-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alberto Ferrante wrote: > A thing I just tried: if I run "setfiles -n" it gives me the wrong > labels for the files: > setfiles -nd /etc/selinux/targeted/contexts/files/file_contexts > '/var/lib/xenstored' > setfiles: /var/lib/xenstored matched by > unconfined_u:object_r:unconfined_home_dir_t:s0 > setfiles: /var/lib/xenstored/tdb matched by > unconfined_u:object_r:unconfined_home_t:s0 > filespec_eval: hash table stats: 2 elements, 2/65536 buckets used, > longest chain length 1 > > In /etc/selinux/targeted/contexts/files/file_contexts I have the > following two entries for that directory: > /var/lib/xenstored(/.*)? system_u:object_r:xenstored_var_lib_t:s0 > /var/run/xenstored(/.*)? system_u:object_r:xenstored_var_run_t:s0 > > It sounds like it's not matching the entries in the file... > > Here is the AVC message related to xenstored, but I have many others! > > type=AVC msg=audit(1204647044.542:940): avc: denied { unlink } for > pid=2322 comm="xenstored" name="tdb" dev=sda8 ino=704271 > scontext=system_u:system_r:xenstored_t:s0 > tcontext=system_u:object_r:unconfined_home_dir_t:s0 tclass=file > type=SYSCALL msg=audit(1204647044.542:940): arch=c000003e syscall=82 > success=yes exit=0 a0=815480 a1=613780 a2=613796 a3=40da82 items=0 > ppid=1 pid=2322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > sgid=0 fsgid=0 tty=(none) comm="xenstored" exe="/usr/sbin/xenstored" > subj=system_u:system_r:xenstored_t:s0 key=(null) > > Thanks for your help. > > Best regards, > Alberto Ferrante > > |> > during the last days I have been experiencing some strange problems > on a > |> > pre-production server (planned to become a production one this > week...). > |> > I am running xen with two virtual hosts. The problem is in the real > host > |> > where something with selinux seems to have gone bad. I started having > |> > selinux blocking different file accesses from different services. I > |> > tried a full relabeling (the problems started after the last targeted > |> > policy update made by yum) but it did not work. It seems like > restorecon > |> > always assigns the unconfined_u:object_r:unconfined_home_t label to > all > |> > the files. I am using the targeted policy. Please give advices on > how to > |> > solve this problem. > |> > > | Please attach the AVC messages from the audit.log. What directory is > | labeled unconfined_home_t? > Do you have an entry in /etc/passwd with a homedir containing /var/lib? Does it have a UID > 500 and a login shell other than /bin/false or /sbin/nologin? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkfNeR0ACgkQrlYvE4MpobPjfQCgwnih+F+ByOTQ4jKDoIUx3PLy u2MAn2Kr6iNgJHdXZVZVobM9aXZv9752 =UvkA -----END PGP SIGNATURE----- -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list