AVCs with ntpd

Felipe Alfaro Solana felipe_alfaro at linuxmail.org
Mon Sep 20 18:33:09 UTC 2004


> I wonder about step 2. below. If you have the latest (and even just a
> recent) kernel, all of the SELinux patches are in the kernel already.

I'm running a custom kernel (exactly 2.6.9-rc2-mm1-VP-S1). Since I 
disabled SElinux, I had no support for it compiled in the kernel, thus 
the recompilation.

> Bringing your system up2date is also a good idea as some of the
> utilities (ntpd?) have SELinux related patches.

I'm always running from RawHide ;-)

> I also think that step 5. needs to be done before steps 3 and 4.
>
> You might boot a couple of times with 5. set, then do 3. and 4.
>
> At least that is what I have done.

AFAIK, you don't need to get SElinux enabled in order to relabel the 
filesystem. It seems my problems are caused by vanilla kernels not 
having xattrs support for tmpfs yet. I'll take the RedHat kernel SRPM 
and will extract the tmpfs xattr support.

Thanks!
> BobG
>
> On Mon, 20 Sep 2004 14:18:17 +0200, Felipe Alfaro Solana wrote:
>> OK, so I'm trying SElinux after having it disabled for some time.
>> That's what I did:
>>
>> 1. Installed selinux-policy-targeted-1.17.16-2
>> 2. Recompiled the kernel with SElinux support
>> 3. Booted into single user mode
>> 4. Ran "fixfiles relabel"
>> 5. Rebooted with "selinux=1"
>>
>> Now, I'm seeing a lot of these:
>>
>> audit(1095681913.039:0): avc: denied  { search } for  pid=2515
>> exe=/usr/sbin/ntpd dev=tmpfs ino=357 scontext=user_u:system_r:ntpd_t
>> tcontext=user_u:object_r:tmpfs_t tclass=dir
>>
>> The problem here is that I'm using UDEV and that the initial ramdisk
>> mounts a tmpfs on top of "/dev", thus, covering the labeled "/dev"
>> that resides on disk.
>>
>> How should I fix this?
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

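An added example, not part of the original thread: a small Python parser for AVC denial records in the layout quoted above, which counts denials whose target sits on a tmpfs mount and still carries the type tmpfs_t, the pattern the thread describes for the tmpfs mounted over /dev. The function names and the sample lines other than the first are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the AVC record layout quoted in the message above.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "perms": tuple(m["perms"].split())}
    # The rest of the record is space-separated key=value pairs.
    for token in m["fields"].split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    # The type is the third field of a user:role:type context.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec

def unlabeled_tmpfs_denials(lines):
    """Count denials whose target is on tmpfs and typed tmpfs_t,
    keyed by (source type, object class, permissions)."""
    hits = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("dev") == "tmpfs" and rec["ttype"] == "tmpfs_t":
            hits[(rec["stype"], rec.get("tclass"), rec["perms"])] += 1
    return hits

# Constructed sample: the first record is the one from the message joined
# onto one line; the second and third are made up for illustration.
SAMPLE = [
    "audit(1095681913.039:0): avc: denied  { search } for  pid=2515 exe=/usr/sbin/ntpd dev=tmpfs ino=357 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:tmpfs_t tclass=dir",
    "audit(1095681914.120:0): avc: denied  { search } for  pid=2515 exe=/usr/sbin/ntpd dev=tmpfs ino=357 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:tmpfs_t tclass=dir",
    "audit(1095681915.500:0): avc: denied  { read } for  pid=2600 exe=/usr/sbin/ntpd dev=hda2 ino=1234 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file",
]

if __name__ == "__main__":
    for key, count in unlabeled_tmpfs_denials(SAMPLE).items():
        print(count, key)
```
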