Hey folks,

I've got a bunch of SELinux errors on my newly installed F10 server. I'm a decently knowledgeable Linux user, but SELinux is pretty much over my head at this point. Rather than spam the IRC channel, I thought I would send a series of messages with the various errors to this list. If this is not the appropriate place to do this, please let me know and accept my apology in advance.

This error occurred when installing icecast from the standard Fedora repo. According to the GUI troubleshoot tool, it tried it more than once.

--- Begin SELinux Alert 1 ---

Summary:

SELinux is preventing nscd (nscd_t) "read" unconfined_notrans_t.

Detailed Description:

SELinux denied access requested by nscd. It is not expected that this access is required by nscd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:nscd_t:s0
Target Context                unconfined_u:system_r:unconfined_notrans_t:s0
Target Objects                pipe [ fifo_file ]
Source                        nscd
Source Path                   /usr/sbin/nscd
Port                          <Unknown>
Host                          boris
Source RPM Packages           nscd-2.9-2
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     boris
Platform                      Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count                   4
First Seen                    Sat 06 Dec 2008 04:16:14 PM EST
Last Seen                     Sat 06 Dec 2008 04:16:14 PM EST
Local ID                      cd43cbcd-4bae-4524-b52f-f8ab36f00764
Line Numbers

Raw Audit Messages

node=boris type=AVC msg=audit(1228598174.876:203): avc: denied { read } for pid=5357 comm="nscd" path="pipe:[35289]" dev=pipefs ino=35289 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=fifo_file

node=boris type=SYSCALL msg=audit(1228598174.876:203): arch=40000003 syscall=11 success=yes exit=0 a0=8056c6b a1=bfb25c24 a2=bfb25c38 a3=0 items=0 ppid=5352 pid=5357 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null)

--- End SELinux Alert ---

When I removed the package with yum, it threw this error a bunch more times and added an additional one:

--- Begin SELinux Alert 2 ---

Summary:

SELinux prevented semanage from using the terminal 0.

Detailed Description:

SELinux prevented semanage from using the terminal 0. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy. If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access:

Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1."

Fix Command:

setsebool -P allow_daemons_use_tty=1

Additional Information:

Source Context                unconfined_u:system_r:semanage_t:s0
Target Context                unconfined_u:object_r:devpts_t:s0
Target Objects                0 [ chr_file ]
Source                        semanage
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          boris
Source RPM Packages           python-2.5.2-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_daemons_use_tty
Host Name                     boris
Platform                      Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Sun 07 Dec 2008 04:34:19 PM EST
Last Seen                     Sun 07 Dec 2008 04:34:19 PM EST
Local ID                      5ff62f2f-d05d-46b3-9624-b1308e1a06f6
Line Numbers

Raw Audit Messages

node=boris type=AVC msg=audit(1228685659.553:6520): avc: denied { read write } for pid=32355 comm="semanage" name="0" dev=devpts ino=2 scontext=unconfined_u:system_r:semanage_t:s0 tcontext=unconfined_u:object_r:devpts_t:s0 tclass=chr_file

node=boris type=SYSCALL msg=audit(1228685659.553:6520): arch=40000003 syscall=11 success=yes exit=0 a0=8050a82 a1=bf871adc a2=0 a3=0 items=0 ppid=32354 pid=32355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:system_r:semanage_t:s0 key=(null)

--- End SELinux Alert ---

The second one includes some instructions to repair the error, but it seems to be an "all or nothing" sort of command, and it seems even weirder to run it after I've uninstalled the package that appears to be using it.

Thoughts?

- Adam
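
An added example, not part of the message above or of any Fedora tool: a short Python parser that reads the raw AVC records from the two alerts and derives the single type-enforcement rule each denial corresponds to, which is the scope a local policy module would have, for comparison with the global allow_daemons_use_tty boolean. The function names are hypothetical and the SYSCALL line in the sample is shortened.

```python
import re
from collections import defaultdict

# AVC records copied from the two alerts in the message; the SYSCALL line
# is shortened here and is only present to show that non-AVC lines are skipped.
SAMPLE = """\
node=boris type=AVC msg=audit(1228598174.876:203): avc: denied { read } for pid=5357 comm="nscd" path="pipe:[35289]" dev=pipefs ino=35289 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=fifo_file
node=boris type=SYSCALL msg=audit(1228598174.876:203): arch=40000003 syscall=11 success=yes exit=0 comm="nscd" exe="/usr/sbin/nscd"
node=boris type=AVC msg=audit(1228685659.553:6520): avc: denied { read write } for pid=32355 comm="semanage" name="0" dev=devpts ino=2 scontext=unconfined_u:system_r:semanage_t:s0 tcontext=unconfined_u:object_r:devpts_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'comm': fields.get('comm'),
        # A context is user:role:type:level; the type is what policy rules name.
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'perms': m.group('perms').split(),
    }

def candidate_rules(log_text):
    """Merge repeated denials and render one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        perm_s = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_s};')
    return rules

if __name__ == '__main__':
    for rule in candidate_rules(SAMPLE):
        print(rule)
```

Each derived rule names one source type, one target type and one object class, whereas the boolean in Alert 2 applies to all daemons.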