yum/bootloader avcs?
Daniel J Walsh
dwalsh at redhat.com
Tue Dec 7 16:30:48 UTC 2004
Tom London wrote:
>Running strict, latest Rawhide.
>
>I happened to do today's updates in permissive
>mode, and got the following avcs:
>
>Dec 7 07:40:23 fedora kernel: loop: loaded (max 8 devices)
>Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied
>{ read } for pid=3863 exe=/bin/bash name=.bashrc dev=hda2 ino=1130588
>scontext=root:sysadm_r:bootloader_t
>tcontext=root:object_r:staff_home_t tclass=file
>Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied
>{ getattr } for pid=3863 exe=/bin/bash path=/root/.bashrc dev=hda2
>ino=1130588 scontext=root:sysadm_r:bootloader_t
>tcontext=root:object_r:staff_home_t tclass=file
>Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied
>{ read } for pid=3865 exe=/usr/bin/id name=config dev=hda2
>ino=4509759 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied
>{ getattr } for pid=3865 exe=/usr/bin/id path=/etc/selinux/config
>dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>
>The first two of these (ref to /root/.basrc, I believe) is not new, but
>I don't remember seeing the others.
>
>tom
>
>
>
The others are there only because you are running in permissive mode.
Basically there is a dontaudit in the polic on searches of
/etc/selinux/config, but since you
are in permissive mode it allows you to continue and read the selinux
files, this would not happen in
strict mode. So these are false error messages :^(
More information about the fedora-selinux-list
mailing list