Often certain commands in Linux will simply fail without any messages in /var/log/messages, or seemingly anywhere else we usually check. However, if you look at the SELinux audit log, /var/log/audit/audit.log, the error messages are sometimes there.
For example, every once in a while after a kernel update, I can't use the talk program. It simply says the connection is being refused by the other user. Since I already know SELinux is the culprit, I grep the logs:
grep -i talkd /var/log/audit/audit.log
The result:
type=AVC msg=audit(1329155365.865:143): avc: denied { open } for pid=5631 comm="in.ntalkd" name="1" dev=devpts ino=4 scontext=system_u:system_r:ktalkd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1329155365.865:143): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc83c0eb8 a1=101 a2=7fffc83c0ec3 a3=7fffc83c0690 items=0 ppid=5630 pid=5631 auid=4294967295 uid=99 gid=5 euid=99 suid=99 fsuid=99 egid=5 sgid=5 fsgid=5 tty=(none) ses=4294967295 comm="in.ntalkd" exe="/usr/sbin/in.ntalkd" subj=system_u:system_r:ktalkd_t:s0-s0:c0.c1023 key=(null)
Two entries showing that talk is denied: the AVC record names the denied permission (open) and the source and target contexts, and the SYSCALL record with the same event id (1329155365.865:143) names the process and the failed syscall. If you really want to authorize this process, grep the tail end of the file for that event id and use audit2allow to generate a policy module that will allow it.
tail /var/log/audit/audit.log | grep '1329155365.865:143' | audit2allow -M talkpolicy
audit2allow generates a talkpolicy.pp file and will also print instructions on how to activate it. That would be:
semodule -i talkpolicy.pp
This takes a minute or two and effectively authorizes the blocked program to run.
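Before loading a module generated this way it is worth seeing exactly what the denial asks for. The following Python is an added example (not from the post and not part of audit2allow): it parses the two records quoted above, joins them by event id, and prints the allow rule a module built from them would contain, so its scope can be checked before semodule -i.

```python
import re

# The two audit.log records quoted in the post, embedded so the example runs offline.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1329155365.865:143): avc: denied { open } for pid=5631 comm="in.ntalkd" name="1" dev=devpts ino=4 scontext=system_u:system_r:ktalkd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1329155365.865:143): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc83c0eb8 a1=101 a2=7fffc83c0ec3 a3=7fffc83c0690 items=0 ppid=5630 pid=5631 auid=4294967295 uid=99 gid=5 euid=99 suid=99 fsuid=99 egid=5 sgid=5 fsgid=5 tty=(none) ses=4294967295 comm="in.ntalkd" exe="/usr/sbin/in.ntalkd" subj=system_u:system_r:ktalkd_t:s0-s0:c0.c1023 key=(null)
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<id>[\d.]+:\d+)\): (?P<body>.*)$')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*) \}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_fields(body):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def parse_denials(text):
    """Group AVC and SYSCALL records by audit event id; return one summary per denied AVC."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(m.group('id'), {'avc': [], 'syscall': {}})
        if m.group('type') == 'AVC':
            perms = PERMS_RE.search(m.group('body'))
            if perms:   # only 'denied' records; 'granted' ones are skipped
                fields = parse_fields(m.group('body'))
                fields['perms'] = perms.group('perms').split()
                ev['avc'].append(fields)
        elif m.group('type') == 'SYSCALL':
            ev['syscall'] = parse_fields(m.group('body'))
    denials = []
    for event_id, ev in events.items():
        for avc in ev['avc']:   # exe and exit come from the SYSCALL record; exit=-13 is EACCES
            denials.append({'event': event_id, 'perms': avc['perms'], 'comm': avc.get('comm'),
                            'exe': ev['syscall'].get('exe'), 'exit': ev['syscall'].get('exit'),
                            'source_type': avc['scontext'].split(':')[2],
                            'target_type': avc['tcontext'].split(':')[2], 'tclass': avc['tclass']})
    return denials

def proposed_allow_rule(denial):
    """The allow rule a policy module built from this denial would contain."""
    perms = denial['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (denial['source_type'], denial['target_type'],
                                   denial['tclass'], perm_text)

if __name__ == '__main__':
    for d in parse_denials(SAMPLE_AUDIT):
        print(d['event'], d['exe'], 'exit=%s' % d['exit'], '->', proposed_allow_rule(d))
```

Pointing parse_denials at the tail of a real audit.log shows every type pair a module would open up; a rule that reaches beyond the one domain and target class you expect is the signal to fix labels or booleans instead of loading it.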