Hello all,
I got an avc the other day that made me suspect that I might have labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel; reboot"
The avc turned out to be unrelated to this, but I was a little surprised to see the following errors during the relabelling process:
SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
Should I be concerned?
Thanks for any suggestions...
Mark
p.s.
Latest yum log entries:
[root@localhost ~]# cat /var/log/yum.log | grep -i selinux
Aug 08 21:05:15 Updated: selinux-policy-3.6.12-69.fc11.noarch
Aug 08 21:08:51 Updated: selinux-policy-targeted-3.6.12-69.fc11.noarch
Aug 12 13:28:30 Updated: selinux-policy-3.6.12-72.fc11.noarch
Aug 12 13:29:05 Updated: selinux-policy-targeted-3.6.12-72.fc11.noarch
Aug 22 10:31:50 Updated: selinux-policy-3.6.12-78.fc11.noarch
Aug 22 10:32:25 Updated: selinux-policy-targeted-3.6.12-78.fc11.noarch
Aug 29 16:17:14 Updated: selinux-policy-3.6.12-80.fc11.noarch
Aug 29 16:17:48 Updated: selinux-policy-targeted-3.6.12-80.fc11.noarch
Sep 07 18:20:34 Updated: selinux-policy-3.6.12-81.fc11.noarch
Sep 07 18:21:09 Updated: selinux-policy-targeted-3.6.12-81.fc11.noarch
Sep 12 09:31:35 Updated: selinux-policy-3.6.12-82.fc11.noarch
Sep 12 09:32:08 Updated: selinux-policy-targeted-3.6.12-82.fc11.noarch
Oct 01 19:43:02 Updated: selinux-policy-3.6.12-83.fc11.noarch
Oct 01 19:43:35 Updated: selinux-policy-targeted-3.6.12-83.fc11.noarch
Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch
On Sun, Oct 25, 2009 at 13:01:49 +0000, Arthur Dent misc.lists@blueyonder.co.uk wrote:
I got an avc the other day that made me suspect that I might have labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel; reboot"
Should I be concerned?
Generally it is a good idea to switch to permissive mode for a full relabel. Otherwise you might not be permitted to make the changes. Normally that won't be a problem after minor updates, but if things are to the point where you want to do a full relabel, it's generally simpler to make sure it will do all of the work needed rather than have to manually deal with the odd case here and there.
On Sun, 2009-10-25 at 12:37 -0500, Bruno Wolff III wrote:
Generally it is a good idea to switch to permissive mode for a full relabel. Otherwise you might not be permitted to make the changes. Normally that won't be a problem after minor updates, but if things are to the point where you want to do a full relabel, it's generally simpler to make sure it will do all of the work needed rather than have to manually deal with the odd case here and there.
Thank you - but I'm not sure I fully understand what you're saying. Do you mean that if I had first switched to permissive mode, that those errors would not have occurred?
Surely if a particular context is "not valid" there is nothing a relabel can do - permissive mode or otherwise? Or have I misunderstood?
My question was really: a) How have I ended up with all of those invalid contexts? and b) Given that, as far as I can tell, most things seem to work - should I be concerned about these error messages?
Thanks
Mark
On Sun, Oct 25, 2009 at 20:37:40 +0000, Arthur Dent misc.lists@blueyonder.co.uk wrote:
Thank you - but I'm not sure I fully understand what you're saying. Do you mean that if I had first switched to permissive mode, that those errors would not have occurred?
Yes.
Surely if a particular context is "not valid" there is nothing a relabel can do - permissive mode or otherwise? Or have I misunderstood?
It's not that the context is valid, but that you may not have permission to make the changes.
My question was really: a) How have I ended up with all of those invalid contexts? and
It might be just changes in labels from previous versions of the policy. Normally the changes get made during updates.
b) Given that, as far as I can tell, most things seem to work - should I be concerned about these error messages?
Having things mislabelled can cause problems. You can either do a full relabel or use restorecon to fix them. Since you seem to know which ones did not get relabelled you can do a targeted relabelling with restorecon instead of checking every file on your system.
On 10/25/2009 09:01 AM, Arthur Dent wrote:
Hello all,
I got an avc the other day that made me suspect that I might have labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel; reboot"
Should I be concerned?
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This looks like a mismatch of policy and labels on disk.
*_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these.
So relabeling is probably a good idea.
gamin_exec_t has disappeared.
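The triage suggested in the replies above, as an added example that is not from any poster: it pulls the unique unmapped types out of kernel messages like those quoted, records the enforcing mode reported by the type=1404 audit records, applies the *_script_exec_t to *_initrc_exec_t rename described above, and looks up which file_contexts entries carry a given type. The function names and the sample file_contexts lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage "left unmapped" kernel messages like those in this thread.

# Sample input abridged from the log quoted in the thread; one line is
# repeated on purpose to exercise de-duplication.
sample_log() {
cat <<'EOF'
SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
EOF
}

# Constructed file_contexts-style lines: path regex, file type, context.
sample_file_contexts() {
cat <<'EOF'
/etc/rc\.d/init\.d/httpd -- system_u:object_r:httpd_initrc_exec_t:s0
/etc/rc\.d/init\.d/ppp -- system_u:object_r:pppd_initrc_exec_t:s0
/usr/sbin/httpd -- system_u:object_r:httpd_exec_t:s0
EOF
}

# Read kernel/audit messages on stdin. For each distinct unmapped type print:
#   <type> <mode when first seen> <renamed type, or "-" if no rename applies>
# type=1404 audit records (AUDIT_MAC_STATUS) carry the enforcing-mode changes.
unmapped_report() {
    awk '
    BEGIN { mode = "unknown" }
    /type=1404 / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^enforcing=/)
                mode = ($i == "enforcing=1") ? "enforcing" : "permissive"
        next
    }
    /SELinux: Context .* is not valid \(left unmapped\)/ {
        ctx = ""
        # Tolerate syslog or timestamp prefixes: locate the token after "Context".
        for (i = 1; i < NF; i++)
            if ($i == "Context") { ctx = $(i + 1); break }
        n = split(ctx, f, ":")          # user:role:type[:level]
        if (n < 3 || (f[3] in seen)) next
        seen[f[3]] = 1
        repl = "-"
        if (f[3] ~ /_script_exec_t$/) {
            repl = f[3]
            sub(/_script_exec_t$/, "_initrc_exec_t", repl)
        }
        print f[3], mode, repl
    }'
}

# paths_for_type <type> <file_contexts file>
# Print the path regex of every entry whose context carries <type>.
paths_for_type() {
    awk -v t="$1" '{
        n = split($NF, f, ":")
        if (n >= 3 && f[3] == t) print $1
    }' "$2"
}

# Demo on the embedded sample.
sample_log | unmapped_report
```

On a live system, pipe `dmesg` into `unmapped_report` and give `paths_for_type` the installed policy's file_contexts file; running `restorecon -n -v` on the matching paths then shows what would be relabelled without changing anything.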
On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:
This looks like a mismatch of policy and labels on disk.
*_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these.
So relabeling is probably a good idea.
gamin_exec_t has disappeared.
OK - I finally got round to doing another relabel - this time in permissive mode (I wanted to watch for error messages and couldn't face the thought of sitting watching little asterisks march across the screen until today).
Unfortunately I get exactly the same messages during the relabelling process:
SELinux: initialized (dev sdb6, type ext3), uses xattr
SELinux: initialized (dev sdb11, type vfat), uses genfs_contexts
SELinux: initialized (dev sdb12, type vfat), uses genfs_contexts
fuse init (API version 7.11)
SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
So now I'm not sure what to do - just ignore it and wait until I rebuild with Fedora 12 - or do something now?
Thanks for any advice...
Mark
On 10/28/2009 05:38 AM, Arthur Dent wrote:
OK - I finally got round to doing another relabel - this time in permissive mode (I wanted to watch for error messages and couldn't face the thought of sitting watching little asterisks march across the screen until today).
So now I'm not sure what to do - just ignore it and wait until I rebuild with Fedora 12 - or do something now?
If you do a load_policy do you see these messages?
What version of policy and which version of the OS are you using?
Tgtd is an iSCSI target daemon for Linux. It's eventually going to also do FCoE but currently doesn't.
Here's my policy for it. It needs some cleanup and I've not tested it with proper fixed disk devices. I assume the kernel actually does most of the read/write of the devices itself so the block device access I've given the daemon is minimal.
Any feedback appreciated.
On 10/28/2009 09:28 AM, Matthew Ife wrote:
Tgtd is an iSCSI target daemon for Linux. It's eventually going to also do FCoE but currently doesn't.
Here's my policy for it. It needs some cleanup and I've not tested it with proper fixed disk devices. I assume the kernel actually does most of the read/write of the devices itself so the block device access I've given the daemon is minimal.
Any feedback appreciated.
Better off sending policy to the refpolicy list refpolicy@oss.tresys.com
On Wed, 2009-10-28 at 09:43 -0400, Daniel J Walsh wrote:
Better off sending policy to the refpolicy list
Done
On 10/28/2009 09:49 AM, Matthew Ife wrote:
Done
Here are my fixes for your policy.
On Wed, 2009-10-28 at 13:28 +0000, Matthew Ife wrote:
I attached my version of the policy.
Tgtd is an iSCSI target daemon for Linux. It's eventually going to also do FCoE but currently doesn't.
Here's my policy for it. It needs some cleanup and I've not tested it with proper fixed disk devices. I assume the kernel actually does most of the read/write of the devices itself so the block device access I've given the daemon is minimal.
Any feedback appreciated.
On Wed, 2009-10-28 at 08:50 -0400, Daniel J Walsh wrote:
If you do a load_policy do you see these messages?
What version of policy and which version of the OS are you using?
Hi Daniel,
Thanks for helping...
If you look a little further up this thread you will see that I am using Fedora 11 and...
Latest yum log entries:
[root@localhost ~]# cat /var/log/yum.log | grep -i selinux
Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch
I have not come across "load_policy" before. I just typed "load_policy" on the command line (as root) and got no errors and no feedback at all.
From reading the man page for load_policy I presume that this means exit status 0 - and therefore that all is well with the command?
What next?
Thanks for the help so far...
Mark
On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:
This looks like a mismatch of policy and labels on disk.
*_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these.
So relabeling is probably a good idea.
gamin_exec_t has disappeared.
I guess now reboot and see if you see these errors.
Do you mean just reboot, or touch /.autorelabel; reboot ?
Just reboot.
No errors listed (nothing in dmesg) after a reboot. Do I try a relabel again now?
I think you will be fine. You could execute
restorecon -R -v /etc/init.d
And see if it reports anything.
Well that reports nothing...
So I think I'll leave it at that, and just wait until I'm ready to rebuild with F12 (probably around Xmas time).
I feel reassured now. Thanks for all your help!
Best regards
Mark
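Added example (not part of the original thread and not Fedora's own tooling): a shell helper that pulls the unmapped types out of kernel log text like the lines quoted in this thread and applies the *_script_exec_t to *_initrc_exec_t rename described above. The function names and the sample log are constructed for illustration.

```shell
#!/bin/bash
# Added example: triage "left unmapped" contexts from kernel log text.
# Function names and the sample log are constructed for illustration.

# Constructed sample in the message format quoted in this thread.
# The fourth line carries two messages run together, as in the archived mail.
sample_log() {
cat <<'EOF'
SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped). SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
EOF
}

# Read log text on stdin and print each unmapped type once.
# grep -o copes with several messages on one physical line; the type is
# the third colon-separated field of the context (user:role:type:level).
unmapped_types() {
    grep -o 'SELinux: Context [^ ]* is not valid (left unmapped)' \
        | awk '{ split($3, c, ":"); print c[3] }' \
        | LC_ALL=C sort -u
}

# Classify each type read from stdin. The only rule applied is the rename
# stated in the thread; every other type is flagged for manual review.
classify_types() {
    while IFS= read -r t; do
        case "$t" in
            *_script_exec_t)
                printf '%s renamed %s\n' "$t" "${t%_script_exec_t}_initrc_exec_t" ;;
            *)
                printf '%s review -\n' "$t" ;;
        esac
    done
}

# Full pipeline: log text in, one "type status suggestion" line per type out.
triage() { unmapped_types | classify_types; }

sample_log | triage
```

On a live system the same pipeline can read the kernel ring buffer with `dmesg | triage`.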
selinux@lists.fedoraproject.org