strongswan problem
by Holger Burde
Hi;
I have a problem running strongswan (userland/ = pluto daemon) on my FC4
box with SELinux enabled.
[root@marvin strongswan-2.6.3]# ipsec setup start
ipsec_setup: Starting strongSwan IPsec U2.6.3/K2.6.16-1.2069_FC4...
ipsec_setup: Cannot talk to rtnetlink: Invalid argument
ipsec_setup: Cannot talk to rtnetlink: Invalid argument
With setenforce 0 everything works fine.
I looked through the policy and found only a partial (or my installation
is borken?) ipsec policy. domains/programs has no ipsec.te
and ipsec.fc is there. Do i have to create the ipsec policy (te) from
scratch or is there something to use (modify) ?
Policy Version: selinux-policy-targeted-sources-1.27.1-2.22
selinux-policy-targeted-1.27.1-2.22
thx in advance
--
--- -- -
Dipl. Inform. H. Burde
EMail : <hburde(a)t-online.de>| <hburde(a)uni-bremen.de>
18 years
- 1
- 0
Re: changed selinux to permissive get new avcs (Solved)
by Antonio Olivares
% parts of message removed
>That should be:
>
>touch /.autorelabel
>
>Then reboot.
>
>Bob
>
>--
>Bob Kashani
>----
Ok, Problem has been solved. Here's what I did,
I yum updated selinux*
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# yum update selinux*
Setting up Update Process
Setting up repositories
updates-released 100%
|=========================| 951 B 00:00
extras 100%
|=========================| 1.1 kB 00:00
base 100%
|=========================| 1.1 kB 00:00
Reading repository metadata in from local files
primary.xml.gz 100%
|=========================| 387 kB 01:24
updates-re:
##################################################
1075/1075
Added 1075 new packages, deleted 0 old in 12.94
seconds
primary.xml.gz 100%
|=========================| 1.2 MB 04:25
extras :
##################################################
3482/3482
Added 3482 new packages, deleted 0 old in 33.80
seconds
primary.xml.gz 100%
|=========================| 824 kB 03:40
base :
##################################################
2772/2772
Added 2772 new packages, deleted 0 old in 23.76
seconds
Resolving Dependencies
--> Populating transaction set with selected packages.
Please wait.
---> Downloading header for
selinux-policy-strict-sources to pack into transaction
set.
http://klid.dk/homeftp/fedora/linux/core/updates/4/i386/selinux-policy-st...:
[Errno 4] IOError: HTTP Error 403: Date: Sun, 02 Apr
2006 04:12:44 GMT
Server: Apache/2.0.54 (Mandriva
Linux/PREFORK-13.2.20060mdk)
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Trying other mirror.
selinux-policy-strict-sou 100%
|=========================| 124 kB 00:09
---> Package selinux-policy-strict-sources.noarch
0:1.27.1-2.27 set to be updated
---> Downloading header for selinux-policy-strict to
pack into transaction set.
selinux-policy-strict-1.2 100%
|=========================| 47 kB 00:04
---> Package selinux-policy-strict.noarch
0:1.27.1-2.27 set to be updated
---> Downloading header for
selinux-policy-targeted-sources to pack into
transaction set.
selinux-policy-targeted-s 100%
|=========================| 93 kB 00:07
---> Package selinux-policy-targeted-sources.noarch
0:1.27.1-2.22 set to be updated
---> Downloading header for selinux-policy-targeted to
pack into transaction set.
selinux-policy-targeted-1 100%
|=========================| 50 kB 00:04
---> Package selinux-policy-targeted.noarch
0:1.27.1-2.22 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version
Repository Size
=============================================================================
Updating:
selinux-policy-strict noarch 1.27.1-2.27
updates-released 1.9 M
selinux-policy-strict-sources noarch 1.27.1-2.27
updates-released 378 k
selinux-policy-targeted noarch 1.27.1-2.22
updates-released 924 k
selinux-policy-targeted-sources noarch
1.27.1-2.22 updates-released 281 k
Transaction Summary
=============================================================================
Install 0 Package(s)
Update 4 Package(s)
Remove 0 Package(s)
Total download size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# yum update selinux*
Setting up Update Process
Setting up repositories
updates-released 100%
|=========================| 951 B 00:00
extras 100%
|=========================| 1.1 kB 00:00
base 100%
|=========================| 1.1 kB 00:00
Reading repository metadata in from local files
primary.xml.gz 100%
|=========================| 387 kB 01:24
updates-re:
##################################################
1075/1075
Added 1075 new packages, deleted 0 old in 12.94
seconds
primary.xml.gz 100%
|=========================| 1.2 MB 04:25
extras :
##################################################
3482/3482
Added 3482 new packages, deleted 0 old in 33.80
seconds
primary.xml.gz 100%
|=========================| 824 kB 03:40
base :
##################################################
2772/2772
Added 2772 new packages, deleted 0 old in 23.76
seconds
Resolving Dependencies
--> Populating transaction set with selected packages.
