On 05/02/2012 05:08 PM, antonio montagnani wrote:
On 02/05/2012 22:54, Daniel J Walsh wrote:
On 05/02/2012 04:35 PM, antonio montagnani wrote:
>>> On 02/05/2012 22:24, Daniel J Walsh wrote:
>>> On 05/02/2012 04:22 PM, Adam Williamson wrote:
>>>>>> On Sat, 2012-04-28 at 20:30 +0100, Frank Murphy wrote:
>>>>>>> On 28/04/12 20:26, antonio wrote:
>>>>>>>> I upgraded from F-16 to F-17 Beta, then upgraded to find
>>>>>>>> that I couldn't delete my own files!!! after disabling
>>>>>>>> Selinux and enabling it again (i.e. relabeling) everything
>>>>>>>> is o.k. Anybody experiencing it??
>>>>>>>
>>>>>>> No, but it's good practice to do a relabel after an update.
>>>>>>> As policies most likely have changed, even if subtly.
>>>>>>>
>>>>>>> I'm surprised a full relabel wasn't done automatically.
>>>>>>
>>>>>> Antonio doesn't really provide much detail on how exactly he
>>>>>> upgraded. I think anaconda-based upgrades do a relabel
>>>>>> automatically, but obviously upgrading via yum won't
>>>>>> necessarily do so.
>>>
>>> We have not done a full relabel on upgrade, since it could take
>>> potentially a very long time. We could just drop the /.autorelabel
>>> file in preupgrade which would trigger the relabel. I have not heard
>>> of other people having SELinux labeling issues on upgrade, I wish we
>>> had the audit.log to see what the problem was.
>>>
>>> Dan,
>>>
>>> where do I find the audit.log file???
>>>
>>> Tnx
>>>
/var/log/audit/audit.log
ausearch -m avc
Will extract the parts I care about
> ausearch -m avc
> ----
> time->Sat Apr 14 18:01:38 2012
> type=SYSCALL msg=audit(1334419298.900:159): arch=40000003 syscall=11 success=yes exit=0 a0=8aee390 a1=8aee400 a2=8aed980 a3=8aed980 items=0 ppid=20996 pid=20997 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=pts0 ses=2 comm="newaliases" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1334419298.900:159): avc: denied { read } for pid=20997 comm="newaliases" path="/home/antonio" dev=dm-2 ino=1048577 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> type=AVC msg=audit(1334419298.900:159): avc: denied { read } for pid=20997 comm="newaliases" path="/home/antonio" dev=dm-2 ino=1048577 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> ----
> time->Thu Apr 19 18:35:45 2012
> type=SYSCALL msg=audit(1334853345.590:66): arch=40000003 syscall=5 success=no exit=-13 a0=81159d0 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1845 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
> type=AVC msg=audit(1334853345.590:66): avc: denied { read } for pid=1845 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Thu Apr 19 18:39:05 2012
> type=AVC msg=audit(1334853545.115:41): avc: denied { read } for pid=892 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Thu Apr 19 21:40:30 2012
> type=AVC msg=audit(1334864430.369:41): avc: denied { read } for pid=902 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Fri Apr 20 07:02:19 2012
> type=AVC msg=audit(1334898139.025:41): avc: denied { read } for pid=921 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Fri Apr 20 18:11:40 2012
> type=AVC msg=audit(1334938300.294:43): avc: denied { read } for pid=886 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Fri Apr 20 22:49:42 2012
> type=AVC msg=audit(1334954982.484:40): avc: denied { read } for pid=928 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sat Apr 21 07:31:25 2012
> type=AVC msg=audit(1334986285.449:40): avc: denied { read } for pid=880 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sat Apr 21 10:25:11 2012
> type=AVC msg=audit(1334996711.727:44): avc: denied { read } for pid=914 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sat Apr 21 12:26:50 2012
> type=AVC msg=audit(1335004010.139:41): avc: denied { read } for pid=883 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sun Apr 22 07:07:06 2012
> type=AVC msg=audit(1335071226.584:41): avc: denied { read } for pid=892 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sun Apr 22 08:00:32 2012
> type=AVC msg=audit(1335074432.589:40): avc: denied { read } for pid=903 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Sat Apr 28 19:02:02 2012
> type=AVC msg=audit(1335632522.668:9): avc: denied { read } for pid=619 comm="dmesg" name="ld.so.cache" dev="dm-1" ino=525985 scontext=system_u:system_r:dmesg_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
> [root@exmarco ~]#
The NetworkManager problem and the dmesg problem should be fixed by updating
to the latest Fedora policy. restorecon -R /etc/ld.so.cache might also help.
newaliases trying to list your home directory seems pretty weird. I guess if
you run that command in a directory it tries to list the current directory.
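
A triage helper for the `ausearch -m avc` output discussed in this thread, added here as an example (it is not code from any of the posters or from the SELinux project). It strips mail quoting, undoes line wrapping, collapses an AVC that is logged twice within one audit event, and counts distinct denials by command, source type, target type, class, permission and object; the name `summarize` and the embedded sample are this example's own.

```python
import re
from collections import Counter

# Sample input embedded for the example: records copied from the log quoted in
# the thread, kept mail-quoted and wrapped the way a mail client leaves them.
SAMPLE = """\
> ----
> time->Sat Apr 14 18:01:38 2012
> type=AVC msg=audit(1334419298.900:159): avc: denied { read } for pid=20997
> comm="newaliases" path="/home/antonio" dev=dm-2 ino=1048577
> scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=AVC
> msg=audit(1334419298.900:159): avc: denied { read } for pid=20997
> comm="newaliases" path="/home/antonio" dev=dm-2 ino=1048577
> scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> ----
> time->Thu Apr 19 18:39:05 2012
> type=AVC msg=audit(1334853545.115:41): avc: denied { read } for pid=892
> comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148
> scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
> ----
> time->Thu Apr 19 21:40:30 2012
> type=AVC msg=audit(1334864430.369:41): avc: denied { read } for pid=902
> comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148
> scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
"""

AVC = re.compile(r'type=AVC msg=audit\(([\d.]+:\d+)\): avc: denied \{ ([^}]+) \} for '
                 r'(.*?)(?= type=\w+ msg=audit| ---- |$)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def summarize(text):
    """Count distinct AVC denials, collapsing repeats within one audit event."""
    # Drop "> " quote markers and rejoin wrapped lines into one space-separated stream.
    flat = " ".join(w for ln in text.splitlines() for w in ln.lstrip("> ").split())
    seen, counts = set(), Counter()
    for event, perms, tail in AVC.findall(flat):
        f = {k: v.strip('"') for k, v in FIELD.findall(tail)}
        key = (f.get("comm"), f["scontext"].split(":")[2],
               f["tcontext"].split(":")[2], f["tclass"],
               perms.strip(), f.get("path") or f.get("name"))
        if (event, key) not in seen:   # same denial printed twice for one event id
            seen.add((event, key))
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Grouping by source and target type separates denials that recur on every boot from one-off events, and shows the label each denied object carried when access was refused.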