[Ossec-list] /etc/init.d/ossec uid is 1000
- Subject: [Ossec-list] /etc/init.d/ossec uid is 1000
- From: oleksander.panchuk at cbn-cis.org (Oleksander Panchuk)
- Date: Fri, 19 May 2006 17:19:53 +0300
Thank you very much Kayvan.
It's happened only one time.
I ran
>/usr/sbin/audit2why < /var/log/audit.log
type=AVC msg=audit(1147955658.066:3615): avc: denied { recvfrom } for
pid=2376 comm="ossec-analysisd" scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings;
check boolean settings.
You can see the necessary allow rules by running audit2allow
with this audit message as input.
And "audit2allow" said:
allow unlabeled_t self:association recvfrom;
Best regards,
Oleksander.
> -----Original Message-----
> From: Kayvan A. Sylvan [mailto:kayvan at sylvan.com]
> Sent: Friday, May 19, 2006 2:06 AM
> To: Oleksander Panchuk; ossec-list at ossec.net
> Subject: Re: [Ossec-list] /etc/init.d/ossec uid is 1000
>
> Hi Oleksander,
>
> Run
>
> /usr/sbin/audit2why < /var/log/audit.log
>
> And tell us what you see.
>
> I am running FC4 with the targeted policy and have no problems.
>
> ---Kayvan
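How the rule printed by audit2allow above follows from the fields of the AVC record, shown as an added example (not part of the original messages and not the audit2allow source). The first sample record is the one from the message, joined onto one line; the two records using example_t are constructed to show how permissions are merged.

```python
import re
from collections import defaultdict

# Record 1: the denial quoted in the message, unwrapped onto a single line.
# Records 2-3: constructed (hypothetical type example_t) to show merging.
SAMPLE = "\n".join([
    'type=AVC msg=audit(1147955658.066:3615): avc: denied { recvfrom } for '
    'pid=2376 comm="ossec-analysisd" scontext=system_u:object_r:unlabeled_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=association',
    'type=AVC msg=audit(1147955700.000:3700): avc: denied { read } for '
    'pid=2400 comm="example" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1147955701.000:3701): avc: denied { getattr } for '
    'pid=2400 comm="example" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
])

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """A context is user:role:type[:level]; the type is the third field."""
    return context.split(":")[2]

def parse_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render one TE allow rule per group, writing 'self' when source == target."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {src} {target}:{tclass} {perm_str};")
    return out

if __name__ == "__main__":
    print("\n".join(to_allow_rules(parse_denials(SAMPLE))))
```

Both contexts in the quoted record carry the type unlabeled_t, which is why the generated rule names unlabeled_t as the source and `self` as the target.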
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.