Please wait.
---> Downloading header for
selinux-policy-strict-sources to pack into transaction
set.
http://klid.dk/homeftp/fedora/linux/core/updates/4/i386/selinux-policy-st...:
[Errno 4] IOError: HTTP Error 403: Date: Sun, 02 Apr
2006 04:12:44 GMT
Server: Apache/2.0.54 (Mandriva
Linux/PREFORK-13.2.20060mdk)
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Trying other mirror.
selinux-policy-strict-sou 100%
|=========================| 124 kB 00:09
---> Package selinux-policy-strict-sources.noarch
0:1.27.1-2.27 set to be updated
---> Downloading header for selinux-policy-strict to
pack into transaction set.
selinux-policy-strict-1.2 100%
|=========================| 47 kB 00:04
---> Package selinux-policy-strict.noarch
0:1.27.1-2.27 set to be updated
---> Downloading header for
selinux-policy-targeted-sources to pack into
transaction set.
selinux-policy-targeted-s 100%
|=========================| 93 kB 00:07
---> Package selinux-policy-targeted-sources.noarch
0:1.27.1-2.22 set to be updated
---> Downloading header for selinux-policy-targeted to
pack into transaction set.
selinux-policy-targeted-1 100%
|=========================| 50 kB 00:04
---> Package selinux-policy-targeted.noarch
0:1.27.1-2.22 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version
Repository Size
=============================================================================
Updating:
selinux-policy-strict noarch 1.27.1-2.27
updates-released 1.9 M
selinux-policy-strict-sources noarch 1.27.1-2.27
updates-released 378 k
selinux-policy-targeted noarch 1.27.1-2.22
updates-released 924 k
selinux-policy-targeted-sources noarch
1.27.1-2.22 updates-released 281 k
Transaction Summary
=============================================================================
Install 0 Package(s)
Update 4 Package(s)
Remove 0 Package(s)
Total download size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# yum update selinux*
Setting up Update Process
Setting up repositories
updates-released 100%
|=========================| 951 B 00:00
extras 100%
|=========================| 1.1 kB 00:00
base 100%
|=========================| 1.1 kB 00:00
Reading repository metadata in from local files
primary.xml.gz 100%
|=========================| 387 kB 01:24
updates-re:
##################################################
1075/1075
Added 1075 new packages, deleted 0 old in 12.94
seconds
primary.xml.gz 100%
|=========================| 1.2 MB 04:25
extras :
##################################################
3482/3482
Added 3482 new packages, deleted 0 old in 33.80
seconds
primary.xml.gz 100%
|=========================| 824 kB 03:40
base :
##################################################
2772/2772
Added 2772 new packages, deleted 0 old in 23.76
seconds
Resolving Dependencies
--> Populating transaction set with selected packages.
Please wait.
---> Downloading header for
selinux-policy-strict-sources to pack into transaction
set.
http://klid.dk/homeftp/fedora/linux/core/updates/4/i386/selinux-policy-st...:
[Errno 4] IOError: HTTP Error 403: Date: Sun, 02 Apr
2006 04:12:44 GMT
Server: Apache/2.0.54 (Mandriva
Linux/PREFORK-13.2.20060mdk)
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Trying other mirror.
selinux-policy-strict-sou 100%
|=========================| 124 kB 00:09
---> Package selinux-policy-strict-sources.noarch
0:1.27.1-2.27 set to be updated
---> Downloading header for selinux-policy-strict to
pack into transaction set.
selinux-policy-strict-1.2 100%
|=========================| 47 kB 00:04
---> Package selinux-policy-strict.noarch
0:1.27.1-2.27 set to be updated
---> Downloading header for
selinux-policy-targeted-sources to pack into
transaction set.
