Odd messages during bootup from gdm
Gene Heskett
gene.heskett at verizon.net
Fri May 5 03:44:46 UTC 2006
Tony Nelson wrote:
> At 9:27 PM -0500 5/4/06, Gene Heskett wrote:
>
>> Gene Heskett wrote:
>>
>>> Gene Heskett wrote:
>>>
>>>> Paul Howarth wrote:
>>>>
>>>>> I'd suggest relabelling the system before trying anything else. This
>>>>> will take a long time so schedule it at an appropriate time.
>>>>>
>>>>> Set SELinux to permissive mode, reboot, and in the grub menu add
>>>>> "autorelabel" to the end of the "kernel" line.
>>>>>
>>>>> After rebooting you can change SELinux back to enforcing mode if
>>>>> that's the setting you had before.
>>>>>
>>>>> That will probably fix most of the AVC issues you're seeing.
>>>>>
>>>>> Paul.
>>>>>
>>>>>
>>>> Ok, that's next, I can answer the rest of this mail after that's done.
>>>> Thanks :)
>>>>
>>>>
>>> Unforch, the append on the kernel line of grub.conf did nothing, so I
>>> read the manpage again, and "touch /.autorelabel" is the magic spell.
>>> Back in a bit...
>>>
>>>
>> Except that 4 reboots later I have not succeeded in getting the relabel
>> to work. I've tried SELINUX=disabled and SELINUX=permissive in
>> /etc/selinux/config while leaving the SELINUXTYPE=targeted setting.
>>
>> So what actually is the magic incantation that will make this work?
>>
>
> touch /.autorelabel
> reboot
> edit grub command line, appending "enforcing=0"
> continue booting
> wait
>
> SELinux must be active but not enforcing for it to relabel.
>
Ah, that might explain some of it, I thought it had to be disabled.
I've now done an init 1, and invoked that command, which did take a
while, 10 minutes or so.
Then I re-enabled selinux and rebooted. Got a huge amount of those
warnings, 2-3 times more than before. And I spotted this near the end
of the dmesg:
May 4 02:49:09 diablo kernel: md: Autodetecting RAID arrays.
May 4 02:49:09 diablo kernel: md: autorun ...
May 4 02:49:10 diablo kernel: md: ... autorun DONE.
audit(1146799877.012:325): avc: denied { read } for pid=2528 comm="restorecon" name="config" dev=hda5 ino=12898524 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file
So I tried, in runlevel 3, restorecon -n /, and got this:
audit(1146799877.012:325): avc: denied { read } for pid=2528 comm="restorecon" name="config" dev=hda5 ino=12898524 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file
So what's wrong, and how did I arrive at this condition?
> ____________________________________________________________________
> TonyN.:' <mailto:tonynelson at georgeanelson.com>
> ' <http://www.georgeanelson.com/>
>
>
--
Cheers, Gene
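
An added example, not part of the original message or of any SELinux tool: a small Python parser for AVC records like the one quoted above. It rejoins a record that a mail client wrapped mid-token and reports denials whose target type is file_t, the type given to files that carry no SELinux label, which is the condition a relabel is meant to clear. The function names and the sample text are constructed for illustration, and the wrap-repair rule is a heuristic that assumes tclass= is the last field of a record.

```python
import re

# Constructed sample: the record from the message, wrapped as the mail client
# left it (one token split across two lines), with ordinary lines around it.
SAMPLE = """\
May 4 02:49:10 diablo kernel: md: ... autorun DONE.
audit(1146799877.012:325): avc: denied { read } for pid=2528
comm="restorecon" name="config" dev=hda5 ino=12898524
scontext=root:system_r:re
storecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file
So I tried, in runlevel 3, restorecon -n /, and got this:
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def rejoin_records(text):
    """Yield each AVC record as a single line (assumes tclass= is last)."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("audit("):
            current = line
        elif current is not None:
            # A value cut in half continues without a space; a new key=value
            # field (or a plain word) is a separate token.
            cut = "=" in current.split()[-1] and not re.match(r"\w+=", line)
            current += ("" if cut else " ") + line
        if current is not None and "tclass=" in current:
            yield current
            current = None

def parse_avc(record):
    """Return key=value fields plus decision, permissions and context types."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(record)}
    fields["decision"] = re.search(r"avc:\s+(\w+)", record).group(1)
    fields["perms"] = re.search(r"\{([^}]*)\}", record).group(1).split()
    for key in ("scontext", "tcontext"):
        # user:role:type:level, where the level may itself contain colons
        fields[key[0] + "type"] = fields[key].split(":", 3)[2]
    return fields

def unlabeled_targets(text):
    """Denials whose target type is file_t, i.e. the file carries no label."""
    return [r for r in map(parse_avc, rejoin_records(text))
            if r["decision"] == "denied" and r["ttype"] == "file_t"]

if __name__ == "__main__":
    for r in unlabeled_targets(SAMPLE):
        print(r["comm"], r["stype"], r["perms"], r["name"], r["dev"], r["ino"])
```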