Description of problem:
A list of avc denied messages after a fresh install under the strict policy (some fatal if enforcing). See Additional Info below.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.13-4
selinux-doc-1.19.5-1
selinux-policy-strict-1.23.13-4
selinux-policy-strict-sources-1.23.13-4

How reproducible:
After fresh install and all updates as of April 28, 2005.

Steps to Reproduce:
1. Install fc4test2
2. Update the previously listed packages.
3. Switch to policy strict and permissive
4. Reboot
5. Capture /var/log/messages for current boot

Actual results:
The log messages listed below under Additional Info.

Expected results:
A boot that would not be fatal or prevent booting into the GUI.

Additional info:

[audit2allow output]
allow dhcpc_t selinux_config_t:file { getattr read };
allow fsadm_t ramfs_t:fifo_file ioctl;
allow initrc_t ramfs_t:fifo_file write;
allow initrc_t root_t:file unlink;
allow insmod_t hotplug_etc_t:dir { getattr search };
allow insmod_t nscd_var_run_t:dir search;
allow lvm_t removable_device_t:blk_file { ioctl read };
allow xdm_xserver_t self:process execmem;
# The following entry errors when testing in a policy, but it is logged in under another bug
allow rhgb_t etc_t:dir mounton;

[/var/log/messages]
Apr 28 19:32:54 xix kernel: audit(1114716744.637:0): avc: denied { search } for name=nscd dev=dm-0 ino=20250719 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc: denied { getattr } for path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc: denied { search } for name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 28 19:32:54 xix kernel: audit(1114716755.277:0): avc: denied { mounton } for path=/etc/rhgb/temp dev=dm-0 ino=17467378 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:etc_t tclass=dir
Apr 28 19:32:54 xix kernel: audit(1114716756.459:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
Apr 28 19:32:54 xix kernel: audit(1114731158.024:0): avc: denied { write } for name=rhgb-console dev=ramfs ino=5990 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file
Apr 28 19:32:54 xix kernel: audit(1114731158.978:0): avc: denied { read } for name=hdc dev=tmpfs ino=672 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
Apr 28 19:32:54 xix kernel: audit(1114731159.017:0): avc: denied { ioctl } for path=/dev/hdc dev=tmpfs ino=672 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
Apr 28 19:32:54 xix kernel: audit(1114731159.852:0): avc: denied { write } for name=rhgb-console dev=ramfs ino=5990 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file
Apr 28 19:32:54 xix kernel: audit(1114731160.535:0): avc: denied { ioctl } for path=/etc/rhgb/temp/rhgb-console dev=ramfs ino=5990 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file
Apr 28 19:32:54 xix kernel: audit(1114731161.265:0): avc: denied { unlink } for name=halt dev=dm-0 ino=13 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:root_t tclass=file
Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc: denied { read } for name=config dev=dm-0 ino=17465776 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc: denied { getattr } for path=/etc/selinux/config dev=dm-0 ino=17465776 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
Please only report bugs in enforcing mode. (At least on the first pass.) A lot of these avc messages disappear in enforcing mode. /halt is mislabeled. restorecon /halt /etc/rhgb is mislabeled. Did you relabel? Also clear the log files after you switch and reboot, in enforcing mode. Then report the errors. Thanks.
Relabel was performed before reboot, and /var/log/messages was cleared. I relabeled twice from system-config-securitylevel and /etc/rhgb was not relabeled correctly. I checked /etc/rhgb and resolved the problem with fixfiles. For /halt I had to mkdir then restorecon it. The rest is set to allow in my custom.te file. I unchecked my custom.te in sepcut, shut down in permissive, and restarted with enforcing. I was unable to boot into the X server. A blue ncurses X configuration screen came up, so I set it back to permissive and rebooted. The following log entries occurred.

[Strict - Boot - Enforcing]
Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc: denied { getattr } for path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc: denied { search } for name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 29 17:15:36 xix kernel: audit(1114794927.858:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
Apr 29 17:15:36 xix kernel: audit(1114794927.859:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
Apr 29 17:15:36 xix kernel: audit(1114794927.860:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
Apr 29 17:15:36 xix kernel: audit(1114794927.861:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
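The AVC lines from the two boots above, merged into allow rules the way audit2allow does for a log file, so the mapping from "avc: denied" line to "allow src tgt:class { perms };" in the audit2allow output of the report is visible step by step. This is an added example and is not code from the bug report or from the selinux-policy package; the six sample lines are denials copied from the messages in this bug and embedded so the script runs offline, and the function names sample_log and avc_to_allow are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): a small
# stand-in for "audit2allow -l" that merges kernel "avc: denied" lines into
# allow rules, one per (source type, target type, object class), with the
# permissions merged and sorted so the output is deterministic.

# Constructed sample input: six AVC lines quoted in this bug, embedded here
# so the script needs no live /var/log/messages.
sample_log() {
    cat <<'EOF'
Apr 28 19:32:54 xix kernel: audit(1114716744.637:0): avc: denied { search } for name=nscd dev=dm-0 ino=20250719 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc: denied { getattr } for path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc: denied { search } for name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 29 17:15:36 xix kernel: audit(1114794927.858:0): avc: denied { execmem } for scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc: denied { read } for name=config dev=dm-0 ino=17465776 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc: denied { getattr } for path=/etc/selinux/config dev=dm-0 ino=17465776 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
EOF
}

# avc_to_allow: read "avc: denied" lines on stdin and print allow rules.
# Only the type field of user:role:type is kept, and a target type equal to
# the source type is written as "self", as audit2allow does.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perm = $0
        sub(/.*denied *\{ */, "", perm)     # drop everything up to "{ "
        sub(/ *\}.*/, "", perm)             # drop " }" and the rest
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "scontext=") == 1)      src = substr($i, 10)
            else if (index($i, "tcontext=") == 1) tgt = substr($i, 10)
            else if (index($i, "tclass=") == 1)   cls = substr($i, 8)
        }
        n = split(src, a, ":"); src = a[n]
        n = split(tgt, b, ":"); tgt = b[n]
        if (tgt == src) tgt = "self"
        key = src " " tgt ":" cls
        m = split(perm, p, " ")
        for (j = 1; j <= m; j++)
            if (index(" " perms[key] " ", " " p[j] " ") == 0)
                perms[key] = (perms[key] == "") ? p[j] : (perms[key] " " p[j])
    }
    END {
        for (key in perms) {
            m = split(perms[key], p, " ")
            for (i = 2; i <= m; i++) {        # insertion sort of the permissions
                v = p[i]; j = i - 1
                while (j > 0 && p[j] > v) { p[j + 1] = p[j]; j-- }
                p[j + 1] = v
            }
            list = p[1]
            for (i = 2; i <= m; i++) list = list " " p[i]
            if (m > 1) list = "{ " list " }"
            print "allow " key " " list ";"
        }
    }' | sort
}

# Stand-alone run: prints the four merged rules for the sample above.
sample_log | avc_to_allow
```

The output is not something to paste into a policy unread. The maintainer's reply makes the point for this bug: the /halt and /etc/rhgb denials came from mislabeled files, so the matching rules (initrc_t on root_t, rhgb_t on etc_t) are fixed with restorecon, not with allow lines, and the execmem denials on xdm_xserver_t were handled through the allow_execmem boolean rather than a local rule. For an actual module, run audit2allow -M against the log and load the result rather than this script.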
setsebool -P allow_execmem=1