selinux-policy-targeted-s 100%
|=========================| 93 kB 00:07
---> Package selinux-policy-targeted-sources.noarch
0:1.27.1-2.22 set to be updated
---> Downloading header for selinux-policy-targeted to
pack into transaction set.
selinux-policy-targeted-1 100%
|=========================| 50 kB 00:04
---> Package selinux-policy-targeted.noarch
0:1.27.1-2.22 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version
Repository Size
=============================================================================
Updating:
selinux-policy-strict noarch 1.27.1-2.27
updates-released 1.9 M
selinux-policy-strict-sources noarch 1.27.1-2.27
updates-released 378 k
selinux-policy-targeted noarch 1.27.1-2.22
updates-released 924 k
selinux-policy-targeted-sources noarch
1.27.1-2.22 updates-released 281 k
Transaction Summary
=============================================================================
Install 0 Package(s)
Update 4 Package(s)
Remove 0 Package(s)
Total download size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# yum update selinux*
Setting up Update Process
Setting up repositories
updates-released 100%
|=========================| 951 B 00:00
extras 100%
|=========================| 1.1 kB 00:00
base 100%
|=========================| 1.1 kB 00:00
Reading repository metadata in from local files
primary.xml.gz 100%
|=========================| 387 kB 01:24
updates-re:
##################################################
1075/1075
Added 1075 new packages, deleted 0 old in 12.94
seconds
primary.xml.gz 100%
|=========================| 1.2 MB 04:25
extras :
##################################################
3482/3482
Added 3482 new packages, deleted 0 old in 33.80
seconds
primary.xml.gz 100%
|=========================| 824 kB 03:40
base :
##################################################
2772/2772
Added 2772 new packages, deleted 0 old in 23.76
seconds
Resolving Dependencies
--> Populating transaction set with selected packages.
Please wait.
---> Downloading header for
selinux-policy-strict-sources to pack into transaction
set.
http://klid.dk/homeftp/fedora/linux/core/updates/4/i386/selinux-policy-st...:
[Errno 4] IOError: HTTP Error 403: Date: Sun, 02 Apr
2006 04:12:44 GMT
Server: Apache/2.0.54 (Mandriva
Linux/PREFORK-13.2.20060mdk)
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Trying other mirror.
selinux-policy-strict-sou 100%
|=========================| 124 kB 00:09
---> Package selinux-policy-strict-sources.noarch
0:1.27.1-2.27 set to be updated
---> Downloading header for selinux-policy-strict to
pack into transaction set.
selinux-policy-strict-1.2 100%
|=========================| 47 kB 00:04
---> Package selinux-policy-strict.noarch
0:1.27.1-2.27 set to be updated
---> Downloading header for
selinux-policy-targeted-sources to pack into
transaction set.
selinux-policy-targeted-s 100%
|=========================| 93 kB 00:07
---> Package selinux-policy-targeted-sources.noarch
0:1.27.1-2.22 set to be updated
---> Downloading header for selinux-policy-targeted to
pack into transaction set.
selinux-policy-targeted-1 100%
|=========================| 50 kB 00:04
---> Package selinux-policy-targeted.noarch
0:1.27.1-2.22 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version
Repository Size
=============================================================================
Updating:
selinux-policy-strict noarch 1.27.1-2.27
updates-released 1.9 M
selinux-policy-strict-sources noarch 1.27.1-2.27
updates-released 378 k
selinux-policy-targeted noarch 1.27.1-2.22
updates-released 924 k
selinux-policy-targeted-sources noarch
1.27.1-2.22 updates-released 281 k
Transaction Summary
=============================================================================
Install 0 Package(s)
Update 4 Package(s)
Remove 0 Package(s)
Total download size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): selinux-policy-str 100%
|=========================| 378 kB 01:05
(2/4): selinux-policy-str 100%
|=========================| 1.9 MB 06:47
(3/4): selinux-policy-tar 100%
|=========================| 281 kB 00:48
(4/4): selinux-policy-tar 100%
|=========================| 924 kB 03:03
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : selinux-policy-targeted
######################### [1/8]
Updating : selinux-policy-strict
######################### [2/8]
Updating : selinux-policy-strict-source
######################### [3/8]
Updating : selinux-policy-targeted-sour
######################### [4/8]
/etc/selinux/targeted/contexts/files/file_contexts:
line 621 has invalid contex t
system_u:object_r:acct_exec_t
/sbin/restorecon reset /usr/bin/iiimx context
system_u:object_r:i18n_input_exec_t->system_u:object_r:bin_t
********** Lots more messages ommitted *************
l_t->system_u:object_r:var_spool_t
/sbin/restorecon reset /var/spool/postfix/saved
context
system_u:object_r:mail_spool_t->system_u:object_r:var_spool_t
/sbin/restorecon reset /var/spool/postfix/deferred
context
system_u:object_r:mail_spool_t->system_u:object_r:var_spool_t
Cleanup : selinux-policy-strict-source
######################### [5/8]
Cleanup : selinux-policy-strict
######################### [6/8]
Cleanup : selinux-policy-targeted-sour
######################### [7/8]
Cleanup : selinux-policy-targeted
######################### [8/8]
Updated: selinux-policy-strict.noarch 0:1.27.1-2.27
selinux-policy-strict-sources.noarch 0:1.27.1-2.27
selinux-policy-targeted.noarch 0:1.27.1-2.22
selinux-policy-targeted-sources.noarch 0:1.27.1-2.22
Complete!
