When installing a policy rpm, one cannot log the install activity w/o
generating avc errors. For example:
rpm -i lsb-ft-asn-selinux > /var/log/rpm-update.log
produces the following violation:
type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59 success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0 ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon" exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1219774608.030:789): avc: denied { write } for pid=2875 comm="restorecon" path="/var/log/rpm-update.log" dev=md2 ino=2694055 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_log_t:s0 tclass=file
The problem seems to stem from recording the %post script's attempts to
relabel files affected by the policy, specifically:
/sbin/restorecon -F -R -v /opt/ft/sbin/sra_alarm;
/sbin/restorecon -F -R -v /etc/opt/ft/asn;
/sbin/restorecon -F -R -v /var/opt/ft/asn;
/sbin/restorecon -F -R -v /var/opt/ft/log;
Is there any way to preserve the logging w/o disabling selinux for the
duration of the install?
FWIW, the rpm commands are executed from a bash script.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list