On Wed, 2006-03-15 at 19:08 +0200, Maxim Britov wrote:
> I have installed current fc5 by http about week or two ago. It updated from rawhide.
> It currently installed on hda2 and it ran from qemu.
>
> I see many avc denied messages in dmesg (repeated 210 times with different pids):
> audit(1142439027.188:2): avc: denied { search } for pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
> hda2 here is /

Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t.
Need to relabel?

> It can't mount /var/spool/squid at boot time. dmesg is:
> audit(1142439059.662:212): avc: denied { mounton } for pid=820 comm="mount" name="squid" dev=hda7 ino=261122 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir

Might not be included in the current policy.

> hda7 here is /var
> After booting I can mount it with: # mount /var/spool/squid (/etc/fstab uses default options):
> "kjournald starting. Commit interval 5 seconds
> EXT3 FS on hda5, internal journal
> EXT3-fs: mounted filesystem with ordered data mode.
> SELinux: initialized (dev hda5, type ext3), uses xattr"
>
> I can't switch to strict mode.
> I did it by editing /etc/selinux/config and touch /.autorelabel

Strict policy (i.e. SELINUXTYPE=strict) or enforcing mode (i.e.
SELINUX=enforcing)? You want SELINUXTYPE=targeted, SELINUX=enforcing.
Boot with enforcing=0 if you need to temporarily boot permissive to
recover. Boot with enforcing=0 autorelabel to force a relabel.

--
Stephen Smalley
National Security Agency
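An added example, not part of the original message or of any SELinux tool: a small Python triage of AVC denial lines like the two quoted in this thread. It collapses denials that differ only by pid and flags targets typed `file_t` as relabel candidates. The function names, the `relabel`/`policy` hint labels and the third sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# First and last lines are the denials quoted in the thread; the middle line
# is a constructed repeat (different pid) to show de-duplication.
SAMPLE = """\
audit(1142439027.188:2): avc: denied { search } for pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1142439027.190:3): avc: denied { search } for pid=350 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1142439059.662:212): avc: denied { mounton } for pid=820 comm="mount" name="squid" dev=hda7 ino=261122 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of user:role:type[:level].
    The MLS level (e.g. s0-s0:c0.c255) contains ':' itself, so split at most 3 times."""
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = tuple(m.group("perms").split())
    fields["stype"] = context_type(fields.get("scontext", ""))
    fields["ttype"] = context_type(fields.get("tcontext", ""))
    return fields

def triage(text):
    """Count unique denials, ignoring pid, and attach a first-guess hint."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        # Heuristic (assumption): a file_t target suggests a missing label,
        # so relabel first; any other type is a question for the policy.
        hint = "relabel" if f["ttype"] == "file_t" else "policy"
        counts[(f["stype"], f["perms"], f["ttype"],
                f.get("tclass"), f.get("name"), hint)] += 1
    return counts

if __name__ == "__main__":
    for key, n in triage(SAMPLE).items():
        print(n, key)
```
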