-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alberto Ferrante wrote:
> A thing I just tried: if I run "setfiles -n" it gives me the wrong
> labels for the files:
>
> setfiles -nd /etc/selinux/targeted/contexts/files/file_contexts '/var/lib/xenstored'
> setfiles: /var/lib/xenstored matched by unconfined_u:object_r:unconfined_home_dir_t:s0
> setfiles: /var/lib/xenstored/tdb matched by unconfined_u:object_r:unconfined_home_t:s0
> filespec_eval: hash table stats: 2 elements, 2/65536 buckets used, longest chain length 1
>
> In /etc/selinux/targeted/contexts/files/file_contexts I have the
> following two entries for that directory:
>
> /var/lib/xenstored(/.*)? system_u:object_r:xenstored_var_lib_t:s0
> /var/run/xenstored(/.*)? system_u:object_r:xenstored_var_run_t:s0
>
> It sounds like it's not matching the entries in the file...
>
> Here is the AVC message related to xenstored, but I have many others!
>
> type=AVC msg=audit(1204647044.542:940): avc: denied { unlink } for pid=2322 comm="xenstored" name="tdb" dev=sda8 ino=704271 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:unconfined_home_dir_t:s0 tclass=file
> type=SYSCALL msg=audit(1204647044.542:940): arch=c000003e syscall=82 success=yes exit=0 a0=815480 a1=613780 a2=613796 a3=40da82 items=0 ppid=1 pid=2322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xenstored" exe="/usr/sbin/xenstored" subj=system_u:system_r:xenstored_t:s0 key=(null)
>
> Thanks for your help.
>
> Best regards,
> Alberto Ferrante
>
> |> > During the last few days I have been experiencing some strange problems on a
> |> > pre-production server (planned to become a production one this week...).
> |> > I am running xen with two virtual hosts. The problem is in the real host,
> |> > where something with selinux seems to have gone bad. I started having
> |> > selinux blocking different file accesses from different services. I
> |> > tried a full relabeling (the problems started after the last targeted
> |> > policy update made by yum) but it did not work. It seems like restorecon
> |> > always assigns the unconfined_u:object_r:unconfined_home_t label to all
> |> > the files. I am using the targeted policy. Please give advice on how to
> |> > solve this problem.
> |> >
> | Please attach the AVC messages from the audit.log. What directory is
> | labeled unconfined_home_t?
>

Do you have an entry in /etc/passwd with a homedir containing /var/lib? Does it have a UID > 500 and a login shell other than /bin/false or /sbin/nologin?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfNeR0ACgkQrlYvE4MpobPjfQCgwnih+F+ByOTQ4jKDoIUx3PLy
u2MAn2Kr6iNgJHdXZVZVobM9aXZv9752
=UvkA
-----END PGP SIGNATURE-----
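The /etc/passwd check the reply asks for, written out as a shell function. This is an added example for this page, not code from the thread or from the SELinux tooling; the sample passwd data it runs on is constructed, every account in it is hypothetical, and the 500 UID threshold and the /bin/false, /sbin/nologin, /usr/sbin/nologin shell list are taken from the reply's wording, not from whatever the policy's home-directory generator actually consults on a given box, so treat both as assumptions to adjust.

```shell
#!/bin/sh
# Added example (not from the thread): list passwd entries whose home directory
# sits at or under PREFIX, whose UID is at least MIN_UID, and whose shell is a
# real login shell. An account like that makes SELinux home-directory labelling
# treat the tree as a user home, which is one way a system directory such as
# /var/lib/... ends up labelled unconfined_home_dir_t / unconfined_home_t.
# Usage: find_home_entries PASSWD_FILE PREFIX MIN_UID
find_home_entries() {
    awk -F: -v prefix="$2" -v minuid="$3" '
        # Skip comments and malformed records; a passwd line has 7 fields.
        $1 ~ /^#/ || NF != 7 { next }
        {
            home = $6
            sub(/\/+$/, "", home)                 # normalise trailing slashes
            under = (home == prefix) || (index(home, prefix "/") == 1)
            # Shell list is an assumption taken from the reply; extend as needed.
            nologin = ($7 == "" || $7 == "/bin/false" ||
                       $7 == "/sbin/nologin" || $7 == "/usr/sbin/nologin")
            if (under && ($3 + 0) >= (minuid + 0) && !nologin)
                printf "%s uid=%s home=%s shell=%s\n", $1, $3, home, $7
        }' "$1"
}

# Constructed sample passwd data for the demonstration. Every account below is
# hypothetical; none is taken from the poster's system.
SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
xenstored:x:27:27:Xen store daemon:/var/lib/xenstored:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
alberto:x:500:500:Alberto:/home/alberto:/bin/bash
svcacct:x:1001:1001:Service account:/var/lib/:/bin/bash
backup:x:1002:1002:Backup agent:/var/lib/backup:/bin/false
EOF

# On the sample only svcacct is reported: xenstored's UID is below the
# threshold and backup has no login shell. Against a real system run:
#   find_home_entries /etc/passwd /var/lib 500
find_home_entries "$SAMPLE_PASSWD" /var/lib 500
```

A hit from this function is the thing to remove or relocate (give the account a home outside system trees, or a nologin shell), after which the home-directory rules need regenerating and the affected tree relabelling; if nothing is reported, the prefix or threshold may simply not match what the labelling tool on that box uses, so widen the prefix to / and lower the threshold before concluding passwd is not the cause.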