Re: Permission denied during rpm installation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, 2006-07-28 at 22:52 +0800, Deepak Shrestha wrote:
> looking for "avc:", I found lots of entries with "denied" in /var/log/messages
> 
> the entry is rather long so posting only the fragment (hope this will
> still make the point). Its is something like this
> ==============
> Jul 24 23:39:53 webcomp kernel: audit(1153755580.824:2): avc:  denied
> { getattr } for  pid=1153 comm="mount" name="kcore" dev=proc
> ino=-268435435 scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
> Jul 24 23:39:54 webcomp kernel: audit(1153755580.856:3): avc:  denied
> { getattr } for  pid=1153 comm="mount" name="kcore" dev=proc
> ino=-268435435 scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
> Jul 25 11:45:16 webcomp kernel: audit(1153799116.610:8): avc:  denied
> { use } for  pid=2467 comm="bluez-pin" name="[7581]" dev=pipefs
> ino=7581 scontext=user_u:system_r:bluetooth_helper_t:s0
> tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> Jul 25 11:45:16 webcomp kernel: audit(1153799116.610:9): avc:  denied
> { use } for  pid=2467 comm="bluez-pin" name="[7581]" dev=pipefs
> ino=7581 scontext=user_u:system_r:bluetooth_helper_t:s0
> tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> Jul 25 14:00:21 webcomp kernel: audit(1153807221.327:4): avc:  denied
> { use } for  pid=2291 comm="bluez-pin" name="[7243]" dev=pipefs
> ino=7243 scontext=user_u:system_r:bluetooth_helper_t:s0
> ......
> ......
> ......
> ......
> ..... and so on
> ==============
> 
> What does this mean??? and most importantly why? and what is the solution?

Those particular messages don't look related to your rpm installation
problems; look for avc messages with rpm_t or rpm_script_t in the
scontext or tcontext fields.

If you can narrow down what permission denials are relevant, you can
generate a local policy module that allows them as a temporary
workaround for your own use and file a bugzilla to get them added to the
base policy in a future update.

audit2allow can be used to generate policy from audit messages, but you
want to carefully review the result.  See 
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
and the audit2allow man page.

-- 
Stephen Smalley
National Security Agency

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux