At 10:44 PM -0500 5/4/06, Gene Heskett wrote:
>Tony Nelson wrote:
>>> So what actually is the magic incantation that will make this work?
>>>
>>
>> touch /.autorelabel
>> reboot
>> edit grub command line, appending "enforcing=0"
>> continue booting
>> wait
>>
>> SELinux must be active but not enforcing for it to relabel.
>>
>Ah, that might explain some of it, I thought it had to be disabled.
>
>I've now done an init 1, and invoked that command, which did take a
>while, 10 minutes or so.
>Then I re-enabled selinux and rebooted. Got huge amount of those
>warnings, 2-3 times more than before. And I spotted this near the end
>of the dmesg:
>May 4 02:49:09 diablo kernel: md: Autodetecting RAID arrays.
>May 4 02:49:09 diablo kernel: md: autorun ...
>May 4 02:49:10 diablo kernel: md: ... autorun DONE.
>
>audit(1146799877.012:325): avc: denied { read } for pid=2528 comm="restorecon" name="config" dev=hda5 ino=12898524 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file
>
>So I tried, in runlevel 3, restorecon -n /, and got this:
>audit(1146799877.012:325): avc: denied { read } for pid=2528 comm="restorecon" name="config" dev=hda5 ino=12898524 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file
>
>So what's wrong, and how did I arrive at this condition?

In permissive mode, AVC denials will still be logged, but they have no force.
____________________________________________________________________
TonyN.:' <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
      ' <http://www.georgeanelson.com/>
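
Added example, not part of the original message: a small parser for AVC denial records like the one quoted above. It extracts the source and target types and flags targets still typed file_t, the type files carry when they have no SELinux label, which is the state a relabel is meant to clear. The first sample line is the denial from the message (rejoined across the mail wrap); the second line and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Line 1: the denial quoted in the message. Line 2: constructed sample.
SAMPLE_LOG = """\
audit(1146799877.012:325): avc: denied { read } for pid=2528 comm="restorecon" name="config" dev=hda5 ino=12898524 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1146799877.020:326): avc: denied { getattr } for pid=2530 comm="httpd" name="index.html" dev=hda5 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# file_t marks files with no label in policies of this era;
# later policies use unlabeled_t for the same condition.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def context_type(ctx):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    fields["stype"] = context_type(fields.get("scontext", ""))
    fields["ttype"] = context_type(fields.get("tcontext", ""))
    fields["unlabeled_target"] = fields["ttype"] in UNLABELED_TYPES
    return fields

def summarize(log):
    """Return (all denials, denials on unlabeled targets, counts per type pair)."""
    records = [r for r in map(parse_avc, log.splitlines()) if r]
    unlabeled = [r for r in records if r["unlabeled_target"]]
    by_pair = Counter((r["stype"], r["ttype"], r["tclass"]) for r in records)
    return records, unlabeled, by_pair

if __name__ == "__main__":
    records, unlabeled, by_pair = summarize(SAMPLE_LOG)
    for (stype, ttype, tclass), n in by_pair.items():
        print(f"{n} denial(s): {stype} -> {ttype} ({tclass})")
    for r in unlabeled:
        print(f"unlabeled target: {r['name']} on {r['dev']} inode {r['ino']}")
```

Run over a saved dmesg or audit log while the system is permissive, the unlabeled-target list shows which files a relabel has not yet reached.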