On Monday 13 August 2007 07:24:23 Daniel J Walsh wrote: > I will put it in fedora-testing today along with fixes for your problem. Thanks. I just installed it but afterwards, I still see these when I run "sudo ldconfig" with setenforce 0: type=AVC msg=audit(1187043238.692:2616): avc: denied { dac_override } for pid=15479 comm="ldconfig" capability=1 scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:ldconfig_t:s0 tclass=capability type=SYSCALL msg=audit(1187043238.692:2616): arch=40000003 syscall=195 success=yes exit=0 a0=89c1c08 a1=bf8b83e0 a2=89bf801 a3=89bf801 items=0 ppid=15457 pid=15479 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null) type=AVC msg=audit(1187043239.334:2617): avc: denied { search } for pid=15479 comm="ldconfig" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1187043239.334:2617): arch=40000003 syscall=195 success=yes exit=0 a0=bf8b7460 a1=bf8b84bc a2=a000 a3=89c0a88 items=0 ppid=15457 pid=15479 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null) > You can always modify selinux policy by executing > > grep ldconfig /var/log/audit/audit.log | audit2allow -M myldconfig > semodule -i myldconfig.pp Yes, it produces: module myldconfig 1.0; require { type home_root_t; type ldconfig_t; class capability dac_override; class dir search; } #============= ldconfig_t ============== allow ldconfig_t home_root_t:dir search; allow ldconfig_t self:capability dac_override; I can't help but think that the AVCs are due to something I did instead of ldconfig or its shipped policy. Any thoughts? -- Garry T. Williams --- +1 678 656-4579 -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list