Leonardo Vilela Pinheiro
2006-Aug-25 16:02 UTC
[CentOS] SELinux targeted - named, portmap and syslogd errors
Yesterday I activated SELinux in targeted mode, then I rebooted and started
receiving some error messages in the system services initialization:
=====================================================================
audit(1156518721.252:2): avc: denied { read } for pid=2223 comm="syslogd" name="libc-2.3.4.so" dev=dm-0 ino=50441 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file

audit(1156518721.280:5): avc: denied { append } for pid=2224 comm="syslogd" name="messages" dev=dm-3 ino=38 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file

audit(1156518721.757:7): avc: denied { read } for pid=2246 comm="portmap" name="libnsl-2.3.4.so" dev=dm-0 ino=48836 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file

audit(1156518728.009:10): avc: denied { read } for pid=2411 comm="named" name="liblwres.so.1.1.2" dev=dm-0 ino=462795 scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t tclass=file

audit(1156518728.032:13): avc: denied { read } for pid=2411 comm="named" name="libgssapi_krb5.so.2" dev=dm-0 ino=459694 scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t tclass=lnk_file
=====================================================================
The SELinux policies in use are the default from Centos packages (I haven't
changed anything). Surely these bind, portmap and syslogd packages came from
Centos base or updates.
bind-chroot is not installed. Bind seems to be working fine - as a cache and
as a nameserver - even with those errors.
Syslog also *seems* to be ok, as it keeps logging things in /var/log/, even
in /var/log/messages.
I don't use Portmap, but I have left it activated. Anyways, iptables blocks
it.
Any ideas on what is causing the problems and how to solve them?
Thanks
--
Vilela
Craig White
2006-Aug-25 16:17 UTC
[CentOS] SELinux targeted - named, portmap and syslogd errors
On Fri, 2006-08-25 at 13:02 -0300, Leonardo Vilela Pinheiro wrote:
> Yesterday I activated SELinux in targeted mode, then I rebooted and
> started receiving some error messages in the system services
> initialization:
>
> ======================================================================
> audit(1156518721.252:2): avc: denied { read } for pid=2223
> comm="syslogd" name="libc-2.3.4.so" dev=dm-0 ino=50441
> scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t
> tclass=file
>
> audit(1156518721.280:5): avc: denied { append } for pid=2224
> comm="syslogd" name="messages" dev=dm-3 ino=38
> scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t
> tclass=file
>
> audit(1156518721.757:7): avc: denied { read } for pid=2246
> comm="portmap" name="libnsl-2.3.4.so" dev=dm-0 ino=48836
> scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
> tclass=file
>
> audit(1156518728.009:10): avc: denied { read } for pid=2411
> comm="named" name="liblwres.so.1.1.2" dev=dm-0 ino=462795
> scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t
> tclass=file
>
> audit(1156518728.032:13): avc: denied { read } for pid=2411
> comm="named" name="libgssapi_krb5.so.2" dev=dm-0 ino=459694
> scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t
> tclass=lnk_file
> =====================================================================
>
> The SELinux policies in use are the default from Centos packages (I
> haven't changed anything). Surely this bind, portmap and syslogd
> packages came from Centos base or update.
>
> bind-chroot is not installed. Bind seems to be working fine - as a
> cache and as a nameserver - even with those errors.
>
> Syslog also *seems* to be ok, as it keeps logging things on /var/log/,
> even in /var/log/messages.
>
> I don't use Portmap, but I have left it activated. Anyways, iptables
> blocks it.
>
> Any ideas on what is causing the problems and how to solve it ?
> Thanks
----
official documentation...

http://www.centos.org/docs/4/html/rhel-selg-en-4/rhlcommon-section-0068.html#RHLCOMMON-SECTION-0069

There is one good method for relabeling the file system. You may also hear about two other methods, both of which are not recommended. Here they are in order:

1. The best and cleanest method to relabel is to let init do it for you on boot.

touch /.autorelabel
reboot

By allowing the relabeling to occur early in the reboot process, you ensure that applications have the right labels when they are started and that they are started in the right order. If you relabel a live file system without rebooting, you may have processes running under the incorrect context. Making sure all the daemons are restarted and running in the right context can be difficult.

2. It is possible to relabel a live file system using fixfiles, or to relabel based on the RPM database:

Craig
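The denials in the first post and the relabel advice in the reply fit together: every target context is `system_u:object_r:file_t`, the type an inode gets when the filesystem was written while SELinux was off and never labeled. Daemons are confined (syslogd_t, portmap_t, named_t) but the objects they touch carry no real label, so the fix is a relabel, not a policy change. The following triage script is an added example, not code from either poster or from the CentOS documentation. It parses `avc: denied` lines of the form shown above and separates denials whose target is unlabeled (file_t, or unlabeled_t on later policies) from denials against properly labeled objects, which are genuine policy decisions. The sample log is constructed: the five denials from the post, plus one invented httpd-to-port_t denial so the second category is exercised. Function names are my own.

```shell
#!/bin/sh
# Constructed sample log: the five AVC denials from the post (one per line, as
# they appear in /var/log/messages on CentOS 4) plus one invented denial whose
# target (port_t) is properly labeled, so the script has to tell the two apart.
SAMPLE_AVC='audit(1156518721.252:2): avc: denied { read } for pid=2223 comm="syslogd" name="libc-2.3.4.so" dev=dm-0 ino=50441 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
audit(1156518721.280:5): avc: denied { append } for pid=2224 comm="syslogd" name="messages" dev=dm-3 ino=38 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
audit(1156518721.757:7): avc: denied { read } for pid=2246 comm="portmap" name="libnsl-2.3.4.so" dev=dm-0 ino=48836 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
audit(1156518728.009:10): avc: denied { read } for pid=2411 comm="named" name="liblwres.so.1.1.2" dev=dm-0 ino=462795 scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t tclass=file
audit(1156518728.032:13): avc: denied { read } for pid=2411 comm="named" name="libgssapi_krb5.so.2" dev=dm-0 ino=459694 scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t tclass=lnk_file
audit(1156518730.100:15): avc: denied { name_bind } for pid=2500 comm="httpd" src=8081 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket'

# avc_classify LOGTEXT
# Prints one line per denial: <verdict> <comm> <perm> <tclass> <name-or-dash>
#   relabel : target type is file_t (or unlabeled_t on newer policies), i.e.
#             the object never received a label; fix by relabeling the fs.
#   policy  : target is labeled; the loaded policy really forbids the access.
# The type is the third colon-separated field of tcontext, which also works
# for MLS contexts such as system_u:object_r:file_t:s0.
avc_classify() {
    printf '%s\n' "$1" | awk '
        /avc: *denied/ {
            perm = ""; comm = ""; tclass = ""; name = "-"; ttype = "";
            # permissions sit between { and }, possibly several
            if (match($0, /[{][^}]*[}]/)) {
                perm = substr($0, RSTART, RLENGTH);
                gsub(/[{}]/, "", perm);
                gsub(/^ +| +$/, "", perm);
                gsub(/ +/, ",", perm);
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=");
                if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm); }
                if (kv[1] == "name")     { name = kv[2]; gsub(/"/, "", name); }
                if (kv[1] == "tclass")   { tclass = kv[2]; }
                if (kv[1] == "tcontext") { split(kv[2], ctx, ":"); ttype = ctx[3]; }
            }
            verdict = (ttype == "file_t" || ttype == "unlabeled_t") ? "relabel" : "policy";
            print verdict, comm, perm, tclass, name;
        }'
}

# avc_relabel_needed LOGTEXT
# Number of denials that a filesystem relabel would resolve.
avc_relabel_needed() {
    avc_classify "$1" | awk '$1 == "relabel" { n++ } END { print n + 0 }'
}

# Run on the constructed sample and print operator-facing advice.
echo "== classification =="
avc_classify "$SAMPLE_AVC"
n=$(avc_relabel_needed "$SAMPLE_AVC")
if [ "$n" -gt 0 ]; then
    echo "$n denial(s) hit unlabeled objects: relabel with 'touch /.autorelabel' and reboot"
else
    echo "no unlabeled objects: these are real policy denials, review them before allowing anything"
fi
```

Running this on a real box would be `avc_classify "$(grep 'avc: *denied' /var/log/messages)"` (or the audit log, where auditd is in use). The point of the verdict column is to avoid the reflex of feeding every denial to a policy-generating tool: a denial against file_t should never be "allowed", because the right label will appear after the relabel and the policy already permits syslogd_t to append to the correctly labeled /var/log/messages.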