From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
After yum --exclude=\*4.0.0-8\* update and reboot, dmesg shows the following lines:

ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (8191 buckets, 65528 max) - 272 bytes per conntrack
eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
audit(1116973947.095:0): avc: denied { read } for pid=1692 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1116973947.095:0): avc: denied { getattr } for pid=1692 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
parport: PnPBIOS parport detected.

Full dmesg is attached.

Version-Release number of selected component (if applicable):
kernel-2.6.11-1.1341_FC4

How reproducible:
Didn't try

Steps to Reproduce:

Additional info:
Created attachment 114805 [details] full dmesg output
Were you in permissive mode when you got these AVC messages? If so, they would not show up in enforcing mode, so we ignore them. There is a dontaudit rule that tells the system not to audit an attempt to read the config file (something all tools linked with libselinux try to do). But in permissive mode the app is allowed to continue on and hits additional denials. If in permissive mode, this bug should be closed.

Dan
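The distinction Dan draws (denials on /etc/selinux/config that policy dontaudits, but which still surface when the system runs permissive) can be checked mechanically when reading a log. The following is an added example, not part of this bug report or of any Fedora tool: it parses AVC denial lines in the kernel-2.6 format shown above, both bare from dmesg and with the /var/log/messages syslog prefix, and separates the read/getattr probes of selinux_config_t from denials that still need a look. The third sample line (a write denial on etc_t) is constructed for illustration and is not from the report.

```python
import re
from collections import Counter

# Kernel-2.6 era AVC line, as seen in dmesg and, with a syslog prefix,
# in /var/log/messages on the reporter's machine.
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]*)\} for "
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type; only the type matters for this triage.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

# Per Dan's comment: libselinux-linked tools probe /etc/selinux/config and
# policy dontaudits that probe, so in permissive mode these are expected noise.
DONTAUDIT_NOISE = {"selinux_config_t": {"read", "getattr"}}

def is_permissive_noise(rec):
    allowed = DONTAUDIT_NOISE.get(rec["ttype"])
    return bool(allowed) and rec["tclass"] == "file" and set(rec["perms"]) <= allowed

def triage(lines):
    """Return (noise, review) Counters keyed by (source type, target type, class, perms)."""
    noise, review = Counter(), Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))
        (noise if is_permissive_noise(rec) else review)[key] += 1
    return noise, review

# Sample input: the two lines from the report (dmesg and syslog form) plus one
# constructed write denial that would deserve a real look.
SAMPLE_LINES = [
    'audit(1116973947.095:0): avc: denied { read } for pid=1692 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file',
    'May 24 20:08:02 lambda kernel: audit(1116986880.078:0): avc: denied { getattr } for pid=1708 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file',
    'audit(1116986880.079:0): avc: denied { write } for pid=1716 comm="dhclient" name=resolv.conf dev=dm-0 ino=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file',  # constructed
]
```

Running triage(SAMPLE_LINES) files the two config probes under noise and leaves the constructed write denial in the review set, so only the latter would be worth carrying into enforcing mode for a second look.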
If I interpret this correctly:

[root@lambda ~]# yum list | grep -i selinux
libselinux.i386 1.23.10-2 installed
libselinux-devel.i386 1.23.10-2 installed
selinux-policy-targeted.noarch 1.23.16-6 installed
libselinux-debuginfo.i386 1.23.10-2 development
selinux-doc.noarch 1.19.5-1 development
selinux-policy-strict.noarch 1.23.16-6 development
selinux-policy-strict-sources.noarch 1.23.16-6 development
selinux-policy-targeted-sources.noarch 1.23.16-6 development
[root@lambda ~]#

I am using targeted, rather than strict policies. And:

[root@lambda ~]# selinuxenabled
[root@lambda ~]# echo $?
0
[root@lambda ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

and permissive mode rather than strict. I touched /.autorelabel and rebooted. I still get these messages in /var/log/messages:

May 24 20:08:02 lambda kernel: audit(1116986880.078:0): avc: denied { read } for pid=1708 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
May 24 20:08:02 lambda kernel: audit(1116986880.078:0): avc: denied { getattr } for pid=1708 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file

So it looks like a process or file related to starting this daemon:

system_u:system_r:dhcpc_t root 1716 1 0 20:07 ? 00:00:00 /sbin/dhclient -1 -q -cf /etc/dhclient-eth0.conf -lf /var/lib/dhcp/dhclient-eth0.leases -pf /var/run/dhclient-eth0.pid eth0

might have a problem with its security policy.
Please redirect this issue so it gets resolved properly rather than simply closing it. Thanks.
You need to change permissive to enforcing and then the AVC messages will go away.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

We only fix AVC messages that show up in enforcing mode.
I changed /etc/selinux/config to set SELINUX=enforcing, touched /.autorelabel, entered shutdown -r now, and the messages disappeared.