Must be an order issue at boot time. We did a reboot today after a kernel update and saw the following even though we have, selinux-policy-3.10.0-72.fc16.noarch:

getsebool allow_ypbind
allow_ypbind --> on

----
time->Tue Jan 24 06:17:02 2012
type=SYSCALL msg=audit(1327414622.867:2517): arch=c000003e syscall=59 success=yes exit=0 a0=9669f0 a1=cc8170 a2=7fff1bf396c8 a3=1f items=0 ppid=5248 pid=5253 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=293 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327414622.867:2517): avc: denied { transition } for pid=5253 comm="rpm" path="/bin/bash" dev=dm-1 ino=393240 scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.410:38): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1359 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.410:38): avc: denied { search } for pid=1359 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.410:39): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1360 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.410:39): avc: denied { search } for pid=1360 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.411:40): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1361 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.411:40): avc: denied { search } for pid=1361 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.411:41): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1362 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.411:41): avc: denied { search } for pid=1362 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.414:42): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1365 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.414:42): avc: denied { search } for pid=1365 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.414:43): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1364 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.414:43): avc: denied { search } for pid=1364 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.415:44): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1366 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.415:44): avc: denied { search } for pid=1366 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.416:45): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1363 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.416:45): avc: denied { search } for pid=1363 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.418:46): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367 pid=1369 auid=4294967295 uid=81 gid=81 euid=0 suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327415018.418:46): avc: denied { name_connect } for pid=1369 comm="dbus-daemon-lau" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.418:47): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff07112f60 a2=10 a3=98 items=0 ppid=1367 pid=1369 auid=4294967295 uid=81 gid=81 euid=0 suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327415018.418:47): avc: denied { name_bind } for pid=1369 comm="dbus-daemon-lau" src=697 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.418:48): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367 pid=1369 auid=4294967295 uid=81 gid=81 euid=0 suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327415018.418:48): avc: denied { name_connect } for pid=1369 comm="dbus-daemon-lau" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
On 01/25/2012 03:39 AM, David Highley wrote:
Must be an order issue at boot time. We did a reboot today after a kernel update and saw the following even though we have, selinux-policy-3.10.0-72.fc16.noarch: getsebool allow_ypbind allow_ypbind --> on
What does
# sesearch -A -s httpd_t -t var_yp_t -C
# getsebool allow_ypbind
"Miroslav Grepl wrote:"
What does
# sesearch -A -s httpd_t -t var_yp_t -C
sesearch -A -s httpd_t -t var_yp_t -C
Found 4 semantic av rules:
   allow httpd_t file_type : filesystem getattr ;
DT allow nsswitch_domain var_yp_t : file { ioctl read getattr lock open } ; [ allow_ypbind ]
DT allow nsswitch_domain var_yp_t : dir { ioctl read getattr lock search open } ; [ allow_ypbind ]
DT allow nsswitch_domain var_yp_t : lnk_file { read getattr } ; [ allow_ypbind ]
# getsebool allow_ypbind
getsebool allow_ypbind
allow_ypbind --> on
On 01/24/2012 10:39 PM, David Highley wrote:
Do you have the allow_ypbind boolean permanently turned on
setsebool -P allow_ypbind 1
If the init script is turning it on, you could see avc's like this.
Have no idea what the bootloader->rpm_script one is.
There used to be some kernel update scripts that were labeled as bootloader_exec_t?
"Daniel J Walsh wrote:"
On 01/24/2012 10:39 PM, David Highley wrote:
Do you have the allow_ypbind boolean permanently turned on
setsebool -P allow_ypbind 1
Yes, we permanently set this bool.
If the init script is turning it on, you could see avc's like this.
Have no idea what the bootloader->rpm_script one is.
There used to be some kernel update scripts that were labeled as bootloader_exec_t?
On 01/25/2012 01:38 PM, David Highley wrote:
"Daniel J Walsh wrote:"
On 01/24/2012 10:39 PM, David Highley wrote:
Do you have the allow_ypbind boolean permanently turned on?
setsebool -P allow_ypbind 1
Yes, we permanently set this bool.
If the init script is turning it on, you could see avc's like this.
Have no idea what the bootloader->rpm_script one is.
There used to be some kernel update scripts that were labeled as bootloader_exec_t?
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Strange and these happen on every boot, and then stop?
Just tried another reboot and got the same results so I would say that it happens on every boot.
Could you make sure that the policy is installed correctly.
# yum reinstall selinux-policy-targeted
and see if something blows up.
Same results as before. Did get a new avc just before the reboot doing a yum update.
allow bootloader_t rpm_script_t:process transition;
----
time->Sat Jan 28 07:47:51 2012
type=SYSCALL msg=audit(1327765671.705:3395): arch=c000003e syscall=59 success=yes exit=0 a0=1429290 a1=12e3550 a2=7fffd4c974c8 a3=20 items=0 ppid=24868 pid=24878 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327765671.705:3395): avc: denied { transition } for pid=24878 comm="rpm" path="/bin/bash" dev=dm-1 ino=393240 scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
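For readers working through the audit records quoted in this thread, the following is an added example (not part of any poster's message and not the code of audit2allow): it pairs each AVC denial with the SYSCALL record of the same audit event and condenses the denials into allow-rule form. The function names are hypothetical, and the sample is abridged from the records quoted above.

```python
import re
from collections import Counter, defaultdict

# Records abridged from the ausearch output quoted in this thread (unused
# fields dropped) and joined on one line, as the archive page renders them.
SAMPLE = " ".join([
    "time->Tue Jan 24 06:17:02 2012",
    'type=SYSCALL msg=audit(1327414622.867:2517): syscall=59 success=yes exit=0 comm="sh"',
    'type=AVC msg=audit(1327414622.867:2517): avc: denied { transition } for pid=5253 comm="rpm"'
    " scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023"
    " tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process",
    "---- time->Tue Jan 24 06:23:38 2012",
    'type=SYSCALL msg=audit(1327415018.410:38): syscall=2 success=no exit=-13 comm="/usr/sbin/httpd"',
    'type=AVC msg=audit(1327415018.410:38): avc: denied { search } for pid=1359 name="yp"'
    " scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir",
    "---- time->Tue Jan 24 06:23:38 2012",
    'type=SYSCALL msg=audit(1327415018.410:39): syscall=2 success=no exit=-13 comm="/usr/sbin/httpd"',
    'type=AVC msg=audit(1327415018.410:39): avc: denied { search } for pid=1360 name="yp"'
    " scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir",
    "---- time->Tue Jan 24 06:23:38 2012",
    'type=SYSCALL msg=audit(1327415018.418:46): syscall=42 success=no exit=-13 comm="dbus-daemon-lau"',
    'type=AVC msg=audit(1327415018.418:46): avc: denied { name_connect } for pid=1369 dest=111'
    " scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023"
    " tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket",
    "---- time->Tue Jan 24 06:23:38 2012",
    'type=SYSCALL msg=audit(1327415018.418:47): syscall=49 success=no exit=-13 comm="dbus-daemon-lau"',
    'type=AVC msg=audit(1327415018.418:47): avc: denied { name_bind } for pid=1369 src=697'
    " scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023"
    " tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket",
])

# One record runs from "type=X msg=audit(ID):" up to the next such header, so
# the parser works on line-per-record logs and on the flattened form alike.
RECORD_RE = re.compile(
    r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):(.*?)(?=type=\w+ msg=audit\(|\Z)",
    re.S,
)
DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass|success)=(\S+)")


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def parse_events(text):
    """Group records by audit event ID (timestamp:serial).

    The full ID is the key because serial numbers restart at boot
    (2517 before the reboot in this thread, 38 after it).
    """
    events = defaultdict(lambda: {"success": None, "denials": []})
    for rtype, event_id, body in RECORD_RE.findall(text):
        fields = dict(FIELD_RE.findall(body))
        if rtype == "SYSCALL":
            events[event_id]["success"] = fields.get("success")
        elif rtype == "AVC":
            denied = DENIED_RE.search(body)
            if not denied or not {"scontext", "tcontext", "tclass"} <= fields.keys():
                continue  # granted or truncated record: nothing to report
            events[event_id]["denials"].append((
                selinux_type(fields["scontext"]),
                selinux_type(fields["tcontext"]),
                fields["tclass"],
                tuple(denied.group(1).split()),
            ))
    return dict(events)


def denial_counts(events):
    """Count denials per (source, target, class, permission, syscall success)."""
    counts = Counter()
    for event in events.values():
        for stype, ttype, tclass, perms in event["denials"]:
            for perm in perms:
                counts[(stype, ttype, tclass, perm, event["success"])] += 1
    return counts


def allow_rules(events):
    """Collapse the denials into de-duplicated allow-rule strings."""
    merged = defaultdict(set)
    for event in events.values():
        for stype, ttype, tclass, perms in event["denials"]:
            merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        names = sorted(perms)
        perm = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm};")
    return rules


if __name__ == "__main__":
    parsed = parse_events(SAMPLE)
    for rule in allow_rules(parsed):
        print(rule)
    for key, count in sorted(denial_counts(parsed).items()):
        print(count, *key)
```

The summary separates the one denial whose system call still succeeded (the bootloader_t to rpm_script_t transition, `success=yes`) from the boot-time denials that returned `exit=-13`.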
"David Highley wrote:"
"Miroslav Grepl wrote:"
On 01/26/2012 05:33 AM, David Highley wrote:
"Daniel J Walsh wrote:"
On 01/25/2012 01:38 PM, David Highley wrote:
"Daniel J Walsh wrote:" On 01/24/2012 10:39 PM, David Highley wrote:
Do you have the allow_ypbind boolean permanently turned on?
setsebool -P allow_ypbind 1
Yes, we permanently set this bool.
If the init script is turning it on, you could see avc's like this.
Have no idea what the bootloader->rpm_script one is.
There used to be some kernel update scripts that were labeled as bootloader_exec_t?
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Strange and these happen on every boot, and then stop?
Just tried another reboot and got the same results so I would say that it happens on every boot.
Could you make sure that the policy is installed correctly.
# yum reinstall selinux-policy-targeted
and see if something blows up.
Same results as before. Did get a new avc just before the reboot doing a yum update.
To add more clarity to the boot up AVC, we did check for any sign of AVC when we reinstalled selinux-policy-targeted.
allow bootloader_t rpm_script_t:process transition;
time->Sat Jan 28 07:47:51 2012
type=SYSCALL msg=audit(1327765671.705:3395): arch=c000003e syscall=59 success=yes exit=0 a0=1429290 a1=12e3550 a2=7fffd4c974c8 a3=20 items=0 ppid=24868 pid=24878 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327765671.705:3395): avc: denied { transition } for pid=24878 comm="rpm" path="/bin/bash" dev=dm-1 ino=393240 scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
Packages in this update were:
Jan 28 07:46:28 Updated: libuuid-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:29 Updated: libblkid-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:29 Updated: 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64
Jan 28 07:46:29 Updated: libcurl-7.21.7-6.fc16.x86_64
Jan 28 07:46:30 Updated: curl-7.21.7-6.fc16.x86_64
Jan 28 07:46:30 Updated: 12:dhcp-common-4.2.3-6.P2.fc16.x86_64
Jan 28 07:46:31 Updated: libmount-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:32 Updated: setroubleshoot-server-3.1.2-1.fc16.x86_64
Jan 28 07:46:32 Installed: python-tornado-2.1.1-1.fc16.noarch
Jan 28 07:46:33 Updated: python-kitchen-1.1.0-1.fc16.noarch
Jan 28 07:46:33 Updated: pyrpkg-1.11-1.fc16.noarch
Jan 28 07:46:34 Updated: mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64
Jan 28 07:46:39 Installed: kernel-3.2.2-1.fc16.x86_64
Jan 28 07:46:40 Updated: xorg-x11-drv-intel-2.17.0-8.fc16.x86_64
Jan 28 07:46:40 Updated: mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64
Jan 28 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch
Jan 28 07:46:42 Updated: ipython-0.12-2.fc16.noarch
Jan 28 07:46:43 Updated: setroubleshoot-3.1.2-1.fc16.x86_64
Jan 28 07:46:44 Updated: util-linux-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:44 Updated: 12:dhclient-4.2.3-6.P2.fc16.x86_64
Jan 28 07:46:46 Updated: libcurl-devel-7.21.7-6.fc16.x86_64
Jan 28 07:46:47 Updated: rsyslog-5.8.7-1.fc16.x86_64
Jan 28 07:46:48 Updated: t1lib-5.1.2-9.fc16.x86_64
Jan 28 07:46:49 Updated: kernel-headers-3.2.2-1.fc16.x86_64
Jan 28 07:46:59 Installed: kernel-devel-3.2.2-1.fc16.x86_64
Jan 28 07:47:00 Updated: mdadm-3.2.3-3.fc16.x86_64
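An added example, not code from the thread or from the SELinux tools: a small parser that pairs each AVC denial with the SYSCALL record sharing its audit event id and derives candidate allow rules in the form of the rule posted above. The names parse_denials, allow_rules and outcome are this example's own, and the sample records are copied from this thread's log and abridged.

```python
import re
from collections import Counter, defaultdict, namedtuple

# Sample input: five records copied from the audit excerpt in this thread,
# abridged (several SYSCALL fields dropped) and reflowed one record per line.
SAMPLE = """\
----
time->Tue Jan 24 06:17:02 2012
type=SYSCALL msg=audit(1327414622.867:2517): arch=c000003e syscall=59 success=yes exit=0 pid=5253 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
type=AVC msg=audit(1327414622.867:2517): avc: denied { transition } for pid=5253 comm="rpm" path="/bin/bash" dev=dm-1 ino=393240 scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.410:38): arch=c000003e syscall=2 success=no exit=-13 pid=1359 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1327415018.410:38): avc: denied { search } for pid=1359 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.410:39): arch=c000003e syscall=2 success=no exit=-13 pid=1360 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1327415018.410:39): avc: denied { search } for pid=1360 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.418:46): arch=c000003e syscall=42 success=no exit=-13 pid=1369 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
type=AVC msg=audit(1327415018.418:46): avc: denied { name_connect } for pid=1369 comm="dbus-daemon-lau" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.418:47): arch=c000003e syscall=49 success=no exit=-13 pid=1369 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
type=AVC msg=audit(1327415018.418:47): avc: denied { name_bind } for pid=1369 comm="dbus-daemon-lau" src=697 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")    # timestamp:serial
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")    # permission list
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value or key="value"

Denial = namedtuple(
    "Denial", "event_id perms source target tclass comm success exit")


def fields(line):
    """Return the key=value pairs of one audit record as a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def se_type(context):
    """Type is the third field of user:role:type:level."""
    return context.split(":")[2]


def parse_denials(text):
    """Pair every AVC denial with the SYSCALL record of the same event id."""
    syscalls, avcs = {}, []
    for line in text.splitlines():
        ev = EVENT_ID.search(line)
        if not ev:
            continue                      # "----" separators and time-> lines
        f = fields(line)
        if f.get("type") == "SYSCALL":
            syscalls[ev.group(1)] = f
        elif f.get("type") == "AVC":
            m = DENIED.search(line)
            if m:
                avcs.append((ev.group(1), tuple(m.group(1).split()), f))
    denials = []
    for event_id, perms, f in avcs:       # pair afterwards: order-independent
        sc = syscalls.get(event_id, {})
        denials.append(Denial(event_id, perms, se_type(f["scontext"]),
                              se_type(f["tcontext"]), f["tclass"],
                              f.get("comm", ""), sc.get("success"),
                              sc.get("exit")))
    return denials


def outcome(d):
    """Say what the paired SYSCALL record reports (exit=-13 is EACCES)."""
    if d.success == "no":
        return "blocked, syscall exit=%s" % d.exit
    if d.success == "yes":
        return "denial logged, syscall succeeded"
    return "no SYSCALL record for this event"


def allow_rules(denials):
    """Merge denials into (candidate allow rule, number of denials) pairs."""
    perms, hits = defaultdict(set), Counter()
    for d in denials:
        key = (d.source, d.target, d.tclass)
        perms[key].update(d.perms)
        hits[key] += 1
    rules = []
    for key in sorted(perms):
        p = sorted(perms[key])
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(("allow %s %s:%s %s;" % (key + (perm_txt,)), hits[key]))
    return rules


if __name__ == "__main__":
    found = parse_denials(SAMPLE)
    for d in found:
        print(d.event_id, d.comm, d.perms, "->", outcome(d))
    for rule, count in allow_rules(found):
        print("%dx %s" % (count, rule))
```

The first rule it derives is the one posted in the thread. The thread ties the httpd and dbus denials to the allow_ypbind boolean, so those rules are material for review, not policy to load.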
On 01/28/2012 02:15 PM, David Highley wrote:
"David Highley wrote:"
"Miroslav Grepl wrote:"
On 01/26/2012 05:33 AM, David Highley wrote:
"Daniel J Walsh wrote:"
On 01/25/2012 01:38 PM, David Highley wrote:
Any idea of what process is running as bootloader_t?
ps -eZ | grep bootloader_t or find /sbin/ -context "*:bootloader_exec_t*"
Since we were running yum update and there was a kernel update involved it could be several from the list below.
/sbin/grub2-setup
/sbin/installkernel
/sbin/grub2-reboot
/sbin/grub2-probe
/sbin/grub2-mkdevicemap
/sbin/grub2-set-default
/sbin/grubby
/sbin/grub2-install
/sbin/grub2-mkconfig
/sbin/grub2-mknetdir
/sbin/new-kernel-pkg
On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
tty=(none) ses=4294967295 comm="dbus-daemon-lau" >>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper" >>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 >>>>>> >>>>>>
key=(null) type=AVC msg=audit(1327415018.418:46): avc:
>>>>>> denied { name_connect } for pid=1369 >>>>>> comm="dbus-daemon-lau" dest=111 >>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 >>>>>> >>>>>>
tcontext=system_u:object_r:portmap_port_t:s0
>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38 >>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:47): >>>>>> arch=c000003e syscall=49 success=no exit=-13 a0=3 >>>>>> a1=7fff07112f60 a2=10 a3=98 items=0 ppid=1367 >>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0 >>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 >>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau" >>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper" >>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 >>>>>> >>>>>>
key=(null) type=AVC msg=audit(1327415018.418:47): avc:
>>>>>> denied { name_bind } for pid=1369 >>>>>> comm="dbus-daemon-lau" src=697 >>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 >>>>>> >>>>>>
tcontext=system_u:object_r:hi_reserved_port_t:s0
>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38 >>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:48): >>>>>> arch=c000003e syscall=42 success=no exit=-13 a0=3 >>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367 >>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0 >>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 >>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau" >>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper" >>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 >>>>>> >>>>>>
key=(null) type=AVC msg=audit(1327415018.418:48): avc:
>>>>>> denied { name_connect } for pid=1369 >>>>>> comm="dbus-daemon-lau" dest=111 >>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 >>>>>> >>>>>>
tcontext=system_u:object_r:portmap_port_t:s0
>>> Do you have the allow_ypbind boolean permanently turned on
>>>
>>> setsebool -P allow_ypbind 1
>>>
>>>> Yes, we permanently set this bool.
>>> If the init script is turning it on, you could see avc's like this.
>>>
>>> Have no idea what the bootloader->rpm_script one is.
>>>
>>> There used to be some kernel update scripts that were labeled as bootloader_exec_t?
>>> -- selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
Strange and these happen on every boot, and then stop?
> Just tried another reboot and got the same results so I would say that it happens on every boot.
Could you make sure that the policy is installed correctly.
# yum reinstall selinux-policy-targeted
and see if something blows up.
Same results as before. Did get a new avc just before the reboot doing a yum update.
To add more clarity to the boot up AVC, we did check for any sign of AVC when we reinstalled selinux-policy-targeted.
allow bootloader_t rpm_script_t:process transition;
----
time->Sat Jan 28 07:47:51 2012
type=SYSCALL msg=audit(1327765671.705:3395): arch=c000003e syscall=59 success=yes exit=0 a0=1429290 a1=12e3550 a2=7fffd4c974c8 a3=20 items=0 ppid=24868 pid=24878 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327765671.705:3395): avc: denied { transition } for pid=24878 comm="rpm" path="/bin/bash" dev=dm-1 ino=393240 scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
Packages in this update were:
Jan 28 07:46:28 Updated: libuuid-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:29 Updated: libblkid-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:29 Updated: 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64
Jan 28 07:46:29 Updated: libcurl-7.21.7-6.fc16.x86_64
Jan 28 07:46:30 Updated: curl-7.21.7-6.fc16.x86_64
Jan 28 07:46:30 Updated: 12:dhcp-common-4.2.3-6.P2.fc16.x86_64
Jan 28 07:46:31 Updated: libmount-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:32 Updated: setroubleshoot-server-3.1.2-1.fc16.x86_64
Jan 28 07:46:32 Installed: python-tornado-2.1.1-1.fc16.noarch
Jan 28 07:46:33 Updated: python-kitchen-1.1.0-1.fc16.noarch
Jan 28 07:46:33 Updated: pyrpkg-1.11-1.fc16.noarch
Jan 28 07:46:34 Updated: mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64
Jan 28 07:46:39 Installed: kernel-3.2.2-1.fc16.x86_64
Jan 28 07:46:40 Updated: xorg-x11-drv-intel-2.17.0-8.fc16.x86_64
Jan 28 07:46:40 Updated: mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64
Jan 28 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch
Jan 28 07:46:42 Updated: ipython-0.12-2.fc16.noarch
Jan 28 07:46:43 Updated: setroubleshoot-3.1.2-1.fc16.x86_64
Jan 28 07:46:44 Updated: util-linux-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:44 Updated: 12:dhclient-4.2.3-6.P2.fc16.x86_64
Jan 28 07:46:46 Updated: libcurl-devel-7.21.7-6.fc16.x86_64
Jan 28 07:46:47 Updated: rsyslog-5.8.7-1.fc16.x86_64
Jan 28 07:46:48 Updated: t1lib-5.1.2-9.fc16.x86_64
Jan 28 07:46:49 Updated: kernel-headers-3.2.2-1.fc16.x86_64
Jan 28 07:46:59 Installed: kernel-devel-3.2.2-1.fc16.x86_64
Jan 28 07:47:00 Updated: mdadm-3.2.3-3.fc16.x86_64
Any idea of what process is running as bootloader_t?
ps -eZ | grep bootloader_t

or

find /sbin/ -context "*:bootloader_exec_t*"
Since we were running yum update and there was a kernel update involved it could be several from the list below.
/sbin/grub2-setup
/sbin/installkernel
/sbin/grub2-reboot
/sbin/grub2-probe
/sbin/grub2-mkdevicemap
/sbin/grub2-set-default
/sbin/grubby
/sbin/grub2-install
/sbin/grub2-mkconfig
/sbin/grub2-mknetdir
/sbin/new-kernel-pkg
Do you have any (a)?kmod packages installed from rpmfusion.
I have specified labels for the above files bootloader_exec_t a while ago and I was not sure whether this would be a good idea.
I have not had any AVC denials related to this but I do not use grub manually often and I also do not have a default grub config because I am using UEFI setup.
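An added example, not part of the original thread: a small Python parser that collapses ausearch-style AVC records like the ones quoted above into audit2allow-style rule lines with a hit count, so the repeated httpd_t denials reduce to one line and the bootloader_t one matches the rule quoted in the thread. The sample records are shortened copies of lines from this thread (SYSCALL lines mostly omitted, one record deliberately truncated); all function names are this example's own.

```python
import re
from collections import OrderedDict

# Shortened copies of records quoted in this thread. The last AVC line is a
# constructed truncation, to show that damaged records are skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1327414622.867:2517): arch=c000003e syscall=59 success=yes exit=0 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1327414622.867:2517): avc: denied { transition } for pid=5253 comm="rpm" path="/bin/bash" dev=dm-1 ino=393240 scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1327415018.410:38): avc: denied { search } for pid=1359 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1327415018.410:39): avc: denied { search } for pid=1360 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1327415018.411:40): avc: denied { search } for pid=1361 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1327415018.418:46): avc: denied { name_connect } for pid=1369 comm="dbus-daemon-lau" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327415018.418:47): avc: denied { name_bind } for pid=1369 comm="dbus-daemon-lau" src=697 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327415018.418:48): avc: denied { name_connect } for pid=1369 comm="dbus-daemon-lau" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327415018.414:43): avc: denied { search } for pid=1364
"""

DENIAL_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for anything else or if truncated."""
    if "type=AVC" not in line:
        return None
    match = DENIAL_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        return {
            "perms": match.group(1).split(),
            "source": selinux_type(fields["scontext"]),
            "target": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "comm": fields.get("comm", "?"),
        }
    except (KeyError, ValueError):
        return None  # record lost its contexts or class (e.g. mail wrapping)


def summarize(text):
    """Group denials by (source type, target type, class), in first-seen order."""
    rules = OrderedDict()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        entry = rules.setdefault(key, {"perms": set(), "count": 0, "comms": set()})
        entry["perms"].update(rec["perms"])
        entry["count"] += 1
        entry["comms"].add(rec["comm"])
    return rules


def format_rules(rules):
    """Render each group as an audit2allow-style line plus triage details.

    The output is a summary for review (is a boolean or a file label the
    real fix?), not a policy module to load as-is.
    """
    lines = []
    for (src, tgt, cls), entry in rules.items():
        perms = sorted(entry["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append("allow %s %s:%s %s;  # %d denial(s), comm=%s" % (
            src, tgt, cls, perm_text, entry["count"],
            ",".join(sorted(entry["comms"]))))
    return lines


if __name__ == "__main__":
    for rule in format_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
```
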
"Dominick Grift wrote:"
On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
"Daniel J Walsh wrote:"
On 01/28/2012 02:15 PM, David Highley wrote:
"David Highley wrote:"
"Miroslav Grepl wrote:"
On 01/26/2012 05:33 AM, David Highley wrote:
> "Daniel J Walsh wrote:"
On 01/25/2012 01:38 PM, David Highley wrote:
>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39 PM, David Highley wrote:
>>>> Do you have the allow_ypbind boolean permanently turned on
>>>>
>>>> setsebool -P allow_ypbind 1
>>>>
>>>>> Yes, we permanently set this bool.
>>>> If the init script is turning it on, you could see avc's like this.
>>>>
>>>> Have no idea what the bootloader->rpm_script one is.
>>>>
>>>> There used to be some kernel update scripts that were labeled as bootloader_exec_t?
>>>>
Strange and these happen on every boot, and then stop?
>> Just tried another reboot and got the same results so I would say that it happens on every boot.
Could you make sure that the policy is installed correctly.
# yum reinstall selinux-policy-targeted
and see if something blows up.
Same results as before. Did get a new avc just before the reboot doing a yum update.
To add more clarity to the boot up AVC, we did check for any sign of AVC when we reinstalled selinux-policy-targeted.
Any idea of what process is running as bootloader_t?
ps -eZ | grep bootloader_t

or

find /sbin/ -context "*:bootloader_exec_t*"
Since we were running yum update and there was a kernel update involved it could be several from the list below.
/sbin/grub2-setup
/sbin/installkernel
/sbin/grub2-reboot
/sbin/grub2-probe
/sbin/grub2-mkdevicemap
/sbin/grub2-set-default
/sbin/grubby
/sbin/grub2-install
/sbin/grub2-mkconfig
/sbin/grub2-mknetdir
/sbin/new-kernel-pkg
Do you have any (a)?kmod packages installed from rpmfusion.
Yes, we run akmod for nvidia on that system and it also has the new UEFI BIOS. You mentioned modifying grub for the BIOS, is that something that may need to be done? If so, is there documentation about what needs to be changed?
I have specified labels for the above files bootloader_exec_t a while ago and I was not sure whether this would be a good idea.
I have not had any AVC denials related to this but I do not use grub manually often and I also do not have a default grub config because I am using UEFI setup.
On Sun, 2012-01-29 at 09:48 -0800, David Highley wrote:
"Dominick Grift wrote:"
On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
"Daniel J Walsh wrote:"
On 01/28/2012 02:15 PM, David Highley wrote:
"David Highley wrote:"
"Miroslav Grepl wrote:"
> On 01/26/2012 05:33 AM, David Highley wrote:
>> "Daniel J Walsh wrote:"
On 01/25/2012 01:38 PM, David Highley wrote:
>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39 PM, David Highley wrote:
key=(null) type=AVC msg=audit(1327415018.418:48): avc:
>>>>>>>> denied { name_connect } for pid=1369 >>>>>>>> comm="dbus-daemon-lau" dest=111 >>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 >>>>>>>> >>>>>>>>
tcontext=system_u:object_r:portmap_port_t:s0
>>>>>>>> tclass=tcp_socket >>>>> Do you have the allow_ypbind boolean permanantly turned >>>>> on >>>>> >>>>> setsebool -P allow_ypbind 1 >>>>> >>>>>> Yes, we permanently set this bool. >>>>> If the init script is turning it on, you could see >>>>> avc's like this. >>>>> >>>>> Have no idea what the bootloader->rpm_script one is. >>>>> >>>>> There used to be some kernel update scripts that were >>>>> labeled as bootloader_exec_t? -- selinux mailing list >>>>> selinux@lists.fedoraproject.org >>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>
Strange and these happen on every boot, and then stop?
>>> Just tried another reboot and got the same results so I would say that it happens on every boot.
>
> Could you make sure that the policy is installed correctly.
>
> # yum reinstall selinux-policy-targeted
>
> and see if something blows up.
Same results as before. Did get a new avc just before the reboot doing a yum update.
To add more clarity to the boot up AVC, we did check for any sign of AVC when we reinstalled selinux-policy-targeted.
allow bootloader_t rpm_script_t:process transition;
----
time->Sat Jan 28 07:47:51 2012
type=SYSCALL msg=audit(1327765671.705:3395): arch=c000003e syscall=59 success=yes exit=0 a0=1429290 a1=12e3550 a2=7fffd4c974c8 a3=20 items=0 ppid=24868 pid=24878 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327765671.705:3395): avc: denied { transition } for pid=24878 comm="rpm" path="/bin/bash" dev=dm-1 ino=393240 scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process

Packages in this update were:
Jan 28 07:46:28 Updated: libuuid-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:29 Updated: libblkid-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:29 Updated: 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64
Jan 28 07:46:29 Updated: libcurl-7.21.7-6.fc16.x86_64
Jan 28 07:46:30 Updated: curl-7.21.7-6.fc16.x86_64
Jan 28 07:46:30 Updated: 12:dhcp-common-4.2.3-6.P2.fc16.x86_64
Jan 28 07:46:31 Updated: libmount-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:32 Updated: setroubleshoot-server-3.1.2-1.fc16.x86_64
Jan 28 07:46:32 Installed: python-tornado-2.1.1-1.fc16.noarch
Jan 28 07:46:33 Updated: python-kitchen-1.1.0-1.fc16.noarch
Jan 28 07:46:33 Updated: pyrpkg-1.11-1.fc16.noarch
Jan 28 07:46:34 Updated: mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64
Jan 28 07:46:39 Installed: kernel-3.2.2-1.fc16.x86_64
Jan 28 07:46:40 Updated: xorg-x11-drv-intel-2.17.0-8.fc16.x86_64
Jan 28 07:46:40 Updated: mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64
Jan 28 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch
Jan 28 07:46:42 Updated: ipython-0.12-2.fc16.noarch
Jan 28 07:46:43 Updated: setroubleshoot-3.1.2-1.fc16.x86_64
Jan 28 07:46:44 Updated: util-linux-2.20.1-2.2.fc16.x86_64
Jan 28 07:46:44 Updated: 12:dhclient-4.2.3-6.P2.fc16.x86_64
Jan 28 07:46:46 Updated: libcurl-devel-7.21.7-6.fc16.x86_64
Jan 28 07:46:47 Updated: rsyslog-5.8.7-1.fc16.x86_64
Jan 28 07:46:48 Updated: t1lib-5.1.2-9.fc16.x86_64
Jan 28 07:46:49 Updated: kernel-headers-3.2.2-1.fc16.x86_64
Jan 28 07:46:59 Installed: kernel-devel-3.2.2-1.fc16.x86_64
Jan 28 07:47:00 Updated: mdadm-3.2.3-3.fc16.x86_64
Any idea of what process is running as bootloader_t?
ps -eZ | grep bootloader_t

or

find /sbin/ -context "*:bootloader_exec_t*"
Since we were running yum update and there was a kernel update involved it could be several from the list below.
/sbin/grub2-setup
/sbin/installkernel
/sbin/grub2-reboot
/sbin/grub2-probe
/sbin/grub2-mkdevicemap
/sbin/grub2-set-default
/sbin/grubby
/sbin/grub2-install
/sbin/grub2-mkconfig
/sbin/grub2-mknetdir
/sbin/new-kernel-pkg
Do you have any (a)?kmod packages installed from rpmfusion?
Yes, we run akmod for nvidia on that system and it also has the new UEFI BIOS. You mentioned modifying grub for the BIOS, is that something that may need to be done? If so, is there documentation about what needs to be changed?
I meant "i also do not have a default grub config because i am using uefi setup." because a uefi setup requires package grub-efi which is not installed if you do not use uefi. I have not modified grub manually in any way.
I suspect the above issue might be related to akmod. Not sure though. I used to have a policy module for akmod back in the day. Would maybe have been useful now to be able to determine whether this is actually akmod or something else running in the bootloader domain.
I have specified labels for the above files bootloader_exec_t a while ago and i was not sure whether this would be a good idea.
I have not had any AVC denials related to this but i do not use grub manually often and i also do not have a default grub config because i am using uefi setup.
On 01/29/2012 05:39 PM, Dominick Grift wrote:
On Sun, 2012-01-29 at 09:48 -0800, David Highley wrote:
"Dominick Grift wrote:"
On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
"Daniel J Walsh wrote:"
On 01/28/2012 02:15 PM, David Highley wrote:
> "David Highley wrote:"
>> "Miroslav Grepl wrote:"
>>> On 01/26/2012 05:33 AM, David Highley wrote:
>>>> "Daniel J Walsh wrote:"
> On 01/25/2012 01:38 PM, David Highley wrote:
>>>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39 PM, David Highley wrote:
These files are mislabeled. They should not be labeled grub_exec_t.

/sbin/installkernel
/sbin/new-kernel-pkg
If restorecon does not fix the labels, then you need to update policy.
"Daniel J Walsh wrote:"
On 01/29/2012 05:39 PM, Dominick Grift wrote:
On Sun, 2012-01-29 at 09:48 -0800, David Highley wrote:
"Dominick Grift wrote:"
On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
"Daniel J Walsh wrote:"
On 01/28/2012 02:15 PM, David Highley wrote:
>>>>>>>>>>>
key=(null) type=AVC msg=audit(1327415018.418:47): avc:
>>>>>>>>>>> denied { name_bind } for pid=1369 >>>>>>>>>>> comm="dbus-daemon-lau" src=697 >>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 >>>>>>>>>>> >>>>>>>>>>>
>>>>>>>>>>>
tcontext=system_u:object_r:hi_reserved_port_t:s0
>>>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan >>>>>>>>>>> 24 06:23:38 2012 type=SYSCALL >>>>>>>>>>> msg=audit(1327415018.418:48): >>>>>>>>>>> arch=c000003e syscall=42 success=no >>>>>>>>>>> exit=-13 a0=3 a1=7fff071131f0 a2=10 >>>>>>>>>>> a3=98 items=0 ppid=1367 pid=1369 >>>>>>>>>>> auid=4294967295 uid=81 gid=81 euid=0 >>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 >>>>>>>>>>> fsgid=81 tty=(none) ses=4294967295 >>>>>>>>>>> comm="dbus-daemon-lau" >>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper" >>>>>>>>>>> >>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 >>>>>>>>>>> >>>>>>>>>>>
>>>>>>>>>>>
key=(null) type=AVC msg=audit(1327415018.418:48): avc:
>>>>>>>>>>> denied { name_connect } for >>>>>>>>>>> pid=1369 comm="dbus-daemon-lau" >>>>>>>>>>> dest=111 >>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 >>>>>>>>>>> >>>>>>>>>>>
>>>>>>>>>>>
tcontext=system_u:object_r:portmap_port_t:s0
>>>>>>>> Do you have the allow_ypbind boolean permanently turned on
>>>>>>>>
>>>>>>>> setsebool -P allow_ypbind 1
>>>>>>>>
>>>>>>>>> Yes, we permanently set this bool.
>>>>>>>> If the init script is turning it on, you could see avc's like this.
>>>>>>>>
>>>>>>>> Have no idea what the bootloader->rpm_script one is.
>>>>>>>>
>>>>>>>> There used to be some kernel update scripts that were labeled as bootloader_exec_t?
Strange and these happen on every boot, and then stop?
>>>>>> Just tried another reboot and got the same results so I would say that it happens on every boot.
Could you make sure that the policy is installed correctly.
>>>> # yum reinstall selinux-policy-targeted
>>>>
>>>> and see if something blows up.
>>>
>>> Same results as before. Did get a new avc just before the reboot doing a yum update.
>>
>> To add more clarity to the boot up AVC, we did check for any sign of AVC when we reinstalled selinux-policy-targeted.
>>
>>> allow bootloader_t rpm_script_t:process transition;
>>> ----
>>> time->Sat Jan 28 07:47:51 2012
>>> type=SYSCALL msg=audit(1327765671.705:3395): arch=c000003e syscall=59 success=yes exit=0 a0=1429290 a1=12e3550 a2=7fffd4c974c8 a3=20 items=0 ppid=24868 pid=24878 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
>>> type=AVC msg=audit(1327765671.705:3395): avc: denied { transition } for pid=24878 comm="rpm" path="/bin/bash" dev=dm-1 ino=393240 scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
>>
>> Packages in this update were:
>> Jan 28 07:46:28 Updated: libuuid-2.20.1-2.2.fc16.x86_64
>> Jan 28 07:46:29 Updated: libblkid-2.20.1-2.2.fc16.x86_64
>> Jan 28 07:46:29 Updated: 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64
>> Jan 28 07:46:29 Updated: libcurl-7.21.7-6.fc16.x86_64
>> Jan 28 07:46:30 Updated: curl-7.21.7-6.fc16.x86_64
>> Jan 28 07:46:30 Updated: 12:dhcp-common-4.2.3-6.P2.fc16.x86_64
>> Jan 28 07:46:31 Updated: libmount-2.20.1-2.2.fc16.x86_64
>> Jan 28 07:46:32 Updated: setroubleshoot-server-3.1.2-1.fc16.x86_64
>> Jan 28 07:46:32 Installed: python-tornado-2.1.1-1.fc16.noarch
>> Jan 28 07:46:33 Updated: python-kitchen-1.1.0-1.fc16.noarch
>> Jan 28 07:46:33 Updated: pyrpkg-1.11-1.fc16.noarch
>> Jan 28 07:46:34 Updated: mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64
>> Jan 28 07:46:39 Installed: kernel-3.2.2-1.fc16.x86_64
>> Jan 28 07:46:40 Updated: xorg-x11-drv-intel-2.17.0-8.fc16.x86_64
>> Jan 28 07:46:40 Updated: mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64
>> Jan 28 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch
>> Jan 28 07:46:42 Updated: ipython-0.12-2.fc16.noarch
>> Jan 28 07:46:43 Updated: setroubleshoot-3.1.2-1.fc16.x86_64
>> Jan 28 07:46:44 Updated: util-linux-2.20.1-2.2.fc16.x86_64
>> Jan 28 07:46:44 Updated: 12:dhclient-4.2.3-6.P2.fc16.x86_64
>> Jan 28 07:46:46 Updated: libcurl-devel-7.21.7-6.fc16.x86_64
>> Jan 28 07:46:47 Updated: rsyslog-5.8.7-1.fc16.x86_64
>> Jan 28 07:46:48 Updated: t1lib-5.1.2-9.fc16.x86_64
>> Jan 28 07:46:49 Updated: kernel-headers-3.2.2-1.fc16.x86_64
>> Jan 28 07:46:59 Installed: kernel-devel-3.2.2-1.fc16.x86_64
>> Jan 28 07:47:00 Updated: mdadm-3.2.3-3.fc16.x86_64
Any idea of what process is running as bootloader_t?
ps -eZ | grep bootloader_t
or
find /sbin/ -context "*:bootloader_exec_t*"
Since we were running yum update and there was a kernel update involved it could be several from the list below.
/sbin/grub2-setup
/sbin/installkernel
/sbin/grub2-reboot
/sbin/grub2-probe
/sbin/grub2-mkdevicemap
/sbin/grub2-set-default
/sbin/grubby
/sbin/grub2-install
/sbin/grub2-mkconfig
/sbin/grub2-mknetdir
/sbin/new-kernel-pkg
Do you have any (a)?kmod packages installed from rpmfusion?
Yes, we run akmod for nvidia on that system and it also has the new UEFI BIOS. You mentioned modifying grub for the BIOS, is that something that may need to be done? If so, is there documentation about what needs to be changed?
I meant "I also do not have a default grub config because I am using uefi setup." because a uefi setup requires package grub-efi which is not installed if you do not use uefi. I have not modified grub manually in any way.
I suspect the above issue might be related to akmod. Not sure though. I used to have a policy module for akmod back in the day. Would maybe have been useful now to be able to determine whether this is actually akmod or something else running in the bootloader domain.
I have specified labels for the above files bootloader_exec_t a while ago and I was not sure whether this would be a good idea.
I have not had any AVC denials related to this but I do not use grub manually often and I also do not have a default grub config because I am using uefi setup.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
These files are mislabeled. They should not be labeled grub_exec_t. /sbin/installkernel /sbin/new-kernel-pkg
If restorecon does not fix the labels, then you need to update policy.
They did relabel, so we are wondering how they get incorrect labels?
On Mon, 2012-01-30 at 13:07 -0800, David Highley wrote:
"Daniel J Walsh wrote:"
On 01/29/2012 05:39 PM, Dominick Grift wrote:
On Sun, 2012-01-29 at 09:48 -0800, David Highley wrote:
"Dominick Grift wrote:"
On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
"Daniel J Walsh wrote:" >
On 01/28/2012 02:15 PM, David Highley wrote:
>>> "David Highley wrote:"
>>>> "Miroslav Grepl wrote:"
>>>>> On 01/26/2012 05:33 AM, David Highley wrote:
>>>>>> "Daniel J Walsh wrote:"
>>> On 01/25/2012 01:38 PM, David Highley wrote:
>>>>>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39 PM, David Highley wrote:
They used to be labeled bootloader_exec_t at some point, then later the file context specification changed and somehow the /sbin dir has not been restored from that point on, is my best bet.
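The AVC records quoted in this thread repeat the same few denials many times. Grouping them by source type, target type and class shows the distinct denials and sets apart the denied bootloader_t to rpm_script_t transition, which the thread traces to file labels rather than to a missing rule. The Python below is an added example, not code from the thread or from the SELinux tools: the function names are its own, and the sample input is constructed by abridging records quoted above.

```python
import re
from collections import defaultdict

# Ends each record at the next "----" separator or "type=X msg=" record, so
# ausearch output flattened onto one line (as in the quoted mail) still parses.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\([\d.]+:(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)"
    r"(?=\s+----|\s+type=\w+\s+msg=|\Z)",
    re.DOTALL,
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: AVC records abridged from those quoted in the thread.
SAMPLE = (
    '---- time->Sat Jan 28 07:47:51 2012 type=SYSCALL msg=audit(1327765671.705:3395): '
    'syscall=59 success=yes comm="sh" exe="/bin/bash" '
    'type=AVC msg=audit(1327765671.705:3395): avc: denied { transition } for '
    'pid=24878 comm="rpm" path="/bin/bash" '
    'scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process '
    '---- type=AVC msg=audit(1327415018.410:38): avc: denied { search } for '
    'pid=1359 comm="/usr/sbin/httpd" name="yp" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_yp_t:s0 tclass=dir '
    '---- type=AVC msg=audit(1327415018.410:39): avc: denied { search } for '
    'pid=1360 comm="/usr/sbin/httpd" name="yp" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_yp_t:s0 tclass=dir '
    '---- type=AVC msg=audit(1327415018.418:46): avc: denied { name_connect } for '
    'pid=1369 comm="dbus-daemon-lau" dest=111 '
    'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket '
    '---- type=AVC msg=audit(1327415018.418:47): avc: denied { name_bind } for '
    'pid=1369 comm="dbus-daemon-lau" src=697 '
    'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket'
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def parse_denials(text):
    """Yield one dict per complete AVC denial found in ausearch-style text."""
    for m in AVC_RE.finditer(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record: skip it rather than guess
        yield {
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "comm": fields.get("comm", "?"),
        }


def group_denials(text):
    """Collapse repeats into {(source, target, class): perms/count/comms}."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for d in parse_denials(text):
        g = groups[(d["source"], d["target"], d["tclass"])]
        g["perms"].update(d["perms"])
        g["count"] += 1
        g["comms"].add(d["comm"])
    return dict(groups)


def allow_rules(groups):
    """Render each group as the allow rule that would permit it."""
    rules = []
    for (source, target, tclass), g in sorted(groups.items(), key=lambda kv: kv[0]):
        perms = sorted(g["perms"])
        perm_txt = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (source, target, tclass, perm_txt))
    return rules


def denied_transitions(groups):
    """Denied domain transitions: verify file labels before adding a rule."""
    return sorted(
        (source, target)
        for (source, target, tclass), g in groups.items()
        if tclass == "process" and "transition" in g["perms"]
    )


if __name__ == "__main__":
    found = group_denials(SAMPLE)
    print("\n".join(allow_rules(found)))
    print("check labels first:", denied_transitions(found))
```

The first rule it prints matches the `allow bootloader_t rpm_script_t:process transition;` line quoted in the thread, and `denied_transitions` lists that pair separately because the replies point to stale labels under /sbin as the cause.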