do I need SELinux?

Daniel J Walsh dwalsh at redhat.com
Mon Nov 15 15:16:15 UTC 2004


Steven Stern wrote:

>On Fri, 12 Nov 2004 11:07:00 -0500, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>>Steven Stern wrote:
>>
>>>Edit /etc/selinux/config and change the type of policy to
>>>SELINUXTYPE=policyname.
>>>
>>>What should "policyname" be?
>>>
>>targeted
>>
>>You can try to convert to an SELinux environment by doing the following.
>>
>>>yum install selinux-policy-targeted
>>>touch /.autorelabel
>>>reboot
>>
>
>I tried it. On startup, NFSD failed, my milters failed, and nothing was
>logging to /var/log/messages.
>
>I changed to permissive and extracted all "avc:" messages from the log.  The
>log is attached as avc.txt.  For now, I've changed the config to disabled.  It
>looks like SELINUX was either incompletely installed or not completely
>configured. I suppose that enabling it only on fresh installs is a very good
>idea!
>
>------------------------------------------------------------------------
>
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.950:0): avc:  denied  { read } for  pid=2337 exe=/sbin/syslogd name=ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.950:0): avc:  denied  { getattr } for  pid=2337 exe=/sbin/syslogd path=/etc/ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.972:0): avc:  denied  { append } for  pid=2338 exe=/sbin/syslogd name=messages dev=hda2 ino=589040 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.972:0): avc:  denied  { ioctl } for  pid=2338 exe=/sbin/syslogd path=/var/log/messages dev=hda2 ino=589040 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.988:0): avc:  denied  { write } for  pid=2338 exe=/sbin/syslogd dev=tmpfs ino=866 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.988:0): avc:  denied  { remove_name } for  pid=2338 exe=/sbin/syslogd name=log dev=tmpfs ino=7502 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.988:0): avc:  denied  { unlink } for  pid=2338 exe=/sbin/syslogd name=log dev=tmpfs ino=7502 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.989:0): avc:  denied  { add_name } for  pid=2338 exe=/sbin/syslogd name=log scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.989:0): avc:  denied  { create } for  pid=2338 exe=/sbin/syslogd name=log scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
>Nov 14 11:46:15 ciscy kernel: audit(1100454372.989:0): avc:  denied  { setattr } for  pid=2338 exe=/sbin/syslogd name=log dev=tmpfs ino=7518 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
>Nov 14 11:46:15 ciscy kernel: audit(1100454373.620:0): avc:  denied  { search } for  pid=2367 exe=/sbin/portmap dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
>Nov 14 11:46:15 ciscy kernel: audit(1100454373.620:0): avc:  denied  { read } for  pid=2367 exe=/sbin/portmap name=ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454373.620:0): avc:  denied  { getattr } for  pid=2367 exe=/sbin/portmap path=/etc/ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:15 ciscy kernel: audit(1100454373.653:0): avc:  denied  { search } for  pid=2368 exe=/sbin/portmap dev=tmpfs ino=866 scontext=user_u:system_r:portmap_t tcontext=user_u:object_r:tmpfs_t tclass=dir
>Nov 14 11:46:26 ciscy kernel: audit(1100454386.173:0): avc:  denied  { search } for  pid=2619 exe=/usr/sbin/ntpdate dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>Nov 14 11:46:26 ciscy kernel: audit(1100454386.174:0): avc:  denied  { read } for  pid=2619 exe=/usr/sbin/ntpdate name=ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:26 ciscy kernel: audit(1100454386.174:0): avc:  denied  { getattr } for  pid=2619 exe=/usr/sbin/ntpdate path=/etc/ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=file
>Nov 14 11:46:26 ciscy kernel: audit(1100454386.198:0): avc:  denied  { search } for  pid=2619 exe=/usr/sbin/ntpdate dev=tmpfs ino=866 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
>Nov 14 11:46:26 ciscy kernel: audit(1100454386.198:0): avc:  denied  { write } for  pid=2619 exe=/usr/sbin/ntpdate name=log dev=tmpfs ino=7518 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:tmpfs_t tclass=sock_file
>Nov 14 11:46:27 ciscy kernel: audit(1100454387.426:0): avc:  denied  { read } for  pid=2622 exe=/usr/sbin/ntpd name=libcrypto.so.4 dev=hda2 ino=588932 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=lnk_file
>Nov 14 11:49:01 ciscy dbus: avc:  1 AV entries and 1/512 buckets used, longest chain length 1 
>
It does not look like the relabel was successful.
Try booting as single user, run fixfiles relabel and reboot.


Dan
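To show how the diagnosis above can be read off the attached log: an added example, not code from the thread, that parses AVC denial lines and flags every target whose SELinux type is file_t, the type a file carries when the filesystem has never been labelled. The sample lines are copied from the attached avc.txt; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: three denials and one non-denial line, copied from the
# avc.txt attached to Steven's mail.
SAMPLE_LOG = """\
Nov 14 11:46:15 ciscy kernel: audit(1100454372.950:0): avc:  denied  { read } for  pid=2337 exe=/sbin/syslogd name=ld.so.cache dev=hda2 ino=228954 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
Nov 14 11:46:15 ciscy kernel: audit(1100454373.620:0): avc:  denied  { search } for  pid=2367 exe=/sbin/portmap dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
Nov 14 11:46:15 ciscy kernel: audit(1100454372.988:0): avc:  denied  { write } for  pid=2338 exe=/sbin/syslogd dev=tmpfs ino=866 scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
Nov 14 11:49:01 ciscy dbus: avc:  1 AV entries and 1/512 buckets used, longest chain length 1
"""

# "avc:  denied  { perm ... } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    return rec

def context_type(ctx):
    """Extract the type field from a user:role:type[:mls] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def summarize(log_text):
    """Count denials per source domain and flag unlabelled (file_t) targets."""
    denials = [r for r in map(parse_avc, log_text.splitlines()) if r]
    # file_t on the target means the inode has no label: the relabel never ran.
    unlabeled = [r for r in denials if context_type(r.get("tcontext", "")) == "file_t"]
    by_domain = Counter(context_type(r["scontext"]) for r in denials)
    return {
        "total": len(denials),
        "unlabeled": len(unlabeled),
        "domains": dict(by_domain),
        "needs_relabel": bool(unlabeled),   # if True: fixfiles relabel, then reboot
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A denial whose target is a properly typed object (tmpfs_t in the third line) is a policy question; a denial against file_t is a labelling question, and no policy change will fix it.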
