On Fri, 2006-08-04 at 23:18 +0200, David Desscan wrote:
> On 8/4/06, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On Fri, 2006-08-04 at 16:29 +0200, David Desscan wrote:
> > > On 8/4/06, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > > On Fri, 2006-08-04 at 04:25 +0200, David Desscan wrote:
> > > >
> > > > uname -r
> > > > rpm -q selinux-policy-targeted
> > >
> > > My kernel version is 2.6.17-1.2142_FC4
> > > SElinux policy targeted version is 1.27.1-2.28
> >
> > Ok, nothing interesting there (same kernel and policy works fine here
> > for me).
> >
> > /etc/rc.d/rc.sysinit runs restorecon -R /dev to fix up the dev labels
> > created before initial policy load, then udev handles labeling of all
> > subsequent nodes. Can you verify that your rc.sysinit script contains
> > the restorecon -R /dev command? If you run that sequence by hand (but
> > don't redirect stderr to /dev/null), does it work?
> >
> > --
> > Stephen Smalley
> > National Security Agency
>
> I am getting another avc denied message when I add a user with the
> useradd/adduser command.
>
> audit(1154719461.914:11): avc : denied {create} for pid=2394
> comm="useradd" name=".bashrc" scontext=root:system_r:kernel_t
> tcontext=user_u:object_r:user_home_t tclass=file
>
> audit(1154719461.930:12): avc : denied {create} for pid=2394
> comm="useradd" name="passwd+" scontext=root:system_r:kernel_t
> tcontext=system_u:object_r:etc_t tclass=file
>
> useradd : cannot rewrite password file.
>
> I have checked /etc for .lock files. Each time I delete them, they
> are recreated after the useradd command and then I get the same error
> message.
>
> I did a fixfiles relabel and rebooted my system but still get the same
> error message. I have also noted that some files have not been
> relabeled (avc denied relabel from; comm=setfiles).
>
> When I log on as root I also noticed an avc denied message with login:
>
> audit(1154723141.305.3): avc : denied {relabel} for pid=2044
> comm="login" name="tty1" dev=tmpfs ino=727
> scontext=system_u:system_r:kernel_t
> tcontext=root:object_r:tty_device_t tclass=chr_file

This looks like a similar problem to that reported by Axel Thimm on
fedora-selinux-list last week, namely regular user processes running in
kernel_t.

> I rebooted my system with enforcing=0. I log in as root. It did not
> flag the error message I used to get when logging in as root (it logged
> it however). I checked with sestatus that SElinux is in permissive mode.
> I created a user with useradd. It displayed the above avc denied
> message (when adding a new user) but created the user. I added a
> password and su to newuser. I got an avc denied with su for relabel as
> with login above and noted dev=tmpfs.
>
> Something strange. Subsequent adding of users does not flag the avc
> denied for .bashrc and passwd.
>
> I rebooted my system after that. I get the usual avc denied login
> relabel message and cannot create users. useradd: cannot rewrite
> password file. SElinux mode=enforcing.
>
> Thanks for your help.

Try doing another relabel, but make sure you have configured SELinux for
permissive mode first. Once the relabel is done, then try switching back
to enforcing mode:

* put SELINUX=permissive in /etc/sysconfig/selinux
* touch /.autorelabel
* reboot
* do a "ps uaxZ"; the only kernel_t processes should be the kernel threads,
  with process names in square brackets, plus "/bin/nash /init"

Paul.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
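As an added example (not code from the thread), a small POSIX shell check for the last step of Paul's procedure: it reads "ps uaxZ" output and reports any kernel_t process that is neither a bracketed kernel thread nor "/bin/nash /init", which is how the wrongly-domained useradd/login processes in this thread would show up. The function name and the sample ps lines are constructed for this example (the useradd line mirrors the avc message quoted above).

```shell
#!/bin/sh
# Added example: verify that after the relabel only kernel threads and
# /bin/nash /init remain in the kernel_t domain. Function name and sample
# data are constructed for this example, not taken from the thread.

# Reads "ps uaxZ" output on stdin. Prints one line per unexpected kernel_t
# process and returns 1 if any were found, 0 if the system looks clean.
# Column layout of ps uaxZ:
#   LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
# so the context is field 1, the PID field 3, the command fields 12..NF.
check_kernel_t() {
    awk '
        $1 ~ /(^|:)kernel_t(:|$)/ {
            cmd = $12
            for (i = 13; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ /^\[.*\]$/) next            # kernel thread, expected
            if (cmd == "/bin/nash /init") next    # initrd init, expected
            print "unexpected kernel_t process: pid=" $3 " cmd=" cmd
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample in ps uaxZ format; pid 2394 is the thread's useradd
# running in root:system_r:kernel_t, which the check should flag.
SAMPLE_PS='LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:kernel_t root 1 0.0 0.1 2032 620 ? Ss 10:01 0:00 /bin/nash /init
system_u:system_r:kernel_t root 2 0.0 0.0 0 0 ? S 10:01 0:00 [migration/0]
system_u:system_r:init_t root 3 0.0 0.1 2000 600 ? Ss 10:01 0:00 init [5]
root:system_r:kernel_t root 2394 0.0 0.2 4500 1100 pts/0 S+ 10:05 0:00 useradd newuser
root:system_r:unconfined_t root 2400 0.0 0.3 5000 1500 pts/0 R+ 10:05 0:00 ps uaxZ'

# Run against the sample; on a live system use: ps uaxZ | check_kernel_t
printf '%s\n' "$SAMPLE_PS" | check_kernel_t || echo "kernel_t problem still present"
```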