Hello everyone.
The HTTP server doesn't start on boot; it prints roughly the following message. It was difficult to copy because it was shown only during the startup process, and no log messages were written to any log file.
Message: Address Family for Hostname not supported: (EAI 9) alloc_listener failed to setup sockaddr for 127.0.0.1. That is roughly the message.
This happens when I set the option Listen 127.0.0.1:80. When I start httpd manually it starts successfully, but not on boot.
It also says there is a syntax error on the line containing the Listen directive, but if I run the syntax check, httpd says the syntax is OK.
I'm using Fedora 9 with the latest updates: selinux 3.3.1-55, httpd 2.2.8-3, kernel 2.6.25.3-18.
Carlos Chavez wrote:
Hello everyone.
The HTTP server doesn't start on boot; it prints roughly the following message. It was difficult to copy because it was shown only during the startup process, and no log messages were written to any log file.
My wild guess at the cause of this would be that NetworkManager hasn't started the network at the time the httpd initscript runs.
Are there any indications in the logs (such as AVC denials) that this is an SELinux issue?
Paul.
Hi everyone,
Over the last few days, I have managed to upgrade myself from FC4 (yes, really!) all the way to Fedora 9.
My system is an X86_64 dual-core Intel box with 8GB of memory and it seems to run so much faster with a smaller memory footprint under F9. Thanks to all the Fedora developers!
My problem is that after the upgrades I was getting all sorts of SELinux errors (from practically every application), so I figured that I would go ahead and relabel the filesystems. After the relabel, I was still getting dozens of errors per second, so I changed SELinux to Permissive mode (via /etc/selinux/config), rebooted and the system is now working.
However, I would like to get SELinux to work in Enforcing mode.
I have the following SELinux related packages installed:
# yum list all selinux*
Installed Packages
selinux-doc.noarch                 1.26-1.1        installed
selinux-policy.noarch              3.3.1-55.fc9    installed
selinux-policy-targeted.noarch     3.3.1-55.fc9    installed
Available Packages
selinux-policy-devel.noarch        3.3.1-55.fc9    updates
selinux-policy-mls.noarch          3.3.1-55.fc9    updates
These are the types of errors I was seeing:
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.144:12): avc: denied { getattr } for pid=1495 comm="restorecon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.316:13): avc: denied { getattr } for pid=1503 comm="dmsetup" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.934:14): avc: denied { getattr } for pid=1513 comm="fsck" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486110.804:15): avc: denied { getattr } for pid=1519 comm="mount" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486112.460:16): avc: denied { getattr } for pid=1564 comm="swapon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486124.825:21): avc: denied { getattr } for pid=1907 comm="restorecond" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486125.516:22): avc: denied { getattr } for pid=2015 comm="iptables" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486127.411:23): avc: denied { getattr } for pid=2888 comm="mcstransd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:43:58 satyr dbus: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4598 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
Jun 3 02:43:59 satyr dbus: avc: denied { acquire_svc } for service=org.kde.klauncher spid=4608 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
Any help in getting this working would be very much appreciated!
Thanks.
---Kayvan
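As an added example (not code from the thread), here is a small Python parser for AVC records in both the syslog form above and the ausearch form posted later in the thread; it collapses the flood of denials into distinct rules and flags source contexts whose SELinux user looks wrong. The sample lines are constructed copies of records quoted in this thread, and the set of SELinux users expected in system_r is an assumption about a Fedora targeted system.

```python
import re
from collections import Counter

# Constructed sample: copies of AVC records quoted in this thread (syslog form
# from /var/log/messages and ausearch form from the audit log).
SAMPLE_LOG = """\
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.144:12): avc: denied { getattr } for pid=1495 comm="restorecon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.316:13): avc: denied { getattr } for pid=1503 comm="dmsetup" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486112.460:16): avc: denied { getattr } for pid=1564 comm="swapon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:43:58 satyr dbus: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4598 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
Jun 3 02:43:59 satyr dbus: avc: denied { acquire_svc } for service=org.kde.klauncher spid=4608 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
type=AVC msg=audit(1212557943.344:16): avc: denied { read write } for pid=2879 comm="NetworkManager" path="/var/tmp/kdecache-cchavez/kpc/kde-icon-cache.data" dev=dm-0 ino=8356254 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1213067949.988:317): avc: denied { search } for pid=2004 comm="httpd" name="selinux" dev=dm-0 ino=5235563 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1213067949.988:317): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# Shape of a denial: avc: denied { perm perm } for key=value key="quoted value" ...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'perms': tuple(m.group('perms').split())}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # Split user:role:type[:mls]; the MLS part may itself contain colons.
    for side in ('scontext', 'tcontext'):
        user, role, type_ = rec[side].split(':')[:3]
        rec[side + '_user'], rec[side + '_role'], rec[side + '_type'] = user, role, type_
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, class, permissions), so that
    dozens of records per second collapse into a handful of distinct rules."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec['scontext_type'], rec['tcontext_type'],
                    rec['tclass'], rec['perms'])] += 1
    return counts


# Assumption: on a Fedora targeted system, processes in system_r normally run as
# system_u (daemons) or unconfined_u (started from an unconfined login session).
EXPECTED_SYSTEM_USERS = frozenset({'system_u', 'unconfined_u'})


def odd_system_users(log_text, expected=EXPECTED_SYSTEM_USERS):
    """Source contexts in system_r under an unexpected SELinux user. In this
    thread, user_u:system_r:update_modules_t is the visible symptom of the
    __default__ login being mapped to user_u instead of unconfined_u."""
    found = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec['scontext_role'] == 'system_r' \
                and rec['scontext_user'] not in expected:
            found.add(rec['scontext'])
    return sorted(found)


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
    print('unexpected SELinux users in system_r:', odd_system_users(SAMPLE_LOG))
```

On a live system, feed it the output of ausearch -m AVC or the kernel lines from /var/log/messages instead of the constructed sample.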
Does anyone have any suggestions here?
I would really love to get SELinux working correctly on my F9 upgraded box.
What can I do to debug this?
On Tue, Jun 03, 2008 at 03:25:17AM -0700, Kayvan A. Sylvan wrote:
Hi everyone,
Over the last few days, I have managed to upgrade myself from FC4 (yes, really!) all the way to Fedora 9.
Kayvan A. Sylvan wrote:
Hi everyone,
Over the last few days, I have managed to upgrade myself from FC4 (yes, really!) all the way to Fedora 9.
You might need to check your user database
semanage user -l
semanage login -l
On Wed, Jun 04, 2008 at 03:13:08PM -0400, Daniel J Walsh wrote:
You might need to check your user database
semanage user -l
semanage login -l
I do not know anything about how this is supposed to look. Here is what the commands report:
[root@satyr ~]# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                SELinux Roles
root            user       s0         SystemLow-SystemHigh     system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh     system_r
user_u          user       s0         SystemLow-SystemHigh     system_r sysadm_r user_r
[root@satyr ~]# semanage login -l
Login Name    SELinux User    MLS/MCS Range
__default__   user_u          s0
root          root            -s0:c0.c255
system_u      system_u        SystemLow-SystemHigh
Kayvan A. Sylvan wrote:
I do not know anything about how this is supposed to look. Here is what the commands report:
This is an upgrade problem.
For some reason the selinux-policy trigger did not fire, so the default login on your machine is not set up for unconfined users.
If you execute the following three commands it should fix your system:
# semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
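To make that diagnosis checkable, here is an added Python example (not from the thread) that parses the two semanage tables Kayvan posted, reports why the __default__ mapping is broken, and models what the three semanage commands change so the check can be re-run on the result. The tables are constructed copies of the posted output; the expected user name unconfined_u and role unconfined_r are assumptions about the Fedora 9 targeted policy.

```python
# Constructed copies of the semanage user -l / semanage login -l output posted
# in this thread, laid out as the tool prints them.
USER_TABLE = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                SELinux Roles
root            user       s0         SystemLow-SystemHigh     system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh     system_r
user_u          user       s0         SystemLow-SystemHigh     system_r sysadm_r user_r
"""

LOGIN_TABLE = """\
Login Name    SELinux User    MLS/MCS Range
__default__   user_u          s0
root          root            -s0:c0.c255
system_u      system_u        SystemLow-SystemHigh
"""


def parse_users(text):
    """Map SELinux user -> {prefix, level, range, roles} from semanage user -l."""
    users, lines = {}, iter(text.splitlines())
    for line in lines:                      # skip the two-line header
        if line.startswith('SELinux User'):
            break
    for line in lines:
        parts = line.split()
        if len(parts) >= 5:
            users[parts[0]] = {'prefix': parts[1], 'level': parts[2],
                               'range': parts[3], 'roles': set(parts[4:])}
    return users


def parse_logins(text):
    """Map login name -> {seuser, range} from semanage login -l."""
    logins = {}
    for line in text.splitlines()[1:]:      # skip the header line
        parts = line.split()
        if len(parts) == 3:
            logins[parts[0]] = {'seuser': parts[1], 'range': parts[2]}
    return logins


# Assumption: on a Fedora 9 targeted system the default login maps to
# unconfined_u, whose roles include unconfined_r.
def check_default_login(users, logins, wanted='unconfined_u', role='unconfined_r'):
    """Return a list of problems with the __default__ mapping; empty means OK."""
    problems = []
    default = logins.get('__default__')
    if default is None:
        return ['no __default__ login mapping']
    seuser = default['seuser']
    if seuser not in users:
        problems.append(f'__default__ maps to undefined SELinux user {seuser}')
    elif role not in users[seuser]['roles']:
        problems.append(f'__default__ maps to {seuser}, whose roles '
                        f'{sorted(users[seuser]["roles"])} lack {role}')
    if wanted not in users:
        problems.append(f'SELinux user {wanted} is not defined')
    return problems


def apply_targeted_fix(users, logins, mls_range='s0-s0:c0.c1023'):
    """Model of what the three semanage commands in the reply above change:
    define unconfined_u with roles unconfined_r and system_r, then map
    __default__ and root to it. Returns new dicts; the inputs are untouched."""
    users = {k: dict(v, roles=set(v['roles'])) for k, v in users.items()}
    logins = {k: dict(v) for k, v in logins.items()}
    users['unconfined_u'] = {'prefix': 'user', 'level': 's0', 'range': mls_range,
                             'roles': {'unconfined_r', 'system_r'}}
    for login in ('__default__', 'root'):
        logins[login] = {'seuser': 'unconfined_u', 'range': mls_range}
    return users, logins


if __name__ == '__main__':
    users, logins = parse_users(USER_TABLE), parse_logins(LOGIN_TABLE)
    print('before:', check_default_login(users, logins) or 'OK')
    print('after: ', check_default_login(*apply_targeted_fix(users, logins)) or 'OK')
```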
Hi Paul.
No, there are no AVC denial messages or other SELinux-related error messages in the logs. The error messages I posted are shown only during the startup process; no other messages are sent to any log file.
What I did to associate the error with SELinux was to stop SELinux; when I stop SELinux and restart the PC, httpd starts with no problems at boot time.
I'm not sure about NetworkManager; in the logs it seems to load correctly at boot time and sets the network parameters as soon as the process starts, with no delay.
I have configured ntpd to synchronize the date/time and this works fine; it needs the network device set up, so I think NetworkManager works too.
Cheers. Carlos Chávez.
2008/6/3 Paul Howarth paul@city-fan.org:
My wild guess at the cause of this would be that NetworkManager hasn't started the network at the time the httpd initscript runs.
Are there any indications in the logs (such as AVC denials) that this is an SELinux issue?
Paul.
On Tue, 2008-06-03 at 05:46 -0600, Carlos Chavez wrote:
No, there are no AVC denial messages or other SELinux-related error messages in the logs. The error messages I posted are shown only during the startup process; no other messages are sent to any log file.
Are you sure you are looking in the right place for those SELinux denial messages? Look for 'denied' in /var/log/messages and look at the output of ausearch -m AVC
-Eric
Hi Eric. I think so.
cat /var/log/messages | grep denied
cat /var/log/messages | grep avc
Neither command shows any output, and
ausearch -m AVC
shows this:
----
time->Tue Jun 3 23:39:03 2008
type=SYSCALL msg=audit(1212557943.344:16): arch=40000003 syscall=11 success=yes exit=0 a0=9872498 a1=9870c50 a2=9870af0 a3=0 items=0 ppid=2878 pid=2879 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1212557943.344:16): avc: denied { read write } for pid=2879 comm="NetworkManager" path="/var/tmp/kdecache-cchavez/kpc/kde-icon-cache.data" dev=dm-0 ino=8356254 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1212557943.344:16): avc: denied { read write } for pid=2879 comm="NetworkManager" path="/var/tmp/kdecache-cchavez/kpc/kde-icon-cache.index" dev=dm-0 ino=8356253 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
Those messages were from when I restarted NetworkManager as root in a shell.
Cheers. Carlos Chávez.
2008/6/3 Eric Paris eparis@redhat.com:
On Tue, 2008-06-03 at 05:46 -0600, Carlos Chavez wrote:
Are you sure you are looking in the right place for those SELinux denial messages? Look for 'denied' in /var/log/messages and look at the output of ausearch -m AVC
-Eric
Carlos Chavez wrote:
Hi Eric. I think so.
cat /var/log/messages | grep denied
cat /var/log/messages | grep avc
You need to be looking in /var/log/audit/audit.log rather than /var/log/messages if you're running auditd.
Paul.
On Wed, 2008-06-04 at 00:29 -0600, Carlos Chavez wrote:
Hi Eric. I think so.
Huh... If your system is new enough to support it, can you try
semodule -DB and then reboot. After it comes up and fails, give us the output of ausearch -m AVC again...
-Eric
Unfortunately the list has a size limit, so I cannot post the full list of messages; the following is just the part of the messages related to httpd:
type=AVC msg=audit(1213067949.988:317): avc: denied { search } for pid=2004 comm="httpd" name="selinux" dev=dm-0 ino=5235563 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1213067949.988:317): arch=40000003 syscall=5 success=no exit=-13 a0=196e92 a1=8000 a2=1b6 a3=0 items=0 ppid=2003 pid=2004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1213067949.991:318): avc: denied { search } for pid=2004 comm="httpd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1213067949.991:318): arch=40000003 syscall=195 success=no exit=-13 a0=bfc9b81c a1=bfc9b7bc a2=555ff4 a3=bfc9b81c items=0 ppid=2003 pid=2004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1213067949.991:319): avc: denied { search } for pid=2004 comm="httpd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1213067949.991:319): arch=40000003 syscall=5 success=no exit=-13 a0=bfc9b7f4 a1=8000 a2=0 a3=8000 items=0 ppid=2003 pid=2004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=MAC_CONFIG_CHANGE msg=audit(1213069227.345:1828): bool=httpd_can_network_connect val=1 old_val=0 auid=500 ses=1
type=MAC_CONFIG_CHANGE msg=audit(1213069266.437:1833): bool=httpd_can_network_connect_db val=1 old_val=0 auid=500 ses=1
Cheers. Carlos Chávez.
2008/6/4 Eric Paris eparis@redhat.com:
Huh... If your system is new enough to support it, can you try
semodule -DB and then reboot. After it comes up and fails, give us the output of ausearch -m AVC again...
-Eric