FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 01-28-2012, 06:22 PM
Daniel J Walsh
 
Default Fedora 16 AVC at boot time

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/28/2012 02:15 PM, David Highley wrote:
> "David Highley wrote:"
>>
>> "Miroslav Grepl wrote:"
>>>
>>> On 01/26/2012 05:33 AM, David Highley wrote:
>>>> "Daniel J Walsh wrote:"
> On 01/25/2012 01:38 PM, David Highley wrote:
>>>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39 PM, David
>>>>>>> Highley wrote:
>>>>>>>>>> time->Tue Jan 24 06:17:02 2012 type=SYSCALL
>>>>>>>>>> msg=audit(1327414622.867:2517): arch=c000003e
>>>>>>>>>> syscall=59 success=yes exit=0 a0=9669f0 a1=cc8170
>>>>>>>>>> a2=7fff1bf396c8 a3=1f items=0 ppid=5248 pid=5253
>>>>>>>>>> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>>>>>>>> sgid=0 fsgid=0 tty=(none) ses=293 comm="sh"
>>>>>>>>>> exe="/bin/bash"
>>>>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
>>>>>>>>>>
>>>>>>>>>>
key=(null) type=AVC msg=audit(1327414622.867:2517): avc:
>>>>>>>>>> denied { transition } for pid=5253 comm="rpm"
>>>>>>>>>> path="/bin/bash" dev=dm-1 ino=393240
>>>>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
>>>>>>>>>>
>>>>>>>>>>
tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
>>>>>>>>>> tclass=process ---- time->Tue Jan 24 06:23:38
>>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.410:38):
>>>>>>>>>> arch=c000003e syscall=2 success=no exit=-13
>>>>>>>>>> a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68
>>>>>>>>>> items=0 ppid=1180 pid=1359 auid=4294967295 uid=0
>>>>>>>>>> gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48
>>>>>>>>>> fsgid=48 tty=(none) ses=4294967295
>>>>>>>>>> comm="/usr/sbin/httpd" exe="/usr/sbin/httpd"
>>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>>> type=AVC msg=audit(1327415018.410:38): avc:
>>>>>>>>>> denied { search } for pid=1359
>>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
>>>>>>>>>> ino=1313161
>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
>>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
>>>>>>>>>> msg=audit(1327415018.410:39): arch=c000003e
>>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
>>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
>>>>>>>>>> pid=1360 auid=4294967295 uid=0 gid=48 euid=0
>>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
>>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>>> type=AVC msg=audit(1327415018.410:39): avc:
>>>>>>>>>> denied { search } for pid=1360
>>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
>>>>>>>>>> ino=1313161
>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
>>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
>>>>>>>>>> msg=audit(1327415018.411:40): arch=c000003e
>>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
>>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
>>>>>>>>>> pid=1361 auid=4294967295 uid=0 gid=48 euid=0
>>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
>>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>>> type=AVC msg=audit(1327415018.411:40): avc:
>>>>>>>>>> denied { search } for pid=1361
>>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
>>>>>>>>>> ino=1313161
>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
>>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
>>>>>>>>>> msg=audit(1327415018.411:41): arch=c000003e
>>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
>>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
>>>>>>>>>> pid=1362 auid=4294967295 uid=0 gid=48 euid=0
>>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
>>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>>> type=AVC msg=audit(1327415018.411:41): avc:
>>>>>>>>>> denied { search } for pid=1362
>>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
>>>>>>>>>> ino=1313161
>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
>>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
>>>>>>>>>> msg=audit(1327415018.414:42): arch=c000003e
>>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
>>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
>>>>>>>>>> pid=1365 auid=4294967295 uid=0 gid=48 euid=0
>>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
>>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>>> type=AVC msg=audit(1327415018.414:42): avc:
>>>>>>>>>> denied { search } for pid=1365
>>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
>>>>>>>>>> ino=1313161
>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
>>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
>>>>>>>>>> msg=audit(1327415018.414:43): arch=c000003e
>>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
>>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
>>>>>>>>>> pid=1364 auid=4294967295 uid=0 gid=48 euid=0
>>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
>>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>>> type=AVC msg=audit(1327415018.414:43): avc:
>>>>>>>>>> denied { search } for pid=1364
>>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
>>>>>>>>>> ino=1313161
>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
>>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
>>>>>>>>>> msg=audit(1327415018.415:44): arch=c000003e
>>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
>>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
>>>>>>>>>> pid=1366 auid=4294967295 uid=0 gid=48 euid=0
>>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
>>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>>> type=AVC msg=audit(1327415018.415:44): avc:
>>>>>>>>>> denied { search } for pid=1366
>>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
>>>>>>>>>> ino=1313161
>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
>>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
>>>>>>>>>> msg=audit(1327415018.416:45): arch=c000003e
>>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
>>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
>>>>>>>>>> pid=1363 auid=4294967295 uid=0 gid=48 euid=0
>>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
>>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>>> type=AVC msg=audit(1327415018.416:45): avc:
>>>>>>>>>> denied { search } for pid=1363
>>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
>>>>>>>>>> ino=1313161
>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
>>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
>>>>>>>>>> msg=audit(1327415018.418:46): arch=c000003e
>>>>>>>>>> syscall=42 success=no exit=-13 a0=3
>>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
>>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
>>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>
>>>>>>>>>>
key=(null) type=AVC msg=audit(1327415018.418:46): avc:
>>>>>>>>>> denied { name_connect } for pid=1369
>>>>>>>>>> comm="dbus-daemon-lau" dest=111
>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>
>>>>>>>>>>
tcontext=system_ubject_rortmap_port_t:s0
>>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
>>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:47):
>>>>>>>>>> arch=c000003e syscall=49 success=no exit=-13 a0=3
>>>>>>>>>> a1=7fff07112f60 a2=10 a3=98 items=0 ppid=1367
>>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
>>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>
>>>>>>>>>>
key=(null) type=AVC msg=audit(1327415018.418:47): avc:
>>>>>>>>>> denied { name_bind } for pid=1369
>>>>>>>>>> comm="dbus-daemon-lau" src=697
>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>
>>>>>>>>>>
tcontext=system_ubject_r:hi_reserved_port_t:s0
>>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
>>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:48):
>>>>>>>>>> arch=c000003e syscall=42 success=no exit=-13 a0=3
>>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
>>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
>>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>
>>>>>>>>>>
key=(null) type=AVC msg=audit(1327415018.418:48): avc:
>>>>>>>>>> denied { name_connect } for pid=1369
>>>>>>>>>> comm="dbus-daemon-lau" dest=111
>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>
>>>>>>>>>>
tcontext=system_ubject_rortmap_port_t:s0
>>>>>>>>>> tclass=tcp_socket
>>>>>>> Do you have the allow_ypbind boolean permanantly turned
>>>>>>> on
>>>>>>>
>>>>>>> setsebool -P allow_ypbind 1
>>>>>>>
>>>>>>>> Yes, we permanently set this bool.
>>>>>>> If the init script is turning it on, you could see
>>>>>>> avc's like this.
>>>>>>>
>>>>>>> Have no idea what the bootloader->rpm_script one is.
>>>>>>>
>>>>>>> There used to be some kernel update scripts that were
>>>>>>> labeled as bootloader_exec_t? -- selinux mailing list
>>>>>>> selinux@lists.fedoraproject.org
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>>>>>>>
Strange and these happen on every boot, and then stop?
>>>>> Just tried another reboot and got the same results so I
>>>>> would say that it happens on every boot.
>>>>>
>>>>>
>>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> Could you make sure that the policy is installed correctly.
>>>
>>> # yum reinstall selinux-policy-targeted
>>>
>>> and see if something blows up.
>>
>> Same results as before. Did get a new avc just before the reboot
>> doing a yum update.
>
> To add more clarity to the boot up AVC, we did check for any sign
> of AVC when we reinstalled selinux-policy-targeted.
>
>> allow bootloader_t rpm_script_trocess transition; ----
>> time->Sat Jan 28 07:47:51 2012 type=SYSCALL
>> msg=audit(1327765671.705:3395): arch=c000003e syscall=59
>> success=ye s exit=0 a0=1429290 a1=12e3550 a2=7fffd4c974c8 a3=20
>> items=0 ppid=24868 pid=2487 8 auid=1000 uid=0 gid=0 euid=0 suid=0
>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses =404 comm="sh"
>> exe="/bin/bash"
>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0. c1023
>> key=(null) type=AVC msg=audit(1327765671.705:3395): avc: denied
>> { transition } for pid=24878 comm="rpm" path="/bin/bash"
>> dev=dm-1 ino=393240
>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
>> tclass=process
>
> Packages in this update were: Jan 28 07:46:28 Updated:
> libuuid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> libblkid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:29 Updated:
> libcurl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> curl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> 12:dhcp-common-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:31 Updated:
> libmount-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:32 Updated:
> setroubleshoot-server-3.1.2-1.fc16.x86_64 Jan 28 07:46:32
> Installed: python-tornado-2.1.1-1.fc16.noarch Jan 28 07:46:33
> Updated: python-kitchen-1.1.0-1.fc16.noarch Jan 28 07:46:33
> Updated: pyrpkg-1.11-1.fc16.noarch Jan 28 07:46:34 Updated:
> mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64 Jan 28 07:46:39
> Installed: kernel-3.2.2-1.fc16.x86_64 Jan 28 07:46:40 Updated:
> xorg-x11-drv-intel-2.17.0-8.fc16.x86_64 Jan 28 07:46:40 Updated:
> mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64 Jan 28
> 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch Jan 28 07:46:42 Updated:
> ipython-0.12-2.fc16.noarch Jan 28 07:46:43 Updated:
> setroubleshoot-3.1.2-1.fc16.x86_64 Jan 28 07:46:44 Updated:
> util-linux-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:44 Updated:
> 12:dhclient-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:46 Updated:
> libcurl-devel-7.21.7-6.fc16.x86_64 Jan 28 07:46:47 Updated:
> rsyslog-5.8.7-1.fc16.x86_64 Jan 28 07:46:48 Updated:
> t1lib-5.1.2-9.fc16.x86_64 Jan 28 07:46:49 Updated:
> kernel-headers-3.2.2-1.fc16.x86_64 Jan 28 07:46:59 Installed:
> kernel-devel-3.2.2-1.fc16.x86_64 Jan 28 07:47:00 Updated:
> mdadm-3.2.3-3.fc16.x86_64
>> -- selinux mailing list selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>
>

Any idea of what process is running as bootloader_t?

ps -eZ | grep bootloader_t
or
find /sbin/ -context "*:bootloader_exec_t*"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8kSvwACgkQrlYvE4MpobOjywCghdmmQAxJ6Y w0Lg9Khj1RlPUV
si0AoIAqVYMmf2pon92UL7gFTUk7nsEQ
=5qAB
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-28-2012, 09:55 PM
David Highley
 
