selinux-policy-strict-1.23.13-4: suggestions?: msg#00273

Subject: selinux-policy-strict-1.23.13-4: suggestions?
Running strict/enforcing, latest rawhide.

I finally got around to 'blowing the dust off' of my strict PC. I
updated to latest rawhide, did a 'fixfiles relabel', and rebooted.

Graphical login failed. Appears that xdm is failing on creating a sem:
Apr 30 13:20:44 fedora kernel: audit(1114892386.776:0): avc:  denied 
{ create } for  key=1417649221 scontext=system_u:system_r:xdm_t
tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:25:35 fedora kernel: audit(1114892735.514:0): avc:  denied 
{ unix_read unix_write } for  key=199061348
scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t
tclass=sem

Adding:
allow xdm_t self:sem { create unix_read unix_write };
to xdm.te seems to fix this.  That OK?

Also, running firefox proxied through privoxy generates:
Apr 30 13:48:23 fedora kernel: audit(1114894103.357:0): avc:  denied 
{ name_connect } for  dest=8118 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
or
allow user_mozilla_t port_t:tcp_socket name_connect;
That right?

Going through /var/log/messages:
Early on, I get this:
Apr 30 13:27:05 fedora kernel: SELinux:  Completing initialization.
Apr 30 13:27:05 fedora kernel: SELinux:  Setting up existing superblocks.
Apr 30 13:27:05 fedora kernel: audit(1114867589.097:0): avc:  denied 
{ write } for  path=pipe:[1886] dev=pipefs ino=1886
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Apr 30 13:27:05 fedora kernel: SELinux: initialized (dev hda2, type
ext3), uses xattr
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev tmpfs, type
tmpfs), uses transition SIDs
and
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev rootfs, type
rootfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev sysfs, type
sysfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: audit(1114867589.937:0): avc:  denied 
{ read } for  name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867589.939:0): avc:  denied 
{ read } for  name=class@vc@vcs1 dev=tmpfs ino=1830
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev usbfs, type
usbfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: audit(1114867590.492:0): avc:  denied 
{ create } for  name=input scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867590.494:0): avc:  denied 
{ create } for  name=input scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867591.604:0): avc:  denied 
{ write } for  name=class@vc@vcs1 dev=tmpfs ino=1830
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.627:0): avc:  denied 
{ write } for  name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.754:0): avc:  denied 
{ read } for  name=class@vc@vcs1 dev=tmpfs ino=1830
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.764:0): avc:  denied 
{ read } for  name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867592.051:0): avc:  denied 
{ write } for  name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
<<<<SNIP>>>>
Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc:  denied 
{ search } for  name=485 dev=proc ino=31784962
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t
tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc:  denied 
{ search } for  name=494 dev=proc ino=32374786
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:initrc_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc:  denied 
{ search } for  name=545 dev=proc ino=35717122
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:hotplug_t tclass=dir

and

Apr 30 13:27:08 fedora kernel: ohci1394: fw-host0: OHCI-1394 1.0
(PCI): IRQ=[11]  MMIO=[ed100000-ed1007ff]  Max Packet=[2048]
Apr 30 13:27:08 fedora kernel: audit(1114867609.739:0): avc:  denied 
{ getattr } for  path=/etc/hotplug dev=hda2 ino=4472955
scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 30 13:27:09 fedora kernel: audit(1114867609.739:0): avc:  denied 
{ search } for  name=hotplug dev=hda2 ino=4472955
scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir

and
Apr 30 13:27:10 fedora kernel: audit(1114892828.091:0): avc:  denied 
{ execute } for  name=auto.net dev=hda2 ino=4474546
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:automount_etc_t tclass=file
Apr 30 13:27:10 fedora kernel: audit(1114892828.595:0): avc:  denied 
{ write } for  name=/ dev=hda2 ino=2
scontext=system_u:system_r:automount_t
tcontext=system_u:object_r:root_t tclass=dir
Apr 30 13:27:10 fedora kernel: audit(1114892828.677:0): avc:  denied 
{ dac_override } for  capability=1
scontext=system_u:system_r:automount_t
tcontext=system_u:system_r:automount_t tclass=capability
Apr 30 13:27:10 fedora kernel: audit(1114892828.787:0): avc:  denied 
{ write } for  name=/ dev=hda2 ino=2
scontext=system_u:system_r:automount_t
tcontext=system_u:object_r:root_t tclass=dir


Sorry if these are already fixed.
   tom

-- 
Tom London
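The message above lists raw AVC denials and hand-written allow rules derived from them. As an added example (not part of the original post, and not the audit2allow tool it imitates), the following Python script parses denial lines in the kernel-audit format quoted in the thread, merges the permissions per (source type, target type, class) into one rule, substitutes `self` when source and target types match, and flags the one practitioner caveat worth checking before pasting such rules into a .te file: a target of `port_t` is the generic label for any port that has no specific portcon entry, so `allow ... port_t:tcp_socket name_connect` opens far more than port 8118. The sample log text is constructed from the lines in the post, re-joined onto single lines because the archive wrapped them; the regexes and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the xdm and mozilla denials quoted in the post, with the
# archive's line wrapping undone so each AVC record sits on one line.
SAMPLE_AVC = """\
Apr 30 13:20:44 fedora kernel: audit(1114892386.776:0): avc:  denied  { create } for  key=1417649221 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:25:35 fedora kernel: audit(1114892735.514:0): avc:  denied  { unix_read unix_write } for  key=199061348 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:48:23 fedora kernel: audit(1114894103.357:0): avc:  denied  { name_connect } for  dest=8118 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Generic types that an allow rule should usually not target wholesale
# (assumption for this example: the reference-policy meaning of port_t).
GENERIC_TARGETS = {"port_t": "default type for every port without a portcon entry"}


def _type_of(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one kernel AVC denial line; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "perms": set(m.group("perms").split()),
        "stype": _type_of(fields["scontext"]),
        "ttype": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }


def collect(log_text):
    """Merge all denials into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return rules


def render_rules(rules):
    """Emit one allow rule per key, using 'self' when source == target type."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        out.append(f"allow {stype} {target}:{tclass} {plist};")
    return out


def review(rules):
    """Return warnings for rules whose target is a catch-all type."""
    warnings = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if ttype in GENERIC_TARGETS:
            warnings.append(
                f"{stype} -> {ttype}:{tclass} {sorted(perms)}: {ttype} is the "
                f"{GENERIC_TARGETS[ttype]}; declare a dedicated port type and "
                f"portcon for the specific port instead of allowing all of {ttype}"
            )
    return warnings


if __name__ == "__main__":
    merged = collect(SAMPLE_AVC)
    for rule in render_rules(merged):
        print(rule)
    for w in review(merged):
        print("WARNING:", w)
```

On the sample input the script reproduces the two rules proposed in the post (the three xdm `sem` permissions collapse into one `self` rule) and prints a single warning for the `port_t` target. The same approach applies to the udev, insmod and automount denials later in the message; for those, the usual next check is whether a newer policy release or an existing boolean already covers the access before a local allow rule is written.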


