How to fix avc denied errors

Daniel J Walsh dwalsh at redhat.com
Tue Oct 2 12:10:13 UTC 2007


Ian Leonard wrote:
> Hi,
> 
> I am new to SELinux so I may have got this wrong but....
> 
> 
> I am using a custom FC6 distribution that I built and installed using
> Kickstart. After installation I have two errors in the log file:
> 
> 
> audit(1191322730.172:5): avc:  denied  { mounton } for  pid=1606
> comm="mount" name="log" dev=hda1 ino=1035266
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=dir

You can allow this by setting the boolean.

setsebool -P allow_mounton_anydir 1

> 
> Oct  2 11:59: kernel: audit(1191322771.771:34): avc:  denied  { getattr
> } for  pid=1424 comm="rhgb" name=".X0-lock" dev=hda1 ino=485340
> scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:tmp_t:s0
> tclass=file
> 
> 
> 
> To take the second one, it seems that the .X0-lock needs to be allowed
> to run from the rhgb_t context. To fix this I have edited,
> /etc/selinux/targeted/src/contexts/files/file_contexts (I am running in
> targeted mode). I added the rhgb_t context to the /tmp.*.
> 
This is the wrong thing to do.  You can add custom rules to policy by
executing

# grep rhgb_t /var/log/audit/audit.log | audit2allow -M myrhgb
# semodule -i myrhgb.pp

> Now it seems I have to run 'make load'. However there is no sign of a
> makefile anywhere (and this is true of my standard FC6 distro).
> 
> Where am I going wrong? TIA.
> 
What version of policy are you running?





More information about the fedora-selinux-list mailing list