Default Fedora 16 AVC at boot time

"Daniel J Walsh wrote:"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/28/2012 02:15 PM, David Highley wrote:
> > "David Highley wrote:"
> >>
> >> "Miroslav Grepl wrote:"
> >>>
> >>> On 01/26/2012 05:33 AM, David Highley wrote:
> >>>> "Daniel J Walsh wrote:"
> > On 01/25/2012 01:38 PM, David Highley wrote:
> >>>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39 PM, David
> >>>>>>> Highley wrote:
> >>>>>>>>>> time->Tue Jan 24 06:17:02 2012 type=SYSCALL
> >>>>>>>>>> msg=audit(1327414622.867:2517): arch=c000003e
> >>>>>>>>>> syscall=59 success=yes exit=0 a0=9669f0 a1=cc8170
> >>>>>>>>>> a2=7fff1bf396c8 a3=1f items=0 ppid=5248 pid=5253
> >>>>>>>>>> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> >>>>>>>>>> sgid=0 fsgid=0 tty=(none) ses=293 comm="sh"
> >>>>>>>>>> exe="/bin/bash"
> >>>>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> >>>>>>>>>>
> >>>>>>>>>>
> key=(null) type=AVC msg=audit(1327414622.867:2517): avc:
> >>>>>>>>>> denied { transition } for pid=5253 comm="rpm"
> >>>>>>>>>> path="/bin/bash" dev=dm-1 ino=393240
> >>>>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> >>>>>>>>>>
> >>>>>>>>>>
> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> >>>>>>>>>> tclass=process ---- time->Tue Jan 24 06:23:38
> >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.410:38):
> >>>>>>>>>> arch=c000003e syscall=2 success=no exit=-13
> >>>>>>>>>> a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68
> >>>>>>>>>> items=0 ppid=1180 pid=1359 auid=4294967295 uid=0
> >>>>>>>>>> gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48
> >>>>>>>>>> fsgid=48 tty=(none) ses=4294967295
> >>>>>>>>>> comm="/usr/sbin/httpd" exe="/usr/sbin/httpd"
> >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> >>>>>>>>>> type=AVC msg=audit(1327415018.410:38): avc:
> >>>>>>>>>> denied { search } for pid=1359
> >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> >>>>>>>>>> ino=1313161
> >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> >>>>>>>>>> msg=audit(1327415018.410:39): arch=c000003e
> >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> >>>>>>>>>> pid=1360 auid=4294967295 uid=0 gid=48 euid=0
> >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> >>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> >>>>>>>>>> type=AVC msg=audit(1327415018.410:39): avc:
> >>>>>>>>>> denied { search } for pid=1360
> >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> >>>>>>>>>> ino=1313161
> >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> >>>>>>>>>> msg=audit(1327415018.411:40): arch=c000003e
> >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> >>>>>>>>>> pid=1361 auid=4294967295 uid=0 gid=48 euid=0
> >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> >>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> >>>>>>>>>> type=AVC msg=audit(1327415018.411:40): avc:
> >>>>>>>>>> denied { search } for pid=1361
> >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> >>>>>>>>>> ino=1313161
> >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> >>>>>>>>>> msg=audit(1327415018.411:41): arch=c000003e
> >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> >>>>>>>>>> pid=1362 auid=4294967295 uid=0 gid=48 euid=0
> >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> >>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> >>>>>>>>>> type=AVC msg=audit(1327415018.411:41): avc:
> >>>>>>>>>> denied { search } for pid=1362
> >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> >>>>>>>>>> ino=1313161
> >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> >>>>>>>>>> msg=audit(1327415018.414:42): arch=c000003e
> >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> >>>>>>>>>> pid=1365 auid=4294967295 uid=0 gid=48 euid=0
> >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> >>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> >>>>>>>>>> type=AVC msg=audit(1327415018.414:42): avc:
> >>>>>>>>>> denied { search } for pid=1365
> >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> >>>>>>>>>> ino=1313161
> >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> >>>>>>>>>> msg=audit(1327415018.414:43): arch=c000003e
> >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> >>>>>>>>>> pid=1364 auid=4294967295 uid=0 gid=48 euid=0
> >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> >>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> >>>>>>>>>> type=AVC msg=audit(1327415018.414:43): avc:
> >>>>>>>>>> denied { search } for pid=1364
> >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> >>>>>>>>>> ino=1313161
> >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> >>>>>>>>>> msg=audit(1327415018.415:44): arch=c000003e
> >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> >>>>>>>>>> pid=1366 auid=4294967295 uid=0 gid=48 euid=0
> >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> >>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> >>>>>>>>>> type=AVC msg=audit(1327415018.415:44): avc:
> >>>>>>>>>> denied { search } for pid=1366
> >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> >>>>>>>>>> ino=1313161
> >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> >>>>>>>>>> msg=audit(1327415018.416:45): arch=c000003e
> >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> >>>>>>>>>> pid=1363 auid=4294967295 uid=0 gid=48 euid=0
> >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> >>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> >>>>>>>>>> type=AVC msg=audit(1327415018.416:45): avc:
> >>>>>>>>>> denied { search } for pid=1363
> >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> >>>>>>>>>> ino=1313161
> >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> >>>>>>>>>> msg=audit(1327415018.418:46): arch=c000003e
> >>>>>>>>>> syscall=42 success=no exit=-13 a0=3
> >>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
> >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>
> >>>>>>>>>>
> key=(null) type=AVC msg=audit(1327415018.418:46): avc:
> >>>>>>>>>> denied { name_connect } for pid=1369
> >>>>>>>>>> comm="dbus-daemon-lau" dest=111
> >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>
> >>>>>>>>>>
> tcontext=system_ubject_rortmap_port_t:s0
> >>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
> >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:47):
> >>>>>>>>>> arch=c000003e syscall=49 success=no exit=-13 a0=3
> >>>>>>>>>> a1=7fff07112f60 a2=10 a3=98 items=0 ppid=1367
> >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>
> >>>>>>>>>>
> key=(null) type=AVC msg=audit(1327415018.418:47): avc:
> >>>>>>>>>> denied { name_bind } for pid=1369
> >>>>>>>>>> comm="dbus-daemon-lau" src=697
> >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>
> >>>>>>>>>>
> tcontext=system_ubject_r:hi_reserved_port_t:s0
> >>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
> >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:48):
> >>>>>>>>>> arch=c000003e syscall=42 success=no exit=-13 a0=3
> >>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
> >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>
> >>>>>>>>>>
> key=(null) type=AVC msg=audit(1327415018.418:48): avc:
> >>>>>>>>>> denied { name_connect } for pid=1369
> >>>>>>>>>> comm="dbus-daemon-lau" dest=111
> >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>
> >>>>>>>>>>
> tcontext=system_ubject_rortmap_port_t:s0
> >>>>>>>>>> tclass=tcp_socket
> >>>>>>> Do you have the allow_ypbind boolean permanantly turned
> >>>>>>> on
> >>>>>>>
> >>>>>>> setsebool -P allow_ypbind 1
> >>>>>>>
> >>>>>>>> Yes, we permanently set this bool.
> >>>>>>> If the init script is turning it on, you could see
> >>>>>>> avc's like this.
> >>>>>>>
> >>>>>>> Have no idea what the bootloader->rpm_script one is.
> >>>>>>>
> >>>>>>> There used to be some kernel update scripts that were
> >>>>>>> labeled as bootloader_exec_t? -- selinux mailing list
> >>>>>>> selinux@lists.fedoraproject.org
> >>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >>>>>>>
> Strange and these happen on every boot, and then stop?
> >>>>> Just tried another reboot and got the same results so I
> >>>>> would say that it happens on every boot.
> >>>>>
> >>>>>
> >>>> -- selinux mailing list selinux@lists.fedoraproject.org
> >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>> Could you make sure that the policy is installed correctly.
> >>>
> >>> # yum reinstall selinux-policy-targeted
> >>>
> >>> and see if something blows up.
> >>
> >> Same results as before. Did get a new avc just before the reboot
> >> doing a yum update.
> >
> > To add more clarity to the boot up AVC, we did check for any sign
> > of AVC when we reinstalled selinux-policy-targeted.
> >
> >> allow bootloader_t rpm_script_trocess transition; ----
> >> time->Sat Jan 28 07:47:51 2012 type=SYSCALL
> >> msg=audit(1327765671.705:3395): arch=c000003e syscall=59
> >> success=ye s exit=0 a0=1429290 a1=12e3550 a2=7fffd4c974c8 a3=20
> >> items=0 ppid=24868 pid=2487 8 auid=1000 uid=0 gid=0 euid=0 suid=0
> >> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses =404 comm="sh"
> >> exe="/bin/bash"
> >> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0. c1023
> >> key=(null) type=AVC msg=audit(1327765671.705:3395): avc: denied
> >> { transition } for pid=24878 comm="rpm" path="/bin/bash"
> >> dev=dm-1 ino=393240
> >> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> >> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> >> tclass=process
> >
> > Packages in this update were: Jan 28 07:46:28 Updated:
> > libuuid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > libblkid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > libcurl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> > curl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> > 12:dhcp-common-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:31 Updated:
> > libmount-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:32 Updated:
> > setroubleshoot-server-3.1.2-1.fc16.x86_64 Jan 28 07:46:32
> > Installed: python-tornado-2.1.1-1.fc16.noarch Jan 28 07:46:33
> > Updated: python-kitchen-1.1.0-1.fc16.noarch Jan 28 07:46:33
> > Updated: pyrpkg-1.11-1.fc16.noarch Jan 28 07:46:34 Updated:
> > mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64 Jan 28 07:46:39
> > Installed: kernel-3.2.2-1.fc16.x86_64 Jan 28 07:46:40 Updated:
> > xorg-x11-drv-intel-2.17.0-8.fc16.x86_64 Jan 28 07:46:40 Updated:
> > mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64 Jan 28
> > 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch Jan 28 07:46:42 Updated:
> > ipython-0.12-2.fc16.noarch Jan 28 07:46:43 Updated:
> > setroubleshoot-3.1.2-1.fc16.x86_64 Jan 28 07:46:44 Updated:
> > util-linux-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:44 Updated:
> > 12:dhclient-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:46 Updated:
> > libcurl-devel-7.21.7-6.fc16.x86_64 Jan 28 07:46:47 Updated:
> > rsyslog-5.8.7-1.fc16.x86_64 Jan 28 07:46:48 Updated:
> > t1lib-5.1.2-9.fc16.x86_64 Jan 28 07:46:49 Updated:
> > kernel-headers-3.2.2-1.fc16.x86_64 Jan 28 07:46:59 Installed:
> > kernel-devel-3.2.2-1.fc16.x86_64 Jan 28 07:47:00 Updated:
> > mdadm-3.2.3-3.fc16.x86_64
> >> -- selinux mailing list selinux@lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>
> >
> >
>
> Any idea of what process is running as bootloader_t?
>
> ps -eZ | grep bootloader_t
> or
> find /sbin/ -context "*:bootloader_exec_t*"

Since we were running yum update and there was a kernel update involved
it could be several from the list below.

/sbin/grub2-setup
/sbin/installkernel
/sbin/grub2-reboot
/sbin/grub2-probe
/sbin/grub2-mkdevicemap
/sbin/grub2-set-default
/sbin/grubby
/sbin/grub2-install
/sbin/grub2-mkconfig
/sbin/grub2-mknetdir
/sbin/new-kernel-pkg

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk8kSvwACgkQrlYvE4MpobOjywCghdmmQAxJ6Y w0Lg9Khj1RlPUV
> si0AoIAqVYMmf2pon92UL7gFTUk7nsEQ
> =5qAB
> -----END PGP SIGNATURE-----
>
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-29-2012, 08:36 AM
Dominick Grift
 
