fc5: several troubles at my first attempt
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 16 14:43:14 UTC 2006
Stephen Smalley wrote:
> On Wed, 2006-03-15 at 12:26 -0500, Stephen Smalley wrote:
>
>> On Wed, 2006-03-15 at 19:08 +0200, Maxim Britov wrote:
>>
>>> I have installed current fc5 by http about week or two ago. It updated from rawhide.
>>> It currently installed on hda2 and it ran from qemu.
>>>
>>> I see many avc denied messages in dmesg (repeated 210 times with different pids):
>>> audit(1142439027.188:2): avc: denied { search } for pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>> hda2 here is /
>>>
>> Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t.
>> Need to relabel?
>>
>>
>>> It can't mount /var/spool/squid at boot time. dmesg is:
>>> audit(1142439059.662:212): avc: denied { mounton } for pid=820 comm="mount" name="squid" dev=hda7 ino=261122 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
>>>
>> Might not be included in the current policy.
>>
>>
>>> hda7 here is /var
>>> After booting I can mount it with: # mount /var/spool/squid (/etc/fstab uses default options):
>>> "kjournald starting. Commit interval 5 seconds
>>> EXT3 FS on hda5, internal journal
>>> EXT3-fs: mounted filesystem with ordered data mode.
>>> SELinux: initialized (dev hda5, type ext3), uses xattr"
>>>
>>> I can't switch to strict mode.
>>> I did it by editing /etc/selinux/config and touch /.autorelabel
>>>
>> Strict policy (i.e. SELINUXTYPE=strict) or enforcing mode (i.e.
>> SELINUX=enforcing)? You want SELINUXTYPE=targeted, SELINUX=enforcing.
>> Boot with enforcing=0 if you need to temporarily boot permissive to
>> recover. Boot with enforcing=0 autorelabel to force a relabel.
>>
>
> I believe that the (highly modular) strict policy is known to be broken
> in fc5/rawhide because of the file contexts ordering issue, which
> requires further changes to libsemanage. Right, Dan? So only -targeted
> or -mls are in a working state. Possibly that -strict policy shouldn't
> be included in fc5 since it is known to be broken?
>
>
Yes. strict is broken, until we can update the tool chain. Which can
begin shortly after we ship FC5.
More information about the selinux
mailing list