Tony Nelson wrote:
At 10:44 PM -0500 5/4/06, Gene Heskett wrote:
Tony Nelson wrote:
So what actually is the magic incantation that will make this work?
touch /.autorelabel
reboot
edit grub command line, appending "enforcing=0"
continue booting
wait
SELinux must be active but not enforcing for it to relabel.
Ah, that might explain some of it, I thought it had to be disabled.
I've now done an init 1, and invoked that command, which did take a
while, 10 minutes or so.
Then I re-enabled selinux and rebooted. Got huge amount of those
warnings, 2-3 times more than before. And I spotted this near the end
of the dmesg:
May 4 02:49:09 diablo kernel: md: Autodetecting RAID arrays.
May 4 02:49:09 diablo kernel: md: autorun ...
May 4 02:49:10 diablo kernel: md: ... autorun DONE.
audit(1146799877.012:325): avc: denied { read } for pid=2528
comm="restorecon" name="config" dev=hda5 ino=12898524
scontext=root:system_r:restorecon_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=file
So I tried, in runlevel 3, restorecon -n /, and got this:
audit(1146799877.012:325): avc: denied { read } for pid=2528
comm="restorecon" name="config" dev=hda5 ino=12898524
scontext=root:system_r:restorecon_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=file
So what's wrong, and how did I arrive at this condition?
In permissive mode, AVC denials will still be logged, but they have no force.
Ahh, now the bulb brightens a bit. I thought it strange that I was
getting 20-30k of squawks in the log, but everything appeared to be working.
That find command is running, but so far it's only spit out the
/.bash_history and /.viminfo files, and it's now done.
Thanks for the patience, I appreciate it.
Thanks.
____________________________________________________________________
TonyN.:' <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
' <http://www.georgeanelson.com/>
--
Cheers, Gene
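
An added example, not part of the original thread or written by either poster: a small Python parser for AVC denial records like the one quoted above. It flags denials whose target type is file_t, the type given to files that carry no SELinux label, which is the condition a relabel fixes. The function names and the second sample line are constructed for illustration.

```python
import re
from collections import Counter

# First line is the denial posted in the thread (rejoined onto one line);
# the second is constructed for contrast and is not from the thread.
SAMPLE_LOG = """\
audit(1146799877.012:325): avc: denied { read } for pid=2528 comm="restorecon" name="config" dev=hda5 ino=12898524 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1146799880.101:326): avc: denied { getattr } for pid=2601 comm="httpd" name="index.html" dev=hda5 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the denial's fields, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:mls-range]; the type is the third field.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':')
        rec[key[0] + 'type'] = parts[2] if len(parts) >= 3 else None
    return rec

def unlabeled_targets(log_text):
    """Denials whose target is file_t, i.e. a file with no SELinux label."""
    recs = filter(None, map(parse_avc, log_text.splitlines()))
    return [r for r in recs if r['ttype'] == 'file_t']

def summarize(log_text):
    """Count denials per (source type, target type, class)."""
    recs = filter(None, map(parse_avc, log_text.splitlines()))
    return Counter((r['stype'], r['ttype'], r.get('tclass')) for r in recs)

if __name__ == '__main__':
    for r in unlabeled_targets(SAMPLE_LOG):
        print(f"unlabeled: {r['name']} on {r['dev']} inode {r['ino']} "
              f"(denied {','.join(r['perms'])} to {r['comm']})")
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

Many file_t targets left in the log after a relabel pass suggest the relabel did not reach those files; the dev and ino fields identify which ones.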