klogd_t problem

From: Trent Jaeger <jaegert_at_us.ibm.com>
Date: Thu, 17 Jan 2002 14:16:01 -0500


Hi,

My freshly installed SELinux system on RedHat 7.1 makes one complaint that I am having a little trouble figuring out how to fix.

avc: denied { read } for pid=475 exe=/sbin/klogd path=/System.map dev=03:01 ino=23 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:boot_t tclass:lnk_file

I think the problem is that /System.map can be a lnk_file (it is a file on my machine, but a link on our other SELinux machine). All domains can read files of type boot_t, but only initrc_t can read boot_t lnk_files. On the other hand, initrc_t transitions to klogd_t, so perhaps this permission is supposed to arrive in the transition.

Should the following be changed as follows, should System.map always be a file, or is there something else wrong?

old: allow domains boot_t:file r_file_perms;
to:  allow domains boot_t:{file lnk_file} r_file_perms;

Thanks,
Trent.



Trent Jaeger
IBM T.J. Watson Research Center
30 Saw Mill River Road
Hawthorne, NY 10532
jaegert@watson.ibm.com
(914) 784-7225, FAX (914) 784-7595
Received on Thu 17 Jan 2002 - 14:25:35 EST
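
Added example, not part of the original message or of the SELinux distribution: Python that parses denials in the format quoted above and emits the allow rule scoped to the denied domain only (here klogd_t), as opposed to the domains-wide rule proposed in the message. The function names and the second log line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the denial quoted in the message,
# line 2 is a made-up follow-up denial using the "tclass=" spelling.
SAMPLE_LOG = """\
avc: denied { read } for pid=475 exe=/sbin/klogd path=/System.map dev=03:01 ino=23 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:boot_t tclass:lnk_file
avc: denied { getattr } for pid=475 exe=/sbin/klogd path=/System.map dev=03:01 ino=23 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:boot_t tclass=lnk_file
kernel: unrelated line
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
# key/value fields; the quoted record has "tclass:lnk_file", so accept ':' too.
FIELD_RE = re.compile(r"(\w+)[=:](\S+)")


def parse_denial(line):
    """Return (source_type, target_type, tclass, perms), or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group(1).split())
    fields = dict(FIELD_RE.findall(m.group(2)))
    try:
        stype = fields["scontext"].split(":")[2]  # user:role:type
        ttype = fields["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return (stype, ttype, fields.get("tclass", "?"), perms)


def rules_from_log(text):
    """Merge denials into the narrowest allow rules that would cover them."""
    merged = defaultdict(set)
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            stype, ttype, tclass, perms = d
            merged[(stype, ttype, tclass)] |= perms
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == "__main__":
    print("\n".join(rules_from_log(SAMPLE_LOG)))
```
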
