selinux January 2010 archive
Main Archive Page > Month Archives  > selinux archives
selinux: Help with an SELinux AVC event...

Help with an SELinux AVC event...

From: Hasan Rezaul-CHR010 <CHR010_at_nospam>
Date: Thu Jan 07 2010 - 20:37:32 GMT
To: "Stephen Smalley" <sds@tycho.nsa.gov>, "Tomas, Gregg A (IS)" <Gregg.Tomas@ngc.com>


Hi All,

I have a C application task called "sswd" on my Linux system, that opens up the /var/log/audit/audit.log file every 5 seconds, and checks to see if there are any new AVC denies.

I have had this same task doing the same thing for the last few years on a Linux system running selinux. And I have never seen these events in audit.log before complaining about the sswd task... I used to use older selinux packages, and ran the Fedora Core 7 'strict' policy together with some custom policies.

Recently we upgraded our SELinux packages to the very latest (similar to Fedora 12), and we are using Refpolicy as a base policy.

In the /var/log/audit/audit.log file, I see the following event pop up every 5 seconds, and I am guessing its because "sswd" tries to open up the audit.log file every 5 seconds for reading.

  1. Can you help me understand what this event is really saying?
  2. I have already taken the audit.log file, and used audit2allow to generate any allow rules necessary, but it didnt help to get rid of this particular event.
  3. Can I add any specific policy allow lines or transition rules in my custom policy files to get rid of this repeated event ?

Thanks in advance.

The event that pops up every 5 seconds in audit.log is: type=SYSCALL msg=audit(1262874266.422:260): arch=14 syscall=5 success=yes exit=24 a0=1002b9e4 a1=0 a2=1b6 a3=1b6 items=1 ppid=2463 pid=2794 auid=4294967295 uid=0 gid=601 euid=0 suid=0 fsuid=0 egid=601 sgid=601 fsgid=601 tty=(none) ses=4294967295 comm="sswd" exe="/usr/app/bin/sswd" subj=system_u:system_r:init_t:s0-s15:c0.c255 key="LOG_audit" type=CWD msg=audit(1262874266.422:260): cwd="/data" type=PATH msg=audit(1262874266.422:260): item=0 name="/var/log/audit/audit.log" inode=2061 dev=fd:07 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t:s15:c0.c255

root@hapWibbSc2:/var/log/audit# ps -eZ | grep sswd system_u:system_r:init_t:s0-s15:c0.c255 2781 ? 00:00:00 sswd

root@hapWibbSc2:/var/log/audit# cd /usr/app/bin root@hapWibbSc2:/usr/app/bin# ls -l sswd
-rwxrwxr-x 1 root root 217204 Jan 1 07:49 sswd
root@hapWibbSc2:/usr/app/bin# cd /var/log/audit/ root@hapWibbSc2:/var/log/audit# root@hapWibbSc2:/var/log/audit# ls -lZ
-rw------- root root system_u:object_r:auditd_log_t:s15:c0.c255 audit.log
 

--

This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.