Default Fedora 16 AVC at boot time

On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
> "Daniel J Walsh wrote:"
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 01/28/2012 02:15 PM, David Highley wrote:
> > > "David Highley wrote:"
> > >>
> > >> "Miroslav Grepl wrote:"
> > >>>
> > >>> On 01/26/2012 05:33 AM, David Highley wrote:
> > >>>> "Daniel J Walsh wrote:"
> > > On 01/25/2012 01:38 PM, David Highley wrote:
> > >>>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39 PM, David
> > >>>>>>> Highley wrote:
> > >>>>>>>>>> time->Tue Jan 24 06:17:02 2012 type=SYSCALL
> > >>>>>>>>>> msg=audit(1327414622.867:2517): arch=c000003e
> > >>>>>>>>>> syscall=59 success=yes exit=0 a0=9669f0 a1=cc8170
> > >>>>>>>>>> a2=7fff1bf396c8 a3=1f items=0 ppid=5248 pid=5253
> > >>>>>>>>>> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > >>>>>>>>>> sgid=0 fsgid=0 tty=(none) ses=293 comm="sh"
> > >>>>>>>>>> exe="/bin/bash"
> > >>>>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > >>>>>>>>>>
> > >>>>>>>>>>
> > key=(null) type=AVC msg=audit(1327414622.867:2517): avc:
> > >>>>>>>>>> denied { transition } for pid=5253 comm="rpm"
> > >>>>>>>>>> path="/bin/bash" dev=dm-1 ino=393240
> > >>>>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> > >>>>>>>>>>
> > >>>>>>>>>>
> > tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > >>>>>>>>>> tclass=process ---- time->Tue Jan 24 06:23:38
> > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.410:38):
> > >>>>>>>>>> arch=c000003e syscall=2 success=no exit=-13
> > >>>>>>>>>> a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68
> > >>>>>>>>>> items=0 ppid=1180 pid=1359 auid=4294967295 uid=0
> > >>>>>>>>>> gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48
> > >>>>>>>>>> fsgid=48 tty=(none) ses=4294967295
> > >>>>>>>>>> comm="/usr/sbin/httpd" exe="/usr/sbin/httpd"
> > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > >>>>>>>>>> type=AVC msg=audit(1327415018.410:38): avc:
> > >>>>>>>>>> denied { search } for pid=1359
> > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > >>>>>>>>>> ino=1313161
> > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>> msg=audit(1327415018.410:39): arch=c000003e
> > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > >>>>>>>>>> pid=1360 auid=4294967295 uid=0 gid=48 euid=0
> > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > >>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > >>>>>>>>>> type=AVC msg=audit(1327415018.410:39): avc:
> > >>>>>>>>>> denied { search } for pid=1360
> > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > >>>>>>>>>> ino=1313161
> > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>> msg=audit(1327415018.411:40): arch=c000003e
> > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > >>>>>>>>>> pid=1361 auid=4294967295 uid=0 gid=48 euid=0
> > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > >>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > >>>>>>>>>> type=AVC msg=audit(1327415018.411:40): avc:
> > >>>>>>>>>> denied { search } for pid=1361
> > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > >>>>>>>>>> ino=1313161
> > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>> msg=audit(1327415018.411:41): arch=c000003e
> > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > >>>>>>>>>> pid=1362 auid=4294967295 uid=0 gid=48 euid=0
> > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > >>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > >>>>>>>>>> type=AVC msg=audit(1327415018.411:41): avc:
> > >>>>>>>>>> denied { search } for pid=1362
> > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > >>>>>>>>>> ino=1313161
> > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>> msg=audit(1327415018.414:42): arch=c000003e
> > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > >>>>>>>>>> pid=1365 auid=4294967295 uid=0 gid=48 euid=0
> > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > >>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > >>>>>>>>>> type=AVC msg=audit(1327415018.414:42): avc:
> > >>>>>>>>>> denied { search } for pid=1365
> > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > >>>>>>>>>> ino=1313161
> > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>> msg=audit(1327415018.414:43): arch=c000003e
> > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > >>>>>>>>>> pid=1364 auid=4294967295 uid=0 gid=48 euid=0
> > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > >>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > >>>>>>>>>> type=AVC msg=audit(1327415018.414:43): avc:
> > >>>>>>>>>> denied { search } for pid=1364
> > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > >>>>>>>>>> ino=1313161
> > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>> msg=audit(1327415018.415:44): arch=c000003e
> > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > >>>>>>>>>> pid=1366 auid=4294967295 uid=0 gid=48 euid=0
> > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > >>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > >>>>>>>>>> type=AVC msg=audit(1327415018.415:44): avc:
> > >>>>>>>>>> denied { search } for pid=1366
> > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > >>>>>>>>>> ino=1313161
> > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>> msg=audit(1327415018.416:45): arch=c000003e
> > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > >>>>>>>>>> pid=1363 auid=4294967295 uid=0 gid=48 euid=0
> > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > >>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > >>>>>>>>>> type=AVC msg=audit(1327415018.416:45): avc:
> > >>>>>>>>>> denied { search } for pid=1363
> > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > >>>>>>>>>> ino=1313161
> > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>> msg=audit(1327415018.418:46): arch=c000003e
> > >>>>>>>>>> syscall=42 success=no exit=-13 a0=3
> > >>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
> > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>
> > >>>>>>>>>>
> > key=(null) type=AVC msg=audit(1327415018.418:46): avc:
> > >>>>>>>>>> denied { name_connect } for pid=1369
> > >>>>>>>>>> comm="dbus-daemon-lau" dest=111
> > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>
> > >>>>>>>>>>
> > tcontext=system_ubject_rortmap_port_t:s0
> > >>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
> > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:47):
> > >>>>>>>>>> arch=c000003e syscall=49 success=no exit=-13 a0=3
> > >>>>>>>>>> a1=7fff07112f60 a2=10 a3=98 items=0 ppid=1367
> > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>
> > >>>>>>>>>>
> > key=(null) type=AVC msg=audit(1327415018.418:47): avc:
> > >>>>>>>>>> denied { name_bind } for pid=1369
> > >>>>>>>>>> comm="dbus-daemon-lau" src=697
> > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>
> > >>>>>>>>>>
> > tcontext=system_ubject_r:hi_reserved_port_t:s0
> > >>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
> > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:48):
> > >>>>>>>>>> arch=c000003e syscall=42 success=no exit=-13 a0=3
> > >>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
> > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>
> > >>>>>>>>>>
> > key=(null) type=AVC msg=audit(1327415018.418:48): avc:
> > >>>>>>>>>> denied { name_connect } for pid=1369
> > >>>>>>>>>> comm="dbus-daemon-lau" dest=111
> > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>
> > >>>>>>>>>>
> > tcontext=system_ubject_rortmap_port_t:s0
> > >>>>>>>>>> tclass=tcp_socket
> > >>>>>>> Do you have the allow_ypbind boolean permanantly turned
> > >>>>>>> on
> > >>>>>>>
> > >>>>>>> setsebool -P allow_ypbind 1
> > >>>>>>>
> > >>>>>>>> Yes, we permanently set this bool.
> > >>>>>>> If the init script is turning it on, you could see
> > >>>>>>> avc's like this.
> > >>>>>>>
> > >>>>>>> Have no idea what the bootloader->rpm_script one is.
> > >>>>>>>
> > >>>>>>> There used to be some kernel update scripts that were
> > >>>>>>> labeled as bootloader_exec_t? -- selinux mailing list
> > >>>>>>> selinux@lists.fedoraproject.org
> > >>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >
> > >>>>>>>
> > Strange and these happen on every boot, and then stop?
> > >>>>> Just tried another reboot and got the same results so I
> > >>>>> would say that it happens on every boot.
> > >>>>>
> > >>>>>
> > >>>> -- selinux mailing list selinux@lists.fedoraproject.org
> > >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >>> Could you make sure that the policy is installed correctly.
> > >>>
> > >>> # yum reinstall selinux-policy-targeted
> > >>>
> > >>> and see if something blows up.
> > >>
> > >> Same results as before. Did get a new avc just before the reboot
> > >> doing a yum update.
> > >
> > > To add more clarity to the boot up AVC, we did check for any sign
> > > of AVC when we reinstalled selinux-policy-targeted.
> > >
> > >> allow bootloader_t rpm_script_trocess transition; ----
> > >> time->Sat Jan 28 07:47:51 2012 type=SYSCALL
> > >> msg=audit(1327765671.705:3395): arch=c000003e syscall=59
> > >> success=ye s exit=0 a0=1429290 a1=12e3550 a2=7fffd4c974c8 a3=20
> > >> items=0 ppid=24868 pid=2487 8 auid=1000 uid=0 gid=0 euid=0 suid=0
> > >> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses =404 comm="sh"
> > >> exe="/bin/bash"
> > >> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0. c1023
> > >> key=(null) type=AVC msg=audit(1327765671.705:3395): avc: denied
> > >> { transition } for pid=24878 comm="rpm" path="/bin/bash"
> > >> dev=dm-1 ino=393240
> > >> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> > >> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > >> tclass=process
> > >
> > > Packages in this update were: Jan 28 07:46:28 Updated:
> > > libuuid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > libblkid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > libcurl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> > > curl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> > > 12:dhcp-common-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:31 Updated:
> > > libmount-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:32 Updated:
> > > setroubleshoot-server-3.1.2-1.fc16.x86_64 Jan 28 07:46:32
> > > Installed: python-tornado-2.1.1-1.fc16.noarch Jan 28 07:46:33
> > > Updated: python-kitchen-1.1.0-1.fc16.noarch Jan 28 07:46:33
> > > Updated: pyrpkg-1.11-1.fc16.noarch Jan 28 07:46:34 Updated:
> > > mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64 Jan 28 07:46:39
> > > Installed: kernel-3.2.2-1.fc16.x86_64 Jan 28 07:46:40 Updated:
> > > xorg-x11-drv-intel-2.17.0-8.fc16.x86_64 Jan 28 07:46:40 Updated:
> > > mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64 Jan 28
> > > 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch Jan 28 07:46:42 Updated:
> > > ipython-0.12-2.fc16.noarch Jan 28 07:46:43 Updated:
> > > setroubleshoot-3.1.2-1.fc16.x86_64 Jan 28 07:46:44 Updated:
> > > util-linux-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:44 Updated:
> > > 12:dhclient-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:46 Updated:
> > > libcurl-devel-7.21.7-6.fc16.x86_64 Jan 28 07:46:47 Updated:
> > > rsyslog-5.8.7-1.fc16.x86_64 Jan 28 07:46:48 Updated:
> > > t1lib-5.1.2-9.fc16.x86_64 Jan 28 07:46:49 Updated:
> > > kernel-headers-3.2.2-1.fc16.x86_64 Jan 28 07:46:59 Installed:
> > > kernel-devel-3.2.2-1.fc16.x86_64 Jan 28 07:47:00 Updated:
> > > mdadm-3.2.3-3.fc16.x86_64
> > >> -- selinux mailing list selinux@lists.fedoraproject.org
> > >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >>
> > >
> > >
> >
> > Any idea of what process is running as bootloader_t?
> >
> > ps -eZ | grep bootloader_t
> > or
> > find /sbin/ -context "*:bootloader_exec_t*"
>
> Since we were running yum update and there was a kernel update involved
> it could be several from the list below.
>
> /sbin/grub2-setup
> /sbin/installkernel
> /sbin/grub2-reboot
> /sbin/grub2-probe
> /sbin/grub2-mkdevicemap
> /sbin/grub2-set-default
> /sbin/grubby
> /sbin/grub2-install
> /sbin/grub2-mkconfig
> /sbin/grub2-mknetdir
> /sbin/new-kernel-pkg

Do you have any (a)?kmod packages installed from rpmfusion.

I have specified labels for the above files bootloader_exec_t a while
ago and i was not sure whether this would be a good idea.

I have not had any AVC denials related to this but i do not use grub
manually often and i also do not have a default grub config because i am
using uefi setup.

> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.11 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> >
> > iEYEARECAAYFAk8kSvwACgkQrlYvE4MpobOjywCghdmmQAxJ6Y w0Lg9Khj1RlPUV
> > si0AoIAqVYMmf2pon92UL7gFTUk7nsEQ
