Bug 209950

Summary: many avc denied messages after setting mls
Product: [Fedora] Fedora
Reporter: Gene Czarcinski <gczarcinski>
Component: selinux-policy-mls
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 14:17:30 UTC
Attachments:
- mls policy avc messages (flags: none)
- /var/log/messages for mls bootup (flags: none)

Description Gene Czarcinski 2006-10-08 18:39:20 UTC
Description of problem:
After selecting permissive/mls, setting /.autorelabel and reboot.  Then reboot
again to get "clean" record.  Get 21 avc denied messages during bootup/root
login (see attachment).  Also attaching that portion of /var/log/messages for
the bootup.

see related for strict policy:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209949

Version-Release number of selected component (if applicable):
fc6-devel as of 10/8/2006, minimal server fresh install (no X)

Comment 1 Gene Czarcinski 2006-10-08 18:39:20 UTC
Created attachment 138014
mls policy avc messages

Comment 2 Gene Czarcinski 2006-10-08 18:40:26 UTC
Created attachment 138015
/var/log/messages for mls bootup

Comment 3 Daniel Walsh 2006-10-17 21:25:43 UTC
If you change a user from user_r to staff_r you need to relabel the homedir

restorecon -R -v /home should do the trick.

anacron.pid seems to have the incorrect context on it. Not sure how it got
created incorrectly but restorecon /var/run/anacron.pid

pcscd needs policy to work correctly.  Patches accepted :^)

multipath.stati looks like it needs a lvm_exec_t label on it?

Comment 4 Daniel Walsh 2006-10-25 17:53:51 UTC
Please retry with selinux-policy-2.4.1-4

Comment 5 Gene Czarcinski 2006-10-25 19:33:19 UTC
I assume that 2.4.1-4 will be in testing in a day or so ... 2.4.1-3 is there now.

Comment 6 Daniel Walsh 2006-10-25 19:52:59 UTC
2.4.1-4 is out on my people page now.  Should be in BETA2 and rawhide.

Comment 7 Gene Czarcinski 2006-10-27 18:34:55 UTC
could not find it at http://people.redhat.com/dwalsh/ ... could you be more
specific as to where it is.

I would also appreciate it if this update was pushed to updates/testing (2.4.1-3
is there now).

Comment 8 Daniel Walsh 2007-08-22 14:17:30 UTC
Should be fixed in the current release