I'm getting an AVC in the boot process when systemd tries to mount a
drive. It's too early in the boot process for it to be in
/var/log/audit/audit.log. I don't speak AVC well enough to generate a
rule without the log entry:

    Nov 03 10:31:05 c3po.example.com audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="lan" dev="dm-0" ino=100732081 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0

    [0:root@c3po shorewall 2]$ ls -ldZ /lan
    drwxr-xr-x. 4 root root system_u:object_r:samba_share_t:s0 37 Jan 15 2011 /lan

/etc/fstab:

    # /dev/sdf1 - lvm - storage-LAN
    UUID=3817923e-98d6-4876-bffc-5aef71a2b9a2 /lan xfs defaults,nofail 0 2

Can anyone help me create a module from the AVC similar to the one I
have for shorewall?:

    module my_shorewall 1.0;

    require {
            type var_lock_t;
            type shorewall_t;
            class file { create getattr relabelfrom relabelto setattr unlink write };
    }

    #============= shorewall_t ==============

    #!!!! WARNING: 'var_lock_t' is a base type.
    #!!!! The file '/run/lock/subsys/shorewall' is mislabeled on your system.
    #!!!! Fix with $ restorecon -R -v /run/lock/subsys/shorewall
    allow shorewall_t var_lock_t:file { create getattr relabelfrom relabelto setattr unlink write };

Thanks,
Bill
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
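The question above asks how to turn a single AVC line into a policy module by hand. The script below is an added illustration, not part of the original post or of any SELinux tool: it parses the fields that matter in an AVC denial (the permission set, the source and target types out of the contexts, and the object class) and emits a .te module in the same layout that the shorewall module in the post uses. The sample input is the denial quoted in the post plus a second, constructed denial for the same type pair, included only to show how several denials collapse into one allow rule; the module name `my_lan_mount` is an assumption.

```python
import re

# Constructed sample input: the denial quoted in the post, plus a second,
# constructed line for the same source/target pair (here asking for
# "search") so that rule merging is exercised.
SAMPLE_AVCS = [
    'Nov 03 10:31:05 c3po.example.com audit[1]: AVC avc: denied { read } for '
    'pid=1 comm="systemd" name="lan" dev="dm-0" ino=100732081 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0',
    'Nov 03 10:31:05 c3po.example.com audit[1]: AVC avc: denied { search } for '
    'pid=1 comm="systemd" name="lan" dev="dm-0" ino=100732081 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0',
]

# An AVC denial carries "{ perm ... }" followed, further along the line,
# by scontext=, tcontext= and tclass=. The permissive= field is ignored.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the permissions, source type, target type and class of one denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line: %r" % line)
    # A security context is user:role:type:level; the type is field 2.
    return {
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def fmt_perms(perms):
    """One permission is written bare; several are written as { a b c }."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def build_module(name, avcs, version="1.0"):
    """Render a .te module: a require block, then one allow rule per
    (source type, target type, class) with the permissions merged."""
    rules = {}
    for a in avcs:
        key = (a["stype"], a["ttype"], a["tclass"])
        rules.setdefault(key, set()).update(a["perms"])

    types = sorted({t for (s, o, _) in rules for t in (s, o)})
    classes = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)

    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, fmt_perms(classes[c])) for c in sorted(classes)]
    lines += ["}", ""]

    by_source = {}
    for key in sorted(rules):
        by_source.setdefault(key[0], []).append(key)
    for stype in sorted(by_source):
        lines.append("#============= %s ==============" % stype)
        for (s, o, cls) in by_source[stype]:
            lines.append("allow %s %s:%s %s;" % (s, o, cls, fmt_perms(rules[(s, o, cls)])))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_module("my_lan_mount", [parse_avc(l) for l in SAMPLE_AVCS]))
```

Running the script prints a module whose single rule is `allow init_t samba_share_t:dir { read search };`; fed only the first sample line it prints `allow init_t samba_share_t:dir read;`. The resulting .te file is compiled and loaded the same way as any hand-written module (`checkmodule -M -m`, `semodule_package`, `semodule -i`), which is what `audit2allow -M` automates. Two things are worth checking before loading such a rule: an allow rule is type-wide, so it lets init_t read every directory labeled samba_share_t, not only /lan; and, as the warning comments in the shorewall module on this page show, a denial on a mislabeled path is usually better answered by fixing the label than by widening the policy.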