Scientific Linux Forum.org




selinux keeps blocking modprobe
Screwballl
 Posted: Jun 29 2014, 04:36 PM

I have noticed lately a lot of entries in /var/log/messages about modprobe being blocked by SELinux.

The odd part is that when I temporarily set it to permissive (echo 0 >/selinux/enforce), these entries never appear in the audit.log.

CODE
Jun 29 11:11:31 kernel: type=1400 audit(1404058291.593:39): avc:  denied  { read } for  pid=5696 comm="modprobe" name="modules.dep" dev=dm-0 ino=5638615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file

Jun 29 11:11:31 kernel: type=1400 audit(1404058291.610:40): avc:  denied  { open } for  pid=5699 comm="modprobe" name="modprobe.d" dev=dm-0 ino=4325382 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir

Jun 29 11:11:31 kernel: type=1400 audit(1404058291.610:41): avc:  denied  { open } for  pid=5699 comm="modprobe" name="modprobe.d" dev=dm-0 ino=4325382 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir

Jun 29 11:11:31 kernel: type=1400 audit(1404058291.611:42): avc:  denied  { read } for  pid=5699 comm="modprobe" name="modules.dep.bin" dev=dm-0 ino=5638616 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file

Jun 29 11:11:31 kernel: type=1400 audit(1404058291.611:43): avc:  denied  { read } for  pid=5699 comm="modprobe" name="modules.dep" dev=dm-0 ino=5638615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file

Jun 29 11:11:31 kernel: type=1400 audit(1404058291.627:44): avc:  denied  { open } for  pid=5702 comm="modprobe" name="modprobe.d" dev=dm-0 ino=4325382 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir


I have run through the steps to allow it at least 4-5 times, but it keeps coming back.

CODE
grep modprobe /var/log/messages | audit2allow -R


which returns:

CODE
require {
       type httpd_t;
}

#============= httpd_t ==============
files_list_kernel_modules(httpd_t)
files_read_kernel_modules(httpd_t)
modutils_list_module_config(httpd_t)
modutils_read_module_config(httpd_t)
modutils_read_module_deps(httpd_t)


then I create the module:

CODE
grep modprobe /var/log/messages | audit2allow -M modplocal4


Then enable it:

CODE
semodule -i modplocal4.pp


and always within 30-90 minutes, I get the same errors again as if the semodule entries are not taking effect.

So why does it keep blocking it when the allowances have been made in SELinux?
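The AVC records quoted in the post can be triaged mechanically before any policy module is built, which also makes it easier to tell whether a second batch of denials really is "the same errors again" or a new tuple the earlier module never covered. The Python script below is an added example, not code from the post or from the SELinux tooling. It parses AVC denials in the syslog form shown above, counts distinct (source domain, target type, object class, permission) tuples, renders them as the raw allow rules that audit2allow prints when -R is not given, and reports which tuples from a later batch are absent from the set an earlier module was built from. Grouping by source domain also makes the notable fact in these records stand out: every denial comes from httpd_t, so modprobe is being executed from the web server's domain, which is what to account for before widening that domain's policy. The sample log is constructed: its first four records are modelled on the post's lines, and the fifth is an invented record with a different permission and target type (the modules_object_t label on it is an assumption, not something the post shows).

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first four records are modelled on the AVC lines
# quoted in the post (same fields, contexts and classes); the last record is
# added to illustrate a denial that an earlier module would not cover. The
# modules_object_t label on it is an assumption, not taken from the post.
SAMPLE_LOG = """\
Jun 29 11:11:31 kernel: type=1400 audit(1404058291.593:39): avc:  denied  { read } for  pid=5696 comm="modprobe" name="modules.dep" dev=dm-0 ino=5638615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file
Jun 29 11:11:31 kernel: type=1400 audit(1404058291.610:40): avc:  denied  { open } for  pid=5699 comm="modprobe" name="modprobe.d" dev=dm-0 ino=4325382 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
Jun 29 11:11:31 kernel: type=1400 audit(1404058291.611:42): avc:  denied  { read } for  pid=5699 comm="modprobe" name="modules.dep.bin" dev=dm-0 ino=5638616 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file
Jun 29 11:11:31 kernel: type=1400 audit(1404058291.627:44): avc:  denied  { open } for  pid=5702 comm="modprobe" name="modprobe.d" dev=dm-0 ino=4325382 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
Jun 29 11:40:02 kernel: type=1400 audit(1404060002.100:57): avc:  denied  { search } for  pid=6120 comm="modprobe" name="modules" dev=dm-0 ino=1310722 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir
"""

# The braced permission set, then the space-separated key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in rec or "tcontext" not in rec or "tclass" not in rec:
        return None
    rec["perms"] = tuple(m.group("perms").split())
    # A context is user:role:type:level, so index 2 is the type
    # (httpd_t in unconfined_u:system_r:httpd_t:s0).
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials per (source domain, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def to_allow_rules(counts):
    """Render the tuples as raw allow rules, one per (domain, type, class);
    this is the form audit2allow prints when -R is not given."""
    grouped = defaultdict(set)
    for sdomain, ttype, tclass, perm in counts:
        grouped[(sdomain, ttype, tclass)].add(perm)
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(grouped.items())
    ]


def uncovered(counts, allowed):
    """Tuples in counts that are absent from the already-allowed set.
    Run it on a fresh batch of denials against the tuples the loaded module
    was built from to see whether the new denials are really the same ones."""
    return {k: n for k, n in counts.items() if k not in allowed}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    first = summarize("\n".join(lines[:4]))   # what the first module was built from
    later = summarize("\n".join(lines[4:]))   # denials seen after loading it
    for (s, t, c, p), n in sorted(first.items()):
        print(f"{n:3d}  {s} -> {t}:{c} {p}")
    print("\n".join(to_allow_rules(first)))
    for key, n in uncovered(later, set(first)).items():
        print("not covered by the earlier module:", key, n)
```

Run it directly to print the summary for the constructed sample; against a real system, feed `summarize()` the output of the same `grep modprobe /var/log/messages` the post uses, keep the tuple set each module was built from, and call `uncovered()` on the next batch before rebuilding the module.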