> > =5qAB
> > -----END PGP SIGNATURE-----
> >
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-29-2012, 04:48 PM
David Highley
 
Default Fedora 16 AVC at boot time

"Dominick Grift wrote:"
>
> On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
> > "Daniel J Walsh wrote:"
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On 01/28/2012 02:15 PM, David Highley wrote:
> > > > "David Highley wrote:"
> > > >>
> > > >> "Miroslav Grepl wrote:"
> > > >>>
> > > >>> On 01/26/2012 05:33 AM, David Highley wrote:
> > > >>>> "Daniel J Walsh wrote:"
> > > > On 01/25/2012 01:38 PM, David Highley wrote:
> > > >>>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39 PM, David
> > > >>>>>>> Highley wrote:
> > > >>>>>>>>>> time->Tue Jan 24 06:17:02 2012 type=SYSCALL
> > > >>>>>>>>>> msg=audit(1327414622.867:2517): arch=c000003e
> > > >>>>>>>>>> syscall=59 success=yes exit=0 a0=9669f0 a1=cc8170
> > > >>>>>>>>>> a2=7fff1bf396c8 a3=1f items=0 ppid=5248 pid=5253
> > > >>>>>>>>>> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > > >>>>>>>>>> sgid=0 fsgid=0 tty=(none) ses=293 comm="sh"
> > > >>>>>>>>>> exe="/bin/bash"
> > > >>>>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > key=(null) type=AVC msg=audit(1327414622.867:2517): avc:
> > > >>>>>>>>>> denied { transition } for pid=5253 comm="rpm"
> > > >>>>>>>>>> path="/bin/bash" dev=dm-1 ino=393240
> > > >>>>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > > >>>>>>>>>> tclass=process ---- time->Tue Jan 24 06:23:38
> > > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.410:38):
> > > >>>>>>>>>> arch=c000003e syscall=2 success=no exit=-13
> > > >>>>>>>>>> a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68
> > > >>>>>>>>>> items=0 ppid=1180 pid=1359 auid=4294967295 uid=0
> > > >>>>>>>>>> gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48
> > > >>>>>>>>>> fsgid=48 tty=(none) ses=4294967295
> > > >>>>>>>>>> comm="/usr/sbin/httpd" exe="/usr/sbin/httpd"
> > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > >>>>>>>>>> type=AVC msg=audit(1327415018.410:38): avc:
> > > >>>>>>>>>> denied { search } for pid=1359
> > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > >>>>>>>>>> ino=1313161
> > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > >>>>>>>>>> msg=audit(1327415018.410:39): arch=c000003e
> > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > >>>>>>>>>> pid=1360 auid=4294967295 uid=0 gid=48 euid=0
> > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > >>>>>>>>>> type=AVC msg=audit(1327415018.410:39): avc:
> > > >>>>>>>>>> denied { search } for pid=1360
> > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > >>>>>>>>>> ino=1313161
> > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > >>>>>>>>>> msg=audit(1327415018.411:40): arch=c000003e
> > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > >>>>>>>>>> pid=1361 auid=4294967295 uid=0 gid=48 euid=0
> > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > >>>>>>>>>> type=AVC msg=audit(1327415018.411:40): avc:
> > > >>>>>>>>>> denied { search } for pid=1361
> > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > >>>>>>>>>> ino=1313161
> > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > >>>>>>>>>> msg=audit(1327415018.411:41): arch=c000003e
> > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > >>>>>>>>>> pid=1362 auid=4294967295 uid=0 gid=48 euid=0
> > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > >>>>>>>>>> type=AVC msg=audit(1327415018.411:41): avc:
> > > >>>>>>>>>> denied { search } for pid=1362
> > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > >>>>>>>>>> ino=1313161
> > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > >>>>>>>>>> msg=audit(1327415018.414:42): arch=c000003e
> > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > >>>>>>>>>> pid=1365 auid=4294967295 uid=0 gid=48 euid=0
> > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > >>>>>>>>>> type=AVC msg=audit(1327415018.414:42): avc:
> > > >>>>>>>>>> denied { search } for pid=1365
> > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > >>>>>>>>>> ino=1313161
> > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > >>>>>>>>>> msg=audit(1327415018.414:43): arch=c000003e
> > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > >>>>>>>>>> pid=1364 auid=4294967295 uid=0 gid=48 euid=0
> > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > >>>>>>>>>> type=AVC msg=audit(1327415018.414:43): avc:
> > > >>>>>>>>>> denied { search } for pid=1364
> > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > >>>>>>>>>> ino=1313161
> > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > >>>>>>>>>> msg=audit(1327415018.415:44): arch=c000003e
> > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > >>>>>>>>>> pid=1366 auid=4294967295 uid=0 gid=48 euid=0
> > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > >>>>>>>>>> type=AVC msg=audit(1327415018.415:44): avc:
> > > >>>>>>>>>> denied { search } for pid=1366
> > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > >>>>>>>>>> ino=1313161
> > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > >>>>>>>>>> msg=audit(1327415018.416:45): arch=c000003e
> > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > >>>>>>>>>> pid=1363 auid=4294967295 uid=0 gid=48 euid=0
> > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > >>>>>>>>>> type=AVC msg=audit(1327415018.416:45): avc:
> > > >>>>>>>>>> denied { search } for pid=1363
> > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > >>>>>>>>>> ino=1313161
> > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > >>>>>>>>>> msg=audit(1327415018.418:46): arch=c000003e
> > > >>>>>>>>>> syscall=42 success=no exit=-13 a0=3
> > > >>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
> > > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> > > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> > > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> > > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > key=(null) type=AVC msg=audit(1327415018.418:46): avc:
> > > >>>>>>>>>> denied { name_connect } for pid=1369
> > > >>>>>>>>>> comm="dbus-daemon-lau" dest=111
> > > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > tcontext=system_ubject_rortmap_port_t:s0
> > > >>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
> > > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:47):
> > > >>>>>>>>>> arch=c000003e syscall=49 success=no exit=-13 a0=3
> > > >>>>>>>>>> a1=7fff07112f60 a2=10 a3=98 items=0 ppid=1367
> > > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> > > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> > > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> > > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > key=(null) type=AVC msg=audit(1327415018.418:47): avc:
> > > >>>>>>>>>> denied { name_bind } for pid=1369
> > > >>>>>>>>>> comm="dbus-daemon-lau" src=697
> > > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > tcontext=system_ubject_r:hi_reserved_port_t:s0
> > > >>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
> > > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:48):
> > > >>>>>>>>>> arch=c000003e syscall=42 success=no exit=-13 a0=3
> > > >>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
> > > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> > > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> > > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> > > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > key=(null) type=AVC msg=audit(1327415018.418:48): avc:
> > > >>>>>>>>>> denied { name_connect } for pid=1369
> > > >>>>>>>>>> comm="dbus-daemon-lau" dest=111
> > > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > tcontext=system_ubject_rortmap_port_t:s0
> > > >>>>>>>>>> tclass=tcp_socket
> > > >>>>>>> Do you have the allow_ypbind boolean permanantly turned
> > > >>>>>>> on
> > > >>>>>>>
> > > >>>>>>> setsebool -P allow_ypbind 1
> > > >>>>>>>
> > > >>>>>>>> Yes, we permanently set this bool.
> > > >>>>>>> If the init script is turning it on, you could see
> > > >>>>>>> avc's like this.
> > > >>>>>>>
> > > >>>>>>> Have no idea what the bootloader->rpm_script one is.
> > > >>>>>>>
> > > >>>>>>> There used to be some kernel update scripts that were
> > > >>>>>>> labeled as bootloader_exec_t? -- selinux mailing list
> > > >>>>>>> selinux@lists.fedoraproject.org
> > > >>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > >
> > > >>>>>>>
> > > Strange and these happen on every boot, and then stop?
> > > >>>>> Just tried another reboot and got the same results so I
> > > >>>>> would say that it happens on every boot.
> > > >>>>>
> > > >>>>>
> > > >>>> -- selinux mailing list selinux@lists.fedoraproject.org
> > > >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > >>> Could you make sure that the policy is installed correctly.
> > > >>>
> > > >>> # yum reinstall selinux-policy-targeted
> > > >>>
> > > >>> and see if something blows up.
> > > >>
> > > >> Same results as before. Did get a new avc just before the reboot
> > > >> doing a yum update.
> > > >
> > > > To add more clarity to the boot up AVC, we did check for any sign
> > > > of AVC when we reinstalled selinux-policy-targeted.
> > > >
> > > >> allow bootloader_t rpm_script_trocess transition; ----
> > > >> time->Sat Jan 28 07:47:51 2012 type=SYSCALL
> > > >> msg=audit(1327765671.705:3395): arch=c000003e syscall=59
> > > >> success=ye s exit=0 a0=1429290 a1=12e3550 a2=7fffd4c974c8 a3=20
> > > >> items=0 ppid=24868 pid=2487 8 auid=1000 uid=0 gid=0 euid=0 suid=0
> > > >> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses =404 comm="sh"
> > > >> exe="/bin/bash"
> > > >> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0. c1023
> > > >> key=(null) type=AVC msg=audit(1327765671.705:3395): avc: denied
> > > >> { transition } for pid=24878 comm="rpm" path="/bin/bash"
> > > >> dev=dm-1 ino=393240
> > > >> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> > > >> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > > >> tclass=process
> > > >
> > > > Packages in this update were: Jan 28 07:46:28 Updated:
> > > > libuuid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > > libblkid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > > 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > > libcurl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> > > > curl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> > > > 12:dhcp-common-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:31 Updated:
> > > > libmount-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:32 Updated:
> > > > setroubleshoot-server-3.1.2-1.fc16.x86_64 Jan 28 07:46:32
> > > > Installed: python-tornado-2.1.1-1.fc16.noarch Jan 28 07:46:33
> > > > Updated: python-kitchen-1.1.0-1.fc16.noarch Jan 28 07:46:33
> > > > Updated: pyrpkg-1.11-1.fc16.noarch Jan 28 07:46:34 Updated:
> > > > mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64 Jan 28 07:46:39
> > > > Installed: kernel-3.2.2-1.fc16.x86_64 Jan 28 07:46:40 Updated:
> > > > xorg-x11-drv-intel-2.17.0-8.fc16.x86_64 Jan 28 07:46:40 Updated:
> > > > mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64 Jan 28
> > > > 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch Jan 28 07:46:42 Updated:
> > > > ipython-0.12-2.fc16.noarch Jan 28 07:46:43 Updated:
> > > > setroubleshoot-3.1.2-1.fc16.x86_64 Jan 28 07:46:44 Updated:
> > > > util-linux-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:44 Updated:
> > > > 12:dhclient-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:46 Updated:
> > > > libcurl-devel-7.21.7-6.fc16.x86_64 Jan 28 07:46:47 Updated:
> > > > rsyslog-5.8.7-1.fc16.x86_64 Jan 28 07:46:48 Updated:
> > > > t1lib-5.1.2-9.fc16.x86_64 Jan 28 07:46:49 Updated:
> > > > kernel-headers-3.2.2-1.fc16.x86_64 Jan 28 07:46:59 Installed:
> > > > kernel-devel-3.2.2-1.fc16.x86_64 Jan 28 07:47:00 Updated:
> > > > mdadm-3.2.3-3.fc16.x86_64
> > > >> -- selinux mailing list selinux@lists.fedoraproject.org
> > > >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > >>
> > > >
> > > >
> > >
> > > Any idea of what process is running as bootloader_t?
> > >
> > > ps -eZ | grep bootloader_t
> > > or
> > > find /sbin/ -context "*:bootloader_exec_t*"
> >
> > Since we were running yum update and there was a kernel update involved
> > it could be several from the list below.
> >
> > /sbin/grub2-setup
> > /sbin/installkernel
> > /sbin/grub2-reboot
> > /sbin/grub2-probe
> > /sbin/grub2-mkdevicemap
> > /sbin/grub2-set-default
> > /sbin/grubby
> > /sbin/grub2-install
> > /sbin/grub2-mkconfig
> > /sbin/grub2-mknetdir
> > /sbin/new-kernel-pkg
>
> Do you have any (a)?kmod packages installed from rpmfusion.

