Re: Can't boot FC4;avc denied error message


 





On 8/2/06, David Desscan <ddesscan@xxxxxxxxx> wrote:


On 8/2/06, Tod Merley < todbot88@xxxxxxxxx> wrote:


Hi David!

Learning with you, not an expert!

I did find that AVC appears to be strongly associated, if not SElinux:

http://www.die.net/doc/linux/man/man3/avc_cache_stats.3.html

And is mentioned in at least one SElinux FAQ:

 From : http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2826243
=========
Many thanks for the web links.  In fact I am new to SElinux.  I started reading about it after this problem.  However I am determined to understand it.  I have another system running FC4 which serves as backup.  I'll use this one to understand the functioning of SElinux.
=========
 
Q:   
My application isn't working as expected and I am seeing avc: denied messages, how do I fix this?

A:   
This message means that the current SELinux policy is not allowing the application to do something. There are a number of reasons this could happen.

First, one of the files the application is trying to access could be mislabeled. If the AVC message refers to a specific file, inspect its current label with ls -alZ /path/to/file. If it seems wrong, you could try using restorecon -v /path/to/file. If you have a large number of denials related to files, you may want to use fixfiles relabel, or run restorecon with the -R option to recursively relabel a directory path.
===============
I have booted linux rescue and checked the mingetty attributes in /sbin.  However I can't say whether it's wrong.  I have done a restorecon -v and noted that the label did not change.  I am getting an avc denied for hotplug as well.  I have checked on the other FC4 system; mingetty has no label and hotplug has the same label as on the faulty system.
 
rwxr-xr-x  root root system_u:object_r:hotplug_exec_t hotplug
rwxr-xr-x  root root system_u:object_r:getty_exec_t mingetty (no label on working system)
 
=====================
 
Other times, denials may be due to a configuration change in the program not being allowed by the policy. For example, if you change Apache to also listen on port 8800, this will require a change in the security policy, apache.te. See External Link List for more information about writing policy.

If you are having trouble getting a specific application like Apache to work, see How to use system-config-securitylevel for how to disable enforcement just for that application.
=================================
I have not done major changes lately.  I am trying to install a tacacs+ server on Linux.  Well I did not reboot my system for a while and when I did, I could access the console.  I have compiled tcp_wrappers, skey, openssh and tacacs+.  Since I could not find the tac_plus.conf file after installation, I decided to reboot.
==================
 
AVC may have to do with other things I am still googling.

If I were you I would be looking at my policy file and turning off SElinux to see what is going on.

I hope this helps!

Good Hunting!
 

Tod
 

=======================

Thanks Stephen for your suggestion and the others as well.  I am new to SElinux and all the information you provided is very useful.  Disabling it would just be like sweeping the problem under the carpet.


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Hi David,

Do hope I indeed was helpful.

The end of Stephen Smalley's response I would spend some time on (might well explain the hotplug thing).

You might also consider doing an update.

Good hunting!

Tod
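
The FAQ answer quoted in this thread starts from what the AVC message itself says. As an added example (not part of the thread or the FAQ), the following Python script parses kernel "avc: denied" lines and groups them by source type, target type and object, so each distinct denial can be checked with ls -alZ. The log lines are constructed for illustration; only the file names and target labels (mingetty, hotplug) come from the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel's "avc: denied" format; timestamps,
# pids, inodes, devices and source contexts are made up for illustration.
SAMPLE_LOG = """\
audit(1154500000.101:0): avc:  denied  { execute } for  pid=301 comm="init" name="mingetty" dev=hda2 ino=4711 scontext=system_u:system_r:init_t tcontext=system_u:object_r:getty_exec_t tclass=file
audit(1154500000.102:0): avc:  denied  { read } for  pid=301 comm="init" name="mingetty" dev=hda2 ino=4711 scontext=system_u:system_r:init_t tcontext=system_u:object_r:getty_exec_t tclass=file
audit(1154500001.200:0): avc:  denied  { execute } for  pid=315 comm="kernel" name="hotplug" dev=hda2 ino=4802 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:hotplug_exec_t tclass=file
Aug  2 10:00:02 host kernel: EXT3-fs: mounted filesystem with ordered data mode.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(log_text):
    """Map (source type, target type, class, object name) -> sorted permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "scontext" not in rec or "tcontext" not in rec:
            continue
        # A context is user:role:type (an MLS range may follow); index 2 is the type.
        stype = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        key = (stype, ttype, rec.get("tclass", "?"), rec.get("name", "?"))
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def report(log_text):
    """One line per distinct denial, merging repeated messages for the same object."""
    return [f"{s} denied {{ {' '.join(p)} }} on {c} '{n}' labeled {t}"
            for (s, t, c, n), p in sorted(summarize(log_text).items())]

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Each reported object name and target type is what to compare against the output of ls -alZ on the file, as the FAQ describes.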
