F17-Selinux troubles after upgrading

antonio montagnani antonio.montagnani at alice.it
Wed May 2 21:08:50 UTC 2012


On 02/05/2012 22:54, Daniel J Walsh wrote:
> On 05/02/2012 04:35 PM, antonio montagnani wrote:
>> On 02/05/2012 22:24, Daniel J Walsh wrote: On 05/02/2012 04:22 PM,
>> Adam Williamson wrote:
>>>>> On Sat, 2012-04-28 at 20:30 +0100, Frank Murphy wrote:
>>>>>> On 28/04/12 20:26, antonio wrote:
>>>>>>> I upgraded from F-16 to F-17 Beta, then upgraded to find that I
>>>>>>> couldn't delete my own files!!! After disabling SELinux and
>>>>>>> enabling it again (i.e. relabeling) everything is o.k. Anybody
>>>>>>> experiencing it??
>>>>>>
>>>>>> No, but it's good practice to do a relabel after an update. As
>>>>>> policies most likely have changed, even if subtly.
>>>>>>
>>>>>> I'm surprised a full relabel wasn't done automatically.
>>>>>
>>>>> Antonio doesn't really provide much detail on how exactly he
>>>>> upgraded. I think anaconda-based upgrades do a relabel automatically,
>>>>> but obviously upgrading via yum won't necessarily do so.
>>
>> We have not done a full relabel on upgrade, since it could take potentially
>> a very long time.  We could just drop the /.autorelabel file in preupgrade
>> which would trigger the relabel.  I have not heard of other people having
>> SELinux labeling issues on upgrade, I wish we had the audit.log to see what
>> the problem was. Dan,
>>
>> where do I find the audit.log file???
>>
>> Tnx
>>
>
> /var/log/audit/audit.log
>
> ausearch -m avc
>
> Will extract the parts I care about

>  ausearch -m avc
> ----
> time->Sat Apr 14 18:01:38 2012
> type=SYSCALL msg=audit(1334419298.900:159): arch=40000003 syscall=11 success=yes exit=0 a0=8aee390 a1=8aee400 a2=8aed980 a3=8aed980 items=0 ppid=20996 pid=20997 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=pts0 ses=2 comm="newaliases" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1334419298.900:159): avc:  denied  { read } for  pid=20997 comm="newaliases" path="/home/antonio" dev=dm-2 ino=1048577 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> type=AVC msg=audit(1334419298.900:159): avc:  denied  { read } for  pid=20997 comm="newaliases" path="/home/antonio" dev=dm-2 ino=1048577 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> ----
> time->Thu Apr 19 18:35:45 2012
> type=SYSCALL msg=audit(1334853345.590:66): arch=40000003 syscall=5 success=no exit=-13 a0=81159d0 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1845 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
> type=AVC msg=audit(1334853345.590:66): avc:  denied  { read } for  pid=1845 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Thu Apr 19 18:39:05 2012
> type=AVC msg=audit(1334853545.115:41): avc:  denied  { read } for  pid=892 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Thu Apr 19 21:40:30 2012
> type=AVC msg=audit(1334864430.369:41): avc:  denied  { read } for  pid=902 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Fri Apr 20 07:02:19 2012
> type=AVC msg=audit(1334898139.025:41): avc:  denied  { read } for  pid=921 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Fri Apr 20 18:11:40 2012
> type=AVC msg=audit(1334938300.294:43): avc:  denied  { read } for  pid=886 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Fri Apr 20 22:49:42 2012
> type=AVC msg=audit(1334954982.484:40): avc:  denied  { read } for  pid=928 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sat Apr 21 07:31:25 2012
> type=AVC msg=audit(1334986285.449:40): avc:  denied  { read } for  pid=880 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sat Apr 21 10:25:11 2012
> type=AVC msg=audit(1334996711.727:44): avc:  denied  { read } for  pid=914 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sat Apr 21 12:26:50 2012
> type=AVC msg=audit(1335004010.139:41): avc:  denied  { read } for  pid=883 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sun Apr 22 07:07:06 2012
> type=AVC msg=audit(1335071226.584:41): avc:  denied  { read } for  pid=892 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sun Apr 22 08:00:32 2012
> type=AVC msg=audit(1335074432.589:40): avc:  denied  { read } for  pid=903 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sat Apr 28 19:02:02 2012
> type=AVC msg=audit(1335632522.668:9): avc:  denied  { read } for  pid=619 comm="dmesg" name="ld.so.cache" dev="dm-1" ino=525985 scontext=system_u:system_r:dmesg_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
> [root@exmarco ~]#

-- 
Antonio Montagnani
Fedora 17 Beta
Acer 5670
________________________
http://www.campingmonterosa.com