Yes, we run akmod for nvidia on that system and it also has the new ueif
BIOS. You mentioned modifying grub for the BIOS, is that something that
may need to be done? If so is there documentation about what needs to be
changed?

> I have specified labels for the above files bootloader_exec_t a while
> ago and i was not sure whether this would be a good idea.
>
> I have not had any AVC denials related to this but i do not use grub
> manually often and i also do not have a default grub config because i am
> using uefi setup.
>
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.11 (GNU/Linux)
> > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> > >
> > > iEYEARECAAYFAk8kSvwACgkQrlYvE4MpobOjywCghdmmQAxJ6Y w0Lg9Khj1RlPUV
> > > si0AoIAqVYMmf2pon92UL7gFTUk7nsEQ
> > > =5qAB
> > > -----END PGP SIGNATURE-----
> > >
> > --
> > selinux mailing list
> > selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-29-2012, 09:39 PM
Dominick Grift
 
Default Fedora 16 AVC at boot time

On Sun, 2012-01-29 at 09:48 -0800, David Highley wrote:
> "Dominick Grift wrote:"
> >
> > On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
> > > "Daniel J Walsh wrote:"
> > > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > On 01/28/2012 02:15 PM, David Highley wrote:
> > > > > "David Highley wrote:"
> > > > >>
> > > > >> "Miroslav Grepl wrote:"
> > > > >>>
> > > > >>> On 01/26/2012 05:33 AM, David Highley wrote:
> > > > >>>> "Daniel J Walsh wrote:"
> > > > > On 01/25/2012 01:38 PM, David Highley wrote:
> > > > >>>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39 PM, David
> > > > >>>>>>> Highley wrote:
> > > > >>>>>>>>>> time->Tue Jan 24 06:17:02 2012 type=SYSCALL
> > > > >>>>>>>>>> msg=audit(1327414622.867:2517): arch=c000003e
> > > > >>>>>>>>>> syscall=59 success=yes exit=0 a0=9669f0 a1=cc8170
> > > > >>>>>>>>>> a2=7fff1bf396c8 a3=1f items=0 ppid=5248 pid=5253
> > > > >>>>>>>>>> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > > > >>>>>>>>>> sgid=0 fsgid=0 tty=(none) ses=293 comm="sh"
> > > > >>>>>>>>>> exe="/bin/bash"
> > > > >>>>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>>
> > > > key=(null) type=AVC msg=audit(1327414622.867:2517): avc:
> > > > >>>>>>>>>> denied { transition } for pid=5253 comm="rpm"
> > > > >>>>>>>>>> path="/bin/bash" dev=dm-1 ino=393240
> > > > >>>>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>>
> > > > tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > > > >>>>>>>>>> tclass=process ---- time->Tue Jan 24 06:23:38
> > > > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.410:38):
> > > > >>>>>>>>>> arch=c000003e syscall=2 success=no exit=-13
> > > > >>>>>>>>>> a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68
> > > > >>>>>>>>>> items=0 ppid=1180 pid=1359 auid=4294967295 uid=0
> > > > >>>>>>>>>> gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48
> > > > >>>>>>>>>> fsgid=48 tty=(none) ses=4294967295
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" exe="/usr/sbin/httpd"
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.410:38): avc:
> > > > >>>>>>>>>> denied { search } for pid=1359
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > > >>>>>>>>>> msg=audit(1327415018.410:39): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1360 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.410:39): avc:
> > > > >>>>>>>>>> denied { search } for pid=1360
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > > >>>>>>>>>> msg=audit(1327415018.411:40): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1361 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.411:40): avc:
> > > > >>>>>>>>>> denied { search } for pid=1361
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > > >>>>>>>>>> msg=audit(1327415018.411:41): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1362 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.411:41): avc:
> > > > >>>>>>>>>> denied { search } for pid=1362
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > > >>>>>>>>>> msg=audit(1327415018.414:42): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1365 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.414:42): avc:
> > > > >>>>>>>>>> denied { search } for pid=1365
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > > >>>>>>>>>> msg=audit(1327415018.414:43): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1364 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.414:43): avc:
> > > > >>>>>>>>>> denied { search } for pid=1364
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > > >>>>>>>>>> msg=audit(1327415018.415:44): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1366 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.415:44): avc:
> > > > >>>>>>>>>> denied { search } for pid=1366
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > > >>>>>>>>>> msg=audit(1327415018.416:45): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1363 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd"
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.416:45): avc:
> > > > >>>>>>>>>> denied { search } for pid=1363
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > > > >>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL
> > > > >>>>>>>>>> msg=audit(1327415018.418:46): arch=c000003e
> > > > >>>>>>>>>> syscall=42 success=no exit=-13 a0=3
> > > > >>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
> > > > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> > > > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > > > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>>
> > > > key=(null) type=AVC msg=audit(1327415018.418:46): avc:
> > > > >>>>>>>>>> denied { name_connect } for pid=1369
> > > > >>>>>>>>>> comm="dbus-daemon-lau" dest=111
> > > > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>>
> > > > tcontext=system_ubject_rortmap_port_t:s0
> > > > >>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
> > > > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:47):
> > > > >>>>>>>>>> arch=c000003e syscall=49 success=no exit=-13 a0=3
> > > > >>>>>>>>>> a1=7fff07112f60 a2=10 a3=98 items=0 ppid=1367
> > > > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> > > > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > > > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>>
> > > > key=(null) type=AVC msg=audit(1327415018.418:47): avc:
> > > > >>>>>>>>>> denied { name_bind } for pid=1369
> > > > >>>>>>>>>> comm="dbus-daemon-lau" src=697
> > > > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>>
> > > > tcontext=system_ubject_r:hi_reserved_port_t:s0
> > > > >>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
> > > > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:48):
> > > > >>>>>>>>>> arch=c000003e syscall=42 success=no exit=-13 a0=3
> > > > >>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
> > > > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau"
> > > > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > > > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>>
> > > > key=(null) type=AVC msg=audit(1327415018.418:48): avc:
> > > > >>>>>>>>>> denied { name_connect } for pid=1369
> > > > >>>>>>>>>> comm="dbus-daemon-lau" dest=111
> > > > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>>
> > > > tcontext=system_ubject_rortmap_port_t:s0
> > > > >>>>>>>>>> tclass=tcp_socket
> > > > >>>>>>> Do you have the allow_ypbind boolean permanantly turned
> > > > >>>>>>> on
> > > > >>>>>>>
> > > > >>>>>>> setsebool -P allow_ypbind 1
> > > > >>>>>>>
> > > > >>>>>>>> Yes, we permanently set this bool.
> > > > >>>>>>> If the init script is turning it on, you could see
> > > > >>>>>>> avc's like this.
> > > > >>>>>>>
> > > > >>>>>>> Have no idea what the bootloader->rpm_script one is.
> > > > >>>>>>>
> > > > >>>>>>> There used to be some kernel update scripts that were
> > > > >>>>>>> labeled as bootloader_exec_t? -- selinux mailing list
> > > > >>>>>>> selinux@lists.fedoraproject.org
> > > > >>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > > >
> > > > >>>>>>>
> > > > Strange and these happen on every boot, and then stop?
> > > > >>>>> Just tried another reboot and got the same results so I
> > > > >>>>> would say that it happens on every boot.
> > > > >>>>>
> > > > >>>>>
> > > > >>>> -- selinux mailing list selinux@lists.fedoraproject.org
> > > > >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > > >>> Could you make sure that the policy is installed correctly.
> > > > >>>
> > > > >>> # yum reinstall selinux-policy-targeted
> > > > >>>
> > > > >>> and see if something blows up.
> > > > >>
> > > > >> Same results as before. Did get a new avc just before the reboot
> > > > >> doing a yum update.
> > > > >
> > > > > To add more clarity to the boot up AVC, we did check for any sign
> > > > > of AVC when we reinstalled selinux-policy-targeted.
> > > > >
> > > > >> allow bootloader_t rpm_script_trocess transition; ----
> > > > >> time->Sat Jan 28 07:47:51 2012 type=SYSCALL
> > > > >> msg=audit(1327765671.705:3395): arch=c000003e syscall=59
> > > > >> success=ye s exit=0 a0=1429290 a1=12e3550 a2=7fffd4c974c8 a3=20
> > > > >> items=0 ppid=24868 pid=2487 8 auid=1000 uid=0 gid=0 euid=0 suid=0
> > > > >> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses =404 comm="sh"
> > > > >> exe="/bin/bash"
> > > > >> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0. c1023
> > > > >> key=(null) type=AVC msg=audit(1327765671.705:3395): avc: denied
> > > > >> { transition } for pid=24878 comm="rpm" path="/bin/bash"
> > > > >> dev=dm-1 ino=393240
> > > > >> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> > > > >> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > > > >> tclass=process
> > > > >
> > > > > Packages in this update were: Jan 28 07:46:28 Updated:
> > > > > libuuid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > > > libblkid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > > > 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > > > libcurl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> > > > > curl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> > > > > 12:dhcp-common-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:31 Updated:
> > > > > libmount-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:32 Updated:
> > > > > setroubleshoot-server-3.1.2-1.fc16.x86_64 Jan 28 07:46:32
> > > > > Installed: python-tornado-2.1.1-1.fc16.noarch Jan 28 07:46:33
> > > > > Updated: python-kitchen-1.1.0-1.fc16.noarch Jan 28 07:46:33
> > > > > Updated: pyrpkg-1.11-1.fc16.noarch Jan 28 07:46:34 Updated:
> > > > > mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64 Jan 28 07:46:39
> > > > > Installed: kernel-3.2.2-1.fc16.x86_64 Jan 28 07:46:40 Updated:
> > > > > xorg-x11-drv-intel-2.17.0-8.fc16.x86_64 Jan 28 07:46:40 Updated:
> > > > > mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64 Jan 28
> > > > > 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch Jan 28 07:46:42 Updated:
> > > > > ipython-0.12-2.fc16.noarch Jan 28 07:46:43 Updated:
> > > > > setroubleshoot-3.1.2-1.fc16.x86_64 Jan 28 07:46:44 Updated:
> > > > > util-linux-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:44 Updated:
> > > > > 12:dhclient-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:46 Updated:
> > > > > libcurl-devel-7.21.7-6.fc16.x86_64 Jan 28 07:46:47 Updated:
> > > > > rsyslog-5.8.7-1.fc16.x86_64 Jan 28 07:46:48 Updated:
> > > > > t1lib-5.1.2-9.fc16.x86_64 Jan 28 07:46:49 Updated:
> > > > > kernel-headers-3.2.2-1.fc16.x86_64 Jan 28 07:46:59 Installed:
> > > > > kernel-devel-3.2.2-1.fc16.x86_64 Jan 28 07:47:00 Updated:
> > > > > mdadm-3.2.3-3.fc16.x86_64
> > > > >> -- selinux mailing list selinux@lists.fedoraproject.org
> > > > >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > > >>
> > > > >
> > > > >
> > > >
> > > > Any idea of what process is running as bootloader_t?
> > > >
> > > > ps -eZ | grep bootloader_t
> > > > or
> > > > find /sbin/ -context "*:bootloader_exec_t*"
> > >
> > > Since we were running yum update and there was a kernel update involved
> > > it could be several from the list below.
> > >
> > > /sbin/grub2-setup
> > > /sbin/installkernel
> > > /sbin/grub2-reboot
> > > /sbin/grub2-probe
> > > /sbin/grub2-mkdevicemap
> > > /sbin/grub2-set-default
> > > /sbin/grubby
> > > /sbin/grub2-install
> > > /sbin/grub2-mkconfig
> > > /sbin/grub2-mknetdir
> > > /sbin/new-kernel-pkg
> >
> > Do you have any (a)?kmod packages installed from rpmfusion.
>
> Yes, we run akmod for nvidia on that system and it also has the new ueif
> BIOS. You mentioned modifying grub for the BIOS, is that something that
> may need to be done? If so is there documentation about what needs to be
> changed?

