Below are the error messages from running 'yum update' today while in enforcing mode. Perhaps this will be helpful to someone.
warning: /etc/selinux/strict/contexts/files/file_contexts created as /etc/selinux/strict/contexts/files/file_contexts.rpmnew
selinux-policy-striwarning: /etc/selinux/strict/policy/policy.17 created as /etc/selinux/strict/policy/policy.17.rpmnew
selinux-policy-strict 100 % done 16/116
Can't open '/etc/selinux/strict/policy/policy.17': Permission denied
warning: /etc/selinux/targeted/contexts/files/file_contexts created as /etc/selinux/targeted/contexts/files/file_contexts.rpmnew
selinux-policy-targeted 100 % done 17/116
python-tools 100 % done 18/116
apr-devel 100 % done 19/116
dietlibc 100 % done 20/116
selinux-policy-strict-sources 100 % done 21/116
make: Entering directory `/etc/selinux/strict/src/policy'
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat /selinux/policyvers`
Can't open '/etc/selinux/strict/policy/policy.17': Permission denied
make: *** [tmp/load] Error 2
make: Leaving directory `/etc/selinux/strict/src/policy'
gimp-print-cups 100 % done 22/116
HTH Richard Hally
On Wed, 9 Jun 2004 07:37, Richard Hally rhally@mindspring.com wrote:
> Below are the error messages from running 'yum update' today while in enforcing mode. Perhaps this will be helpful to someone.

What AVC messages did you get?
Russell Coker wrote:
> On Wed, 9 Jun 2004 07:37, Richard Hally rhally@mindspring.com wrote:
>> Below are the error messages from running 'yum update' today while in enforcing mode. Perhaps this will be helpful to someone.
> What AVC messages did you get?
Here are the avc messages that I think were from the update:
Jun 8 14:49:07 new2 kernel: audit(1086720547.359:0): avc: denied { read } for pid=5967 exe=/usr/sbin/load_policy name=policy.17 dev=hda2 ino=913086 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
Jun 8 14:49:43 new2 kernel: audit(1086720583.805:0): avc: denied { read } for pid=6032 exe=/usr/sbin/load_policy name=policy.17 dev=hda2 ino=913086 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file

Jun 8 14:50:42 new2 kernel: audit(1086720642.556:0): avc: denied { read } for pid=6040 exe=/usr/sbin/groupadd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun 8 14:50:42 new2 kernel: audit(1086720642.857:0): avc: denied { read } for pid=6041 exe=/usr/sbin/groupadd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun 8 14:50:42 new2 kernel: audit(1086720642.860:0): avc: denied { read } for pid=6042 exe=/usr/sbin/groupadd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun 8 14:50:43 new2 kernel: audit(1086720643.071:0): avc: denied { read } for pid=6043 exe=/usr/sbin/useradd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:selinux_config_t tclass=file

Jun 8 14:53:13 new2 kernel: audit(1086720793.835:0): avc: denied { read } for pid=6446 exe=/usr/sbin/userdel name=config dev=hda2 ino=914871 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun 8 14:53:14 new2 kernel: audit(1086720794.145:0): avc: denied { read } for pid=6447 exe=/usr/sbin/useradd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun 8 14:54:22 new2 kernel: audit(1086720862.714:0): avc: denied { read } for pid=6504 exe=/usr/sbin/useradd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:selinux_config_t tclass=file

-----------------------------------------------------------------------------
And a ton of these (that are probably not related to the policy update:)

Jun 8 14:58:49 new2 kernel: audit(1086721129.020:0): avc: denied { read } for pid=6718 exe=/sbin/ldconfig name=libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Jun 8 14:59:17 new2 kernel: audit(1086721157.931:0): avc: denied { getattr } for pid=6722 exe=/sbin/ldconfig path=/usr/lib/libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Jun 8 14:59:30 new2 kernel: audit(1086721170.335:0): avc: denied { read } for pid=6722 exe=/sbin/ldconfig name=libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Jun 8 15:00:13 new2 kernel: audit(1086721213.603:0): avc: denied { getattr } for pid=6760 exe=/sbin/ldconfig path=/usr/lib/libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Jun 8 15:00:28 new2 kernel: audit(1086721228.071:0): avc: denied { read } for pid=6760 exe=/sbin/ldconfig name=libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Jun 8 15:02:05 new2 kernel: audit(1086721325.781:0): avc: denied { getattr } for pid=6762 exe=/sbin/ldconfig path=/usr/lib/libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
:
THT Richard Hally
On Wed, 9 Jun 2004 13:28, Richard Hally rhally@mindspring.com wrote:
> Jun 8 14:49:07 new2 kernel: audit(1086720547.359:0): avc: denied { read } for pid=5967 exe=/usr/sbin/load_policy name=policy.17 dev=hda2 ino=913086 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file

The file has the wrong type. Did you create it in permissive mode?
Russell Coker wrote:
> On Wed, 9 Jun 2004 13:28, Richard Hally rhally@mindspring.com wrote:
>> Jun 8 14:49:07 new2 kernel: audit(1086720547.359:0): avc: denied { read } for pid=5967 exe=/usr/sbin/load_policy name=policy.17 dev=hda2 ino=913086 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
> The file has the wrong type. Did you create it in permissive mode?
It is possible that I did, although I am trying to stay in enforcing mode as much as possible. If I was in permissive mode how could the file have been labeled "etc_t"?
RH
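
Added example, not part of the original thread and not code from any SELinux tool: a small parser that groups AVC denial lines like the ones posted above by source type, target type and class, so the one denial that matters to the policy load stands apart from the repeated noise. The function names are this example's own; the sample lines are copied from the thread, and contexts are assumed to have the three-field user:role:type form shown there.

```python
import re
from collections import defaultdict

# Denial lines copied from the messages in this thread.
SAMPLE_LOG = """\
Jun 8 14:49:07 new2 kernel: audit(1086720547.359:0): avc: denied { read } for pid=5967 exe=/usr/sbin/load_policy name=policy.17 dev=hda2 ino=913086 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
Jun 8 14:49:43 new2 kernel: audit(1086720583.805:0): avc: denied { read } for pid=6032 exe=/usr/sbin/load_policy name=policy.17 dev=hda2 ino=913086 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
Jun 8 14:50:42 new2 kernel: audit(1086720642.556:0): avc: denied { read } for pid=6040 exe=/usr/sbin/groupadd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun 8 14:53:13 new2 kernel: audit(1086720793.835:0): avc: denied { read } for pid=6446 exe=/usr/sbin/userdel name=config dev=hda2 ino=914871 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun 8 14:58:49 new2 kernel: audit(1086721129.020:0): avc: denied { read } for pid=6718 exe=/sbin/ldconfig name=libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Jun 8 14:59:17 new2 kernel: audit(1086721157.931:0): avc: denied { getattr } for pid=6722 exe=/sbin/ldconfig path=/usr/lib/libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
"""

# Matches "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict for one denial line, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class); collect perms, objects, count."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # Type is the third field of a user:role:type context.
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        group = groups[key]
        group["perms"].update(rec["perms"])
        group["objects"].add(rec.get("path") or rec.get("name", "?"))
        group["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_LOG).items()):
        perms = " ".join(sorted(g["perms"]))
        print(f"{g['count']:3d}  {src} -> {tgt}:{cls} {{ {perms} }}  {sorted(g['objects'])}")
```

On these lines the load_policy_t read of an etc_t file named policy.17, the denial the "wrong type" reply is about, ends up in its own group apart from the ldconfig entries.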
selinux@lists.fedoraproject.org