On 11/03/2016 05:42 PM, Bill shirley wrote:
> I'm getting an AVC in the boot process when systemd tries to mount a
> drive. It's too early in the boot process
> for it to be in /var/log/audit/audit.log. I don't speak AVC well enough
> to generate a rule without the log entry:
> Nov 03 10:31:05 c3po.example.com audit[1]: AVC avc:  denied  { read }
> for  pid=1 comm="systemd" name="lan" dev="dm-0" ino=100732081
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0

Hi,
could you run

# semanage permissive -a init_t

re-test it

# ausearch -m avc -ts recent

# semanage permissive -d init_t

to see if we can get more AVCs so we can write a better rule if it is needed.

>
> [0:root@c3po shorewall 2]$ ls -ldZ /lan
> drwxr-xr-x. 4 root root system_u:object_r:samba_share_t:s0 37 Jan 15
> 2011 /lan
>
> /etc/fstab:
> # /dev/sdf1 - lvm - storage-LAN
> UUID=3817923e-98d6-4876-bffc-5aef71a2b9a2 /lan
> xfs defaults,nofail 0 2
>
> Can anyone help me create a module from the AVC similar to the one I
> have for shorewall?:
> module my_shorewall 1.0;
>
> require {
>         type var_lock_t;
>         type shorewall_t;
>         class file { create getattr relabelfrom relabelto setattr unlink
> write };
> }
>
> #============= shorewall_t ==============
>
> #!!!! WARNING: 'var_lock_t' is a base type.
> #!!!! The file '/run/lock/subsys/shorewall' is mislabeled on your system.
> #!!!! Fix with $ restorecon -R -v /run/lock/subsys/shorewall
> allow shorewall_t var_lock_t:file { create getattr relabelfrom relabelto
> setattr unlink write };

Note: Did you try to run

# restorecon -R -v /run/lock/subsys/shorewall

to fix this issue?

>
> Thanks,
> Bill
>
>
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
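The reply above asks for the full set of AVCs before writing a rule; the usual next step is to turn each denial into a `.te` module (what `audit2allow` does) and read the resulting allow rule before loading it. The script below is an added example, not code from the thread or from the SELinux tools: it parses a raw AVC line into the source type, target type, object class and permission set, and prints a module in the same shape as Bill's `my_shorewall` module. The AVC line is the one Bill posted, embedded here as a constructed sample; the module name `my_init_lan` and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a reviewable
# SELinux .te module from a raw AVC denial line.
#
# Collection workflow, as suggested in the reply above (run as root;
# these lines are documentation only and are not executed here):
#   semanage permissive -a init_t      # let init_t log every denial instead of the first
#   <re-test, e.g. mount /lan>
#   ausearch -m avc -ts recent         # collect all AVCs for the domain
#   semanage permissive -d init_t      # put init_t back in enforcing mode
#
# Constructed sample: the AVC line from Bill's post, on one line.
AVC_LINE='Nov 03 10:31:05 c3po.example.com audit[1]: AVC avc:  denied  { read } for  pid=1 comm="systemd" name="lan" dev="dm-0" ino=100732081 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY -> value of the KEY=value token in LINE (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permission list between "denied {" and "}"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# context_type CONTEXT -> the type field of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te LINE MODULE_NAME -> prints a minimal .te module allowing exactly
# the denied access. Review the allow rule before loading it: if the target
# type is wrong for the object (as with the mislabeled lock file in the
# thread), the right fix is restorecon or a file context rule, not an allow.
avc_to_te() {
    line=$1
    name=$2
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$name" "$src" "$tgt" "$cls" "$perms" "$src" "$tgt" "$cls" "$perms"
}

# Usage: write the module to a file, then compile and load it (as root):
#   checkmodule -M -m -o my_init_lan.mod my_init_lan.te
#   semodule_package -o my_init_lan.pp -m my_init_lan.mod
#   semodule -i my_init_lan.pp
avc_to_te "$AVC_LINE" my_init_lan
```

With several AVCs from `ausearch`, run `avc_to_te` once per line and merge the allow rules by hand, or feed the whole `ausearch` output to `audit2allow -M my_init_lan`, which does the same merging and also prints the mislabeling warnings seen in Bill's shorewall module.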