I meant "i also do not have a default grub config because i am using
uefi setup." because a uefi setup requires package grub-efi which is not
installed if you do not use uefi. I have not modified grub manually in
any way.

I suspect above issue might be related to akmod. Not sure though. I use
to have a policy module for akmod back in the day. Would maybe have been
useful now to be able to determine whether this is actually akmod or
something else running in the bootloader domain.

> > I have specified labels for the above files bootloader_exec_t a while
> > ago and i was not sure whether this would be a good idea.
> >
> > I have not had any AVC denials related to this but i do not use grub
> > manually often and i also do not have a default grub config because i am
> > using uefi setup.
> >
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: GnuPG v1.4.11 (GNU/Linux)
> > > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> > > >
> > > > iEYEARECAAYFAk8kSvwACgkQrlYvE4MpobOjywCghdmmQAxJ6Y w0Lg9Khj1RlPUV
> > > > si0AoIAqVYMmf2pon92UL7gFTUk7nsEQ
> > > > =5qAB
> > > > -----END PGP SIGNATURE-----
> > > >
> > > --
> > > selinux mailing list
> > > selinux@lists.fedoraproject.org
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
> > --
> > selinux mailing list
> > selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-30-2012, 05:30 PM
Daniel J Walsh
 
Default Fedora 16 AVC at boot time

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/29/2012 05:39 PM, Dominick Grift wrote:
> On Sun, 2012-01-29 at 09:48 -0800, David Highley wrote:
>> "Dominick Grift wrote:"
>>>
>>> On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
>>>> "Daniel J Walsh wrote:"
>>>>>
> On 01/28/2012 02:15 PM, David Highley wrote:
>>>>>>> "David Highley wrote:"
>>>>>>>>
>>>>>>>> "Miroslav Grepl wrote:"
>>>>>>>>>
>>>>>>>>> On 01/26/2012 05:33 AM, David Highley wrote:
>>>>>>>>>> "Daniel J Walsh wrote:"
>>>>>>> On 01/25/2012 01:38 PM, David Highley wrote:
>>>>>>>>>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39
>>>>>>>>>>>>> PM, David Highley wrote:
>>>>>>>>>>>>>>>> time->Tue Jan 24 06:17:02 2012
>>>>>>>>>>>>>>>> type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327414622.867:2517):
>>>>>>>>>>>>>>>> arch=c000003e syscall=59 success=yes
>>>>>>>>>>>>>>>> exit=0 a0=9669f0 a1=cc8170
>>>>>>>>>>>>>>>> a2=7fff1bf396c8 a3=1f items=0
>>>>>>>>>>>>>>>> ppid=5248 pid=5253 auid=0 uid=0 gid=0
>>>>>>>>>>>>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>>>>>>>>>>>>>> fsgid=0 tty=(none) ses=293 comm="sh"
>>>>>>>>>>>>>>>> exe="/bin/bash"
>>>>>>>>>>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>>
key=(null) type=AVC msg=audit(1327414622.867:2517): avc:
>>>>>>>>>>>>>>>> denied { transition } for pid=5253
>>>>>>>>>>>>>>>> comm="rpm" path="/bin/bash" dev=dm-1
>>>>>>>>>>>>>>>> ino=393240
>>>>>>>>>>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>>
tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>> tclass=process ---- time->Tue Jan 24
>>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327415018.410:38):
>>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
>>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
>>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
>>>>>>>>>>>>>>>> ppid=1180 pid=1359 auid=4294967295
>>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
>>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
>>>>>>>>>>>>>>>> ses=4294967295 comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>>> msg=audit(1327415018.410:38): avc:
>>>>>>>>>>>>>>>> denied { search } for pid=1359
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
>>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
>>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327415018.410:39):
>>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
>>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
>>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
>>>>>>>>>>>>>>>> ppid=1180 pid=1360 auid=4294967295
>>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
>>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
>>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>>> msg=audit(1327415018.410:39): avc:
>>>>>>>>>>>>>>>> denied { search } for pid=1360
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
>>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
>>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327415018.411:40):
>>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
>>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
>>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
>>>>>>>>>>>>>>>> ppid=1180 pid=1361 auid=4294967295
>>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
>>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
>>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>>> msg=audit(1327415018.411:40): avc:
>>>>>>>>>>>>>>>> denied { search } for pid=1361
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
>>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
>>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327415018.411:41):
>>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
>>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
>>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
>>>>>>>>>>>>>>>> ppid=1180 pid=1362 auid=4294967295
>>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
>>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
>>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>>> msg=audit(1327415018.411:41): avc:
>>>>>>>>>>>>>>>> denied { search } for pid=1362
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
>>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
>>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327415018.414:42):
>>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
>>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
>>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
>>>>>>>>>>>>>>>> ppid=1180 pid=1365 auid=4294967295
>>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
>>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
>>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>>> msg=audit(1327415018.414:42): avc:
>>>>>>>>>>>>>>>> denied { search } for pid=1365
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
>>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
>>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327415018.414:43):
>>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
>>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
>>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
>>>>>>>>>>>>>>>> ppid=1180 pid=1364 auid=4294967295
>>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
>>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
>>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>>> msg=audit(1327415018.414:43): avc:
>>>>>>>>>>>>>>>> denied { search } for pid=1364
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
>>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
>>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327415018.415:44):
>>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
>>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
>>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
>>>>>>>>>>>>>>>> ppid=1180 pid=1366 auid=4294967295
>>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
>>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
>>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>>> msg=audit(1327415018.415:44): avc:
>>>>>>>>>>>>>>>> denied { search } for pid=1366
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
>>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
>>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327415018.416:45):
>>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
>>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
>>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
>>>>>>>>>>>>>>>> ppid=1180 pid=1363 auid=4294967295
>>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
>>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
>>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>>> msg=audit(1327415018.416:45): avc:
>>>>>>>>>>>>>>>> denied { search } for pid=1363
>>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
>>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
>>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327415018.418:46):
>>>>>>>>>>>>>>>> arch=c000003e syscall=42 success=no
>>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff071131f0 a2=10
>>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367 pid=1369
>>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81 euid=0
>>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81
>>>>>>>>>>>>>>>> fsgid=81 tty=(none) ses=4294967295
>>>>>>>>>>>>>>>> comm="dbus-daemon-lau"
>>>>>>>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>>
key=(null) type=AVC msg=audit(1327415018.418:46): avc:
>>>>>>>>>>>>>>>> denied { name_connect } for
>>>>>>>>>>>>>>>> pid=1369 comm="dbus-daemon-lau"
>>>>>>>>>>>>>>>> dest=111
>>>>>>>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>>
tcontext=system_ubject_rortmap_port_t:s0
>>>>>>>>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan
>>>>>>>>>>>>>>>> 24 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327415018.418:47):
>>>>>>>>>>>>>>>> arch=c000003e syscall=49 success=no
>>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff07112f60 a2=10
>>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367 pid=1369
>>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81 euid=0
>>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81
>>>>>>>>>>>>>>>> fsgid=81 tty=(none) ses=4294967295
>>>>>>>>>>>>>>>> comm="dbus-daemon-lau"
>>>>>>>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>>
key=(null) type=AVC msg=audit(1327415018.418:47): avc:
>>>>>>>>>>>>>>>> denied { name_bind } for pid=1369
>>>>>>>>>>>>>>>> comm="dbus-daemon-lau" src=697
>>>>>>>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>>
tcontext=system_ubject_r:hi_reserved_port_t:s0
>>>>>>>>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan
>>>>>>>>>>>>>>>> 24 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>> msg=audit(1327415018.418:48):
>>>>>>>>>>>>>>>> arch=c000003e syscall=42 success=no
>>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff071131f0 a2=10
>>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367 pid=1369
>>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81 euid=0
>>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81
>>>>>>>>>>>>>>>> fsgid=81 tty=(none) ses=4294967295
>>>>>>>>>>>>>>>> comm="dbus-daemon-lau"
>>>>>>>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>>
key=(null) type=AVC msg=audit(1327415018.418:48): avc:
>>>>>>>>>>>>>>>> denied { name_connect } for
>>>>>>>>>>>>>>>> pid=1369 comm="dbus-daemon-lau"
>>>>>>>>>>>>>>>> dest=111
>>>>>>>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>>
tcontext=system_ubject_rortmap_port_t:s0
>>>>>>>>>>>>>>>> tclass=tcp_socket
>>>>>>>>>>>>> Do you have the allow_ypbind boolean
>>>>>>>>>>>>> permanantly turned on
>>>>>>>>>>>>>
>>>>>>>>>>>>> setsebool -P allow_ypbind 1
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes, we permanently set this bool.
>>>>>>>>>>>>> If the init script is turning it on, you
>>>>>>>>>>>>> could see avc's like this.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Have no idea what the
>>>>>>>>>>>>> bootloader->rpm_script one is.
>>>>>>>>>>>>>
>>>>>>>>>>>>> There used to be some kernel update scripts
>>>>>>>>>>>>> that were labeled as bootloader_exec_t? --
>>>>>>>>>>>>> selinux mailing list
>>>>>>>>>>>>> selinux@lists.fedoraproject.org
>>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>>>>>>>>>
>
>>>>>>>>>>>>>
Strange and these happen on every boot, and then stop?
>>>>>>>>>>> Just tried another reboot and got the same
>>>>>>>>>>> results so I would say that it happens on every
>>>>>>>>>>> boot.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> -- selinux mailing list
>>>>>>>>>> selinux@lists.fedoraproject.org
>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>>
>>>>>>>>>>
Could you make sure that the policy is installed correctly.
>>>>>>>>>
>>>>>>>>> # yum reinstall selinux-policy-targeted
>>>>>>>>>
>>>>>>>>> and see if something blows up.
>>>>>>>>
>>>>>>>> Same results as before. Did get a new avc just before
>>>>>>>> the reboot doing a yum update.
>>>>>>>
>>>>>>> To add more clarity to the boot up AVC, we did check
>>>>>>> for any sign of AVC when we reinstalled
>>>>>>> selinux-policy-targeted.
>>>>>>>
>>>>>>>> allow bootloader_t rpm_script_trocess transition;
>>>>>>>> ---- time->Sat Jan 28 07:47:51 2012 type=SYSCALL
>>>>>>>> msg=audit(1327765671.705:3395): arch=c000003e
>>>>>>>> syscall=59 success=ye s exit=0 a0=1429290 a1=12e3550
>>>>>>>> a2=7fffd4c974c8 a3=20 items=0 ppid=24868 pid=2487 8
>>>>>>>> auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>>>>>> sgid=0 fsgid=0 tty=pts0 ses =404 comm="sh"
>>>>>>>> exe="/bin/bash"
>>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.
>>>>>>>> c1023 key=(null) type=AVC
>>>>>>>> msg=audit(1327765671.705:3395): avc: denied {
>>>>>>>> transition } for pid=24878 comm="rpm"
>>>>>>>> path="/bin/bash" dev=dm-1 ino=393240
>>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
>>>>>>>>
>>>>>>>> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
>>>>>>>> tclass=process
>>>>>>>
>>>>>>> Packages in this update were: Jan 28 07:46:28 Updated:
>>>>>>> libuuid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29
>>>>>>> Updated: libblkid-2.20.1-2.2.fc16.x86_64 Jan 28
>>>>>>> 07:46:29 Updated: 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64
>>>>>>> Jan 28 07:46:29 Updated: libcurl-7.21.7-6.fc16.x86_64
>>>>>>> Jan 28 07:46:30 Updated: curl-7.21.7-6.fc16.x86_64 Jan
>>>>>>> 28 07:46:30 Updated:
>>>>>>> 12:dhcp-common-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:31
>>>>>>> Updated: libmount-2.20.1-2.2.fc16.x86_64 Jan 28
>>>>>>> 07:46:32 Updated:
>>>>>>> setroubleshoot-server-3.1.2-1.fc16.x86_64 Jan 28
>>>>>>> 07:46:32 Installed: python-tornado-2.1.1-1.fc16.noarch
>>>>>>> Jan 28 07:46:33 Updated:
>>>>>>> python-kitchen-1.1.0-1.fc16.noarch Jan 28 07:46:33
>>>>>>> Updated: pyrpkg-1.11-1.fc16.noarch Jan 28 07:46:34
>>>>>>> Updated:
>>>>>>> mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64 Jan
>>>>>>> 28 07:46:39 Installed: kernel-3.2.2-1.fc16.x86_64 Jan
>>>>>>> 28 07:46:40 Updated:
>>>>>>> xorg-x11-drv-intel-2.17.0-8.fc16.x86_64 Jan 28 07:46:40
>>>>>>> Updated:
>>>>>>> mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64
>>>>>>> Jan 28 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch Jan
>>>>>>> 28 07:46:42 Updated: ipython-0.12-2.fc16.noarch Jan 28
>>>>>>> 07:46:43 Updated: setroubleshoot-3.1.2-1.fc16.x86_64
>>>>>>> Jan 28 07:46:44 Updated:
>>>>>>> util-linux-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:44
>>>>>>> Updated: 12:dhclient-4.2.3-6.P2.fc16.x86_64 Jan 28
>>>>>>> 07:46:46 Updated: libcurl-devel-7.21.7-6.fc16.x86_64
>>>>>>> Jan 28 07:46:47 Updated: rsyslog-5.8.7-1.fc16.x86_64
>>>>>>> Jan 28 07:46:48 Updated: t1lib-5.1.2-9.fc16.x86_64 Jan
>>>>>>> 28 07:46:49 Updated: kernel-headers-3.2.2-1.fc16.x86_64
>>>>>>> Jan 28 07:46:59 Installed:
>>>>>>> kernel-devel-3.2.2-1.fc16.x86_64 Jan 28 07:47:00
>>>>>>> Updated: mdadm-3.2.3-3.fc16.x86_64
>>>>>>>> -- selinux mailing list
>>>>>>>> selinux@lists.fedoraproject.org
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>
>>>>>>>
>>>>>>>
>
>>>>>>>>
> Any idea of what process is running as bootloader_t?
>
> ps -eZ | grep bootloader_t or find /sbin/ -context
> "*:bootloader_exec_t*"
>>>>>
>>>>> Since we were running yum update and there was a kernel
>>>>> update involved it could be several from the list below.
>>>>>
>>>>> /sbin/grub2-setup /sbin/installkernel /sbin/grub2-reboot
>>>>> /sbin/grub2-probe /sbin/grub2-mkdevicemap
>>>>> /sbin/grub2-set-default /sbin/grubby /sbin/grub2-install
>>>>> /sbin/grub2-mkconfig /sbin/grub2-mknetdir
>>>>> /sbin/new-kernel-pkg
>>>>
>>>> Do you have any (a)?kmod packages installed from rpmfusion.
>>>
>>> Yes, we run akmod for nvidia on that system and it also has the
>>> new ueif BIOS. You mentioned modifying grub for the BIOS, is
>>> that something that may need to be done? If so is there
>>> documentation about what needs to be changed?
>
>> I meant "i also do not have a default grub config because i am
>> using uefi setup." because a uefi setup requires package grub-efi
>> which is not installed if you do not use uefi. I have not
>> modified grub manually in any way.
>
>> I suspect above issue might be related to akmod. Not sure though.
>> I use to have a policy module for akmod back in the day. Would
>> maybe have been useful now to be able to determine whether this
>> is actually akmod or something else running in the bootloader
>> domain.
>
>>>> I have specified labels for the above files bootloader_exec_t
>>>> a while ago and i was not sure whether this would be a good
>>>> idea.
>>>>
>>>> I have not had any AVC denials related to this but i do not
>>>> use grub manually often and i also do not have a default grub
>>>> config because i am using uefi setup.
>>>>
>>>>>
>>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>> -- selinux mailing list selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>

