Post FC6 upgrade SELinux problem

Daniel J Walsh dwalsh at redhat.com
Mon Jan 8 20:52:23 UTC 2007


Kirk Lowery wrote:
> After upgrading from FC5 to FC6, my first clue was that X-Windows
> wouldn't come up because it could not find the 'fixed' font. This
> meant the xfs server wasn't working. Sure enough, dmesg showed:
>
> audit(1167922474.426:78): avc:  denied  { read } for  pid=2399
> comm="xfs" name="fonts.dir" dev=hda5 ino=3260727
> scontext=system_u:system_r:xfs_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> Looking through dmesg, I discovered many other "avc:  denied" messages:
>
> audit(1167922423.998:4): avc:  denied  { audit_write } for  pid=376
> comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0
> tcontext=system_u:system_r:hwclock_t:s0 tclass=capability
>
> audit(1167922427.986:5): avc:  denied  { getattr } for  pid=1369
> comm="pam_console_app" name="adsp1" dev=tmpfs ino=5904
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
> audit(1167922462.739:7): avc:  denied  { search } for  pid=2083
> comm="auditd" name="bin" dev=hda5 ino=1042531
> scontext=system_u:system_r:auditd_t:s0
> tcontext=system_u:object_r:bin_t:s0 tclass=dir
>
> audit(1167922463.659:12): avc:  denied  { write } for  pid=2132
> comm="dbus-daemon" name=".setrans-unix" dev=hda5 ino=423906
> scontext=system_u:system_r:system_dbusd_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
>
> audit(1167922464.088:15): avc:  denied  { setuid } for  pid=2154
> comm="mount" capability=7 scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=capability
>
> audit(1167922464.089:16): avc:  denied  { setgid } for  pid=2154
> comm="mount" capability=6 scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=capability
>
> audit(1167922464.531:23): avc:  denied  { search } for  pid=2193
> comm="automount" name="1" dev=proc ino=65538
> scontext=system_u:system_r:automount_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=dir
>
> audit(1167922470.796:75): avc:  denied  { search } for  pid=2249
> comm="ntpd" name="net" dev=proc ino=-268435432
> scontext=system_u:system_r:ntpd_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
>
> audit(1167922474.229:76): avc:  denied  { write } for  pid=2396
> comm="restorecon" name=".setrans-unix" dev=hda5 ino=423906
> scontext=system_u:system_r:restorecon_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
>
> audit(1167922474.426:78): avc:  denied  { read } for  pid=2399
> comm="xfs" name="fonts.dir" dev=hda5 ino=3260727
> scontext=system_u:system_r:xfs_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> ....and many, many more. Clearly, my SELinux policies were seriously
> broken during the upgrade. So, how to recover? If I could get
> X-Windows up, would the new SELinux GUI be the way to go? Do I need to
> reinstall an SELinux package(s)? If so, which one(s)?
>
> Suggestions, pointers much appreciated!
>
> TIA,
Looks like you have a badly labeled system.

You should be able to boot in permissive mode. (Add enforcing=0 to the
kernel line.)
touch /.autorelabel; reboot
Then yum -y upgrade selinux-policy
and yum -y upgrade

>
> Kirk
>
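
A small parser for the AVC records quoted above, added here as an example and not part of the original thread: it rejoins the mail-wrapped lines and tabulates denied permissions by source domain, target type and object class, so denials spread across many unrelated domains stand out. The names parse_avc and summarize are hypothetical; the three sample records are copied from the post.

```python
import re
from collections import defaultdict

# Three of the records quoted in the post above, mail wrapping kept as-is.
SAMPLE = """\
audit(1167922474.426:78): avc:  denied  { read } for  pid=2399
comm="xfs" name="fonts.dir" dev=hda5 ino=3260727
scontext=system_u:system_r:xfs_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file

audit(1167922427.986:5): avc:  denied  { getattr } for  pid=1369
comm="pam_console_app" name="adsp1" dev=tmpfs ino=5904
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=chr_file

audit(1167922464.088:15): avc:  denied  { setuid } for  pid=2154
comm="mount" capability=7 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=capability
"""

HEAD = re.compile(r"audit\((\d+\.\d+):(\d+)\): avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC denial; wrapped lines stay with their header."""
    records = []
    for chunk in re.split(r"(?=audit\(\d+\.\d+:\d+\): avc:)", text):
        m = HEAD.search(chunk)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(chunk[m.end():])}
        rec["serial"] = int(m.group(2))
        rec["perms"] = m.group(3).split()
        # A context is user:role:type:level; the type is the third field.
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records

def summarize(records):
    """Group denied permissions by (source domain, target type, object class)."""
    table = defaultdict(set)
    for r in records:
        table[(r["source_type"], r["target_type"], r["tclass"])].update(r["perms"])
    return dict(table)

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(parse_avc(SAMPLE)).items()):
        print(f"{src:16} -> {tgt:12} {cls:10} {' '.join(sorted(perms))}")
```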