* 2.6.0-test6 login/avc denied
@ 2003-10-10 17:29 Carlos Anísio Monteiro
  2003-10-10 17:53 ` Stephen Smalley
  0 siblings, 1 reply; 2+ messages in thread
From: Carlos Anísio Monteiro @ 2003-10-10 17:29 UTC (permalink / raw)
  To: selinux

1) At every login to the system, it requests the role and the type.

2) Messages: AVC: denied "make relabel" command was running. But, messages continue.

How do I resolve this?

Forgive me my English!

C. Anisio Monteiro



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: 2.6.0-test6 login/avc denied
  2003-10-10 17:29 2.6.0-test6 login/avc denied Carlos Anísio Monteiro
@ 2003-10-10 17:53 ` Stephen Smalley
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2003-10-10 17:53 UTC (permalink / raw)
  To: Carlos Anísio Monteiro; +Cc: selinux

On Fri, 2003-10-10 at 13:29, Carlos Anísio Monteiro wrote:
> 1) At every login to the system, it requests the role and the type.

This just indicates that /bin/login hasn't been labeled yet, so the
login process is not running in the correct domain and it cannot
automatically determine a default domain for the user (since no user
domains are reachable from the domain in which it is running).  I have
an experimental patch to provide a failsafe context so that login, sshd,
and gdm will fall back to a failsafe context (typically
sysadm_r:sysadm_t, but configurable) if security_compute_user returns an
empty list.  

> 2) Messages: AVC: denied "make relabel" command was running. But, messages 
> continue.

These messages are ok; they just reflect the fact that the kernel would
deny the access if it was in enforcing mode (but you are presumably in
permissive mode at this point, since you haven't labeled the filesystem
yet).  See the discussion of the Development Support option and
permissive mode in the README.

> How do I resolve this?

You need to let the relabeling finish, and then reboot the SELinux
kernel again, as per the README.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

