The sealert command can be run either as a CLI or as a GUI program. When you run it from the CLI, however, you have to give it the path to the audit log with the -a switch.
For example, here is the result if you run sealert from a TTY without any arguments:
# sealert
could not attach to desktop process
On the other hand, if you specify the audit log file to scan:
# sealert -a /var/log/audit/audit.log
you get the expected result. Every denial recorded in the log shows up with an analysis, similar to:
--------------------------------------------------------------------------------
SELinux is preventing /opt/brother/Printers/mfcj485dw/cupswrapper/brcupsconfpt1 from execute access on the file /etc/ld.so.cache.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that brcupsconfpt1 should be allowed execute access on the ld.so.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'brcupsconfpt1' --raw | audit2allow -M my-brcupsconfpt1
# semodule -i my-brcupsconfpt1.pp
Additional Information:
Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:ld_so_cache_t:s0
Target Objects /etc/ld.so.cache [ file ]
Source brcupsconfpt1
Source Path /opt/brother/Printers/mfcj485dw/cupswrapper/brcupsconfpt1
Port
Host
Source RPM Packages mfcj485dwlpr-1.0.0-0.i386
Target RPM Packages glibc-2.17-157.el7_3.5.x86_64
glibc-2.17-157.el7_3.5.i686
Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name SOMENAME
Platform Linux SOMENAME 3.10.0-514.26.2.el7.x86_64 #1 SMP
Tue Jul 4 15:04:05 UTC 2017 x86_64 x86_64
Alert Count 20
First Seen 2017-08-21 18:04:39 EDT
Last Seen 2017-08-21 18:04:42 EDT
Local ID 9851dcdd-6b59-4310-8e26-573219f32e7e
Raw Audit Messages
type=AVC msg=audit(1503353082.145:499): avc: denied { execute } for pid=14664 comm="brmfcj485dwfilt" path="/etc/ld.so.cache" dev="dm-0" ino=146770715 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file
type=SYSCALL msg=audit(1503353082.145:499): arch=i386 syscall=lgetxattr per=400000 success=no exit=EACCES a0=0 a1=22671 a2=1 a3=2 items=0 ppid=14608 pid=14664 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=brmfcj485dwfilt exe=/opt/brother/Printers/mfcj485dw/lpd/brmfcj485dwfilter subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Hash: brcupsconfpt1,cupsd_t,ld_so_cache_t,file,execute
--------------------------------------------------------------------------------
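The "Raw Audit Messages" block is the part of the report worth reading before running the suggested audit2allow command, because audit2allow allows exactly what was denied, nothing less. As an added example (not part of this post, and not sealert's or audit2allow's own code), the following Python script parses type=AVC records from an audit log, keeps only the denials, and merges them into the per-(source type, target type, class) allow rules that audit2allow would put into the .te file. The sample log is constructed from the records quoted above plus one extra constructed "read" denial (serial 512) so that the merge step has something to merge; the AvcRecord, parse_avc, parse_audit_log and allow_rules names are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the raw AVC/SYSCALL records quoted in the sealert
# output above, plus one extra constructed AVC (serial 512, "read") so that
# grouping has more than one denial to merge.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1503353082.145:499): avc:  denied  { execute } for  pid=14664 comm="brmfcj485dwfilt" path="/etc/ld.so.cache" dev="dm-0" ino=146770715 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file
type=SYSCALL msg=audit(1503353082.145:499): arch=i386 syscall=lgetxattr per=400000 success=no exit=EACCES pid=14664 comm=brmfcj485dwfilt exe=/opt/brother/Printers/mfcj485dw/lpd/brmfcj485dwfilter subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1503353090.001:512): avc:  denied  { read } for  pid=14700 comm="brmfcj485dwfilt" path="/etc/ld.so.cache" dev="dm-0" ino=146770715 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file
"""

# Shape of a type=AVC record: the audit header, the verdict, the brace-delimited
# permission set, then space-separated key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    verdict: str
    perms: list
    comm: str
    path: str
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        # An SELinux context is user:role:type[:mls]; the type is the third field.
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str):
    """Return an AvcRecord for a type=AVC line, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        verdict=m.group("verdict"),
        perms=m.group("perms").split(),
        comm=fields.get("comm", ""),
        # File denials carry path=; some object classes carry name= instead.
        path=fields.get("path", fields.get("name", "")),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
    )


def parse_audit_log(text: str) -> list:
    """Keep only the denials; SYSCALL and other record types are skipped."""
    records = (parse_avc(line) for line in text.splitlines())
    return [r for r in records if r is not None and r.verdict == "denied"]


def allow_rules(denials) -> list:
    """Merge denials into one allow rule per (source type, target type, class),
    which is the shape of the rules audit2allow writes into the .te file."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d.source_type, d.target_type, d.tclass)].update(d.perms)
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"{d.serial}: {d.comm} ({d.source_type}) -> {d.path} "
              f"({d.target_type}:{d.tclass}) {d.perms}")
    print("Rules audit2allow would generate, for review before semodule -i:")
    for rule in allow_rules(found):
        print("  " + rule)
```

Run it as-is to see the merged rule for the constructed sample, or feed it `/var/log/audit/audit.log` by reading the file into parse_audit_log. The point of the merge is that one audit2allow run over a busy log produces a single rule per domain/type pair with every denied permission folded in, so the .te file audit2allow writes next to the .pp should be read line by line before the semodule -i step in the report above; a rule that grants a confined daemon like cupsd_t more than the one permission the printer filter actually needed is the thing to catch at that stage.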