[CentOS] SELinux targeted - named, portmap and syslogd errors
Craig White
craigwhite at azapple.com
Fri Aug 25 16:17:26 UTC 2006
On Fri, 2006-08-25 at 13:02 -0300, Leonardo Vilela Pinheiro wrote:
> Yesterday I activated SELinux in targeted mode, then I rebooted and
> started receiving some error messages in the system services
> initialization:
>
> ======================================================================
> audit(1156518721.252:2): avc: denied { read } for pid=2223
> comm="syslogd" name="libc-2.3.4.so" dev=dm-0 ino=50441
> scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t
> tclass=file
>
> audit(1156518721.280:5): avc: denied { append } for pid=2224
> comm="syslogd" name="messages" dev=dm-3 ino=38
> scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t
> tclass=file
>
> audit(1156518721.757:7): avc: denied { read } for pid=2246
> comm="portmap" name="libnsl-2.3.4.so" dev=dm-0 ino=48836
> scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
> tclass=file
>
> audit(1156518728.009:10): avc: denied { read } for pid=2411
> comm="named" name="liblwres.so.1.1.2" dev=dm-0 ino=462795
> scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t
> tclass=file
>
> audit(1156518728.032:13): avc: denied { read } for pid=2411
> comm="named" name="libgssapi_krb5.so.2" dev=dm-0 ino=459694
> scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t
> tclass=lnk_file
> ======================================================================
>
> The SELinux policies in use are the default from Centos packages (I
> haven't changed anything). Surely this bind, portmap and syslogd
> packages came from Centos base or update.
>
> bind-chroot is not installed. Bind seems to be working fine - as a
> cache and as a nameserver - even with those errors.
>
> Syslog also *seems* to be ok, as it keeps logging things on /var/log/,
> even in /var/log/messages.
>
> I don't use Portmap, but I have left it activated. Anyways, iptables
> blocks it.
>
> Any ideas on what is causing the problems and how to solve it ?
> Thanks
----
official documentation...
http://www.centos.org/docs/4/html/rhel-selg-en-4/rhlcommon-section-0068.html#RHLCOMMON-SECTION-0069
There is one good method for relabeling the file system. You may also
hear about two other methods, both of which are not recommended. Here
they are in order:
1. The best and cleanest method to relabel is to let init do it for
you on boot.
touch /.autorelabel
reboot
By allowing the relabeling to occur early in the reboot process,
you ensure that applications have the right labels when they are
started and that they are started in the right order. If you
relabel a live file system without rebooting, you may have
processes running under the incorrect context. Making sure all
the daemons are restarted and running in the right context can
be difficult.
2. It is possible to relabel a live file system using fixfiles, or
to relabel based on the RPM database:
Craig
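The denials quoted above all share one feature: the target context is `system_u:object_r:file_t`, the type a file carries when it has never been labeled, which is why a full relabel (the `/.autorelabel` method in the documentation Craig points to) is the fix rather than a policy change. The script below is an added example, not code from the thread or from CentOS: it parses `avc: denied` lines, separates denials caused by unlabeled files from denials a correctly labeled file still produces, and names the matching remedy. The five sample lines are the ones from the thread; the sixth (an `httpd_t` denial against `httpd_sys_content_t`) is constructed to show the other branch. Treating `unlabeled_t` as a second "no label" type is an assumption of this example.

```python
import re

# Constructed sample log: the first five lines are the denials quoted in the
# thread, the last one is a made-up denial against a correctly labeled file.
SAMPLE_AVC_LOG = """\
audit(1156518721.252:2): avc: denied { read } for pid=2223 comm="syslogd" name="libc-2.3.4.so" dev=dm-0 ino=50441 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
audit(1156518721.280:5): avc: denied { append } for pid=2224 comm="syslogd" name="messages" dev=dm-3 ino=38 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
audit(1156518721.757:7): avc: denied { read } for pid=2246 comm="portmap" name="libnsl-2.3.4.so" dev=dm-0 ino=48836 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
audit(1156518728.009:10): avc: denied { read } for pid=2411 comm="named" name="liblwres.so.1.1.2" dev=dm-0 ino=462795 scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t tclass=file
audit(1156518728.032:13): avc: denied { read } for pid=2411 comm="named" name="libgssapi_krb5.so.2" dev=dm-0 ino=459694 scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t tclass=lnk_file
audit(1156518730.100:15): avc: denied { write } for pid=2500 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
"""

# "avc: denied { perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean "this object carries no label" (assumption: unlabeled_t
# is included alongside the file_t seen in the thread).
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def classify(rec):
    """'unlabeled' if the target has no label (a relabel fixes it), else 'policy'."""
    if context_type(rec["tcontext"]) in UNLABELED_TYPES:
        return "unlabeled"
    return "policy"


def analyze(log_text):
    """Group every AVC denial in the text by its cause."""
    summary = {"unlabeled": [], "policy": []}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            summary[classify(rec)].append(rec)
    return summary


def daemons_hit(summary, cause):
    """Sorted list of process names that produced denials of the given cause."""
    return sorted({rec["comm"] for rec in summary[cause]})


def recommendation(summary):
    """Map the dominant cause to the remedy: relabel for unlabeled files, policy review otherwise."""
    if summary["unlabeled"]:
        return "touch /.autorelabel && reboot"
    if summary["policy"]:
        return "review the denial against the loaded policy (e.g. audit2allow)"
    return "no AVC denials found"


if __name__ == "__main__":
    result = analyze(SAMPLE_AVC_LOG)
    for cause in ("unlabeled", "policy"):
        print(f"{cause}: {len(result[cause])} denial(s) from {daemons_hit(result, cause)}")
    print("recommended action:", recommendation(result))
```

Run against a real system, the input would be the `avc:` lines from `dmesg` or `/var/log/audit/audit.log`; the point of the split is that a relabel is only the right answer when the target type is an unlabeled one, whereas a denial against a properly typed file means the policy itself disallows the access and a relabel will not change the outcome.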