On 05/30/2014 01:25 PM, Emmett Culley wrote:
> On 05/29/2014 01:20 AM, Miroslav Grepl wrote:
>> On 05/28/2014 05:13 PM, Daniel J Walsh wrote:
>>> restorecon -R -v /etc/hosts
>>>
>>> Would fix this issue.
>> Yes, but he needs to repeat it.
>>> On 05/28/2014 06:36 AM, Miroslav Grepl wrote:
>>>> On 05/28/2014 12:24 AM, Emmett Culley wrote:
>>>>> On 05/22/2014 10:31 PM, Miroslav Grepl wrote:
>>>>>> On 05/22/2014 06:35 PM, Emmett Culley wrote:
>>>>>>> I am continually getting getattr and read AVC errors. From my
>>>>>>> research, I believe it is because my hosts file gets modified each
>>>>>>> time I VPN into my work network.
>>>>>>>
>>>>>>> I cause the host names and IP addresses that are part of the
>>>>>>> internal work network to be appended to the hosts file upon the VPN
>>>>>>> connection and then restore the original hosts file upon
>>>>>>> disconnection.
>>>>>>>
>>>>>>> I have tried restorecon /etc/hosts, but I still get the warnings.
>>>>>>> I have also done the mypol fixes suggested in the troubleshooting
>>>>>>> dialog's details page. Nothing I do resolves this issue.
>>>>>>>
>>>>>>> How can I prevent these AVC errors? Or at least properly modify my
>>>>>>> hosts file (and possibly others) the SELinux way?
>>>>>>>
>>>>>>> Emmett
>>>>>>> --
>>>>>>> selinux mailing list
>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>> What AVC message are you getting?
>>>>>>
>>>>>> What OS?
>>>>>>
>>>>>> Regards,
>>>>>> Miroslav
>>>>>>
>>>>> Linux (Fedora 20)
>>>>>
>>>>> type=AVC msg=audit(1401200342.155:473): avc: denied { read } for
>>>>> pid=5501 comm="httpd" name="hosts" dev="dm-0" ino=270007
>>>>> scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023
>>>>> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>>>>>
>>>>> AND
>>>>>
>>>>> type=AVC msg=audit(1401195880.487:401): avc: denied { getattr }
>>>>> for pid=1064 comm="chronyd" path="/etc/hosts" dev="dm-0" ino=270007
>>>>> scontext=system_u:system_r:chronyd_t:s0
>>>>> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>>>>>
>>>>>
>>>>> type=SYSCALL msg=audit(1401195880.487:401): arch=x86_64 syscall=fstat
>>>>> success=yes exit=0 a0=4 a1=7fff126bb590 a2=7fff126bb590 a3=0 items=0
>>>>> ppid=1 pid=1064 auid=4294967295 uid=997 gid=996 euid=997 suid=997
>>>>> fsuid=997 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295
>>>>> comm=chronyd exe=/usr/sbin/chronyd
>>>>> subj=system_u:system_r:chronyd_t:s0 key=(null)
>>>>>
>>>>> Each of the errors is caused by attempts to access the hosts file.
>>>>>
>>>>> Emmett
>>>>>
>>>> "admin_home_t" is the label for files/dirs in the /root directory. It
>>>> means /etc/hosts was moved from this directory. Any chance you have a
>>>> script which does it?
>>>>
>>
> Yes, I am using a script to save the current hosts file to /root when
> starting a VPN connection, then moving it back when closing the VPN
> connection. I will add the restorecon command to the script.
>
> Emmett
>

In Rawhide/Fedora 21 and RHEL7 you can just use mv -Z
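
Added example, not code from any participant in this thread: it parses the two AVC records quoted above, groups the denials by device and inode, and reports objects that carry admin_home_t outside /root together with the restorecon command that relabels them. The function names and the home_types parameter are assumptions of this example.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the thread, with the mail wrapping undone.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1401200342.155:473): avc: denied { read } for '
    'pid=5501 comm="httpd" name="hosts" dev="dm-0" ino=270007 '
    'scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1401195880.487:401): avc: denied { getattr } for '
    'pid=1064 comm="chronyd" path="/etc/hosts" dev="dm-0" ino=270007 '
    'scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file',
]
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    perms = PERMS.search(line)
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    # A context is user:role:type:level, so the type is the third field.
    src, tgt = (rec.get(k, '').split(':') for k in ('scontext', 'tcontext'))
    if rec.get('type') != 'AVC' or not perms or min(len(src), len(tgt)) < 3:
        return None
    rec.update(perms=perms.group(1).split(), stype=src[2], ttype=tgt[2])
    return rec

def mislabeled_objects(lines, home_types=('admin_home_t',)):
    """Group denials by (dev, ino). Several domains denied on one inode that
    has a /root label but lives elsewhere points at a moved file."""
    groups = defaultdict(lambda: {'paths': set(), 'domains': set()})
    for rec in filter(None, map(parse_avc, lines)):
        if rec['ttype'] not in home_types:
            continue
        g = groups[(rec.get('dev', '?'), rec.get('ino', '?'))]
        g['ttype'] = rec['ttype']
        g['domains'].add(rec['stype'])
        # Records that carry only name= still count toward the same inode.
        if 'path' in rec and not rec['path'].startswith('/root/'):
            g['paths'].add(rec['path'])
    return {k: g for k, g in groups.items() if g['paths']}

def report(lines):
    """One line per mislabeled path, with the relabel command as the fix."""
    return [f"{p} (dev={dev} ino={ino}) is {g['ttype']}; denied to "
            f"{', '.join(sorted(g['domains']))}; fix: restorecon -v {p}"
            for (dev, ino), g in sorted(mislabeled_objects(lines).items())
            for p in sorted(g['paths'])]

if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_AVCS)))
```

Both denials resolve to the same inode, which is why the httpd and chronyd records are reported as one relabeling problem.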