Linux Archive > Redhat > Fedora SELinux Support

12-21-2007, 03:19 PM
"Daniel B. Thurman"

GDM problems: gdm-binary

Daniel B. Thurman wrote:
>
>Due to reasons of my /usr space partition running out of
>room, I had tar-copied my /usr/share directory into different
>partition, deleted the contents of /usr/share, changed the
>fstab to mount the /share partition /usr/share. Because there
>is a filesystem change, I believed an autorelabel is necessary
>to ensure that all of the selinux tags are properly labeled.
>
>Fortunately, after a reboot, I was able to log into my system,
>but not without some problems. The following is a list of issues
>that cropped up during the ordeal:
>
>When I rebooted after changing /usr/share:
>
>1. The normal linux textscreen data appears
>2. udev
>3. A black screen with quick X11 black/white "watch" cursor popped up
> then it disappeared quickly, like a flash.
> [NOTE:
> Here, you would normally see a gnome cursor with a blue spinner
> then a gui screen showing the progress bar on the loading of services
> ]
>4. Then it switched back into text mode showing (among other things),
> the last 4 lines:
> a. Remounting / rw
> b. Mounting local filesystems
> c. Doing local filesystem quotas
> d. Enabling /etc/fstab swap
> [text-cursor sits waiting] and less than a minute later,
> (Maybe services are being loaded during this waiting period
> but you cannot know or see it, can only assume it is or after
> logging in. Turns out that services are loaded successfully.
> It is interesting to note that loading of services are VERY
> QUICK compared to watching the gui screen on service loading
> progress. Interesting.)
>5. The gui login screen pops up.
>6. I am able to log in as myself as a normal user.
>7. Many sealert messages popped up, most of them showing GDM, sendmail,
> clamav, spamassassin avc denial errors.
>8. After hours trying restorecon in progression:
> a. /var/run/{clamav-milter,clamd.clamdsvc} directory
> i. restorecon -vR on these directories did not work, sealerts kept coming
> ii. Changed directory permissions to 750, owners to [owner]:root
> Problem solved. sealert stopped.
> b. SpamAssassin
> i. After many attempts to fix this, I finally tried:
> rm -fr ~[users]/.spamassasin directories
> Problem solved. sealerts stopped for spamassassin.
> [NOTE: ~[user]/.spamassassin is automatically recreated.]
>9. Now, trying to solve gdm-binary problems:
> a. Remove and reinstall GDM.
> It fixed a /var/log/messages error entry that showed gdm-binary was
> segfaulting, but it did not restore the missing services-loading gui
> screen and there are still problems with gdm-binary and sealerts.
>
> b. Grepping for GDM in the /var/log/messages file reveals:
>
> + Dec 19 07:42:59 linux setroubleshoot: #012 SELinux is preventing gdm-binary (xdm_t) "signal" to <Unknown> (mono_t).#012 For complete SELinux messages. run sealert -l 966ed3a0-cb89-41cc-8eff-7168d263b538
> + Dec 19 07:47:17 linux gdm-binary[2998]: (null): cannot open shared object file: No such file or directory
>
> Running: sealert -l 966ed3a0-cb89-41cc-8eff-7168d263b538
> ========================================================
> Summary
> SELinux is preventing gdm-binary (xdm_t) "signal" to <Unknown> (mono_t).
>
> Detailed Description
> SELinux denied access requested by gdm-binary. It is not expected that this
> access is required by gdm-binary and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access
> You can generate a local policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
>
> Additional Information
>
> Source Context          system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context          system_u:system_r:mono_t:s0-s0:c0.c1023
> Target Objects          None [ process ]
> Affected RPM Packages
> Policy RPM              selinux-policy-3.0.8-64.fc8
> Selinux Enabled         True
> Policy Type             targeted
> MLS Enabled             True
> Enforcing Mode          Enforcing
> Plugin Name             plugins.catchall
> Host Name               linux.cdkkt.com
> Platform                Linux linux.cdkkt.com 2.6.23.8-63.fc8 #1 SMP Wed
>                         Nov 21 18:51:08 EST 2007 i686 i686
> Alert Count             2
> First Seen              Wed Dec 19 07:42:32 2007
> Last Seen               Wed Dec 19 07:42:48 2007
> Local ID                966ed3a0-cb89-41cc-8eff-7168d263b538
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { signal } for comm=gdm-binary pid=3060
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
> tcontext=system_u:system_r:mono_t:s0-s0:c0.c1023
> ======================================================
>
> c. I am thinking of removing and reinstalling mono since it seems
> that mono problems are showing in the above sealert trace?
>
>Note:
> 1. Tar (with --xattrs) and cp -a does not preserve the selinux tags
> at all. It seems broken. It is possible, but not verified, that
> maybe the copy-over of some files got corrupted?
> 2. It seems that autorelabeling does not completely relabel and restore
> selinux tags faithfully?
>
>

I have reinstalled gdm, rhgb, clamav-milter, spamass-milter
and I am not able to fix the problems I am trying to solve.

I found some more problems with selinux tags and somehow it
is not able to label files after an autorelabel which I was
hoping it would fix but does not. Can someone please tell
me how to fix these problems?

From /var/log/audit log:
=============================================================
type=SYSCALL msg=audit(1198252520.322:187): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc093c0 a2=b7f6d31c a3=0 items=0 ppid=2700 pid=3667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1198252520.322:187): avc: denied { connectto } for pid=3667 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1198252486.805:186): avc: denied { connectto } for pid=3647 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

From /var/log/messages log: (Note that all of these errors are
coming from the /usr/share that is mounted from a drive partition
while all in / is in its own partition, but /usr/share)
=============================================================
Dec 21 07:50:21 linux kernel: audit(1198252191.457:5): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.457:6): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.457:7): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.457:8): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.457:9): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.457:10): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.457:11): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.547:12): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.547:13): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.547:14): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.547:15): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.547:16): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.548:17): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.548:18): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.548:19): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.548:20): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.687:21): avc: denied { search } for pid=1170 comm="ifconfig" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.687:22): avc: denied { search } for pid=1170 comm="ifconfig" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.687:23): avc: denied { search } for pid=1170 comm="ifconfig" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.688:24): avc: denied { search } for pid=1170 comm="ifconfig" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.688:25): avc: denied { search } for pid=1170 comm="ifconfig" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.688:26): avc: denied { search } for pid=1170 comm="ifconfig" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252191.688:27): avc: denied { search } for pid=1170 comm="ifconfig" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.653:28): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.931:29): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.939:30): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.939:31): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.939:32): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.939:33): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.959:34): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.959:35): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.959:36): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.959:37): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.959:38): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.959:39): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.959:40): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.959:41): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.960:42): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.960:43): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.961:44): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.961:45): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.961:46): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.961:47): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.961:48): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.962:49): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.962:50): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.962:51): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.962:52): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.962:53): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.962:54): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.964:55): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.964:56): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.990:57): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.990:58): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.990:59): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.990:60): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.990:61): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252193.990:62): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.175:63): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.175:64): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.175:65): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.175:66): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.354:67): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.374:68): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.374:69): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.374:70): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.374:71): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.407:72): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.408:73): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.408:74): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.408:75): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.408:76): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.408:77): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.408:78): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.468:79): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.468:80): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.468:81): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.468:82): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.468:83): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.468:84): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.494:85): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.494:86): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.494:87): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.494:88): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.494:89): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.494:90): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.494:91): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.570:92): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.570:93): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.570:94): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.570:95): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.571:96): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.571:97): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.571:98): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.571:99): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.603:100): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.603:101): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.603:102): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.603:103): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.847:104): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.847:105): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.847:106): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.847:107): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.847:108): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.847:109): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.854:110): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.854:111): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.094:112): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.350:113): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.350:114): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.351:115): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.351:116): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.351:117): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.351:118): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.351:119): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.351:120): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.351:121): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.351:122): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.351:123): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.351:124): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.352:125): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.352:126): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.352:127): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.352:128): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.352:129): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.352:130): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.352:131): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.352:132): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.352:133): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.352:134): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.353:135): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.353:136): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.353:137): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.353:138): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.353:139): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.353:140): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_ubject_r:default_t:s0 tclass=dir

Dec 21 07:51:05 linux setroubleshoot: #012 SELinux is preventing /usr/sbin/clamav-milter (clamd_t) "append" to <Unknown> (var_log_t).#012 For complete SELinux messages. run sealert -l 3339843a-b196-4c68-8241-0b8722c2ec40
Dec 21 07:53:11 linux setroubleshoot: #012 SELinux is preventing sendmail (sendmail_t) "connectto" to /var/run/spamass-milter/spamass-milter.sock (initrc_t).#012 For complete SELinux messages. run sealert -l 70f55a23-8d63-4ffe-9d17-1cd63ac4123f

No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.17.6/1192 - Release Date: 12/21/2007 1:17 PM


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
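
Added example, not part of the original thread: grouping the denials from the message above by the object they hit shows how few distinct labels are behind the flood. The sample lines are constructed from the denials quoted in this thread, with contexts written in full `user:role:type:level` form, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the denials quoted in this thread, with the
# contexts written in full user:role:type:level form.
SAMPLE_LOG = """\
Dec 21 07:50:21 linux kernel: audit(1198252194.847:108): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252194.854:110): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.094:112): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.350:113): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
Dec 21 07:50:21 linux kernel: audit(1198252195.351:115): avc: denied { search } for pid=1179 comm="Xorg" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1198252520.322:187): avc: denied { connectto } for pid=3667 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1198252486.805:186): avc: denied { connectto } for pid=3647 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def ctx_type(context):
    """Extract the type field from a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def group_by_target(log_text):
    """Collapse denials onto the object they hit.

    Key: (target type, class, object id). Value: denial count plus the set of
    source domains and permissions, so one bad label shows up as one row.
    """
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "perms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "tcontext" not in rec or "scontext" not in rec:
            continue
        # Prefer a full path; otherwise identify the object by device and inode.
        obj = rec.get("path") or "{}:{}:{}".format(
            rec.get("dev", "?"), rec.get("ino", "?"), rec.get("name", "?"))
        key = (ctx_type(rec["tcontext"]), rec.get("tclass", "?"), obj)
        groups[key]["count"] += 1
        groups[key]["sources"].add(ctx_type(rec["scontext"]))
        groups[key]["perms"].update(rec["perms"])
    return dict(groups)


if __name__ == "__main__":
    for (ttype, tclass, obj), g in sorted(group_by_target(SAMPLE_LOG).items()):
        print("{:>3}x {} {} {} <- {} {{ {} }}".format(
            g["count"], ttype, tclass, obj,
            ",".join(sorted(g["sources"])), " ".join(sorted(g["perms"]))))
```

In the `unix_stream_socket` row the target type is that of the process that created the listening socket, so it can differ from the label `ls -Z` shows on the socket file.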
 
Old 12-21-2007, 03:57 PM
Paul Howarth
 
Default GDM problems: gdm-binary

Daniel B. Thurman wrote:
> Daniel B. Thurman wrote:
>> Due to reasons of my /usr space partition running out of
>> room, I had tar-copied my /usr/share directory into different
>> partition, deleted the contents of /usr/share, changed the
>> fstab to mount the /share partition /usr/share. Because there
>> is a filesystem change, I believed an autorelabel is necessary
>> to ensure that all of the selinux tags are properly labeled.

...

> I found some more problems with selinux tags and somehow it
> is not able to label files after a autorelabel which I was
> hoping it would fix but does not. Can someone please tell
> me how to fix these problems?
>
> From /var/log/audit log:
> ================================================== ===========
> type=SYSCALL msg=audit(1198252520.322:187): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc093c0 a2=b7f6d31c a3=0 items=0 ppid=2700 pid=3667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
> type=AVC msg=audit(1198252520.322:187): avc: denied { connectto } for pid=3667 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1198252486.805:186): avc: denied { connectto } for pid=3647 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

This looks remarkably like this bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=425958

You seem to have the socket labelled as initrc_t rather than
spamd_var_run_t, but I don't know why this should happen.

Can you post the output of:
$ ls -lZd /var/run
$ ls -laZ /var/run/spamass-milter
$ sestatus -v

> From /var/log/messages log: (Note that all of these errors are
> coming from the /usr/share that is mounted from a drive partition
> while all in / is in its own partition, but /usr/share)
> ================================================== ===========
> Dec 21 07:50:21 linux kernel: audit(1198252191.457:5): avc: denied { search } for pid=1169 comm="rhgb" name="share" dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir

Try unmounting /usr/share, labelling the now-empty directory as mnt_t,
remounting /usr/share and labelling the mounted directory as usr_t.


Paul.

 
Old 12-21-2007, 04:05 PM
"Daniel B. Thurman"
 
Default GDM problems: gdm-binary

Paul Howarth wrote:
>Daniel B. Thurman wrote:
>> Daniel B. Thurman wrote:
>>> Due to reasons of my /usr space partition running out of
>>> room, I had tar-copied my /usr/share directory into different
>>> partition, deleted the contents of /usr/share, changed the
>>> fstab to mount the /share partition /usr/share. Because there
>>> is a filesystem change, I believed an autorelabel is necessary
>>> to ensure that all of the selinux tags are properly labeled.
>
>...
>
>> I found some more problems with selinux tags and somehow it
>> is not able to label files after a autorelabel which I was
>> hoping it would fix but does not. Can someone please tell
>> me how to fix these problems?
>>
>>>From /var/log/audit log:
>> ================================================== ===========
>> type=SYSCALL msg=audit(1198252520.322:187): arch=40000003
>syscall=102 success=no exit=-13 a0=3 a1=bfc093c0 a2=b7f6d31c
>a3=0 items=0 ppid=2700 pid=3667 auid=4294967295 uid=0 gid=0
>euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none)
>comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
>subj=system_u:system_r:sendmail_t:s0 key=(null)
>> type=AVC msg=audit(1198252520.322:187): avc: denied {
>connectto } for pid=3667 comm="sendmail"
>path="/var/run/spamass-milter/spamass-milter.sock"
>scontext=system_u:system_r:sendmail_t:s0
>tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>> type=AVC msg=audit(1198252486.805:186): avc: denied {
>connectto } for pid=3647 comm="sendmail"
>path="/var/run/spamass-milter/spamass-milter.sock"
>scontext=system_u:system_r:sendmail_t:s0
>tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>
>This looks remarkably like this bug report:
>https://bugzilla.redhat.com/show_bug.cgi?id=425958
>
>You seem to have the socket labelled as initrc_t rather than
>spamd_var_run_t, but I don't know why this should happen.
>
>Can you post the output of:
>$ ls -lZd /var/run

drwxr-xr-x root root system_u:object_r:var_run_t:s0 /var/run

>$ ls -laZ /var/run/spamass-milter

drwxr-x--- sa-milt root system_u:object_r:spamd_var_run_t:s0 .
drwxr-xr-x root root system_u:object_r:var_run_t:s0 ..
srwxr-xr-x sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0 spamass-milter.sock

>$ sestatus -v

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

Process contexts:
Current context: unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/sbin/mingetty system_u:system_r:getty_t:s0
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling term: unconfined_u:object_r:unconfined_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:init_exec_t:s0
/sbin/mingetty system_u:object_r:getty_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
/lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0

>
>>From /var/log/messages log: (Note that all of these errors are
>> coming from the /usr/share that is mounted from a drive partition
>> while all in / is in its own partition, but /usr/share)
>> ================================================== ===========
>> Dec 21 07:50:21 linux kernel: audit(1198252191.457:5): avc:
>denied { search } for pid=1169 comm="rhgb" name="share"
>dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0
>tcontext=user_u:object_r:default_t:s0 tclass=dir
>
>Try unmounting /usr/share, labelling the now-empty directory as mnt_t,

How do I do this, please?

>remounting /usr/share and labelling the mounted directory as usr_t.
>
>Paul.

 
Old 12-21-2007, 05:24 PM
Paul Howarth
 
Default GDM problems: gdm-binary

On Fri, 21 Dec 2007 09:05:55 -0800
"Daniel B. Thurman" <dant@cdkkt.com> wrote:

> Paul Howarth wrote:
> >Daniel B. Thurman wrote:
> >> Daniel B. Thurman wrote:
> >>> Due to reasons of my /usr space partition running out of
> >>> room, I had tar-copied my /usr/share directory into different
> >>> partition, deleted the contents of /usr/share, changed the
> >>> fstab to mount the /share partition /usr/share. Because there
> >>> is a filesystem change, I believed an autorelabel is necessary
> >>> to ensure that all of the selinux tags are properly labeled.
> >
> >...
> >
> >> I found some more problems with selinux tags and somehow it
> >> is not able to label files after a autorelabel which I was
> >> hoping it would fix but does not. Can someone please tell
> >> me how to fix these problems?
> >>
> >>>From /var/log/audit log:
> >> ================================================== ===========
> >> type=SYSCALL msg=audit(1198252520.322:187): arch=40000003
> >syscall=102 success=no exit=-13 a0=3 a1=bfc093c0 a2=b7f6d31c
> >a3=0 items=0 ppid=2700 pid=3667 auid=4294967295 uid=0 gid=0
> >euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none)
> >comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
> >subj=system_u:system_r:sendmail_t:s0 key=(null)
> >> type=AVC msg=audit(1198252520.322:187): avc: denied {
> >connectto } for pid=3667 comm="sendmail"
> >path="/var/run/spamass-milter/spamass-milter.sock"
> >scontext=system_u:system_r:sendmail_t:s0
> >tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> >> type=AVC msg=audit(1198252486.805:186): avc: denied {
> >connectto } for pid=3647 comm="sendmail"
> >path="/var/run/spamass-milter/spamass-milter.sock"
> >scontext=system_u:system_r:sendmail_t:s0
> >tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> >
> >This looks remarkably like this bug report:
> >https://bugzilla.redhat.com/show_bug.cgi?id=425958
> >
> >You seem to have the socket labelled as initrc_t rather than
> >spamd_var_run_t, but I don't know why this should happen.
> >
> >Can you post the output of:
> >$ ls -lZd /var/run
>
> drwxr-xr-x root root system_u:object_r:var_run_t:s0 /var/run
>
> >$ ls -laZ /var/run/spamass-milter
>
> drwxr-x--- sa-milt root system_u:object_r:spamd_var_run_t:s0 .
> drwxr-xr-x root root system_u:object_r:var_run_t:s0 ..
> srwxr-xr-x sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0
> spamass-milter.sock

This all looks normal so I guess you're not getting the AVCs from
spamass-milter anymore?

> >>From /var/log/messages log: (Note that all of these errors are
> >> coming from the /usr/share that is mounted from a drive partition
> >> while all in / is in its own partition, but /usr/share)
> >> ================================================== ===========
> >> Dec 21 07:50:21 linux kernel: audit(1198252191.457:5): avc:
> >denied { search } for pid=1169 comm="rhgb" name="share"
> >dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0
> >tcontext=user_u:object_r:default_t:s0 tclass=dir
> >
> >Try unmounting /usr/share, labelling the now-empty directory as
> >mnt_t,
>
> How do I do this, please?

# umount /usr/share
# chcon -t mnt_t /usr/share

> >remounting /usr/share and labelling the mounted directory as usr_t.

# mount /usr/share
# chcon -t usr_t /usr/share

Paul.

 
Old 12-21-2007, 06:54 PM
"Daniel B. Thurman"
 
Default GDM problems: gdm-binary

Paul Howarth wrote:

>"Daniel B. Thurman" <dant@cdkkt.com> wrote:
>> Paul Howarth wrote:
>
>This all looks normal so I guess you're not getting the AVCs from
>spamass-milter anymore?

Rats, I forgot to add that I still get the sealert
errors reporting type initrc_t, even though the actual
type on the file is spamd_var_run_t

Please read the previous post for my detailed report
other than the above I forgot to include. Sorry about
that!

Dan

 
Old 12-21-2007, 06:55 PM
"Daniel B. Thurman"
 
Default GDM problems: gdm-binary

Paul Howarth wrote:
>"Daniel B. Thurman" <dant@cdkkt.com> wrote:
>
>> Paul Howarth wrote:
>> >Daniel B. Thurman wrote:
>> >> Daniel B. Thurman wrote:
>> >>> Due to reasons of my /usr space partition running out of
>> >>> room, I had tar-copied my /usr/share directory into different
>> >>> partition, deleted the contents of /usr/share, changed the
>> >>> fstab to mount the /share partition /usr/share. Because there
>> >>> is a filesystem change, I believed an autorelabel is necessary
>> >>> to ensure that all of the selinux tags are properly labeled.
>> >
>> >...
>> >
>> >> I found some more problems with selinux tags and somehow it
>> >> is not able to label files after a autorelabel which I was
>> >> hoping it would fix but does not. Can someone please tell
>> >> me how to fix these problems?
>> >>
>> >>>From /var/log/audit log:
>> >> ================================================== ===========
>> >> type=SYSCALL msg=audit(1198252520.322:187): arch=40000003
>> >syscall=102 success=no exit=-13 a0=3 a1=bfc093c0 a2=b7f6d31c
>> >a3=0 items=0 ppid=2700 pid=3667 auid=4294967295 uid=0 gid=0
>> >euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none)
>> >comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
>> >subj=system_u:system_r:sendmail_t:s0 key=(null)
>> >> type=AVC msg=audit(1198252520.322:187): avc: denied {
>> >connectto } for pid=3667 comm="sendmail"
>> >path="/var/run/spamass-milter/spamass-milter.sock"
>> >scontext=system_u:system_r:sendmail_t:s0
>> >tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>> >> type=AVC msg=audit(1198252486.805:186): avc: denied {
>> >connectto } for pid=3647 comm="sendmail"
>> >path="/var/run/spamass-milter/spamass-milter.sock"
>> >scontext=system_u:system_r:sendmail_t:s0
>> >tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>> >
>> >This looks remarkably like this bug report:
>> >https://bugzilla.redhat.com/show_bug.cgi?id=425958
>> >
>> >You seem to have the socket labelled as initrc_t rather than
>> >spamd_var_run_t, but I don't know why this should happen.
>> >
>> >Can you post the output of:
>> >$ ls -lZd /var/run
>>
>> drwxr-xr-x root root system_u:object_r:var_run_t:s0 /var/run
>>
>> >$ ls -laZ /var/run/spamass-milter
>>
>> drwxr-x--- sa-milt root system_u:object_r:spamd_var_run_t:s0 .
>> drwxr-xr-x root root system_u:object_r:var_run_t:s0 ..
>> srwxr-xr-x sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0
>> spamass-milter.sock
>
>This all looks normal so I guess you're not getting the AVCs from
>spamass-milter anymore?
>
>> >>From /var/log/messages log: (Note that all of these errors are
>> >> coming from the /usr/share that is mounted from a drive partition
>> >> while all in / is in its own partition, but /usr/share)
>> >> ================================================== ===========
>> >> Dec 21 07:50:21 linux kernel: audit(1198252191.457:5): avc:
>> >denied { search } for pid=1169 comm="rhgb" name="share"
>> >dev=sda2 ino=102929 scontext=system_u:system_r:rhgb_t:s0
>> >tcontext=user_u:object_r:default_t:s0 tclass=dir
>> >
>> >Try unmounting /usr/share, labelling the now-empty directory as
>> >mnt_t,
>>
>> How do I do this, please?
>
># umount /usr/share
># chcon -t mnt_t /usr/share
>
>> >remounting /usr/share and labelling the mounted directory as usr_t.
>
># mount /usr/share
># chcon -t usr_t /usr/share
>
>Paul.

Notes:
1: Just to make sure that I have noted it here, the latest
yum updates have been applied.
2: The mounting of LABEL=/share to /usr/share appears as a
drive on the desktop, unlike /usr, which does not appear.
This is quite annoying. Why is it that it appears on the desktop?

1. I have done what you have asked, above.
2. restorecon -vvR /usr
<no corrections were made>
3. clamav-milter:
+ was never started at boot. Logs show a permission problem with clamav.log
+ deleted: /var/log/clamav-milter/clamav.log
+ service clamav-milter start
<no more sealert permissions problems, it started up!>
[perhaps, the problem here is that an existing log file from
a previous startup, is no longer accepted and fails on the
next reboot unless clamav-milter service is shutdown, the
log file is deleted, before rebooting. This has been verified.]
4. spamass-milter:
+ The spamass-milter.sock originally when created at reboot shows:
srwxr-xr-x sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0 spamass-milter.sock

BUT, when restarting spamassassin, it shows a different user context:
drwxr-x--- sa-milt root system_u:object_r:spamd_var_run_t:s0 .
drwxr-xr-x root root system_u:object_r:var_run_t:s0 ..
srwxr-xr-x sa-milt sa-milt unconfined_u:object_r:spamd_var_run_t:s0 spamass-milter.sock
----------------------------^^^^^^^^^^^^

+ chcon -u system_u spamass-milter.sock
<has no effect, sealert continues>
+ chcon -t initrc_t spamass-milter.sock
<permission denied, even as root user>

5. I still have unresolved issues with the others:
rhgb, xorg, ifconfig, xdm-server

Any ideas, anyone?


 

All times are GMT.