Can't boot FC4; avc denied error message

David Desscan ddesscan at gmail.com
Wed Aug 2 20:20:56 UTC 2006


On 8/2/06, Tod Merley <todbot88 at gmail.com> wrote:

>
>
>  Hi David!
>
> Learning with you, not an expert!
>
> I did find that AVC appears to be strongly associated, if not SELinux:
>
> http://www.die.net/doc/linux/man/man3/avc_cache_stats.3.html
>
> And is mentioned in at least one SELinux FAQ:
>
> From: http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2826243
>
>
=========
Many thanks for the web links.  In fact I am new to SELinux.  I started
reading about it after this problem.  However I am determined to understand
it.  I have another system running FC4 which serves as backup.  I'll use
this one to understand the functioning of SELinux.
=========


>  Q:
> My application isn't working as expected and I am seeing avc: denied
> messages, how do I fix this?
>
> A:
> This message means that the current SELinux policy is not allowing the
> application to do something. There are a number of reasons this could
> happen.
>
> First, one of the files the application is trying to access could be
> mislabeled. If the AVC message refers to a specific file, inspect its
> current label with ls -alZ /path/to/file. If it seems wrong, you could try
> using restorecon -v /path/to/file. If you have a large number of denials
> related to files, you may want to use fixfiles relabel, or run restorecon
> with the -R option to recursively relabel a directory path.
>
===============
I have booted linux rescue and checked the mingetty attributes in /sbin.
However I can't say whether it's wrong.  I have done a restorecon -v and
noted that the label did not change.  I am getting an avc denied for hotplug
as well.  I have checked on the other FC4 system; mingetty has no label and
hotplug has the same label as the faulty system.

rwxr-xr-x  root root system_u:object_r:hotplug_exec_t hotplug
rwxr-xr-x  root root system_u:object_r:getty_exec_t mingetty (no label on working system)

=====================


>  Other times, denials may be due to a configuration change in the program
> not being allowed by the policy. For example, if you change Apache to also
> listen on port 8800, this will require a change in the security policy,
> apache.te. See External Link List for more information about writing
> policy.
>
> If you are having trouble getting a specific application like Apache to
> work, see How to use system-config-securitylevel for how to disable
> enforcement just for that application.
>
=================================
I have not done major changes lately.  I am trying to install a tacacs+
server on Linux.  Well I did not reboot my system for a while and when I
did, I could access the console.  I have compiled tcp_wrappers, skey,
openssh and tacacs+.  Since I could not find the tac_plus.conf file after
installation, I decided to reboot.

==================


>  AVC may have to do with other things I am still googling.
>
> If I were you I would be looking at my policy file and turning off SELinux
> to see what is going on.
>
> I hope this helps!
>
> Good Hunting!
>
>
> Tod
>


=======================

Thanks Stephen for your suggestion and the others as well.  I am new to
SELinux and all the information you provided is very useful.  Disabling it
would just be like sweeping the problem under the carpet.
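
The label comparison between the faulty and the working FC4 system described in the message, as an added example that is not part of the original post. It assumes listings in the five-column form pasted above (mode, user, group, context, name) and that an unlabeled file appears with the context column absent; the function names and sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare SELinux labels between two saved `ls -Z` listings.
# Assumed listing format (as pasted in the message): mode user group context name
# File names containing whitespace are not handled.

# Constructed sample data based on the two lines quoted in the post.
FAULTY='rwxr-xr-x  root root system_u:object_r:hotplug_exec_t hotplug
rwxr-xr-x  root root system_u:object_r:getty_exec_t mingetty'
# Assumption: an unlabeled file is listed with the context column absent.
REFERENCE='rwxr-xr-x  root root system_u:object_r:hotplug_exec_t hotplug
rwxr-xr-x  root root mingetty'

# label_map TAG: read a listing on stdin, print "TAG<TAB>name<TAB>context".
# The context is the first field shaped like user:role:type; a line with
# no such field is reported as "<none>".
label_map() {
    awk -v tag="$1" 'NF {
        ctx = "<none>"
        for (i = 1; i < NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
        print tag "\t" $NF "\t" ctx
    }'
}

# compare_labels FAULTY_LISTING REFERENCE_LISTING
# Print one line per file in the faulty listing whose label differs from
# the reference, or which the reference listing does not contain at all.
compare_labels() {
    { printf '%s\n' "$2" | label_map ref
      printf '%s\n' "$1" | label_map faulty; } |
    awk -F'\t' '
        $1 == "ref" { ref[$2] = $3; next }
        {
            want = ($2 in ref) ? ref[$2] : "<missing>"
            if ($3 != want)
                printf "%s faulty=%s reference=%s\n", $2, $3, want
        }'
}

compare_labels "$FAULTY" "$REFERENCE"
```

A difference only shows that the two systems disagree, not which one is right; `restorecon -n -v /path/to/file` reports what the installed policy expects without changing the label.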