Jason L Tibbitts III wrote:
I'm seeing a ton of the following denials when installing packages:
audit(1187332559.271:77): avc: denied { use } for pid=3692 comm="ldconfig" name="console" dev=tmpfs ino=1143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
My specific situation may be odd. I kickstart a small system from a
fully updated repo. Then when that system boots, /etc/rc.local calls
a script which calls yum to install the rest of the system. Is it
possible that this arrangement misses some essential domain
transition?
The SELinux packages installed are:
selinux-policy-2.6.4-33.fc7.noarch
selinux-policy-targeted-2.6.4-33.fc7.noarch
- J<
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is probably not a problem. ldconfig gets passed an open file
descriptor to the console device, which the kernel promptly closes when
SELinux sees that it does not have access. As long as ldconfig works, it
can be dontaudited.
Many domains currently use this interface.
init_dontaudit_use_fds
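An added example, not part of the original thread or of the SELinux policy sources: a triage script that picks out only the denials matching the pattern described in the reply (`{ use }` on class `fd` with an `init_t` target) and prints the corresponding `init_dontaudit_use_fds` call for each source domain, leaving other denials alone. The function names are hypothetical, and the second sample line (including `foo_t`) is constructed for illustration.

```python
import re

# Matches the permission set and the key=value tail of an AVC denial record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def inherited_init_fd_domains(lines):
    """Source domains denied only 'use' on an fd whose owner is init_t."""
    domains = set()
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec.get("tclass") == "fd" and rec["perms"] == ["use"]
                and rec["tcontext_type"] == "init_t" and rec["scontext_type"]):
            domains.add(rec["scontext_type"])
    return sorted(domains)

def dontaudit_rules(lines):
    """Policy lines calling the interface named in the reply, one per domain."""
    return ["init_dontaudit_use_fds(%s)" % d for d in inherited_init_fd_domains(lines)]

# Line 1 is the denial quoted in the thread; line 2 is a constructed, unrelated
# file denial that must NOT be silenced; line 3 is a constructed repeat of line 1.
SAMPLE = [
    'audit(1187332559.271:77): avc: denied { use } for pid=3692 comm="ldconfig" name="console" dev=tmpfs ino=1143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd',
    'audit(1187332560.100:78): avc: denied { read } for pid=3700 comm="foo" name="shadow" dev=dm-0 ino=42 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'audit(1187332561.300:79): avc: denied { use } for pid=3692 comm="ldconfig" name="console" dev=tmpfs ino=1143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd',
]

if __name__ == "__main__":
    for rule in dontaudit_rules(SAMPLE):
        print(rule)
```

Restricting the match to `tclass=fd` with only the `use` permission keeps real access denials, such as the constructed `shadow_t` read, visible in the audit log.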