Post FC6 upgrade SELinux problem
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 8 20:52:23 UTC 2007
Kirk Lowery wrote:
> After upgrading from FC5 to FC6, my first clue was that X-Windows
> wouldn't come up because it could not find the 'fixed' font. This
> meant the xfs server wasn't working. Sure enough, dmesg showed:
>
> audit(1167922474.426:78): avc: denied { read } for pid=2399
> comm="xfs" name="fonts.dir" dev=hda5 ino=3260727
> scontext=system_u:system_r:xfs_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> Looking through dmesg, I discovered many other "avc: denied" messages:
>
> audit(1167922423.998:4): avc: denied { audit_write } for pid=376
> comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0
> tcontext=system_u:system_r:hwclock_t:s0 tclass=capability
>
> audit(1167922427.986:5): avc: denied { getattr } for pid=1369
> comm="pam_console_app" name="adsp1" dev=tmpfs ino=5904
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
> audit(1167922462.739:7): avc: denied { search } for pid=2083
> comm="auditd" name="bin" dev=hda5 ino=1042531
> scontext=system_u:system_r:auditd_t:s0
> tcontext=system_u:object_r:bin_t:s0 tclass=dir
>
> audit(1167922463.659:12): avc: denied { write } for pid=2132
> comm="dbus-daemon" name=".setrans-unix" dev=hda5 ino=423906
> scontext=system_u:system_r:system_dbusd_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
>
> audit(1167922464.088:15): avc: denied { setuid } for pid=2154
> comm="mount" capability=7 scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=capability
>
> audit(1167922464.089:16): avc: denied { setgid } for pid=2154
> comm="mount" capability=6 scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=capability
>
> audit(1167922464.531:23): avc: denied { search } for pid=2193
> comm="automount" name="1" dev=proc ino=65538
> scontext=system_u:system_r:automount_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=dir
>
> audit(1167922470.796:75): avc: denied { search } for pid=2249
> comm="ntpd" name="net" dev=proc ino=-268435432
> scontext=system_u:system_r:ntpd_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
>
> audit(1167922474.229:76): avc: denied { write } for pid=2396
> comm="restorecon" name=".setrans-unix" dev=hda5 ino=423906
> scontext=system_u:system_r:restorecon_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
>
> audit(1167922474.426:78): avc: denied { read } for pid=2399
> comm="xfs" name="fonts.dir" dev=hda5 ino=3260727
> scontext=system_u:system_r:xfs_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> ....and many, many more. Clearly, my SELinux policies were seriously
> broken during the upgrade. So, how to recover? If I could get
> X-Windows up, would the new SELinux GUI be the way to go? Do I need to
> reinstall an SELinux package(s)? If so, which one(s)?
>
> Suggestions, pointers much appreciated!
>
> TIA,
Looks like you have a badly labeled system.
You should be able to boot in permissive mode. (Add enforcing=0 to
kernel line)
touch /.autorelabel; reboot
Then yum -y upgrade selinux-policy
and yum -y upgrade
>
> Kirk
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
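
Added example, not part of the original thread: a small Python parser for the "avc: denied" lines quoted above that groups them by source type, target type and object class, so the type pairs worth re-checking after the relabel stand out. The sample lines are copied from the post and rejoined onto one line each; the function names are this example's own.

```python
import re
from collections import defaultdict

# Denials copied from the post above, each rejoined onto one line.
SAMPLE = """\
audit(1167922474.426:78): avc: denied { read } for pid=2399 comm="xfs" name="fonts.dir" dev=hda5 ino=3260727 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
audit(1167922464.088:15): avc: denied { setuid } for pid=2154 comm="mount" capability=7 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
audit(1167922464.089:16): avc: denied { setgid } for pid=2154 comm="mount" capability=6 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
audit(1167922427.986:5): avc: denied { getattr } for pid=1369 comm="pam_console_app" name="adsp1" dev=tmpfs ino=5904 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_type(ctx):
    """Type field of user:role:type[:mls-range]; the range may itself contain ':'."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 and parts[2] else None

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not a complete one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # record truncated or wrapped across lines
    rec["stype"] = ctx_type(rec["scontext"])
    rec["ttype"] = ctx_type(rec["tcontext"])
    if rec["stype"] is None or rec["ttype"] is None:
        return None
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(text):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == "__main__":
    for (stype, ttype, tclass), perms in sorted(summarize(SAMPLE).items()):
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```
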