A thing I just tried: if I run "setfiles -n" it gives me the wrong labels for the files:

setfiles -nd /etc/selinux/targeted/contexts/files/file_contexts '/var/lib/xenstored'
setfiles: /var/lib/xenstored matched by unconfined_u:object_r:unconfined_home_dir_t:s0
setfiles: /var/lib/xenstored/tdb matched by unconfined_u:object_r:unconfined_home_t:s0
filespec_eval: hash table stats: 2 elements, 2/65536 buckets used, longest chain length 1

In /etc/selinux/targeted/contexts/files/file_contexts I have the following two entries for that directory:

/var/lib/xenstored(/.*)? system_u:object_r:xenstored_var_lib_t:s0
/var/run/xenstored(/.*)? system_u:object_r:xenstored_var_run_t:s0

It sounds like it's not matching the entries in the file...

Here is the AVC message related to xenstored, but I have many others!

type=AVC msg=audit(1204647044.542:940): avc: denied { unlink } for pid=2322 comm="xenstored" name="tdb" dev=sda8 ino=704271 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:unconfined_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1204647044.542:940): arch=c000003e syscall=82 success=yes exit=0 a0=815480 a1=613780 a2=613796 a3=40da82 items=0 ppid=1 pid=2322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xenstored" exe="/usr/sbin/xenstored" subj=system_u:system_r:xenstored_t:s0 key=(null)

Thanks for your help.

Best regards,
Alberto Ferrante

|> > during the last days I have been experiencing some strange problems on a
|> > pre-production server (planned to become a production one this week...).
|> > I am running xen with two virtual hosts. The problem is in the real host
|> > where something with selinux seems to have gone bad. I started having
|> > selinux blocking different file accesses from different services. I
|> > tried a full relabeling (the problems started after the last targeted
|> > policy update made by yum) but it did not work. It seems like restorecon
|> > always assigns the unconfined_u:object_r:unconfined_home_t label to all
|> > the files. I am using the targeted policy. Please give advice on how to
|> > solve this problem.
|> >
| Please attach the AVC messages from the audit.log. What directory is
| labeled unconfined_home_t?

--
Home page: http://www.alari.ch/people/alberto/personal
Flickr gallery: http://www.flickr.com/photos/albertof
Public key: http://www.alari.ch/people/alberto/pubkey.txt
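
Added example, not part of the original message: a Python check that matches the paths from the setfiles output against the two file_contexts entries quoted in the message and lists where the label setfiles chose differs. It assumes whole-path regex matching with later entries overriding earlier ones and ignores the optional file-type field; the sample strings are copied from the message and the function names are hypothetical.

```python
import re

# Constructed from the message: the two file_contexts entries it quotes.
FILE_CONTEXTS = """\
/var/lib/xenstored(/.*)? system_u:object_r:xenstored_var_lib_t:s0
/var/run/xenstored(/.*)? system_u:object_r:xenstored_var_run_t:s0
"""

# Constructed from the message: the "matched by" lines printed by setfiles -n.
SETFILES_OUTPUT = """\
setfiles: /var/lib/xenstored matched by unconfined_u:object_r:unconfined_home_dir_t:s0
setfiles: /var/lib/xenstored/tdb matched by unconfined_u:object_r:unconfined_home_t:s0
"""

def parse_file_contexts(text):
    """Return [(compiled_regex, context)] from 'regex [-type] context' lines."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        # An optional middle field (file-type flag such as -- or -d) is ignored here.
        specs.append((re.compile(fields[0]), fields[-1]))
    return specs

def expected_context(specs, path):
    """Assumption: the regex must match the whole path; the last match wins."""
    found = None
    for regex, context in specs:
        if regex.fullmatch(path):
            found = context
    return found

def label_type(context):
    """Return the type field of user:role:type:level, or the raw value."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def compare(specs, setfiles_output):
    """Return [(path, type setfiles chose, type the listed entries give)]."""
    mismatches = []
    pattern = r"^setfiles:\s+(\S+) matched by (\S+)$"
    for m in re.finditer(pattern, setfiles_output, re.M):
        path, chosen = m.groups()
        expected = expected_context(specs, path)
        if expected and label_type(expected) != label_type(chosen):
            mismatches.append((path, label_type(chosen), label_type(expected)))
    return mismatches

if __name__ == "__main__":
    for path, chosen, expected in compare(parse_file_contexts(FILE_CONTEXTS), SETFILES_OUTPUT):
        print(f"{path}: setfiles chose {chosen}, quoted entries give {expected}")
```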