Bug 209950 - many avc denied messages after setting mls
many avc denied messages after setting mls
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-mls (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-10-08 14:39 EDT by Gene Czarcinski
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:17:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
mls policy avc messages (5.05 KB, text/plain)
2006-10-08 14:39 EDT, Gene Czarcinski
no flags Details
/var/log/messages for mls bootup (26.55 KB, text/plain)
2006-10-08 14:40 EDT, Gene Czarcinski
no flags Details

  None (edit)
Description Gene Czarcinski 2006-10-08 14:39:20 EDT
Description of problem:
After selecting permissive/mls, setting /.autorelabel and reboot.  Then reboot
again to get "clean" record.  Get 21 avc denied messages during bootup/root
login (see attachment).  Also attaching that portion of /var/log/messages for
the bootup.

see related for strict policy:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209949

Version-Release number of selected component (if applicable):
fc6-devel as of 10/8/2006, minimal server fresh install (no X)
Comment 1 Gene Czarcinski 2006-10-08 14:39:20 EDT
Created attachment 138014 [details]
mls policy avc messages
Comment 2 Gene Czarcinski 2006-10-08 14:40:26 EDT
Created attachment 138015 [details]
/var/log/messages for mls bootup
Comment 3 Daniel Walsh 2006-10-17 17:25:43 EDT
If you change a user from user_r to staff_r you need relabel the homedir 

restorecon -R -v /home should do the trick.

anacron.pid seems to have the incorrect context on it. Not sure how it got
created incorrectly but restorecon /var/run/anacron.pid

pcscd needs policy to work correctly.  Patches accepted :^)

multipath.stati looks like it needs a lvm_exec_t label on it?
Comment 4 Daniel Walsh 2006-10-25 13:53:51 EDT
Please retry with selinux-policy-2.4.1-4
Comment 5 Gene Czarcinski 2006-10-25 15:33:19 EDT
I assume that 2.4.1-4 will be in testing in a day or so ... 2.4.1-3 is there now.
Comment 6 Daniel Walsh 2006-10-25 15:52:59 EDT
2.4.1-4 is out on my people page now.  Should be in BETA2 and rawhide.
Comment 7 Gene Czarcinski 2006-10-27 14:34:55 EDT
could not find it at http://people.redhat.com/dwalsh/  ... could you be mnore
specific as to where it is.

I would also appreciate it if this update was pushed to updates/testing (2.4.1-3
is there now).
Comment 8 Daniel Walsh 2007-08-22 10:17:30 EDT
Should be fixed in the current release

Note You need to log in before you can comment on or make changes to this bug.