selinux December 2011

selinux@lists.fedoraproject.org

15 participants
14 discussions

Long Boot times
by Arthur Dent 06 Dec '11

06 Dec '11

Hello all, I have just upgraded my F14 desktop system to F16 (fresh install with /home partition maintained from previous Fedora install and some config files copied across). Now about 50% of boot times are acceptable (sub 1 minute even with a 5s grub delay) and others take around 2 minutes with a rather alarming black screen for much of that time. I have no idea if this is caused by SEL, but when i look at dmesg for the "slow" boots it shows this at the very end: ===============8<==================================== [root@localhost ~]# dmesg [ snip ] [ 32.248789] e1000e 0000:00:19.0: em1: 10/100 speed: disabling TSO [ 32.248955] ADDRCONF(NETDEV_CHANGE): em1: link becomes ready [ 42.354015] em1: no IPv6 routers present [ 90.858903] SELinux: initialized (dev 0:21, type nfs4), uses genfs_contexts [ 90.863622] SELinux: initialized (dev 0:22, type nfs4), uses genfs_contexts [ 90.867429] SELinux: initialized (dev 0:23, type nfs4), uses genfs_contexts [ 90.868787] SELinux: initialized (dev 0:24, type nfs4), uses genfs_contexts [ 90.872920] SELinux: initialized (dev 0:22, type nfs4), uses genfs_contexts [ 90.877188] SELinux: initialized (dev 0:25, type nfs4), uses genfs_contexts [ 90.878883] mount[998]: mount.nfs: /mnt/NFSmark is busy or already mounted [ 90.887451] SELinux: initialized (dev 0:22, type nfs4), uses genfs_contexts [ 90.927896] SELinux: initialized (dev 0:21, type nfs4), uses genfs_contexts [ 90.932400] SELinux: initialized (dev 0:22, type nfs4), uses genfs_contexts [ 92.714872] [drm:drm_debugfs_create_files] *ERROR* Cannot create /sys/kernel/debug/dri/channel\xfffffff0i\xffffff80]\xffffffc0\x03/3 [ 95.940096] [drm:drm_debugfs_create_files] *ERROR* Cannot create /sys/kernel/debug/dri/channel\xffffffe9i\xffffff80]\xffffffc0\x03/3 [root@localhost ~]# ===============8<==================================== On the successful boots dmesg ends with the "no IPv6 routers present" line at around 44s. Is this even anything to do with SEL? Even if it isn't, can any of the gurus here suggest how to proceed towards fixing it? I originally thought that this was a NFS mounting problem and posted a thread in the Fedora Users list as can be seen here: http://lists.fedoraproject.org/pipermail/users/2011-December/409137.html but I now think that that was a red-herring. Thanks in advance for any help or suggestions... Mark

3 2

F16/proftpd/systemd
by Paul Howarth 05 Dec '11

05 Dec '11

I have these AVCs when logging in to proftpd on F16 using PAM/sssd with an LDAP backend: type=AVC msg=audit(1323102469.514:6174): avc: denied { search } for pid=30199 comm="systemd-logind" name="3503" dev=proc ino=80549480 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=dir type=AVC msg=audit(1323102469.514:6174): avc: denied { read } for pid=30199 comm="systemd-logind" name="sessionid" dev=proc ino=80550003 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file type=AVC msg=audit(1323102469.514:6174): avc: denied { open } for pid=30199 comm="systemd-logind" name="sessionid" dev=proc ino=80550003 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file type=SYSCALL msg=audit(1323102469.514:6174): arch=c000003e syscall=2 success=yes exit=11 a0=15d3f00 a1=80000 a2=1b6 a3=39 items=0 ppid=1 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe=2F6C69622F73797374656D642F73797374656D642D6C6F67696E64202864656C6574656429 subj=system_u:system_r:systemd_logind_t:s0 key=(null) type=AVC msg=audit(1323102469.515:6175): avc: denied { getattr } for pid=30199 comm="systemd-logind" path="/proc/3503/sessionid" dev=proc ino=80550003 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file type=SYSCALL msg=audit(1323102469.515:6175): arch=c000003e syscall=5 success=yes exit=0 a0=b a1=7fffe3b39190 a2=7fffe3b39190 a3=39 items=0 ppid=1 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe=2F6C69622F73797374656D642F73797374656D642D6C6F67696E64202864656C6574656429 subj=system_u:system_r:systemd_logind_t:s0 key=(null) type=AVC msg=audit(1323102564.051:6184): avc: denied { search } for pid=30199 comm="systemd-logind" name="3630" dev=proc ino=80551904 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=dir type=AVC msg=audit(1323102564.051:6184): avc: denied { read } for pid=30199 comm="systemd-logind" name="sessionid" dev=proc ino=80551906 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file type=AVC msg=audit(1323102564.051:6184): avc: denied { open } for pid=30199 comm="systemd-logind" name="sessionid" dev=proc ino=80551906 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file type=SYSCALL msg=audit(1323102564.051:6184): arch=c000003e syscall=2 success=yes exit=11 a0=15d3fd0 a1=80000 a2=1b6 a3=39 items=0 ppid=1 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe=2F6C69622F73797374656D642F73797374656D642D6C6F67696E64202864656C6574656429 subj=system_u:system_r:systemd_logind_t:s0 key=(null) type=AVC msg=audit(1323102564.051:6185): avc: denied { getattr } for pid=30199 comm="systemd-logind" path="/proc/3630/sessionid" dev=proc ino=80551906 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file type=SYSCALL msg=audit(1323102564.051:6185): arch=c000003e syscall=5 success=yes exit=0 a0=b a1=7fffe3b39190 a2=7fffe3b39190 a3=39 items=0 ppid=1 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe=2F6C69622F73797374656D642F73797374656D642D6C6F67696E64202864656C6574656429 subj=system_u:system_r:systemd_logind_t:s0 key=(null) audit2allow -R suggests: ftp_systemctl(systemd_logind_t) Does that look reasonable? I looked at the interface in git but the comment text appears to have been copy-and-pasted from another interface without being edited. Paul.

2 1

Boolean to permit guest_u access
by Konstantin Ryabitsev 01 Dec '11

01 Dec '11

Hi, all: I have the following in my .te file: optional_policy(` gen_require(` type guest_t; role guest_r; ') my_app_run(guest_t, guest_r) ') But really, I'd like to make it a boolean that an admin can toggle -- I'm not really keen on allowing guest_u to use this application by default. Something like: tunable_policy(`allow_guest_myapp_exec'); How would I combine tunable_policy with optional_policy? Best, -- Konstantin Ryabitsev Systems Administrator The Linux Foundation Montréal, Québec

3 2

SELinux policy for both Enterprise Linux 5 and 6
by Brian Ginn 01 Dec '11

01 Dec '11

I have SELinux policy that is compiled on Red Hat Enterprise Linux 5. This policy fails to install on Red Hat Enterprise Linux 6 with the following message: libsepol.print_missing_requirements: pbrun's global requirements were not met: type/attribute system_chkpwd_t (No such file or directory). Is there a way to write SELinux policy so that It can be compiled on v 5.x and will run on 6.x ? Thanks, Brian

3 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux December 2011