Re: Issue with selinux and swapfiles in FC5?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Doug Fordham wrote:

Fabio Comolli wrote:

Hi.


On 2/16/06, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

Fabio Mollify wrote:

Who in the hell is Fabio Mollify???????



forgot the :-)


Hi. I found this line in my logs:

audit(1140033999.212:6): avc:  denied  { write } for  pid=2171
comm="swapon" name="swapfile" dev=sda2 ino=67052
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=file
I'm just experimenting with selinux, so I set it up in permissive mode 
and the swap was activated.

Is there a way to get rid of it? (or can it be considered harmless?)

Thanks in advance.
Fabio



chcon -t swapfile_t swapfile

should fix the problem. (swapfile_t needs to be made a customizable
type.   Also needs a man page)



Unfortunately it didn't work:

root@kepler ~]# ls -Z /swapfile
-rw-r--r--  root     root     system_u:object_r:swapfile_t     /swapfile

but the warning in dmesg is still there:

audit(1140109455.801:6): avc:  denied  { read } for  pid=2165
comm="swapon" name="swapfile" dev=sda2 ino=67052
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:swapfile_t:s0 tclass=file
audit(1140109455.810:7): avc:  denied  { write } for  pid=2165
comm="swapon" name="swapfile" dev=sda2 ino=67052
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:swapfile_t:s0 tclass=file

Should I try: chcon -t fsadm_t /swapfile ?

Thanks again,
Fabio


After today's update, in addition to the swapfile entry:
audit(1140147570.846:4): avc: denied { write } for pid=1050 comm="mount" name="blkid.tab" dev=dm-0 ino=2127396 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file audit(1140147572.454:5): avc: denied { write } for pid=1099 comm="swapon" name="blkid.tab" dev=dm-0 ino=2127396 scontext=system_u:system_r:fsadm_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file
This is mislabeled and we are working to find the source of the mislabeling. restorecon /etc/blkid.tab will fix it.
Adding 1048568k swap on /dev/VolGroup00/LogVol01. Priority:-1 extents:1 across:1048568k 

...also, have the following in dmesg:
audit(1140129521.520:2): avc: denied { write } for pid=349 comm="restorecon" name="[952]" dev=pipefs ino=952 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file 
Fixed in latest policy
audit(1140129521.520:3): avc: denied { read } for pid=348 comm="restorecon" name="[952]" dev=pipefs ino=952 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
audit(1140147577.742:6): avc: denied { read } for pid=1131 comm="readahead" name="display" dev=ramfs ino=3278 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file audit(1140147577.742:7): avc: denied { read } for pid=1131 comm="readahead" name="rhgb-console" dev=ramfs ino=3350 scontext=system_u:system_r:readahead_t:s0 
tcontext=system_u:object_r:ramfs_t:s0 tclass=fifo_file



Fixed in latest policy

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]