[root@localhost ~]#
Did a touch /.autorelabel as Bob put it correctly, set
selinux back to enforcing and rebooted. I crossed my
fingers and voila, it worked!!!
Thanks to all who responded and helped.
>maybe I'm dense but the only thing I saw was the same
avc >denied several times for rpc.statd which relates
to nfs but has nothing to do with web
browsing/internet.
>
>are you saying that web browsing is working in
>permissive mode and not
>working in targeted/enforcing mode?
>
>Craig
That was the case Craig, but now all is well. Here's
part of the new avcs that I got after touch
./autorelabel
SELinux: initialized (dev hda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
audit(1143993007.681:2): avc: granted { setenforce }
for pid=545 comm="rc.sysinit"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:security_t tclass=security
audit(1143993803.490:3): avc: granted { setenforce }
for pid=545 comm="rc.sysinit"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:security_t tclass=security
Adding 786424k swap on /dev/VolGroup00/LogVol01.
Priority:-1 extents:1 across:786424k
SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) -
232 bytes per conntrack
SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
Now they were granted and all is well.
Best Regards,
Antonio
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
18 years
- 1
- 0
changed selinux to permissive get new avcs
by Antonio Olivares
Dear all,
As I had some previous trouble with selinux, and
have gotten little to no advice, I read through the
fedora wiki, and fedora selinux-faq and previous
knowlege/advice from fedora-list
I did a ./touchrelabel and reboot.
I could still not connect to internet with latest FC4
kernel (2.6.16-1.2069_FC4). I have changed selinux
mode to permissive mode and I get new avc's.
SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) -
232 bytes per conntrack
audit(1143945599.518:2): avc: denied { sendto } for
pid=1620 comm="rpc.statd"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:3): avc: denied { recvfrom }
for pid=1620 comm="rpc.statd"
scontext=system_u:system_r:portmap_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:4): avc: denied { sendto } for
pid=1602 comm="portmap"
scontext=system_u:system_r:portmap_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:5): avc: denied { recvfrom }
for pid=1602 comm="portmap"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
I will post inline complete dmesg to get better
advice.
[root@localhost ~]# dmesg
Linux version 2.6.16-1.2069_FC4
(bhcompile(a)hs20-bc1-7.build.redhat.com) (gcc version
4.0.2 20051125 (Red Hat 4.0.2-8)) #1 Tue Mar 28
12:19:10 EST 2006
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 - 000000000009fc00
(usable)
BIOS-e820: 000000000009fc00 - 00000000000a0000
(reserved)
BIOS-e820: 00000000000f0000 - 0000000000100000
(reserved)
BIOS-e820: 0000000000100000 - 0000000017ff0000
(usable)
BIOS-e820: 0000000017ff0000 - 0000000017ff3000 (ACPI
NVS)
BIOS-e820: 0000000017ff3000 - 0000000018000000 (ACPI
data)
BIOS-e820: 00000000ffff0000 - 0000000100000000
(reserved)
0MB HIGHMEM available.
383MB LOWMEM available.
Using x86 segment limits to approximate NX protection
On node 0 totalpages: 98288
DMA zone: 4096 pages, LIFO batch:0
DMA32 zone: 0 pages, LIFO batch:0
Normal zone: 94192 pages, LIFO batch:31
HighMem zone: 0 pages, LIFO batch:0
DMI 2.2 present.
