Recent SELinux updates seem to cause Kernel Panic
Russell Coker
russell at coker.com.au
Mon Apr 12 10:46:20 UTC 2004
On Tue, 6 Apr 2004 07:14, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Brandon Petersen wrote:
> >I got past the kernel panic by setting the kernel parameter
> >'selinux=permissive' at the boot up. Thanks for the info about the
> >policy file, the machine now nearly loads.
> >
> >When I boot normally, I now get an unending stream of the following
> >error message:
> >
> >audit(1081178872.934:0): avc: denied { write } for pid=1063
> >exe=/sbin/klogd name=log dev=hda2 ino=762650
> >scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:file_t
> >tclass=sock_file
>
> This looks like you have a mislabeled file, perhaps caused by the kernel
> panic.
> You will probably need a relabel.
allow syslogd_t { device_t file_t }:sock_file unlink;
I have added the above line to my policy tree to solve this. When the unix
domain socket gets unlabeled due to a system crash at the wrong time, or when
it gets the type device_t from running in permissive mode, syslogd will be
able to unlink it and replace it. This should solve that category of
problem.
We definitely don't want to add such policy for all daemons. But syslogd is
particularly important, as when it breaks everything goes wrong (many daemons
log messages to the console or abort, some daemons hang, and generally the
machine will not successfully boot).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
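The thread above diagnoses the problem from one AVC denial by reading the target context by eye. The following script, added here as an example and not part of the original list message or of Russell's policy tree, parses the audit(...) AVC format quoted above and flags the specific pattern discussed: a sock_file whose target type is file_t or device_t, i.e. a socket that lost its label in a crash or was created while the policy was not enforced. The sample lines are constructed for the demonstration (the pids, inode numbers and the third, unrelated denial are made up) and only follow the format of the quoted message.

```python
import re

# Constructed sample AVC messages in the audit(...) format quoted in the thread.
# They are not taken from the original post: the pids, inode numbers and the
# third (unrelated) denial are made up for the demonstration.
SAMPLE_AUDIT_LINES = [
    "audit(1081178872.934:0): avc: denied { write } for pid=1063 exe=/sbin/klogd "
    "name=log dev=hda2 ino=762650 scontext=system_u:system_r:klogd_t "
    "tcontext=system_u:object_r:file_t tclass=sock_file",
    "audit(1081178873.001:0): avc: denied { unlink } for pid=1062 exe=/sbin/syslogd "
    "name=log dev=hda2 ino=762650 scontext=system_u:system_r:syslogd_t "
    "tcontext=system_u:object_r:device_t tclass=sock_file",
    "audit(1081178880.500:0): avc: denied { read } for pid=2000 exe=/usr/sbin/foo "
    "name=foo.conf dev=hda2 ino=4711 scontext=system_u:system_r:foo_t "
    "tcontext=system_u:object_r:etc_t tclass=file",
]

# Object types that mean nobody labeled the object properly: file_t is what an
# unlabeled inode shows up as after a crash or interrupted relabel, and
# device_t is what a socket created under /dev inherits when the rule that
# would have typed it was not enforced (e.g. a permissive boot), which is the
# case the message above describes.
UNLABELED_TYPES = {"file_t", "device_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["perms"] = m.group("perms").split()
    # A security context is user:role:type[:level]; keep the type handy.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def is_mislabeled_socket(rec):
    """True when a socket file carries a type no policy rule would assign it."""
    return (
        rec is not None
        and rec.get("tclass") == "sock_file"
        and rec.get("tcontext_type") in UNLABELED_TYPES
    )


def find_mislabeled_sockets(lines):
    """Return (name, dev, ino, target type, source domain) for each suspect."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if is_mislabeled_socket(rec):
            hits.append((rec.get("name"), rec.get("dev"), rec.get("ino"),
                         rec["tcontext_type"], rec["scontext_type"]))
    return hits


if __name__ == "__main__":
    for name, dev, ino, ttype, domain in find_mislabeled_sockets(SAMPLE_AUDIT_LINES):
        print(f"{domain} denied on sock_file {name} (dev={dev} ino={ino}) labeled "
              f"{ttype}: relabel, or let the owning daemon unlink and recreate it")
```

Run against a captured dmesg or /var/log/messages extract, the output points at exactly the objects Dan Walsh's "you will probably need a relabel" applies to; the unrelated etc_t denial in the sample is deliberately left unflagged, since it is a genuine policy gap rather than a labeling one.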