Odd messages during bootup from gdm

Gene Heskett gene.heskett at verizon.net
Fri May 5 03:44:46 UTC 2006


Tony Nelson wrote:
> At 9:27 PM -0500 5/4/06, Gene Heskett wrote:
>   
>> Gene Heskett wrote:
>>     
>>> Gene Heskett wrote:
>>>       
>>>> Paul Howarth wrote:
>>>>         
>>>>> I'd suggest relabelling the system before trying anything else. This
>>>>> will take a long time so schedule it at an appropriate time.
>>>>>
>>>>> Set SELinux to permissive mode, reboot, and in the grub menu add
>>>>> "autorelabel" to the end of the "kernel" line.
>>>>>
>>>>> After rebooting you can change SELinux back to enforcing mode if
>>>>> that's the setting you had before.
>>>>>
>>>>> That will probably fix most of the AVC issues you're seeing.
>>>>>
>>>>> Paul.
>>>>>
>>>>>           
>>>> Ok, that's next, I can answer the rest of this mail after that's done.
>>>> Thanks :)
>>>>
>>>>         
>>> Unforch, the append on the kernel line of grub.conf did nothing.  So I
>>> read the manpage again, and "touch /.autorelabel" is the magic spell.
>>> Back in a bit...
>>>
>>>       
>> Except that 4 reboots later I have not succeeded in getting the relabel
>> to work.  I've tried SELINUX=disabled and SELINUX=permissive in
>> /etc/selinux/config while leaving the SELINUXTYPE=targeted setting.
>>
>> So what actually is the magic incantation that will make this work?
>>     
>
> touch /.autorelabel
> reboot
> edit grub command line, appending "enforcing=0"
> continue booting
> wait
>
> SELinux must be active but not enforcing for it to relabel.
>   
Ah, that might explain some of it, I thought it had to be disabled.

I've now done an init 1, and invoked that command, which did take a 
while, 10 minutes or so.
Then I re-enabled selinux and rebooted.   Got huge amount of those 
warnings, 2-3 times more than before.  And I spotted this near the end 
of the dmesg:
May  4 02:49:09 diablo kernel: md: Autodetecting RAID arrays.
May  4 02:49:09 diablo kernel: md: autorun ...
May  4 02:49:10 diablo kernel: md: ... autorun DONE.

audit(1146799877.012:325): avc:  denied  { read } for  pid=2528 comm="restorecon" name="config" dev=hda5 ino=12898524 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file

So I tried, in runlevel 3, restorecon -n /, and got this:
audit(1146799877.012:325): avc:  denied  { read } for  pid=2528 comm="restorecon" name="config" dev=hda5 ino=12898524 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file

So what's wrong, and how did I arrive at this condition?

> ____________________________________________________________________
> TonyN.:'                       <mailto:tonynelson at georgeanelson.com>
>       '                              <http://www.georgeanelson.com/>
>
>   


-- 
Cheers, Gene
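
An added example, not part of the original message or the list archive: a small Python parser for AVC records like the one quoted above, which flags denials whose target type is file_t (the type given to files that carry no SELinux label), a sign that the relabel did not reach that file. The second sample line and all function names are constructed for illustration.

```python
import re

# First record: the AVC denial quoted in the message, mail line wrap rejoined.
# Second record: constructed contrast case with a properly labelled target.
SAMPLE_LOG = (
    'audit(1146799877.012:325): avc:  denied  { read } for  pid=2528 '
    'comm="restorecon" name="config" dev=hda5 ino=12898524 '
    'scontext=root:system_r:restorecon_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:file_t:s0 tclass=file\n'
    'audit(1146799878.100:326): avc:  denied  { write } for  pid=2600 '
    'comm="httpd" name="index.html" dev=hda5 ino=4242 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# file_t: the file has no label; unlabeled_t: its label is invalid under the
# loaded policy. Either one means the object still needs relabelling.
NEEDS_RELABEL = {'file_t', 'unlabeled_t'}


def parse_avc(line):
    """Return a dict of the fields in one AVC denial, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is the third field.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':')
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec


def unlabeled_targets(log_text):
    """List (dev, inode, name, comm) for denials against unlabelled objects."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['tcontext_type'] in NEEDS_RELABEL:
            hits.append((rec.get('dev'), rec.get('ino'),
                         rec.get('name'), rec.get('comm')))
    return hits


if __name__ == '__main__':
    for hit in unlabeled_targets(SAMPLE_LOG):
        print('unlabelled target: dev=%s ino=%s name=%s (denied to %s)' % hit)
```

The device and inode pair identifies the file on disk; on the filesystem named by dev, `find <mountpoint> -xdev -inum <ino>` maps it back to a path.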