ACPI: RSDP (v000 AWARD
) @ 0x000f6280
ACPI: RSDT (v001 AWARD AWRDACPI 0x42302e31 AWRD
0x00000000) @ 0x17ff3000
ACPI: FADT (v001 AWARD AWRDACPI 0x42302e31 AWRD
0x00000000) @ 0x17ff3040
ACPI: DSDT (v001 AWARD AWRDACPI 0x00001000 MSFT
0x0100000c) @ 0x00000000
ACPI: PM-Timer IO Port: 0x508
Allocating PCI resources starting at 20000000 (gap:
18000000:e7ff0000)
Built 1 zonelists
Kernel command line: ro root=/dev/VolGroup00/LogVol00
rhgb quiet
Local APIC disabled by BIOS -- you can enable it with
"lapic"
mapped APIC to ffffd000 (01304000)
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
CPU 0 irqstacks, hard=c040a000 soft=c040b000
PID hash table entries: 2048 (order: 11, 32768 bytes)
Detected 1466.863 MHz processor.
Using pmtmr for high-res timesource
Console: colour VGA+ 80x25
Dentry cache hash table entries: 65536 (order: 6,
262144 bytes)
Inode-cache hash table entries: 32768 (order: 5,
131072 bytes)
Memory: 383964k/393152k available (2131k kernel code,
8656k reserved, 754k data, 200k init, 0k highmem)
Checking if this processor honours the WP bit even in
supervisor mode... Ok.
Calibrating delay using timer specific routine..
2937.06 BogoMIPS (lpj=5874126)
Security Framework v1.0.0 initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary
module capability
Capability LSM initialized as secondary
Mount-cache hash table entries: 512
CPU: After generic identify, caps: 0383f9ff c1c3f9ff
00000000 00000000 00000000 00000000 00000000
CPU: After vendor identify, caps: 0383f9ff c1c3f9ff
00000000 00000000 00000000 00000000 00000000
CPU: L1 I Cache: 64K (64 bytes/line), D cache 64K (64
bytes/line)
CPU: L2 Cache: 256K (64 bytes/line)
CPU: After all inits, caps: 0383f1ff c1c3f9ff 00000000
00000020 00000000 00000000 00000000
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#0.
CPU: AMD Athlon(tm) XP 1700+ stepping 02
Checking 'hlt' instruction... OK.
ACPI: setting ELCR to 0200 (from 0c20)
checking if image is initramfs... it is
Freeing initrd memory: 1645k freed
NET: Registered protocol family 16
ACPI: bus type pci registered
PCI: PCI BIOS revision 2.10 entry at 0xfb330, last
bus=1
PCI: Using configuration type 1
ACPI: Subsystem revision 20060127
ACPI: Interpreter enabled
ACPI: Using PIC for interrupt routing
ACPI: PCI Root Bridge [PCI0] (0000:00)
PCI: Probing PCI hardware (bus 00)
ACPI: Assume root bridge [\_SB_.PCI0] bus is 0
Boot video device is 0000:00:09.0
PCI quirk: region 0500-053f claimed by ali7101 ACPI
PCI quirk: region 0400-041f claimed by ali7101 SMB
ACPI: PCI Interrupt Routing Table [\_SB_.PCI0._PRT]
ACPI: PCI Interrupt Link [LNK1] (IRQs 1 3 4 5 6 7 10
11 12 14 15) *0, disabled.
ACPI: PCI Interrupt Link [LNK2] (IRQs 1 3 4 5 6 7 *10
11 12 14 15)
ACPI: PCI Interrupt Link [LNK3] (IRQs 1 3 4 5 6 7 10
11 12 14 15) *0, disabled.
ACPI: PCI Interrupt Link [LNK4] (IRQs 1 3 4 5 6 7 10
*11 12 14 15)
ACPI: PCI Interrupt Link [LNK5] (IRQs 1 3 4 5 6 7 10
*11 12 14 15)
ACPI: PCI Interrupt Link [LNK6] (IRQs 1 3 4 5 6 7 10
11 12 14 15) *0, disabled.
ACPI: PCI Interrupt Link [LNK7] (IRQs 1 3 4 5 6 7 10
11 12 14 15) *0, disabled.
