Re: FC5 LDAP issues

Jason L Tibbitts III wrote:
"DJW" == Daniel J Walsh <Daniel> writes:

DJW> Looks like you have a labeling problem.

The system relabeled itself as part of the boot.  But I've forced
another relabel and there are eight fewer messages:

audit(1143750802.325:2): avc:  denied  { search } for  pid=636 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143751052.509:3): avc:  denied  { search } for  pid=1723 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
audit(1143751052.509:4): avc:  denied  { read } for  pid=1723 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751052.517:5): avc:  denied  { getattr } for  pid=1723 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751052.521:6): avc:  denied  { read } for  pid=1723 comm="dbus-daemon" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
audit(1143751053.465:7): avc:  denied  { mounton } for  pid=1777 comm="mount" name="mail" dev=dm-4 ino=589827 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
audit(1143751055.021:8): avc:  denied  { read } for  pid=1954 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751055.021:9): avc:  denied  { getattr } for  pid=1954 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751055.025:10): avc:  denied  { read } for  pid=1954 comm="automount" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
audit(1143751064.226:11): avc:  denied  { getattr } for  pid=2244 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
audit(1143751064.230:12): avc:  denied  { search } for  pid=2244 comm="hald" name="spool" dev=dm-4 ino=589825 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
audit(1143751066.602:13): avc:  denied  { write } for  pid=2341 comm="mount" name="socket" dev=dm-4 ino=917527 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1143751066.602:14): avc:  denied  { connectto } for  pid=2341 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
audit(1143751066.606:15): avc:  denied  { use } for  pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=fd
audit(1143751066.606:16): avc:  denied  { read } for  pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
audit(1143751066.606:17): avc:  denied  { getattr } for  pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file

I had been running with selinux disabled for some time, but when I
enabled it earlier today the system relabeled itself and then it did
so again when I switched to permissive.  Does the boot-time relabel
log the changes it makes?  I'd like to see why the third relabel
changed things.

In any case, there are still the cert failures which will keep the
machine from booting.

 - J

You can use

audit2allow -l -M local -i /var/log/messages

to generate a loadable module, and work around this problem. The question I have is why do dbus and automount want to read the certificate files?

Dan

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
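
Added example, not part of the original thread and not audit2allow's own code: a small Python summarizer that groups AVC denials like the ones quoted above into the kind of allow rules a generated module would contain, so they can be reviewed before anything is loaded. The sample input is four lines taken from the log in this thread; the function names and the choice to mark file_t and default_t targets as likely labeling problems are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: four denials taken from the log quoted in this thread.
SAMPLE = """\
audit(1143750802.325:2): avc:  denied  { search } for  pid=636 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143751052.509:4): avc:  denied  { read } for  pid=1723 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751052.517:5): avc:  denied  { getattr } for  pid=1723 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751055.021:8): avc:  denied  { read } for  pid=1954 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumption of this example: a target of file_t or default_t usually means
# the object is mislabeled, so relabeling is a better fix than an allow rule.
LABEL_SUSPECT = {"file_t", "default_t"}


def se_type(context):
    """Return the type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial line
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def render(rules):
    """Render the grouped denials as allow rules for human review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        names = " ".join(sorted(perms))
        perm_str = names if len(perms) == 1 else "{ " + names + " }"
        rule = f"allow {src} {tgt}:{cls} {perm_str};"
        if tgt in LABEL_SUSPECT:
            rule = "# relabel instead? " + rule
        out.append(rule)
    return out


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

Reading the grouped rules makes it easy to see which domains would gain access to cert_t before a local module is loaded.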