These files are mislabeled. They should not be labeled grub_exec_t.
/sbin/installkernel
/sbin/new-kernel-pkg

If restorecon does not fix the labels, then you need to update policy.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8m4a8ACgkQrlYvE4MpobPUcgCffvdg9eDYd3 Gnj4vV2pxYW+HB
CuMAoKg32tl1hxMkE3aNR3qYS3+IwCdx
=n2Is
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-30-2012, 08:07 PM
David Highley
 
Default Fedora 16 AVC at boot time

"Daniel J Walsh wrote:"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/29/2012 05:39 PM, Dominick Grift wrote:
> > On Sun, 2012-01-29 at 09:48 -0800, David Highley wrote:
> >> "Dominick Grift wrote:"
> >>>
> >>> On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
> >>>> "Daniel J Walsh wrote:"
> >>>>>
> > On 01/28/2012 02:15 PM, David Highley wrote:
> >>>>>>> "David Highley wrote:"
> >>>>>>>>
> >>>>>>>> "Miroslav Grepl wrote:"
> >>>>>>>>>
> >>>>>>>>> On 01/26/2012 05:33 AM, David Highley wrote:
> >>>>>>>>>> "Daniel J Walsh wrote:"
> >>>>>>> On 01/25/2012 01:38 PM, David Highley wrote:
> >>>>>>>>>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39
> >>>>>>>>>>>>> PM, David Highley wrote:
> >>>>>>>>>>>>>>>> time->Tue Jan 24 06:17:02 2012
> >>>>>>>>>>>>>>>> type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327414622.867:2517):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=59 success=yes
> >>>>>>>>>>>>>>>> exit=0 a0=9669f0 a1=cc8170
> >>>>>>>>>>>>>>>> a2=7fff1bf396c8 a3=1f items=0
> >>>>>>>>>>>>>>>> ppid=5248 pid=5253 auid=0 uid=0 gid=0
> >>>>>>>>>>>>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0
> >>>>>>>>>>>>>>>> fsgid=0 tty=(none) ses=293 comm="sh"
> >>>>>>>>>>>>>>>> exe="/bin/bash"
> >>>>>>>>>>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>
> key=(null) type=AVC msg=audit(1327414622.867:2517): avc:
> >>>>>>>>>>>>>>>> denied { transition } for pid=5253
> >>>>>>>>>>>>>>>> comm="rpm" path="/bin/bash" dev=dm-1
> >>>>>>>>>>>>>>>> ino=393240
> >>>>>>>>>>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>
> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> >>>>>>>>>>>>>>>> tclass=process ---- time->Tue Jan 24
> >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327415018.410:38):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> >>>>>>>>>>>>>>>> ppid=1180 pid=1359 auid=4294967295
> >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> >>>>>>>>>>>>>>>> ses=4294967295 comm="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>> key=(null) type=AVC
> >>>>>>>>>>>>>>>> msg=audit(1327415018.410:38): avc:
> >>>>>>>>>>>>>>>> denied { search } for pid=1359
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327415018.410:39):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> >>>>>>>>>>>>>>>> ppid=1180 pid=1360 auid=4294967295
> >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> >>>>>>>>>>>>>>>> ses=4294967295
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>> key=(null) type=AVC
> >>>>>>>>>>>>>>>> msg=audit(1327415018.410:39): avc:
> >>>>>>>>>>>>>>>> denied { search } for pid=1360
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327415018.411:40):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> >>>>>>>>>>>>>>>> ppid=1180 pid=1361 auid=4294967295
> >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> >>>>>>>>>>>>>>>> ses=4294967295
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>> key=(null) type=AVC
> >>>>>>>>>>>>>>>> msg=audit(1327415018.411:40): avc:
> >>>>>>>>>>>>>>>> denied { search } for pid=1361
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327415018.411:41):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> >>>>>>>>>>>>>>>> ppid=1180 pid=1362 auid=4294967295
> >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> >>>>>>>>>>>>>>>> ses=4294967295
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>> key=(null) type=AVC
> >>>>>>>>>>>>>>>> msg=audit(1327415018.411:41): avc:
> >>>>>>>>>>>>>>>> denied { search } for pid=1362
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327415018.414:42):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> >>>>>>>>>>>>>>>> ppid=1180 pid=1365 auid=4294967295
> >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> >>>>>>>>>>>>>>>> ses=4294967295
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>> key=(null) type=AVC
> >>>>>>>>>>>>>>>> msg=audit(1327415018.414:42): avc:
> >>>>>>>>>>>>>>>> denied { search } for pid=1365
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327415018.414:43):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> >>>>>>>>>>>>>>>> ppid=1180 pid=1364 auid=4294967295
> >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> >>>>>>>>>>>>>>>> ses=4294967295
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>> key=(null) type=AVC
> >>>>>>>>>>>>>>>> msg=audit(1327415018.414:43): avc:
> >>>>>>>>>>>>>>>> denied { search } for pid=1364
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327415018.415:44):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> >>>>>>>>>>>>>>>> ppid=1180 pid=1366 auid=4294967295
> >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> >>>>>>>>>>>>>>>> ses=4294967295
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>> key=(null) type=AVC
> >>>>>>>>>>>>>>>> msg=audit(1327415018.415:44): avc:
> >>>>>>>>>>>>>>>> denied { search } for pid=1366
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327415018.416:45):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> >>>>>>>>>>>>>>>> ppid=1180 pid=1363 auid=4294967295
> >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> >>>>>>>>>>>>>>>> ses=4294967295
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>> key=(null) type=AVC
> >>>>>>>>>>>>>>>> msg=audit(1327415018.416:45): avc:
> >>>>>>>>>>>>>>>> denied { search } for pid=1363
> >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327415018.418:46):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=42 success=no
> >>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff071131f0 a2=10
> >>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367 pid=1369
> >>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81 euid=0
> >>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81
> >>>>>>>>>>>>>>>> fsgid=81 tty=(none) ses=4294967295
> >>>>>>>>>>>>>>>> comm="dbus-daemon-lau"
> >>>>>>>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>
> key=(null) type=AVC msg=audit(1327415018.418:46): avc:
> >>>>>>>>>>>>>>>> denied { name_connect } for
> >>>>>>>>>>>>>>>> pid=1369 comm="dbus-daemon-lau"
> >>>>>>>>>>>>>>>> dest=111
> >>>>>>>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>
> tcontext=system_ubject_rortmap_port_t:s0
> >>>>>>>>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan
> >>>>>>>>>>>>>>>> 24 06:23:38 2012 type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327415018.418:47):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=49 success=no
> >>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff07112f60 a2=10
> >>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367 pid=1369
> >>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81 euid=0
> >>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81
> >>>>>>>>>>>>>>>> fsgid=81 tty=(none) ses=4294967295
> >>>>>>>>>>>>>>>> comm="dbus-daemon-lau"
> >>>>>>>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>
> key=(null) type=AVC msg=audit(1327415018.418:47): avc:
> >>>>>>>>>>>>>>>> denied { name_bind } for pid=1369
> >>>>>>>>>>>>>>>> comm="dbus-daemon-lau" src=697
> >>>>>>>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>
> tcontext=system_ubject_r:hi_reserved_port_t:s0
> >>>>>>>>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan
> >>>>>>>>>>>>>>>> 24 06:23:38 2012 type=SYSCALL
> >>>>>>>>>>>>>>>> msg=audit(1327415018.418:48):
> >>>>>>>>>>>>>>>> arch=c000003e syscall=42 success=no
> >>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff071131f0 a2=10
> >>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367 pid=1369
> >>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81 euid=0
> >>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81
> >>>>>>>>>>>>>>>> fsgid=81 tty=(none) ses=4294967295
> >>>>>>>>>>>>>>>> comm="dbus-daemon-lau"
> >>>>>>>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>
> key=(null) type=AVC msg=audit(1327415018.418:48): avc:
> >>>>>>>>>>>>>>>> denied { name_connect } for
> >>>>>>>>>>>>>>>> pid=1369 comm="dbus-daemon-lau"
> >>>>>>>>>>>>>>>> dest=111
> >>>>>>>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>
> tcontext=system_ubject_rortmap_port_t:s0
> >>>>>>>>>>>>>>>> tclass=tcp_socket
> >>>>>>>>>>>>> Do you have the allow_ypbind boolean
> >>>>>>>>>>>>> permanantly turned on
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> setsebool -P allow_ypbind 1
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Yes, we permanently set this bool.
> >>>>>>>>>>>>> If the init script is turning it on, you
> >>>>>>>>>>>>> could see avc's like this.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Have no idea what the
> >>>>>>>>>>>>> bootloader->rpm_script one is.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> There used to be some kernel update scripts
> >>>>>>>>>>>>> that were labeled as bootloader_exec_t? --
> >>>>>>>>>>>>> selinux mailing list
> >>>>>>>>>>>>> selinux@lists.fedoraproject.org
> >>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>
> >>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>
> Strange and these happen on every boot, and then stop?
> >>>>>>>>>>> Just tried another reboot and got the same
> >>>>>>>>>>> results so I would say that it happens on every
> >>>>>>>>>>> boot.
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>> -- selinux mailing list
> >>>>>>>>>> selinux@lists.fedoraproject.org
> >>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>>>
> >>>>>>>>>>
> Could you make sure that the policy is installed correctly.
> >>>>>>>>>
> >>>>>>>>> # yum reinstall selinux-policy-targeted
> >>>>>>>>>
> >>>>>>>>> and see if something blows up.
> >>>>>>>>
> >>>>>>>> Same results as before. Did get a new avc just before
> >>>>>>>> the reboot doing a yum update.
> >>>>>>>
> >>>>>>> To add more clarity to the boot up AVC, we did check
> >>>>>>> for any sign of AVC when we reinstalled
> >>>>>>> selinux-policy-targeted.
> >>>>>>>
> >>>>>>>> allow bootloader_t rpm_script_trocess transition;
> >>>>>>>> ---- time->Sat Jan 28 07:47:51 2012 type=SYSCALL
> >>>>>>>> msg=audit(1327765671.705:3395): arch=c000003e
> >>>>>>>> syscall=59 success=ye s exit=0 a0=1429290 a1=12e3550
> >>>>>>>> a2=7fffd4c974c8 a3=20 items=0 ppid=24868 pid=2487 8
> >>>>>>>> auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> >>>>>>>> sgid=0 fsgid=0 tty=pts0 ses =404 comm="sh"
> >>>>>>>> exe="/bin/bash"
> >>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.
> >>>>>>>> c1023 key=(null) type=AVC
> >>>>>>>> msg=audit(1327765671.705:3395): avc: denied {
> >>>>>>>> transition } for pid=24878 comm="rpm"
> >>>>>>>> path="/bin/bash" dev=dm-1 ino=393240
> >>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> >>>>>>>>
> >>>>>>>> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> >>>>>>>> tclass=process
> >>>>>>>
> >>>>>>> Packages in this update were: Jan 28 07:46:28 Updated:
> >>>>>>> libuuid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29
> >>>>>>> Updated: libblkid-2.20.1-2.2.fc16.x86_64 Jan 28
> >>>>>>> 07:46:29 Updated: 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64
> >>>>>>> Jan 28 07:46:29 Updated: libcurl-7.21.7-6.fc16.x86_64
> >>>>>>> Jan 28 07:46:30 Updated: curl-7.21.7-6.fc16.x86_64 Jan
> >>>>>>> 28 07:46:30 Updated:
> >>>>>>> 12:dhcp-common-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:31
> >>>>>>> Updated: libmount-2.20.1-2.2.fc16.x86_64 Jan 28
> >>>>>>> 07:46:32 Updated:
> >>>>>>> setroubleshoot-server-3.1.2-1.fc16.x86_64 Jan 28
> >>>>>>> 07:46:32 Installed: python-tornado-2.1.1-1.fc16.noarch
> >>>>>>> Jan 28 07:46:33 Updated:
> >>>>>>> python-kitchen-1.1.0-1.fc16.noarch Jan 28 07:46:33
> >>>>>>> Updated: pyrpkg-1.11-1.fc16.noarch Jan 28 07:46:34
> >>>>>>> Updated:
> >>>>>>> mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64 Jan
> >>>>>>> 28 07:46:39 Installed: kernel-3.2.2-1.fc16.x86_64 Jan
> >>>>>>> 28 07:46:40 Updated:
> >>>>>>> xorg-x11-drv-intel-2.17.0-8.fc16.x86_64 Jan 28 07:46:40
> >>>>>>> Updated:
> >>>>>>> mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64
> >>>>>>> Jan 28 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch Jan
> >>>>>>> 28 07:46:42 Updated: ipython-0.12-2.fc16.noarch Jan 28
> >>>>>>> 07:46:43 Updated: setroubleshoot-3.1.2-1.fc16.x86_64
> >>>>>>> Jan 28 07:46:44 Updated:
> >>>>>>> util-linux-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:44
> >>>>>>> Updated: 12:dhclient-4.2.3-6.P2.fc16.x86_64 Jan 28
> >>>>>>> 07:46:46 Updated: libcurl-devel-7.21.7-6.fc16.x86_64
> >>>>>>> Jan 28 07:46:47 Updated: rsyslog-5.8.7-1.fc16.x86_64
> >>>>>>> Jan 28 07:46:48 Updated: t1lib-5.1.2-9.fc16.x86_64 Jan
> >>>>>>> 28 07:46:49 Updated: kernel-headers-3.2.2-1.fc16.x86_64
> >>>>>>> Jan 28 07:46:59 Installed:
> >>>>>>> kernel-devel-3.2.2-1.fc16.x86_64 Jan 28 07:47:00
> >>>>>>> Updated: mdadm-3.2.3-3.fc16.x86_64
> >>>>>>>> -- selinux mailing list
> >>>>>>>> selinux@lists.fedoraproject.org
> >>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >
> >>>>>>>>
> > Any idea of what process is running as bootloader_t?
> >
> > ps -eZ | grep bootloader_t or find /sbin/ -context
> > "*:bootloader_exec_t*"
> >>>>>
> >>>>> Since we were running yum update and there was a kernel
> >>>>> update involved it could be several from the list below.
> >>>>>
> >>>>> /sbin/grub2-setup /sbin/installkernel /sbin/grub2-reboot
> >>>>> /sbin/grub2-probe /sbin/grub2-mkdevicemap
> >>>>> /sbin/grub2-set-default /sbin/grubby /sbin/grub2-install
> >>>>> /sbin/grub2-mkconfig /sbin/grub2-mknetdir
> >>>>> /sbin/new-kernel-pkg
> >>>>
> >>>> Do you have any (a)?kmod packages installed from rpmfusion.
> >>>
> >>> Yes, we run akmod for nvidia on that system and it also has the
> >>> new ueif BIOS. You mentioned modifying grub for the BIOS, is
> >>> that something that may need to be done? If so is there
> >>> documentation about what needs to be changed?
> >
> >> I meant "i also do not have a default grub config because i am
> >> using uefi setup." because a uefi setup requires package grub-efi
> >> which is not installed if you do not use uefi. I have not
> >> modified grub manually in any way.
> >
> >> I suspect above issue might be related to akmod. Not sure though.
> >> I use to have a policy module for akmod back in the day. Would
> >> maybe have been useful now to be able to determine whether this
> >> is actually akmod or something else running in the bootloader
> >> domain.
> >
> >>>> I have specified labels for the above files bootloader_exec_t
> >>>> a while ago and i was not sure whether this would be a good
> >>>> idea.
> >>>>
> >>>> I have not had any AVC denials related to this but i do not
> >>>> use grub manually often and i also do not have a default grub
> >>>> config because i am using uefi setup.
> >>>>
> >>>>>
> >>>> -- selinux mailing list selinux@lists.fedoraproject.org
> >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>
> >>>
> >>> -- selinux mailing list selinux@lists.fedoraproject.org
> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>
> >> -- selinux mailing list selinux@lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
> > -- selinux mailing list selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
>
> These files are mislabeled. They should not be labeled grub_exec_t.
> /sbin/installkernel
> /sbin/new-kernel-pkg
>
> If restorecon does not fix the labels, then you need to update policy.

They did relabel, so we are wondering how they get incorrect labels?

>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk8m4a8ACgkQrlYvE4MpobPUcgCffvdg9eDYd3 Gnj4vV2pxYW+HB
> CuMAoKg32tl1hxMkE3aNR3qYS3+IwCdx
> =n2Is
> -----END PGP SIGNATURE-----
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-30-2012, 08:31 PM
Dominick Grift
 