ACPI: PCI Interrupt Link [LNK8] (IRQs 1 3 4 *5 6 7 10
11 12 14 15)
ACPI: PCI Interrupt Link [LNK9] (IRQs 1 3 4 5 6 7 10
*11 12 14 15)
Linux Plug and Play Support v0.97 (c) Adam Belay
pnp: PnP ACPI init
pnp: PnP ACPI: found 13 devices
usbcore: registered new driver usbfs
usbcore: registered new driver hub
PCI: Using ACPI for IRQ routing
PCI: If a device doesn't work, try "pci=routeirq". If
it helps, post a report
PCI: Bridge: 0000:00:01.0
IO window: disabled.
MEM window: disabled.
PREFETCH window: disabled.
PCI: Setting latency timer of device 0000:00:01.0 to
64
apm: BIOS version 1.2 Flags 0x07 (Driver version
1.16ac)
apm: overridden by ACPI.
audit: initializing netlink socket (disabled)
audit(1143923979.008:1): initialized
Total HugeTLB memory allocated, 0
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096
bytes)
SELinux: Registering netfilter hooks
Initializing Cryptographic API
ksign: Installing public key data
Loading keyring
- Added public key 6D8AC7E0298FAC35
- User ID: Red Hat, Inc. (Kernel Module GPG key)
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
Limiting direct PCI/PCI transfers.
Activating ISA DMA hang workarounds.
pci_hotplug: PCI Hot Plug PCI Core version: 0.5
ACPI: Fan [FAN] (on)
ACPI: Processor [CPU0] (supports 2 throttling states)
ACPI: Thermal Zone [THRM] (56 C)
isapnp: Scanning for PnP cards...
isapnp: No Plug & Play device found
Real Time Clock Driver v1.12ac
Linux agpgart interface v0.101 (c) Dave Jones
agpgart: Detected ALi M1647 chipset
agpgart: AGP aperture is 128M @ 0xd0000000
PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at
0x60,0x64 irq 1,12
serio: i8042 AUX port at 0x60,0x64 irq 12
serio: i8042 KBD port at 0x60,0x64 irq 1
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports,
IRQ sharing enabled
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
00:08: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
00:09: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
ACPI: PCI Interrupt Link [LNK2] enabled at IRQ 10
PCI: setting IRQ 10 as level-triggered
ACPI: PCI Interrupt 0000:00:0d.0[A] -> Link [LNK2] ->
GSI 10 (level, low) -> IRQ 10
Couldn't register serial port 0000:00:0d.0: -28
RAMDISK driver initialized: 16 RAM disks of 16384K
size 1024 blocksize
Uniform Multi-Platform E-IDE driver Revision:
7.00alpha2
ide: Assuming 33MHz system bus speed for PIO modes;
override with idebus=xx
ALI15X3: IDE controller at PCI slot 0000:00:04.0
ACPI: PCI Interrupt 0000:00:04.0[A]: no GSI
ALI15X3: chipset revision 196
ALI15X3: not 100% native mode: will probe irqs later
ide0: BM-DMA at 0xd400-0xd407, BIOS settings:
hda:DMA, hdb:pio
ide1: BM-DMA at 0xd408-0xd40f, BIOS settings:
hdc:DMA, hdd:DMA
Probing IDE interface ide0...
hda: ST340016A, ATA DISK drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
Probing IDE interface ide1...
