fedora-selinux August 2010 archive

Re: NFSD warning?

From: Dominick Grift <domg472_at_nospam>
Date: Thu Aug 26 2010 - 10:43:36 GMT
To: selinux@lists.fedoraproject.org

On 08/26/2010 12:37 PM, Arthur Dent wrote:
> On Thu, 2010-08-26 at 11:58 +0200, Dominick Grift wrote:
>> On 08/26/2010 11:48 AM, Arthur Dent wrote:
>>> Hello all,
>>>
>>> Working with Dominick to solve my clamd denial problem has caused me to
>>> use ausearch more often than I normally would.
>>>
>>> This has revealed a large and constant amount of these messages:
>>
>> Do semodule -B to hide any denials that should not be displayed
>> (they are hidden on purpose)
>
> Actually Dominick, this *is* with semodule -B

Only the "{ 0x400000 }"'s are with semodule -B, I believe. The other AVC
denials are so-called dontaudited (hidden by default).

> ----
> time->Thu Aug 26 11:25:11 2010
> type=AVC msg=audit(1282818311.906:55953): avc: denied { 0x400000 } for
> pid=1219 comm="nfsd" name="" dev=sda11 ino=28365
> scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> ----
> time->Thu Aug 26 11:25:10 2010
> type=AVC msg=audit(1282818310.564:55924): avc: denied { 0x400000 } for
> pid=1219 comm="nfsd" name="" dev=sda11 ino=28365
> scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> ----
> time->Thu Aug 26 11:25:51 2010
> type=AVC msg=audit(1282818351.672:55954): avc: denied { 0x400000 } for
> pid=1219 comm="nfsd" name="" dev=sda11 ino=28365
> scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>
> Just a small sample. There are hundreds more. But if you say they are
> harmless then I guess I will just leave them alone...
>

In my previous reply I enclosed a URL to a related bug report. This
bugzilla report includes a method to hide the symptoms of this bug.

Basically it adds a dontaudit rule:
dontaudit kernel_t unlabeled_t:file *;

If that does not work for you then you can just ignore the denials for
now, and add a "me too" reply to the bugzilla report that I enclosed in
my previous reply.

> Thanks
>
> Mark
>
>
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

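
A triage helper for ausearch output like the records quoted in this thread, added here as an example (not code from the thread or from the bug report it mentions): it counts AVC denials per source type, target type, class and permission, and picks out permissions that were logged as a raw hex value such as `{ 0x400000 }`. The function names are illustrative, and the sample input is the three records from the message, rejoined onto single lines.

```python
import re
from collections import Counter

# Records from the message above, rejoined onto one line each (the mail wrapped them).
SAMPLE = """\
----
time->Thu Aug 26 11:25:11 2010
type=AVC msg=audit(1282818311.906:55953): avc: denied { 0x400000 } for pid=1219 comm="nfsd" name="" dev=sda11 ino=28365 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 11:25:10 2010
type=AVC msg=audit(1282818310.564:55924): avc: denied { 0x400000 } for pid=1219 comm="nfsd" name="" dev=sda11 ino=28365 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 11:25:51 2010
type=AVC msg=audit(1282818351.672:55954): avc: denied { 0x400000 } for pid=1219 comm="nfsd" name="" dev=sda11 ino=28365 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial line into a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group(1).split()
    return rec

def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            counts[key] += 1
    return counts

def unnamed_perms(counts):
    """Keys whose permission was logged as a raw hex value, not a name."""
    return [k for k in counts if re.fullmatch(r"0x[0-9a-fA-F]+", k[3])]

if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {src} -> {tgt}:{cls} {{ {perm} }}")
```

Hundreds of identical records collapse to one line per distinct tuple, which makes it easy to see whether a `dontaudit` rule like the one quoted above would cover everything that is being logged.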