I've noticed that the behavior of my FC5 system differs dramatically depending on whether nscd is running. User info is stored in LDAP, and if nscd is running then applications talk to it. But if it's not running then the applications (or libc, at least) talk to the network themselves. This gets denied by selinux and things break. Most notably, the system won't even boot, because dbus just hangs forever spewing AVC messages to the console.
So I wonder if the intention is to make nscd mandatory, or if failures due to a lack of nscd are considered problematic. I have nothing against nscd, but I don't generally turn it on until after the system boots and has time to pull down configuration information so that encrypted ldap works. Obviously I'll be reworking my installation scripts to work around this.
- J<
On Thu, 2006-03-30 at 13:42 -0600, Jason L Tibbitts III wrote:
> I've noticed that the behavior of my FC5 system differs dramatically depending on whether nscd is running. User info is stored in LDAP, and if nscd is running then applications talk to it. But if it's not running then the applications (or libc, at least) talk to the network themselves. This gets denied by selinux and things break. Most notably, the system won't even boot, because dbus just hangs forever spewing AVC messages to the console.
> So I wonder if the intention is to make nscd mandatory, or if failures due to a lack of nscd are considered problematic. I have nothing against nscd, but I don't generally turn it on until after the system boots and has time to pull down configuration information so that encrypted ldap works. Obviously I'll be reworking my installation scripts to work around this.
Does 'setsebool -P allow_ypbind=1' help? Same issue applies for NIS (w/o nscd), and that boolean is intended to allow necessary network access.
I realize that the issue is more complicated, because even with nscd turned on, dbus-daemon still fails to start. It's looking in /etc/pki:
Mar 30 13:50:33 util10 kernel: audit(1143748233.484:304): avc: denied { search } for pid=1711 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
I wonder if I have broken something.
- J<
Jason L Tibbitts III wrote:
> I realize that the issue is more complicated, because even with nscd turned on, dbus-daemon still fails to start. It's looking in /etc/pki:
> Mar 30 13:50:33 util10 kernel: audit(1143748233.484:304): avc: denied { search } for pid=1711 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
> I wonder if I have broken something.
> - J<
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Can you setenforce now and then start it up, please collect all of the avc messages.
"DJW" == Daniel J Walsh <Daniel> writes:
DJW> Can you setenforce now and then start it up, please collect all
DJW> of the avc messages.
Since I can't even boot in enforcing mode, I'm running in permissive mode and just after boot I have 24 denials. Many of these are probably normal but several are looking in /etc/pki for various certs. These are probably related to LDAP; /etc/ldap.conf requires encryption so anything that needs to look at users or groups before nscd starts will need to see the certs.
cat /etc/ldap.conf
base dc=blah
uri ldaps://xxxx ldaps://yyyy ldaps://zzzz
bind_timelimit 3
idle_timelimit 3600
tls_checkpeer yes
tls_cacertfile /etc/pki/cacert.pem
sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 20
Policy from config file:        targeted
dmesg|grep avc
audit(1143749462.567:2): avc: denied { search } for pid=659 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143749475.708:3): avc: denied { read } for pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749475.708:4): avc: denied { getattr } for pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749475.772:5): avc: denied { read } for pid=1263 comm="fsck.ext3" name="mtab" dev=dm-0 ino=167311 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749475.772:6): avc: denied { getattr } for pid=1263 comm="fsck.ext3" name="mtab" dev=dm-0 ino=167311 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749476.672:7): avc: denied { write } for pid=1279 comm="mount" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749476.672:8): avc: denied { unlink } for pid=1279 comm="mount" name="blkid.tab.old" dev=dm-0 ino=165330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749476.672:9): avc: denied { link } for pid=1279 comm="mount" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749708.498:10): avc: denied { search } for pid=1719 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
audit(1143749708.498:11): avc: denied { read } for pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749708.498:12): avc: denied { getattr } for pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749708.498:13): avc: denied { read } for pid=1719 comm="dbus-daemon" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
audit(1143749710.051:14): avc: denied { mounton } for pid=1773 comm="mount" name="mail" dev=dm-4 ino=589827 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
audit(1143749711.663:15): avc: denied { read } for pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749711.663:16): avc: denied { getattr } for pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749711.663:17): avc: denied { read } for pid=1950 comm="automount" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
audit(1143749720.792:18): avc: denied { getattr } for pid=2240 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
audit(1143749720.792:19): avc: denied { search } for pid=2240 comm="hald" name="spool" dev=dm-4 ino=589825 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
audit(1143749801.841:20): avc: denied { write } for pid=2352 comm="mount" name="socket" dev=dm-4 ino=917527 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1143749801.841:21): avc: denied { connectto } for pid=2352 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
audit(1143749801.841:22): avc: denied { use } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=fd
audit(1143749801.841:23): avc: denied { read } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
audit(1143749801.841:24): avc: denied { getattr } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
audit(1143749801.869:25): avc: denied { getattr } for pid=2240 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
- J<
Jason L Tibbitts III wrote:
> "DJW" == Daniel J Walsh <Daniel> writes:
> DJW> Can you setenforce now and then start it up, please collect all
> DJW> of the avc messages.
> Since I can't even boot in enforcing mode, I'm running in permissive mode and just after boot I have 24 denials. Many of these are probably normal but several are looking in /etc/pki for various certs. These are probably related to LDAP; /etc/ldap.conf requires encryption so anything that needs to look at users or groups before nscd starts will need to see the certs.
> cat /etc/ldap.conf
> base dc=blah
> uri ldaps://xxxx ldaps://yyyy ldaps://zzzz
> bind_timelimit 3
> idle_timelimit 3600
> tls_checkpeer yes
> tls_cacertfile /etc/pki/cacert.pem
> sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 20
> Policy from config file:        targeted
> dmesg|grep avc
> audit(1143749462.567:2): avc: denied { search } for pid=659 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
> audit(1143749475.708:3): avc: denied { read } for pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749475.708:4): avc: denied { getattr } for pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749475.772:5): avc: denied { read } for pid=1263 comm="fsck.ext3" name="mtab" dev=dm-0 ino=167311 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749475.772:6): avc: denied { getattr } for pid=1263 comm="fsck.ext3" name="mtab" dev=dm-0 ino=167311 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749476.672:7): avc: denied { write } for pid=1279 comm="mount" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749476.672:8): avc: denied { unlink } for pid=1279 comm="mount" name="blkid.tab.old" dev=dm-0 ino=165330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749476.672:9): avc: denied { link } for pid=1279 comm="mount" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749708.498:10): avc: denied { search } for pid=1719 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
> audit(1143749708.498:11): avc: denied { read } for pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143749708.498:12): avc: denied { getattr } for pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143749708.498:13): avc: denied { read } for pid=1719 comm="dbus-daemon" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
> audit(1143749710.051:14): avc: denied { mounton } for pid=1773 comm="mount" name="mail" dev=dm-4 ino=589827 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
> audit(1143749711.663:15): avc: denied { read } for pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143749711.663:16): avc: denied { getattr } for pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143749711.663:17): avc: denied { read } for pid=1950 comm="automount" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
> audit(1143749720.792:18): avc: denied { getattr } for pid=2240 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
> audit(1143749720.792:19): avc: denied { search } for pid=2240 comm="hald" name="spool" dev=dm-4 ino=589825 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
> audit(1143749801.841:20): avc: denied { write } for pid=2352 comm="mount" name="socket" dev=dm-4 ino=917527 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
> audit(1143749801.841:21): avc: denied { connectto } for pid=2352 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
> audit(1143749801.841:22): avc: denied { use } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=fd
> audit(1143749801.841:23): avc: denied { read } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
> audit(1143749801.841:24): avc: denied { getattr } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
> audit(1143749801.869:25): avc: denied { getattr } for pid=2240 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
> - J<
Looks like you have a labeling problem. Your var partition looks like it is labeled file_t. So if you relabel, things might clear up:
touch /.autorelabel
reboot
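The diagnosis above rests on reading the target type out of each AVC record: a denial against file_t or default_t says the object never got a proper label, while a denial against a real type such as cert_t or nscd_t says the policy has no rule for that access. The Python below is an added example, not code from the thread or from Fedora's tooling. It parses the kernel audit format quoted above, copes with records run together on one line the way the archive rendered them, and sorts the denials into those two buckets grouped by (command, source type, target type, class). The bucket names, the function names and the UNLABELED_TYPES set are this example's own choices; the sample records are taken from the listing above.

```python
"""Triage of SELinux AVC denials: labeling problems vs. policy gaps.

Added example (not code from the thread). It parses the kernel audit AVC
format quoted above and sorts each denial into one of two buckets:
  labeling: the target carries file_t/default_t/unlabeled_t, i.e. the object
            never got a proper label; a relabel is the fix, not a policy rule.
  policy:   the target is correctly labeled (cert_t, nscd_t, ...) but the
            source domain lacks a rule; this is what audit2allow would turn
            into a local module and what a policy maintainer needs to judge.
"""
import re
from collections import defaultdict

# Each record starts with "audit(<secs>.<ms>:<serial>)"; several may share one line.
RECORD_START = re.compile(r"(?=audit\(\d+\.\d+:\d+\))")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types meaning "no proper label on the object", not "policy forbids access".
# This set is the example's own heuristic, matching the diagnosis in the thread.
UNLABELED_TYPES = frozenset({"file_t", "default_t", "unlabeled_t"})


def split_records(text):
    """Return one AVC record per list item, even when records run together on a line."""
    return [r.strip() for r in RECORD_START.split(text) if "avc:" in r]


def type_of(context):
    """Pull the type out of a context like user_u:role_r:type_t:s0-s0:c0.c255."""
    return context.split(":")[2]


def parse_avc(record):
    """Parse one record into a dict, or return None if it is not an AVC denial."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", "?"),
        "tclass": fields.get("tclass", "?"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
    }


def triage(records):
    """Group denials by (comm, source type, target type, class) into the two buckets."""
    buckets = {"labeling": defaultdict(set), "policy": defaultdict(set)}
    for rec in map(parse_avc, records):
        if rec is None:
            continue
        bucket = "labeling" if rec["ttype"] in UNLABELED_TYPES else "policy"
        key = (rec["comm"], rec["stype"], rec["ttype"], rec["tclass"])
        buckets[bucket][key] |= rec["perms"]
    return buckets


def domains_touching(buckets, ttype):
    """Which (comm, source type) pairs were denied access to objects of a given type."""
    return sorted({(c, s) for (c, s, t, _cls) in buckets["policy"] if t == ttype})


def report(text):
    """Human-readable summary, one line per distinct (domain, target, class) tuple."""
    buckets = triage(split_records(text))
    lines = []
    for bucket in ("labeling", "policy"):
        for (comm, stype, ttype, tclass), perms in sorted(buckets[bucket].items()):
            lines.append(f"{bucket}: {comm} ({stype}) -> {ttype}:{tclass} {{ {' '.join(sorted(perms))} }}")
    return lines


# Constructed sample: a handful of the records quoted in the thread, deliberately
# run together on two lines the way the mail archive rendered them.
SAMPLE_AVC = (
    'audit(1143749462.567:2): avc: denied { search } for pid=659 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir '
    'audit(1143749475.708:3): avc: denied { read } for pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file '
    'audit(1143749708.498:10): avc: denied { search } for pid=1719 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir\n'
    'audit(1143749708.498:11): avc: denied { read } for pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file '
    'audit(1143749708.498:12): avc: denied { getattr } for pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file '
    'audit(1143749711.663:15): avc: denied { read } for pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file '
    'audit(1143749720.792:18): avc: denied { getattr } for pid=2240 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir '
    'audit(1143749801.841:21): avc: denied { connectto } for pid=2352 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket'
)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AVC)))
```

Pointed at the full listing above, the file_t and default_t groups are the ones a relabel is meant to clear; whatever remains in the policy bucket is what audit2allow would turn into a local module, and the domains_touching view answers which domains are actually reaching for cert_t before a rule is written for them.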
"DJW" == Daniel J Walsh <Daniel> writes:
DJW> Looks like you have a labeling problem.
The system relabeled itself as part of the boot. But I've forced another relabel and there are eight fewer messages:
audit(1143750802.325:2): avc: denied { search } for pid=636 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143751052.509:3): avc: denied { search } for pid=1723 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
audit(1143751052.509:4): avc: denied { read } for pid=1723 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751052.517:5): avc: denied { getattr } for pid=1723 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751052.521:6): avc: denied { read } for pid=1723 comm="dbus-daemon" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
audit(1143751053.465:7): avc: denied { mounton } for pid=1777 comm="mount" name="mail" dev=dm-4 ino=589827 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
audit(1143751055.021:8): avc: denied { read } for pid=1954 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751055.021:9): avc: denied { getattr } for pid=1954 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143751055.025:10): avc: denied { read } for pid=1954 comm="automount" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
audit(1143751064.226:11): avc: denied { getattr } for pid=2244 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
audit(1143751064.230:12): avc: denied { search } for pid=2244 comm="hald" name="spool" dev=dm-4 ino=589825 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
audit(1143751066.602:13): avc: denied { write } for pid=2341 comm="mount" name="socket" dev=dm-4 ino=917527 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1143751066.602:14): avc: denied { connectto } for pid=2341 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
audit(1143751066.606:15): avc: denied { use } for pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=fd
audit(1143751066.606:16): avc: denied { read } for pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
audit(1143751066.606:17): avc: denied { getattr } for pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
I had been running with selinux disabled for some time, but when I enabled it earlier today the system relabeled itself and then it did so again when I switched to permissive. Does the boot-time relabel log the changes it makes? I'd like to see why the third relabel changed things.
In any case, there are still the cert failures which will keep the machine from booting.
- J<
Jason L Tibbitts III wrote:
> "DJW" == Daniel J Walsh <Daniel> writes:
> DJW> Looks like you have a labeling problem.
> The system relabeled itself as part of the boot. But I've forced another relabel and there are eight fewer messages:
> audit(1143750802.325:2): avc: denied { search } for pid=636 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
> audit(1143751052.509:3): avc: denied { search } for pid=1723 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
> audit(1143751052.509:4): avc: denied { read } for pid=1723 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143751052.517:5): avc: denied { getattr } for pid=1723 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143751052.521:6): avc: denied { read } for pid=1723 comm="dbus-daemon" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
> audit(1143751053.465:7): avc: denied { mounton } for pid=1777 comm="mount" name="mail" dev=dm-4 ino=589827 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
> audit(1143751055.021:8): avc: denied { read } for pid=1954 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143751055.021:9): avc: denied { getattr } for pid=1954 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143751055.025:10): avc: denied { read } for pid=1954 comm="automount" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
> audit(1143751064.226:11): avc: denied { getattr } for pid=2244 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
> audit(1143751064.230:12): avc: denied { search } for pid=2244 comm="hald" name="spool" dev=dm-4 ino=589825 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
> audit(1143751066.602:13): avc: denied { write } for pid=2341 comm="mount" name="socket" dev=dm-4 ino=917527 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
> audit(1143751066.602:14): avc: denied { connectto } for pid=2341 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
> audit(1143751066.606:15): avc: denied { use } for pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=fd
> audit(1143751066.606:16): avc: denied { read } for pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
> audit(1143751066.606:17): avc: denied { getattr } for pid=2341 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
> I had been running with selinux disabled for some time, but when I enabled it earlier today the system relabeled itself and then it did so again when I switched to permissive. Does the boot-time relabel log the changes it makes? I'd like to see why the third relabel changed things.
> In any case, there are still the cert failures which will keep the machine from booting.
> - J<
You can use audit2allow -l -M local -i /var/log/messages
to generate a loadable module, and work around this problem. The question I have is why do dbus and automount want to read the certificate files?
Dan
I have been informed that if you are running ldap-with-ssl you will need these permissions.
So added to selinux-policy-2.2.28-3
Available in Rawhide tomorrow. On ftp://people.redhat.com/dwalsh/SELinux/Fedora now.
Will be backported to FC5 soon.
Just FYI, I installed the rawhide policy and it does fix this problem. The system boots fine in enforcing mode. Lots of other denials, most of which are from pam_console_app but also some that keep boot-time NFS mounts from working. I'm assuming it's just not a good idea to be running the rawhide policy on otherwise stock FC5, so I'll go back to permissive mode with the old policy until an update arrives.
If, however, you'd like for me to report problems then I'd be happy to do so. I gather that I'm the only person running FC5, selinux and LDAP over SSL so perhaps my setup is odd in other ways that may be useful to you.
- J<
On Thu, 2006-03-30 at 17:36 -0500, Daniel J Walsh wrote:
> I have been informed that if you are running ldap-with-ssl you will need these permissions.
> So added to selinux-policy-2.2.28-3
> Available in Rawhide tomorrow. On ftp://people.redhat.com/dwalsh/SELinux/Fedora now.
> Will be backported to FC5 soon.
Is this under a boolean? Allowing such wide ranging access to the cert files is obviously not desirable in general...
Stephen Smalley wrote:
> On Thu, 2006-03-30 at 17:36 -0500, Daniel J Walsh wrote:
> > I have been informed that if you are running ldap-with-ssl you will need these permissions.
> > So added to selinux-policy-2.2.28-3
> > Available in Rawhide tomorrow. On ftp://people.redhat.com/dwalsh/SELinux/Fedora now.
> > Will be backported to FC5 soon.
> Is this under a boolean? Allowing such wide ranging access to the cert files is obviously not desirable in general...
Which should I put under a boolean?
grep -r miscfiles_read_cert .
./modules/apps/evolution.if: miscfiles_read_certs($1_evolution_server_t)
./modules/system/authlogin.if: miscfiles_read_certs($1_chkpwd_t)
./modules/system/authlogin.if: miscfiles_read_certs($1)
./modules/system/init.te:miscfiles_read_certs(initrc_t)
./modules/system/miscfiles.if:interface(`miscfiles_read_certs',`
./modules/admin/certwatch.te:miscfiles_read_certs(certwatch_t)
./modules/services/dbus.te:miscfiles_read_certs(system_dbusd_t)
./modules/services/cyrus.te:miscfiles_read_certs(cyrus_t)
./modules/services/fetchmail.te:miscfiles_read_certs(fetchmail_t)
./modules/services/dovecot.te:miscfiles_read_certs(dovecot_t)
./modules/services/nscd.te:miscfiles_read_certs(nscd_t)
./modules/services/ldap.te:miscfiles_read_certs(slapd_t)
./modules/services/automount.te:miscfiles_read_certs(automount_t)
./modules/services/postfix.if: miscfiles_read_certs(postfix_$1_t)
./modules/services/sasl.te:miscfiles_read_certs(saslauthd_t)
./modules/services/apache.te:miscfiles_read_certs(httpd_t)
./modules/services/squid.te:miscfiles_read_certs(squid_t)
I just added hal and automount?
On Thu, 2006-03-30 at 14:05 -0600, Jason L Tibbitts III wrote:
> I realize that the issue is more complicated, because even with nscd turned on, dbus-daemon still fails to start. It's looking in /etc/pki:
> Mar 30 13:50:33 util10 kernel: audit(1143748233.484:304): avc: denied { search } for pid=1711 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
> I wonder if I have broken something.
Ah, so your dbus config refers to files in /etc/pki? Likely not allowed by the current policy.
grep -r pki /etc/dbus-1