AVCs with ntpd

Bob Gustafson bobgus at rcn.com
Mon Sep 20 14:15:48 UTC 2004


I wonder about step 2. below. If you have the latest (and even just a
recent) kernel, all of the SELinux patches are in the kernel already.

[doing the patches by hand after looking them over is always a good idea
for a secure system, but if you just want to get things up for a sanity
check, maybe not necessary at the moment..]

Bringing your system up2date is also a good idea as some of the utilities
(ntpd?) have SELinux-related patches.

I also think that step 5. needs to be done before steps 3 and 4.

You might boot a couple of times with 5. set, then do 3. and 4.

At least that is what I have done.

BobG

On Mon, 20 Sep 2004 14:18:17 +0200, Felipe Alfaro Solana wrote:
>OK, so I'm trying SElinux after having it disabled for some time.
>That's what I did:
>
>1. Installed selinux-policy-targeted-1.17.16-2
>2. Recompiled the kernel with SElinux support
>3. Booted into single user mode
>4. Ran "fixfiles relabel"
>5. Rebooted with "selinux=1"
>
>Now, I'm seeing a lot of these:
>
>audit(1095681913.039:0): avc: denied  { search } for  pid=2515
>exe=/usr/sbin/ntpd dev=tmpfs ino=357 scontext=user_u:system_r:ntpd_t
>tcontext=user_u:object_r:tmpfs_t tclass=dir
>
>The problem here is that I'm using UDEV and that the initial ramdisk
>mounts a tmpfs on top of "/dev", thus, covering the labeled "/dev" that
>resides on disk.
>
>How should I fix this?
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
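
An added example, not part of either message: a small Python parser for AVC denials in the format quoted above. It groups denials by source type, target type, class and permission, and flags denials on `tmpfs_t` objects that sit on a tmpfs device, which is the pattern the original poster attributes to udev's tmpfs mounted over /dev. The first sample record is the denial from the thread joined onto one line; the other two records and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Record 1: the denial quoted in the thread, joined onto one line.
# Records 2 and 3: constructed, so the grouping has something to separate.
SAMPLE_LOG = """\
audit(1095681913.039:0): avc: denied  { search } for  pid=2515 exe=/usr/sbin/ntpd dev=tmpfs ino=357 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095681913.041:0): avc: denied  { search } for  pid=2515 exe=/usr/sbin/ntpd dev=tmpfs ino=357 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095681920.500:0): avc: denied  { read } for  pid=2600 exe=/usr/sbin/ntpd dev=hda2 ino=4711 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = tuple(m.group("perms").split())
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")   # user:role:type[:level]
        if len(parts) < 3:
            return None                        # malformed or missing context
        rec[side[0] + "type"] = parts[2]       # adds "stype" / "ttype"
    return rec

def summarize(log):
    """Count denials per (source type, target type, class, perms, device)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["stype"], rec["ttype"], rec.get("tclass"),
                    rec["perms"], rec.get("dev"))] += 1
    return counts

def tmpfs_label_hits(log):
    """Per-domain count of denials on tmpfs_t objects living on a tmpfs device."""
    hits = Counter()
    for (stype, ttype, _tclass, _perms, dev), n in summarize(log).items():
        if ttype == "tmpfs_t" and dev == "tmpfs":
            hits[stype] += n
    return dict(hits)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
    print(tmpfs_label_hits(SAMPLE_LOG))
```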



