blame?) to allow scp from a script?
> TIA
> P.S. Additional info:
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 24
> Policy from config file: targeted
>
> P.S.2 I don't want to disable SELinux completely because this system
> is connected to the Internet and has static IP address. I see a lot of
> interesting things in root mail every day :-)

Use audit2allow to add the rule

# grep procmail /var/log/audit/audit.log | audit2allow -M myprocmail
# semodule -i myprocmail.pp
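
Added example, not part of the original messages: because `grep procmail` feeds every matching denial to audit2allow, it helps to see which allow rules those lines imply before the module is loaded. The sketch below parses AVC lines for one source domain and prints the de-duplicated rules; the function names, the sample log and the `example_t` domain are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the allow rules implied by the
# AVC denials of ONE source domain, for review before loading a module.

# Constructed sample log: line 1 is the denial quoted in the question, line 2
# repeats it with a new pid, line 3 is a made-up denial in a hypothetical
# domain (example_t), line 4 is unrelated noise.
sample_log() {
    cat <<'EOF'
type=1400 audit(1288189100.508:9): avc: denied { name_connect } for pid=9059 comm="ssh" dest=22 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=1400 audit(1288189160.112:12): avc: denied { name_connect } for pid=9102 comm="ssh" dest=22 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=1400 audit(1288189170.300:13): avc: denied { read write } for pid=9110 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=1100 audit(1288189180.000:14): user pid=9120 msg='constructed non-AVC line'
EOF
}

# avc_to_allow SOURCE_TYPE: read audit or dmesg lines on stdin and print one
# "allow" rule per distinct denial whose scontext type equals SOURCE_TYPE.
avc_to_allow() {
    awk -v want="$1" '
    /avc: +denied/ {
        perms = ""; stype = ""; ttype = ""; tclass = ""
        # Denied permissions are listed between the braces.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        # A context is user:role:type:level, so the type is the third field.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype != want || perms == "" || ttype == "" || tclass == "") next
        if (perms ~ / /) perms = "{ " perms " }"   # several permissions
        rule = "allow " stype " " ttype ":" tclass " " perms ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

sample_log | avc_to_allow procmail_t
```

With the system in permissive mode, as the `sestatus` output shows, the log can hold denials beyond the first one, so every rule listed is one the generated module would grant to `procmail_t`.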