Re: Odd messages during bootup from gdm

[Gene Heskett <gene.heskett@xxxxxxxxxxx>]

Tony Nelson wrote:
> At 9:27 PM -0500 5/4/06, Gene Heskett wrote:
>   
> > Gene Heskett wrote:
> >     
> > > Gene Heskett wrote:
> > >       
> > > > Paul Howarth wrote:
> > > >         
> > > > > I'd suggest relabelling the system before trying anything else. This
> > > > > will take a long time so schedule it at an appropriate time.
> > > > >
> > > > > Set SELinux to permissive mode, reboot, and in the grub menu add
> > > > > "autorelabel" to the end of the "kernel" line.
> > > > >
> > > > > After rebooting you can change SELinux back to enforcing mode if
> > > > > that's the setting you had before.
> > > > >
> > > > > That will probably fix most of the AVC issues you're seeing.
> > > > >
> > > > > Paul.
> > > > >
> > > > >           
> > > > Ok, thats next, I can answer the rest of this mail after thats done.
> > > > Thanks :)
> > > >
> > > >         
> > > Unforch, the append on the kernel line of grub.conf did nothing.  so I
> > > read the manpage again, and "touch /.autorelabel" is the magic spell.
> > > Back in a bit...
> > >
> > >       
> > Except that 4 reboots later I have not succeeded in getting the relabel
> > to work.  I've tried SELINUX=disabled and SELINUX=permissive in
> > /etc/selinux/config while leaving the SELINUXTYPE=targeted setting.
> >
> > So what actually is the magic incantation that will make this work?
> >     
>
> touch /.autorelabel
> reboot
> edit grub command line, appending "enforcing=0"
> continue booting
> wait
>
> SELinux must be active but not enforcing for it to relabel.
>   
Ah, that might explain some of it, I thought it had to be disabled.

I've now done an init 1, and invoked that command, which did take a 
while, 10 minutes or so.
Then I re-enabled selinux and rebooted.   Got huge amount of those 
warnings, 2-3 times more than before.  And I spotted this near the end 
of the dmesg:
May  4 02:49:09 diablo kernel: md: Autodetecting RAID arrays.
May  4 02:49:09 diablo kernel: md: autorun ...
May  4 02:49:10 diablo kernel: md: ... autorun DONE.

audit(1146799877.012:325): avc:  denied  { read } for  pid=2528 
comm="restorecon" name="config" dev=hda5 ino=12898524 
scontext=root:system_r:re
storecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file

So I tried, in runlevel 3, restorecon -n /, and got this:
audit(1146799877.012:325): avc:  denied  { read } for  pid=2528 
comm="restorecon" name="config" dev=hda5 ino=12898524 
scontext=root:system_r:re
storecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file

So whats wrong, and how did I arrive at this condition?

> ____________________________________________________________________
> TonyN.:'                       <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
>       '                              <http://www.georgeanelson.com/>
>
>   


--
Cheers, Gene