I have a fresh FC2T2 install. I did the following to make up2date work:
/usr/bin/setfilecon system_u:object_r:rpm_exec_t /usr/sbin/up2date
Then I ran "up2date-nox kernel"
The following appeared. It seems the kernel did install OK.
audit(1080787992.351:0): avc: denied { search } for pid=20375 exe=/bin/bash name=root dev=hda8 ino=179873 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_dir_t tclass=dir
/bin/bash: /root/.bashrc: Permission denied
audit(1080787998.806:0): avc: denied { search } for pid=20791 exe=/sbin/grubby name=root dev=hda8 ino=179873 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_dir_t tclass=dir
On Thu, 1 Apr 2004 14:38, Dax Kelson dax@gurulabs.com wrote:
> I have a fresh FC2T2 install. I did the following to make up2date work:
> /usr/bin/setfilecon system_u:object_r:rpm_exec_t /usr/sbin/up2date
> Then I ran "up2date-nox kernel"
> The following appeared. It seems the kernel did install OK.
> audit(1080787992.351:0): avc: denied { search } for pid=20375 exe=/bin/bash name=root dev=hda8 ino=179873 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_dir_t tclass=dir
> /bin/bash: /root/.bashrc: Permission denied
What was the working directory at the time you ran up2date? Was it /home/something?
We don't want to grant such domains wide access, and we also don't want large dontaudit rules (they increase the size of the policy, increase kernel memory use, etc).
Is it acceptable that sometimes if you run something from an unusual directory then it will cause an audit message?
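A small parser for the AVC denials quoted in this thread, added here as an example and not code from any of the posters: it groups denials by source type, target type and object class, and renders the dontaudit rule that would silence each group, which is the trade-off the reply above weighs against a larger policy. The sample lines are the two denials from the thread; the function names are my own.

```python
import re

# Sample input: the two denials quoted in this thread, one per line (the mail
# had run them together on a single line).
SAMPLE_AVC = """\
audit(1080787992.351:0): avc: denied { search } for pid=20375 exe=/bin/bash name=root dev=hda8 ino=179873 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1080787998.806:0): avc: denied { search } for pid=20791 exe=/sbin/grubby name=root dev=hda8 ino=179873 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_dir_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "perms": m.group("perms").split()}
    rec.update(dict(FIELD_RE.findall(m.group("fields"))))
    # The type is the third field of a user:role:type security context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text):
    """Group denied permissions by (source type, target type, class), the
    key a policy rule is written against."""
    groups = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        groups.setdefault(key, set()).update(rec["perms"])
    return groups


def dontaudit_rules(groups):
    """Render each group as the dontaudit rule that would silence it."""
    return [f"dontaudit {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]
```

Both denials collapse to a single rule, `dontaudit bootloader_t staff_home_dir_t:dir { search };`, which is why one rule per unusual working directory quickly adds up to the policy-size cost mentioned above.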
Dax Kelson wrote:
> I have a fresh FC2T2 install. I did the following to make up2date work:
> /usr/bin/setfilecon system_u:object_r:rpm_exec_t /usr/sbin/up2date
> Then I ran "up2date-nox kernel"
> The following appeared. It seems the kernel did install OK.
> audit(1080787992.351:0): avc: denied { search } for pid=20375 exe=/bin/bash name=root dev=hda8 ino=179873 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_dir_t tclass=dir
> /bin/bash: /root/.bashrc: Permission denied
> audit(1080787998.806:0): avc: denied { search } for pid=20791 exe=/sbin/grubby name=root dev=hda8 ino=179873 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Messages will be gone in tomorrow's build.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list