Steve Brueckner wrote:
> I appear to have borked my SELinux installation. I wanted to experiment
> with the new name_connect permission, which I read was available with the
> latest rawhide kernel and selinux policy. So, in my first-ever attempt to
> use rawhide, I enabled my /etc/yum.repos.d/fedora-devel.repo file and then
> yum updated to the following:

No, you probably just picked the wrong day to update to rawhide. I have an updated policy on ftp://people.redhat.com/dwalsh/SELinux/Fedora.
It will fix some of the problems.
But you might want to do a complete yum update to get the latest stuff (FC4/Test2 plus updates).

Dan

> kernel.i686 2.6.11-1.1267_FC4 installed
> selinux-policy-targeted.noarch 1.23.12-4 installed
> selinux-policy-targeted-sources.noarch 1.23.12-4 installed
> selinux-policy-strict.noarch 1.23.12-4 installed
> selinux-policy-strict-sources.noarch 1.23.12-4 installed
> libselinux.i386 1.23.7-3 installed
> libselinux-devel.i386 1.23.7-3 installed
> libselinux-debuginfo.i386 1.23.7-3 installed
> libsepol.i386 1.5.5-2 installed
> policycoreutils.i386 1.23.6-1 installed
> checkpolicy.i386 1.23.1-1 installed
> setools.i386 2.1.0-2 installed
> selinux-doc.noarch 1.19.5-1 installed
>
> I then did a touch /.autorelabel; reboot, then after rebooting a make reload. I'm using the targeted policy in permissive mode (things freeze up when I setenforce 1). Policy version is 19.
>
> I get a lot of avc denied messages on boot; enough to make me think I did something wrong with my policy update or kernel update. Did I even go about this the right way? Is there anything obviously wrong with the steps I took? I'm running FC3, and I wasn't certain about updating to an FC4 kernel, but yum seemed to think it was OK so I went for it. I get the same errors when I revert to 2.6.11-1.14_FC3.
>
> Thanks for any ideas. My boot log is included below, with anything non-SELinux related snipped out.
>
> - Steve Brueckner, ATC-NY
>
> $ dmesg
> Linux version 2.6.11-1.1267_FC4 (bhcompile@xxxxxxxxxxxxxxxxxxxxxx) (gcc version 4.0.0 20050423 (Red Hat 4.0.0-1)) #1 Mon Apr 25 19:22:44 EDT 2005
> ...
> Security Framework v1.0.0 initialized
> SELinux: Initializing.
> SELinux: Starting in permissive mode
> selinux_register_security: Registering secondary module capability
> Capability LSM initialized as secondary
> ...
> audit: initializing netlink socket (disabled)
> audit(1114514592.659:0): initialized
> ...
> SELinux: Registering netfilter hooks
> ...
> security: 3 users, 6 roles, 684 types, 75 bools
> security: 55 classes, 126760 rules
> SELinux: Completing initialization.
> SELinux: Setting up existing superblocks.
> SELinux: initialized (dev dm-0, type ext3), uses xattr
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
> SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> audit(1114514601.951:0): avc: denied { use } for path=/init dev=rootfs ino=8 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=fd
> ...
> SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
> ...
> SELinux: initialized (dev hda1, type ext3), uses xattr
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> Adding 2031608k swap on /dev/VolGroup00/LogVol01. Priority:-1 extents:1
> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
> ...
> audit(1114529038.066:0): avc: denied { read } for name=config dev=dm-0 ino=3837327 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
> audit(1114529038.066:0): avc: denied { getattr } for path=/etc/selinux/config dev=dm-0 ino=3837327 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
> audit(1114529038.092:0): avc: denied { execute } for name=restorecon dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:restorecon_exec_t tclass=file
> audit(1114529038.092:0): avc: denied { execute_no_trans } for path=/sbin/restorecon dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:restorecon_exec_t tclass=file
> audit(1114529038.092:0): avc: denied { read } for path=/sbin/restorecon dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:restorecon_exec_t tclass=file
> audit(1114529038.093:0): avc: denied { search } for name=contexts dev=dm-0 ino=3834258 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:default_context_t tclass=dir
> audit(1114529038.093:0): avc: denied { search } for name=files dev=dm-0 ino=3834262 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=dir
> audit(1114529038.093:0): avc: denied { read } for name=file_contexts dev=dm-0 ino=3834260 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=file
> audit(1114529038.093:0): avc: denied { getattr } for path=/etc/selinux/targeted/contexts/files/file_contexts dev=dm-0 ino=3834260 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=file
> audit(1114529038.096:0): avc: denied { search } for name=/ dev=selinuxfs ino=232 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=dir
> audit(1114529038.096:0): avc: denied { read write } for name=context dev=selinuxfs ino=5 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=file
> audit(1114529038.096:0): avc: denied { check_context } for scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=security
> audit(1114529038.479:0): avc: denied { use } for path=/init dev=rootfs ino=8 scontext=system_u:system_r:named_t tcontext=system_u:system_r:kernel_t tclass=fd
> SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
> audit(1114529040.947:0): avc: denied { use } for path=/init dev=rootfs ino=8 scontext=system_u:system_r:howl_t tcontext=system_u:system_r:kernel_t tclass=fd
> audit(1114529043.069:0): avc: denied { use } for path=/init dev=rootfs ino=8 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:kernel_t tclass=fd
> ...
> audit(1114529047.672:0): avc: denied { read } for path=/init dev=rootfs ino=8 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:root_t tclass=file
> audit(1114529050.126:0): avc: denied { use } for path=/init dev=rootfs ino=8 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=fd
> audit(1114529052.770:0): avc: denied { write } for name=etc dev=dm-0 ino=3833857 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=dir
> audit(1114529052.770:0): avc: denied { add_name } for name=.fstab.hal.S scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=dir
> audit(1114529052.770:0): avc: denied { create } for name=.fstab.hal.S scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=file
> audit(1114529053.042:0): avc: denied { write } for name=media dev=dm-0 ino=8552449 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t tclass=dir
> audit(1114529053.042:0): avc: denied { remove_name } for name=cdrecorder dev=dm-0 ino=8552450 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t tclass=dir
> audit(1114529053.042:0): avc: denied { rmdir } for name=cdrecorder dev=dm-0 ino=8552450 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t tclass=dir
> audit(1114529053.157:0): avc: denied { write } for path=/etc/.fstab.hal.S dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=file
> audit(1114529053.157:0): avc: denied { remove_name } for name=.fstab.hal.S dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=dir
> audit(1114529053.157:0): avc: denied { rename } for name=.fstab.hal.S dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=file
> audit(1114529053.157:0): avc: denied { unlink } for name=fstab dev=dm-0 ino=3834553 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=file
> audit(1114529053.179:0): avc: denied { write } for name=rhgb-socket dev=ramfs ino=4929 scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=sock_file
> audit(1114529053.179:0): avc: denied { connectto } for path=/etc/rhgb/temp/rhgb-socket scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
> audit(1114529053.577:0): avc: denied { getattr } for path=/dev/VolGroup00/LogVol00 dev=tmpfs ino=5807 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:device_t tclass=lnk_file
> audit(1114529053.653:0): avc: denied { add_name } for name=cdrecorder scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t tclass=dir
> audit(1114529053.654:0): avc: denied { create } for name=cdrecorder scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t tclass=dir
> audit(1114529053.674:0): avc: denied { getattr } for path=/dev/mapper/VolGroup00-LogVol00 dev=tmpfs ino=1128 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:device_t tclass=blk_file
> audit(1114529053.674:0): avc: denied { getattr } for path=/dev/pts dev=devpts ino=1 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:devpts_t tclass=dir
> ...
> audit(1114529081.451:0): avc: denied { getattr } for path=/dev/pts dev=devpts ino=1 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:devpts_t tclass=dir
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
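A small triage helper, added here and not part of the thread: it parses the pre-auditd "audit(...): avc: denied" records from a dmesg capture like the one in Steve's post and groups them by source domain, target type and object class, so you can see at a glance which domains (dhcpc_t, hald_t) account for most of the noise before deciding whether a policy update or a relabel is the fix. The sample lines are copied from Steve's log; parse_avc and summarize are my names.

```python
import re
from collections import Counter, defaultdict

# Pre-auditd kernel AVC record format, as printed by dmesg in the post above:
#   audit(<secs>.<msecs>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*(?P<result>denied|granted)\s*"
    r"\{\s*(?P<perms>[^}]*)\}\s*for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: a handful of lines copied from Steve's boot log above.
SAMPLE_DMESG = """\
SELinux: initialized (dev dm-0, type ext3), uses xattr
audit(1114529038.066:0): avc: denied { read } for name=config dev=dm-0 ino=3837327 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1114529038.092:0): avc: denied { execute } for name=restorecon dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:restorecon_exec_t tclass=file
audit(1114529038.092:0): avc: denied { execute_no_trans } for path=/sbin/restorecon dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:restorecon_exec_t tclass=file
audit(1114529038.096:0): avc: denied { read write } for name=context dev=selinuxfs ino=5 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=file
audit(1114529053.042:0): avc: denied { write } for name=media dev=dm-0 ino=8552449 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t tclass=dir
audit(1114529053.042:0): avc: denied { remove_name } for name=cdrecorder dev=dm-0 ino=8552450 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t tclass=dir
"""

def parse_avc(line):
    """Parse one dmesg line; return a dict for an AVC record, or None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"ts": float(m.group("ts")), "result": m.group("result"),
           "perms": frozenset(m.group("perms").split())}
    rec.update(KV_RE.findall(m.group("rest")))  # scontext, tcontext, tclass, path/name, ...
    return rec

def summarize(lines):
    """Group denials by (source domain, target type, object class); collect perms and count."""
    counts = Counter()
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or not all(
                k in rec for k in ("scontext", "tcontext", "tclass")):
            continue  # not a denial, or a truncated record we cannot classify
        # user:role:type[:range] -> the third field is the type (domain for the source)
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        counts[key] += 1
        perms[key] |= rec["perms"]
    return counts, perms

if __name__ == "__main__":
    counts, perms = summarize(SAMPLE_DMESG.splitlines())
    for key, n in counts.most_common():  # noisiest (domain, type, class) triples first
        print(f"{n:3d}  {key[0]:>12} -> {key[1]:<24} {key[2]:<8} {{ {' '.join(sorted(perms[key]))} }}")
```

Run it against a full `dmesg` capture (or `/var/log/messages`) by feeding the file's lines to summarize(); the grouped output is the same shape audit2allow works from, but read it to decide what is a policy gap versus a mislabelled file before generating any rules.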