[CentOS] SELinux targeted - named, portmap and syslogd errors

Fri Aug 25 16:17:26 UTC 2006
Craig White <craigwhite at azapple.com>

On Fri, 2006-08-25 at 13:02 -0300, Leonardo Vilela Pinheiro wrote:
> Yesterday I activated SELinux in targeted mode, then I rebooted and
> started receiving some error messages in the system services
> initialization:
> 
> ====================================================================== 
> audit(1156518721.252:2): avc:  denied  { read } for  pid=2223
> comm="syslogd" name="libc-2.3.4.so" dev=dm-0 ino=50441
> scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t
> tclass=file 
> 
> audit(1156518721.280:5): avc:  denied  { append } for  pid=2224
> comm="syslogd" name="messages" dev=dm-3 ino=38
> scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t
> tclass=file 
> 
> audit(1156518721.757:7): avc:  denied  { read } for  pid=2246
> comm="portmap" name="libnsl-2.3.4.so" dev=dm-0 ino=48836
> scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
> tclass=file 
> 
> audit(1156518728.009:10): avc:  denied  { read } for  pid=2411
> comm="named" name="liblwres.so.1.1.2" dev=dm-0 ino=462795
> scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t
> tclass=file 
> 
> audit(1156518728.032:13): avc:  denied  { read } for  pid=2411
> comm="named" name="libgssapi_krb5.so.2" dev=dm-0 ino=459694
> scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t
> tclass=lnk_file 
> ======================================================================
> 
> The SELinux policies in use are the default from Centos packages (I
> haven't changed anything). Surely these bind, portmap and syslogd
> packages came from Centos base or updates. 
> 
> bind-chroot is not installed. Bind seems to be working fine - as a
> cache and as a nameserver - even with those errors.
> 
> Syslog also *seems* to be ok, as it keeps logging things on /var/log/,
> even in /var/log/messages. 
> 
> I don't use Portmap, but I have left it activated. Anyways, iptables
> blocks it.
> 
> Any ideas on what is causing the problems and how to solve them?
> Thanks
----
official documentation...

http://www.centos.org/docs/4/html/rhel-selg-en-4/rhlcommon-section-0068.html#RHLCOMMON-SECTION-0069

There is one good method for relabeling the file system. You may also
hear about two other methods, both of which are not recommended. Here
they are in order: 

     1. The best and cleanest method to relabel is to let init do it for
        you on boot. 
        
        touch /.autorelabel
        reboot
        
        By allowing the relabeling to occur early in the reboot process,
        you ensure that applications have the right labels when they are
        started and that they are started in the right order. If you
        relabel a live file system without rebooting, you may have
        processes running under the incorrect context. Making sure all
        the daemons are restarted and running in the right context can
        be difficult. 
        
     2. It is possible to relabel a live file system using fixfiles, or
        to relabel based on the RPM database: 
        
        Craig
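The pattern in the denials Leonardo posted is that every target carries the type `file_t` (in later policies the equivalent is `unlabeled_t`): the files simply have no SELinux label, which is why the relabel documentation above is the answer rather than any policy change. The following script is an added example, not code from the thread or from the CentOS documentation; it re-joins the wrapped AVC lines as they appear in the mail archive, parses them, and separates "unlabeled target, relabel the filesystem" denials from genuine policy denials. The first three records are the post's own; the fourth (a `named_conf_t` target with a fabricated pid and inode) is constructed to show the other branch.

```python
import re
from dataclasses import dataclass

# Sample input. Records 1-3 are copied from the post above, wrapped exactly
# as the mail archive shows them. Record 4 is CONSTRUCTED for this example
# (fake pid/ino/serial) to show a denial against a properly labeled target.
SAMPLE_AVC_LOG = """\
audit(1156518721.252:2): avc:  denied  { read } for  pid=2223
comm="syslogd" name="libc-2.3.4.so" dev=dm-0 ino=50441
scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t
tclass=file

audit(1156518721.280:5): avc:  denied  { append } for  pid=2224
comm="syslogd" name="messages" dev=dm-3 ino=38
scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t
tclass=file

audit(1156518728.032:13): avc:  denied  { read } for  pid=2411
comm="named" name="libgssapi_krb5.so.2" dev=dm-0 ino=459694
scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t
tclass=lnk_file

audit(1156518800.000:20): avc:  denied  { write } for  pid=9999
comm="named" name="named.conf" dev=dm-0 ino=1
scontext=user_u:system_r:named_t tcontext=system_u:object_r:named_conf_t
tclass=file
"""

# Types that mean "this object has no label at all" rather than "the policy
# forbids this access". file_t is the RHEL4/CentOS4-era name; unlabeled_t is
# the name used by later reference-policy releases.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (comm="named") or bare (ino=38)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    timestamp: float
    serial: int
    permissions: tuple
    fields: dict


def join_records(text):
    """Yield one logical record per 'audit(' line, re-joining wrapped lines."""
    current = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("audit(") and current:
            yield " ".join(current)
            current = []
        current.append(line)
    if current:
        yield " ".join(current)


def parse_avc(record):
    """Parse one joined AVC record; return None for lines that are not denials."""
    m = AVC_RE.match(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        permissions=tuple(m.group("perms").split()),
        fields=fields,
    )


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def classify(denial):
    """Unlabeled target => relabel; anything else is a real policy decision."""
    if context_type(denial.fields.get("tcontext", "")) in UNLABELED_TYPES:
        return "unlabeled-target"
    return "policy-denial"


def summarize(text):
    """Count denials per source domain, split by whether the target is unlabeled."""
    report = {"unlabeled-target": {}, "policy-denial": {}}
    for record in join_records(text):
        denial = parse_avc(record)
        if denial is None:
            continue
        domain = context_type(denial.fields.get("scontext", ""))
        bucket = report[classify(denial)]
        bucket[domain] = bucket.get(domain, 0) + 1
    return report


def advice(report):
    """Turn the summary into the action the thread recommends."""
    if report["unlabeled-target"]:
        # Method 1 from the documentation quoted above: let init relabel at boot.
        return "filesystem is unlabeled: touch /.autorelabel && reboot"
    return "targets are labeled: inspect the policy, not the labels"


if __name__ == "__main__":
    summary = summarize(SAMPLE_AVC_LOG)
    for kind, domains in summary.items():
        print(kind, domains)
    print(advice(summary))
```

Run against the sample, the three original records land in the unlabeled bucket (two for `syslogd_t`, one for `named_t`) and only the constructed record is a policy denial, which is exactly the split a defender wants before deciding between a relabel and an audit of the policy itself.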