Can't boot FC4; avc denied error message

Tod Merley todbot88 at gmail.com
Thu Aug 3 21:13:33 UTC 2006


On 8/2/06, David Desscan <ddesscan at gmail.com> wrote:
>
>
>
> On 8/2/06, Tod Merley <todbot88 at gmail.com> wrote:
>
> >
> >
> >  Hi David!
> >
> > Learning with you, not an expert!
> >
> > I did find that AVC appears to be strongly associated, if not SElinux:
> >
> > http://www.die.net/doc/linux/man/man3/avc_cache_stats.3.html
> >
> > And is mentioned in at least one SElinux FAQ:
> >
> >  From: http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2826243
> >
> =========
> Many thanks for the web links.  In fact I am new to SElinux.  I started
> reading about it after this problem.  However I am determined to understand
> it.  I have another system running FC4 which serves as backup.  I'll use
> this one to understand the functioning of SElinux.
> =========
>
>
> >  Q:
> > My application isn't working as expected and I am seeing avc: denied
> > messages, how do I fix this?
> >
> > A:
> > This message means that the current SELinux policy is not allowing the
> > application to do something. There are a number of reasons this could
> > happen.
> >
> > First, one of the files the application is trying to access could be
> > mislabeled. If the AVC message refers to a specific file, inspect its
> > current label with ls -alZ /path/to/file. If it seems wrong, you could try
> > using restorecon -v /path/to/file. If you have a large number of denials
> > related to files, you may want to use fixfiles relabel, or run restorecon
> > with the -R option to recursively relabel a directory path.
> >
> ===============
> I have booted linux rescue and checked the mingetty attributes in /sbin.
> However I can't say whether it's wrong.  I have done a restorecon -v and
> noted that the label did not change.  I am getting an avc denied for hotplug
> as well.  I have checked on the other FC4 system; mingetty has no label and
> hotplug has the same label as the faulty system.
>
> rwxr-xr-x  root root system_u:object_r:hotplug_exec_t hotplug
> rwxr-xr-x  root root system_u:object_r:getty_exec_t mingetty (no label on
> working system)
>
> =====================
>
>
> >  Other times, denials may be due to a configuration change in the
> > program not being allowed by the policy. For example, if you change Apache
> > to also listen on port 8800, this will require a change in the security
> > policy, apache.te. See External Link List for more information about
> > writing policy.
> >
> > If you are having trouble getting a specific application like Apache to
> > work, see How to use system-config-securitylevel for how to disable
> > enforcement just for that application.
> >
> =================================
> I have not done major changes lately.  I am trying to install a tacacs+
> server on Linux.  Well I did not reboot my system for a while and when I
> did, I could access the console.  I have compiled tcp_wrappers, skey,
> openssh and tacacs+.  Since I could not find the tac_plus.conf file after
> installation, I decided to reboot.
> ==================
>
>
> >  AVC may have to do with other things I am still googling.
> >
> > If I were you I would be looking at my policy file and turning off
> > SElinux to see what is going on.
> >
> > I hope this helps!
> >
> > Good Hunting!
> >
> >
> > Tod
> >
>
>
> =======================
>
> Thanks Stephen for your suggestion and the others as well.  I am new to
> SElinux and all the information you provided is very useful.  Disabling it
> would just be like sweeping the problem under the carpet.
>
>
Hi David,

Do hope I indeed was helpful.

The end of Stephen Smalley's response I would spend some time on (might well
explain the hotplug thing).

You might also consider doing an update.

Good hunting!

Tod
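
Added example, not part of the original message or of the Fedora FAQ: a small parser that groups `avc: denied` lines by process, source type, target type and object class, so the FAQ's first check (is the target mislabeled?) can be aimed at the right objects. The sample log lines, including the `getty_t`, `hotplug_t`, `device_t` and `file_t` types and all pids and inode numbers, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel "avc: denied" format; not from the thread.
SAMPLE_LOG = """\
audit(1154639613.101:3): avc:  denied  { read write } for  pid=1802 comm="mingetty" name="tty1" dev=tmpfs ino=1357 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1154639613.245:4): avc:  denied  { ioctl } for  pid=1802 comm="mingetty" name="tty1" dev=tmpfs ino=1357 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1154639614.010:5): avc:  denied  { execute } for  pid=911 comm="hotplug" name="default.hotplug" dev=hda2 ino=4411 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=file
EXT3-fs: mounted filesystem with ordered data mode.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Object classes where a wrong label on disk is a plausible cause.
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}

def parse_avc(line):
    """Return the fields of one denial as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def se_type(context):
    """Type is the third field of user:role:type[:level]; '?' if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else "?"

def summarize(log_text):
    """Group denials by (comm, source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec.get("comm", "?"), se_type(rec.get("scontext", "")),
               se_type(rec.get("tcontext", "")), rec.get("tclass", "?"))
        groups[key]["perms"].update(rec["perms"])
        groups[key]["names"].add(rec.get("name", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (comm, src, tgt, cls), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{comm}: {src} -> {tgt} ({cls}) denied {sorted(g['perms'])}")
        if cls in FILE_CLASSES:  # the FAQ's first check: is the target mislabeled?
            print(f"  check label of {sorted(g['names'])} with ls -alZ, then restorecon -v")
```
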