With SELinux disabled, there are AVC denied records in the /var/log/messages

hop321 · 09-28-2011, 11:50 AM

This is a record from /var/log/messages

Sep 28 11:22:55 app-srv kernel: type=1400 audit(1316673006.058:21): avc: denied { execmod } for pid=23856 comm="dosmth" path="/home/user/path/some.so.1.0" dev=cciss/c0d0p3 ino=98557 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u

bject_r:user_home_t:s0 tclass=file

I checked sestatus and this is what it returns
[root@app-srv ~]# sestatus
SELinux status: disabled

I guess there is something that I'm missing. Any clues? Is it possible that some process temporarily starts selinux and then stops it? Unfortunately auditd was stopped and I have no log to check. Any ideas?

T3RM1NVT0R · 09-28-2011, 02:00 PM

Hi there,

Welcome to LQ!!!

Sometime disabling selinux create such issues. I would first give a try by enabling selinux in permissive mode and see if that makes any difference.

hop321 · 09-29-2011, 12:09 AM

Thanks for your reply.

SElinux was disabled 2-3 years ago. In the /var/log/messages log I can see records from a period of one month, mostly September with "avc: denied { execmod }". Could it be an issue that the machine was restarted a couple of months ago?

This is a production server and I want to be sure before I enable SElinux.

T3RM1NVT0R · 09-29-2011, 01:39 AM

Alright. Are you aware of any changes that were made a month ago? Like kernel upgrade or any other thing. You can look into /var/log/dmesg to see with which settings server rebooted/came up a month ago.

What exactly this application is used for? Any other relevant logs if you can paste will be helpful.