During update of today's rawhide, I get this in /var/log messages (and
a nice icon in the tray):
Sep 1 08:18:44 localhost Updated: kexec-tools.i386 1.101-51.fc6
Sep 1 08:19:14 localhost /usr/sbin/setroubleshootd: SELinux is
preventing /usr/sbin/lvm (lvm_t) "getattr" to /dev/nvram
(unlabeled_t). See audit.log for complete SELinux messages. id =
1fbf1f44-8ff6-4eb2-96dd-cdfe9ea35829
Sep 1 08:19:22 localhost Installed: kernel.i686 2.6.17-1.2608.fc6
Here's the associated AVC:
type=AVC msg=audit(1157123951.753:51): avc: denied { getattr } for
pid=7465 comm="lvs" name="nvram" dev=tmpfs ino=3418
scontext=user_u:system_r:lvm_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1157123951.753:51): arch=40000003 syscall=195
success=no exit=-13 a0=8611ef8 a1=bfc3281c a2=c4fff4 a3=8611ef8
items=0 ppid=7464 pid=7465 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="lvs" exe="/usr/sbin/lvm"
subj=user_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1157123951.753:51): path="/dev/nvram"
On reboot, /dev/nvram seems to be labeled properly.
[tbl@localhost ~]$ ls -lZ /dev/nvram
crw-rw---- root root system_u:object_r:nvram_device_t /dev/nvram
[tbl@localhost ~]$
Anyway, setroubleshoot is neat.....
tom
--
Tom London
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
