do I need SELinux?
Daniel J Walsh
dwalsh at redhat.com
Mon Nov 15 15:16:15 UTC 2004
Steven Stern wrote:
>On Fri, 12 Nov 2004 11:07:00 -0500, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>
>
>>Steven Stern wrote:
>>
>>
>>
>
>
>
>>>Edit /etc/selinux/config and change the type of policy to
>>>SELINUXTYPE=policyname.
>>>
>>>What should "policyname" be?
>>>
>>>
>>>
>>>
>>targeted
>>
>>You can try to convert to an SELinux environment by doing the following.
>>
>>
>>>yum install selinux-policy-targeted
>>>touch /.autorelabel
>>>reboot
>>>
>>>
>
>I tried it. On startup, NFSD failed, my milters failed, and nothing was
>logging to /var/log/messages.
>
>I changed to permissive and extracted all "avc:" messages from the log. The
>log is attached as avc.txt. For now, I've changed the config to disabled. It
>looks like SELINUX was either incompletely installed or not completely
>configured. I suppose that enabling it only on fresh installs is a very good
>idea!
>
>
>------------------------------------------------------------------------
>
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.950:0): avc: denied { read } for pid=2337 exe=/sbin/syslogd name=ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.950:0): avc: denied { getattr } for pid=2337 exe=/sbin/syslogd path=/etc/ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.972:0): avc: denied { append } for pid=2338 exe=/sbin/syslogd name=messages dev=hda2 ino=589040 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.972:0): avc: denied { ioctl } for pid=2338 exe=/sbin/syslogd path=/var/log/messages dev=hda2 ino=589040 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.988:0): avc: denied { write } for pid=2338 exe=/sbin/syslogd dev=tmpfs ino=866 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.988:0): avc: denied { remove_name } for pid=2338 exe=/sbin/syslogd name=log dev=tmpfs ino=7502 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.988:0): avc: denied { unlink } for pid=2338 exe=/sbin/syslogd name=log dev=tmpfs ino=7502 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.989:0): avc: denied { add_name } for pid=2338 exe=/sbin/syslogd name=log scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.989:0): avc: denied { create } for pid=2338 exe=/sbin/syslogd name=log scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.989:0): avc: denied { setattr } for pid=2338 exe=/sbin/syslogd name=log dev=tmpfs ino=7518 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
>Nov 14 11:46:15 ciscy kernel: audit(1100454373.620:0): avc: denied { search } for pid=2367 exe=/sbin/portmap dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
>Nov 14 11:46:15 ciscy kernel: audit(1100454373.620:0): avc: denied { read } for pid=2367 exe=/sbin/portmap name=ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454373.620:0): avc: denied { getattr } for pid=2367 exe=/sbin/portmap path=/etc/ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454373.653:0): avc: denied { search } for pid=2368 exe=/sbin/portmap dev=tmpfs ino=866 scontext=user_u:system_r:portmap_t tcontext=user_u:object_r:tmpfs_t tclass=dir
>Nov 14 11:46:26 ciscy kernel: audit(1100454386.173:0): avc: denied { search } for pid=2619 exe=/usr/sbin/ntpdate dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>Nov 14 11:46:26 ciscy kernel: audit(1100454386.174:0): avc: denied { read } for pid=2619 exe=/usr/sbin/ntpdate name=ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:26 ciscy kernel: audit(1100454386.174:0): avc: denied { getattr } for pid=2619 exe=/usr/sbin/ntpdate path=/etc/ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:26 ciscy kernel: audit(1100454386.198:0): avc: denied { search } for pid=2619 exe=/usr/sbin/ntpdate dev=tmpfs ino=866 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
>Nov 14 11:46:26 ciscy kernel: audit(1100454386.198:0): avc: denied { write } for pid=2619 exe=/usr/sbin/ntpdate name=log dev=tmpfs ino=7518 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
>Nov 14 11:46:27 ciscy kernel: audit(1100454387.426:0): avc: denied { read } for pid=2622 exe=/usr/sbin/ntpd name=libcrypto.so.4 dev=hda2 ino=588932 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=lnk_file
>Nov 14 11:49:01 ciscy dbus: avc: 1 AV entries and 1/512 buckets used, longest chain length 1
>
>
It does not look like the relabel was successful.
Try booting as single user, run fixfiles relabel and reboot.
Dan
More information about the users
mailing list