FC5 LDAP issues

Daniel J Walsh dwalsh at redhat.com
Thu Mar 30 22:18:43 UTC 2006


Jason L Tibbitts III wrote:
>>>>>> "DJW" == Daniel J Walsh <Daniel> writes:
>
>
> DJW> Looks like you have a labeling problem.
>
> The system relabeled itself as part of the boot.  But I've forced
> another relabel and there are eight fewer messages:
>
> audit(1143750802.325:2): avc:  denied  { search } for  pid=636 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
> audit(1143751052.509:3): avc:  denied  { search } for  pid=1723 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
> audit(1143751052.509:4): avc:  denied  { read } for  pid=1723 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143751052.517:5): avc:  denied  { getattr } for  pid=1723 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143751052.521:6): avc:  denied  { read } for  pid=1723 comm="dbus-daemon" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
> audit(1143751053.465:7): avc:  denied  { mounton } for  pid=1777 comm="mount" name="mail" dev=dm-4 ino=589827 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
> audit(1143751055.021:8): avc:  denied  { read } for  pid=1954 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143751055.021:9): avc:  denied  { getattr } for  pid=1954 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143751055.025:10): avc:  denied  { read } for  pid=1954 comm="automount" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
> audit(1143751064.226:11): avc:  denied  { getattr } for  pid=2244 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
> audit(1143751064.230:12): avc:  denied  { search } for  pid=2244 comm="hald" name="spool" dev=dm-4 ino=589825 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
> audit(1143751066.602:13): avc:  denied  { write } for  pid=2341 comm="mount" name="socket" dev=dm-4 ino=917527 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
> audit(1143751066.602:14): avc:  denied  { connectto } for  pid=2341 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
> audit(1143751066.606:15): avc:  denied  { use } for  pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=fd
> audit(1143751066.606:16): avc:  denied  { read } for  pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
> audit(1143751066.606:17): avc:  denied  { getattr } for  pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
>
> I had been running with selinux disabled for some time, but when I
> enabled it earlier today the system relabeled itself and then it did
> so again when I switched to permissive.  Does the boot-time relabel
> log the changes it makes?  I'd like to see why the third relabel
> changed things.
>
> In any case, there are still the cert failures which will keep the
> machine from booting.
>
>  - J<
>
You can use
audit2allow -l -M local -i /var/log/messages

to generate a loadable module, and work around this problem.  The
question I have is why do dbus and automount want to read the
certificate files?

Dan
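An added example, not from this thread, that parses AVC lines like the ones quoted above and groups them by source domain, target type and object class, so the question of which domains touch cert_t and which denials are really labeling problems (targets typed file_t or default_t) stand out before reaching for audit2allow. The sample log is built from lines quoted in this message.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC lines quoted in this thread.
SAMPLE_LOG = """\
audit(1143750802.325:2): avc:  denied  { search } for  pid=636 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143751052.509:4): avc:  denied  { read } for  pid=1723 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751055.021:8): avc:  denied  { read } for  pid=1954 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751064.226:11): avc:  denied  { getattr } for  pid=2244 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
audit(1143751066.602:14): avc:  denied  { connectto } for  pid=2341 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types meaning "the object has no proper label" rather than a policy
# gap: file_t (never labeled), default_t (no file_contexts match), unlabeled_t.
UNLABELED_TYPES = {"file_t", "default_t", "unlabeled_t"}

def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    d["perms"] = m.group("perms").split()
    # A context is user:role:type[:range]; the third component is the type.
    d["sdomain"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d

def triage(log):
    """Group permissions by (source domain, target type, class); flag labeling hits."""
    groups, labeling = defaultdict(set), []
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        groups[(d["sdomain"], d["ttype"], d["tclass"])].update(d["perms"])
        if d["ttype"] in UNLABELED_TYPES:   # fix with restorecon, not a policy module
            labeling.append((d["comm"], d["name"], d["ttype"]))
    return dict(groups), labeling

def domains_touching(groups, ttype):
    """Source domains that were denied access to objects of the given type."""
    return sorted({s for (s, t, _) in groups if t == ttype})
```

Denials whose target is file_t or default_t point at mislabeled files and are fixed by relabeling; only the remaining groups are candidates for a local policy module.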