Dear all,
running rawhide:
[olivares@localhost ~]$ uname -a
Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP Tue Dec 18 23:57:17 EST 2007 i686 athlon
i386 GNU/Linux
[olivares@localhost ~]$ cat /etc/fedora-release
Fedora release 8.90 (Rawhide)
[olivares@localhost ~]$
After a while of booting with enforcing=0, setroubleshoot now kicks in, and it is
reporting lots of havoc, notably the following:
Summary
SELinux is preventing /usr/sbin/hald (hald_t) "read" to <Unknown>
(system_crond_var_lib_t).
Detailed Description
SELinux denied access requested by /usr/sbin/hald. It is not expected that
this access is required by /usr/sbin/hald and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>, restorecon -v
<Unknown> If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context unconfined_u:system_r:hald_t
Target Context system_u:object_r:system_crond_var_lib_t
Target Objects None [ file ]
Affected RPM Packages hal-0.5.10-3.fc9 [application]
Policy RPM selinux-policy-3.2.5-2.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name localhost
Platform Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count 2
First Seen Fri 21 Dec 2007 01:49:40 PM CST
Last Seen Fri 21 Dec 2007 01:49:53 PM CST
Local ID c4301741-d5e1-42f5-9c6d-0008aeef8586
Line Numbers
Raw Audit Messages
avc: denied { read } for comm=hald dev=dm-0 egid=0 euid=0 exe=/usr/sbin/hald
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=PolicyKit.reload pid=30320
scontext=unconfined_u:system_r:hald_t:s0 sgid=0
subj=unconfined_u:system_r:hald_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:system_crond_var_lib_t:s0 tty=(none) uid=0
It now makes sense that haldaemon does not run because SELinux prevents it from doing so:
[root@localhost ~]# service haldaemon status
hald is stopped
[root@localhost ~]# service haldaemon start
Starting HAL daemon: [FAILED]
[root@localhost ~]# service haldaemon stop
Stopping HAL daemon: [FAILED]
[root@localhost ~]# service haldaemon restart
Stopping HAL daemon: [FAILED]
Starting HAL daemon: [FAILED]
[root@localhost ~]#
K3b tells me the following:
* similar to what Antonio M. also previously told us *
No CD/DVD writer found.
K3b did not find an optical writing device in your system. Thus, you will not be able to
burn CDs or DVDs. However, you can still use other K3b features like audio track
extraction or audio transcoding or ISO9660 image creation.
I am about to go to the holidays, just reporting an observation. Should I file bugs or
has this been taken care of? Thanks to all for reading this far.
I also saw this:
Summary
SELinux prevented dbus-daemon from using the terminal /dev/tty1.
Detailed Description
SELinux prevented dbus-daemon from using the terminal /dev/tty1. In most
cases daemons do not need to interact with the terminal, usually these avc
messages can be ignored. All of the confined daemons should have dontaudit
rules around using the terminal. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this selinux-
policy. If you would like to allow all daemons to interact with the
terminal, you can turn on the allow_daemons_use_tty boolean.
Allowing Access
Changing the "allow_daemons_use_tty" boolean to true will allow this
access:
"setsebool -P allow_daemons_use_tty=1."
The following command will allow this access:
setsebool -P allow_daemons_use_tty=1
Additional Information
Source Context unconfined_u:unconfined_r:unconfined_dbusd_t
:SystemLow-SystemHigh
Target Context unconfined_u:object_r:unconfined_tty_device_t
Target Objects /dev/tty1 [ chr_file ]
Affected RPM Packages
Policy RPM selinux-policy-3.2.5-2.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_daemons_use_tty
Host Name localhost
Platform Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count 7
First Seen Wed 19 Dec 2007 07:36:11 PM CST
Last Seen Fri 21 Dec 2007 01:29:01 PM CST
Local ID 66ca0ade-760e-4112-9557-5c46b66b1296
Line Numbers
Raw Audit Messages
avc: denied { read write } for comm=dbus-daemon dev=tmpfs path=/dev/tty1
pid=28235 scontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023
tclass=chr_file tcontext=unconfined_u:object_r:unconfined_tty_device_t:s0
and this one
Summary
SELinux is preventing access to files with the label, file_t.
Detailed Description
SELinux permission checks on files labeled file_t are being denied. file_t
is the context the SELinux kernel gives to files that do not have a label.
This indicates a serious labeling problem. No files on an SELinux box should
ever be labeled file_t. If you have just added a new disk drive to the
system you can relabel it using the restorecon command. Otherwise you
should relabel the entire files system.
Allowing Access
You can execute the following command as root to relabel your computer
system: "touch /.autorelabel; reboot"
Additional Information
Source Context system_u:system_r:tmpreaper_t
Target Context system_u:object_r:file_t
Target Objects /tmp/virtual-olivares.1dNZIJ [ dir ]
Affected RPM Packages
Policy RPM selinux-policy-3.2.5-2.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.file
Host Name localhost
Platform Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count 1
First Seen Fri 21 Dec 2007 10:36:45 AM CST
Last Seen Fri 21 Dec 2007 10:36:45 AM CST
Local ID 59f19014-265b-4a97-96ff-b86653d2fe1d
Line Numbers
Raw Audit Messages
avc: denied { getattr } for comm=tmpwatch dev=dm-0 path=/tmp/virtual-
olivares.1dNZIJ pid=14502 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir
tcontext=system_u:object_r:file_t:s0
Happy Holidays -> Merry Christmas and a Happy New Year!
Regards,
Antonio
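
Added example, not part of the mail above and not setroubleshoot's own code: a small parser that takes the three raw AVC messages quoted in the reports, extracts the source and target types, and sorts each denial into the same kind of bucket the three plugins reported (catchall_file, allow_daemons_use_tty, file). The function names and bucket labels are illustrative assumptions.

```python
import re

SAMPLE = [  # the three raw audit messages quoted in the mail, re-joined onto one line each
    "avc: denied { read } for comm=hald dev=dm-0 egid=0 euid=0 exe=/usr/sbin/hald exit=-13 "
    "fsgid=0 fsuid=0 gid=0 items=0 name=PolicyKit.reload pid=30320 "
    "scontext=unconfined_u:system_r:hald_t:s0 sgid=0 subj=unconfined_u:system_r:hald_t:s0 "
    "suid=0 tclass=file tcontext=system_u:object_r:system_crond_var_lib_t:s0 tty=(none) uid=0",
    "avc: denied { read write } for comm=dbus-daemon dev=tmpfs path=/dev/tty1 pid=28235 "
    "scontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 "
    "tclass=chr_file tcontext=unconfined_u:object_r:unconfined_tty_device_t:s0",
    "avc: denied { getattr } for comm=tmpwatch dev=dm-0 path=/tmp/virtual-olivares.1dNZIJ "
    "pid=14502 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir "
    "tcontext=system_u:object_r:file_t:s0",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return perms, key=value fields and types (3rd field of user:role:type[:range])."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    rec["perms"] = m.group(1).split()
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(rec):
    """Bucket a denial like the three plugins in the mail; labels are this example's own."""
    if rec["ttype"] == "file_t":
        return "unlabeled-target"  # labeling fault: relabel, never allow
    if rec["tclass"] == "chr_file" and rec["ttype"].endswith("tty_device_t"):
        return "daemon-tty"        # usually noise; dontaudit candidate
    return "catchall"              # check the label, then report against policy

def te_rule(rec):
    """Render the denied access as a TE rule for a reviewer to weigh, not to load blindly."""
    perms = " ".join(rec["perms"])
    perms = "{ %s }" % perms if len(rec["perms"]) > 1 else perms
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], perms)

def summarize(lines):
    """(comm, bucket, rule) per denial; no rule is proposed for unlabeled targets."""
    recs = [(r, triage(r)) for r in map(parse_avc, lines) if r]
    return [(r["comm"], b, None if b == "unlabeled-target" else te_rule(r)) for r, b in recs]

if __name__ == "__main__":
    print("\n".join("%-12s %-17s %s" % row for row in summarize(SAMPLE)))
```

Only the hald denial lands in the catchall bucket, which is the one the report asks to be filed as a bug; the file_t denial gets no rule because the report's fix for it is a relabel.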