hdc: IDE DVD-ROM 16X, ATAPI CD/DVD-ROM drive
hdd: RW-241040, ATAPI CD/DVD-ROM drive
ide1 at 0x170-0x177,0x376 on irq 15
hda: max request size: 128KiB
hda: 78165360 sectors (40020 MB) w/2048KiB Cache,
CHS=65535/16/63, UDMA(100)
hda: cache flushes not supported
hda: hda1 hda2
hdc: ATAPI 48X DVD-ROM drive, 512kB Cache, UDMA(33)
Uniform CD-ROM driver Revision: 3.20
hdd: ATAPI 40X CD-ROM CD-R/RW drive, 2048kB Cache,
UDMA(33)
ide-floppy driver 0.99.newide
usbcore: registered new driver libusual
usbcore: registered new driver hiddev
usbcore: registered new driver usbhid
drivers/usb/input/hid-core.c: v2.6:USB HID core driver
mice: PS/2 mouse device common for all mice
md: md driver 0.90.3 MAX_MD_DEVS=256, MD_SB_DISKS=27
md: bitmap version 4.39
NET: Registered protocol family 2
input: AT Translated Set 2 keyboard as
/class/input/input0
IP route cache hash table entries: 4096 (order: 2,
16384 bytes)
TCP established hash table entries: 16384 (order: 6,
262144 bytes)
TCP bind hash table entries: 16384 (order: 6, 327680
bytes)
TCP: Hash tables configured (established 16384 bind
16384)
TCP reno registered
TCP bic registered
Initializing IPsec netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
Using IPI Shortcut mode
ACPI wakeup devices:
PCI0 USB0 USB1
ACPI: (supports S0 S1 S4 S5)
Freeing unused kernel memory: 200k freed
Write protecting the kernel read-only data: 346k
device-mapper: 4.5.0-ioctl (2005-10-04) initialised:
dm-devel(a)redhat.com
kjournald starting. Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
input: ImPS/2 Generic Wheel Mouse as
/class/input/input1
security: 3 users, 6 roles, 764 types, 87 bools
security: 55 classes, 182383 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses
genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs),
uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not
configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs),
not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses
transition SIDs
SELinux: initialized (dev eventpollfs, type
eventpollfs), uses genfs_contexts
SELinux: initialized (dev inotifyfs, type inotifyfs),
not configured for labeling
SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses
genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses
task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses
task SIDs
SELinux: initialized (dev proc, type proc), uses
genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses
genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses
genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses
genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses
genfs_contexts
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
ACPI: PCI Interrupt Link [LNK4] enabled at IRQ 11
PCI: setting IRQ 11 as level-triggered
ACPI: PCI Interrupt 0000:00:0b.0[A] -> Link [LNK4] ->
GSI 11 (level, low) -> IRQ 11
3c59x: Donald Becker and others.
www.scyld.com/network/vortex.html
0000:00:0b.0: 3Com PCI 3c905 Boomerang 100baseTx at
0001dc00. Vers LK1.1.19
ACPI: PCI Interrupt Link [LNK8] enabled at IRQ 5
PCI: setting IRQ 5 as level-triggered
ACPI: PCI Interrupt 0000:00:03.0[A] -> Link [LNK8] ->
GSI 5 (level, low) -> IRQ 5
AC'97 1 does not respond - RESET
AC'97 1 access is not valid [0xffffffff], removing
mixer.
ali mixer 1 creating error.
slamr: module license 'Smart Link Ltd.' taints kernel.
slamr: SmartLink AMRMO modem.
slamr: device 163c:3052 is grabbed by another driver
ohci_hcd: 2005 April 22 USB 1.1 'Open' Host Controller
(OHCI) Driver (PCI)
ACPI: PCI Interrupt Link [LNK9] enabled at IRQ 11
ACPI: PCI Interrupt 0000:00:02.0[A] -> Link [LNK9] ->
GSI 11 (level, low) -> IRQ 11
ohci_hcd 0000:00:02.0: OHCI Host Controller
ohci_hcd 0000:00:02.0: new USB bus registered,
assigned bus number 1
ohci_hcd 0000:00:02.0: irq 11, io mem 0xe2001000
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 4 ports detected
ACPI: PCI Interrupt Link [LNK5] enabled at IRQ 11
ACPI: PCI Interrupt 0000:00:06.0[A] -> Link [LNK5] ->
GSI 11 (level, low) -> IRQ 11
ohci_hcd 0000:00:06.0: OHCI Host Controller
ohci_hcd 0000:00:06.0: new USB bus registered,
assigned bus number 2
ohci_hcd 0000:00:06.0: irq 11, io mem 0xe2003000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 4 ports detected
usb 1-2: new full speed USB device using ohci_hcd and
address 2
usb 1-2: configuration #1 chosen from 1 choice
hub 1-2:1.0: USB hub found
hub 1-2:1.0: 4 ports detected
ACPI: Power Button (FF) [PWRF]
ACPI: Sleep Button (FF) [SLPF]
ACPI: Power Button (CM) [PWRB]
ACPI: Sleep Button (CM) [SLPB]
ibm_acpi: ec object not found
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
EXT3 FS on dm-0, internal journal
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Adding 786424k swap on /dev/VolGroup00/LogVol01.
