On 05/29/2014 01:20 AM, Miroslav Grepl wrote:
> On 05/28/2014 05:13 PM, Daniel J Walsh wrote:
>> restorecon -R -v /etc/hosts
>>
>> Would fix this issue.
> Yes, but he needs to repeat it.
>>
>> On 05/28/2014 06:36 AM, Miroslav Grepl wrote:
>>> On 05/28/2014 12:24 AM, Emmett Culley wrote:
>>>> On 05/22/2014 10:31 PM, Miroslav Grepl wrote:
>>>>> On 05/22/2014 06:35 PM, Emmett Culley wrote:
>>>>>> I am continually getting getattr and read AVC errors. From my
>>>>>> research, I believe it is because my hosts file gets modified each
>>>>>> time I VPN into my work network.
>>>>>>
>>>>>> I cause the host names and IP addresses that are part of the
>>>>>> internal work network to be appended to the hosts file upon the VPN
>>>>>> connection and then restore the original hosts file upon
>>>>>> disconnection.
>>>>>>
>>>>>> I have tried restorecon /etc/hosts, but I still get the warnings.
>>>>>> I have also done the mypol fixes suggested in the troubleshooting
>>>>>> dialog's details page. Nothing I do resolves this issue.
>>>>>>
>>>>>> How can I prevent these AVC errors? Or at least properly modify my
>>>>>> hosts file (and possibly others) the SELinux way?
>>>>>>
>>>>>> Emmett
>>>>>> --
>>>>>> selinux mailing list
>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>> What AVC message are you getting?
>>>>>
>>>>> What OS?
>>>>>
>>>>> Regards,
>>>>> Miroslav
>>>>>
>>>> Linux (Fedora 20)
>>>>
>>>> type=AVC msg=audit(1401200342.155:473): avc: denied { read } for
>>>> pid=5501 comm="httpd" name="hosts" dev="dm-0" ino=270007
>>>> scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023
>>>> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>>>>
>>>> AND
>>>>
>>>> type=AVC msg=audit(1401195880.487:401): avc: denied { getattr }
>>>> for pid=1064 comm="chronyd" path="/etc/hosts" dev="dm-0" ino=270007
>>>> scontext=system_u:system_r:chronyd_t:s0
>>>> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>>>>
>>>>
>>>> type=SYSCALL msg=audit(1401195880.487:401): arch=x86_64 syscall=fstat
>>>> success=yes exit=0 a0=4 a1=7fff126bb590 a2=7fff126bb590 a3=0 items=0
>>>> ppid=1 pid=1064 auid=4294967295 uid=997 gid=996 euid=997 suid=997
>>>> fsuid=997 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295
>>>> comm=chronyd exe=/usr/sbin/chronyd
>>>> subj=system_u:system_r:chronyd_t:s0 key=(null)
>>>>
>>>> Each of the errors is caused by attempts to access the hosts file.
>>>>
>>>> Emmett
>>>>
>>> "admin_home_t" is the label for files/dirs in the /root directory. It means
>>> the /etc/hosts is moved from this directory. Any chance you have a
>>> script which does it?
>>>
>>>
>
>
Yes, I am using a script to save the current hosts file to /root when
starting a VPN connection, then moving it back when closing the VPN
connection. I will add the restorecon command to the script.

Emmett
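
Added example, not part of the thread and not the poster's script: a VPN up/down hook that keeps a copy of the hosts file and writes it back into the existing /etc/hosts instead of moving a file out of /root, so the original inode and its label survive, with restorecon kept as a safety net. The function names, the backup path and the extra-entries file are hypothetical.

```sh
#!/bin/sh
# Added example: label-preserving save/restore of the hosts file.
# HOSTS and BACKUP can be overridden so the functions can be tried on scratch files.
HOSTS="${HOSTS:-/etc/hosts}"
BACKUP="${BACKUP:-/root/hosts.pre-vpn}"   # hypothetical backup location

# Re-apply the policy default label when SELinux tooling is installed.
relabel() {
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -v "$1" || true
    fi
}

# VPN up: copy the original aside, then append the work entries in place.
# $1 = file holding the extra "IP name" lines (hypothetical input).
vpn_up() {
    cp "$HOSTS" "$BACKUP" || return 1
    cat "$1" >> "$HOSTS" || return 1
    relabel "$HOSTS"
}

# VPN down: write the saved contents back INTO the existing file.
# "mv $BACKUP $HOSTS" would swap in an inode created under /root, which
# carries admin_home_t, the tcontext seen in the httpd and chronyd denials.
vpn_down() {
    [ -f "$BACKUP" ] || return 1
    cat "$BACKUP" > "$HOSTS" || return 1
    rm -f "$BACKUP"
    relabel "$HOSTS"
}

# Inode number of a file, to confirm it was rewritten rather than replaced.
inode_of() {
    ls -i "$1" | awk '{print $1}'
}
```

On an SELinux host, `ls -Z /etc/hosts` before and after a connect/disconnect cycle shows whether the label stayed the same.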