SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: help with an avc denial This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Stephen Smalley <sds_at_tycho.nsa.gov> Date: Fri, 14 Dec 2007 14:44:47 -0500 On Fri, 2007-12-14 at 11:31 -0800, Clarkson, Mike R (US SSA) wrote: > I'm running RHEL 5.1 with the mls policy. > > I'm getting an avc denial that I can't get past. Here are the entries > from the audit log: > > type=AVC msg=audit(1197658847.835:9499): avc: denied { create } for > pid=20432 comm="touch" name="tmp.log" > scontext=sysadm_u:sysadm_r:sysadm_t:s0-s4:c0.c255 > tcontext=sysadm_u:object_r:audit_log_t:s0-s4:c0.c255 tclass=file A file should be single level, not ranged. > type=SYSCALL msg=audit(1197658847.835:9499): arch=c000003e syscall=2 > success=no exit=-13 a0=7fff74eceb5c a1=941 a2=1b6 a3=328dd4b0ac items=0 > ppid=12410 pid=20432 auid=11000 uid=11000 gid=4500 euid=11000 suid=11000 > fsuid=11000 egid=4500 sgid=4500 fsgid=4500 tty=pts3 comm="touch" > exe="/bin/touch" subj=sysadm_u:sysadm_r:sysadm_t:s0-s4:c0.c255 > key=(null) > > > Here is what audit2allow returns: > #============= sysadm_t ============== > # src="sysadm_t" tgt="audit_log_t" class="file", perms="create" > # comm="touch" exe="" path="" > allow sysadm_t audit_log_t:file create; > > I have entered that exact allow rule into my policy to no effect. > > Audit2why indicates that the reason for the above audit log avc denial > is a missing allow rule, as opposed to a constraint problem. > > Any help would be greatly appreciated. > Thanks > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Fri 14 Dec 2007 - 14:44:51 EST This message: [ Message body ] Next message: Stephen Smalley: "Re: help with an avc denial" Previous message: Stephen Smalley: "Re: Network flow controls and subj/obj ordering" In reply to: Clarkson, Mike R \(US SSA\): "help with an avc denial" Next in thread: Stephen Smalley: "Re: help with an avc denial" Reply: Stephen Smalley: "Re: help with an avc denial" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom