Issue with selinux and swapfiles in FC5?

Doug Fordham dfordham at gmail.com
Fri Feb 17 04:07:34 UTC 2006


Fabio Comolli wrote:
> Hi.
>
>   
>> On 2/16/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>     
>>> Fabio Mollify wrote:
>>>       
>> Who in the hell is Fabio Mollify???????
>>
>>     
>
> forgot the :-)
>
>   
>>>> Hi. I found this line in my logs:
>>>>
>>>> audit(1140033999.212:6): avc:  denied  { write } for  pid=2171
>>>> comm="swapon" name="swapfile" dev=sda2 ino=67052
>>>> scontext=system_u:system_r:fsadm_t:s0
>>>> tcontext=system_u:object_r:default_t:s0 tclass=file
>>>>
>>>> I'm just experimenting with selinux, so I set it up in permissive mode
>>>> and the swap was activated.
>>>>
>>>> Is there a way to get rid of it? (or can it be considered harmless?)
>>>>
>>>> Thanks in advance.
>>>> Fabio
>>>>
>>>>
>>>>         
>>> chcon -t swapfile_t swapfile
>>>
>>> should fix the problem. (swapfile_t needs to be made a customizable
>>> type.   Also needs a man page)
>>>
>>>       
>
> Unfortunately it didn't work:
>
> root at kepler ~]# ls -Z /swapfile
> -rw-r--r--  root     root     system_u:object_r:swapfile_t     /swapfile
>
> but the warning in dmesg is still there:
>
> audit(1140109455.801:6): avc:  denied  { read } for  pid=2165
> comm="swapon" name="swapfile" dev=sda2 ino=67052
> scontext=system_u:system_r:fsadm_t:s0
> tcontext=system_u:object_r:swapfile_t:s0 tclass=file
> audit(1140109455.810:7): avc:  denied  { write } for  pid=2165
> comm="swapon" name="swapfile" dev=sda2 ino=67052
> scontext=system_u:system_r:fsadm_t:s0
> tcontext=system_u:object_r:swapfile_t:s0 tclass=file
>
> Should I try: chcon -t fsadm_t /swapfile ?
>
> Thanks again,
> Fabio
>
>   
After today's update, in addition to the swapfile entry:
audit(1140147570.846:4): avc:  denied  { write } for  pid=1050 
comm="mount" name="blkid.tab" dev=dm-0 ino=2127396 
scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0 
tclass=file
audit(1140147572.454:5): avc:  denied  { write } for  pid=1099 
comm="swapon" name="blkid.tab" dev=dm-0 ino=2127396 
scontext=system_u:system_r:fsadm_t:s0 tcontext=user_u:object_r:etc_t:s0 
tclass=file
Adding 1048568k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1 
across:1048568k

...also, have the following in dmesg:

audit(1140129521.520:2): avc:  denied  { write } for  pid=349 
comm="restorecon"
name="[952]" dev=pipefs ino=952 
scontext=system_u:system_r:restorecon_t:s0 
tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
audit(1140129521.520:3): avc:  denied  { read } for  pid=348 
comm="restorecon" name="[952]" dev=pipefs ino=952 
scontext=system_u:system_r:restorecon_t:s0 
tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file


audit(1140147577.742:6): avc:  denied  { read } for  pid=1131 
comm="readahead" name="display" dev=ramfs ino=3278 
scontext=system_u:system_r:readahead_t:s0 
tcontext=system_u:object_r:ramfs_t:s0 tclass=file
audit(1140147577.742:7): avc:  denied  { read } for  pid=1131 
comm="readahead" name="rhgb-console" dev=ramfs ino=3350 
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:object_r:ramfs_t:s0 tclass=fifo_file
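
Added example, not part of the original thread: a Python sketch that parses AVC denials as they appear in these messages (line-wrapped and `>`-quoted) and groups the denied permissions by source type, target type and object class. The names `parse_denials` and `summarize` are made up for this example. On the thread's swapfile denials it shows the target type changing from `default_t` to `swapfile_t` after the `chcon`, with `fsadm_t` still the denied source domain.

```python
import re
from collections import defaultdict

# Denials copied from the thread, keeping the e-mail line wrapping and quote markers.
SAMPLE = '''\
>>>> audit(1140033999.212:6): avc:  denied  { write } for  pid=2171
>>>> comm="swapon" name="swapfile" dev=sda2 ino=67052
>>>> scontext=system_u:system_r:fsadm_t:s0
>>>> tcontext=system_u:object_r:default_t:s0 tclass=file
> audit(1140109455.801:6): avc:  denied  { read } for  pid=2165
> comm="swapon" name="swapfile" dev=sda2 ino=67052
> scontext=system_u:system_r:fsadm_t:s0
> tcontext=system_u:object_r:swapfile_t:s0 tclass=file
> audit(1140109455.810:7): avc:  denied  { write } for  pid=2165
> comm="swapon" name="swapfile" dev=sda2 ino=67052
> scontext=system_u:system_r:fsadm_t:s0
> tcontext=system_u:object_r:swapfile_t:s0 tclass=file
audit(1140147572.454:5): avc:  denied  { write } for  pid=1099
comm="swapon" name="blkid.tab" dev=dm-0 ino=2127396
scontext=system_u:system_r:fsadm_t:s0 tcontext=user_u:object_r:etc_t:s0
tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    unquoted = re.sub(r'(?m)^[> \t]+', '', text)      # drop quote markers and indentation
    for chunk in re.split(r'(?=audit\()', unquoted):  # one chunk per audit record
        m = AVC_RE.search(' '.join(chunk.split()))    # rejoin the wrapped lines
        if not m:
            continue
        rec = {'perms': m.group(1).split()}
        for key, val in FIELD_RE.findall(m.group(2)):
            rec.setdefault(key, val.strip('"'))       # first occurrence wins
        if {'scontext', 'tcontext', 'tclass'} <= rec.keys():
            yield rec

def summarize(text):
    """Map (source type, target type, class) -> sorted denied permissions."""
    out = defaultdict(set)
    for r in parse_denials(text):
        # An SELinux context is user:role:type[:level]; index 2 is the type.
        src, tgt = (r[k].split(':')[2] for k in ('scontext', 'tcontext'))
        out[(src, tgt, r['tclass'])].update(r['perms'])
    return {k: sorted(v) for k, v in out.items()}

if __name__ == '__main__':
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(perms)} }}")
```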





More information about the fedora-test-list mailing list