
| Nuno |
Posted: Jul 2 2012, 10:21 AM
|
|
|
SLF Newbie Group: Members Posts: 2 Member No.: 1649 Joined: 27-June 12 |
Does anyone know what the 59th system call is? And which allow instruction should I use in the policy so as not to be blocked here?
type=SYSCALL msg=audit(1341223372.089:282): arch=c000003e syscall=59 success=no exit=-13 a0=34e1f75cc6 a1=7fff10c1c4b0 a2=7fff10c1c708 a3=8 items=0 ppid=3539 pid=3541 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="BE_app1" exe="/home/joao/trusted_folder/applications/app1/BE_app1" subj=unconfined_u:unconfined_r:trust_1_dom_t:s0-s0:c0.c1023 key=(null) |
|
| zxq9 |
Posted: Jul 2 2012, 06:25 PM
|
|
SLF Advocate Group: Members Posts: 369 Member No.: 611 Joined: 5-August 11 |
Don't really have time for details, so this is just an unresearched driveby...
I'm pretty sure that 59 is a deprecated uname request that probably shouldn't be made in the first place. Could be wrong -- my cheatsheet is likely out of date (but then again, that means this syscall is really out of date). To get a quicker picture of what SELinux is doing and get a recommendation based on the event try installing policycoreutils-gui (or some package named very nearly that) and see what it tells you. Try audit2allow as well -- this is usually my route, but as of Fedora 14 the GUI tools were looking quite good, so may as well use them. "man audit2allow" and "man selinux" are your friends. |
|
| zxq9 |
Posted: Jul 2 2012, 06:44 PM
|
|
SLF Advocate Group: Members Posts: 369 Member No.: 611 Joined: 5-August 11 |
Oh hey, check that out -- I hate leaving stub answers like that, so I peeked into /usr/include/asm/unistd_32.h and unistd_64.h...
Turns out that on 32-bit 59 is "__NR_oldolduname". No big deal, just a deprecated call. But on 64 bit, 59 is "__NR_execve" -- which is a big deal because whatever program that is appears to be demanding protected memory access, so naturally SELinux would deny that without a reason written into policy. Poorly written stuff is probably the number one reason people turn SELinux off. There is a loud irony to this. |
|
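Added example, not part of any post in this thread: the number in `syscall=` only has a meaning together with the `arch=` field of the same record, so this sketch decodes both from the record posted above (`c000003e` is the x86_64 audit arch value, `40000003` is i386). The function names and the small syscall table excerpts are assumptions made for the example.

```python
import errno
import re

# Audit arch values (AUDIT_ARCH_* in linux/audit.h) -> ABI name.
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000003: "i386"}

# Small excerpt of each ABI's syscall table; enough for this record.
SYSCALLS = {
    "x86_64": {0: "read", 1: "write", 59: "execve", 63: "uname"},
    "i386": {11: "execve", 59: "oldolduname", 109: "olduname", 122: "uname"},
}

# The record posted in the thread, shortened to the fields used here.
RECORD = ('type=SYSCALL msg=audit(1341223372.089:282): arch=c000003e syscall=59 '
          'success=no exit=-13 ppid=3539 pid=3541 comm="BE_app1" '
          'subj=unconfined_u:unconfined_r:trust_1_dom_t:s0-s0:c0.c1023 key=(null)')

def parse_fields(record):
    """Split an audit record into its key=value fields, unquoting values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def decode_syscall(record):
    """Resolve syscall name, errno and SELinux domain of a SYSCALL record."""
    f = parse_fields(record)
    abi = AUDIT_ARCH.get(int(f["arch"], 16), "unknown")
    nr = int(f["syscall"])
    exit_code = int(f["exit"])
    # timestamp:serial identifies the event; related records share it.
    event = re.search(r"audit\(([\d.]+:\d+)\)", record).group(1)
    return {
        "event": event,
        "abi": abi,
        "syscall": SYSCALLS.get(abi, {}).get(nr, f"unknown({nr})"),
        "error": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        "domain": f["subj"].split(":")[2],  # user:role:type:level
    }

if __name__ == "__main__":
    print(decode_syscall(RECORD))
    # The same number under the 32-bit ABI resolves to a different call.
    print(decode_syscall(RECORD.replace("c000003e", "40000003")))
```

The SYSCALL record does not name the denied permission; that is in the `type=AVC` record carrying the same event ID (`1341223372.089:282`), which is the record audit2allow works from.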