F17-Selinux troubles after upgrading

Daniel J Walsh dwalsh at redhat.com
Thu May 3 13:03:52 UTC 2012



On 05/02/2012 05:08 PM, antonio montagnani wrote:
> On 02/05/2012 22:54, Daniel J Walsh wrote: On 05/02/2012 04:35 PM,
> antonio montagnani wrote:
>>>> On 02/05/2012 22:24, Daniel J Walsh wrote: On 05/02/2012 04:22
>>>> PM, Adam Williamson wrote:
>>>>>>> On Sat, 2012-04-28 at 20:30 +0100, Frank Murphy wrote:
>>>>>>>> On 28/04/12 20:26, antonio wrote:
>>>>>>>>> I upgraded from F-16 to F-17 Beta, then upgraded to find
>>>>>>>>> that I couldn't delete my own files!!! After disabling
>>>>>>>>> SELinux and enabling it again (i.e. relabeling) everything
>>>>>>>>> is o.k. Anybody experiencing it??
>>>>>>>> 
>>>>>>>> No, but it's good practice to do a relabel after an update.
>>>>>>>> As policies most likely have changed, even if subtly.
>>>>>>>> 
>>>>>>>> I'm surprised a full relabel wasn't done automatically.
>>>>>>> 
>>>>>>> Antonio doesn't really provide much detail on how exactly he 
>>>>>>> upgraded. I think anaconda-based upgrades do a relabel
>>>>>>> automatically, but obviously upgrading via yum won't
>>>>>>> necessarily do so.
>>>> 
>>>> We have not done a full relabel on upgrade, since it could take
>>>> potentially a very long time.  We could just drop the /.autorelabel
>>>> file in preupgrade which would trigger the relabel.  I have not heard
>>>> of other people having SELinux labeling issues on upgrade, I wish we
>>>> had the audit.log to see what the problem was.
>>>> 
>>>> Dan,
>>>> 
>>>> where do I find the audit.log file???
>>>> 
>>>> Tnx
>>>> 
> 
> /var/log/audit/audit.log
> 
> ausearch -m avc
> 
> Will extract the parts I care about
> 
>> ausearch -m avc
>> ----
>> time->Sat Apr 14 18:01:38 2012
>> type=SYSCALL msg=audit(1334419298.900:159): arch=40000003 syscall=11 success=yes exit=0 a0=8aee390 a1=8aee400 a2=8aed980 a3=8aed980 items=0 ppid=20996 pid=20997 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=pts0 ses=2 comm="newaliases" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
>> type=AVC msg=audit(1334419298.900:159): avc:  denied  { read } for  pid=20997 comm="newaliases" path="/home/antonio" dev=dm-2 ino=1048577 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>> type=AVC msg=audit(1334419298.900:159): avc:  denied  { read } for  pid=20997 comm="newaliases" path="/home/antonio" dev=dm-2 ino=1048577 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>> ----
>> time->Thu Apr 19 18:35:45 2012
>> type=SYSCALL msg=audit(1334853345.590:66): arch=40000003 syscall=5 success=no exit=-13 a0=81159d0 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1845 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
>> type=AVC msg=audit(1334853345.590:66): avc:  denied  { read } for  pid=1845 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
>> ----
>> time->Thu Apr 19 18:39:05 2012
>> type=AVC msg=audit(1334853545.115:41): avc:  denied  { read } for  pid=892 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
>> ----
>> time->Thu Apr 19 21:40:30 2012
>> type=AVC msg=audit(1334864430.369:41): avc:  denied  { read } for  pid=902 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
>> ----
>> time->Fri Apr 20 07:02:19 2012
>> type=AVC msg=audit(1334898139.025:41): avc:  denied  { read } for  pid=921 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
>> ----
>> time->Fri Apr 20 18:11:40 2012
>> type=AVC msg=audit(1334938300.294:43): avc:  denied  { read } for  pid=886 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
>> ----
>> time->Fri Apr 20 22:49:42 2012
>> type=AVC msg=audit(1334954982.484:40): avc:  denied  { read } for  pid=928 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
>> ----
>> time->Sat Apr 21 07:31:25 2012
>> type=AVC msg=audit(1334986285.449:40): avc:  denied  { read } for  pid=880 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
>> ----
>> time->Sat Apr 21 10:25:11 2012
>> type=AVC msg=audit(1334996711.727:44): avc:  denied  { read } for  pid=914 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
>> ----
>> time->Sat Apr 21 12:26:50 2012
>> type=AVC msg=audit(1335004010.139:41): avc:  denied  { read } for  pid=883 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
>> ----
>> time->Sun Apr 22 07:07:06 2012
>> type=AVC msg=audit(1335071226.584:41): avc:  denied  { read } for  pid=892 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
>> ----
>> time->Sun Apr 22 08:00:32 2012
>> type=AVC msg=audit(1335074432.589:40): avc:  denied  { read } for  pid=903 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
>> ----
>> time->Sat Apr 28 19:02:02 2012
>> type=AVC msg=audit(1335632522.668:9): avc:  denied  { read } for  pid=619 comm="dmesg" name="ld.so.cache" dev="dm-1" ino=525985 scontext=system_u:system_r:dmesg_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
>> [root at exmarco ~]#
> 

The NetworkManager problem and the dmesg problem should be fixed by updating
to the latest Fedora policy.  restorecon -R /etc/ld.so.cache might also help.

newaliases trying to list your home directory seems pretty weird.  I guess if
you run that command in a directory it tries to list the current directory.
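As an added example (not code from this thread, nor from Fedora or the SELinux project), the following Python script reads the kind of `ausearch -m avc` output quoted above, collapses the repeated NetworkManager denials into one line per (source type, target type, class, permission), lists the distinct denied objects by device and inode, and builds `restorecon -nv` dry-run commands (`-n` changes nothing, `-v` reports what would change) for targets whose full path is in the record, which is the check a reader would want before running the `restorecon` Dan suggests. The record layout it assumes (records separated by `----`, a `time->` line, then `type=...` lines of `key=value` fields) is taken from the quoted output; the sample text embedded in the script is constructed from those records.

```python
"""Triage helper for `ausearch -m avc` output.

Added example for this thread (not Fedora or SELinux project code). It assumes
the record layout visible in the quoted output: records separated by '----',
a 'time->' line, then one or more 'type=...' lines made of key=value fields.
"""
import re
from collections import Counter

# Constructed sample, modelled on the records quoted in the thread (three
# distinct denials; the NetworkManager one is repeated, as in the original).
SAMPLE = """\
----
time->Sat Apr 14 18:01:38 2012
type=SYSCALL msg=audit(1334419298.900:159): arch=40000003 syscall=11 success=yes exit=0 ppid=20996 pid=20997 auid=1000 uid=0 comm="newaliases" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334419298.900:159): avc:  denied  { read } for  pid=20997 comm="newaliases" path="/home/antonio" dev=dm-2 ino=1048577 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
----
time->Thu Apr 19 18:35:45 2012
type=AVC msg=audit(1334853345.590:66): avc:  denied  { read } for  pid=1845 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
----
time->Thu Apr 19 18:39:05 2012
type=AVC msg=audit(1334853545.115:41): avc:  denied  { read } for  pid=892 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
----
time->Sat Apr 28 19:02:02 2012
type=AVC msg=audit(1335632522.668:9): avc:  denied  { read } for  pid=619 comm="dmesg" name="ld.so.cache" dev="dm-1" ino=525985 scontext=system_u:system_r:dmesg_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""

# One AVC line: timestamp:serial, denied/granted, the permission set, then fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)'
)
# key=value where value is "quoted", (parenthesised) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_avc_records(text):
    """Return one dict per type=AVC line; SYSCALL and time-> lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        rec['ts'] = float(m.group('ts'))
        rec['serial'] = int(m.group('serial'))
        rec['result'] = m.group('result')
        rec['perms'] = m.group('perms').split()
        records.append(rec)
    return records


def context_type(ctx):
    """user:role:type[:range] -> type, the field policy rules are written against."""
    return ctx.split(':')[2]


def summarize(records):
    """Collapse repeats into (source type, target type, class, permission) -> count."""
    counts = Counter()
    for rec in records:
        if rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            counts[(context_type(rec['scontext']), context_type(rec['tcontext']),
                    rec['tclass'], perm)] += 1
    return counts


def denied_targets(records):
    """Distinct denied objects: (dev, inode) -> (path or name, current label)."""
    out = {}
    for rec in records:
        if rec['result'] == 'denied' and 'ino' in rec:
            out[(rec.get('dev'), int(rec['ino']))] = (
                rec.get('path') or rec.get('name'), rec['tcontext'])
    return out


def relabel_dry_runs(records):
    """Dry-run restorecon commands (-n: change nothing, -v: report) for targets
    whose full path is in the record; name-only targets must be located first."""
    cmds = []
    for (dev, ino), (obj, _label) in sorted(denied_targets(records).items()):
        if obj and obj.startswith('/'):
            cmds.append('restorecon -nv %s' % obj)
        else:
            cmds.append('# locate %s on %s (inode %d) before relabeling' % (obj, dev, ino))
    return cmds


if __name__ == '__main__':
    recs = parse_avc_records(SAMPLE)
    for key, n in sorted(summarize(recs).items()):
        print('%3d  %s -> %s  %s:%s' % (n, *key))
    print('\n'.join(relabel_dry_runs(recs)))
```

Pointing the script at the real file (`ausearch -m avc -if /var/log/audit/audit.log`, piped in) gives the same summary for a live system; the summary keys are the same source type, target type, class and permission that policy rules are written in, so a line that survives a policy update and a relabel is what you would report upstream rather than fix with a local module.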