Issue with selinux and swapfiles in FC5?
Daniel J Walsh
dwalsh at redhat.com
Mon Feb 20 20:43:18 UTC 2006
Doug Fordham wrote:
> Fabio Comolli wrote:
>> Hi.
>>
>>
>>> On 2/16/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>
>>>> Fabio Mollify wrote:
>>>>
>>> Who in the hell is Fabio Mollify???????
>>>
>>>
>>
>> forgot the :-)
>>
>>
>>>>> Hi. I found this line in my logs:
>>>>>
>>>>> audit(1140033999.212:6): avc: denied { write } for pid=2171
>>>>> comm="swapon" name="swapfile" dev=sda2 ino=67052
>>>>> scontext=system_u:system_r:fsadm_t:s0
>>>>> tcontext=system_u:object_r:default_t:s0 tclass=file
>>>>>
>>>>> I'm just experimenting with selinux, so I set it up in permissive
>>>>> mode
>>>>> and the swap was activated.
>>>>>
>>>>> Is there a way to get rid of it? (or can it be considered harmless?)
>>>>>
>>>>> Thanks in advance.
>>>>> Fabio
>>>>>
>>>>>
>>>>>
>>>> chcon -t swapfile_t swapfile
>>>>
>>>> should fix the problem. (swapfile_t needs to be made a customizable
>>>> type. Also needs a man page)
>>>>
>>>>
>>
>> Unfortunately it didn't work:
>>
>> root at kepler ~]# ls -Z /swapfile
>> -rw-r--r-- root root system_u:object_r:swapfile_t /swapfile
>>
>> but the warning in dmesg is still there:
>>
>> audit(1140109455.801:6): avc: denied { read } for pid=2165
>> comm="swapon" name="swapfile" dev=sda2 ino=67052
>> scontext=system_u:system_r:fsadm_t:s0
>> tcontext=system_u:object_r:swapfile_t:s0 tclass=file
>> audit(1140109455.810:7): avc: denied { write } for pid=2165
>> comm="swapon" name="swapfile" dev=sda2 ino=67052
>> scontext=system_u:system_r:fsadm_t:s0
>> tcontext=system_u:object_r:swapfile_t:s0 tclass=file
>>
>> Should I try: chcon -t fsadm_t /swapfile ?
>>
>> Thanks again,
>> Fabio
>>
>>
> After today's update, in addition to the swapfile entry:
> audit(1140147570.846:4): avc: denied { write } for pid=1050
> comm="mount" name="blkid.tab" dev=dm-0 ino=2127396
> scontext=system_u:system_r:mount_t:s0
> tcontext=user_u:object_r:etc_t:s0 tclass=file
> audit(1140147572.454:5): avc: denied { write } for pid=1099
> comm="swapon" name="blkid.tab" dev=dm-0 ino=2127396
> scontext=system_u:system_r:fsadm_t:s0
> tcontext=user_u:object_r:etc_t:s0 tclass=file
This is mislabeled and we are working to find the source of the
mislabeling. restorecon /etc/blkid.tab will fix it.
> Adding 1048568k swap on /dev/VolGroup00/LogVol01. Priority:-1
> extents:1 across:1048568k
>
> ...also, have the following in dmesg:
>
> audit(1140129521.520:2): avc: denied { write } for pid=349
> comm="restorecon"
> name="[952]" dev=pipefs ino=952
> scontext=system_u:system_r:restorecon_t:s0
> tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
Fixed in latest policy
> audit(1140129521.520:3): avc: denied { read } for pid=348
> comm="restorecon" name="[952]" dev=pipefs ino=952
> scontext=system_u:system_r:restorecon_t:s0
> tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
>
>
> audit(1140147577.742:6): avc: denied { read } for pid=1131
> comm="readahead" name="display" dev=ramfs ino=3278
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:object_r:ramfs_t:s0 tclass=file
> audit(1140147577.742:7): avc: denied { read } for pid=1131
> comm="readahead" name="rhgb-console" dev=ramfs ino=3350
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:object_r:ramfs_t:s0 tclass=fifo_file
>
>
Fixed in latest policy
More information about the fedora-test-list
mailing list