On Fri, 2005-01-21 at 10:38, Tom London wrote:
> Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied
> { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17
> scontext=system_u:system_r:hostname_t
> tcontext=system_u:object_r:root_t tclass=file
I think that this denial reflects a kernel bug - leaking a descriptor to
the rootfs to userspace. Shouldn't interfere with booting.
> Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied
> { read } for pid=576 exe=/sbin/restorecon name=customizable_types
> dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t
> tcontext=system_u:object_r:default_context_t tclass=file
This is more likely the culprit. restorecon is now trying to read the
customizable_types file to identify contexts that it shouldn't try to
relabel, but if it lacks permission to do so, then the current code is
going to prevent relabeling anything, as it is merely checking for a
non-zero return from is_context_customizable(), which could be an
error. Fix is to allow access by restorecon_t and setfiles_t, but also
likely change the calling code to distinguish the error case from > 0
case.
--
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency
