Bug 121323
| Field | Value |
|---|---|
| Summary | lots of policy errors |
| Product | [Fedora] Fedora |
| Component | policy |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| Hardware | i386 |
| OS | Linux |
| Reporter | Tim Vismor <tvismor> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Ben Levenson <benl> |
| CC | pgraner |
| Doc Type | Bug Fix |
| Last Closed | 2004-06-14 21:17:17 UTC |

Description
Tim Vismor 2004-04-20 14:18:38 UTC

Created attachment 99561: avc problems in dmesg

Created attachment 99562: avc errors from system log (messages file).

Actually we were discussing LVM problems on fedora-selinux-list. Could you read that discussion and try applying some of the patches there? http://www.redhat.com/archives/fedora-selinux-list/2004-April/msg00257.html

*** This bug has been marked as a duplicate of 120595 ***

I have loaded the 4/20 policy updates (which appear to have the patches you described). All of my old LVM AVC denials are still there. By the way, there are many more denial problems exhibited in my original bug report than the LVM denials. Therefore, I disagree with your classification of this bug as a duplicate of the problem that was discussed on the selinux list. I have re-opened the bug. If you don't feel like looking into the other problems, you can close it again.

Ok, sorry about that, I hadn't realized there was more.

*** This bug has been marked as a duplicate of 120595 ***

Argh, I didn't mean to mark it as a duplicate again. Sorry about that.

Ok. First of all, you will almost always get AVC messages running in permissive mode that you wouldn't in enforcing. This is because in enforcing mode, the process would be stopped by earlier (not audited) denials. Are you able to boot in enforcing mode? Why are you running permissive?

To answer your question: When I initially installed FC2T2 I was unable to boot in enforcing mode, so I switched to permissive mode. I never bothered to change it back. At your prodding :), I have booted into enforcing mode (it didn't hang this time) and gathered new data. The quantity of AVC denials did not seem to go down. Several unexpected (at least to me) events occurred within the first minute or two of running under enforcing mode:

1) Cyrus imap startup failed due to permission problems (this was forecast by the AVC denials that occurred in permissive mode).
2) After logging in as root, I attempted to run system-logviewer. I was prompted for the root password (as if I were a normal user). Providing the root password allowed the log viewer to run.
3) I attempted to browse the /var/log directory with nautilus. I was told that I did not have permission to view the directory.
4) I attempted to browse the directory from the console with the following results.

    [root@redbud log]# cd /var/log
    [root@redbud log]# ls
    ls: .: Permission denied
    [root@redbud log]# whoami
    root
    [root@redbud log]#

5) Sendmail generated AVC denials.

These and other events are chronicled by their AVC trail in the following attachment.

Created attachment 99615: AVC denials under enforcing mode

I fixed some of these errors in policy-1.11.2-18. Some are legit; you are not allowed to view /var/log/* as staff_r.

Dan
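
For triaging a log like the attachments in this report, here is an added example (not code from the bug report or from the policy project) that groups AVC denials by source type, target type and object class, so repeated denials collapse into one row per access pattern. The log lines and the type names in them are constructed for illustration and are not taken from the attachments.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel's "avc: denied" layout (not from the attachments).
SAMPLE_LOG = """\
audit(1082470718.101:0): avc:  denied  { read } for  pid=2301 exe=/bin/ls name=log dev=hda2 ino=4711 scontext=root:staff_r:staff_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1082470718.102:0): avc:  denied  { search } for  pid=2301 exe=/bin/ls name=log dev=hda2 ino=4711 scontext=root:staff_r:staff_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1082470720.300:0): avc:  denied  { write } for  pid=1950 exe=/usr/sbin/sendmail name=mqueue dev=hda2 ino=900 scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:var_spool_t tclass=dir
kernel: unrelated message that must be skipped
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    src = fields["scontext"].split(":")  # user:role:type
    tgt = fields["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    return {"perms": set(m.group("perms").split()), "role": src[1], "source": src[2],
            "target": tgt[2], "tclass": fields["tclass"], "exe": fields.get("exe", "?")}


def summarize(log_text):
    """Group denials by (source type, target type, class); union the permissions."""
    groups = defaultdict(lambda: {"perms": set(), "roles": set(), "exes": set(), "count": 0})
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        g = groups[(avc["source"], avc["target"], avc["tclass"])]
        g["perms"] |= avc["perms"]
        g["roles"].add(avc["role"])
        g["exes"].add(avc["exe"])
        g["count"] += 1
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{g['count']:3d}  {src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
              f"roles={sorted(g['roles'])} exe={sorted(g['exes'])}")
```

Rows whose role is a user role such as staff_r correspond to the kind of denial described above as intended; rows from daemon domains are the ones to compare against the policy package version.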