Re: More AVCs during boot

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Felipe Alfaro Solana wrote:

> Hi!
>
> With selinux-policy-targeted, I get this during boot:
>
> audit(1095721178.335:0): avc:  denied  { associate } for  pid=508 
> exe=/sbin/restorecon name=initctl dev=tmpfs ino=1992 
> scontext=system_u:object_r:initctl_t 
> tcontext=system_u:object_r:tmpfs_t tclass=filesystem
>
> audit(1095721179.084:0): avc:  denied  { associate } for  pid=721 
> exe=/usr/sbin/setfiles name=initctl dev=tmpfs ino=1992 
> scontext=system_u:object_r:initctl_t 
> tcontext=system_u:object_r:tmpfs_t tclass=filesystem
>
> which seem related related to "/dev/initctl".
>
> audit(1095721179.097:0): avc:  denied  { associate } for  pid=721 
> exe=/usr/sbin/setfiles name=.udev.tdb dev=tmpfs ino=366 
> scontext=system_u:object_r:udev_tbl_t 
> tcontext=system_u:object_r:tmpfs_t tclass=filesystem
>
> which is related to /dev/.udev.tdb
Latest policy should fix these.

> audit(1095714008.289:0): avc:  denied  { setrlimit } for  pid=2218 
> exe=/usr/sbin/named scontext=user_u:system_r:named_t 
> tcontext=user_u:system_r:named_t tclass=process
>
> related to bind

Added a rule to allow this in policy.

> audit(1095714008.771:0): avc:  denied  { read } for  pid=2251 
> exe=/usr/sbin/ntpd name=drift dev=hda2 ino=10289214 
> scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t 
> tclass=file

Which drift file are you accessing and where is it located?  It should 
not be marked file_t?

> related to ntpd.
>
> Any ideas?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list