yum/bootloader avcs?

Daniel J Walsh dwalsh at redhat.com
Tue Dec 7 16:30:48 UTC 2004


Tom London wrote:

>Running strict, latest Rawhide.
>
>I happened to do today's updates in permissive
>mode, and got the following avcs:
>
>Dec  7 07:40:23 fedora kernel: loop: loaded (max 8 devices)
>Dec  7 07:41:29 fedora kernel: audit(1102434089.867:0): avc:  denied 
>{ read } for  pid=3863 exe=/bin/bash name=.bashrc dev=hda2 ino=1130588
>scontext=root:sysadm_r:bootloader_t
>tcontext=root:object_r:staff_home_t tclass=file
>Dec  7 07:41:29 fedora kernel: audit(1102434089.867:0): avc:  denied 
>{ getattr } for  pid=3863 exe=/bin/bash path=/root/.bashrc dev=hda2
>ino=1130588 scontext=root:sysadm_r:bootloader_t
>tcontext=root:object_r:staff_home_t tclass=file
>Dec  7 07:41:29 fedora kernel: audit(1102434089.957:0): avc:  denied 
>{ read } for  pid=3865 exe=/usr/bin/id name=config dev=hda2
>ino=4509759 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>Dec  7 07:41:29 fedora kernel: audit(1102434089.957:0): avc:  denied 
>{ getattr } for  pid=3865 exe=/usr/bin/id path=/etc/selinux/config
>dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>
>The first two of these (ref to /root/.bashrc, I believe) are not new, but
>I don't remember seeing the others.
>
>tom
>
>
The others are there only because you are running in permissive mode.
Basically there is a dontaudit in the policy on searches of
/etc/selinux/config, but since you are in permissive mode it allows you to
continue and read the selinux files; this would not happen in strict mode.
So these are false error messages :^(
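The mechanism behind Daniel's answer is worth seeing on the log lines themselves: a dontaudit rule only suppresses the audit record, it does not grant the access, and in permissive mode the denied search is allowed to proceed anyway, so the follow-on read and getattr on /etc/selinux/config get logged even though they would never have been attempted under enforcing. The script below is an added example, not code from the thread or from the Fedora policy: it parses the AVC messages Tom posted (re-joined onto single lines, as the kernel actually emits them), splits the source and target contexts into their type fields, and separates the denials that the policy would have silenced from the ones that still deserve a look. The DONTAUDIT table is an assumption that models Daniel's statement about bootloader_t and the selinux config; it is not the real policy's rule set.

```python
"""Triage SELinux AVC denials: separate denials a dontaudit rule would have
silenced in enforcing mode from denials worth investigating.

Added example, not code from the thread.  SAMPLE_LOG is the AVCs from the
thread re-joined onto single lines; DONTAUDIT is an assumed model of the
policy statement in the reply, not the actual Fedora policy.
"""
import re
from collections import Counter

# Constructed sample: the four denials from the thread, one per line,
# plus one non-AVC kernel line to show it is skipped.
SAMPLE_LOG = """\
Dec  7 07:40:23 fedora kernel: loop: loaded (max 8 devices)
Dec  7 07:41:29 fedora kernel: audit(1102434089.867:0): avc:  denied { read } for  pid=3863 exe=/bin/bash name=.bashrc dev=hda2 ino=1130588 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file
Dec  7 07:41:29 fedora kernel: audit(1102434089.867:0): avc:  denied { getattr } for  pid=3863 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=1130588 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file
Dec  7 07:41:29 fedora kernel: audit(1102434089.957:0): avc:  denied { read } for  pid=3865 exe=/usr/bin/id name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
Dec  7 07:41:29 fedora kernel: audit(1102434089.957:0): avc:  denied { getattr } for  pid=3865 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
"""

# "avc:  denied { read getattr } for  key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed dontaudit rules (hypothetical): (source type, target type, class)
# -> permissions whose denial is not logged.  Models the reply's claim that
# bootloader_t touching the selinux config is dontaudited in the policy.
DONTAUDIT = {
    ("bootloader_t", "selinux_config_t", "file"): {"read", "getattr"},
}


def parse_avc(line):
    """Return a dict of the fields on one AVC log line, or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    rec.update(KV_RE.findall(m.group("rest")))
    # Contexts are user:role:type; policy rules are keyed on the type.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def is_dontaudited(rec):
    """True when the modelled policy silences every permission in the denial."""
    key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
    return rec["perms"] <= DONTAUDIT.get(key, set())


def triage(log_text):
    """Split denials into (worth investigating, permissive-mode noise)."""
    investigate, noise = [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        (noise if is_dontaudited(rec) else investigate).append(rec)
    return investigate, noise


def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in records:
        for perm in rec["perms"]:
            counts[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    real, noise = triage(SAMPLE_LOG)
    print("worth investigating:")
    for key, n in sorted(summarize(real).items()):
        print("  %s -> %s %s { %s } x%d" % (key + (n,)))
    print("silenced by dontaudit in enforcing mode:")
    for key, n in sorted(summarize(noise).items()):
        print("  %s -> %s %s { %s } x%d" % (key + (n,)))
```

Run against the sample, the two .bashrc denials against staff_home_t come out as the ones to look at, and the two selinux_config_t denials are classified as permissive-mode noise. The general lesson is the one in the reply: when triaging AVCs collected in permissive mode, check whether a denial is the downstream effect of an earlier, silently dontaudited access before treating it as a policy bug.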
