Re: Can't boot FC4;avc denied error message

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2006-08-04 at 23:18 +0200, David Desscan wrote:
> On 8/4/06, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On Fri, 2006-08-04 at 16:29 +0200, David Desscan wrote:
> > > On 8/4/06, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > > On Fri, 2006-08-04 at 04:25 +0200, David Desscan wrote:
> > >
> > > > uname -r
> > > > rpm -q selinux-policy-targeted
> > > >
> > > My kernel version is 2.6.17-1.2142_FC4
> > > SElinux policy targeted version is 1.27.1-2.28
> >
> > Ok, nothing interesting there (same kernel and policy works fine here
> > for me).
> >
> > /etc/rc.d/rc.sysinit runs restorecon -R /dev to fix up the dev labels
> > created before initial policy load, then udev handles labeling of all
> > subsequent nodes.  Can you verify that your rc.sysinit script contains
> > the restorecon -R /dev command?  If you run that sequence by hand (but
> > don't redirect stderr to /dev/null), does it work?
> >
> > --
> > Stephen Smalley
> > National Security Agency
> >
> I am getting another avc denied message when I add a user with
> useradd/adduser command.
> 
> audit(1154719461.914:11): avc : denied {create} for pid=2394
> comm="useradd" name=".bashrc" scontext=root:system_r:kernel_t
> tcontext=user_u:object_r:user_home_t tclass=file
> 
> audit(1154719461.930:12): avc : denied {create} for pid=2394
> comm="useradd" name="passwd+" scontext=root:system_r:kernel_t
> tcontext=system_u:object_r:etc_t tclass=file
> 
> useradd : cannot rewrite password file.
> 
> I have checked /etc for .lock files.  Each time I delete them, they
> are recreated after the useradd command and the I get same error
> message.
> 
> I did a fixfiles relabel and rebooted my system but still get same
> error message.  I have also noted that some files have not been
> relabeled (avc denied relabel from;comm=setfiles)
> 
> when I log on as root I also noticed an avc denied message with login
> 
> audit(1154723141.305.3): avc : denied {relabel} for pid=2044
> comm="login" name="tty1"  dev=tmpfs ino=727
> scontext=system_u:system_r:kernel_t
> tcontext=root:object_r:tty_device_t tclass=chr_file

This looks like a similar problem to that reported by Axel Thimm on
fedora-selinux-list last week, namely regular user processes running in
kernel_t.

> I rebooted my system with enforcing=0. I log in as root.  It did not
> flag the error message I used to get when logging as root(it logged it
> however). I checked with sestatus that SElinux is in permissive mode.
> I created a user with useradd.  It displayed the above avc denied
> message (when adding new user) but created the user.  I added password
> and su to newuser.  I got an avc denied with su for relabel as with
> login above and noted dev=tmpfs.
> 
> Something strange.  Subsequent adding of users does not flag the avc
> denied for .bashrc and passwd.
> 
> I rebooted my system after that.  I get the usual avc denied login
> relabel message and cannot create users.  useradd:cannot rewrite
> password file.  SElinux mode=enforcing.
> 
> Thanks for your help.

Try doing another relabel, but make sure you have configured SELinux for
permissive mode first. Once the relabel is done, then try switching back
to enforcing mode:

* put SELINUX=permissive in /etc/sysconfig/selinux
* touch /.autorelabel
* reboot
* do a "ps uaxZ"; the only kernel_t processes should be the kernel
threads, with process names in square brackets, plus "/bin/nash /init"

Paul.


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux