After updating to selinux-policy-targeted 1.17.30-3.13 I see the following errors in syslog:
audit(1119895261.549:0): avc: denied { execmod } for pid=19033 comm=crond path=/lib/libnsl-2.3.5.so dev=md0 ino=999535 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1119895261.552:0): avc: denied { execmod } for pid=19033 comm=crond path=/lib/libcrypt-2.3.5.so dev=md0 ino=999678 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1119886648.341:0): avc: denied { execmod } for pid=18933 comm=smbd path=/lib/libnss_files-2.3.5.so dev=md0 ino=998312 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1119889030.658:0): avc: denied { execmod } for pid=18980 comm=sshd path=/lib/libdl-2.3.5.so dev=md0 ino=999672 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
I cannot even ssh into the box! It's good that I didn't disconnect from the current ssh session. For now I disabled selinux.
It seems it also breaks squid:
audit(1119878211.583:0): avc: denied { append } for pid=3071 exe=/usr/sbin/squid path=/var/log/squid/squid.out dev=sda2 ino=1465950 scontext=user_u:system_r:squid_t tcontext=root:object_r:var_log_t tclass=file
You have a labeling problem. Did you run with selinux disabled?
restorecon -R -v /var/log
Should fix its labeling.
touch /.autorelabel
reboot
Will relabel the entire system.
selinux-policy-targeted 1.17.30-3.15 should fix the lib_t error.
Dan
I cannot reboot, so I ran fixfiles restore, but it didn't help (why?). Are you sure relabeling /var/log will help with avc: denied { execmod } for pid=18980 comm=sshd path=/lib/libdl-2.3.5.so dev=md0 ino=999672 ? Or will 1.17.30-3.15 help even without relabeling? BTW, it happened on about 5 different servers, so of course I disabled selinux, as otherwise customers would have killed me. And I'm very afraid to enable it now. Is it possible to relabel the entire system without rebooting?
Please go to ftp://people.redhat.com/dwalsh/SELinux/FC3 and grab the latest policy 1.17.30-3.15 and see if this fixes the problem. This should be available via update tomorrow.
Dan
Fixed in selinux-policy-targeted-1.17.30-3.16
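
Added example, not part of the original thread and not code from the SELinux project: a small Python triage script that parses AVC denial lines in the format quoted above and groups them by source type, target type, class and permission, so the five denials in this thread collapse into two distinct cases (unconfined_t on lib_t, and squid_t on var_log_t). The function names are hypothetical, the sample input is constructed from the lines quoted in the comments, and the parser assumes space-separated key=value fields with no spaces inside paths.

```python
import re
from collections import defaultdict

# Constructed sample: the five denials quoted in this thread, one per line.
SAMPLE = """\
audit(1119895261.549:0): avc: denied { execmod } for pid=19033 comm=crond path=/lib/libnsl-2.3.5.so dev=md0 ino=999535 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1119895261.552:0): avc: denied { execmod } for pid=19033 comm=crond path=/lib/libcrypt-2.3.5.so dev=md0 ino=999678 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1119886648.341:0): avc: denied { execmod } for pid=18933 comm=smbd path=/lib/libnss_files-2.3.5.so dev=md0 ino=998312 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1119889030.658:0): avc: denied { execmod } for pid=18980 comm=sshd path=/lib/libdl-2.3.5.so dev=md0 ino=999672 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1119878211.583:0): avc: denied { append } for pid=3071 exe=/usr/sbin/squid path=/var/log/squid/squid.out dev=sda2 ino=1465950 scontext=user_u:system_r:squid_t tcontext=root:object_r:var_log_t tclass=file
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    # Everything after "for" is key=value pairs; split only on the first "=".
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val.strip('"')
    return rec

def selinux_type(context):
    """Extract the type (third field) from a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def group_denials(text):
    """Map (source type, target type, class, perms) -> affected processes and paths."""
    groups = defaultdict(lambda: {"procs": set(), "paths": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or "scontext" not in rec or "tcontext" not in rec:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec.get("tclass", "?"), rec["perms"])
        # Some lines identify the process with comm=, others with exe=.
        groups[key]["procs"].add(rec.get("comm") or rec.get("exe", "?"))
        groups[key]["paths"].add(rec.get("path", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls, perms), g in sorted(group_denials(SAMPLE).items()):
        print(f"{src} -> {tgt} ({cls}) denied: {' '.join(perms)}")
        print(f"  processes: {sorted(g['procs'])}  paths: {sorted(g['paths'])}")
```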