On Friday, 27.01.2006, at 08:37 -0500, Stephen Smalley wrote:
> On Fri, 2006-01-27 at 12:13 +0100, Roger Grosswiler wrote:
> > Hey,
> >
> > I still have AVC Denied while booting:
> >
> > SELinux: Completing initialization.
> > SELinux: Setting up existing superblocks.
> > SELinux: initialized (dev dm-0, type ext3), uses xattr
> > SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> > SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
> > SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
> > SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> > SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
> > SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> > SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
> > SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
> > SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> > SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> > SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> > SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> > SELinux: initialized (dev proc, type proc), uses genfs_contexts
> > SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> > SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> > SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> > SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> > audit(1138363358.904:2): avc: denied { write } for pid=388 comm="restorecon" name="[984]" dev=pipefs ino=984 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
> > audit(1138363358.912:3): avc: denied { read } for pid=387 comm="restorecon" name="[984]" dev=pipefs ino=984 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
> >
> >
> > What does it concern? pipefs? Where is that needed?
> >
> > Even gnome-power-manager, avahi and hal don't start if I have
> > selinux=enforcing. Permissive still works fine.
>
> Hmm...the restorecon fix has been in policy for a while now, so if you
> have the latest policy, you shouldn't still be seeing those denials; I
> don't see them with current rawhide. There was a change made to the
> restorecon code that creates a child process and communicates with it
> via a pipe, which is why it suddenly started needing that permission.
> But that was added to the policy as I noted.
>
> There were other policy fixes associated with the other items you
> mentioned as well.
>
> rpm -q selinux-policy-targeted
> rpm -V selinux-policy-targeted
>
> --
> Stephen Smalley
> National Security Agency
>

Stephen,

Thanks, look at this:

[roger@niobe ~]$ sudo rpm -qa | grep selinux-policy-targeted
[roger@niobe ~]$ sudo rpm -qa | grep selinux-policy
[roger@niobe ~]$

...seems I did not have ANY policy installed??????

BTW, can somebody explain to me the difference between

-targeted
-mls
-strict

??

Thanks,
Roger

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list