Re: 1105 fails to boot....


 



Stephen Smalley wrote:

On Fri, 2005-01-21 at 10:38, Tom London wrote:


Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17
scontext=system_u:system_r:hostname_t
tcontext=system_u:object_r:root_t tclass=file



I think that this denial reflects a kernel bug - leaking a descriptor to the rootfs to userspace. Shouldn't interfere with booting.



Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied { read } for pid=576 exe=/sbin/restorecon name=customizable_types
dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:default_context_t tclass=file



This is more likely the culprit. restorecon is now trying to read the customizable_types file to identify contexts that it shouldn't try to relabel, but if it lacks permission to do so, then the current code is going to prevent relabeling anything, as it is merely checking for a non-zero return from is_context_customizable(), which could be an error. Fix is to allow access by restorecon_t and setfiles_t, but also likely change the calling code to distinguish the error case from > 0 case.



Fix in selinux-policy-*-1.21.2-7
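The return-value confusion described in the quoted reply, shown as an added example that is not part of the original thread and is not the restorecon source. `lookup_customizable`, its `types_readable` flag, the `decision` enum and the type `sample_custom_t` are hypothetical stand-ins; the only thing assumed from the thread is a lookup that returns > 0 for "customizable", 0 for "not customizable" and a negative value on error.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the lookup: 1 = customizable, 0 = not,
 * -1 = error with errno set. types_readable models whether policy
 * allows the caller to read the customizable_types file. */
static int lookup_customizable(const char *type, int types_readable)
{
    /* Constructed sample list, not the real file contents. */
    static const char *const custom[] = { "sample_custom_t", NULL };

    if (!types_readable) {
        errno = EACCES;          /* the AVC denial seen in the log */
        return -1;
    }
    for (size_t i = 0; custom[i] != NULL; i++)
        if (strcmp(type, custom[i]) == 0)
            return 1;
    return 0;
}

enum decision { DO_RELABEL, SKIP_CUSTOMIZABLE, LOOKUP_FAILED };

/* Pattern described in the thread: any non-zero return means "skip",
 * so a failed lookup silently disables relabeling for every file. */
enum decision decide_nonzero(const char *type, int types_readable)
{
    return lookup_customizable(type, types_readable) ? SKIP_CUSTOMIZABLE
                                                     : DO_RELABEL;
}

/* Error case separated from the > 0 case; what the caller does with
 * LOOKUP_FAILED (report, abort, continue) is left open here. */
enum decision decide_checked(const char *type, int types_readable)
{
    int rc = lookup_customizable(type, types_readable);

    if (rc < 0)
        return LOOKUP_FAILED;
    return rc > 0 ? SKIP_CUSTOMIZABLE : DO_RELABEL;
}

int main(void)
{
    printf("denied read, non-zero check: %d\n", decide_nonzero("etc_t", 0));
    printf("denied read, checked:        %d\n", decide_checked("etc_t", 0));
    return 0;
}
```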

