In order to become more familiar with the SELinux capabilities I did the following: started SELinux in permissive mode for targeted. I received warnings for the following services: portmap, ntpd, and ntpdate. I then ran fixfiles check. After it ran for quite some time, it did not report any problems. So I enabled targeted and rebooted. I then received error warnings for the same services. The relevant messages from dmesg follow:
<snip>
EXT3-fs: mounted filesystem with ordered data mode.
security: 3 users, 4 roles, 319 types, 20 bools
security: 53 classes, 10805 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
<snip>
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (2047 buckets, 16376 max) - 360 bytes per conntrack
eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
[the same portmap denial repeated many times, timestamps 1109009536.010 and .011]
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
<snip>
IPv6 over IPv4 tunneling driver
divert: not allocating divert_blk for non-ethernet device sit0
audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
[the same ntpdate denial repeated many times, timestamps 1109009547.625 through .627]
audit(1109009547.763:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
[the same ntpd denial repeated many times, timestamps 1109009547.763 through .766]
Obviously something is amiss. I do not know how to correct these messages for the services. Does anyone know how to fix this dilemma? If not, should I bugzilla it?
On Mon, 2005-02-21 at 16:05 -0800, Richard E Miles wrote:
> audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
Is your root filesystem labeled?
> -- Richard E Miles Federal Way WA. USA registered linux user 46097
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Mon, 21 Feb 2005 19:09:29 -0500 Colin Walters walters@redhat.com wrote:
> On Mon, 2005-02-21 at 16:05 -0800, Richard E Miles wrote:
> > audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
> Is your root filesystem labeled?
Probably not. The best way to do this is to touch /.autorelable, right?
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir 
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
<snip> IPv6 over IPv4 tunneling driver divert: not allocating divert_blk for non-ethernet device sit0 audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 
exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.763:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 
exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ 
dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Obviously something is amiss. I do not know how to correct these messages for the services. Does anyone know how to fix this dilemma? If not, should I bugzilla it?
-- Richard E Miles Federal Way WA. USA registered linux user 46097
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Richard E Miles wrote:
On Mon, 21 Feb 2005 19:09:29 -0500 Colin Walters walters@redhat.com wrote:
On Mon, 2005-02-21 at 16:05 -0800, Richard E Miles wrote:
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
Is your root filesystem labeled?
Probably not. The best way to do this is to touch /.autorelable right?
/.autorelabel
On Mon, 21 Feb 2005 16:05:39 PST, Richard E Miles said:
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
At least at one point in time, I was seeing random avc errors on mount points that made absolutely no sense - I'd do an 'ls -Z' and it would look OK. Finally twigged in that I needed to unmount the file system, relabel the *directory*, and then remount. Seem to remember /usr/share and /usr/local biting me that way (/, /usr, /usr/local, and /usr/share are 4 different file systems on my box).
On Mon, 21 Feb 2005 20:15:48 -0500 Valdis.Kletnieks@vt.edu wrote:
I put /.autorelabel file and rebooted. Seems to have fixed the problem.
On Tuesday 22 February 2005 12:15, Valdis.Kletnieks@vt.edu wrote:
At least at one point in time, I was seeing random avc errors on mount points that made absolutely no sense - I'd do an 'ls -Z' and it would look OK. Finally twigged in that I needed to unmount the file system, relabel the *directory*, and then remount. Seem to remember /usr/share and /usr/local biting me that way (/, /usr, /usr/local, and /usr/share are 4 different file systems on my box).
In those cases a dontaudit rule will usually do the job. If the file system is not mounted then there's nothing that the application can usefully do under the mount point, and ENOENT and EACCES usually get the same code paths in most applications that try to open files.
grep dontaudit.*file_t.dir policy.conf
The above grep command will show you some of the dontaudit rules that have already been put in place to deal with this. If there are more domains that may get used early in the boot process to get such errors then let us know and we'll write dontaudit rules.
On Mon, 18 Apr 2005 20:36:40 +1000, Russell Coker said:
In those cases a dontaudit rule will usually do the job. If the file system is not mounted then there's nothing that the application can usefully do under the mount point, and ENOENT and EACCES usually get the same code paths in most applications that try to open files.
In my case, actually labelling the directories correctly was the better fix.
What I got bit by was that all previous relabels had happened with filesystems mounted - so (for instance) the directory seen as /usr got labelled as usr_t. During early boot, I'd have a complaint about it being something else, I'd go back and check it, and it was usr_t. Finally brought the box up in very single-user, unmounted /usr - and the underlying directory *wasn't* usr_t... ;) Found out /boot and /var had similar issues, cleared up by relabelling the mountpoint directories...
Not sure if/how to fix this for the general case - it almost requires multiple passes - first labelling / (so mountpoint dirs like /boot and /usr and /var get labelled), then mounting those filesystems and labelling them, then repeating for any subdirs (on my laptop, /usr/share and /usr/local bit me, on another box that hosts a database it's /var/lib/mysql).
(For all I know, the current 'filesystems' RPM gets this all correct for new systems and boot-from-CD based upgrades, and I got bit only because I've just 'rpm -Fvh'-ed all the way along, and not done a clean install).
Personally, I'm not thrilled by the idea of sticking in dontaudit rules to quiet complaints at boot time that are caused by directories that are mislabelled.
Thoughts?
On Tuesday 19 April 2005 12:25, Valdis.Kletnieks@vt.edu wrote:
In those cases a dontaudit rule will usually do the job. If the file system is not mounted then there's nothing that the application can usefully do under the mount point, and ENOENT and EACCES usually get the same code paths in most applications that try to open files.
In my case, actually labelling the directories correctly was the better fix.
For you maybe. In a general sense it isn't. We have no automatic system for using umount or mount --bind to allow labelling of such mount points and we can't expect most users to be able to do it.
Personally, I'm not thrilled by the idea of sticking in dontaudit rules to quiet complaints at boot time that are caused by directories that are mislabelled.
Why not?
On 4/18/05, Russell Coker russell@coker.com.au wrote:
On Tuesday 19 April 2005 12:25, Valdis.Kletnieks@vt.edu wrote:
Personally, I'm not thrilled by the idea of sticking in dontaudit rules to quiet complaints at boot time that are caused by directories that are mislabelled.
Why not?
I can't speak for Valdis, but for me the word "kludge" comes to mind.
On Tuesday 19 April 2005 23:07, "Christofer C. Bell" christofer.c.bell@gmail.com wrote:
I can't speak for Valdis, but for me the word "kludge" comes to mind.
It's not a kludge. The purpose of dontaudit rules is to prevent auditing of operations that are not permitted, not interesting, and expected to happen. This is exactly the situation.
Using dontaudit rules for such things also gives correct behavior in situations where relabelling will not. As an example there is the following rule: dontaudit lvm_t file_t:dir search;
Without this rule the lvm utilities when run before /var is mounted would create the /var/lock directory on the mount-point. This is not desired functionality, the machine is in single-user mode at the time (so the lack of locking is not a problem) and creating directories that later get hidden by mounting a file system is not desirable.
So far no-one has provided any reasons not to use dontaudit rules. Accusations of kludging don't count as a reason.
I don't consider file_t labelling for a mount point as "mislabelling". The mount point directory is expected to be hidden, so generally only mount needs to access it.
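As an added example (not code from the thread or from any of its participants), here is a small Python triage script for the situation Russell and Valdis describe: it parses AVC records in the dmesg format quoted above, even when several records run together on one line, flags the "domain searching a file_t directory" pattern that points at an unlabelled filesystem or mount-point directory, collapses a boot's worth of repeats into per-domain counts, and renders the matching rule in the form Russell quotes (dontaudit lvm_t file_t:dir search;). The sample log and the extra etc_t denial at the end are constructed.

```python
import re
from collections import Counter

# Constructed sample in the dmesg format quoted in this thread: two records run
# together on one line, one ntpdate record, and one constructed denial that is
# NOT a mount-point search so the classifier has something to tell apart.
SAMPLE_DMESG = (
    "audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap "
    "name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t "
    "tcontext=system_u:object_r:file_t tclass=dir "
    "audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap "
    "name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t "
    "tcontext=system_u:object_r:file_t tclass=dir\n"
    "audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate "
    "name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t "
    "tcontext=system_u:object_r:file_t tclass=dir\n"
    "audit(1109009600.000:0): avc: denied { write } for pid=4200 exe=/usr/sbin/ntpd "
    "name=drift dev=hda2 ino=12345 scontext=user_u:system_r:ntpd_t "
    "tcontext=system_u:object_r:etc_t tclass=file\n"
)

AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc_records(text):
    """Split a dmesg blob into AVC records, even when several share one line."""
    records = []
    # Zero-width split before every "audit(" keeps each record in one chunk.
    for chunk in re.split(r"(?=audit\()", text):
        m = AVC_RE.match(chunk.strip())
        if m is None:
            continue  # kernel lines that are not AVC denials
        rec = dict(FIELD_RE.findall(m.group("fields")))
        rec["ts"] = float(m.group("ts"))
        rec["perms"] = m.group("perms").split()
        records.append(rec)
    return records


def context_type(ctx):
    """user:role:type[:range] -> type, the part policy rules refer to."""
    return ctx.split(":")[2]


def is_unlabeled_dir_search(rec):
    """The thread's pattern: a domain searching a directory still labelled file_t.

    file_t on a directory reached early in boot is the tell-tale of a filesystem
    that was never labelled, or of a mount-point directory whose label beneath
    the mounted filesystem was never set; the fix discussed is relabelling.
    """
    return (rec.get("tclass") == "dir"
            and context_type(rec["tcontext"]) == "file_t"
            and "search" in rec["perms"])


def summarize_unlabeled(records):
    """Collapse a boot's worth of repeats into counts per (domain, exe, name)."""
    counts = Counter()
    for rec in records:
        if is_unlabeled_dir_search(rec):
            counts[(context_type(rec["scontext"]), rec["exe"], rec["name"])] += 1
    return dict(counts)


def dontaudit_rule(rec):
    """Render the silencing rule in the form quoted in the thread.

    Only appropriate when the access is expected and harmless; when the
    directory is genuinely mislabelled, relabelling is the fix, not this rule.
    """
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "dontaudit {} {}:{} {};".format(
        context_type(rec["scontext"]), context_type(rec["tcontext"]),
        rec["tclass"], perm_text)


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_DMESG)
    for (domain, exe, name), n in summarize_unlabeled(recs).items():
        print("%4d x %-12s %-20s name=%s" % (n, domain, exe, name))
        print("     candidate rule: " + dontaudit_rule(
            next(r for r in recs if r["exe"] == exe)))
```

Feeding it a real dmesg capture instead of SAMPLE_DMESG turns the wall of repeated denials in the original post into three summary lines, one per domain, with the directory that needs attention.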
Russell Coker wrote:
I for one consider the use of "dontaudit" to be unethical, but that is just my opinion. Think about preventing someone's software from doing what it was designed and implemented to do. Shouldn't you at least notify the developer/maintainer that there is a problem with their software? That seems to be the correct thing to do in the open source community. If there is an actual security problem, shouldn't there be some notification of the vulnerability as a minimum? If it is not an actual security vulnerability but perhaps a theoretical one, a proof of concept is usually appropriate. If it is a violation of some generally accepted standard, isn't a bugzilla the right thing to do? If it is a "bad idea" according to some peculiar distro's group-think approach to Linux, isn't the thing to do, as a minimum, to let the developer know what you think? If you have to use dontaudit rules to get "correct" behavior from some software, doesn't that indicate that the software needs to be changed (better design or better implementation or RFE)? If some software contains some "not desired functionality", isn't it incumbent upon the person that makes that assertion to at least explain the situation to the developer/maintainer so that they have the opportunity to make a change or refute the assertion? If some action by the software is "uninteresting", shouldn't it be allowed absent some reason that makes it in fact "interesting"?
Then there is the "conspiracy theory" point of view where someone says "Hey, NSA is using that SELinux to change the behavior of programs and not telling anyone that they are doing it."
I would like to hear what others think of this "dontaudit considered harmful" idea. I understand the use of dontaudit as a temporary expedient, but other than that it seems that there should be more done about the situations where it is used, at least in terms of notifying the developers/maintainers of the software involved.
Richard Hally
On Wednesday 20 April 2005 19:22, Richard Hally rhally@mindspring.com wrote:
I for one consider the use of "dontaudit" to be unethical but that is just my opinion.
Why is it unethical to make software perform correctly even when it is not written to?
Think about preventing someone's software from doing what was designed and implemented to do. Shouldn't you at least notify the developer/maintainer that there is a problem with their software? That
Yes, I do that. I don't always notify them first. The first priority is to get the policy fixed, if I don't do it then someone else may do it and do it badly (see this thread as an example).
seems to be the correct thing to do in the open source community. If there is a actual security problem shouldn't there be some notification of the vulnerability as a minimum? If it is not an actual security vulnerability but perhaps a theoretical one, a proof of concept is usually appropriate.
If it's a functionality issue such as creating a directory /var/lock on the root file system when /var is a mount point then it's not such a big deal.
If it is a violation of some generally accepted standard, isn't a bugzilla the right thing to do?
Yes. Of course there are other considerations. Sometimes I already have some open bug reports and don't feel inclined to make minor bug reports when more serious bugs are open.
If some action by the software is "uninteresting" shouldn't it be allowed absent some reason that makes it in fact "interesting"?
Searching a directory of type file_t that is an empty mount point isn't interesting. If however a directory that shouldn't be accessed by the program in question gets type file_t through file system corruption or other errors then we do not want to allow such access.
I would like to hear what others think of this "dontaudit considered harmful" idea. I understand the use of dontaudit as a temporary expedient, but other than that it seems that there should be more done about the situations where it is used, at least in terms of notifying the developers/maintainers of the software involved.
Why don't you go through the policy, remove a bunch of dontaudit rules and see what happens.
On 4/20/05, Russell Coker russell@coker.com.au wrote:
It's not a kludge. The purpose of dontaudit rules is to prevent auditing of operations that are not permitted, not interesting, and expected to happen. This is exactly the situation.
You say that dontaudit rules are to cover the following circumstances:
1. Not permitted.
2. Not interesting.
3. Expected to happen.
That's not what's going on here and using dontaudit is a kludge. The OP is stating that *mount points* for /usr, /usr/local, and /usr/share are generating complaints because they're not properly labelled prior to being mounted. These are the directories themselves and not directories that are hidden by the mount. This is "interesting" and "not expected to happen," failing points 2 and 3.
Regardless if the fix can be automated or not, telling the system to "just ignore it" is inappropriate IMO.
One thing I have noticed is that dontaudit messages occasionally get in the way when trying to modify the policy. When using the strict policy, I've had a few situations where something was denied by SELinux but not audited and I had trouble determining which rules were blocking the operation.
W. Michael Petullo wrote:
One thing I have noticed is that dontaudit messages occasionally get in the way when trying to modify the policy. When using the strict policy, I've had a few situations where something was denied by SELinux but not audited and I had trouble determining which rules were blocking the operation.
You can turn off the dontaudit rules by executing, in the policy src dir: make enableaudit; make load
On Thursday 21 April 2005 04:50, "Christofer C. Bell" christofer.c.bell@gmail.com wrote:
That's not what's going on here and using dontaudit is a kludge. The OP is stating that *mount points* for /usr, /usr/local, and /usr/share are generating complaints because they're not properly labelled prior to being mounted. These are the directories themselves and not directories that are hidden by the mount. This is "interesting" and "not expected to happen," failing points 2 and 3.
It is not interesting that programs try to access files under mount points early in the boot process before the file systems are mounted. It happens on every boot.
It is expected to happen, it happens on every boot.
Regardless if the fix can be automated or not, telling the system to "just ignore it" is inappropriate IMO.
The alternatives are as follows:
1) Have the users manually relabel. But this requires that they have the skill needed to use mount --bind or single user mode.
2) Have more error messages in the logs. This leads to users ignoring the more important AVC messages, which is a security issue.
3) Have more complex code in rc.sysinit for relabeling file systems (which is therefore more error prone) and also remove the possibility of running "fixfiles relabel" as administrator and forcing a reboot with /.autorelabel.
All the options have disadvantages that I consider to be more serious than the reasons that make you dislike the dontaudit rule.
Option 3 is the only remotely viable option. That requires implementing shell code equivalent for "mount -a -t nonfs,nfs4,smbfs,ncpfs,cifs,gfs -O no_netdev" to allow running setfiles between mounts. I don't think that we want to do this.
Feel free to disbelieve me, but if so spend a month writing policy in the manner you advocate and see where it gets you. If that doesn't convince you then spend a year or two writing policy and see if your opinion changes.
We have a FC3 server running samba, dhcpd, and named (for internal names only). Each night, a backup server to the primary runs rsync to download changed/new files.
This is a vacation week at our high school and I tried our backup plan for the first time since upgrading to FC3. When bringing up the backup server as primary, I ran into a security problem with dhcpd (dhcpd: Can't open lease database /var/lib/dhcp/dhcpd.leases: Permission denied). I issued a setenforce 0 command and restarted dhcpd and all was ok. I then again stopped dhcpd, issued a setenforce 1 command, restarted dhcpd and again all was ok.
So, should I be running fixfiles each night at the end of the rsync script? Or is there a better solution that someone with expertise can suggest?
Mark Orenstein East Granby, CT School System
On Thu, 2005-04-21 at 10:54 -0400, mroselinux@eastgranby.k12.ct.us wrote:
We have a FC3 server running samba, dhcpd, and named (for internal names only). Each night, a backup server to the primary runs rsync to download changed/new files.
This is a vacation week at our high school and I tried our backup plan for the first time since upgrading to FC3. When bringing up the backup server as primary, I ran into a security problem with dhcpd (dhcpd: Can't open lease database /var/lib/dhcp/dhcpd.leases: Permission denied). I issued a setenforce 0 command and restarted dhcpd and all was ok. I then again stopped dhcpd, issued a setenforce 1 command, restarted dhcpd and again all was ok.
So, should I be running fixfiles each night at the end of the rsync script? Or is there a better solution that someone with expertise can suggest?
I think that the FC4/development tree includes a patch to rsync to allow preservation of extended attributes (which would include the SELinux attributes). Hence, you might try building the development rsync SRPM on FC3 and trying it there (using the -X option). You need the updated rsync on both the client and server. Naturally, you'd want to test it out somewhere other than your production machine first.
-- Stephen Smalley sds@tycho.nsa.gov National Security Agency
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Stephen - Thanks for the info, but I don't think that I have the capability to build rsync. I will look forward to it. But in the meantime, is running fixfiles at the end of the rsync script an ok approach?
Mark
Yes.
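One way to script the nightly step Mark asks about, as an added example that is not from the thread or from Fedora: it uses rsync -X when the local rsync advertises it and otherwise relabels the received tree, which is the "fixfiles at the end of the rsync script" approach scoped to one directory. The source host and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a nightly rsync step for the backup
# server that keeps SELinux labels correct on the copied tree. rsync -X
# (--xattrs) carries the security.selinux xattr over when both ends support
# it; an rsync without it leaves the copies with whatever label the
# receiving process and parent directory produce, so the tree must be
# relabeled afterwards with restorecon -R (same effect as fixfiles, but
# limited to the copied tree). SRC and DST are constructed placeholders.

SRC="primary.example.org:/var/lib/dhcp/"   # assumed source on the primary
DST="/var/lib/dhcp/"                       # destination on the backup

# Echo "-X" when the supplied rsync --help text advertises --xattrs,
# otherwise echo nothing.
rsync_xattr_flag() {
    case "$1" in
        *--xattrs*) echo "-X" ;;
        *)          echo "" ;;
    esac
}

# True (exit 0) when the flag string is empty, i.e. rsync did not preserve
# labels and restorecon must run on the destination.
needs_relabel() {
    [ -z "$1" ]
}

run_backup() {
    help_text=$(rsync --help 2>/dev/null || true)
    xflag=$(rsync_xattr_flag "$help_text")
    # -a keeps ownership, modes and times; $xflag is unquoted on purpose so
    # an empty value adds no argument.
    rsync -a $xflag "$SRC" "$DST" || return 1
    if needs_relabel "$xflag"; then
        # Reapply the file_contexts labels to the received tree only.
        restorecon -R "$DST"
    fi
}

# Run only when invoked with --run, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

Both ends need an rsync with -X for the xattrs to survive the transfer; the fallback branch is what an FC3-era rsync without the patch will take.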
On Thu, 21 Apr 2005 14:13:29 +1000, Russell Coker said:
On Thursday 21 April 2005 04:50, "Christofer C. Bell"
It is not interesting that programs try to access files under mount points early in the boot process before the file systems are mounted. It happens on every boot.
It is expected to happen, it happens on every boot.
Right - my objection is that we're putting in dontaudit rules to shut stuff up during boot - but if the same thing happens *later*, we won't hear about it (I know that *I* would certainly want to know if an access was denied because /usr wasn't a usr_t once we got up in multiuser, if only because at that point, a *lot* of stuff would break with absolutely no indication of why). Certainly a violation of the "expected to happen" rule once we're out of rc.sysinit... Similarly, if anything managed to trigger that dontaudit rule *after* we booted, by virtue of some access *elsewhere* in the file system, I'd want to know about that as well.
Regardless if the fix can be automated or not, telling the system to "just ignore it" is inappropriate IMO.
Unfortunately, there's no "just ignore it while we get our act together" for the weirdness that happens during system boot. And we're talking about something that if it ever actually happens after we've gotten out of rc.sysinit, we *do* want to know about it...
The alternatives are as follows:
- Have the users manually relabel. But this requires that they have the
skill needed to use mount --bind or single user mode.
Relabelling the /dev mountpoint is quite non-trivial, because booting to single-user in Fedora still gets udev started and a tmpfs mounted over /dev. I ended up having to boot from the rescue disk and having to do something like:
chroot /mnt/sysimage
mount -t selinux /selinux
restorecon /dev
- Have more error messages in the logs. This leads to users ignoring the
more important AVC messages which is a security issue.
Quite right - my concern was that we're trying to silence a few msgs at boot and thus *forcing* the user to ignore the same message during normal operations, when it *would* be a "more important" message...
- Have more complex code in rc.sysinit for relabeling file systems (which is
therefore more error prone) and also remove the possibility of running "fixfiles relabel" as administrator and forcing a reboot with /.autorelabel.
Unfortunately, the /.autorelabel trick happens too late - it's done right *after* we've mounted all the filesystems and enabled disk quotas. The checking would need to be *really* early in rc.sysinit - like before start_udev gets called. Remember - what got me started on this was the 'mount -t tmpfs /dev' issuing a message because it was trying to mount onto a mislabeled /dev...
All the options have disadvantages that I consider to be more serious than the reasons that make you dislike the dontaudit rule.
Option 3 is the only remotely viable option. That requires implementing a shell-code equivalent of "mount -a -t nonfs,nfs4,smbfs,ncpfs,cifs,gfs -O no_netdev" to allow running setfiles between mounts. I don't think that we want to do this.
Actually, there's another option:
4) Add code to 'anaconda' (or whatever your distro uses) to do the appropriate 'restorecon' for the mount points for file systems created during system install. It knows (or can be taught) what directories in / (/dev, /proc, /sys, and /selinux) will have pseudo file systems mounted on them, and what directories will have file systems mounted over them (/var, /tmp, /usr/local, /usr/share, /home, /opt, and so on).
After the install, if /usr was a single filesystem, and the admin decides that they want /usr/local and /usr/share to be 2 new file systems, that's OK, because the first 'fixfiles relabel' will have set the right settings on the 'local' and 'share' directories that will now be mount points...
That still has issues with an admin creating a /foo filesystem, mounting it, and later on we decide to add a special context for /foo - but as long as /foo doesn't become required to get to multiuser mode, the admin can just 'umount /foo; restorecon /foo; mount /foo; restorecon -R /foo' and be done.
On Sunday 24 April 2005 18:40, Valdis.Kletnieks@vt.edu wrote:
The alternatives are as follows:
- Have the users manually relabel. But this requires that they have
the skill needed to use mount --bind or single user mode.
Relabelling the /dev mountpoint is quite non-trivial, because booting to single-user in Fedora still gets udev started and a tmpfs mounted over /dev. I ended up having to boot from the rescue disk and having to do something like:
Here you are just proving my point about the operation being overly difficult. mount --bind / /mnt ; chcon /mnt ...
But there's lots of potential for things to go spectacularly wrong when you do a bind mount (think about what would happen if you ran "fixfiles relabel").
chroot /mnt/sysimage
mount -t selinux /selinux
restorecon /dev
We could of course have the rescue disk contain scripts to manage such things, but again it's really painful, it would require changing code in several packages.
- Have more error messages in the logs. This leads to users ignoring
the more important AVC messages which is a security issue.
Quite right - my concern was that we're trying to silence a few msgs at boot and thus *forcing* the user to ignore the same message during normal operations, when it *would* be a "more important" message...
dontaudit pam_console_t file_t:dir search;
dontaudit dmesg_t file_t:dir search;
dontaudit hostname_t file_t:dir search;
dontaudit hotplug_t file_t:dir { search getattr };
dontaudit hwclock_t file_t:dir search;
dontaudit kudzu_t file_t:dir search;
dontaudit lvm_t file_t:dir search;
dontaudit insmod_t file_t:dir search;
dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
dontaudit sulogin_t file_t:dir search;
dontaudit syslogd_t file_t:dir search;
dontaudit udev_t file_t:dir search;
According to a quick grep the above are the domains that have such dontaudit rules. Note that for some it doesn't matter at all, the system is in permissive mode for sulogin_t, mrtg does an operation equivalent to "ls -l /" without any good cause, etc.
- Have more complex code in rc.sysinit for relabeling file systems
(which is therefore more error prone) and also remove the possibility of running "fixfiles relabel" as administrator and forcing a reboot with /.autorelabel.
Unfortunately, the /.autorelabel trick happens too late - it's done right *after* we've mounted all the filesystems and enabled disk quotas. The checking would need to be *really* early in rc.sysinit - like before start_udev gets called. Remember - what got me started on this was the 'mount -t tmpfs /dev' issuing a message because it was trying to mount onto a mislabeled /dev...
We could change the .autorelabel code to be more complex, use bind mounts, etc. But that also means more failure conditions.
Note that there is an opportunity cost to everything we do. There are lots of features that I would like to get in that require more work from the maintainers of such packages. Is it worth delaying work on SE-X, crypto-root, and other security features to remove a few dontaudit rules?
- Add code to 'anaconda' (or whatever your distro uses) to do the
appropriate 'restorecon' for the mount points for file systems created during system install. It knows (or can be taught) what directories in / (/dev, /proc, /sys, and /selinux) will have pseudo file systems mounted on them, and what directories will have file systems mounted over them (/var, /tmp, /usr/local, /usr/share, /home, /opt, and so on).
After the install, if /usr was a single filesystem, and the admin decides that they want /usr/local and /usr/share to be 2 new file systems, that's OK, because the first 'fixfiles relabel' will have set the right settings on the 'local' and 'share' directories that will now be mount points...
That still has issues with an admin creating a /foo filesystem, mounting it, and later on we decide to add a special context for /foo - but as long as /foo doesn't become required to get to multiuser mode, the admin can just 'umount /foo; restorecon /foo; mount /foo; restorecon -R /foo' and be done.
That also has issues related to fsck removing xattrs on corrupted filesystems, administrators converting non-SE systems to SE Linux, administrators booting machines with selinux=0 while they repartition disks, and all manner of other potential problems.
The /.autorelabel file MUST do everything that we require in terms of fixing file labels. We can't rely on anaconda or anything else to fix things up.