On Fri, 21 Dec 2007 09:05:55 -0800
"Daniel B. Thurman" <dant@xxxxxxxxx> wrote:

> Paul Howarth wrote:
> >Daniel B. Thurman wrote:
> >> Daniel B. Thurman wrote:
> >>> Due to reasons of my /usr space partition running out of
> >>> room, I had tar-copied my /usr/share directory into different
> >>> partition, deleted the contents of /usr/share, changed the
> >>> fstab to mount the /share partition /usr/share. Because there
> >>> is a filesystem change, I believed an autorelabel is necessary
> >>> to ensure that all of the selinux tags are properly labeled.
> >
> >...
> >
> >> I found some more problems with selinux tags and somehow it
> >> is not able to label files after a autorelabel which I was
> >> hoping it would fix but does not. Can someone please tell
> >> me how to fix these problems?
> >>
> >> From /var/log/audit log:
> >> ============================================================
> >>
> >> type=SYSCALL msg=audit(1198252520.322:187): arch@000003
> >syscall2 success=no exit=-13 a0=3 a1¿c093c0 a2·f6d31c
> >a3=0 items=0 ppid'00 pid667 auidB94967295 uid=0 gid=0
> >euid=0 suid=0 fsuid=0 egidQ sgidQ fsgidQ tty=(none)
> >comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
> >subj=system_u:system_r:sendmail_t:s0 key=(null)
> >> type=AVC msg=audit(1198252520.322:187): avc: denied {
> >connectto } for pid667 comm="sendmail"
> >path="/var/run/spamass-milter/spamass-milter.sock"
> >scontext=system_u:system_r:sendmail_t:s0
> >tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> >> type=AVC msg=audit(1198252486.805:186): avc: denied {
> >connectto } for pid647 comm="sendmail"
> >path="/var/run/spamass-milter/spamass-milter.sock"
> >scontext=system_u:system_r:sendmail_t:s0
> >tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> >
> >This looks remarkably like this bug report:
> >https://bugzilla.redhat.com/show_bug.cgi?idB5958
> >
> >You seem to have the socket labelled as initrc_t rather than
> >spamd_var_run_t, but I don't know why this should happen.
> >
> >Can you post the output of:
> >$ ls -lZd /var/run
>
> drwxr-xr-x root root system_u:object_r:var_run_t:s0 /var/run
>
> >$ ls -laZ /var/run/spamass-milter
>
> drwxr-x--- sa-milt root system_u:object_r:spamd_var_run_t:s0 .
> drwxr-xr-x root root system_u:object_r:var_run_t:s0 ..
> srwxr-xr-x sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0
> spamass-milter.sock

This all looks normal so I guess you're not getting the AVCs from
spamass-milter anymore?

> >> From /var/log/messages log: (Note that all of these errors are
> >> coming from the /usr/share that is mounted from a drive partition
> >> while all in / is in its own partition, but /usr/share)
> >> ============================================================
> >> Dec 21 07:50:21 linux kernel: audit(1198252191.457:5): avc:
> >denied { search } for pid69 comm="rhgb" name="share"
> >dev=sda2 ino2929 scontext=system_u:system_r:rhgb_t:s0
> >tcontext=user_u:object_r:default_t:s0 tclass=dir
> >
> >Try unmounting /usr/share, labelling the now-empty directory as
> >mnt_t,
>
> How do I do this, please?

# umount /usr/share
# chcon -t mnt_t /usr/share

> >remounting /usr/share and labelling the mounted directory as usr_t.

# mount /usr/share
# chcon -t usr_t /usr/share

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
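
Added example, not part of the original thread: a small triage script that parses AVC denials in both formats quoted above (the audit.log record and the kernel line in /var/log/messages) and reports those whose target context carries a type that points at a labelling problem, such as default_t on the /usr/share mount point. The sample log lines are constructed, and the list of suspect types is an assumption that goes beyond the two types seen in the thread.

```python
import re

# Constructed sample log, modelled on the two kinds of denial quoted in the thread
# (pids, inode and timestamps are made up); the last two lines must not be flagged.
SAMPLE_LOG = """\
type=AVC msg=audit(1000000000.001:10): avc:  denied  { connectto } for  pid=1001 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Dec 21 07:50:21 linux kernel: audit(1000000000.002:11): avc:  denied  { search } for  pid=1002 comm="rhgb" name="share" dev=sda2 ino=12345 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1000000000.003:12): avc:  denied  { write } for  pid=1003 comm="sendmail" name="spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1000000000.003:12): success=no exit=-13 comm="sendmail" subj=system_u:system_r:sendmail_t:s0
"""

# Target types that point at labelling rather than at missing policy (assumed list).
SUSPECT_TARGET_TYPES = {
    "default_t",    # no file-context rule matched the path (the /usr/share case)
    "initrc_t",     # target is in the init-script domain (the milter socket case)
    "unlabeled_t",  # object has no valid label
    "file_t",       # file without a security xattr on older policies
}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(context):
    """Type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def labelling_suspects(log_text):
    """List (comm, object, tclass, target type) for denials against suspect types."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        ttype = context_type(rec["tcontext"])
        if ttype in SUSPECT_TARGET_TYPES:
            obj = rec.get("path") or rec.get("name") or "?"
            findings.append((rec.get("comm", "?"), obj, rec["tclass"], ttype))
    return findings
```

Calling labelling_suspects(SAMPLE_LOG) returns the sendmail/initrc_t and rhgb/default_t denials and skips the denial against spamd_var_run_t, which is a correctly labelled target.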