hi;

I changed a SELinux system from a targeted policy to strict to do some testing with strict & enforcing for a particular setup I plan.

System is FC3 (all patches up to 01.02.2005) with standard install up to that point.

Policy change:
1 yum'ed the strict policy and policy sources
2 did a system-config-securelevel (changed targeted -> strict)
3 reboot (fingers crossed ..)

What happened was this:
Mass complaints (avc: denies)
mass out of memory errors .. (no way ..) // the system has 384MB RAM

rescue CD: mount and change to permissive /etc/selinux/config
touch /.autorelabel
this time autorelabel worked
still many avc denies from std. system services
fixfiles check // everything ok .. surprise still many many avc denies from std system services ..

So my question:
is this normal (still no production quality)? or a bug / side effect from changing the policy (should work but does not)?

Since there are too many errors I can't track each individual problem down.
any idea what to try?

----
Example /var/log/messages

Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied { getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/mem dev=tmpfs ino=485 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied { getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/net/tun dev=tmpfs ino=1816 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied { getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/ppp dev=tmpfs ino=1817 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ppp_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.343:0): avc: denied { getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/zero dev=tmpfs ino=1820 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.554:0): avc: denied { read } for pid=2183 exe=/sbin/lvm.static name=hdf dev=tmpfs ino=1063 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.556:0): avc: denied { write } for pid=2183 exe=/sbin/lvm.static name=control dev=tmpfs ino=4737 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lvm_control_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.556:0): avc: denied { ioctl } for pid=2183 exe=/sbin/lvm.static path=/dev/mapper/control dev=tmpfs ino=4737 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lvm_control_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.557:0): avc: denied { write } for pid=2183 exe=/sbin/lvm.static name=.cache dev=hde1 ino=66753 scontext=system_u:system_r:initrc_t tcontext=user_u:object_r:etc_t tclass=file

-- 
hb <hburde@xxxxxxxxxxx>
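
Added example, not part of the original post: one way to reduce a flood of `avc: denied` lines in the format shown above to distinct access patterns is to group them by source type, target type and class. The sample log lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Kernel AVC format as shown in the post (FC3-era /var/log/messages).
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or wrapped line: skip rather than guess
    s, t = fields["scontext"].split(":"), fields["tcontext"].split(":")
    if len(s) < 3 or len(t) < 3:
        return None
    # A context is user:role:type; policy rules are written on the type.
    fields.update(perms=m.group("perms").split(), stype=s[2], ttype=t[2])
    return fields

def summarize(lines):
    """Group denials by (source type, target type, class), most frequent first."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "exes": set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        g["exes"].add(rec.get("exe", "?"))
    return sorted(groups.items(), key=lambda kv: (-kv[1]["count"], kv[0]))

# Constructed sample lines in the same format as the excerpt in the post.
P = "Feb 1 10:00:00 host kernel: audit(1.0:0): avc: denied "
S = " exe=/sbin/lvm.static dev=tmpfs scontext=system_u:system_r:initrc_t"
SAMPLE = [
    P + "{ getattr } for pid=1" + S + " tcontext=system_u:object_r:zero_device_t tclass=chr_file",
    P + "{ write } for pid=1" + S + " tcontext=system_u:object_r:lvm_control_t tclass=chr_file",
    P + "{ ioctl } for pid=1" + S + " tcontext=system_u:object_r:lvm_control_t tclass=chr_file",
    "Feb 1 10:00:01 host kernel: unrelated message",
    P + "{ read } for pid=1 exe=/sbin/lvm.static name=hdf",  # truncated line
]

if __name__ == "__main__":
    for (stype, ttype, tclass), g in summarize(SAMPLE):
        print(f"{g['count']:4d}  {stype} -> {ttype}:{tclass} "
              f"{{ {' '.join(sorted(g['perms']))} }}  exe={','.join(sorted(g['exes']))}")
```

Grouping on the type fields rather than on paths or inode numbers keeps the summary aligned with how policy rules are written, so each output row corresponds to one access pattern to review.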