ldconfig denials on F7

Daniel J Walsh dwalsh at redhat.com
Fri Aug 17 11:05:15 UTC 2007


Jason L Tibbitts III wrote:
> I'm seeing a ton of the following denials when installing packages:
>
> audit(1187332559.271:77): avc:  denied  { use } for  pid=3692 comm="ldconfig" name="console" dev=tmpfs ino=1143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
>
> My specific situation may be odd.  I kickstart a small system from a
> fully updated repo.  Then when that system boots, /etc/rc.local calls
> a script which calls yum to install the rest of the system.  Is it
> possible that this arrangement misses some essential domain
> transition?
>
> The selinux packages installed are:
> selinux-policy-2.6.4-33.fc7.noarch
> selinux-policy-targeted-2.6.4-33.fc7.noarch
>
>  - J<
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
This is probably not a problem. ldconfig gets passed an open file 
descriptor to the console device, which the kernel promptly closes when 
selinux sees that it does not have access. As long as ldconfig works, it 
can be dontaudited.

Many domains currently use this interface.

init_dontaudit_use_fds
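As an added illustration (not part of the thread, and not the policy's own code), here is a small POSIX shell helper that parses the AVC record Jason quoted into the `dontaudit` rule it corresponds to, and emits a local policy module that calls the interface Dan names, `init_dontaudit_use_fds`. The function names and the module name `local_ldconfig` are my own; the audit line is the one from the mail. A `dontaudit` rule only silences the log entry; it grants nothing, so the kernel still closes the inherited descriptor exactly as Dan describes.

```shell
#!/bin/sh
# Constructed example: map an SELinux AVC denial to a dontaudit rule and a
# reference-policy style local module. The AVC line is the one from the mail.

AVC='audit(1187332559.271:77): avc:  denied  { use } for  pid=3692 comm="ldconfig" name="console" dev=tmpfs ino=1143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd'

# avc_field LINE NAME: print the value of the "NAME=value" field of an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: print the type component (user:role:TYPE:range) of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE: print the permission list between "{" and "}" (e.g. "use").
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# avc_to_dontaudit LINE: print the raw rule "dontaudit SRC TGT:CLASS PERM;".
avc_to_dontaudit() {
    line=$1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    printf 'dontaudit %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm"
}

# avc_to_module LINE [NAME]: print a .te module. When the denial is the
# init fd case from the mail, use the init_dontaudit_use_fds interface;
# otherwise fall back to the raw dontaudit rule with the needed require block.
avc_to_module() {
    line=$1
    name=${2:-local_ldconfig}          # hypothetical module name
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    printf 'policy_module(%s, 1.0)\n\n' "$name"
    if [ "$tgt" = init_t ] && [ "$cls" = fd ]; then
        printf 'require {\n\ttype %s;\n}\n\n' "$src"
        printf 'init_dontaudit_use_fds(%s)\n' "$src"
    else
        printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
            "$src" "$tgt" "$cls" "$perm"
        avc_to_dontaudit "$line"
    fi
}

# Stand-alone run: show the rule and the module for the quoted denial.
avc_to_dontaudit "$AVC"
avc_to_module "$AVC" local_ldconfig
```

The emitted `.te` uses reference-policy macros, so it is built with the policy development Makefile (`make -f /usr/share/selinux/devel/Makefile local_ldconfig.pp`) rather than a bare `checkmodule`, and loaded with `semodule -i local_ldconfig.pp`. For one-off cases `audit2allow -D -R` produces the same kind of dontaudit output directly from the audit log; the helper above just makes the mapping from the record's fields to the rule explicit.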
