avc denied gone after reboot
Steve Brueckner
steve at atc-nycorp.com
Fri Jan 27 16:29:40 UTC 2006
I'm creating an SELinux-enabled Xen VM on FC4. I create the file system for
the VM by copying the filesystem from the underlying host. For the very
first boot of the VM, I have it /.autorelabel. However, when I then try to
install an rpm inside the VM I get an avc denied, even though I can install
the same rpm on the underlying host just fine. Even stranger, if I reboot
the VM once, I then have no problem installing the rpm inside of it.
So there are two oddities:
1 - why does the rpm install fine on the host but not in the VM that clones
the host's file system?
2 - why does the rpm install correctly after a reboot, but not after the
initial boot?
Aside from upgrading my policy, how can I track down the problem here?
Here are some details:
# rpm -ivh jre:
error: unpacking of archive failed on file /usr/java/jre1.5.0_01/CHANGES:
cpio: lsetfilecon failed - Permission denied
/var/log/audit/audit.log:
type=AVC msg=audit(1138316170.719:32): avc: denied { relabelto } for pid=1706 comm="rpm" name="CHANGES" dev=hda1 ino=16578 scontext=root:system_r:kernel_t tcontext=system_u:object_r:usr_t tclass=file
# rpm -qa | grep selinux:
libselinux-devel-1.23.10-2
libselinux-1.23.10-2
selinux-policy-targeted-sources-1.27.1-2.16
selinux-policy-targeted-1.27.1-2.16
I haven't altered the policy sources (yet).
Both host and VM are in enforcing mode.
Thanks,
- Steve
Stephen Brueckner, ATC-NY
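A small triage helper, added here as an example and not part of Steve's post or of any SELinux tool: it parses a type=AVC record from audit.log into its fields (source context, target context, object class, denied permission) so the same command's denials can be compared field by field between two systems, such as the host and the cloned guest above. SAMPLE_AVC is the denial from the post re-joined onto one line; the function names and the kernel_t check are this example's own (kernel_t is the context kernel threads and the early boot path run in, so a userspace process reporting it as its source domain is worth flagging, but that check is a heuristic, not a diagnosis of this particular VM).

```python
"""Parse and triage SELinux AVC records from /var/log/audit/audit.log.

Added example, not code from the original mailing-list post.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the denial quoted in the post, on one line as it
# appears in the real audit log (the mail client wrapped it).
SAMPLE_AVC = (
    'type=AVC msg=audit(1138316170.719:32): avc:  denied  { relabelto }  for '
    'pid=1706 comm="rpm" name="CHANGES" dev=hda1 ino=16578 '
    'scontext=root:system_r:kernel_t tcontext=system_u:object_r:usr_t tclass=file'
)

_HDR = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
_AVC = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')
_KV = re.compile(r'(?P<key>[A-Za-z_]+)=(?P<val>"[^"]*"|\S+)')


def split_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type[:level] into its parts."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not a security context: {ctx!r}')
    out = {'user': parts[0], 'role': parts[1], 'type': parts[2]}
    if len(parts) == 4:
        out['level'] = parts[3]
    return out


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of fields for a type=AVC line, or None for other record types."""
    if not line.startswith('type=AVC'):
        return None
    hdr = _HDR.search(line)
    avc = _AVC.search(line)
    if hdr is None or avc is None:
        return None
    rec: Dict[str, object] = {
        'timestamp': float(hdr.group('ts')),
        'serial': int(hdr.group('serial')),
        'result': avc.group('result'),
        'perms': avc.group('perms').split(),
    }
    # Everything after "{ perms } for" is key=value pairs.
    for m in _KV.finditer(line[avc.end():]):
        rec[m.group('key')] = m.group('val').strip('"')
    for side in ('scontext', 'tcontext'):
        if side in rec:
            rec[side + '_parts'] = split_context(str(rec[side]))
    return rec


def source_domain_is_kernel(rec: Dict[str, object]) -> bool:
    """Heuristic (an assumption of this example): a userspace command such as
    rpm should run in a policy domain, not in kernel_t, the context used by
    kernel threads and the boot path before init transitions out of it."""
    parts = rec.get('scontext_parts')
    return bool(parts) and parts['type'] == 'kernel_t'  # type: ignore[index]


def describe(rec: Dict[str, object]) -> str:
    """One-line human summary of a parsed AVC record."""
    src = rec['scontext_parts']['type']  # type: ignore[index]
    tgt = rec['tcontext_parts']['type']  # type: ignore[index]
    perms = ' '.join(rec['perms'])  # type: ignore[arg-type]
    line = (f"{rec.get('comm', '?')} (pid {rec.get('pid', '?')}) in {src} was "
            f"{rec['result']} {perms} on {rec.get('tclass', '?')} "
            f"{rec.get('name', '?')!r} labelled {tgt}")
    if source_domain_is_kernel(rec):
        line += '  [source domain is kernel_t: process never left the boot context?]'
    return line


def triage(lines: List[str]) -> Dict[str, int]:
    """Count denials by (source type, target type, class, permission) so the
    host's and the guest's logs for the same command can be diffed."""
    counts: Dict[str, int] = {}
    for ln in lines:
        rec = parse_avc(ln)
        if rec is None or rec['result'] != 'denied':
            continue
        key = ':'.join([
            rec['scontext_parts']['type'],  # type: ignore[index]
            rec['tcontext_parts']['type'],  # type: ignore[index]
            str(rec.get('tclass', '?')),
            ' '.join(rec['perms']),  # type: ignore[arg-type]
        ])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    print(describe(parse_avc(SAMPLE_AVC)))
    print(triage([SAMPLE_AVC]))
```

Run it against `grep '^type=AVC' /var/log/audit/audit.log` on both the host and the guest after the same `rpm -ivh`; if the guest's only difference is the source type (kernel_t instead of the domain the host shows for rpm), the relabel denial is a symptom of how the guest's boot process was started rather than of the file labels themselves.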