Bug 122189
Summary: | SELinux still enabled by default! | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ivo Sarak <ivo> |
Component: | selinux-doc | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED RAWHIDE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 2 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | athlon | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2004-06-16 11:34:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Ivo Sarak
2004-05-01 18:44:31 UTC
I updated the box to the latest FC2 packages and now the state is even worse - despite /etc/sysconfig/selinux having "selinux=disabled" in it, I see a lot of messages about selinux activity.

```
[root@sarmax root]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
[root@sarmax root]# dmesg|tail -n 30
audit(1086768406.973:0): avc: denied { read } for pid=2241 exe=/sbin/killall5 name=exe dev=proc ino=144637960 scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t tclass=lnk_file
mtrr: 0xd8000000,0x2000000 overlaps existing 0xd8000000,0x100000
mtrr: 0xd8000000,0x2000000 overlaps existing 0xd8000000,0x100000
[drm] Initialized r128 2.5.0 20030725 on minor 0:
mtrr: 0xd8000000,0x2000000 overlaps existing 0xd8000000,0x100000
agpgart: Found an AGP 3.0 compliant device at 0000:00:00.0.
agpgart: Device is in legacy mode, falling back to 2.x
agpgart: Putting AGP V2 device at 0000:00:00.0 into 1x mode
agpgart: Putting AGP V2 device at 0000:01:00.0 into 1x mode
audit(1086768480.520:0): avc: denied { getattr } for pid=2914 exe=/sbin/udev path=/sys/class/sound/midiC0D0/driver dev=sysfs ino=5389 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=lnk_file
audit(1086768480.532:0): avc: denied { read } for pid=2914 exe=/sbin/udev name=driver dev=sysfs ino=5389 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=lnk_file
audit(1086768480.671:0): avc: denied { getattr } for pid=2914 exe=/sbin/udev path=/udev/snd/midiC0D0 dev=hda2 ino=1163272 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sound_device_t tclass=chr_file
audit(1086768480.671:0): avc: denied { setattr } for pid=2914 exe=/sbin/udev name=midiC0D0 dev=hda2 ino=1163272 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sound_device_t tclass=chr_file
inserting floppy driver for 2.6.6-1.422
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
audit(1086768487.288:0): avc: denied { getattr } for pid=3004 exe=/sbin/udev path=/udev/fd0 dev=hda2 ino=1163269 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
audit(1086768487.288:0): avc: denied { setattr } for pid=3004 exe=/sbin/udev name=fd0 dev=hda2 ino=1163269 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
udf: registering filesystem
UDF-fs DEBUG fs/udf/lowlevel.c:57:udf_get_last_session: XA disk: no, vol_desc_start=0
UDF-fs DEBUG fs/udf/super.c:1552:udf_fill_super: Multi-session=0
UDF-fs DEBUG fs/udf/super.c:540:udf_vrs: Starting at sector 16 (2048 byte sectors)
UDF-fs DEBUG fs/udf/super.c:567:udf_vrs: ISO9660 Primary Volume Descriptor found
UDF-fs DEBUG fs/udf/super.c:570:udf_vrs: ISO9660 Supplementary Volume Descriptor found
UDF-fs DEBUG fs/udf/super.c:576:udf_vrs: ISO9660 Volume Descriptor Set Terminator found
UDF-fs: No VRS found
ISO 9660 Extensions: Microsoft Joliet Level 3
ISOFS: changing to secondary root
SELinux: initialized (dev hdd, type iso9660), uses genfs_contexts
audit(1086769408.461:0): avc: denied { transition } for pid=3238 exe=/bin/su path=/bin/bash dev=hda2 ino=1835024 scontext=user_u:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
[root@sarmax root]#
[root@sarmax root]# rpm -q kernel
kernel-2.6.5-1.327
kernel-2.6.5-1.358
kernel-2.6.6-1.422
[root@sarmax root]# rpm -qa|grep selinux
libselinux-1.13.2-1
libselinux-devel-1.13.2-1
selinux-doc-1.10-1
[root@sarmax root]#
```

Do you have a file in /etc/selinux/config? If not, could you copy /etc/security/selinux to it and see if SELinux gets disabled on reboot.

Dan

I do not have an /etc/selinux directory or file.

OK, this is a bug in libselinux that is not returning disabled to the init program. I have updated libselinux to fix the problem. It will be in rawhide tomorrow, and on my people page now.

libselinux-1.13.3-1

Also, copying that file to /etc/selinux/config should fix the problem.

Dan

Currently running libselinux-1.13.3-2 and OK again.
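A check for the symptom reported in this bug, as an added example that is not part of the original report or of libselinux: it reads the `SELINUX=` setting and flags the case where the file says `disabled` while the kernel log still shows AVC denials or `SELinux: initialized` lines. The function names are assumptions of this example, and the sample inputs are excerpted from the output quoted in the description.

```python
import re

# Sample inputs excerpted from the output quoted in the bug description.
SAMPLE_CONFIG = "# This file controls the state of SELinux on the system.\nSELINUX=disabled\n"
SAMPLE_DMESG = """\
audit(1086768480.520:0): avc: denied { getattr } for pid=2914 exe=/sbin/udev path=/sys/class/sound/midiC0D0/driver dev=sysfs ino=5389 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=lnk_file
agpgart: Putting AGP V2 device at 0000:01:00.0 into 1x mode
SELinux: initialized (dev hdd, type iso9660), uses genfs_contexts
audit(1086769408.461:0): avc: denied { transition } for pid=3238 exe=/bin/su path=/bin/bash dev=hda2 ino=1835024 scontext=user_u:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
"""

# Tolerates the variable spacing the kernel uses around "denied" and the braces.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")


def configured_mode(config_text):
    """Return the last uncommented SELINUX= value (lower-cased), or None."""
    mode = None
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "SELINUX":
            mode = value.strip().lower()
    return mode


def parse_avc(line):
    """Split one AVC denial into its key=value fields plus the permission list."""
    m = AVC_RE.search(line)
    if not m:
        return None
    record = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    record["perms"] = m.group("perms").split()
    return record


def check(config_text, kernel_log):
    """Compare the configured mode with evidence of a loaded policy in the log."""
    lines = kernel_log.splitlines()
    denials = [r for r in map(parse_avc, lines) if r]
    policy_active = bool(denials) or any(l.startswith("SELinux: initialized") for l in lines)
    mode = configured_mode(config_text)
    return {"configured": mode, "denials": denials,
            "mismatch": mode == "disabled" and policy_active}
```

The kernel log covers only the current boot, so a `disabled` setting written after boot will also show as a mismatch until the machine is rebooted.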