On Mon, 2011-06-20 at 10:52 +0100, Frank Murphy wrote:
> Raw Audit Messages
> type=AVC msg=audit(1308563002.180:97): avc: denied { search } for
> pid=1536 comm="clamd" name="selinux" dev=dm-3 ino=25
> scontext=system_u:system_r:clamd_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
>
>
> type=SYSCALL msg=audit(1308563002.180:97): arch=x86_64 syscall=open
> success=no exit=EACCES a0=309376440a a1=0 a2=1b6 a3=9 items=0 ppid=1
> pid=1536 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494
> egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=clamd
> exe=/usr/sbin/clamd subj=system_u:system_r:clamd_t:s0 key=(null)
Looks like somehow the /selinux directory is unlabelled. I have it
currently labelled root_t here.
selinuxfs, the pseudo fs that was previously mounted on /selinux has
moved to /sys/fs/selinux.
Programs should not be looking for selinuxfs in /selinux anymore and
instead look in /sys/fs/selinux.
But besides that clamd does not need to be able to search it anyways.
The reason that it does is because of libselinux and that can be
ignored.
So in short: Fedora is aware of this issue. I believe you can for now
safely ignore it (run restorecon -R -v /selinux so that it actually has
a label). Heck i will probably remove the selinux directory from my /
pretty soon altogether.
dwalsh may know more about the current status of this issue, but as far
as i am concerned it is not worth adding a rule for.
Attachment:
signature.asc
Description: This is a digitally signed message part
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
