Paul Howarth wrote:
>Daniel B. Thurman wrote:
>> Daniel B. Thurman wrote:
>>> Due to reasons of my /usr space partition running out of
>>> room, I had tar-copied my /usr/share directory into different
>>> partition, deleted the contents of /usr/share, changed the
>>> fstab to mount the /share partition /usr/share. Because there
>>> is a filesystem change, I believed an autorelabel is necessary
>>> to ensure that all of the selinux tags are properly labeled.
>
>...
>
>> I found some more problems with selinux tags and somehow it
>> is not able to label files after a autorelabel which I was
>> hoping it would fix but does not. Can someone please tell
>> me how to fix these problems?
>>
>> From /var/log/audit log:
>> =============================================================
>> type=SYSCALL msg=audit(1198252520.322:187): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc093c0 a2=b7f6d31c a3=0 items=0 ppid=2700 pid=3667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
>> type=AVC msg=audit(1198252520.322:187): avc: denied { connectto } for pid=3667 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>> type=AVC msg=audit(1198252486.805:186): avc: denied { connectto } for pid=3647 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>
>This looks remarkably like this bug report:
>https://bugzilla.redhat.com/show_bug.cgi?id=425958
>
>You seem to have the socket labelled as initrc_t rather than
>spamd_var_run_t, but I don't know why this should happen.
>
>Can you post the output of:
>$ ls -lZd /var/run

drwxr-xr-x  root root system_u:object_r:var_run_t:s0   /var/run

>$ ls -laZ /var/run/spamass-milter

drwxr-x---  sa-milt root    system_u:object_r:spamd_var_run_t:s0 .
drwxr-xr-x  root    root    system_u:object_r:var_run_t:s0   ..
srwxr-xr-x  sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0 spamass-milter.sock

>$ sestatus -v

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

Process contexts:
Current context:                unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/sbin/mingetty                  system_u:system_r:getty_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling term:               unconfined_u:object_r:unconfined_devpts_t:s0
/etc/passwd                     system_u:object_r:etc_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:init_exec_t:s0
/sbin/mingetty                  system_u:object_r:getty_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
/lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
/lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0

>
>> From /var/log/messages log: (Note that all of these errors are
>> coming from the /usr/share that is mounted from a drive partition
>> while all in / is in its own partition, but /usr/share)
>> =============================================================
>> Dec 21 07:50:21 linux kernel: audit(1198252191.457:5): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
>
>Try unmounting /usr/share, labelling the now-empty directory as mnt_t,

How do I do this, please?

>remounting /usr/share and labelling the mounted directory as usr_t.
>
>Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
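
Added example, not part of the original message or written by either poster: a small parser that groups the AVC denials quoted above by source type, target type, object class and permission, and lists objects that ended up with the fallback type default_t. The sample lines are the records from this message with the mail client's line wrapping rejoined; the function names are illustrative.

```python
import re
from collections import Counter

# AVC records quoted in the message above, with mail-client line wrapping rejoined.
SAMPLE = """\
type=AVC msg=audit(1198252520.322:187): avc: denied { connectto } for pid=3667 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1198252486.805:186): avc: denied { connectto } for pid=3647 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Dec 21 07:50:21 linux kernel: audit(1198252191.457:5): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """An SELinux context is user:role:type[:level]; return the type field."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record
    rec["perms"] = m.group("perms").split()
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec

def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def default_t_targets(text):
    """Objects labelled default_t, the fallback type when no specific file-context rule applies."""
    recs = filter(None, map(parse_avc, text.splitlines()))
    return sorted({r.get("path") or r.get("name") or "?" for r in recs if r["ttype"] == "default_t"})

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
    print("default_t targets:", default_t_targets(SAMPLE))
```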