>>>>> "DJW" == Daniel J Walsh <Daniel> writes: DJW> Can you setenforce now and then start it up, please collect all DJW> of the avc messages. Since I can't even boot in enforcing mode, I'm running in permissive mode and just after boot I have 24 denials. Many of these are probably normal but several are looking in /etc/pki for various certs. These are probably related to LDAP; /etc/ldap.conf requires encryption so anything that needs to look at users or groups before nscd starts will need to see the certs. > cat /etc/ldap.conf base dc=blah uri ldaps://xxxx ldaps://yyyy ldaps://zzzz bind_timelimit 3 idle_timelimit 3600 tls_checkpeer yes tls_cacertfile /etc/pki/cacert.pem > sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 20 Policy from config file: targeted > dmesg|grep avc audit(1143749462.567:2): avc: denied { search } for pid=659 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir audit(1143749475.708:3): avc: denied { read } for pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file audit(1143749475.708:4): avc: denied { getattr } for pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file audit(1143749475.772:5): avc: denied { read } for pid=1263 comm="fsck.ext3" name="mtab" dev=dm-0 ino=167311 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file audit(1143749475.772:6): avc: denied { getattr } for pid=1263 comm="fsck.ext3" name="mtab" dev=dm-0 ino=167311 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file audit(1143749476.672:7): avc: denied { write } for pid=1279 comm="mount" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file audit(1143749476.672:8): avc: denied { unlink } for pid=1279 comm="mount" name="blkid.tab.old" dev=dm-0 ino=165330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file audit(1143749476.672:9): avc: denied { link } for pid=1279 comm="mount" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file audit(1143749708.498:10): avc: denied { search } for pid=1719 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir audit(1143749708.498:11): avc: denied { read } for pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file audit(1143749708.498:12): avc: denied { getattr } for pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file audit(1143749708.498:13): avc: denied { read } for pid=1719 comm="dbus-daemon" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file audit(1143749710.051:14): avc: denied { mounton } for pid=1773 comm="mount" name="mail" dev=dm-4 ino=589827 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir audit(1143749711.663:15): avc: denied { read } for pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file audit(1143749711.663:16): avc: denied { getattr } for pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file audit(1143749711.663:17): avc: denied { read } for pid=1950 comm="automount" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file audit(1143749720.792:18): avc: denied { getattr } for pid=2240 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir audit(1143749720.792:19): avc: denied { search } for pid=2240 comm="hald" name="spool" dev=dm-4 ino=589825 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir audit(1143749801.841:20): avc: denied { write } for pid=2352 comm="mount" name="socket" dev=dm-4 ino=917527 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file audit(1143749801.841:21): avc: denied { connectto } for pid=2352 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket audit(1143749801.841:22): avc: denied { use } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=fd audit(1143749801.841:23): avc: denied { read } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file audit(1143749801.841:24): avc: denied { getattr } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file audit(1143749801.869:25): avc: denied { getattr } for pid=2240 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir - J< -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list