I installed the current FC5 over HTTP about a week or two ago. It has been updated from rawhide.
It is currently installed on hda2 and is run from qemu.
I see many avc denied messages in dmesg (repeated 210 times with different pids):
audit(1142439027.188:2): avc: denied { search } for pid=349
comm="pam_console_app" name="var" dev=hda2 ino=210081
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
hda2 here is /
It can't mount /var/spool/squid at boot time. dmesg is:
audit(1142439059.662:212): avc: denied { mounton } for pid=820 comm="mount"
name="squid" dev=hda7 ino=261122 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
hda7 here is /var
After booting I can mount it with: # mount /var/spool/squid (/etc/fstab uses default options):
"kjournald starting. Commit interval 5 seconds
EXT3 FS on hda5, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda5, type ext3), uses xattr"
I can't switch to strict mode.
I did it by editing /etc/selinux/config and touching /.autorelabel.
The system can't boot after restarting: many avc denied for init_t, etc.
Where am I wrong?
security: 5 users, 5 roles, 1555 types, 68 bools, 1 sens, 256 cats
security: 55 classes, 89189 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1142442162.184:2): avc: denied { search } for pid=1 comm="init"
name="lib" dev=hda2 ino=775681 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=dir
audit(1142442162.188:3): avc: denied { read } for pid=1 comm="init"
name="ld-linux.so.2" dev=hda2 ino=775935 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=lnk_file
audit(1142442162.188:4): avc: denied { execute } for pid=1 comm="init"
name="ld-2.4.so" dev=hda2 ino=775682 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1142442162.188:5): avc: denied { read } for pid=1 comm="init"
name="ld-2.4.so" dev=hda2 ino=775682 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:ld_so_t:s0 tclass=file
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
audit(1142442163.580:6): avc: denied { sigchld } for pid=1 comm="init"
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0
tclass=process
audit(1142442169.142:7): avc: denied { execute } for pid=325 comm="udevd"
name="udev_run_hotplugd" dev=hda2 ino=775731
scontext=system_u:system_r:udev_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0
tclass=file
audit(1142442169.142:8): avc: denied { execute_no_trans } for pid=325
comm="udevd" name="udev_run_hotplugd" dev=hda2 ino=775731
scontext=system_u:system_r:udev_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0
tclass=file
audit(1142442171.434:9): avc: denied { search } for pid=364
comm="pam_console_app" name="var" dev=hda2 ino=210081
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
.........
Please excuse me for my engrish :)
--
Maxim Britov
GnuPG KeyID 0x4580A6D66F3DB1FB xmpp:maxim@modum.by icq 198171258
Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB
GnuPG-ru Team (http://lists.gnupg.org/mailman/listinfo/gnupg-ru xmpp:gnupg-ru@conference.jabber.ru)
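
Added example, not part of the original post: a small Python triage script that rejoins line-wrapped AVC records like the ones above and collapses repeats that differ only by pid or timestamp, so 210 identical denials show up as one row. The function names and the sample text (two records from the post plus one constructed repeat) are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample: records from the post as wrapped by the mail client,
# plus one constructed repeat of the first denial under a different pid.
SAMPLE = """\
audit(1142439027.188:2): avc: denied { search } for pid=349
comm="pam_console_app" name="var" dev=hda2 ino=210081
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1142439027.190:3): avc: denied { search } for pid=350
comm="pam_console_app" name="var" dev=hda2 ino=210081
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1142439059.662:212): avc: denied { mounton } for pid=820 comm="mount"
name="squid" dev=hda7 ino=261122 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
SELinux: initialized (dev hda5, type ext3), uses xattr
"""

def parse_avc(text):
    """Rejoin wrapped records: one starts at 'audit(' and ends at tclass=."""
    records, open_rec = [], None
    for line in text.splitlines():
        if line.startswith("audit(") and "avc:" in line:
            open_rec = [line]
        elif open_rec is not None:
            open_rec.append(line)
        else:
            continue  # unrelated kernel message between records
        if "tclass=" in line:
            records.append(" ".join(open_rec))
            open_rec = None
    return records

def summarize(text):
    """Count denials by (source type, target type, class, perms, name)."""
    counts = Counter()
    for rec in parse_avc(text):
        perms = " ".join(re.search(r"\{([^}]*)\}", rec).group(1).split())
        f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', rec))
        stype, ttype = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
        counts[(stype, ttype, f["tclass"], perms, f.get("name", "").strip('"'))] += 1
    return counts

def unlabeled(counts):
    """Rows whose target is file_t, the type given to files with no label."""
    return sorted(k for k in counts if k[1] == "file_t")

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```
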