selinux January 2010 archive
Main Archive Page > Month Archives  > selinux archives
selinux: how to trace an avc denial

how to trace an avc denial

From: Stefan Schulze Frielinghaus <stefan_at_nospam>
Date: Sat Jan 30 2010 - 17:43:55 GMT
To: selinux <>

Hi all,

I'm trying to create a policy for pidgin and hit the following problem: When pidgin is started via the GNOME menu "Applications -> Internet -> Pidgin" then I get the following AVC:

type=1400 audit(1264870417.250:22382): avc: denied { search } for pid=9114 comm="pidgin" name="1" dev=proc ino=160141 scontext=unconfined_u:unconfined_r:pidgin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir type=1400 audit(1264870417.250:22382): avc: denied { read } for pid=9114 comm="pidgin" name="exe" dev=proc ino=160142 scontext=unconfined_u:unconfined_r:pidgin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file

At the moment I just don't audit the denials:

require {

        type init_t;

dontaudit pidgin_t init_t:dir search;
dontaudit pidgin_t init_t:lnk_file read;

What I would like to do is find out if pidgin itself is accessing /proc/1/exe or if it is a library. A simple "grep -R '/proc/' ./pidgin-source" does not provide any helpful output. My guess is that it is a leaked file descriptor because if I start pidgin from a shell, then I do not have this problem (I have a rule for user terminals and so on).

Summarized, how can I find out which library or application part is causing an AVC? I know there won't be any magical way to find the exact part ;-) but some general rules or tips would be very appreciated. Sometimes I use strace, e.g. to find out that a library is doing a call I'm interested in but this time strace does not help me. So any comments/suggestions are very welcomed.

Stefan -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to with the words "unsubscribe selinux" without quotes as the message.