Still SELinux-Boot-errors after today's update

Roger Grosswiler roger at gwch.net
Fri Jan 27 14:18:06 UTC 2006


On Friday, 27.01.2006 at 08:37 -0500, Stephen Smalley wrote:
> On Fri, 2006-01-27 at 12:13 +0100, Roger Grosswiler wrote:
> > Hey, 
> > 
> > I still have AVC Denied while booting:
> > 
> > SELinux:  Completing initialization.
> > SELinux:  Setting up existing superblocks.
> > SELinux: initialized (dev dm-0, type ext3), uses xattr
> > SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> > SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
> > SELinux: initialized (dev selinuxfs, type selinuxfs), uses
> > genfs_contexts
> > SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> > SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses
> > genfs_contexts
> > SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> > SELinux: initialized (dev eventpollfs, type eventpollfs), uses
> > genfs_contexts
> > SELinux: initialized (dev inotifyfs, type inotifyfs), uses
> > genfs_contexts
> > SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> > SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> > SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> > SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> > SELinux: initialized (dev proc, type proc), uses genfs_contexts
> > SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> > SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> > SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> > SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> > audit(1138363358.904:2): avc:  denied  { write } for  pid=388
> > comm="restorecon" name="[984]" dev=pipefs ino=984
> > scontext=system_u:system_r:restorecon_t:s0
> > tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
> > audit(1138363358.912:3): avc:  denied  { read } for  pid=387
> > comm="restorecon" name="[984]" dev=pipefs ino=984
> > scontext=system_u:system_r:restorecon_t:s0
> > tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
> > 
> > 
> > What does it concern? pipefs? Where is that needed?
> > 
> > Even gnome-power-manager, avahi and hal don't start if I have
> > selinux=enforcing. Permissive still works fine.
> 
> Hmm...the restorecon fix has been in policy for a while now, so if you
> have the latest policy, you shouldn't still be seeing those denials; I
> don't see them with current rawhide.  There was a change made to the
> restorecon code that creates a child process and communicates with it
> via a pipe, which is why it suddenly started needing that permission.
> But that was added to the policy as I noted.
> 
> There were other policy fixes associated with the other items you
> mentioned as well.
> 
> rpm -q selinux-policy-targeted
> rpm -V selinux-policy-targeted
> 
> -- 
> Stephen Smalley
> National Security Agency
> 

Stephen,

Thanks, look at this:

[roger@niobe ~]$ sudo rpm -qa | grep selinux-policy-targeted
[roger@niobe ~]$ sudo rpm -qa | grep selinux-policy
[roger@niobe ~]$

...seems I did not have ANY policy installed??????


Btw, can somebody explain to me the difference between

-targeted
-mls
-strict

??

Thanks,
Roger
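
Reading the two denials quoted above, as an added example (not part of the original messages and not code from any SELinux tool): a small Python parser that groups AVC denials by source type, target type and object class, so the missing permissions can be read at a glance. The sample lines are the thread's two records with the mail line wraps removed; all function names are illustrative.

```python
import re
from collections import defaultdict

# The two denials quoted in the message, with the mail client's line wraps
# removed (one record per line).
SAMPLE = '''\
audit(1138363358.904:2): avc:  denied  { write } for  pid=388 comm="restorecon" name="[984]" dev=pipefs ino=984 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
audit(1138363358.912:3): avc:  denied  { read } for  pid=387 comm="restorecon" name="[984]" dev=pipefs ino=984 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=fifo_file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None  # truncated or wrapped record: skip rather than guess
    rec['perms'] = m.group('perms').split()
    return rec

def context_type(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
            denied[key].update(rec['perms'])
    return {k: sorted(v) for k, v in denied.items()}

def describe(summary):
    """One line per group; 'self' marks source type == target type."""
    out = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        out.append(f"{src} -> {'self' if src == tgt else tgt} : {cls} {{ {' '.join(perms)} }}")
    return out

if __name__ == '__main__':
    print('\n'.join(describe(summarize(SAMPLE))))
```

Both records collapse into one group: restorecon_t was denied read and write on a fifo_file labelled with its own type, which matches the pipe between restorecon and its child process described in the reply.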



