Bug 140100

| Field | Value |
|---|---|
| Summary | avc: denied for ntpd, nfs related stuff! |
| Product | Fedora |
| Component | selinux-policy-targeted |
| Version | 3 |
| Hardware | i386 |
| OS | Linux |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Reporter | Steve Murphy <murf> |
| Assignee | Daniel Walsh <dwalsh> |
| CC | djuran, trevor |
| Doc Type | Bug Fix |
| Last Closed | 2005-04-12 21:55:42 UTC |
Description
Steve Murphy
2004-11-19 19:34:31 UTC
Daniel Walsh
Did you relabel the system after you added SELinux? Upgrade to the latest policy for FC3, selinux-policy-targeted-1.17.30-2.31.

Steve Murphy
Hmm... OK. Didn't know where this great RPM was, but googled, found a link to your dir in another bug, went there, picked up 2.33 (no 31 there), and installed it here. Rebooted. Same messages. The avc: denied has {search}, and the error messages complain about no permission to load the .so's mentioned previously... any other ideas?

Oh, sorry, forgot to address the first question... No, the system was not relabeled. Just took my RH9 laptop, applied the FC3 install CDs, and then did the complete up2date thing, and here I am.

Daniel Walsh
touch /.autorelabel
reboot

Steve Murphy
That took a few minutes, but the deed is done. It has done some good; it looks like the up2date stuff works again, nfsd is running, and I can mount nfs partitions... I see this message on the console as I boot (along with several others):

name=libnss_nisplus-2.3.3.so dev=hda3 ino=8164472 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file

does this help? Still no ntpd, I'll see what else isn't working...

Daniel Walsh
Could you see if you can get the full message using dmesg?

Dan

Steve Murphy
I learn something new every day. Here is what dmesg generates:

IDE controller at PCI slot 0000:00:04.0
ACPI: PCI interrupt 0000:00:04.0[A]: no GSI
ALI15X3: chipset revision 195
ALI15X3: not 100% native mode: will probe irqs later
ide0: BM-DMA at 0xeff0-0xeff7, BIOS settings: hda:DMA, hdb:pio
ide1: BM-DMA at 0xeff8-0xefff, BIOS settings: hdc:DMA, hdd:pio
Probing IDE interface ide0...
hda: IC25N030ATCS04-0, ATA DISK drive
Using cfq io scheduler
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
Probing IDE interface ide1...
hdc: TOSHIBA DVD-ROM SD-R2102, ATAPI CD/DVD-ROM drive
ide1 at 0x170-0x177,0x376 on irq 15
Probing IDE interface ide2...
ide2: Wait for ready failed before probe !
Probing IDE interface ide3...
ide3: Wait for ready failed before probe !
Probing IDE interface ide4...
ide4: Wait for ready failed before probe !
Probing IDE interface ide5...
ide5: Wait for ready failed before probe !
hda: max request size: 128KiB
hda: 58605120 sectors (30005 MB) w/1768KiB Cache, CHS=58140/16/63, UDMA(33)
hda: cache flushes not supported
hda: hda1 hda2 hda3 hda4 < hda5 >
hdc: ATAPI 24X DVD-ROM CD-R/RW drive, 2048kB Cache, UDMA(33)
Uniform CD-ROM driver Revision: 3.20
ide-floppy driver 0.99.newide
usbcore: registered new driver hiddev
usbcore: registered new driver usbhid
drivers/usb/input/hid-core.c: v2.0:USB HID core driver
mice: PS/2 mouse device common for all mice
input: AT Translated Set 2 keyboard on isa0060/serio0
input: PS/2 Generic Mouse on isa0060/serio1
md: md driver 0.90.0 MAX_MD_DEVS=256, MD_SB_DISKS=27
NET: Registered protocol family 2
IP: routing cache hash table of 2048 buckets, 64Kbytes
TCP: Hash tables configured (established 262144 bind 37449)
Initializing IPsec netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
ACPI: (supports S0 S3 S4 S4bios S5)
ACPI wakeup devices: USB1 ASND VIY0 VIY1 LAN LID
Freeing unused kernel memory: 148k freed
kjournald starting. Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
security: 3 users, 4 roles, 305 types, 19 bools
security: 53 classes, 6679 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda3, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
inserting floppy driver for 2.6.9-1.678_FC3
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
e100: Intel(R) PRO/100 Network Driver, 3.0.27-k2-NAPI
e100: Copyright(c) 1999-2004 Intel Corporation
ACPI: PCI interrupt 0000:00:0a.0[A] -> GSI 11 (level, low) -> IRQ 11
divert: allocating divert_blk for eth0
e100: eth0: e100_probe: addr 0xf7efe000, irq 11, MAC addr 00:00:39:FC:FC:3B
PCI: Enabling device 0000:00:06.0 (0000 -> 0003)
ACPI: PCI interrupt 0000:00:06.0[A] -> GSI 11 (level, low) -> IRQ 11
ohci_hcd: 2004 Feb 02 USB 1.1 'Open' Host Controller (OHCI) Driver (PCI)
ACPI: PCI interrupt 0000:00:02.0[A] -> GSI 11 (level, low) -> IRQ 11
ohci_hcd 0000:00:02.0: OHCI Host Controller
ohci_hcd 0000:00:02.0: irq 11, pci mem 41832000
SELinux: initialized (dev usbdevfs, type usbdevfs), uses genfs_contexts
ohci_hcd 0000:00:02.0: new USB bus registered, assigned bus number 1
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 3 ports detected
Linux Kernel Card Services
options: [pci] [cardbus] [pm]
PCI: Enabling device 0000:00:11.0 (0000 -> 0002)
ACPI: PCI interrupt 0000:00:11.0[A] -> GSI 11 (level, low) -> IRQ 11
Yenta: CardBus bridge found at 0000:00:11.0 [1179:0001]
Yenta: ISA IRQ mask 0x04b8, PCI irq 11
Socket status: 30000007
PCI: Enabling device 0000:00:11.1 (0000 -> 0002)
ACPI: PCI interrupt 0000:00:11.1[B] -> GSI 11 (level, low) -> IRQ 11
Yenta: CardBus bridge found at 0000:00:11.1 [1179:0001]
Yenta: ISA IRQ mask 0x04b8, PCI irq 11
Socket status: 30000007
usb 1-1: new low speed USB device using address 2
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
input: USB HID v1.00 Mouse [0461:4d03] on usb-0000:00:02.0-1
usb 1-2: new full speed USB device using address 3
drivers/usb/class/usblp.c: usblp0: USB Bidirectional printer dev 3 if 0 alt 0 proto 2 vid 0x04B8 pid 0x0005
usbcore: registered new driver usblp
drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
ACPI: AC Adapter [ADP1] (on-line)
ACPI: Battery Slot [BAT1] (battery present)
ACPI: Power Button (FF) [PWRF]
ACPI: Lid Switch [LID]
toshiba_acpi: Toshiba Laptop ACPI Extras version 0.18
toshiba_acpi: HCI method: \_SB_.VALD.GHCI
EXT3 FS on hda3, internal journal
device-mapper: 4.1.0-ioctl (2003-12-10) initialised: dm.com
hdc: packet command error: status=0x51 { DriveReady SeekComplete Error }
hdc: packet command error: error=0x50
ide: failed opcode was 100
cdrom: open failed.
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda2, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1101070464.342:0): avc: granted { setenforce } for pid=206 exe=/bin/bash scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
audit(1101071004.373:0): avc: granted { setenforce } for pid=206 exe=/bin/bash scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Adding 489940k swap on /dev/hda5. Priority:-1 extents:1
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]
parport0: irq 7 detected
cs: IO port probe 0x0c00-0x0cff: clean.
cs: IO port probe 0x0100-0x04ff: excluding 0x200-0x207 0x220-0x22f 0x330-0x337 0x378-0x37f 0x388-0x38f 0x408-0x40f 0x480-0x48f 0x4d0-0x4d7
cs: IO port probe 0x0a00-0x0aff: clean.
ip_tables: (C) 2000-2002 Netfilter core team
ip_tables: (C) 2000-2002 Netfilter core team
e100: eth0: e100_watchdog: link up, 100Mbps, full-duplex
audit(1101071015.988:0): avc: denied { read } for pid=1826 exe=/sbin/syslogd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.989:0): avc: denied { read } for pid=1826 exe=/sbin/syslogd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.989:0): avc: denied { read } for pid=1826 exe=/sbin/syslogd name=libnss_dns-2.3.3.so dev=hda3 ino=816461 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.989:0): avc: denied { read } for pid=1826 exe=/sbin/syslogd name=libnss_dns-2.3.3.so dev=hda3 ino=816461 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.990:0): avc: denied { read } for pid=1826 exe=/sbin/syslogd name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.990:0): avc: denied { read } for pid=1826 exe=/sbin/syslogd name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071016.280:0): avc: denied { read } for pid=1856 exe=/sbin/portmap name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071016.281:0): avc: denied { read } for pid=1856 exe=/sbin/portmap name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071016.281:0): avc: denied { read } for pid=1856 exe=/sbin/portmap name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071016.330:0): avc: denied { read } for pid=1856 exe=/sbin/portmap name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:var_spool_t tclass=file
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
i2c /dev entries driver
NET: Registered protocol family 23
IrCOMM protocol (Dag Brattli)
CSLIP: code copyright 1989 Regents of the University of California
PPP generic driver version 2.4.2
NET: Registered protocol family 10
Disabled Privacy Extensions on device 0236ca40(lo)
IPv6 over IPv4 tunneling driver
divert: not allocating divert_blk for non-ethernet device sit0
audit(1101071028.011:0): avc: denied { read } for pid=2456 exe=/usr/sbin/ntpdate name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.012:0): avc: denied { read } for pid=2456 exe=/usr/sbin/ntpdate name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.012:0): avc: denied { read } for pid=2456 exe=/usr/sbin/ntpdate name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.012:0): avc: denied { read } for pid=2456 exe=/usr/sbin/ntpdate name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.255:0): avc: denied { read } for pid=2460 exe=/usr/sbin/ntpd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.256:0): avc: denied { read } for pid=2460 exe=/usr/sbin/ntpd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.256:0): avc: denied { read } for pid=2460 exe=/usr/sbin/ntpd name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.256:0): avc: denied { read } for pid=2460 exe=/usr/sbin/ntpd name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
eth0: no IPv6 routers present
Installing knfsd (copyright (C) 1996 okir.de).
SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]
parport0: irq 7 detected
lp0: using parport0 (polling).
lp0: console ready
warning: process `update' used the obsolete bdflush system call
Fix your initscripts?
warning: process `update' used the obsolete bdflush system call
Fix your initscripts?
SELinux: initialized (dev 0:14, type nfs), uses genfs_contexts
audit(1101074843.574:0): avc: denied { getattr } for pid=3829 exe=/sbin/ldconfig path=/lib/libnss_compat-2.3.3.so dev=hda3 ino=816245 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.575:0): avc: denied { getattr } for pid=3829 exe=/sbin/ldconfig path=/lib/libnss_dns-2.3.3.so dev=hda3 ino=816461 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.575:0): avc: denied { getattr } for pid=3829 exe=/sbin/ldconfig path=/lib/libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.575:0): avc: denied { getattr } for pid=3829 exe=/sbin/ldconfig path=/lib/libnss_hesiod-2.3.3.so dev=hda3 ino=816467 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.576:0): avc: denied { getattr } for pid=3829 exe=/sbin/ldconfig path=/lib/libnss_nis-2.3.3.so dev=hda3 ino=816469 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.576:0): avc: denied { getattr } for pid=3829 exe=/sbin/ldconfig path=/lib/libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.581:0): avc: denied { read } for pid=3829 exe=/sbin/ldconfig name=libnss_compat-2.3.3.so dev=hda3 ino=816245 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.582:0): avc: denied { read } for pid=3829 exe=/sbin/ldconfig name=libnss_dns-2.3.3.so dev=hda3 ino=816461 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.582:0): avc: denied { read } for pid=3829 exe=/sbin/ldconfig name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.582:0): avc: denied { read } for pid=3829 exe=/sbin/ldconfig name=libnss_hesiod-2.3.3.so dev=hda3 ino=816467 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.582:0): avc: denied { read } for pid=3829 exe=/sbin/ldconfig name=libnss_nis-2.3.3.so dev=hda3 ino=816469 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.583:0): avc: denied { read } for pid=3829 exe=/sbin/ldconfig name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.900:0): avc: denied { read } for pid=3831 exe=/sbin/ldconfig name=libnss_compat-2.3.3.so dev=hda3 ino=816245 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.900:0): avc: denied { read } for pid=3831 exe=/sbin/ldconfig name=libnss_dns-2.3.3.so dev=hda3 ino=816461 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.900:0): avc: denied { read } for pid=3831 exe=/sbin/ldconfig name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.901:0): avc: denied { read } for pid=3831 exe=/sbin/ldconfig name=libnss_hesiod-2.3.3.so dev=hda3 ino=816467 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.901:0): avc: denied { read } for pid=3831 exe=/sbin/ldconfig name=libnss_nis-2.3.3.so dev=hda3 ino=816469 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.901:0): avc: denied { read } for pid=3831 exe=/sbin/ldconfig name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
input: AT Translated Set 2 keyboard on isa0060/serio0
input: AT Translated Set 2 keyboard on isa0060/serio0
input: AT Translated Set 2 keyboard on isa0060/serio0
SELinux: initialized (dev 0:15, type nfs), uses genfs_contexts

Daniel Walsh
There it is. Where does libnss_files-2.3.3.so exist on your machine? If it exists in /lib then the following should fix the labeling:

restorecon -R -v /lib /usr/lib

Should fix the context on the libraries. Why they are labeled /var/spool is beyond me.

Steve Murphy
strange! I did a locate on that file...

[root@lurch /]# locate libnss_files-2.3.3.so
/var/spool/postfix/lib/libnss_files-2.3.3.so
/lib/libnss_files-2.3.3.so
[root@lurch /]#

And, sure enough, there is a /var/spool/postfix, dated 8 Nov, in my /var/spool/ dir. I don't THINK I did any playing with postfix in my spool dir within the last month, if ever... I really can't explain why it's there! But I checked, and no package seems to be associated with those dirs/files, so I removed this stuff from /var/spool, and will now do a boot. I should have waited to enter this until after the reboot, but I wanted to show the results above, copied and pasted from the shell. More in a bit.

Colin
That's probably postfix trying to set up a chroot for itself. We need to make sure the postfix scripts preserve the security contexts of files when setting up the chroot; if it's using "cp", it should be passing the -c option. (Ideally though we dump the whole Postfix chrooting thing and switch to confining it with SELinux, which is much stronger protection and doesn't require copying files around.)

Steve Murphy
OK, just a reboot after removing the /var/spool/postfix dir didn't do anything. A quick run of ldconfig -v showed all sorts of "permission denied" messages. I ran the restorecon command, which generated a lot of warnings about soft links, and then rebooted. That did it. The avc messages at boot time are gone. ntpd is running. Very good. ldconfig -v now runs pretty clean. One of my self-installed utilities, gringotts, which I just compiled and installed, segfaults, but when I run it under the debugger, it runs fine... I'll sort that out later... Did one of the package updates do something funny with /var/spool/postfix? Is this/Could this be the cause of all the /var/spool nonsense?

murf

Another user
I had a similar problem. I upgraded from FC1->FC2->FC3 and when in FC3 I turned on SELinux and policy-targeted. Booted and almost no services would run, esp. the important ones like named. I'll try touch /.autorelabel. Here's the big question: why doesn't anaconda (or any of the rpm's) do this relabel thing automagically? Anyone upgrading and trying to turn on SELinux will hit this problem and the solution is very obscure.

Steve Murphy
While we are on the subject, let me note that I could have solved this problem on my own (maybe) IF I HAD DOCUMENTATION. I've gone to the NSA site and looked at the documentation they have on SELinux, and... well... I haven't read it all yet, but what I have read is wonderfully general and non-implementation specific. The most critical thing (IMNASHO) that FC could provide right now is some good documentation on SELinux, and common probs and how to solve them. Heh, hehe, this stuff is most likely SO new that there is no such thing (yet) as a "common problem"...

One more thing! Above, you mention "cp" and using the "-c" option. Yet the man pages don't mention a "-c" option for cp, nor does cp --help show any such option. I assume that incorporating SELinux will involve massive changes, like enhancements to dozens of utilities, documentation, etc?

Daniel Walsh
Colin should have said -p for preserving the security contexts of the files.

Dan

Steve Murphy
Ok, here is a new, but seemingly highly related problem: I can no longer install some of the low-level libs for asterisk, nor run it any longer! I get:

avc: denied { read } for pid=2959 exe=/sbin/ldconfig name=libpri.so.1.0 dev=dm-0 ino=2674205 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file

I've done the /.autorelabel and the restorecon thing, but these do not help the situation. What do I do?
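The denials pasted earlier in this bug are one mislabeled inode reported over and over, once per domain and per open(). The script below is an added example (not code from this bug, from Fedora or from libselinux) that parses the FC3-era `audit(...): avc: denied {...} for ...` printk form, collapses the repeats into one row per target file, and flags any target that looks like a shared object but does not carry the type policy gives shared objects. The sample records are copied from the dmesg and ldconfig output above (a small selection, plus one non-AVC kernel line to show it is skipped); the assumption that shared objects are `shlib_t` in the FC3 targeted policy comes from the `ls -alZ libzap*` output later in the thread.

```python
"""Collapse AVC denials into one row per mislabeled file (added example)."""
import re

# Constructed sample: lines copied from the dmesg/ldconfig output in this bug.
SAMPLE_DMESG = """\
e100: eth0: e100_watchdog: link up, 100Mbps, full-duplex
audit(1101071015.988:0): avc: denied { read } for pid=1826 exe=/sbin/syslogd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.989:0): avc: denied { read } for pid=1826 exe=/sbin/syslogd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071016.280:0): avc: denied { read } for pid=1856 exe=/sbin/portmap name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.256:0): avc: denied { read } for pid=2460 exe=/usr/sbin/ntpd name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.574:0): avc: denied { getattr } for pid=3829 exe=/sbin/ldconfig path=/lib/libnss_compat-2.3.3.so dev=hda3 ino=816245 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
avc: denied { read } for pid=2959 exe=/sbin/ldconfig name=libpri.so.1.0 dev=dm-0 ino=2674205 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
audit(1101070464.342:0): avc: granted { setenforce } for pid=206 exe=/bin/bash scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumption: the FC3 targeted policy labels shared objects shlib_t (the
# thread shows libzap.so.1 that way). Add any further library types your
# policy defines before trusting the "suspect" list.
EXPECTED_SO_TYPES = {"shlib_t"}
SHARED_OBJECT_RE = re.compile(r"\.so(\.[0-9]+)*$")


def ctx_type(ctx):
    """Type field of a user:role:type[:range] context, '' if malformed."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()
    rec["sdomain"] = ctx_type(rec.get("scontext", ""))
    rec["ttype"] = ctx_type(rec.get("tcontext", ""))
    # the kernel prints path= when it has a full path, otherwise the dentry name=
    rec["target"] = rec.get("path") or rec.get("name") or ""
    return rec


def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def group_denials(records):
    """One entry per (target, target type, class): the domains that hit it,
    the permissions refused, and a hit count that absorbs the repeats."""
    groups = {}
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (r["target"], r["ttype"], r.get("tclass", ""))
        g = groups.setdefault(key, {"domains": set(), "perms": set(), "hits": 0})
        g["domains"].add(r["sdomain"])
        g["perms"].update(r["perms"])
        g["hits"] += 1
    return groups


def suspect_shared_objects(groups):
    """Targets that look like shared objects but carry a type the policy would
    not give one: these are the restorecon candidates."""
    out = []
    for (target, ttype, tclass), g in sorted(groups.items()):
        if tclass == "file" and SHARED_OBJECT_RE.search(target) and ttype not in EXPECTED_SO_TYPES:
            out.append({"target": target, "type": ttype,
                        "domains": sorted(g["domains"]), "hits": g["hits"]})
    return out


if __name__ == "__main__":
    for s in suspect_shared_objects(group_denials(parse_log(SAMPLE_DMESG))):
        print(f"{s['target']:<32} {s['type']:<14} x{s['hits']} from {', '.join(s['domains'])}")
```

Run against the full dmesg in this bug it reduces the screenful to a handful of `.so` files under `var_spool_t` (and, from the later comment, `libpri.so.1.0` under `lib_t`), which is exactly the list to hand to `restorecon`. Note that `name=` is only a basename, so two same-named files in different directories (here, `/lib` and `/var/spool/postfix/lib`) land in one row; the `dev=`/`ino=` pair distinguishes them if that matters.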
Daniel Walsh
After you do a make install that installs libraries you need to run restorecon on the directories to fix the file context on the libs.

restorecon -R -v /usr/local/lib

Steve Murphy
Already did that. Been reading the FAQ and did a ls -alZ on the libpri.so file, and I get:

[root@phone lib]# ls -alZ libpri*
-rw-r--r--  root  root  root:object_r:lib_t        libpri.a
lrwxrwxrwx  root  root  root:object_r:lib_t        libpri.so
-rwxr-xr-x  root  root  root:object_r:lib_t        libpri.so.1.0

Doing the same thing on another file in the distribution that was installed, I see:

[root@phone lib]# ls -alZ libzap*
-rw-r--r--  root  root  system_u:object_r:lib_t    libzap.a
lrwxrwxrwx  root  root  system_u:object_r:lib_t    libzap.so
-rwxr-xr-x  root  root  system_u:object_r:shlib_t  libzap.so.1

I did the restorecon -R -v on the /usr/lib dir, which did no good, but when I did it on the libpri.so.1.0 file, it changed it to shlib_t and all is now well... What happened to mislabel the file? Many thanks!

Daniel Walsh
Did the file get replaced by a make install? If so then it will get the default context of the directory that it was installed into (lib_t).

Dan

Steve Murphy
I'm sure it was, as this seems the standard procedure for updating libraries...? How should it be done? Delete the .so in the lib dir, and then install it? OK, well, I modified the makefile to restorecon the libs immediately after the install.

ANOTHER ISSUE: I have built and installed gringotts, a little utility I use. It installs owned by root, setuid. If I un-setuid it, it runs, but with the setuid bit on, it won't run. So, I suspect it's a SELinux prob... When I run it without setuid, it's got all its memory protection stuff turned off. So, what is the magic cookie for this? restorecon -v has no effect.

Daniel Walsh
SELinux should have no effect on the app. You can temporarily turn off SELinux enforcement with setenforce 0. But with targeted policy the app should be running in unconfined_t, which would allow the app to do what it wants. I have a feeling you have a DAC problem.

Dan
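The two labeling outcomes in this thread (a `make install`ed `libpri.so.1.0` that came out `root:object_r:lib_t`, a packaged `libzap.so.1` that is `system_u:object_r:shlib_t`, and `/lib/libnss_*.so` files sitting in `var_spool_t`) all follow from two rules: a new file inherits the type of the directory it is created in unless a type_transition says otherwise, and `restorecon` replaces that with whatever `file_contexts` says for the path. The example below is added here and is not Fedora's or libselinux's code. `FILE_CONTEXTS` is a constructed excerpt in the `file_contexts(5)` layout (regex, optional file type flag such as `--` for regular files, context); its patterns illustrate the mechanism and are not copied from the FC3 policy. The lookup follows the documented rule that the last matching entry wins, the plan compares only the type field (as current `restorecon` does unless given `-F`), and `/usr/local/lib` as the directory behind the `[root@phone lib]#` listing is an assumption.

```python
"""file_contexts lookup and a restorecon dry run (added example, not libselinux)."""
import re

# Constructed excerpt in file_contexts(5) layout; patterns are illustrative.
FILE_CONTEXTS = r"""
# regex                                 type   context
/lib(64)?(/.*)?                                system_u:object_r:lib_t
/lib(64)?/.*\.so(\.[^/]*)*              --     system_u:object_r:shlib_t
/usr/lib(64)?(/.*)?                            system_u:object_r:lib_t
/usr/lib(64)?/.*\.so(\.[^/]*)*          --     system_u:object_r:shlib_t
/usr/local/lib(/.*)?                           system_u:object_r:lib_t
/usr/local/lib/.*\.so(\.[^/]*)*         --     system_u:object_r:shlib_t
/var/spool(/.*)?                               system_u:object_r:var_spool_t
"""

TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "link"}  # subset of the file_contexts(5) flags


def load_file_contexts(text):
    """Parse (compiled regex, required inode kind or None, context) triples, in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, ctx = parts
            kind = TYPE_FLAGS[flag]
        else:
            regex, ctx = parts
            kind = None
        specs.append((re.compile(regex), kind, ctx))
    return specs


SPECS = load_file_contexts(FILE_CONTEXTS)


def matchpathcon(path, kind="file", specs=SPECS):
    """Context policy wants for path: the last spec whose regex matches the whole
    path and whose type flag, if any, matches the inode kind. None if no spec matches."""
    for regex, want_kind, ctx in reversed(specs):
        if want_kind not in (None, kind):
            continue
        if regex.fullmatch(path):
            return ctx
    return None


def created_context(creator_user, parent_ctx):
    """Label a new file gets with no type_transition rule: the creating process's
    SELinux user, object_r, and the parent directory's type. This is why a
    make install by root into a lib_t directory yields root:object_r:lib_t."""
    parent_type = parent_ctx.split(":")[2]
    return f"{creator_user}:object_r:{parent_type}"


def restorecon_plan(entries, specs=SPECS):
    """(path, current type, expected type) for each entry whose type differs from
    file_contexts; like restorecon without -F, only the type field is compared."""
    plan = []
    for path, current_ctx, kind in entries:
        expected = matchpathcon(path, kind, specs)
        if expected is None:
            continue
        cur_t, exp_t = current_ctx.split(":")[2], expected.split(":")[2]
        if cur_t != exp_t:
            plan.append((path, cur_t, exp_t))
    return plan


# From the ls -alZ and locate output in this bug; the /usr/local/lib prefix is assumed.
INSTALLED = [
    ("/usr/local/lib/libpri.a", "root:object_r:lib_t", "file"),
    ("/usr/local/lib/libpri.so", "root:object_r:lib_t", "link"),
    ("/usr/local/lib/libpri.so.1.0", "root:object_r:lib_t", "file"),
    ("/usr/local/lib/libzap.so.1", "system_u:object_r:shlib_t", "file"),
    ("/lib/libnss_files-2.3.3.so", "system_u:object_r:var_spool_t", "file"),
    ("/var/spool/postfix/lib/libnss_files-2.3.3.so", "system_u:object_r:var_spool_t", "file"),
]

if __name__ == "__main__":
    print("make install of libpri.so.1.0 by root creates:",
          created_context("root", matchpathcon("/usr/local/lib", "dir")))
    for path, cur, exp in restorecon_plan(INSTALLED):
        print(f"restorecon would relabel {path}: {cur} -> {exp}")
```

The dry run reports exactly the two files the thread had to fix by hand, `libpri.so.1.0` (`lib_t` to `shlib_t`) and `/lib/libnss_files-2.3.3.so` (`var_spool_t` to `shlib_t`), and leaves `libpri.a`, the `libpri.so` symlink and the copy under `/var/spool/postfix` alone, since `lib_t` and `var_spool_t` are what the rules give those paths. It also shows why `restorecon -R /usr/lib` could not help with a file in `/usr/local/lib`: the fix only ever touches the paths it is pointed at.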