changed selinux to permissive get new avcs

Craig White craigwhite at azapple.com
Sun Apr 2 05:37:47 UTC 2006


On Sat, 2006-04-01 at 18:11 -0800, Antonio Olivares wrote:
> 
> --- Rahul Sundaram <sundaram at fedoraproject.org> wrote:
> 
> > On Sat, 2006-04-01 at 17:56 -0800, Antonio Olivares wrote:
> > > Dear all,
> > >    As I had some previous trouble with selinux, and
> > > have gotten little to no advice, I read through the
> > > fedora wiki, and fedora selinux-faq and previous
> > > knowledge/advice from fedora-list
> > 
> > Can you state what trouble you had specifically?
> > 
> > Rahul
> > 
> > 
> Ok here we go, I sent these messages to
> fedora-selinux-list as shown 
> 
> ------------------------------
> 
> Message: 6
> Date: Sat, 1 Apr 2006 00:51:47 -0800 (PST)
> From: Antonio Olivares <olivares14031 at yahoo.com>
> Subject: nfs avc messages with kernel-2.6.16-1.2069_FC4
> To: fedora-selinux-list at redhat.com
> Message-ID: <20060401085147.91904.qmail at web52610.mail.yahoo.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Dear all, 
>   I decided to install latest FC4 kernel
> 2.6.16-1.2069_FC4 or so. Upon booting I can no longer
> surf the internet.  I get some avc denied messages
> from dmesg.  How can I fix this issue?
> 
> I do not want to disable selinux.
> 
> TIA,
> 
> Antonio 
> 
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: dmesg-selinux04012006.log
> Type: text/x-log
> Size: 15583 bytes
> Desc: 4111971101-dmesg-selinux04012006.log
> Url : 
> https://www.redhat.com/archives/fedora-selinux-list/attachments/20060401/45456085/dmesg-selinux04012006.bin
> 
> ------------------------------
> 
> 
> Message: 1
> Date: Sat, 1 Apr 2006 09:57:40 -0800 (PST)
> From: Antonio Olivares <olivares14031 at yahoo.com>
> Subject: Re:  nfs avc messages with kernel-2.6.16-1.2069_FC4
> To: fedora-selinux-list at redhat.com
> Message-ID: <20060401175740.57441.qmail at web52601.mail.yahoo.com>
> Content-Type: text/plain; charset=iso-8859-1
> 
> 
> 
> Here are the avc's.  Since they were not present in
> the previous email to fedora-selinux-list at redhat.com 
> 
> I do not want to disable selinux to be able to surf
> the internet.  How can I take care of this?
> 
> I appreciate all comments/help I can get.  
> 
> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
> ip_tables: (C) 2000-2006 Netfilter Core Team
> Netfilter messages via NETLINK v0.30.
> ip_conntrack version 2.4 (3071 buckets, 24568 max) - 232 bytes per conntrack
> audit(1143912938.407:2): avc:  denied  { sendto } for  pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
> audit(1143912938.447:3): avc:  denied  { sendto } for  pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
> audit(1143912938.463:4): avc:  denied  { sendto } for  pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
> 
> 
> Also on another machine
> I installed kernel-2.6.16.1 to an FC3 machine with
> selinux disabled and I tried to reenable it since this
> kernel comes with selinux in its options and I
> compiled it in.  Yet when I rebooted it gave me a
> kernel panic that no policy was in place.  How should
> I define such a policy?  Is there a tarball somewhere
> that I can get, or suggestions since FC3 is in legacy
> already?
> 
> Regards,
> 
> Antonio
> 
> --------------------------------------------------
> 
> I have just set Selinux to permissive mode and I have
> just submitted those new avc's.  I just need a little
> bit of help cause I just do not want to give up on
> SELinux. I want to set it back to enforce but I need
> to take care of those issues and learn how to tackle
> them.
> 
> Thanks for helping,
----
Maybe I'm dense, but the only thing I saw was the same avc denied several
times for rpc.statd, which relates to nfs but has nothing to do with web
browsing/internet.

Are you saying that web browsing is working in permissive mode and not
working in targeted/enforcing mode?

Craig
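
Added example, not part of the original thread: a Python sketch that groups the AVC denials quoted above by command, source type, target type, class and permission, so a log can be checked for many distinct denials versus one denial repeated. The sample input is the records from the message with the e-mail line wrapping undone; the function names are this example's own.

```python
import re
from collections import Counter

# Records quoted in the thread, with the e-mail line wrapping undone.
SAMPLE_DMESG = """\
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
audit(1143912938.407:2): avc:  denied  { sendto } for  pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1143912938.447:3): avc:  denied  { sendto } for  pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1143912938.463:4): avc:  denied  { sendto } for  pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    return rec


def summarize(text):
    """Count denials by (comm, source type, target type, class, perms)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # The SELinux type is the third field of user:role:type[:level].
        stype = rec.get("scontext", "?:?:?").split(":")[2]
        ttype = rec.get("tcontext", "?:?:?").split(":")[2]
        key = (rec.get("comm", "?"), stype, ttype, rec.get("tclass", "?"), rec["perms"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (comm, stype, ttype, tclass, perms), n in summarize(SAMPLE_DMESG).most_common():
        print(f"{n}x {comm}: {stype} -> {ttype} ({tclass}) {{ {' '.join(perms)} }}")
```
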



