Re: selinux & httpd & portmap




Ian Blackwell wrote:
> Craig White wrote:
>> Suggest that you make sure you are fully updated, then
>> 'touch /.autorelabel' then reboot (reboot at a time you choose because
>> it may take a long time to relabel every file on your system -
>> especially if you have a lot of files).
>>
>> Craig
>
> What Craig implies is that your system won't be available for quite a long time (relatively), while the relabel takes place. The boot time with an autorelabel is very long, and you won't have access to the server until the relabel is completed. So choose your time for the reboot with that knowledge.
>
> Ian




No problems there - I'm getting my selinux feet wet on a test box. Not quite ready to risk torching a production machine.



The relabel did take some time after a reboot - portmap & httpd started ok. While postgrey, clamd, postfix and amavisd all started, none could access the libs & dirs they needed to process emails.

So I disabled selinux, rebooted, made sure everything worked alright - which it did. Then enabled permissive mode & rebooted & it relabeled itself this time.

After running some things, send/receive email, it still wants to deny:


type=AVC msg=audit(1216990772.410:72): avc: denied { read } for pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1216990777.968:73): avc: denied { read } for pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=AVC msg=audit(1216990777.969:74): avc: denied { getattr } for pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=AVC msg=audit(1216991822.928:113): avc: denied { signal } for pid=2762 comm="postfix-script" scontext=root:system_r:postfix_master_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process

type=AVC msg=audit(1216992166.348:121): avc: denied { create } for pid=2116 comm="amavisd" name="p002.exe" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file

type=AVC msg=audit(1216992166.372:123): avc: denied { unlink } for pid=2116 comm="amavisd" name="p002.exe" dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file

type=AVC msg=audit(1216992166.403:124): avc: denied { getattr } for pid=2970 comm="arj" path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj" dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file



So - is it normal to have to update policies on basic services? Am I missing an rpm?




--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240 ext203

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
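
An added example, not part of the original message and not audit2allow's own code: a small Python parser that groups AVC denials like the ones quoted above by source type, target type and class, and renders them as allow-style rules for review. The function names are hypothetical; the four sample records are copied from the message.

```python
import re
from collections import defaultdict

# Four AVC records copied from the message above.
SAMPLE = """\
type=AVC msg=audit(1216990772.410:72): avc: denied { read } for pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1216990777.968:73): avc: denied { read } for pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1216990777.969:74): avc: denied { getattr } for pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1216991822.928:113): avc: denied { signal } for pid=2762 comm="postfix-script" scontext=root:system_r:postfix_master_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not a usable AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    pairs = FIELD_RE.findall(m.group("rest"))
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):  # a repeated key means a damaged or merged record
        return None
    f = {k: v.strip('"') for k, v in pairs}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    # A context is user:role:type:level, so the type is the third field.
    return {"perms": m.group("perms").split(), "object": f.get("path") or f.get("name"),
            "source": f["scontext"].split(":")[2], "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"]}

def summarize(lines):
    """Group denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        rules[key]["perms"].update(rec["perms"])
        if rec["object"]:
            rules[key]["objects"].add(rec["object"])
    return dict(rules)

def as_allow_rules(rules):
    """Render the groups as policy-style allow rules, sorted for stable output."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(i['perms']))} }};"
            for (s, t, c), i in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE.splitlines()))))
```

The grouped view separates denials against generic types (`var_t` on `/var/clamav/main.cvd`) from denials between two service domains, so each group can be reviewed on its own before anything is allowed.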