Priority:-1 extents:1 across:786424k
SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) -
232 bytes per conntrack
audit(1143945599.518:2): avc: denied { sendto } for
pid=1620 comm="rpc.statd"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:3): avc: denied { recvfrom }
for pid=1620 comm="rpc.statd"
scontext=system_u:system_r:portmap_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:4): avc: denied { sendto } for
pid=1602 comm="portmap"
scontext=system_u:system_r:portmap_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143945599.518:5): avc: denied { recvfrom }
for pid=1602 comm="portmap"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
Bluetooth: Core ver 2.8
NET: Registered protocol family 31
Bluetooth: HCI device and connection manager
initialized
Bluetooth: HCI socket layer initialized
Bluetooth: L2CAP ver 2.8
Bluetooth: L2CAP socket layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM TTY layer initialized
Bluetooth: RFCOMM ver 1.7
SELinux: initialized (dev autofs, type autofs), uses
genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses
genfs_contexts
parport: PnPBIOS parport detected.
parport0: PC-style at 0x378, irq 7 [PCSPP,EPP]
lp0: using parport0 (interrupt-driven).
lp0: console ready
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
device 163c:3052 is grabbed by driver serial: try to
release
ACPI: PCI interrupt for device 0000:00:0d.0 disabled
slamr: SmartLink AMRMO modem.
slamr: probe 163c:3052 SL1900 card...
ACPI: PCI Interrupt 0000:00:0d.0[A] -> Link [LNK2] ->
GSI 10 (level, low) -> IRQ 10
slamr: slamr0 is SL1900 card.
Thank you for your time and help,
Antonio
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
18 years
- 4
- 4
Re: nfs avc messages with kernel-2.6.16-1.2069_FC4
by Antonio Olivares
RE: nfs avc messages with kernel-2.6.16-1.2069_FC4
Message: 6
Date: Sat, 1 Apr 2006 00:51:47 -0800 (PST)
From: Antonio Olivares <olivares14031(a)yahoo.com>
Subject: nfs avc messages with
kernel-2.6.16-1.2069_FC4
To: fedora-selinux-list(a)redhat.com
Message-ID:
<20060401085147.91904.qmail(a)web52610.mail.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"
Dear all,
I decided to install latest FC4 kernel
2.6.16-1.2069_FC4 or so. Upon booting I can no longer
surf the internet. I get some avc denied messages
from dmesg. How can I fix this issue?
I do not want to disable selinux.
TIA,
Antonio
======================================================
Here are the avc's. Since they were not present in
the previous email to fedora-selinux-list(a)redhat.com
I do not want to disable selinux to be able to surf
the internet. How can I take care of this?
I appreciate all comments/help I can get.
SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) -
232 bytes per conntrack
audit(1143912938.407:2): avc: denied { sendto } for
pid=1620 comm="rpc.statd"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143912938.447:3): avc: denied { sendto } for
pid=1620 comm="rpc.statd"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
audit(1143912938.463:4): avc: denied { sendto } for
pid=1620 comm="rpc.statd"
scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:unlabeled_t
tclass=association
Also on another machine
I installed kernel-2.6.16.1 to an FC3 machine with
selinux disabled and I tried to reenable it since this
kernel comes with selinux in its options and i
compiled it in. Yet when I rebooted it gave me a
kernel panic that no policy was in place. How should
I define such a policy? Is there a tarball somewhere
that I can get, or suggestions since FC3 is in legacy
already?
Regards,
Antonio
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
18 years, 1 month
- 1
- 0
18 years, 1 month
- 1
- 0
Empty trash in Gnome
by Dawid Gajownik
Hi!
My friend noticed that with SELinux in enforcing mode ~/.Trash is full
of the files but he cannot remove them -- clicking on trash icon placed
on the desktop shows empty directory.
I reproduced this bug on my machine (FC5,
selinux-policy-targeted-2.2.25-2.fc5, Gnome 2.14) and found this avc
message:
Mar 30 19:19:47 X kernel: audit(1143739187.507:65): avc: denied {
getattr } for pid=1810 comm="hald" name="/" dev=hda6 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Using audit2allow I created kosz.pp module and this resolved the problem
(you need to reboot or restart haldaemon service). Here's the content of
te file:
[root@X ~]# cat kosz.te
module kosz 1.0;
require {
role object_r;
role system_r;
class dir getattr;
type hald_t;
type home_root_t;
};
allow hald_t home_root_t:dir getattr;
[root@X ~]#
Maybe default policy should be fixed?
Thanks,
Dawid
--
^_*
18 years, 1 month
- 3
- 4