SELinux

I enabled SELinux on my Kubuntu workstation and almost immediately received notifications from OSSEC. It has been a while since I reviewed the [http://www.centos.org/docs/4/html/rhel-selg-en-4/ RHEL SELinux documentation] that explains these log entries from /var/log/messages. There’s a very real possibility that I did not set SELinux up properly; it is not very well supported by Ubuntu at the moment. I may change this entry after I re-review the SELinux docs.

Anyway, here’s something to chew on FWIW ...


Feb 20 16:57:43 localhost kernel: [17180270.076000] audit(1172015863.889:2): avc:  denied  { append } for  pid=5621 comm="syslogd" name="syslog" dev=sda6 ino=2101168 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
Feb 20 16:57:43 localhost kernel: [17180270.076000] audit(1172015863.889:3): avc:  denied  { write } for  pid=5621 comm="syslogd" name="psadfifo" dev=sda6 ino=1466559 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
Feb 20 16:57:43 localhost kernel: [17180270.076000] audit(1172015863.889:4): avc:  denied  { read } for  pid=6140 comm="kmsgsd" name="psadfifo" dev=sda6 ino=1466559 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
Feb 20 16:57:43 localhost kernel: [17180270.100000] audit(1172015863.913:5): avc:  denied  { write } for  pid=5653 comm="dd" name="kmsg" dev=tmpfs ino=13022 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
Feb 20 16:57:43 localhost kernel: [17180270.100000] audit(1172015863.913:6): avc:  denied  { read } for  pid=5655 comm="klogd" name="kmsg" dev=tmpfs ino=13022 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
Feb 20 16:57:43 localhost kernel: [17180270.128000] inode_doinit_with_dentry:  no dentry for dev=sda7 ino=492342
Feb 20 16:57:44 localhost kernel: [17180270.404000] audit(1172015864.217:7): avc:  denied  { read } for  pid=5653 comm="dd" name="kmsg" dev=proc ino=-268435446 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
Feb 20 16:57:44 localhost kernel: [17180270.424000] audit(1172015864.237:9): avc:  denied  { write } for  pid=5653 comm="dd" name="kmsg" dev=tmpfs ino=13022 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
Feb 20 16:57:44 localhost kernel: [17180270.424000] audit(1172015864.237:10): avc:  denied  { read } for  pid=5653 comm="dd" name="kmsg" dev=proc ino=-268435446 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
Feb 20 16:57:44 localhost kernel: [17180270.424000] audit(1172015864.237:11): avc:  denied  { syslog_mod } for  pid=5653 comm="dd" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=system
Feb 20 16:57:44 localhost kernel: [17180270.424000] audit(1172015864.237:12): avc:  denied  { append } for  pid=5621 comm="syslogd" name="syslog" dev=sda6 ino=2101168 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
Feb 20 16:57:44 localhost kernel: [17180270.424000] audit(1172015864.237:13): avc:  denied  { write } for  pid=5621 comm="syslogd" name="psadfifo" dev=sda6 ino=1466559 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
Feb 20 16:57:44 localhost kernel: [17180270.424000] audit(1172015864.237:14): avc:  denied  { read } for  pid=5655 comm="klogd" name="kmsg" dev=tmpfs ino=13022 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
Feb 20 16:57:44 localhost kernel: [17180270.424000] audit(1172015864.237:15): avc:  denied  { read } for  pid=6140 comm="kmsgsd" name="psadfifo" dev=sda6 ino=1466559 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
Feb 20 16:57:44 localhost kernel: [17180270.428000] audit(1172015864.241:16): avc:  denied  { read } for  pid=12161 comm="make" name="touch" dev=sda7 ino=2065483 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=lnk_file
Feb 20 16:57:44 localhost kernel: [17180270.428000] audit(1172015864.241:17): avc:  denied  { create } for  pid=12161 comm="touch" name="load" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
Feb 20 16:57:44 localhost kernel: [17180270.432000] audit(1172015864.245:18): avc:  denied  { write } for  pid=12161 comm="touch" name="load" dev=sda7 ino=2773152 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
Feb 20 16:57:44 localhost kernel: [17180270.536000] audit(1172015864.349:19): avc:  denied  { search } for  pid=5929 comm="hald-addon-stor" name="/" dev=tmpfs ino=1286 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Feb 20 16:57:44 localhost kernel: [17180270.536000] audit(1172015864.349:20): avc:  denied  { read } for  pid=5929 comm="hald-addon-stor" name="hdd" dev=tmpfs ino=5926 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file
Feb 20 16:57:44 localhost kernel: [17180270.540000] audit(1172015864.353:21): avc:  denied  { ioctl } for  pid=5929 comm="hald-addon-stor" name="hdd" dev=tmpfs ino=5926 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file
Feb 20 16:57:44 localhost kernel: [17180270.600000] audit(1172015864.413:22): avc:  denied  { write } for  pid=12162 comm="make" name="2" dev=devpts ino=4 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:devpts_t tclass=chr_file
Feb 20 16:57:44 localhost kernel: [17180270.600000] audit(1172015864.413:23): avc:  denied  { read } for  pid=7441 comm="screen" name="ptmx" dev=tmpfs ino=2332 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:tmpfs_t tclass=chr_file
Feb 20 16:57:44 localhost kernel: [17180270.600000] audit(1172015864.413:24): avc:  denied  { write } for  pid=7439 comm="konsole" name="konsoleWhxySb.tmp" dev=sda7 ino=2704183 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
Feb 20 16:57:44 localhost kernel: [17180270.984000] audit(1172015864.797:25): avc:  denied  { rename } for  pid=11026 comm="dpkg" name="tmp.i" dev=sda6 ino=1434551 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
Feb 20 16:57:45 localhost kernel: [17180271.728000] audit(1172015865.541:26): avc:  denied  { unlink } for  pid=11026 comm="dpkg" name="status-old" dev=sda6 ino=1435199 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
Feb 20 16:57:45 localhost kernel: [17180271.728000] audit(1172015865.541:27): avc:  denied  { link } for  pid=11026 comm="dpkg" name="status" dev=sda6 ino=1436723 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
Feb 20 16:57:45 localhost kernel: [17180272.040000] audit(1172015865.853:28): avc:  denied  { getattr } for  pid=10911 comm="dselect" name="2" dev=devpts ino=4 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:devpts_t tclass=chr_file
Feb 20 16:57:45 localhost kernel: [17180272.040000] audit(1172015865.853:29): avc:  denied  { read } for  pid=10911 comm="dselect" name="2" dev=devpts ino=4 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:devpts_t tclass=chr_file
Feb 20 16:57:46 localhost kernel: [17180272.808000] audit(1172015866.621:30): avc:  denied  { read } for  pid=6031 comm="ossec-syscheckd" name="syschecklocal.db-11720152306028.tmp" dev=sda7 ino=2261816 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
Feb 20 16:57:46 localhost kernel: [17180272.948000] audit(1172015866.761:31): avc:  denied  { write } for  pid=7439 comm="konsole" name="ptmx" dev=tmpfs ino=2332 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:tmpfs_t tclass=chr_file
Feb 20 16:57:46 localhost kernel: [17180272.948000] audit(1172015866.761:32): avc:  denied  { ioctl } for  pid=10911 comm="dselect" name="2" dev=devpts ino=4 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:devpts_t tclass=chr_file
Feb 20 16:57:47 localhost kernel: [17180273.536000] audit(1172015867.349:33): avc:  denied  { search } for  pid=12167 comm="install" name="/" dev=devpts ino=1 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:devpts_t tclass=dir
Feb 20 16:57:47 localhost kernel: [17180273.560000] audit(1172015867.373:34): avc:  denied  { setattr } for  pid=12169 comm="apt-get" name="pkgcache.bin" dev=sda6 ino=895850 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
Feb 20 16:57:48 localhost kernel: [17180274.768000] audit(1172015868.581:35): avc:  denied  { read } for  pid=6142 comm="psadwatchd" name="psad.pid" dev=tmpfs ino=15493 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:tmpfs_t tclass=file
Feb 20 16:57:48 localhost kernel: [17180274.768000] audit(1172015868.581:36): avc:  denied  { getattr } for  pid=6142 comm="psadwatchd" name="psad.pid" dev=tmpfs ino=15493 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:tmpfs_t tclass=file
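A small parser for records in this format, added here as an illustration and not code from the original post or from any SELinux tool. It pulls the fields out of each `avc: denied` line, drops repeats by audit serial (serials are unique within a boot, so the same timestamp and serial seen twice is one event logged twice), tallies denials by process, object class, permission and target type, and flags the pattern that stands out in the log above: every subject context is `kernel_t` and the targets are mostly `file_t` or `unlabeled_t`. A process still in `kernel_t` never went through a domain transition, which means the policy did not take effect at boot; `file_t` and `unlabeled_t` are the types an inode carries when it has never been labelled, which means the filesystem has not been relabelled. The function and constant names (`parse_avc`, `dedupe`, `summarise`, `diagnose_labeling`, `SAMPLE_LOG`) are mine; the sample input is a handful of the lines above with the first one repeated on purpose.

```python
# Added example (not from the original post): parse the AVC denial records
# shown above and summarise them.  SAMPLE_LOG is copied from the log above,
# with the first line repeated on purpose to exercise dedupe().
import re
from collections import Counter
from dataclasses import dataclass

# Kernel audit line: "audit(<secs>.<ms>:<serial>): avc:  denied  { perm ... } for  k=v k=v ..."
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object types that mean "this inode never got a label": file_t is the
# reference-policy type for unlabelled files on a labelled filesystem,
# unlabeled_t is the initial-SID default for anything without a valid label.
UNLABELLED_TYPES = {"file_t", "unlabeled_t"}


@dataclass
class Avc:
    ts: float
    serial: int
    result: str
    perms: tuple
    fields: dict  # pid, comm, name, dev, ino, scontext, tcontext, tclass


def parse_avc(line):
    """Return an Avc for an AVC record, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(float(m.group("ts")), int(m.group("serial")), m.group("result"),
               tuple(m.group("perms").split()), fields)


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def dedupe(records):
    """Audit serials are unique within a boot, so one (ts, serial) seen
    twice is the same event logged twice (syslog repeats, forwarded copies)."""
    seen, out = set(), []
    for r in records:
        if (r.ts, r.serial) not in seen:
            seen.add((r.ts, r.serial))
            out.append(r)
    return out


def type_of(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarise(records):
    """Denial count per (comm, tclass, permission, target type)."""
    c = Counter()
    for r in records:
        if r.result != "denied":
            continue
        for p in r.perms:
            c[(r.fields.get("comm"), r.fields.get("tclass"), p,
               type_of(r.fields["tcontext"]))] += 1
    return c


def diagnose_labeling(records):
    """Flag the 'policy never took effect' signature seen in the log above."""
    denied = [r for r in records if r.result == "denied"]
    findings = []
    if not denied:
        return findings
    subjects = {type_of(r.fields["scontext"]) for r in denied}
    if subjects == {"kernel_t"}:
        findings.append("every denied subject runs as kernel_t: no process ever "
                        "transitioned out of the kernel domain (policy not loaded "
                        "before init, or init not labelled for a transition)")
    unlab = sum(type_of(r.fields["tcontext"]) in UNLABELLED_TYPES for r in denied)
    if unlab:
        findings.append(f"{unlab}/{len(denied)} denials target file_t/unlabeled_t "
                        "objects: the filesystem has not been relabelled")
    return findings


# Sample input: lines from the log above, first line repeated deliberately.
SAMPLE_LOG = """\
Feb 20 16:57:43 localhost kernel: [17180270.076000] audit(1172015863.889:2): avc:  denied  { append } for  pid=5621 comm="syslogd" name="syslog" dev=sda6 ino=2101168 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
Feb 20 16:57:43 localhost kernel: [17180270.076000] audit(1172015863.889:3): avc:  denied  { write } for  pid=5621 comm="syslogd" name="psadfifo" dev=sda6 ino=1466559 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
Feb 20 16:57:43 localhost kernel: [17180270.128000] inode_doinit_with_dentry:  no dentry for dev=sda7 ino=492342
Feb 20 16:57:44 localhost kernel: [17180270.424000] audit(1172015864.237:11): avc:  denied  { syslog_mod } for  pid=5653 comm="dd" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=system
Feb 20 16:57:44 localhost kernel: [17180270.600000] audit(1172015864.413:24): avc:  denied  { write } for  pid=7439 comm="konsole" name="konsoleWhxySb.tmp" dev=sda7 ino=2704183 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
Feb 20 16:57:43 localhost kernel: [17180270.076000] audit(1172015863.889:2): avc:  denied  { append } for  pid=5621 comm="syslogd" name="syslog" dev=sda6 ino=2101168 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
"""

if __name__ == "__main__":
    recs = dedupe(parse_log(SAMPLE_LOG))
    for key, n in sorted(summarise(recs).items(), key=lambda kv: -kv[1]):
        print(n, *key)
    for finding in diagnose_labeling(recs):
        print("!!", finding)
```

Run against the full /var/log/messages it gives the same answer for every line above: the fix is not a pile of `allow kernel_t ...` rules, but getting the policy loaded at boot and relabelling the filesystem, after which the denials should come from real domains such as `syslogd_t` against real types, and only those are worth tuning.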