| 1 |
Hi list, |
| 2 |
|
| 3 |
I'm getting this SELinux AVC denial on my Gentoo |
| 4 |
(2007.0/amd64/no-multilib/PaX) installation at the time of login to the TTY. |
| 5 |
|
| 6 |
type=AVC msg=audit(1196966507.080:55): avc: denied { create } for pid=5858 |
| 7 |
comm="login" scontext=system_u:system_r:local_login_t |
| 8 |
tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket |
| 9 |
|
| 10 |
I'm not able to figure out the reason for this AVC denial. Any ideas, how to |
| 11 |
fix ? Shall I add a 'allow' rule or something is messed up. |
| 12 |
|
| 13 |
|
| 14 |
Another issue is regarding the LDPATH present in "/etc/env.d/04multilib" : |
| 15 |
|
| 16 |
LDPATH="/lib:/usr/lib:/usr/local/lib:/lib64:/usr/lib64:/usr/local/lib64" |
| 17 |
|
| 18 |
On AMD64 architecture, where /usr/lib is symlinked (tclass=lnk_file) |
| 19 |
to /usr/lib64, according to above rule: |
| 20 |
|
| 21 |
chatteau ~ $ ldd `which ls` |
| 22 |
librt.so.1 => /lib/librt.so.1 (0x00002b73875fe000) |
| 23 |
libselinux.so.1 => /lib/libselinux.so.1 (0x00002b7387807000) |
| 24 |
libc.so.6 => /lib/libc.so.6 (0x00002b7387a22000) |
| 25 |
libpthread.so.0 => /lib/libpthread.so.0 (0x00002b7387d60000) |
| 26 |
/lib64/ld-linux-x86-64.so.2 (0x00002b73873e3000) |
| 27 |
libdl.so.2 => /lib/libdl.so.2 (0x00002b7387f7b000) |
| 28 |
libsepol.so.1 => /lib/libsepol.so.1 (0x00002b738817f000) |
| 29 |
|
| 30 |
According to SELinux policy, only apps can load .so from 'file' class of |
| 31 |
object not 'lnk_file'. I'd issues with this few weeks ago, in previous Gentoo |
| 32 |
installation (which I wiped off after few days), which went, when I reordered |
| 33 |
LDPATH, with 'lib64' before corresponding 'lib'. So this needs to be fixed |
| 34 |
too. |
| 35 |
|
| 36 |
TIA |
| 37 |
-- |
| 38 |
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/ |
| 39 |
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- -- |
Archives