Bug 456912 - AVC deny messages when managing clusters with luci
AVC deny messages when managing clusters with luci
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
5.3
All Linux
low Severity low
: rc
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-28 11:54 EDT by Ryan McCabe
Modified: 2008-07-28 12:39 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-28 12:39:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ryan McCabe 2008-07-28 11:54:16 EDT
While testing some cluster suite stuff with selinux in enforcing, I get the AVCs
below using selinux-policy-targeted-2.4.6-137.el5:

When trying to authenticate:

type=AVC msg=audit(1217259698.328:8216): avc:  denied  { read } for  pid=4501
comm="saslauthd" name="passwd" dev=dm-0 ino=2621553
scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file

Trying to get cluster status:
type=AVC msg=audit(1217259762.498:8226): avc:  denied  { read } for  pid=4446
comm="oddjobd" name="passwd" dev=dm-0 ino=2621553
scontext=system_u:system_r:oddjob_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file
Comment 1 Daniel Walsh 2008-07-28 12:39:40 EDT
You have a mislabeled system.  your passwd file should not be labeled file_t. 
This means that SELinux labels were never applied to this file.  You can add a
label by using the restorecon command.

restorecon /etc/passwd

If you see other file_t context then the entire machine might need to be relabeled

touch /.autorelabel
reboot

If you are mv'ing files off of an ulabeled device you might need to put labels
onto them by using restorecon.

Note You need to log in before you can comment on or make changes to this bug.