Rawhide update gone awry

Steve Brueckner steve at atc-nycorp.com
Tue Apr 26 19:07:45 UTC 2005


I appear to have borked my SELinux installation.  I wanted to experiment
with the new name_connect permission, which I read was available with the
latest rawhide kernel and selinux policy.  So, in my first-ever attempt to
use rawhide, I enabled my /etc/yum.repos.d/fedora-devel.repo file and then
yum updated to the following:

kernel.i686                              2.6.11-1.1267_FC4      installed
selinux-policy-targeted.noarch           1.23.12-4              installed
selinux-policy-targeted-sources.noarch   1.23.12-4              installed
selinux-policy-strict.noarch             1.23.12-4              installed
selinux-policy-strict-sources.noarch     1.23.12-4              installed
libselinux.i386                          1.23.7-3               installed
libselinux-devel.i386                    1.23.7-3               installed
libselinux-debuginfo.i386                1.23.7-3               installed
libsepol.i386                            1.5.5-2                installed
policycoreutils.i386                     1.23.6-1               installed
checkpolicy.i386                         1.23.1-1               installed
setools.i386                             2.1.0-2                installed
selinux-doc.noarch                       1.19.5-1               installed

I then did a touch /.autorelabel; reboot, then after rebooting a make
reload.  I'm using the targeted policy in permissive mode (things freeze up
when I setenforce 1).  Policy version is 19.

I get a lot of avc denied messages on boot; enough to make me think I did
something wrong with my policy update or kernel update.  Did I even go about
this the right way?  Is there anything obviously wrong with the steps I
took?  I'm running FC3, and I wasn't certain about updating to an FC4 kernel
but yum seemed to think it was OK so I went for it.  I get the same errors
when I revert to 2.6.11-1.14_FC3.

Thanks for any ideas.  My boot log is included below, with anything
non-SELinux related snipped out.

 - Steve Brueckner, ATC-NY



$ dmesg
Linux version 2.6.11-1.1267_FC4 (bhcompile at porky.build.redhat.com) (gcc
version 4.0.0 20050423 (Red Hat 4.0.0-1)) #1 Mon Apr 25 19:22:44 EDT 2005
...
Security Framework v1.0.0 initialized
SELinux:  Initializing.
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
Capability LSM initialized as secondary
...
audit: initializing netlink socket (disabled)
audit(1114514592.659:0): initialized
...
SELinux:  Registering netfilter hooks
...
security:  3 users, 6 roles, 684 types, 75 bools
security:  55 classes, 126760 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for
labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses
genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
audit(1114514601.951:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:kernel_t tclass=fd
...
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
...
SELinux: initialized (dev hda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 2031608k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses
genfs_contexts
...
audit(1114529038.066:0): avc:  denied  { read } for  name=config dev=dm-0
ino=3837327 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1114529038.066:0): avc:  denied  { getattr } for
path=/etc/selinux/config dev=dm-0 ino=3837327
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1114529038.092:0): avc:  denied  { execute } for  name=restorecon
dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:restorecon_exec_t tclass=file
audit(1114529038.092:0): avc:  denied  { execute_no_trans } for
path=/sbin/restorecon dev=dm-0 ino=1802308
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:restorecon_exec_t tclass=file
audit(1114529038.092:0): avc:  denied  { read } for  path=/sbin/restorecon
dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:restorecon_exec_t tclass=file
audit(1114529038.093:0): avc:  denied  { search } for  name=contexts
dev=dm-0 ino=3834258 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:default_context_t tclass=dir
audit(1114529038.093:0): avc:  denied  { search } for  name=files dev=dm-0
ino=3834262 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:file_context_t tclass=dir
audit(1114529038.093:0): avc:  denied  { read } for  name=file_contexts
dev=dm-0 ino=3834260 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:file_context_t tclass=file
audit(1114529038.093:0): avc:  denied  { getattr } for
path=/etc/selinux/targeted/contexts/files/file_contexts dev=dm-0 ino=3834260
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t
tclass=file
audit(1114529038.096:0): avc:  denied  { search } for  name=/ dev=selinuxfs
ino=232 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:security_t tclass=dir
audit(1114529038.096:0): avc:  denied  { read write } for  name=context
dev=selinuxfs ino=5 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:security_t tclass=file
audit(1114529038.096:0): avc:  denied  { check_context } for
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t
tclass=security
audit(1114529038.479:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:named_t tcontext=system_u:system_r:kernel_t
tclass=fd
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
audit(1114529040.947:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:howl_t tcontext=system_u:system_r:kernel_t
tclass=fd
audit(1114529043.069:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:kernel_t tclass=fd
...
audit(1114529047.672:0): avc:  denied  { read } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:root_t tclass=file
audit(1114529050.126:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t
tclass=fd
audit(1114529052.770:0): avc:  denied  { write } for  name=etc
dev=dm-0 ino=3833857 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=dir
audit(1114529052.770:0): avc:  denied  { add_name } for  name=.fstab.hal.S
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t
tclass=dir
audit(1114529052.770:0): avc:  denied  { create } for  name=.fstab.hal.S
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1114529053.042:0): avc:  denied  { write } for  name=media dev=dm-0
ino=8552449 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:mnt_t tclass=dir
audit(1114529053.042:0): avc:  denied  { remove_name } for  name=cdrecorder
dev=dm-0 ino=8552450 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:mnt_t tclass=dir
audit(1114529053.042:0): avc:  denied  { rmdir } for  name=cdrecorder
dev=dm-0 ino=8552450 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:mnt_t tclass=dir
audit(1114529053.157:0): avc:  denied  { write } for  path=/etc/.fstab.hal.S
dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1114529053.157:0): avc:  denied  { remove_name } for
name=.fstab.hal.S dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=dir
audit(1114529053.157:0): avc:  denied  { rename } for  name=.fstab.hal.S
dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1114529053.157:0): avc:  denied  { unlink } for  name=fstab dev=dm-0
ino=3834553 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1114529053.179:0): avc:  denied  { write } for  name=rhgb-socket
dev=ramfs ino=4929 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:ramfs_t tclass=sock_file
audit(1114529053.179:0): avc:  denied  { connectto } for
path=/etc/rhgb/temp/rhgb-socket scontext=system_u:system_r:init_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
audit(1114529053.577:0): avc:  denied  { getattr } for
path=/dev/VolGroup00/LogVol00 dev=tmpfs ino=5807
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:device_t
tclass=lnk_file
audit(1114529053.653:0): avc:  denied  { add_name } for  name=cdrecorder
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t
tclass=dir
audit(1114529053.654:0): avc:  denied  { create } for  name=cdrecorder
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t
tclass=dir
audit(1114529053.674:0): avc:  denied  { getattr } for
path=/dev/mapper/VolGroup00-LogVol00 dev=tmpfs ino=1128
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:device_t
tclass=blk_file
audit(1114529053.674:0): avc:  denied  { getattr } for  path=/dev/pts
dev=devpts ino=1 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:devpts_t tclass=dir
...
audit(1114529081.451:0): avc:  denied  { getattr } for  path=/dev/pts
dev=devpts ino=1 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:devpts_t tclass=dir
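
As an added example (not from Steve's message or from the Fedora SELinux tooling), here is a small Python triage script that parses AVC denial records of the form shown in the boot log above and groups them by source domain, target type and object class, the same grouping audit2allow uses, so recurring patterns are visible at a glance. The sample input is constructed from a few records of the post and deliberately keeps two quirks of the log as mailed: records wrapped across lines, and two records fused with the message that followed them.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the dmesg in the post: the mailer wrapped
# records and fused two with the next message ("tclass=fdSELinux:", "tclass=fdaudit(").
SAMPLE_DMESG = """\
audit(1114529038.096:0): avc:  denied  { read write } for  name=context
dev=selinuxfs ino=5 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:security_t tclass=file
audit(1114529038.479:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:named_t tcontext=system_u:system_r:kernel_t
tclass=fdSELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
audit(1114529050.126:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t
tclass=fdaudit(1114529052.770:0): avc:  denied  { write } for  name=etc
dev=dm-0 ino=3833857 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=dir
"""

# DOTALL lets one record span wrapped lines; tclass is matched lazily so the
# class name stops where a fused "SELinux:" or "audit(" message begins.
AVC_RE = re.compile(
    r"audit\(\d+\.\d+:\d+\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+"
    r"(?P<fields>.*?)tclass=(?P<tclass>[a-z_]+?)(?=\s|$|SELinux:|audit\()", re.DOTALL)

def parse_avc(text):
    """One dict per denial: permissions, source domain, target type, class, object."""
    records = []
    for m in AVC_RE.finditer(text):
        f = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
        records.append({"perms": frozenset(m.group("perms").split()),
                        "stype": f["scontext"].split(":")[2],   # source domain
                        "ttype": f["tcontext"].split(":")[2],   # target type
                        "tclass": m.group("tclass"),
                        "target": f.get("path") or f.get("name")})
    return records

def group_denials(records):
    """(source domain, target type, class) -> merged perms and hit count."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for r in records:
        g = groups[(r["stype"], r["ttype"], r["tclass"])]
        g["perms"] |= r["perms"]
        g["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (s, t, c), g in sorted(group_denials(parse_avc(SAMPLE_DMESG)).items()):
        print(f"{g['count']:3d}  {s} -> {t}:{c}  {{ {' '.join(sorted(g['perms']))} }}")
```

Feeding it the full dmesg output instead of the sample turns a long denial list into a handful of domain/type pairs, which is the view needed to decide whether a denial comes from a mislabelled file, a missing domain transition, or a policy gap.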
