Re: Can't boot FC4;avc denied error message

"Tod Merley" <todbot88@xxxxxxxxx> · Wed, 2 Aug 2006 12:02:37 -0700

On 8/2/06, David Desscan <ddesscan@xxxxxxxxx> wrote:
I can't boot one of my FC4 system.  I am getting the following error message and init can't start.

audit(1154201702.315.303): avc :denied {search} for pid=748 comm="mingetty" name="/" dev tmpfs ino 504 scontext=system_u : system_r : getty_t tcontext=system_u: object_r : tmpfs_ tclass=dir

INIT : Id 1 respawning too fast : disabled for 5 mins
INIT : Id 3 respawning too fast : disabled for 5 mins
INIT : Id 4 respawning too fast : disabled for 5 mins
INIT : Id 6 respawning too fast : disabled for 5 mins
INIT : Id 2 respawning too fast : disabled for 5 mins
INIT : Id 5 respawning too fast : disabled for 5 mins

INIT : no more processes left in this runlevel.

I have commented the lines in inittab for mingetty and the error message changes to:

INIT: cannot execute /etc/rc.d/rc.sysinit
Entering runlevel 3
cannot execute /etc/rc.d/rc
INIT: no more processes left in this runlevel

the audit message id is incremented as well as the pid. ino 504, 505 but same mingetty error message.  I have already checked file attributes for rc and rc.sysinit.  It has not changed and is rwxr-xr-x.  The INIT Id changes as well.

Thanks for all help or reference to web sites for solutions.

David

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: 
https://www.redhat.com/mailman/listinfo/fedora-list

Hi David!

Learning with you, not an expert!

I did find that AVC appears to be strongly associated, if not SElinux:

http://www.die.net/doc/linux/man/man3/avc_cache_stats.3.html

And is mentioned in at least one SElinux FAQ:

 From : http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2826243

Q:    
My application isn't working as expected and I am seeing avc: denied messages, how do I fix this?

A:    
This message means that the current SELinux policy is not allowing the application to do something. There are a number of reasons this could happen.

First, one of the files the application is trying to access could be mislabeled. If the AVC message refers to a specific file, inspect its current label with ls -alZ /path/to/file. If it seems wrong, you could try using restorecon -v /path/to/file. If you have a large number of denials related to files, you may want to use fixfiles relabel, or run restorecon with the -R option to recursively relabel a directory path.

Other times, denials may be due to a configuration change in the program not being allowed by the policy. For example, if you change Apache to also listen on port 8800, this will require a change in the security policy, 
apache.te. See External Link List for more information about writing policy.

If you are having trouble getting a specific application like Apache to work, see How to use system-config-securitylevel for how to disable enforcement just for that application. 

AVC may have to do with other things I am still googleing.

If I were you I would be looking at my policy file and turning off SElinux to see what is going on.

I hope this helps!

Good Hunting!

Tod

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list