fc5: several troubles at my first attempt

Daniel J Walsh dwalsh at redhat.com
Thu Mar 16 14:43:14 UTC 2006 

Stephen Smalley wrote:
> On Wed, 2006-03-15 at 12:26 -0500, Stephen Smalley wrote:
>   
>> On Wed, 2006-03-15 at 19:08 +0200, Maxim Britov wrote:
>>     
>>> I have installed current fc5 by http about week or two ago. It updated from rawhide.
>>> It currently installed on hda2 and it ran from qemu.
>>>
>>> I see many avc denied messages in dmesg (repeated 210 times with different pids):
>>> audit(1142439027.188:2): avc:  denied  { search } for  pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>> hda2 here is /
>>>       
>> Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t.
>> Need to relabel?
>>
>>     
>>> It can't mount /var/spool/squid at boot time. dmesg is:
>>> audit(1142439059.662:212): avc:  denied  { mounton } for  pid=820 comm="mount" name="squid" dev=hda7 ino=261122 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
>>>       
>> Might not be included in the current policy.
>>
>>     
>>> hda7 here is /var
>>> After booting I can mount it with: # mount /var/spool/squid (/etc/fstab uses default options):
>>> "kjournald starting.  Commit interval 5 seconds
>>>  EXT3 FS on hda5, internal journal
>>>  EXT3-fs: mounted filesystem with ordered data mode.
>>>  SELinux: initialized (dev hda5, type ext3), uses xattr"
>>>
>>> I can't switch to strict mode.
>>> I did it by editing /etc/selinux/config and touch /.autorelabel
>>>       
>> Strict policy (i.e. SELINUXTYPE=strict) or enforcing mode (i.e.
>> SELINUX=enforcing)?  You want SELINUXTYPE=targeted, SELINUX=enforcing.
>> Boot with enforcing=0 if you need to temporarily boot permissive to
>> recover.  Boot with enforcing=0 autorelabel to force a relabel.
>>     
>
> I believe that the (highly modular) strict policy is known to be broken
> in fc5/rawhide because of the file contexts ordering issue, which
> requires further changes to libsemanage.  Right, Dan?  So only -targeted
> or -mls are in a working state.  Possibly that -strict policy shouldn't
> be included in fc5 since it is known to be broken?
>
>   
Yes. strict is broken, until we can update the tool chain.  Which can 
begin shortly after we ship FC5.

More information about the selinux mailing list