policy change adventure ..

hb HBurde at t-online.de
Wed Feb 2 15:11:41 UTC 2005


hi;

I changed a SE linux system from a targeted policy to strict to do some
testing with strict & enforcing for a particular setup I plan. System is
FC3 (all patches up to 01.02.2005) with standard install up to that
point.

Policy change:

1 yum'ed the strict policy and policy sources 
2 did a system-config-securelevel (changed targeted -> strict)
3 reboot (fingers crossed ..)

What happened was this:

Mass complaints (avc: denied)
mass out-of-memory errors .. (no way ..) // the system has 384MB RAM
rescue CD: mount and change /etc/selinux/config to permissive
touch /.autorelabel
this time autorelabel worked
still many avc denies from std. system services

fixfiles check // everything ok .. surprise
still many many avc denies from std system services ..

So my question: is this normal (still no production quality)? or a
bug / side effect from changing the policy (should work but does not)?
Since there are too many errors I can't track each individual problem
down. Any idea what to try?


----
Example /var/log/messages

Feb  1 15:58:15 dragon kernel: audit(1107269508.339:0): avc:  denied
{ getattr } for  pid=2183 exe=/sbin/lvm.static path=/dev/mem dev=tmpfs
ino=485 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
Feb  1 15:58:15 dragon kernel: audit(1107269508.339:0): avc:  denied
{ getattr } for  pid=2183 exe=/sbin/lvm.static path=/dev/net/tun
dev=tmpfs ino=1816 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file
Feb  1 15:58:15 dragon kernel: audit(1107269508.339:0): avc:  denied
{ getattr } for  pid=2183 exe=/sbin/lvm.static path=/dev/ppp dev=tmpfs
ino=1817 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ppp_device_t tclass=chr_file
Feb  1 15:58:15 dragon kernel: audit(1107269508.343:0): avc:  denied
{ getattr } for  pid=2183 exe=/sbin/lvm.static path=/dev/zero dev=tmpfs
ino=1820 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:zero_device_t tclass=chr_file
Feb  1 15:58:15 dragon kernel: audit(1107269508.554:0): avc:  denied
{ read } for  pid=2183 exe=/sbin/lvm.static name=hdf dev=tmpfs ino=1063
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
Feb  1 15:58:15 dragon kernel: audit(1107269508.556:0): avc:  denied
{ write } for  pid=2183 exe=/sbin/lvm.static name=control dev=tmpfs
ino=4737 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lvm_control_t tclass=chr_file
Feb  1 15:58:15 dragon kernel: audit(1107269508.556:0): avc:  denied
{ ioctl } for  pid=2183 exe=/sbin/lvm.static path=/dev/mapper/control
dev=tmpfs ino=4737 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lvm_control_t tclass=chr_file
Feb  1 15:58:15 dragon kernel: audit(1107269508.557:0): avc:  denied
{ write } for  pid=2183 exe=/sbin/lvm.static name=.cache dev=hde1
ino=66753 scontext=system_u:system_r:initrc_t
tcontext=user_u:object_r:etc_t tclass=file
-- 
hb <hburde at t-online.de>
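The complaint above is that there are too many denials to chase individually. The usual way out is to aggregate them: parse the `avc: denied` lines, count them by source domain, target type, object class and permission, and collapse the result into rule form so the dominant gaps stand out. The script below is an added example written for this page, not anything from the original post or the Fedora tools; it embeds the eight AVC lines from the post (re-joined onto single lines, since the mail client wrapped them) plus one constructed non-AVC line, and emits rules in the same `allow src tgt:class perm;` shape that audit2allow prints. Whether any such rule should actually be loaded is a policy decision; the output is only a triage summary.

```python
import re
from collections import Counter, defaultdict

# The eight AVC lines from the post, each re-joined onto one line, plus a
# constructed non-AVC kernel line to show that unrelated messages are skipped.
SAMPLE_LINES = [
    "Feb  1 15:58:15 dragon kernel: audit(1107269508.339:0): avc:  denied  "
    "{ getattr } for  pid=2183 exe=/sbin/lvm.static path=/dev/mem dev=tmpfs "
    "ino=485 scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:object_r:memory_device_t tclass=chr_file",
    "Feb  1 15:58:15 dragon kernel: audit(1107269508.339:0): avc:  denied  "
    "{ getattr } for  pid=2183 exe=/sbin/lvm.static path=/dev/net/tun "
    "dev=tmpfs ino=1816 scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file",
    "Feb  1 15:58:15 dragon kernel: audit(1107269508.339:0): avc:  denied  "
    "{ getattr } for  pid=2183 exe=/sbin/lvm.static path=/dev/ppp dev=tmpfs "
    "ino=1817 scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:object_r:ppp_device_t tclass=chr_file",
    "Feb  1 15:58:15 dragon kernel: audit(1107269508.343:0): avc:  denied  "
    "{ getattr } for  pid=2183 exe=/sbin/lvm.static path=/dev/zero dev=tmpfs "
    "ino=1820 scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:object_r:zero_device_t tclass=chr_file",
    "Feb  1 15:58:15 dragon kernel: audit(1107269508.554:0): avc:  denied  "
    "{ read } for  pid=2183 exe=/sbin/lvm.static name=hdf dev=tmpfs ino=1063 "
    "scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:object_r:removable_device_t tclass=blk_file",
    "Feb  1 15:58:15 dragon kernel: audit(1107269508.556:0): avc:  denied  "
    "{ write } for  pid=2183 exe=/sbin/lvm.static name=control dev=tmpfs "
    "ino=4737 scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:object_r:lvm_control_t tclass=chr_file",
    "Feb  1 15:58:15 dragon kernel: audit(1107269508.556:0): avc:  denied  "
    "{ ioctl } for  pid=2183 exe=/sbin/lvm.static path=/dev/mapper/control "
    "dev=tmpfs ino=4737 scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:object_r:lvm_control_t tclass=chr_file",
    "Feb  1 15:58:15 dragon kernel: audit(1107269508.557:0): avc:  denied  "
    "{ write } for  pid=2183 exe=/sbin/lvm.static name=.cache dev=hde1 "
    "ino=66753 scontext=system_u:system_r:initrc_t "
    "tcontext=user_u:object_r:etc_t tclass=file",
    # constructed: an ordinary kernel line that carries no AVC record
    "Feb  1 15:58:16 dragon kernel: constructed non-AVC message, should be skipped",
]

# "avc:  denied  { perm [perm...] } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("scontext", "tcontext", "tclass")


def parse_avc(line):
    """Return the key=value fields of one AVC denial as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["perms"] = tuple(m.group("perms").split())  # one line may list several
    return rec


def type_of(context):
    """Type component of a user:role:type security context."""
    return context.split(":")[2]


def summarize(lines):
    """Count denials keyed by (scontext, tcontext, tclass, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or any(k not in rec for k in REQUIRED):
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext"], rec["tcontext"], rec["tclass"], perm)] += 1
    return counts


def allow_rules(counts):
    """Collapse the counts into 'allow src tgt:class perms;' lines, sorted."""
    perms_by_triple = defaultdict(set)
    for sctx, tctx, tclass, perm in counts:
        perms_by_triple[(type_of(sctx), type_of(tctx), tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_triple.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    counts = summarize(SAMPLE_LINES)
    for key, n in counts.most_common():
        print(n, *key)
    print()
    print("\n".join(allow_rules(counts)))
```

Run it against a real file with `summarize(open("/var/log/messages"))`: the loop only needs an iterable of lines. The grouping by `type_of()` deliberately drops the user and role fields, which is what makes the eight distinct lines collapse into seven candidate rules; the two `lvm_control_t` denials merge into a single `{ ioctl write }` rule.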
