Included below are the avc denied messages from trying to do an autorelabel while in enforcing mode with the strict policy. There are also messages about line 64 of rc.sysinit: permission denied. Looks like sysinit (initrc_t) is trying to write to /selinux/enforce without being allowed to do so. Thus setfiles cannot read file_contexts.
HTH,
Richard Hally

Dec 6 05:53:56 new2 kernel: audit(1102330419.769:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file
Dec 6 05:53:56 new2 kernel: audit(1102330419.769:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file
Dec 6 05:53:56 new2 kernel: audit(1102330420.005:0): avc: denied { read } for pid=1279 exe=/usr/sbin/setfiles name=file_contexts dev=dm-0 ino=3998097 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_context_t tclass=file
Dec 6 05:53:56 new2 kernel: audit(1102330420.026:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file
Dec 6 05:53:56 new2 kernel: audit(1102330420.026:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file
On Monday 06 December 2004 22:13, Richard Hally rhallyx@mindspring.com wrote:
> Included below are the avc denied messages from trying to do an autorelabel while in enforcing mode with the strict policy. There are also messages about line 64 of rc.sysinit: permission denied. Looks like sysinit (initrc_t) is trying to write to /selinux/enforce without being allowed to do so.
can_setenforce(initrc_t)
We need to add the above to initrc.te inside the ifdef(`distro_redhat' part.
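The denials quoted above are the kind of thing audit2allow turns into candidate allow rules before a policy author decides whether an existing macro such as can_setenforce() already covers them. The following is an added example, not code from the thread or from the SELinux tools: it parses AVC lines of the format shown above and groups the denied permissions by (source type, target type, class). The sample log is a constructed copy of three of the denials from Richard's post.

```python
import re
from collections import defaultdict

# Constructed sample: three denial lines copied in shape from the thread above.
SAMPLE_AVC = """\
Dec 6 05:53:56 new2 kernel: audit(1102330419.769:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file
Dec 6 05:53:56 new2 kernel: audit(1102330420.005:0): avc: denied { read } for pid=1279 exe=/usr/sbin/setfiles name=file_contexts dev=dm-0 ino=3998097 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_context_t tclass=file
Dec 6 05:53:56 new2 kernel: audit(1102330420.026:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val  # pid, exe, name, dev, ino, scontext, tcontext, tclass
    return rec


def type_of(context):
    """system_u:system_r:initrc_t -> initrc_t (third field of a context)."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    need = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            need[key] |= rec["perms"]
    return dict(need)


def allow_rules(log_text):
    """Render the summary as candidate TE allow rules (audit2allow-style)."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in summarize(log_text).items()
    )


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
```

The security_t:file write rule it emits is the access the thread attributes to can_setenforce(initrc_t); the file_context_t read denial is the knock-on failure of setfiles once the relabel could not proceed, so it should be checked against the policy rather than pasted in blindly.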
selinux@lists.fedoraproject.org