
selinux-policy-targeted-1.23.12-4: /proc {search} failures ?: msg#00183

Subject: selinux-policy-targeted-1.23.12-4: /proc {search} failures ?
Running targeted/enforcing, latest rawhide.

Rebooting after today's updates (including .1261 and
selinux-policy-targeted-1.23.12-4), graphical logins fail.

Looks like search access to /proc/PROCESS-ID directories is failing.
(Also shows an early hotplug attempt at writing to sysfs_t.)

I worked around this by doing an 'ALT-CTL-F2', and logging in on the
text console, and doing a 'setenforce 0'. Reverting to graphical via
'ALT-CTL-F7' now allows login.

/var/log messages show a very large number of avcs, including many
that look like:
Apr 23 13:04:18 localhost dhclient: DHCPREQUEST on eth0 to
255.255.255.255 port 67
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: 
denied  { write } for  name=vcs7 dev=sysfs ino=6997
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: 
denied  { write } for  name=vcsa7 dev=sysfs ino=7003
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:19 localhost NET[2301]: /sbin/dhclient-script : updated
/etc/resolv.conf

and
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: 
denied  { search } for  name=2 dev=proc ino=131074
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: 
denied  { search } for  name=3 dev=proc ino=196610
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: 
denied  { search } for  name=4 dev=proc ino=262146
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
<<<<SNIP  many, many >>>>
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2103 dev=proc ino=137822210
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2111 dev=proc ino=138346498
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2303 dev=proc ino=150929410
scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2476 dev=proc ino=162267138
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2530 dev=proc ino=165806082
scontext=system_u:system_r:init_t tcontext=system_u:system_r:portmap_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2548 dev=proc ino=166985730
scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2575 dev=proc ino=168755202
scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t
tclass=dir
<<<<SNIP many, many.... >>>>

etc. etc.

Is this a policy change, or did something else change? Or, did I just
botch it again?

thanks,
   tom

-- 
Tom London
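
A triage sketch for a flood of denials like the one quoted above, added here as an example and not part of the original message: it collapses AVC records into counts per (source type, target type, class, permission) and accepts records wrapped across lines as they are in the mail. The function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Denials copied from the post (mail-wrapped, one re-joined), plus a non-AVC line.
SAMPLE = """\
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc:
denied  { write } for  name=vcs7 dev=sysfs ino=6997
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc:
denied  { search } for  name=2 dev=proc ino=131074
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc:  denied  { search } for  name=3 dev=proc ino=196610 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:
denied  { search } for  name=2103 dev=proc ino=137822210
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
"""

# \s+ and re.S let one record span several wrapped lines.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<s>\S+)"
    r"\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)", re.S)

def ctx_type(ctx):
    # user:role:type[:level] -> type
    return ctx.split(":")[2]

def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for m in AVC_RE.finditer(text):
        for perm in m["perms"].split():
            counts[(ctx_type(m["s"]), ctx_type(m["t"]), m["cls"], perm)] += 1
    return counts

def targets_by_rule(counts):
    """Group target types under each (source type, class, permission)."""
    out = defaultdict(set)
    for src, tgt, cls, perm in counts:
        out[(src, cls, perm)].add(tgt)
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Run over a full log, this reduces the repeated lines to a short list of distinct rules that can be compared against the policy update.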


