Can't boot FC4;avc denied error message

David Desscan ddesscan at gmail.com
Fri Aug 4 21:18:45 UTC 2006


On 8/4/06, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Fri, 2006-08-04 at 16:29 +0200, David Desscan wrote:
> > On 8/4/06, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> > > On Fri, 2006-08-04 at 04:25 +0200, David Desscan wrote:
> >
> > > uname -r
> > > rpm -q selinux-policy-targeted
> > >
> > My kernel version is 2.6.17-1.2142_FC4
> > SELinux policy targeted version is 1.27.1-2.28
>
> Ok, nothing interesting there (same kernel and policy works fine here
> for me).
>
> /etc/rc.d/rc.sysinit runs restorecon -R /dev to fix up the dev labels
> created before initial policy load, then udev handles labeling of all
> subsequent nodes.  Can you verify that your rc.sysinit script contains
> the restorecon -R /dev command?  If you run that sequence by hand (but
> don't redirect stderr to /dev/null), does it work?
>
> --
> Stephen Smalley
> National Security Agency
>
I am getting another avc denied message when I add a user with
useradd/adduser command.

audit(1154719461.914:11): avc : denied {create} for pid=2394
comm="useradd" name=".bashrc" scontext=root:system_r:kernel_t
tcontext=user_u:object_r:user_home_t tclass=file

audit(1154719461.930:12): avc : denied {create} for pid=2394
comm="useradd" name="passwd+" scontext=root:system_r:kernel_t
tcontext=system_u:object_r:etc_t tclass=file

useradd : cannot rewrite password file.

I have checked /etc for .lock files.  Each time I delete them, they
are recreated after the useradd command and then I get the same error
message.

I did a fixfiles relabel and rebooted my system but still get the same
error message.  I have also noted that some files have not been
relabeled (avc denied relabel from;comm=setfiles).

When I log on as root I also noticed an avc denied message with login:

audit(1154723141.305.3): avc : denied {relabel} for pid=2044
comm="login" name="tty1"  dev=tmpfs ino=727
scontext=system_u:system_r:kernel_t
tcontext=root:object_r:tty_device_t tclass=chr_file

I rebooted my system with enforcing=0.  I logged in as root.  It did not
flag the error message I used to get when logging in as root (it logged
it, however).  I checked with sestatus that SELinux is in permissive mode.
I created a user with useradd.  It displayed the above avc denied
message (when adding new user) but created the user.  I added a password
and su to newuser.  I got an avc denied with su for relabel as with
login above and noted dev=tmpfs.

Something strange.  Subsequent adding of users does not flag the avc
denied for .bashrc and passwd.

I rebooted my system after that.  I get the usual avc denied login
relabel message and cannot create users.  useradd: cannot rewrite
password file.  SELinux mode=enforcing.

Thanks for your help.
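
Added example, not part of the original message: a small parser for the AVC denial records quoted above, which joins the line-wrapped records and groups them by the source domain (the type field of scontext) and command. The function names and the embedded sample (the three records copied from this message) are this example's own; for these records every denial comes from a process running as kernel_t.

```python
import re
from collections import Counter

# Sample input: the three records from the message above, wrapped as posted.
SAMPLE = """\
audit(1154719461.914:11): avc : denied {create} for pid=2394
comm="useradd" name=".bashrc" scontext=root:system_r:kernel_t
tcontext=user_u:object_r:user_home_t tclass=file

audit(1154719461.930:12): avc : denied {create} for pid=2394
comm="useradd" name="passwd+" scontext=root:system_r:kernel_t
tcontext=system_u:object_r:etc_t tclass=file

audit(1154723141.305.3): avc : denied {relabel} for pid=2044
comm="login" name="tty1"  dev=tmpfs ino=727
scontext=system_u:system_r:kernel_t
tcontext=root:object_r:tty_device_t tclass=chr_file
"""

HEAD = re.compile(r'audit\(([\d.:]+)\):\s*avc\s*:\s*denied\s*\{\s*([^}]*?)\s*\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC denial, joining records wrapped across lines."""
    records = []
    # Split just before each 'audit(' so a wrapped record stays in one chunk.
    for chunk in re.split(r'(?=audit\()', text):
        head = HEAD.search(chunk)
        if not head:
            continue  # prose or blank text between records
        rec = {"id": head.group(1), "perms": head.group(2).split()}
        for key, value in FIELD.findall(chunk[head.end():]):
            rec[key] = value.strip('"')
        # A security context is user:role:type[:level]; keep the type of each side.
        rec["stype"] = (rec.get("scontext", "") + "::").split(":")[2]
        rec["ttype"] = (rec.get("tcontext", "") + "::").split(":")[2]
        records.append(rec)
    return records

def by_source_domain(records):
    """Count denials per (source type, command)."""
    return Counter((r["stype"], r.get("comm", "?")) for r in records)

if __name__ == "__main__":
    for (stype, comm), n in sorted(by_source_domain(parse_avc(SAMPLE)).items()):
        print(f"{n} denial(s): comm={comm} running as {stype}")
```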