mrtg selinux denials in default configuration

David Timms dtimms at
Tue Apr 15 12:51:19 UTC 2008

Daniel J Walsh wrote:
> # semanage user -l
> # semanage login -l

# semanage user -l
                Labeling  MLS/     MLS/
SELinux User   Prefix    MCS Lvl  MCS Range
SELinux Roles

root           user      s0       SystemLow-SystemHigh
system_r staff_r unconfined_r sysadm_r
staff_u        user      s0       SystemLow-SystemHigh
system_r staff_r sysadm_r
sysadm_u       user      s0       SystemLow-SystemHigh
system_u       user      s0       SystemLow-SystemHigh
unconfined_u   unconfined s0      SystemLow-SystemHigh
system_r unconfined_r
user_u         user      s0       s0                             user_r

# semanage login -l
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              SystemLow-SystemHigh
root                      unconfined_u              SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh

As an aside, I erased mrtg yesterday - mo more mrtg denials.
Reinstalled mrtg just now, mrtg denials every five minutes. It is also
possible that when originally installed under F8, that I attempted to
configure it, but I can't find any evidence of that in /etc ...etc. My
other machine doesn't popup the denials with a default install, so I
expect there must be some invalid or selinux not configured to match
service requirements.
Actually running same -l on another f9beta notebook:
# semanage user -l {has the ones above plus:}

                 Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range
SELinux Roles

guest_u         guest      s0         s0                             guest_r
xguest_u        xguest     s0         s0

# semanage login -l   {same 3 items, except the selinux user for root is
Login Name                SELinux User              MLS/MCS Range

root                      root                      SystemLow-SystemHigh

Given autorelabel doesn't seem to solve it, is it worth {possible} to
rpm -e the targeted policy, then reinstall it - or am I barking up the
wrong tree ?


More information about the fedora-selinux-list mailing list