fc5: several troubles at my first attempt

Maxim Britov udjinrg at forenet.by
Wed Mar 15 17:08:26 UTC 2006


I installed current fc5 over http about a week or two ago. It was updated from rawhide.
It is currently installed on hda2 and runs under qemu.

I see many avc denied messages in dmesg (repeated 210 times with different pids):
audit(1142439027.188:2): avc:  denied  { search } for  pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
hda2 here is /

It can't mount /var/spool/squid at boot time. dmesg shows:
audit(1142439059.662:212): avc:  denied  { mounton } for  pid=820 comm="mount" name="squid" dev=hda7 ino=261122 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
hda7 here is /var
After booting I can mount it with: # mount /var/spool/squid (/etc/fstab uses default options):
"kjournald starting.  Commit interval 5 seconds
 EXT3 FS on hda5, internal journal
 EXT3-fs: mounted filesystem with ordered data mode.
 SELinux: initialized (dev hda5, type ext3), uses xattr"

I can't switch to strict mode.
I did it by editing /etc/selinux/config and touching /.autorelabel.
The system can't boot after restarting: many avc denied for init_t, etc.
Where am I wrong?
security:  5 users, 5 roles, 1555 types, 68 bools, 1 sens, 256 cats
security:  55 classes, 89189 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1142442162.184:2): avc:  denied  { search } for  pid=1 comm="init" name="lib" dev=hda2 ino=775681 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
audit(1142442162.188:3): avc:  denied  { read } for  pid=1 comm="init" name="ld-linux.so.2" dev=hda2 ino=775935 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=lnk_file
audit(1142442162.188:4): avc:  denied  { execute } for  pid=1 comm="init" name="ld-2.4.so" dev=hda2 ino=775682 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1142442162.188:5): avc:  denied  { read } for  pid=1 comm="init" name="ld-2.4.so" dev=hda2 ino=775682 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
audit(1142442163.580:6): avc:  denied  { sigchld } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
audit(1142442169.142:7): avc:  denied  { execute } for  pid=325 comm="udevd" name="udev_run_hotplugd" dev=hda2 ino=775731 scontext=system_u:system_r:udev_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file
audit(1142442169.142:8): avc:  denied  { execute_no_trans } for  pid=325 comm="udevd" name="udev_run_hotplugd" dev=hda2 ino=775731 scontext=system_u:system_r:udev_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file
audit(1142442171.434:9): avc:  denied  { search } for  pid=364 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
.........


Please excuse my engrish :)

-- 
Maxim Britov

GnuPG KeyID 0x4580A6D66F3DB1FB xmpp:maxim at modum.by icq 198171258
Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB
GnuPG-ru Team (http://lists.gnupg.org/mailman/listinfo/gnupg-ru
               xmpp:gnupg-ru at conference.jabber.ru)
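The following is an added example, not code from the post above or from the Fedora project. It parses AVC records in the pre-auditd `audit(...)` dmesg format shown in the post, tallies denials by source type, target type, object class and permission, and picks out targets labeled `file_t`. In the reference policy of that era `file_t` is the type given to files that carry no SELinux label at all, so such denials point at a relabel problem (restorecon or /.autorelabel) rather than at a missing policy rule; treating it that way here is the example's own heuristic. The sample lines are copied from the post; the function and variable names are the example's own.

```python
import re
from collections import Counter

# AVC lines copied from the post's dmesg output (constructed sample input,
# one non-AVC kernel line included to show it is skipped).
SAMPLE_DMESG = """\
audit(1142439027.188:2): avc:  denied  { search } for  pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1142439059.662:212): avc:  denied  { mounton } for  pid=820 comm="mount" name="squid" dev=hda7 ino=261122 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
SELinux: initialized (dev hda2, type ext3), uses xattr
audit(1142442162.184:2): avc:  denied  { search } for  pid=1 comm="init" name="lib" dev=hda2 ino=775681 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
audit(1142442162.188:4): avc:  denied  { execute } for  pid=1 comm="init" name="ld-2.4.so" dev=hda2 ino=775682 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1142442169.142:7): avc:  denied  { execute } for  pid=325 comm="udevd" name="udev_run_hotplugd" dev=hda2 ino=775731 scontext=system_u:system_r:udev_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file
audit(1142442171.434:9): avc:  denied  { search } for  pid=364 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

# "avc:  denied  { perm [perm ...] } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text):
    """Count denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))
            counts[key] += 1
    return counts


def unlabeled_targets(text):
    """Map (dev, inode) -> name for every denied object whose type is file_t.

    file_t means the object has no label; the fix is to relabel it
    (restorecon or /.autorelabel), not to write policy for it."""
    seen = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ttype"] == "file_t":
            seen[(rec["dev"], rec["ino"])] = rec["name"]
    return seen


if __name__ == "__main__":
    for (stype, ttype, tclass, perms), n in summarize(SAMPLE_DMESG).most_common():
        print(f"{n:4d}  {stype} -> {ttype} ({tclass}) {{ {perms} }}")
    for (dev, ino), name in unlabeled_targets(SAMPLE_DMESG).items():
        print(f"unlabeled: name={name} dev={dev} ino={ino}")
```

Run it against `dmesg` output or /var/log/messages to collapse hundreds of repeated records (the post mentions 210 of the pam_console_app one) into a handful of distinct source/target/permission tuples, which is the unit at which one decides between relabeling and changing policy.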




More information about the fedora-selinux-list mailing list