Issue with selinux and swapfiles in FC5?
Doug Fordham
dfordham at gmail.com
Fri Feb 17 04:07:34 UTC 2006
Fabio Comolli wrote:
> Hi.
>
>
>> On 2/16/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>
>>> Fabio Mollify wrote:
>>>
>> Who in the hell is Fabio Mollify???????
>>
>>
>
> forgot the :-)
>
>
>>>> Hi. I found this line in my logs:
>>>>
>>>> audit(1140033999.212:6): avc: denied { write } for pid=2171
>>>> comm="swapon" name="swapfile" dev=sda2 ino=67052
>>>> scontext=system_u:system_r:fsadm_t:s0
>>>> tcontext=system_u:object_r:default_t:s0 tclass=file
>>>>
>>>> I'm just experimenting with selinux, so I set it up in permissive mode
>>>> and the swap was activated.
>>>>
>>>> Is there a way to get rid of it? (or can it be considered harmless?)
>>>>
>>>> Thanks in advance.
>>>> Fabio
>>>>
>>>>
>>>>
>>> chcon -t swapfile_t swapfile
>>>
>>> should fix the problem. (swapfile_t needs to be made a customizable
>>> type. Also needs a man page)
>>>
>>>
>
> Unfortunately it didn't work:
>
> root at kepler ~]# ls -Z /swapfile
> -rw-r--r-- root root system_u:object_r:swapfile_t /swapfile
>
> but the warning in dmesg is still there:
>
> audit(1140109455.801:6): avc: denied { read } for pid=2165
> comm="swapon" name="swapfile" dev=sda2 ino=67052
> scontext=system_u:system_r:fsadm_t:s0
> tcontext=system_u:object_r:swapfile_t:s0 tclass=file
> audit(1140109455.810:7): avc: denied { write } for pid=2165
> comm="swapon" name="swapfile" dev=sda2 ino=67052
> scontext=system_u:system_r:fsadm_t:s0
> tcontext=system_u:object_r:swapfile_t:s0 tclass=file
>
> Should I try: chcon -t fsadm_t /swapfile ?
>
> Thanks again,
> Fabio
>
>
After today's update, in addition to the swapfile entry:
audit(1140147570.846:4): avc: denied { write } for pid=1050
comm="mount" name="blkid.tab" dev=dm-0 ino=2127396
scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0
tclass=file
audit(1140147572.454:5): avc: denied { write } for pid=1099
comm="swapon" name="blkid.tab" dev=dm-0 ino=2127396
scontext=system_u:system_r:fsadm_t:s0 tcontext=user_u:object_r:etc_t:s0
tclass=file
Adding 1048568k swap on /dev/VolGroup00/LogVol01. Priority:-1 extents:1
across:1048568k
...also, have the following in dmesg:
audit(1140129521.520:2): avc: denied { write } for pid=349
comm="restorecon"
name="[952]" dev=pipefs ino=952
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
audit(1140129521.520:3): avc: denied { read } for pid=348
comm="restorecon" name="[952]" dev=pipefs ino=952
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
audit(1140147577.742:6): avc: denied { read } for pid=1131
comm="readahead" name="display" dev=ramfs ino=3278
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:object_r:ramfs_t:s0 tclass=file
audit(1140147577.742:7): avc: denied { read } for pid=1131
comm="readahead" name="rhgb-console" dev=ramfs ino=3350
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:object_r:ramfs_t:s0 tclass=fifo_file
More information about the fedora-test-list
mailing list