Hi.
From 11.06 the journal is logging a lot of denied access to /proc for unix_chkpwd by SELinux. They are so frequent that I see them in htop. :) Right now I have 2122 logged denials.
Is it OK for unix_chkpwd to poke in /proc? It has to know who is logged in, so probably yes, but I'm not sure.
cheers
Once upon a time, Łukasz Posadowski mail@lukaszposadowski.pl said:
> From 11.06 the journal is logging a lot of denied access to /proc for unix_chkpwd by SELinux. They are so frequent that I see them in htop. :) Right now I have 2122 logged denials.
> Is it OK for unix_chkpwd to poke in /proc? It has to know who is logged in, so probably yes, but I'm not sure.
I haven't dug into it, but I'm thinking there was some policy or library change that isn't quite right... sssd_be also has the same denial on startup (so every boot).
Once upon a time, Chris Adams linux@cmadams.net said:
> Once upon a time, Łukasz Posadowski mail@lukaszposadowski.pl said:
> > From 11.06 the journal is logging a lot of denied access to /proc for unix_chkpwd by SELinux. They are so frequent that I see them in htop. :) Right now I have 2122 logged denials.
> > Is it OK for unix_chkpwd to poke in /proc? It has to know who is logged in, so probably yes, but I'm not sure.
> I haven't dug into it, but I'm thinking there was some policy or library change that isn't quite right... sssd_be also has the same denial on startup (so every boot).
Went ahead and poked at it - the issue is the new version of libcap-ng. Opened https://bugzilla.redhat.com/show_bug.cgi?id=1971688