After upgrading from FC5 to FC6, my first clue was that X-Windows
wouldn't come up because it could not find the 'fixed' font. This
meant the xfs server wasn't working. Sure enough, dmesg showed:
audit(1167922474.426:78): avc: denied { read } for pid=2399
comm="xfs" name="fonts.dir" dev=hda5 ino=3260727
scontext=system_u:system_r:xfs_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
Looking through dmesg, I discovered many other "avc: denied" messages:
audit(1167922423.998:4): avc: denied { audit_write } for pid=376
comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0
tcontext=system_u:system_r:hwclock_t:s0 tclass=capability
audit(1167922427.986:5): avc: denied { getattr } for pid=1369
comm="pam_console_app" name="adsp1" dev=tmpfs ino=5904
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1167922462.739:7): avc: denied { search } for pid=2083
comm="auditd" name="bin" dev=hda5 ino=1042531
scontext=system_u:system_r:auditd_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=dir
audit(1167922463.659:12): avc: denied { write } for pid=2132
comm="dbus-daemon" name=".setrans-unix" dev=hda5 ino=423906
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:
var_run_t:s0 tclass=sock_file
audit(1167922464.088:15): avc: denied { setuid } for pid=2154
comm="mount" capability=7 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=capability
audit(1167922464.089:16): avc: denied { setgid } for pid=2154
comm="mount" capability=6 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=capability
audit(1167922464.531:23): avc: denied { search } for pid=2193
comm="automount" name="1" dev=proc ino=65538
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1167922470.796:75): avc: denied { search } for pid=2249
comm="ntpd" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1167922474.229:76): avc: denied { write } for pid=2396
comm="restorecon" name=".setrans-unix" dev=hda5 ino=423906
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
audit(1167922474.426:78): avc: denied { read } for pid=2399
comm="xfs" name="fonts.dir" dev=hda5 ino=3260727
scontext=system_u:system_r:xfs_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
....and many, many more. Clearly, my SELinux policies were seriously
broken during the upgrade. So, how to recover? If I could get
X-Windows up, would the new SELinux GUI be the way to go? Do I need to
reinstall an SELinux package(s)? If so, which one(s)?
Suggestions, pointers much appreciated!
TIA,
Kirk
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
