Issue with selinux and swapfiles in FC5?

Daniel J Walsh dwalsh at redhat.com
Mon Feb 20 20:43:18 UTC 2006


Doug Fordham wrote:
> Fabio Comolli wrote:
>> Hi.
>>
>>> On 2/16/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>> Fabio Mollify wrote:
>>> Who in the hell is Fabio Mollify???????
>>>
>>
>> forgot the :-)
>>
>>>>> Hi. I found this line in my logs:
>>>>>
>>>>> audit(1140033999.212:6): avc:  denied  { write } for  pid=2171
>>>>> comm="swapon" name="swapfile" dev=sda2 ino=67052
>>>>> scontext=system_u:system_r:fsadm_t:s0
>>>>> tcontext=system_u:object_r:default_t:s0 tclass=file
>>>>>
>>>>> I'm just experimenting with selinux, so I set it up in permissive mode
>>>>> and the swap was activated.
>>>>>
>>>>> Is there a way to get rid of it? (or can it be considered harmless?)
>>>>>
>>>>> Thanks in advance.
>>>>> Fabio
>>>>>
>>>>>
>>>> chcon -t swapfile_t swapfile
>>>>
>>>> should fix the problem. (swapfile_t needs to be made a customizable
>>>> type.   Also needs a man page)
>>>>
>>
>> Unfortunately it didn't work:
>>
>> [root at kepler ~]# ls -Z /swapfile
>> -rw-r--r--  root     root     system_u:object_r:swapfile_t     /swapfile
>>
>> but the warning in dmesg is still there:
>>
>> audit(1140109455.801:6): avc:  denied  { read } for  pid=2165
>> comm="swapon" name="swapfile" dev=sda2 ino=67052
>> scontext=system_u:system_r:fsadm_t:s0
>> tcontext=system_u:object_r:swapfile_t:s0 tclass=file
>> audit(1140109455.810:7): avc:  denied  { write } for  pid=2165
>> comm="swapon" name="swapfile" dev=sda2 ino=67052
>> scontext=system_u:system_r:fsadm_t:s0
>> tcontext=system_u:object_r:swapfile_t:s0 tclass=file
>>
>> Should I try: chcon -t fsadm_t /swapfile ?
>>
>> Thanks again,
>> Fabio
>>
> After today's update, in addition to the swapfile entry:
> audit(1140147570.846:4): avc:  denied  { write } for  pid=1050 
> comm="mount" name="blkid.tab" dev=dm-0 ino=2127396 
> scontext=system_u:system_r:mount_t:s0 
> tcontext=user_u:object_r:etc_t:s0 tclass=file
> audit(1140147572.454:5): avc:  denied  { write } for  pid=1099 
> comm="swapon" name="blkid.tab" dev=dm-0 ino=2127396 
> scontext=system_u:system_r:fsadm_t:s0 
> tcontext=user_u:object_r:etc_t:s0 tclass=file
This is mislabeled and we are working to find the source of the 
mislabeling.  restorecon /etc/blkid.tab will fix it.
> Adding 1048568k swap on /dev/VolGroup00/LogVol01.  Priority:-1 
> extents:1 across:1048568k
>
> ...also, have the following in dmesg:
>
> audit(1140129521.520:2): avc:  denied  { write } for  pid=349 
> comm="restorecon"
> name="[952]" dev=pipefs ino=952 
> scontext=system_u:system_r:restorecon_t:s0 
> tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
Fixed in latest policy
> audit(1140129521.520:3): avc:  denied  { read } for  pid=348 
> comm="restorecon" name="[952]" dev=pipefs ino=952 
> scontext=system_u:system_r:restorecon_t:s0 
> tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
>
>
> audit(1140147577.742:6): avc:  denied  { read } for  pid=1131 
> comm="readahead" name="display" dev=ramfs ino=3278 
> scontext=system_u:system_r:readahead_t:s0 
> tcontext=system_u:object_r:ramfs_t:s0 tclass=file
> audit(1140147577.742:7): avc:  denied  { read } for  pid=1131 
> comm="readahead" name="rhgb-console" dev=ramfs ino=3350 
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:object_r:ramfs_t:s0 tclass=fifo_file
>
>
Fixed in latest policy
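The denials in this thread fall into two groups: ones where the target label is simply wrong (default_t on the swapfile before chcon, user_u:object_r:etc_t on /etc/blkid.tab, both fixed by relabeling) and ones where the label is right but the policy lacks the rule (swapfile_t read/write, the restorecon and readahead entries, all "fixed in latest policy"). The script below is an added example, not code from this thread or from the SELinux project. It re-joins AVC records that a mailer wrapped across lines, parses them into fields, groups them by (source type, target type, object class), which is the granularity at which a policy rule applies, and flags relabel candidates with a heuristic that is this example's own assumption: a target of default_t matched no file_contexts entry, and a user_u label on an object a system_u service writes usually means the file was created outside the system context. The sample input is constructed from the denial lines quoted above.

```python
# Added example: parse and triage SELinux AVC denials in dmesg/audit format.
# Not code from the fedora-test-list thread or the SELinux project.
import re
from collections import defaultdict

# A record begins "audit(<secs>.<ms>:<serial>): avc:  denied  { perms } for ..."
HEADER_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*denied\s*"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s*(?P<rest>.*)"
)
# key=value pairs after "for"; values may be quoted (comm="swapon", name="[952]")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: denial lines quoted in the thread, wrapped as the mail wrapped them
SAMPLE_DMESG = """\
audit(1140033999.212:6): avc:  denied  { write } for  pid=2171
comm="swapon" name="swapfile" dev=sda2 ino=67052
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=file
audit(1140109455.801:6): avc:  denied  { read } for  pid=2165
comm="swapon" name="swapfile" dev=sda2 ino=67052
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:swapfile_t:s0 tclass=file
audit(1140109455.810:7): avc:  denied  { write } for  pid=2165
comm="swapon" name="swapfile" dev=sda2 ino=67052
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:swapfile_t:s0 tclass=file
audit(1140147570.846:4): avc:  denied  { write } for  pid=1050
comm="mount" name="blkid.tab" dev=dm-0 ino=2127396
scontext=system_u:system_r:mount_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file
audit(1140129521.520:2): avc:  denied  { write } for  pid=349
comm="restorecon"
name="[952]" dev=pipefs ino=952
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
audit(1140147577.742:7): avc:  denied  { read } for  pid=1131
comm="readahead" name="rhgb-console" dev=ramfs ino=3350
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:object_r:ramfs_t:s0 tclass=fifo_file
"""


def join_records(lines):
    """Re-join records that a mailer or terminal wrapped across several lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("audit("):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_context(ctx):
    # user:role:type:level; maxsplit=3 keeps an MLS range such as s0-s0:c0.c3 intact
    parts = (ctx.split(":", 3) + [""] * 4)[:4]
    return dict(zip(("user", "role", "type", "level"), parts))


def parse_avc(record):
    """Return a dict for one denial, or None if the text is not an AVC denial."""
    m = HEADER_RE.search(record)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    for side in ("scontext", "tcontext"):
        for k, v in parse_context(rec.get(side, "")).items():
            rec[f"{side}_{k}"] = v
    return rec


def summarize(records):
    """Group denials by (source type, target type, class): one policy rule per key."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for rec in records:
        g = groups[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["objects"].add((rec.get("comm", "?"), rec.get("name", "?")))
        g["count"] += 1
    return dict(groups)


def relabel_hint(rec):
    """Heuristic (this example's assumption): default_t means no file_contexts
    entry matched; user_u on an object a system_u service touches suggests a
    file created outside the system context.  Both are relabel candidates."""
    if rec["tcontext_type"] == "default_t":
        return True
    return rec["scontext_user"] == "system_u" and rec["tcontext_user"] == "user_u"


if __name__ == "__main__":
    recs = [r for r in map(parse_avc, join_records(SAMPLE_DMESG.splitlines())) if r]
    for (src, tgt, cls), g in summarize(recs).items():
        print(f"{src:>14} -> {tgt:<14} {cls:<10} {sorted(g['perms'])} x{g['count']}")
    print("relabel candidates:", sorted({r["name"] for r in recs if relabel_hint(r)}))
    print("policy questions:  ", sorted({r["name"] for r in recs if not relabel_hint(r)}))
```

For a relabel candidate the check is the one used in the thread: compare `ls -Z` on the object with what the file_contexts database expects (the libselinux `matchpathcon` tool prints that), then run `restorecon -v` on the path and confirm the denial stops. A denial that persists with the expected label, like the swapfile_t read/write here, is a policy question for the distribution rather than something to fix with chcon, and running in permissive mode while collecting such records, as Fabio did, lets you gather the whole set before deciding.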