On 8/4/06, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Fri, 2006-08-04 at 16:29 +0200, David Desscan wrote: > On 8/4/06, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > On Fri, 2006-08-04 at 04:25 +0200, David Desscan wrote: > > > uname -r > > rpm -q selinux-policy-targeted > > > My kernel version is 2.6.17-1.2142_FC4 > SElinux policy targeted version is 1.27.1-2.28 Ok, nothing interesting there (same kernel and policy works fine here for me). /etc/rc.d/rc.sysinit runs restorecon -R /dev to fix up the dev labels created before initial policy load, then udev handles labeling of all subsequent nodes. Can you verify that your rc.sysinit script contains the restorecon -R /dev command? If you run that sequence by hand (but don't redirect stderr to /dev/null), does it work? -- Stephen Smalley National Security Agency
I am getting another avc denied message when I add a user with useradd/adduser command. audit(1154719461.914:11): avc : denied {create} for pid=2394 comm="useradd" name=".bashrc" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=file audit(1154719461.930:12): avc : denied {create} for pid=2394 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file useradd : cannot rewrite password file. I have checked /etc for .lock files. Each time I delete them, they are recreated after the useradd command and the I get same error message. I did a fixfiles relabel and rebooted my system but still get same error message. I have also noted that some files have not been relabeled (avc denied relabel from;comm=setfiles) when I log on as root I also noticed an avc denied message with login audit(1154723141.305.3): avc : denied {relabel} for pid=2044 comm="login" name="tty1" dev=tmpfs ino=727 scontext=system_u:system_r:kernel_t tcontext=root:object_r:tty_device_t tclass=chr_file I rebooted my system with enforcing=0. I log in as root. It did not flag the error message I used to get when logging as root(it logged it however). I checked with sestatus that SElinux is in permissive mode. I created a user with useradd. It displayed the above avc denied message (when adding new user) but created the user. I added password and su to newuser. I got an avc denied with su for relabel as with login above and noted dev=tmpfs. Something strange. Subsequent adding of users does not flag the avc denied for .bashrc and passwd. I rebooted my system after that. I get the usual avc denied login relabel message and cannot create users. useradd:cannot rewrite password file. SElinux mode=enforcing. Thanks for your help. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list