Dear all, I have resolved one problem(Not getting internet at startup by default), but have not fixed the crontab one and other(s): This one does not go away :( Summary: SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t. Detailed Description: SELinux denied access requested by crontab. It is not expected that this access is required by crontab and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0 .c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source crontab Source Path /usr/bin/crontab Port <Unknown> Host riohigh Source RPM Packages cronie-1.2-7.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 177 First Seen Mon 02 Mar 2009 07:11:37 PM CST Last Seen Wed 25 Mar 2009 04:57:03 PM CST Local ID 3883b140-4d39-40f5-9262-ce2c4c4e2e16 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 a0=9fcb5c8 a1=9fcbd10 a2=9fb5ae0 a3=9fcbd10 items=0 ppid=4295 pid=4331 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null) I can't modify my crontab file: [olivares@riohigh ~]$ crontab -l Authentication service cannot retrieve authentication info You (olivares) are not allowed to access to (crontab) because of pam configuration. [olivares@riohigh ~]$ if I disable selinux, I can modify it and view it, but not with selinux enabled. I got greeted with the following: Summary: SELinux is preventing access to files with the default label, default_t. Detailed Description: SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label. Allowing Access: If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot" Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:default_t:s0 Target Objects /.kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port <Unknown> Host riohigh Source RPM Packages kdelibs-4.2.1-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name default Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 7 First Seen Wed 25 Mar 2009 04:38:14 PM CST Last Seen Wed 25 Mar 2009 04:38:14 PM CST Local ID d3d42e40-6a28-48cf-8717-b85579c55bad Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 a0=bfc3730b a1=bfc37258 a2=a12ff4 a3=a036c59 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing access to files with the default label, default_t. Detailed Description: SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label. Allowing Access: If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot" Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:default_t:s0 Target Objects .kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port <Unknown> Host riohigh Source RPM Packages kdelibs-4.2.1-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name default Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 23 First Seen Wed 25 Mar 2009 04:38:14 PM CST Last Seen Wed 25 Mar 2009 04:38:14 PM CST Local ID 711eec22-2695-4e57-91ad-622e9c5f3b53 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1238020694.489:42): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir node=riohigh type=SYSCALL msg=audit(1238020694.489:42): arch=40000003 syscall=196 success=no exit=-13 a0=a036c58 a1=bfc37230 a2=a12ff4 a3=a031250 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Startup did not take the 20 seconds, it took like 8 to 10 minutes with the relabeling and still see the same things. Is there an update that will fix this or do I have to disable selinux or boot in permissive in order to have a working machine. Please help this is no longer fun as it once was. Regards, Antonio -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
