Bug 156337
Summary: | SELinux strict policy denied messages on boot | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Che Gonzalez <che.gonzalez> |
Component: | selinux-policy-strict | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 4 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Doc Type: | Bug Fix | ||
Last Closed: | 2005-06-08 18:09:06 UTC | ||
Description
Che Gonzalez
2005-04-29 00:30:49 UTC
Please only report bugs in enforcing mode. (At least on the first pass.) A lot of these avc messages disappear in enforcing mode.

/halt is mislabeled.
restorecon /halt

/etc/rhgb is mislabeled. Did you relabel?

Also clear the log files after you switch and reboot, in enforcing mode. Then report the errors. Thanks.

Relabel was performed before reboot, and /var/log/messages was cleared. I relabeled twice from system-config-securitylevel and /etc/rhgb was not relabeled correctly. I checked /etc/rhgb and resolved the problem with fixfiles. For /halt I had to mkdir then restorecon it. The rest is set to allow in my custom.te file. I unchecked my custom.te in sepcut, shutdown in permissive, and restarted with enforcing. I was unable to boot into X server. A blue ncurses X configuration screen came up so I set it back to permissive and rebooted. The following log entries occurred.

[Strict - Boot - Enforcing]

```
Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc: denied { getattr } for path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc: denied { search } for name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 29 17:15:36 xix kernel: audit(1114794927.858:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
Apr 29 17:15:36 xix kernel: audit(1114794927.859:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
Apr 29 17:15:36 xix kernel: audit(1114794927.860:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
Apr 29 17:15:36 xix kernel: audit(1114794927.861:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
```

setsebool -P allow_execmem=1
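An added example, not part of the original bug report: a small triage script that collapses AVC denial lines like the ones quoted above into unique (source type, target type, class, permission) tuples with counts, and lists the domains that requested `execmem`. The function names and the embedded sample are assumptions made for illustration; the sample reuses four of the log lines from this report.

```python
import re
from collections import Counter

# Constructed sample: four of the denial lines quoted in this report.
SAMPLE = """\
Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc: denied { getattr } for path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc: denied { search } for name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 29 17:15:36 xix kernel: audit(1114794927.858:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
Apr 29 17:15:36 xix kernel: audit(1114794927.859:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return (source_type, target_type, class, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    try:
        # A context is user:role:type[:mls]; the type is the third field.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        cls = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return src, tgt, cls, tuple(m.group("perms").split())

def summarize(text):
    """Count each unique (source, target, class, permission) denial."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            src, tgt, cls, perms = rec
            for perm in perms:
                counts[(src, tgt, cls, perm)] += 1
    return counts

def execmem_domains(counts):
    """Domains denied process:execmem; review these before enabling a boolean."""
    return sorted({s for (s, _t, c, p) in counts if c == "process" and p == "execmem"})

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for (src, tgt, cls, perm), n in sorted(summary.items()):
        print(f"{n:3d}  {src} -> {tgt}:{cls} {{ {perm} }}")
    print("execmem requested by:", execmem_domains(summary))
```
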