strongswan problem
by Holger Burde
Hi;
I have a problem running strongswan (userland/ = pluto daemon) on my FC4
box with SELinux enabled.
[root@marvin strongswan-2.6.3]# ipsec setup start
ipsec_setup: Starting strongSwan IPsec U2.6.3/K2.6.16-1.2069_FC4...
ipsec_setup: Cannot talk to rtnetlink: Invalid argument
ipsec_setup: Cannot talk to rtnetlink: Invalid argument
With setenforce 0 everything works fine.
I looked through the policy and found only a partial (or my installation
is borken?) ipsec policy. domains/programs has no ipsec.te
and ipsec.fc is there. Do I have to create the ipsec policy (te) from
scratch or is there something to use (modify)?
Policy Version: selinux-policy-targeted-sources-1.27.1-2.22
selinux-policy-targeted-1.27.1-2.22
thx in advance
--
--- -- -
Dipl. Inform. H. Burde
EMail : <hburde(a)t-online.de>| <hburde(a)uni-bremen.de>
17 years, 2 months
Re: changed selinux to permissive get new avcs (Solved)
by Antonio Olivares
% parts of message removed
>That should be:
>
>touch /.autorelabel
>
>Then reboot.
>
>Bob
>
>--
>Bob Kashani
>----
Ok, Problem has been solved. Here's what I did,
I yum updated selinux*
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# yum update selinux*
Setting up Update Process
Setting up repositories
updates-released 100%
|=========================| 951 B 00:00
extras 100%
|=========================| 1.1 kB 00:00
base 100%
|=========================| 1.1 kB 00:00
Reading repository metadata in from local files
primary.xml.gz 100%
|=========================| 387 kB 01:24
updates-re:
##################################################
1075/1075
Added 1075 new packages, deleted 0 old in 12.94
seconds
primary.xml.gz 100%
|=========================| 1.2 MB 04:25
extras :
##################################################
3482/3482
Added 3482 new packages, deleted 0 old in 33.80
seconds
primary.xml.gz 100%
|=========================| 824 kB 03:40
base :
##################################################
2772/2772
Added 2772 new packages, deleted 0 old in 23.76
seconds
Resolving Dependencies
--> Populating transaction set with selected packages.
Please wait.
---> Downloading header for
selinux-policy-strict-sources to pack into transaction
set.
http://klid.dk/homeftp/fedora/linux/core/updates/4/i386/selinux-policy-st...:
[Errno 4] IOError: HTTP Error 403: Date: Sun, 02 Apr
2006 04:12:44 GMT
Server: Apache/2.0.54 (Mandriva
Linux/PREFORK-13.2.20060mdk)
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Trying other mirror.
selinux-policy-strict-sou 100%
|=========================| 124 kB 00:09
---> Package selinux-policy-strict-sources.noarch
0:1.27.1-2.27 set to be updated
---> Downloading header for selinux-policy-strict to
pack into transaction set.
selinux-policy-strict-1.2 100%
|=========================| 47 kB 00:04
---> Package selinux-policy-strict.noarch
0:1.27.1-2.27 set to be updated
---> Downloading header for
selinux-policy-targeted-sources to pack into
transaction set.
selinux-policy-targeted-s 100%
|=========================| 93 kB 00:07
---> Package selinux-policy-targeted-sources.noarch
0:1.27.1-2.22 set to be updated
---> Downloading header for selinux-policy-targeted to
pack into transaction set.
selinux-policy-targeted-1 100%
|=========================| 50 kB 00:04
---> Package selinux-policy-targeted.noarch
0:1.27.1-2.22 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version
Repository Size
=============================================================================
Updating:
selinux-policy-strict noarch 1.27.1-2.27
updates-released 1.9 M
selinux-policy-strict-sources noarch 1.27.1-2.27
updates-released 378 k
selinux-policy-targeted noarch 1.27.1-2.22
updates-released 924 k
selinux-policy-targeted-sources noarch
1.27.1-2.22 updates-released 281 k
Transaction Summary
=============================================================================
Install 0 Package(s)
Update 4 Package(s)
Remove 0 Package(s)
Total download size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): selinux-policy-str 100%
|=========================| 378 kB 01:05
(2/4): selinux-policy-str 100%
|=========================| 1.9 MB 06:47
(3/4): selinux-policy-tar 100%
|=========================| 281 kB 00:48
(4/4): selinux-policy-tar 100%
|=========================| 924 kB 03:03
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : selinux-policy-targeted
######################### [1/8]
Updating : selinux-policy-strict
######################### [2/8]
Updating : selinux-policy-strict-source
######################### [3/8]
Updating : selinux-policy-targeted-sour
######################### [4/8]
/etc/selinux/targeted/contexts/files/file_contexts:
line 621 has invalid context
system_u:object_r:acct_exec_t
/sbin/restorecon reset /usr/bin/iiimx context
system_u:object_r:i18n_input_exec_t->system_u:object_r:bin_t
********** Lots more messages omitted *************
l_t->system_u:object_r:var_spool_t
/sbin/restorecon reset /var/spool/postfix/saved
context
system_u:object_r:mail_spool_t->system_u:object_r:var_spool_t
/sbin/restorecon reset /var/spool/postfix/deferred
context
system_u:object_r:mail_spool_t->system_u:object_r:var_spool_t
Cleanup : selinux-policy-strict-source
######################### [5/8]
Cleanup : selinux-policy-strict
######################### [6/8]
Cleanup : selinux-policy-targeted-sour
######################### [7/8]
Cleanup : selinux-policy-targeted
######################### [8/8]
Updated: selinux-policy-strict.noarch 0:1.27.1-2.27
selinux-policy-strict-sources.noarch 0:1.27.1-2.27
selinux-policy-targeted.noarch 0:1.27.1-2.22
selinux-policy-targeted-sources.noarch 0:1.27.1-2.22
Complete!
[root@localhost ~]#
Did a touch /.autorelabel as Bob put it correctly, set
selinux back to enforcing and rebooted. I crossed my
fingers and voila, it worked!!!
Thanks to all who responded and helped.
>maybe I'm dense but the only thing I saw was the same avc
>denied several times for rpc.statd which relates to nfs
>but has nothing to do with web browsing/internet.
>
>are you saying that web browsing is working in
>permissive mode and not
>working in targeted/enforcing mode?
>
>Craig
That was the case Craig, but now all is well. Here's
part of the new avcs that I got after touch
./autorelabel
SELinux: initialized (dev hda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
audit(1143993007.681:2): avc: granted { setenforce }
for pid=545 comm="rc.sysinit"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:security_t tclass=security
audit(1143993803.490:3): avc: granted { setenforce }
for pid=545 comm="rc.sysinit"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:security_t tclass=security
Adding 786424k swap on /dev/VolGroup00/LogVol01.
Priority:-1 extents:1 across:786424k
SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) -
232 bytes per conntrack
SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
Now they were granted and all is well.
Best Regards,
Antonio
17 years, 2 months
changed selinux to permissive get new avcs
by Antonio Olivares
Dear all,
As I had some previous trouble with selinux, and
have gotten little to no advice, I read through the
fedora wiki, and fedora selinux-faq and previous
knowledge/advice from fedora-list
I did a ./touchrelabel and reboot.
I could still not connect to internet with latest FC4
kernel (2.6.16-1.2069_FC4). I have changed selinux
mode to permissive mode and I get new avc's.
SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) -
232 bytes per conntrack
audit(1143945599.518:2): avc: denied { sendto } for
pid=1620 comm="rpc.statd"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:3): avc: denied { recvfrom }
for pid=1620 comm="rpc.statd"
scontext=system_u:system_r:portmap_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:4): avc: denied { sendto } for
pid=1602 comm="portmap"
scontext=system_u:system_r:portmap_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:5): avc: denied { recvfrom }
for pid=1602 comm="portmap"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
I will post inline complete dmesg to get better
advice.
[root@localhost ~]# dmesg
Linux version 2.6.16-1.2069_FC4
(bhcompile(a)hs20-bc1-7.build.redhat.com) (gcc version
4.0.2 20051125 (Red Hat 4.0.2-8)) #1 Tue Mar 28
12:19:10 EST 2006
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 - 000000000009fc00
(usable)
BIOS-e820: 000000000009fc00 - 00000000000a0000
(reserved)
BIOS-e820: 00000000000f0000 - 0000000000100000
(reserved)
BIOS-e820: 0000000000100000 - 0000000017ff0000
(usable)
BIOS-e820: 0000000017ff0000 - 0000000017ff3000 (ACPI
NVS)
BIOS-e820: 0000000017ff3000 - 0000000018000000 (ACPI
data)
BIOS-e820: 00000000ffff0000 - 0000000100000000
(reserved)
0MB HIGHMEM available.
383MB LOWMEM available.
Using x86 segment limits to approximate NX protection
On node 0 totalpages: 98288
DMA zone: 4096 pages, LIFO batch:0
DMA32 zone: 0 pages, LIFO batch:0
Normal zone: 94192 pages, LIFO batch:31
HighMem zone: 0 pages, LIFO batch:0
DMI 2.2 present.
ACPI: RSDP (v000 AWARD
) @ 0x000f6280
ACPI: RSDT (v001 AWARD AWRDACPI 0x42302e31 AWRD
0x00000000) @ 0x17ff3000
ACPI: FADT (v001 AWARD AWRDACPI 0x42302e31 AWRD
0x00000000) @ 0x17ff3040
ACPI: DSDT (v001 AWARD AWRDACPI 0x00001000 MSFT
0x0100000c) @ 0x00000000
ACPI: PM-Timer IO Port: 0x508
Allocating PCI resources starting at 20000000 (gap:
18000000:e7ff0000)
Built 1 zonelists
Kernel command line: ro root=/dev/VolGroup00/LogVol00
rhgb quiet
Local APIC disabled by BIOS -- you can enable it with
"lapic"
mapped APIC to ffffd000 (01304000)
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
CPU 0 irqstacks, hard=c040a000 soft=c040b000
PID hash table entries: 2048 (order: 11, 32768 bytes)
Detected 1466.863 MHz processor.
Using pmtmr for high-res timesource
Console: colour VGA+ 80x25
Dentry cache hash table entries: 65536 (order: 6,
262144 bytes)
Inode-cache hash table entries: 32768 (order: 5,
131072 bytes)
Memory: 383964k/393152k available (2131k kernel code,
8656k reserved, 754k data, 200k init, 0k highmem)
Checking if this processor honours the WP bit even in
supervisor mode... Ok.
Calibrating delay using timer specific routine..
2937.06 BogoMIPS (lpj=5874126)
Security Framework v1.0.0 initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary
module capability
Capability LSM initialized as secondary
Mount-cache hash table entries: 512
CPU: After generic identify, caps: 0383f9ff c1c3f9ff
00000000 00000000 00000000 00000000 00000000
CPU: After vendor identify, caps: 0383f9ff c1c3f9ff
00000000 00000000 00000000 00000000 00000000
CPU: L1 I Cache: 64K (64 bytes/line), D cache 64K (64
bytes/line)
CPU: L2 Cache: 256K (64 bytes/line)
CPU: After all inits, caps: 0383f1ff c1c3f9ff 00000000
00000020 00000000 00000000 00000000
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#0.
CPU: AMD Athlon(tm) XP 1700+ stepping 02
Checking 'hlt' instruction... OK.
ACPI: setting ELCR to 0200 (from 0c20)
checking if image is initramfs... it is
Freeing initrd memory: 1645k freed
NET: Registered protocol family 16
ACPI: bus type pci registered
PCI: PCI BIOS revision 2.10 entry at 0xfb330, last
bus=1
PCI: Using configuration type 1
ACPI: Subsystem revision 20060127
ACPI: Interpreter enabled
ACPI: Using PIC for interrupt routing
ACPI: PCI Root Bridge [PCI0] (0000:00)
PCI: Probing PCI hardware (bus 00)
ACPI: Assume root bridge [\_SB_.PCI0] bus is 0
Boot video device is 0000:00:09.0
PCI quirk: region 0500-053f claimed by ali7101 ACPI
PCI quirk: region 0400-041f claimed by ali7101 SMB
ACPI: PCI Interrupt Routing Table [\_SB_.PCI0._PRT]
ACPI: PCI Interrupt Link [LNK1] (IRQs 1 3 4 5 6 7 10
11 12 14 15) *0, disabled.
ACPI: PCI Interrupt Link [LNK2] (IRQs 1 3 4 5 6 7 *10
11 12 14 15)
ACPI: PCI Interrupt Link [LNK3] (IRQs 1 3 4 5 6 7 10
11 12 14 15) *0, disabled.
ACPI: PCI Interrupt Link [LNK4] (IRQs 1 3 4 5 6 7 10
*11 12 14 15)
ACPI: PCI Interrupt Link [LNK5] (IRQs 1 3 4 5 6 7 10
*11 12 14 15)
ACPI: PCI Interrupt Link [LNK6] (IRQs 1 3 4 5 6 7 10
11 12 14 15) *0, disabled.
ACPI: PCI Interrupt Link [LNK7] (IRQs 1 3 4 5 6 7 10
11 12 14 15) *0, disabled.
ACPI: PCI Interrupt Link [LNK8] (IRQs 1 3 4 *5 6 7 10
11 12 14 15)
ACPI: PCI Interrupt Link [LNK9] (IRQs 1 3 4 5 6 7 10
*11 12 14 15)
Linux Plug and Play Support v0.97 (c) Adam Belay
pnp: PnP ACPI init
pnp: PnP ACPI: found 13 devices
usbcore: registered new driver usbfs
usbcore: registered new driver hub
PCI: Using ACPI for IRQ routing
PCI: If a device doesn't work, try "pci=routeirq". If
it helps, post a report
PCI: Bridge: 0000:00:01.0
IO window: disabled.
MEM window: disabled.
PREFETCH window: disabled.
PCI: Setting latency timer of device 0000:00:01.0 to
64
apm: BIOS version 1.2 Flags 0x07 (Driver version
1.16ac)
apm: overridden by ACPI.
audit: initializing netlink socket (disabled)
audit(1143923979.008:1): initialized
Total HugeTLB memory allocated, 0
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096
bytes)
SELinux: Registering netfilter hooks
Initializing Cryptographic API
ksign: Installing public key data
Loading keyring
- Added public key 6D8AC7E0298FAC35
- User ID: Red Hat, Inc. (Kernel Module GPG key)
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
Limiting direct PCI/PCI transfers.
Activating ISA DMA hang workarounds.
pci_hotplug: PCI Hot Plug PCI Core version: 0.5
ACPI: Fan [FAN] (on)
ACPI: Processor [CPU0] (supports 2 throttling states)
ACPI: Thermal Zone [THRM] (56 C)
isapnp: Scanning for PnP cards...
isapnp: No Plug & Play device found
Real Time Clock Driver v1.12ac
Linux agpgart interface v0.101 (c) Dave Jones
agpgart: Detected ALi M1647 chipset
agpgart: AGP aperture is 128M @ 0xd0000000
PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at
0x60,0x64 irq 1,12
serio: i8042 AUX port at 0x60,0x64 irq 12
serio: i8042 KBD port at 0x60,0x64 irq 1
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports,
IRQ sharing enabled
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
00:08: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
00:09: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
ACPI: PCI Interrupt Link [LNK2] enabled at IRQ 10
PCI: setting IRQ 10 as level-triggered
ACPI: PCI Interrupt 0000:00:0d.0[A] -> Link [LNK2] ->
GSI 10 (level, low) -> IRQ 10
Couldn't register serial port 0000:00:0d.0: -28
RAMDISK driver initialized: 16 RAM disks of 16384K
size 1024 blocksize
Uniform Multi-Platform E-IDE driver Revision:
7.00alpha2
ide: Assuming 33MHz system bus speed for PIO modes;
override with idebus=xx
ALI15X3: IDE controller at PCI slot 0000:00:04.0
ACPI: PCI Interrupt 0000:00:04.0[A]: no GSI
ALI15X3: chipset revision 196
ALI15X3: not 100% native mode: will probe irqs later
ide0: BM-DMA at 0xd400-0xd407, BIOS settings:
hda:DMA, hdb:pio
ide1: BM-DMA at 0xd408-0xd40f, BIOS settings:
hdc:DMA, hdd:DMA
Probing IDE interface ide0...
hda: ST340016A, ATA DISK drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
Probing IDE interface ide1...
hdc: IDE DVD-ROM 16X, ATAPI CD/DVD-ROM drive
hdd: RW-241040, ATAPI CD/DVD-ROM drive
ide1 at 0x170-0x177,0x376 on irq 15
hda: max request size: 128KiB
hda: 78165360 sectors (40020 MB) w/2048KiB Cache,
CHS=65535/16/63, UDMA(100)
hda: cache flushes not supported
hda: hda1 hda2
hdc: ATAPI 48X DVD-ROM drive, 512kB Cache, UDMA(33)
Uniform CD-ROM driver Revision: 3.20
hdd: ATAPI 40X CD-ROM CD-R/RW drive, 2048kB Cache,
UDMA(33)
ide-floppy driver 0.99.newide
usbcore: registered new driver libusual
usbcore: registered new driver hiddev
usbcore: registered new driver usbhid
drivers/usb/input/hid-core.c: v2.6:USB HID core driver
mice: PS/2 mouse device common for all mice
md: md driver 0.90.3 MAX_MD_DEVS=256, MD_SB_DISKS=27
md: bitmap version 4.39
NET: Registered protocol family 2
input: AT Translated Set 2 keyboard as
/class/input/input0
IP route cache hash table entries: 4096 (order: 2,
16384 bytes)
TCP established hash table entries: 16384 (order: 6,
262144 bytes)
TCP bind hash table entries: 16384 (order: 6, 327680
bytes)
TCP: Hash tables configured (established 16384 bind
16384)
TCP reno registered
TCP bic registered
Initializing IPsec netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
Using IPI Shortcut mode
ACPI wakeup devices:
PCI0 USB0 USB1
ACPI: (supports S0 S1 S4 S5)
Freeing unused kernel memory: 200k freed
Write protecting the kernel read-only data: 346k
device-mapper: 4.5.0-ioctl (2005-10-04) initialised:
dm-devel(a)redhat.com
kjournald starting. Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
input: ImPS/2 Generic Wheel Mouse as
/class/input/input1
security: 3 users, 6 roles, 764 types, 87 bools
security: 55 classes, 182383 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses
genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs),
uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not
configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs),
not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses
transition SIDs
SELinux: initialized (dev eventpollfs, type
eventpollfs), uses genfs_contexts
SELinux: initialized (dev inotifyfs, type inotifyfs),
not configured for labeling
SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses
genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses
task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses
task SIDs
SELinux: initialized (dev proc, type proc), uses
genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses
genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses
genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses
genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses
genfs_contexts
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
ACPI: PCI Interrupt Link [LNK4] enabled at IRQ 11
PCI: setting IRQ 11 as level-triggered
ACPI: PCI Interrupt 0000:00:0b.0[A] -> Link [LNK4] ->
GSI 11 (level, low) -> IRQ 11
3c59x: Donald Becker and others.
www.scyld.com/network/vortex.html
0000:00:0b.0: 3Com PCI 3c905 Boomerang 100baseTx at
0001dc00. Vers LK1.1.19
ACPI: PCI Interrupt Link [LNK8] enabled at IRQ 5
PCI: setting IRQ 5 as level-triggered
ACPI: PCI Interrupt 0000:00:03.0[A] -> Link [LNK8] ->
GSI 5 (level, low) -> IRQ 5
AC'97 1 does not respond - RESET
AC'97 1 access is not valid [0xffffffff], removing
mixer.
ali mixer 1 creating error.
slamr: module license 'Smart Link Ltd.' taints kernel.
slamr: SmartLink AMRMO modem.
slamr: device 163c:3052 is grabbed by another driver
ohci_hcd: 2005 April 22 USB 1.1 'Open' Host Controller
(OHCI) Driver (PCI)
ACPI: PCI Interrupt Link [LNK9] enabled at IRQ 11
ACPI: PCI Interrupt 0000:00:02.0[A] -> Link [LNK9] ->
GSI 11 (level, low) -> IRQ 11
ohci_hcd 0000:00:02.0: OHCI Host Controller
ohci_hcd 0000:00:02.0: new USB bus registered,
assigned bus number 1
ohci_hcd 0000:00:02.0: irq 11, io mem 0xe2001000
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 4 ports detected
ACPI: PCI Interrupt Link [LNK5] enabled at IRQ 11
ACPI: PCI Interrupt 0000:00:06.0[A] -> Link [LNK5] ->
GSI 11 (level, low) -> IRQ 11
ohci_hcd 0000:00:06.0: OHCI Host Controller
ohci_hcd 0000:00:06.0: new USB bus registered,
assigned bus number 2
ohci_hcd 0000:00:06.0: irq 11, io mem 0xe2003000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 4 ports detected
usb 1-2: new full speed USB device using ohci_hcd and
address 2
usb 1-2: configuration #1 chosen from 1 choice
hub 1-2:1.0: USB hub found
hub 1-2:1.0: 4 ports detected
ACPI: Power Button (FF) [PWRF]
ACPI: Sleep Button (FF) [SLPF]
ACPI: Power Button (CM) [PWRB]
ACPI: Sleep Button (CM) [SLPB]
ibm_acpi: ec object not found
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
EXT3 FS on dm-0, internal journal
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Adding 786424k swap on /dev/VolGroup00/LogVol01.
Priority:-1 extents:1 across:786424k
SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) -
232 bytes per conntrack
audit(1143945599.518:2): avc: denied { sendto } for
pid=1620 comm="rpc.statd"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:3): avc: denied { recvfrom }
for pid=1620 comm="rpc.statd"
scontext=system_u:system_r:portmap_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:4): avc: denied { sendto } for
pid=1602 comm="portmap"
scontext=system_u:system_r:portmap_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:5): avc: denied { recvfrom }
for pid=1602 comm="portmap"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
Bluetooth: Core ver 2.8
NET: Registered protocol family 31
Bluetooth: HCI device and connection manager
initialized
Bluetooth: HCI socket layer initialized
Bluetooth: L2CAP ver 2.8
Bluetooth: L2CAP socket layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM TTY layer initialized
Bluetooth: RFCOMM ver 1.7
SELinux: initialized (dev autofs, type autofs), uses
genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses
genfs_contexts
parport: PnPBIOS parport detected.
parport0: PC-style at 0x378, irq 7 [PCSPP,EPP]
lp0: using parport0 (interrupt-driven).
lp0: console ready
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
device 163c:3052 is grabbed by driver serial: try to
release
ACPI: PCI interrupt for device 0000:00:0d.0 disabled
slamr: SmartLink AMRMO modem.
slamr: probe 163c:3052 SL1900 card...
ACPI: PCI Interrupt 0000:00:0d.0[A] -> Link [LNK2] ->
GSI 10 (level, low) -> IRQ 10
slamr: slamr0 is SL1900 card.
Thank you for your time and help,
Antonio
17 years, 2 months
Re: nfs avc messages with kernel-2.6.16-1.2069_FC4
by Antonio Olivares
RE: nfs avc messages with kernel-2.6.16-1.2069_FC4
Message: 6
Date: Sat, 1 Apr 2006 00:51:47 -0800 (PST)
From: Antonio Olivares <olivares14031(a)yahoo.com>
Subject: nfs avc messages with
kernel-2.6.16-1.2069_FC4
To: fedora-selinux-list(a)redhat.com
Message-ID:
<20060401085147.91904.qmail(a)web52610.mail.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"
Dear all,
I decided to install latest FC4 kernel
2.6.16-1.2069_FC4 or so. Upon booting I can no longer
surf the internet. I get some avc denied messages
from dmesg. How can I fix this issue?
I do not want to disable selinux.
TIA,
Antonio
======================================================
Here are the avc's, since they were not present in
the previous email to fedora-selinux-list(a)redhat.com.
I do not want to disable selinux to be able to surf
the internet. How can I take care of this?
I appreciate all comments/help I can get.
SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) -
232 bytes per conntrack
audit(1143912938.407:2): avc: denied { sendto } for
pid=1620 comm="rpc.statd"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143912938.447:3): avc: denied { sendto } for
pid=1620 comm="rpc.statd"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143912938.463:4): avc: denied { sendto } for
pid=1620 comm="rpc.statd"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
Also, on another machine:
I installed kernel-2.6.16.1 to an FC3 machine with
selinux disabled and I tried to reenable it since this
kernel comes with selinux in its options and I
compiled it in. Yet when I rebooted it gave me a
kernel panic that no policy was in place. How should
I define such a policy? Is there a tarball somewhere
that I can get, or suggestions since FC3 is in legacy
already?
Regards,
Antonio
17 years, 2 months
Empty trash in Gnome
by Dawid Gajownik
Hi!
My friend noticed that with SELinux in enforcing mode ~/.Trash is full
of files but he cannot remove them -- clicking on the trash icon placed
on the desktop shows an empty directory.
I reproduced this bug on my machine (FC5,
selinux-policy-targeted-2.2.25-2.fc5, Gnome 2.14) and found this avc
message:
Mar 30 19:19:47 X kernel: audit(1143739187.507:65): avc: denied {
getattr } for pid=1810 comm="hald" name="/" dev=hda6 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Using audit2allow I created the kosz.pp module and this resolved the problem
(you need to reboot or restart the haldaemon service). Here's the content of
the te file:
[root@X ~]# cat kosz.te
module kosz 1.0;
require {
role object_r;
role system_r;
class dir getattr;
type hald_t;
type home_root_t;
};
allow hald_t home_root_t:dir getattr;
[root@X ~]#
Maybe default policy should be fixed?
Thanks,
Dawid
--
^_*
17 years, 2 months
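How an `avc: denied` record becomes an `allow` rule, the step audit2allow performed for the kosz module: an added example (not code from the post or from audit2allow itself) that re-joins mail-wrapped AVC records and merges permissions per source type, target type and class. The names `parse_avc` and `allow_rules` are illustrative; the sample is constructed from records quoted in the messages above.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records quoted in the messages above, still mail-wrapped.
SAMPLE = """\
audit(1143945599.518:3): avc: denied { recvfrom }
for pid=1620 comm="rpc.statd"
scontext=system_u:system_r:portmap_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:4): avc: denied { sendto } for
pid=1602 comm="portmap"
scontext=system_u:system_r:portmap_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
Mar 30 19:19:47 X kernel: audit(1143739187.507:65): avc: denied {
getattr } for pid=1810 comm="hald" name="/" dev=hda6 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Parse 'avc: denied' records; the type is the 3rd field of user:role:type[:level]."""
    records = []
    for chunk in " ".join(text.split()).split("audit(")[1:]:  # undo line wrapping
        m = AVC_RE.search(chunk)
        pairs = KV_RE.findall(m.group(2)) if m else []
        fields = {k: v.strip('"') for k, v in reversed(pairs)}  # first occurrence wins
        if {"scontext", "tcontext", "tclass"} <= fields.keys():  # skip truncated records
            records.append({"perms": m.group(1).split(), "tclass": fields["tclass"],
                            "source": fields["scontext"].split(":")[2],
                            "target": fields["tcontext"].split(":")[2]})
    return records

def allow_rules(records):
    """Merge permissions per (source, target, class) and format them as allow rules."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["source"], r["target"], r["tclass"])].update(r["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        body = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_avc(SAMPLE))))
```

Run as a script it prints two rules; the first is the same rule that appears in kosz.te above.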