Default Fedora 16 AVC at boot time

On Mon, 2012-01-30 at 13:07 -0800, David Highley wrote:
> "Daniel J Walsh wrote:"
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 01/29/2012 05:39 PM, Dominick Grift wrote:
> > > On Sun, 2012-01-29 at 09:48 -0800, David Highley wrote:
> > >> "Dominick Grift wrote:"
> > >>>
> > >>> On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
> > >>>> "Daniel J Walsh wrote:"
> > >>>>>
> > > On 01/28/2012 02:15 PM, David Highley wrote:
> > >>>>>>> "David Highley wrote:"
> > >>>>>>>>
> > >>>>>>>> "Miroslav Grepl wrote:"
> > >>>>>>>>>
> > >>>>>>>>> On 01/26/2012 05:33 AM, David Highley wrote:
> > >>>>>>>>>> "Daniel J Walsh wrote:"
> > >>>>>>> On 01/25/2012 01:38 PM, David Highley wrote:
> > >>>>>>>>>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39
> > >>>>>>>>>>>>> PM, David Highley wrote:
> > >>>>>>>>>>>>>>>> time->Tue Jan 24 06:17:02 2012
> > >>>>>>>>>>>>>>>> type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327414622.867:2517):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=59 success=yes
> > >>>>>>>>>>>>>>>> exit=0 a0=9669f0 a1=cc8170
> > >>>>>>>>>>>>>>>> a2=7fff1bf396c8 a3=1f items=0
> > >>>>>>>>>>>>>>>> ppid=5248 pid=5253 auid=0 uid=0 gid=0
> > >>>>>>>>>>>>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > >>>>>>>>>>>>>>>> fsgid=0 tty=(none) ses=293 comm="sh"
> > >>>>>>>>>>>>>>>> exe="/bin/bash"
> > >>>>>>>>>>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>>
> > >
> > >>>>>>>>>>>>>>>>
> > key=(null) type=AVC msg=audit(1327414622.867:2517): avc:
> > >>>>>>>>>>>>>>>> denied { transition } for pid=5253
> > >>>>>>>>>>>>>>>> comm="rpm" path="/bin/bash" dev=dm-1
> > >>>>>>>>>>>>>>>> ino=393240
> > >>>>>>>>>>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>>
> > >
> > >>>>>>>>>>>>>>>>
> > tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > >>>>>>>>>>>>>>>> tclass=process ---- time->Tue Jan 24
> > >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.410:38):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> > >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> > >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> > >>>>>>>>>>>>>>>> ppid=1180 pid=1359 auid=4294967295
> > >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> > >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> > >>>>>>>>>>>>>>>> ses=4294967295 comm="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>> key=(null) type=AVC
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.410:38): avc:
> > >>>>>>>>>>>>>>>> denied { search } for pid=1359
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> > >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> > >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> > >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> > >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.410:39):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> > >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> > >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> > >>>>>>>>>>>>>>>> ppid=1180 pid=1360 auid=4294967295
> > >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> > >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> > >>>>>>>>>>>>>>>> ses=4294967295
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>> key=(null) type=AVC
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.410:39): avc:
> > >>>>>>>>>>>>>>>> denied { search } for pid=1360
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> > >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> > >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> > >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> > >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.411:40):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> > >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> > >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> > >>>>>>>>>>>>>>>> ppid=1180 pid=1361 auid=4294967295
> > >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> > >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> > >>>>>>>>>>>>>>>> ses=4294967295
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>> key=(null) type=AVC
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.411:40): avc:
> > >>>>>>>>>>>>>>>> denied { search } for pid=1361
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> > >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> > >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> > >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> > >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.411:41):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> > >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> > >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> > >>>>>>>>>>>>>>>> ppid=1180 pid=1362 auid=4294967295
> > >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> > >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> > >>>>>>>>>>>>>>>> ses=4294967295
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>> key=(null) type=AVC
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.411:41): avc:
> > >>>>>>>>>>>>>>>> denied { search } for pid=1362
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> > >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> > >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> > >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> > >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.414:42):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> > >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> > >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> > >>>>>>>>>>>>>>>> ppid=1180 pid=1365 auid=4294967295
> > >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> > >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> > >>>>>>>>>>>>>>>> ses=4294967295
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>> key=(null) type=AVC
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.414:42): avc:
> > >>>>>>>>>>>>>>>> denied { search } for pid=1365
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> > >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> > >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> > >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> > >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.414:43):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> > >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> > >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> > >>>>>>>>>>>>>>>> ppid=1180 pid=1364 auid=4294967295
> > >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> > >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> > >>>>>>>>>>>>>>>> ses=4294967295
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>> key=(null) type=AVC
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.414:43): avc:
> > >>>>>>>>>>>>>>>> denied { search } for pid=1364
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> > >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> > >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> > >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> > >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.415:44):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> > >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> > >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> > >>>>>>>>>>>>>>>> ppid=1180 pid=1366 auid=4294967295
> > >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> > >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> > >>>>>>>>>>>>>>>> ses=4294967295
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>> key=(null) type=AVC
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.415:44): avc:
> > >>>>>>>>>>>>>>>> denied { search } for pid=1366
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> > >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> > >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> > >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> > >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.416:45):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=2 success=no
> > >>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50 a1=0
> > >>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68 items=0
> > >>>>>>>>>>>>>>>> ppid=1180 pid=1363 auid=4294967295
> > >>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0 fsuid=0
> > >>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48 tty=(none)
> > >>>>>>>>>>>>>>>> ses=4294967295
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> exe="/usr/sbin/httpd"
> > >>>>>>>>>>>>>>>> subj=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>> key=(null) type=AVC
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.416:45): avc:
> > >>>>>>>>>>>>>>>> denied { search } for pid=1363
> > >>>>>>>>>>>>>>>> comm="/usr/sbin/httpd" name="yp"
> > >>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
> > >>>>>>>>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>> tcontext=system_ubject_r:var_yp_t:s0
> > >>>>>>>>>>>>>>>> tclass=dir ---- time->Tue Jan 24
> > >>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.418:46):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=42 success=no
> > >>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff071131f0 a2=10
> > >>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367 pid=1369
> > >>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81 euid=0
> > >>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81
> > >>>>>>>>>>>>>>>> fsgid=81 tty=(none) ses=4294967295
> > >>>>>>>>>>>>>>>> comm="dbus-daemon-lau"
> > >>>>>>>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>>
> > >
> > >>>>>>>>>>>>>>>>
> > key=(null) type=AVC msg=audit(1327415018.418:46): avc:
> > >>>>>>>>>>>>>>>> denied { name_connect } for
> > >>>>>>>>>>>>>>>> pid=1369 comm="dbus-daemon-lau"
> > >>>>>>>>>>>>>>>> dest=111
> > >>>>>>>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>>
> > >
> > >>>>>>>>>>>>>>>>
> > tcontext=system_ubject_rortmap_port_t:s0
> > >>>>>>>>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan
> > >>>>>>>>>>>>>>>> 24 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.418:47):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=49 success=no
> > >>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff07112f60 a2=10
> > >>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367 pid=1369
> > >>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81 euid=0
> > >>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81
> > >>>>>>>>>>>>>>>> fsgid=81 tty=(none) ses=4294967295
> > >>>>>>>>>>>>>>>> comm="dbus-daemon-lau"
> > >>>>>>>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>>
> > >
> > >>>>>>>>>>>>>>>>
> > key=(null) type=AVC msg=audit(1327415018.418:47): avc:
> > >>>>>>>>>>>>>>>> denied { name_bind } for pid=1369
> > >>>>>>>>>>>>>>>> comm="dbus-daemon-lau" src=697
> > >>>>>>>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>>
> > >
> > >>>>>>>>>>>>>>>>
> > tcontext=system_ubject_r:hi_reserved_port_t:s0
> > >>>>>>>>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan
> > >>>>>>>>>>>>>>>> 24 06:23:38 2012 type=SYSCALL
> > >>>>>>>>>>>>>>>> msg=audit(1327415018.418:48):
> > >>>>>>>>>>>>>>>> arch=c000003e syscall=42 success=no
> > >>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff071131f0 a2=10
> > >>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367 pid=1369
> > >>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81 euid=0
> > >>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81
> > >>>>>>>>>>>>>>>> fsgid=81 tty=(none) ses=4294967295
> > >>>>>>>>>>>>>>>> comm="dbus-daemon-lau"
> > >>>>>>>>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper"
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>>
> > >
> > >>>>>>>>>>>>>>>>
> > key=(null) type=AVC msg=audit(1327415018.418:48): avc:
> > >>>>>>>>>>>>>>>> denied { name_connect } for
> > >>>>>>>>>>>>>>>> pid=1369 comm="dbus-daemon-lau"
> > >>>>>>>>>>>>>>>> dest=111
> > >>>>>>>>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > >>>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>>>
> > >
> > >>>>>>>>>>>>>>>>
> > tcontext=system_ubject_rortmap_port_t:s0
> > >>>>>>>>>>>>>>>> tclass=tcp_socket
> > >>>>>>>>>>>>> Do you have the allow_ypbind boolean
> > >>>>>>>>>>>>> permanantly turned on
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> setsebool -P allow_ypbind 1
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>>> Yes, we permanently set this bool.
> > >>>>>>>>>>>>> If the init script is turning it on, you
> > >>>>>>>>>>>>> could see avc's like this.
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> Have no idea what the
> > >>>>>>>>>>>>> bootloader->rpm_script one is.
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> There used to be some kernel update scripts
> > >>>>>>>>>>>>> that were labeled as bootloader_exec_t? --
> > >>>>>>>>>>>>> selinux mailing list
> > >>>>>>>>>>>>> selinux@lists.fedoraproject.org
> > >>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >>>>>>>
> > >>>>>>>>>>>>>
> > >
> > >>>>>>>>>>>>>
> > Strange and these happen on every boot, and then stop?
> > >>>>>>>>>>> Just tried another reboot and got the same
> > >>>>>>>>>>> results so I would say that it happens on every
> > >>>>>>>>>>> boot.
> > >>>>>>>>>>>
> > >>>>>>>>>>>
> > >>>>>>>>>> -- selinux mailing list
> > >>>>>>>>>> selinux@lists.fedoraproject.org
> > >>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >>>>>>>>>
> > >>>>>>>>>>
> > Could you make sure that the policy is installed correctly.
> > >>>>>>>>>
> > >>>>>>>>> # yum reinstall selinux-policy-targeted
> > >>>>>>>>>
> > >>>>>>>>> and see if something blows up.
> > >>>>>>>>
> > >>>>>>>> Same results as before. Did get a new avc just before
> > >>>>>>>> the reboot doing a yum update.
> > >>>>>>>
> > >>>>>>> To add more clarity to the boot up AVC, we did check
> > >>>>>>> for any sign of AVC when we reinstalled
> > >>>>>>> selinux-policy-targeted.
> > >>>>>>>
> > >>>>>>>> allow bootloader_t rpm_script_trocess transition;
> > >>>>>>>> ---- time->Sat Jan 28 07:47:51 2012 type=SYSCALL
> > >>>>>>>> msg=audit(1327765671.705:3395): arch=c000003e
> > >>>>>>>> syscall=59 success=ye s exit=0 a0=1429290 a1=12e3550
> > >>>>>>>> a2=7fffd4c974c8 a3=20 items=0 ppid=24868 pid=2487 8
> > >>>>>>>> auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > >>>>>>>> sgid=0 fsgid=0 tty=pts0 ses =404 comm="sh"
> > >>>>>>>> exe="/bin/bash"
> > >>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.
> > >>>>>>>> c1023 key=(null) type=AVC
> > >>>>>>>> msg=audit(1327765671.705:3395): avc: denied {
> > >>>>>>>> transition } for pid=24878 comm="rpm"
> > >>>>>>>> path="/bin/bash" dev=dm-1 ino=393240
> > >>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> > >>>>>>>>
> > >>>>>>>> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > >>>>>>>> tclass=process
> > >>>>>>>
> > >>>>>>> Packages in this update were: Jan 28 07:46:28 Updated:
> > >>>>>>> libuuid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29
> > >>>>>>> Updated: libblkid-2.20.1-2.2.fc16.x86_64 Jan 28
> > >>>>>>> 07:46:29 Updated: 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64
> > >>>>>>> Jan 28 07:46:29 Updated: libcurl-7.21.7-6.fc16.x86_64
> > >>>>>>> Jan 28 07:46:30 Updated: curl-7.21.7-6.fc16.x86_64 Jan
> > >>>>>>> 28 07:46:30 Updated:
> > >>>>>>> 12:dhcp-common-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:31
> > >>>>>>> Updated: libmount-2.20.1-2.2.fc16.x86_64 Jan 28
> > >>>>>>> 07:46:32 Updated:
> > >>>>>>> setroubleshoot-server-3.1.2-1.fc16.x86_64 Jan 28
> > >>>>>>> 07:46:32 Installed: python-tornado-2.1.1-1.fc16.noarch
> > >>>>>>> Jan 28 07:46:33 Updated:
> > >>>>>>> python-kitchen-1.1.0-1.fc16.noarch Jan 28 07:46:33
> > >>>>>>> Updated: pyrpkg-1.11-1.fc16.noarch Jan 28 07:46:34
> > >>>>>>> Updated:
> > >>>>>>> mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64 Jan
> > >>>>>>> 28 07:46:39 Installed: kernel-3.2.2-1.fc16.x86_64 Jan
> > >>>>>>> 28 07:46:40 Updated:
> > >>>>>>> xorg-x11-drv-intel-2.17.0-8.fc16.x86_64 Jan 28 07:46:40
> > >>>>>>> Updated:
> > >>>>>>> mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64
> > >>>>>>> Jan 28 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch Jan
> > >>>>>>> 28 07:46:42 Updated: ipython-0.12-2.fc16.noarch Jan 28
> > >>>>>>> 07:46:43 Updated: setroubleshoot-3.1.2-1.fc16.x86_64
> > >>>>>>> Jan 28 07:46:44 Updated:
> > >>>>>>> util-linux-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:44
> > >>>>>>> Updated: 12:dhclient-4.2.3-6.P2.fc16.x86_64 Jan 28
> > >>>>>>> 07:46:46 Updated: libcurl-devel-7.21.7-6.fc16.x86_64
> > >>>>>>> Jan 28 07:46:47 Updated: rsyslog-5.8.7-1.fc16.x86_64
> > >>>>>>> Jan 28 07:46:48 Updated: t1lib-5.1.2-9.fc16.x86_64 Jan
> > >>>>>>> 28 07:46:49 Updated: kernel-headers-3.2.2-1.fc16.x86_64
> > >>>>>>> Jan 28 07:46:59 Installed:
> > >>>>>>> kernel-devel-3.2.2-1.fc16.x86_64 Jan 28 07:47:00
> > >>>>>>> Updated: mdadm-3.2.3-3.fc16.x86_64
> > >>>>>>>> -- selinux mailing list
> > >>>>>>>> selinux@lists.fedoraproject.org
> > >>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >>>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >
> > >>>>>>>>
> > > Any idea of what process is running as bootloader_t?
> > >
> > > ps -eZ | grep bootloader_t or find /sbin/ -context
> > > "*:bootloader_exec_t*"
> > >>>>>
> > >>>>> Since we were running yum update and there was a kernel
> > >>>>> update involved it could be several from the list below.
> > >>>>>
> > >>>>> /sbin/grub2-setup /sbin/installkernel /sbin/grub2-reboot
> > >>>>> /sbin/grub2-probe /sbin/grub2-mkdevicemap
> > >>>>> /sbin/grub2-set-default /sbin/grubby /sbin/grub2-install
> > >>>>> /sbin/grub2-mkconfig /sbin/grub2-mknetdir
> > >>>>> /sbin/new-kernel-pkg
> > >>>>
> > >>>> Do you have any (a)?kmod packages installed from rpmfusion.
> > >>>
> > >>> Yes, we run akmod for nvidia on that system and it also has the
> > >>> new ueif BIOS. You mentioned modifying grub for the BIOS, is
> > >>> that something that may need to be done? If so is there
> > >>> documentation about what needs to be changed?
> > >
> > >> I meant "i also do not have a default grub config because i am
> > >> using uefi setup." because a uefi setup requires package grub-efi
> > >> which is not installed if you do not use uefi. I have not
> > >> modified grub manually in any way.
> > >
> > >> I suspect above issue might be related to akmod. Not sure though.
> > >> I use to have a policy module for akmod back in the day. Would
> > >> maybe have been useful now to be able to determine whether this
> > >> is actually akmod or something else running in the bootloader
> > >> domain.
> > >
> > >>>> I have specified labels for the above files bootloader_exec_t
> > >>>> a while ago and i was not sure whether this would be a good
> > >>>> idea.
> > >>>>
> > >>>> I have not had any AVC denials related to this but i do not
> > >>>> use grub manually often and i also do not have a default grub
> > >>>> config because i am using uefi setup.
> > >>>>
> > >>>>>
> > >>>> -- selinux mailing list selinux@lists.fedoraproject.org
> > >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >>>
> > >>>
> > >>> -- selinux mailing list selinux@lists.fedoraproject.org
> > >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >>>
> > >> -- selinux mailing list selinux@lists.fedoraproject.org
> > >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >
> > >
> > > -- selinux mailing list selinux@lists.fedoraproject.org
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >
> > >
> >
> > These files are mislabeled. They should not be labeled grub_exec_t.
> > /sbin/installkernel
> > /sbin/new-kernel-pkg
> >
> > If restorecon does not fix the labels, then you need to update policy.
>
> They did relabel, so we are wondering how they get incorrect labels?

they use to be labeled bootloader_exec_t at some point then later the
file context specification changed and somehow the /sbin dir has not
been restored from that point on is my best bet.

> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.11 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> >
> > iEYEARECAAYFAk8m4a8ACgkQrlYvE4MpobPUcgCffvdg9eDYd3 Gnj4vV2pxYW+HB
> > CuMAoKg32tl1hxMkE3aNR3qYS3+IwCdx
> > =n2Is
> > -----END PGP SIGNATURE-----
> > --
> > selinux mailing list
> > selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 08:22 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org