On 8/2/06, Tod Merley <todbot88@xxxxxxxxx> wrote:
Hi David!
Learning with you, not an expert!
I did find that AVC appears to be strongly associated, if not SElinux:
http://www.die.net/doc/linux/man/man3/avc_cache_stats.3.html
And it is mentioned in at least one SElinux FAQ:
From: http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2826243
=========
Many thanks for the web links. In fact I am new to SElinux. I started reading about it after this problem. However I am determined to understand it. I have another system running FC4 which serves as backup. I'll use this one to understand the functioning of SElinux.
=========
Q:
My application isn't working as expected and I am seeing avc: denied messages, how do I fix this?
A:
This message means that the current SELinux policy is not allowing the application to do something. There are a number of reasons this could happen.
First, one of the files the application is trying to access could be mislabeled. If the AVC message refers to a specific file, inspect its current label with ls -alZ /path/to/file. If it seems wrong, you could try using restorecon -v /path/to/file. If you have a large number of denials related to files, you may want to use fixfiles relabel, or run restorecon with the -R option to recursively relabel a directory path.
===============
I have booted linux rescue and checked the mingetty attributes in /sbin. However, I can't say whether it's wrong. I have done a restorecon -v and noted that the label did not change. I am getting an avc denied for hotplug as well. I have checked on the other FC4 system; mingetty has no label and hotplug has the same label as the faulty system.
rwxr-xr-x root root system_u:object_r:hotplug_exec_t hotplug
rwxr-xr-x root root system_u:object_r:getty_exec_t mingetty (no label on working system)
=====================
Other times, denials may be due to a configuration change in the program not being allowed by the policy. For example, if you change Apache to also listen on port 8800, this will require a change in the security policy, apache.te. See External Link List for more information about writing policy.
If you are having trouble getting a specific application like Apache to work, see How to use system-config-securitylevel for how to disable enforcement just for that application.
=================================
I have not made major changes lately. I am trying to install a tacacs+ server on Linux. Well, I did not reboot my system for a while, and when I did, I could access the console. I have compiled tcp_wrappers, skey, openssh and tacacs+. Since I could not find the tac_plus.conf file after installation, I decided to reboot.
==================
AVC may have to do with other things; I am still googling.
If I were you, I would be looking at my policy file and turning off SElinux to see what is going on.
I hope this helps!
Good Hunting!
Tod
=======================
Thanks Stephen for your suggestion, and the others as well. I am new to SElinux and all the information you provided is very useful. Disabling it would just be like sweeping the problem under the carpet.
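As an added illustration of the FAQ procedure quoted above (not code from the thread, the FAQ, or Fedora), the script below reduces "avc: denied" lines of the kind David is seeing to the fields that matter (permission, source domain, target type, class, file name) and then prints the ls -alZ / restorecon -v checks the FAQ recommends for each file-class denial. The two log lines are constructed samples modelled on the mingetty and hotplug denials mentioned in the thread; pids, device and inode numbers are made up, and the search root is a parameter because an AVC line carries only a basename, not a full path.

```shell
#!/bin/sh
# Constructed sample of two AVC denials in the dmesg format of an FC3/FC4-era
# system (not real log data; pids, dev and ino values are invented).
AVC_SAMPLE='audit(1154500000.123:4): avc:  denied  { execute } for  pid=1012 comm="init" name="mingetty" dev=hda2 ino=1234 scontext=system_u:system_r:init_t tcontext=system_u:object_r:getty_exec_t tclass=file
audit(1154500001.456:5): avc:  denied  { read write } for  pid=1020 comm="hotplug" name="hotplug" dev=hda2 ino=5678 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:hotplug_exec_t tclass=file'

# avc_summary LOGTEXT
# Prints one line per denial: "<perms> <scontext> <tcontext> <tclass> <name>".
# Permissions between "{" and "}" are joined with commas; key=value fields are
# picked out by name so field order in the log does not matter.
avc_summary() {
    printf '%s\n' "$1" | awk '
    /avc: +denied/ {
        perm = ""; sctx = "?"; tctx = "?"; tclass = "?"; name = "?"; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) { perm = perm (perm == "" ? "" : ",") $i; continue }
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "scontext") sctx = kv[2]
            else if (kv[1] == "tcontext") tctx = kv[2]
            else if (kv[1] == "tclass") tclass = kv[2]
            else if (kv[1] == "name") { name = kv[2]; gsub(/"/, "", name) }
        }
        print perm, sctx, tctx, tclass, name
    }'
}

# avc_checks LOGTEXT SEARCHROOT
# For every file-class denial, emit (not run) the two commands the FAQ
# suggests: inspect the current label, then reset it from the policy's file
# contexts.  The file is located under SEARCHROOT by basename.
avc_checks() {
    avc_summary "$1" | while read -r perm sctx tctx tclass name; do
        [ "$tclass" = "file" ] || continue
        printf '# %s was denied %s on %s (currently labelled %s)\n' "$sctx" "$perm" "$name" "$tctx"
        printf 'find %s -name %s -exec ls -alZ {} \\;\n' "$2" "$name"
        printf 'find %s -name %s -exec restorecon -v {} \\;\n' "$2" "$name"
    done
}

avc_checks "$AVC_SAMPLE" /sbin
```

Compare the tcontext printed for each denial against the label on a known-good system before running restorecon; if the label is already what the policy expects, the denial is a policy problem rather than a mislabelling.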