aureport shows denied messages
Environment
- Red Hat OpenStack Platform 10.0
Issue
- Getting avc: denied messages in the /var/log/audit/audit.log file.
- What is the significance of avc: denied messages?
- How to avoid avc: denied messages?
- aureport showing denied messages (the records as they appear in the rotated audit log):
/var/log/audit/audit.log.3:type=AVC msg=audit(1523143840.238:298992): avc: denied { read } for pid=834370 comm="ethtool" path="/dev/mem" dev="devtmpfs" ino=2051 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
/var/log/audit/audit.log.3:type=AVC msg=audit(1523143840.238:298992): avc: denied { read } for pid=834370 comm="ethtool" path="/dev/sda" dev="devtmpfs" ino=2947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
/var/log/audit/audit.log.3:type=AVC msg=audit(1523143840.372:298994): avc: denied { read } for pid=834374 comm="ethtool" path="/dev/mem" dev="devtmpfs" ino=2051 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
/var/log/audit/audit.log.3:type=AVC msg=audit(1523143840.372:298994): avc: denied { read } for pid=834374 comm="ethtool" path="/dev/sda" dev="devtmpfs" ino=2947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Resolution
- The article below shows how to create SELinux dontaudit rules so that these AVC denials are no longer logged:
How to create SELinux dontaudit rules to hide avc denied warnings
- Note that a dontaudit rule only suppresses the log record; the access itself is still denied. Before hiding a denial, confirm that the denied access is not something the application actually needs. If it is, the fix is a policy change (an allow rule or a boolean), not a dontaudit rule.
Root Cause
- These messages are generated whenever SELinux denies access for an operation.
- The access decision is cached in the Access Vector Cache (AVC), which is why the records are labelled type=AVC.
- The denials are logged to locations such as:
/var/log/audit/audit.log (the raw AVC record written by auditd)
/var/log/messages (the "SELinux is preventing ..." summary written by setroubleshoot, when it is installed)
Diagnostic Steps
- You can check for these messages using:
[root@server ~]# grep "SELinux is preventing" /var/log/messages
[root@server ~]# grep "denied" /var/log/audit/audit.log
- Below is the meaning of each field in the log record:
/var/log/audit/audit.log.3:type=AVC msg=audit(1523143847.901:299050): avc: denied { read } for pid=834524 comm="ifconfig" path="/dev/sda" dev="devtmpfs" ino=2947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
- { read }
The item in the curly brackets is the permission that was denied. The read entry means the source process was trying to read the target file.
- comm="ifconfig"
The executable that launched the process. The full path of the executable is found in the exe= field of the accompanying system call (SYSCALL) record, which shares the same msg=audit(timestamp:serial) value as the AVC record; in this case it is exe="/usr/sbin/ifconfig".
- path="/dev/sda"
The path to the object (target) the process attempted to access.
- scontext=system_u:system_r:ifconfig_t:s0
The SELinux context of the process that attempted the denied action. In this case it is the context of ifconfig, which runs in the ifconfig_t domain.
- tcontext=system_u:object_r:fixed_disk_device_t:s0
The SELinux context of the object (target) the process attempted to access. In this case it is the context of /dev/sda. Note that the loaded policy does not allow processes running in the ifconfig_t domain to read objects of the fixed_disk_device_t type, which is why the access was denied.
- tclass=blk_file
The class of the target object; here a block device file. Policy rules are written against the type in scontext, the type in tcontext, the tclass and the permission, so these four values are what you need when deciding whether to allow or dontaudit a denial.
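The following is an added example, not code from this article, from Red Hat, or from the audit tools. It parses AVC records in the exact shape shown above (with the file-name prefix that grep adds), joins each denial to the exe= value of the SYSCALL record that shares its serial, groups denials by source type, target type and object class, and renders the corresponding dontaudit (or allow) type-enforcement rules. The sample input is constructed from the records quoted in this article plus one abridged SYSCALL record that is assumed, not taken from the page.

```python
"""Parse SELinux AVC denial records and summarize them per policy rule.

Added example; not Red Hat's or the audit tools' own code. Input is the
grep output shown in the article (file-name prefix included).
"""
import re
from collections import OrderedDict
from dataclasses import dataclass

# Constructed sample: the five AVC records quoted in the article and one
# abridged SYSCALL record (assumed, not from the page) sharing serial 299050.
SAMPLE_AUDIT_LINES = """\
/var/log/audit/audit.log.3:type=AVC msg=audit(1523143840.238:298992): avc: denied { read } for pid=834370 comm="ethtool" path="/dev/mem" dev="devtmpfs" ino=2051 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
/var/log/audit/audit.log.3:type=AVC msg=audit(1523143840.238:298992): avc: denied { read } for pid=834370 comm="ethtool" path="/dev/sda" dev="devtmpfs" ino=2947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
/var/log/audit/audit.log.3:type=AVC msg=audit(1523143840.372:298994): avc: denied { read } for pid=834374 comm="ethtool" path="/dev/mem" dev="devtmpfs" ino=2051 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
/var/log/audit/audit.log.3:type=AVC msg=audit(1523143840.372:298994): avc: denied { read } for pid=834374 comm="ethtool" path="/dev/sda" dev="devtmpfs" ino=2947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
/var/log/audit/audit.log.3:type=AVC msg=audit(1523143847.901:299050): avc: denied { read } for pid=834524 comm="ifconfig" path="/dev/sda" dev="devtmpfs" ino=2947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
/var/log/audit/audit.log.3:type=SYSCALL msg=audit(1523143847.901:299050): arch=c000003e syscall=2 success=no exit=-13 comm="ifconfig" exe="/usr/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null)
"""

# search() rather than match(): tolerate the "file:" prefix grep adds.
AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\} for (?P<fields>.*)$"
)
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


def _fields(text):
    """Split 'k=v k="v"' pairs into a dict, stripping the quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(text)}


def _type_of(context):
    """user:role:type:level -> type, the component policy rules name."""
    return context.split(":")[2]


@dataclass
class AvcDenial:
    serial: str
    perms: tuple
    comm: str
    path: str
    scontext: str
    tcontext: str
    tclass: str
    exe: str = None  # filled from the SYSCALL record with the same serial

    @property
    def stype(self):
        return _type_of(self.scontext)

    @property
    def ttype(self):
        return _type_of(self.tcontext)


def parse_audit(text):
    """Return the denied AVC records in text, with exe= joined from SYSCALL records."""
    denials, exe_by_serial = [], {}
    for line in text.splitlines():
        avc = AVC_RE.search(line)
        if avc and avc.group("result") == "denied":
            f = _fields(avc.group("fields"))
            denials.append(AvcDenial(
                serial=avc.group("serial"), perms=tuple(avc.group("perms").split()),
                comm=f.get("comm", ""), path=f.get("path", f.get("name", "")),
                scontext=f["scontext"], tcontext=f["tcontext"], tclass=f["tclass"]))
            continue
        sc = SYSCALL_RE.search(line)
        if sc:
            exe_by_serial[sc.group("serial")] = _fields(sc.group("fields")).get("exe")
    for d in denials:
        d.exe = exe_by_serial.get(d.serial)
    return denials


def summarize(denials):
    """Group by (source type, target type, class): the unit one policy rule covers."""
    summary = OrderedDict()
    for d in denials:
        e = summary.setdefault((d.stype, d.ttype, d.tclass),
                               {"count": 0, "perms": set(), "comms": set(), "paths": set()})
        e["count"] += 1
        e["perms"].update(d.perms)
        e["comms"].add(d.comm)
        e["paths"].add(d.path)
    return summary


def te_rules(denials, kind="dontaudit"):
    """Render TE rules: dontaudit hides the record, allow grants the access."""
    if kind not in ("dontaudit", "allow"):
        raise ValueError(kind)
    rules = []
    for (stype, ttype, tclass), e in summarize(denials).items():
        perms = sorted(e["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"{kind} {stype} {ttype}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT_LINES)
    for (s, t, c), e in summarize(recs).items():
        print(f"{e['count']}x {s} -> {t}:{c} {sorted(e['perms'])} "
              f"via {sorted(e['comms'])} on {sorted(e['paths'])}")
    print("\n".join(te_rules(recs)))
```

Run it against `grep denied /var/log/audit/audit.log*` output to see, per rule, how many times a denial fired, which commands triggered it and which paths were touched; that is the information you need before deciding whether a denial is noise to dontaudit or a real access to allow. On a RHEL host the supported tool for the same job is audit2allow (for example `audit2allow -a -D` for dontaudit rules, followed by semodule to install the module), which this example mirrors but does not replace.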
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.