On 8/4/06, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Fri, 2006-08-04 at 16:29 +0200, David Desscan wrote:
> > On 8/4/06, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > On Fri, 2006-08-04 at 04:25 +0200, David Desscan wrote:
> > > > uname -r
> > > rpm -q selinux-policy-targeted
> > >
> > My kernel version is 2.6.17-1.2142_FC4
> > SElinux policy targeted version is 1.27.1-2.28
>
> Ok, nothing interesting there (same kernel and policy works fine here
> for me).
>
> /etc/rc.d/rc.sysinit runs restorecon -R /dev to fix up the dev labels
> created before initial policy load, then udev handles labeling of all
> subsequent nodes. Can you verify that your rc.sysinit script contains
> the restorecon -R /dev command? If you run that sequence by hand (but
> don't redirect stderr to /dev/null), does it work?
>
> --
> Stephen Smalley
> National Security Agency

I am getting another avc denied message when I add a user with the useradd/adduser command.

audit(1154719461.914:11): avc : denied {create} for pid=2394 comm="useradd" name=".bashrc" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=file

audit(1154719461.930:12): avc : denied {create} for pid=2394 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file

useradd : cannot rewrite password file.

I have checked /etc for .lock files. Each time I delete them, they are recreated after the useradd command and then I get the same error message.

I did a fixfiles relabel and rebooted my system but still get the same error message. I have also noted that some files have not been relabeled (avc denied relabel from;comm=setfiles).

When I log on as root I also noticed an avc denied message with login:

audit(1154723141.305.3): avc : denied {relabel} for pid=2044 comm="login" name="tty1" dev=tmpfs ino=727 scontext=system_u:system_r:kernel_t tcontext=root:object_r:tty_device_t tclass=chr_file

I rebooted my system with enforcing=0. I logged in as root. It did not flag the error message I used to get when logging in as root (it logged it, however). I checked with sestatus that SELinux is in permissive mode. I created a user with useradd. It displayed the above avc denied message (when adding a new user) but created the user. I added a password and su'd to the new user. I got an avc denied with su for relabel as with login above and noted dev=tmpfs.

Something strange: subsequent adding of users does not flag the avc denied for .bashrc and passwd.

I rebooted my system after that. I get the usual avc denied login relabel message and cannot create users.

useradd:cannot rewrite password file.

SELinux mode=enforcing.

Thanks for your help.