From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040922 Description of problem: Several AVC denied messages appear during bootup on RHES4 Beta 1 using the default "targeted" selinux policy. Please have a look at the attached file for the avc messages Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. use default selinux targeted policy 2. watch out for AVC denied messages during bootup 3. Additional info:
Created attachment 104441 [details] AVC denied messages found during boot-up
Yes these were fixed in the latest policy, but did not get in before the freeze. You can update to selinux-policy-targeted-1.17.22 or greater.
Should I take the update from rawhide or will there be a separate RHN channel for RHES4 Beta1?
You can grab it from Rawhide for now. I will check on the RHN channel. Dan
Ok, I took selinux-policy-targeted-1.7.23-1 from rawhide and did rpm -Uvh but ended up with two *.rpmnew files that I had to manually rename: 1. /etc/selinux/targeted/contexts/files/file_contexts 2. /etc/selinux/targeted/policy/policy.18 How is average joe user intended to fiddle with these policy files? Finally some avc messages are gone now but not all: audit(1096394871.960:0): avc: denied { read } for pid=718 exe=/sbin/minilogd path=/init dev=rootfs ino=26 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file audit(1096394878.872:0): avc: denied { read } for pid=1179 exe=/sbin/minilogd path=/init dev=rootfs ino=26 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file audit(1096394892.782:0): avc: denied { read } for pid=1778 exe=/sbin/minilogd path=/init dev=rootfs ino=26 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file audit(1096394901.318:0): avc: denied { read } for pid=1995 exe=/sbin/minilogd path=/init dev=rootfs ino=26 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file audit(1096387702.076:0): avc: denied { read } for pid=2048 exe=/sbin/minilogd path=/init dev=rootfs ino=26 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file audit(1096387705.943:0): avc: denied { read } for pid=2477 exe=/sbin/minilogd path=/init dev=rootfs ino=26 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file audit(1096387708.016:0): avc: denied { read } for pid=2579 exe=/sbin/minilogd path=/init dev=rootfs ino=26 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file audit(1096387711.461:0): avc: denied { read } for pid=2676 exe=/sbin/minilogd path=/init dev=rootfs ino=26 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file
Which kernel are you running?
kernel is kernel-2.6.8-1.528.2.10.i686
Try policy selinux-policy-targeted-1.17.26-3 or greater.
Looks much better now with selinux-policy-targeted-1.17.28-2. No AVC messages at all.