I've always had problems with SELinux but I set it to permissive and moved on. Now I want to see if I can fix it.
My logwatch report gives me 20 or 30 lines of :
NULL security context for user, but SELinux in permissive mode, continuing ()
in the cron section. Then I looked in /var/log/dmesg and I see this line:
SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
System->Administration->SELinux Management, select SELinux User, shows 8 SELinux users: guest_u, root, staff_u, sysadm_u, system_u, unconfined_u, user_u, xguest_u
OK, that looks good but when, as root, I run:
# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
hmmm... only 3 users. Is this a problem, or is it telling me that only 3 SELinux users are currently in use (i.e. assigned to any Linux user) because I'm running in permissive mode?
How can I find out which user has a "NULL security context"?
Thanks, Steve
On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
I've always had problems with SELinux but I set it to permissive and moved on. Now I want to see if I can fix it.
My logwatch report gives me 20 or 30 lines of :
NULL security context for user, but SELinux in permissive mode, continuing ()
in the cron section. Then I looked in /var/log/dmesg and I see this line:
SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
System->Administration->SELinux Management, select SELinux User, shows 8 SELinux users: guest_u, root, staff_u, sysadm_u, system_u, unconfined_u, user_u, xguest_u
OK, that looks good but when, as root, I run:
# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
hmmm... only 3 users. Is this a problem, or is it telling me that only 3 SELinux users are currently in use (i.e. assigned to any Linux user) because I'm running in permissive mode?
This should not be a problem, because new users get mapped under __default__ by default, which is mapped to the unconfined_u SELinux user.
How can I find out which user has a "NULL security context"?
Good question; my gut feeling tells me it is unconfined_u, but I am not sure.
If there is no bug in the Fedora 11 SELinux policy, then you could consider reinstalling the policy.
The procedure for reinstalling policy is as follows.
1. setenforce 0 (put SELinux in permissive mode)
2. rpm -ev selinux-policy selinux-policy-targeted (de-install the SELinux policy)
3. mv /etc/selinux/targeted /etc/selinux/targeted.backup (remove -backup- the old SELinux policy config)
4. yum install selinux-policy selinux-policy-targeted (-re- install fresh SELinux policy)
5. fixfiles restore (restore contexts)
6. reboot
But try at your own risk.
Also, just a file system relabeling *may* fix the issue: fixfiles restore; reboot (but I am not sure there either)
hth
Thanks, Steve
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
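The point in the reply above is that a three-line `semanage login -l` table is not three users: every login without its own record falls through to `__default__`. The following is an added example (not code from the thread or from the SELinux tools) that parses a constructed copy of the table Steve posted and resolves what each Linux login on a host would actually get; the login list is made up for the demonstration.

```python
# Added example (not from the thread): resolve which SELinux user and MLS/MCS
# range each Linux login actually gets, given the output of `semanage login -l`.
# Logins without an explicit record fall back to "__default__", which is why a
# three-line mapping table still covers every user on the box.
from typing import Dict, List, Optional, Tuple

# Constructed copy of the mapping Steve posted (header included, as the tool
# prints it). Blank lines and extra whitespace are tolerated by the parser.
SEMANAGE_LOGIN_OUTPUT = """\
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
"""

# Constructed list of Linux logins that could own cron jobs on such a host.
LINUX_LOGINS = ["root", "steve", "backuppc", "apache"]

Mapping = Dict[str, Tuple[str, str]]


def parse_semanage_login(text: str) -> Mapping:
    """Parse `semanage login -l` output into {login: (selinux_user, mls_range)}."""
    mapping: Mapping = {}
    for line in text.splitlines():
        fields = line.split()
        # The header splits into more than three words; blank lines into none.
        if len(fields) != 3:
            continue
        login, seuser, mls_range = fields
        mapping[login] = (seuser, mls_range)
    return mapping


def resolve_login(mapping: Mapping, login: str) -> Optional[Tuple[str, str, str]]:
    """Return (selinux_user, mls_range, via) for a login, or None if unmapped.

    'via' names the record that applied: the login itself or "__default__".
    None means there is no record at all that could give this login a context.
    """
    if login in mapping:
        seuser, mls_range = mapping[login]
        return seuser, mls_range, login
    if "__default__" in mapping:
        seuser, mls_range = mapping["__default__"]
        return seuser, mls_range, "__default__"
    return None


def report(mapping: Mapping, logins: List[str]) -> List[str]:
    """One human-readable line per login saying how it will be confined."""
    lines = []
    for login in logins:
        resolved = resolve_login(mapping, login)
        if resolved is None:
            lines.append(f"{login}: NO MAPPING (no __default__ record either)")
        else:
            seuser, mls_range, via = resolved
            lines.append(f"{login}: {seuser} {mls_range} (via {via})")
    return lines


if __name__ == "__main__":
    table = parse_semanage_login(SEMANAGE_LOGIN_OUTPUT)
    print("\n".join(report(table, LINUX_LOGINS)))
```

Running it against the real table is a matter of replacing the embedded string with `semanage login -l` output and the login list with `getent passwd` names; a login that resolves to `None` is one with no explicit record and no `__default__` fallback, which is the only configuration in which the mapping table itself could leave a user without a context.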
On Sun, 25 Apr 2010 11:04:31 +0200 Dominick Grift domg472@gmail.com wrote:
On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
...
My logwatch report gives me 20 or 30 lines of :
NULL security context for user, but SELinux in permissive mode, continuing ()
in the cron section. Then I looked in /var/log/dmesg and I see this line:
SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
System->Administration->SELinux Management, select SELinux User, shows 8 SELinux users:
...
OK, that looks good but when, as root, I run:
# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
hmmm... only 3 users. Is this a problem, or is it telling me that only 3 SELinux users are currently in use (i.e. assigned to any Linux user) because I'm running in permissive mode?
This should not be a problem, because new users get mapped under __default__ by default, which is mapped to the unconfined_u SELinux user.
How can I find out which user has a "NULL security context"?
Good question; my gut feeling tells me it is unconfined_u, but I am not sure.
If there is no bug in the Fedora 11 SELinux policy, then you could consider reinstalling the policy.
The procedure for reinstalling policy is as follows.
1. setenforce 0 (put SELinux in permissive mode)
2. rpm -ev selinux-policy selinux-policy-targeted (de-install the SELinux policy)
3. mv /etc/selinux/targeted /etc/selinux/targeted.backup (remove -backup- the old SELinux policy config)
4. yum install selinux-policy selinux-policy-targeted (-re- install fresh SELinux policy)
5. fixfiles restore (restore contexts)
6. reboot
I tried this procedure and at step 2 I also had to remove policycoreutils-gui and setroubleshoot because of dependencies, and then reinstall them at step 4. Step 5 started and bailed out with these errors:
# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx: Permission denied
The /media/... is an external USB harddrive that I use for backups.
Can I ignore these errors, or do they need to be resolved?
Thanks, Steve
On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
On Sun, 25 Apr 2010 11:04:31 +0200 Dominick Grift domg472@gmail.com wrote:
...
I tried this procedure and at step 2 I also had to remove policycoreutils-gui and setroubleshoot because of dependencies, and then reinstall them at step 4. Step 5 started and bailed out with these errors:
# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx: Permission denied
The /media/... is an external USB hard drive that I use for backups.
Can I ignore these errors, or do they need to be resolved?
Looks like a couple of things didn't go the way I expected. I do not understand why policycoreutils or setroubleshoot depends on the policy.
Anyways..
The errors look as if SELinux was enforcing, or as if you were not running fixfiles restore as root.
Please try to run fixfiles restore as root in permissive mode.
On Sun, 25 Apr 2010 17:44:00 +0200 Dominick Grift domg472@gmail.com wrote:
On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
On Sun, 25 Apr 2010 11:04:31 +0200 Dominick Grift domg472@gmail.com wrote:
...
The errors look as if SELinux was enforcing, or as if you were not running fixfiles restore as root.
Please try to run fixfiles restore as root in permissive mode.
The previous attempt was as root and in permissive mode. I tried again:
[root@steve ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@steve ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted
[root@steve ~]# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/blah-blah: Permission denied
Thanks, Steve
On Sun, Apr 25, 2010 at 12:19:04PM -0400, Steve Blackwell wrote:
On Sun, 25 Apr 2010 17:44:00 +0200 Dominick Grift domg472@gmail.com wrote:
On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
On Sun, 25 Apr 2010 11:04:31 +0200 Dominick Grift domg472@gmail.com wrote:
...
The previous attempt was as root and in permissive mode. I tried again:
[root@steve ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@steve ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted
[root@steve ~]# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/blah-blah: Permission denied
in /etc/selinux/config set "SELINUX=permissive"
then do: touch /.autorelabel && reboot
once rebooted change SELINUX=permissive back to SELINUX=enforcing and setenforce 1
On Sun, Apr 25, 2010 at 11:32 AM, Dominick Grift domg472@gmail.com wrote:
in /etc/selinux/config set "SELINUX=permissive"
then do: touch /.autorelabel && reboot
once rebooted change SELINUX=permissive back to SELINUX=enforcing and setenforce 1
Isn't it usually simpler just to add "enforcing=0" to the kernel boot parameters on the reboot? No fiddling with /etc/selinux/config nor with 'setenforce'....
tom -- Tom London
On Sun, Apr 25, 2010 at 11:40:34AM -0700, Tom London wrote:
On Sun, Apr 25, 2010 at 11:32 AM, Dominick Grift domg472@gmail.com wrote:
in /etc/selinux/config set "SELINUX=permissive"
then do: touch /.autorelabel && reboot
once rebooted change SELINUX=permissive back to SELINUX=enforcing and setenforce 1
Isn't it usually simpler just to add "enforcing=0" to the kernel boot parameters on the reboot? No fiddling with /etc/selinux/config nor with 'setenforce'....
I guess that depends, but either works.
tom
Tom London
On Sun, 25 Apr 2010 20:32:53 +0200 Dominick Grift domg472@gmail.com wrote:
Please try to run fixfiles restore as root in permissive mode.
The previous attempt was as root and in permissive mode. I tried again:
[root@steve ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@steve ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted
[root@steve ~]# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/blah-blah: Permission denied
in /etc/selinux/config set "SELINUX=permissive"
then do: touch /.autorelabel && reboot
OK, I did that and I still get these messages in /var/log/dmesg:
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:automount_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:apcupsd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:squid_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:soundd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
once rebooted change SELINUX=permissive back to SELINUX=enforcing and setenforce 1
I have always been running in permissive mode because of the issues I've been experiencing, but I'll try it and see how it goes.
Thanks, Steve
On Sun, Apr 25, 2010 at 06:35:57PM -0400, Steve Blackwell wrote:
On Sun, 25 Apr 2010 20:32:53 +0200 Dominick Grift domg472@gmail.com wrote:
Please try to run fixfiles restore as root in permissive mode.
The previous attempt was as root and in permissive mode. I tried again:
[root@steve ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@steve ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted
[root@steve ~]# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/blah-blah: Permission denied
in /etc/selinux/config set "SELINUX=permissive"
then do: touch /.autorelabel && reboot
OK, I did that and I still get these messages in /var/log/dmesg:
If relabeling succeeded, these issues should be fixed now. You can check by listing: "ls -alZ /etc/rc.d/init.d/mysqld"
If the type returned is mysqld_initrc_exec_t, then it's fixed; if the type returned is unlabeled_t, then something went wrong.
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:automount_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:apcupsd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:squid_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:soundd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
once rebooted change SELINUX=permissive back to SELINUX=enforcing and setenforce 1
I have always been running in permissive mode because of the issues I've been experiencing, but I'll try it and see how it goes.
Thanks, Steve
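The "is not valid (left unmapped)" lines mean the on-disk labels name types the loaded policy no longer has, and the kernel treats such files as unlabeled_t until they are relabeled; Dominick's check for mysqld verifies exactly that for one file. The block below is an added example (not code from the thread or from the SELinux tools) that generalises that check: it reads a constructed excerpt of the dmesg lines, derives an `ls -Z` checklist from them, and classifies a constructed `ls -Z` line the way the reply does. The rename pattern `<svc>_script_exec_t` to `<svc>_initrc_exec_t` for `/etc/rc.d/init.d/<svc>` is an assumption of the example, extrapolated from the single mysqld case above, and should be confirmed against the installed policy before being relied on.

```python
# Added example (not from the thread): turn the "Context ... is not valid (left
# unmapped)" dmesg lines into a checklist of init scripts whose labels should be
# verified after the relabel, and classify an `ls -Z` line the way the reply does.
# ASSUMPTION: <svc>_script_exec_t was renamed to <svc>_initrc_exec_t and labels
# /etc/rc.d/init.d/<svc>; the thread only confirms this for mysqld.
import re
from typing import List, Optional, Tuple

# Constructed excerpt of the dmesg lines posted above, plus one unrelated line
# to show that only the "not valid" messages are picked up.
DMESG_EXCERPT = """\
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
"""

INVALID_CTX = re.compile(r"SELinux: Context (\S+) is not valid \(left unmapped\)")
OLD_INITRC = re.compile(r"(\w+)_script_exec_t")


def invalid_contexts(text: str) -> List[str]:
    """Every context the kernel refused to map, in dmesg order."""
    return [m.group(1) for m in INVALID_CTX.finditer(text)]


def split_context(ctx: str) -> Tuple[str, str, str, str]:
    """Split user:role:type:range; the range may itself contain ':' (s0-s0:c0.c1023)."""
    user, role, type_, mls = ctx.split(":", 3)
    return user, role, type_, mls


def expected_replacement(old_type: str) -> Optional[Tuple[str, str]]:
    """(new_type, path_to_check) for an obsolete init-script type, else None.

    Encodes the assumption stated at the top; anything that is not of the form
    <svc>_script_exec_t is reported as None rather than guessed at.
    """
    m = OLD_INITRC.fullmatch(old_type)
    if not m:
        return None
    svc = m.group(1)
    return f"{svc}_initrc_exec_t", f"/etc/rc.d/init.d/{svc}"


def checklist(text: str) -> List[Tuple[str, str, str]]:
    """(old_type, expected_type, path) for each unmapped init-script context."""
    out = []
    for ctx in invalid_contexts(text):
        _, _, type_, _ = split_context(ctx)
        repl = expected_replacement(type_)
        if repl:
            out.append((type_, repl[0], repl[1]))
    return out


def verdict(ls_z_line: str, expected_type: str) -> str:
    """Classify one `ls -Z` line: the context is the field with three or more ':'."""
    ctx = next((tok for tok in ls_z_line.split() if tok.count(":") >= 3), None)
    if ctx is None:
        return "no context field"
    type_ = split_context(ctx)[2]
    if type_ == expected_type:
        return "fixed"
    if type_ == "unlabeled_t":
        return "relabel failed"
    return f"unexpected type {type_}"


if __name__ == "__main__":
    for old, new, path in checklist(DMESG_EXCERPT):
        print(f"ls -alZ {path}   # expect {new}, was {old}")
    # Constructed `ls -Z` line in the format Steve's F11 box prints.
    sample = "-rwxr-xr-x. root root system_u:object_r:mysqld_initrc_exec_t:s0 /etc/rc.d/init.d/mysqld"
    print(verdict(sample, "mysqld_initrc_exec_t"))
```

To use it on the real box, feed `dmesg` output to `checklist()` and run the printed `ls -alZ` commands; `verdict()` then gives the same three-way answer as the reply (fixed, relabel failed, or a type nobody expected, which is worth a closer look before switching to enforcing).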
On Mon, 26 Apr 2010 09:27:34 +0200 Dominick Grift domg472@gmail.com wrote:
[root@steve ~]# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/blah-blah: Permission denied
in /etc/selinux/config set "SELINUX=permissive"
then do: touch /.autorelabel && reboot
OK, I did that and I still get these messages in /var/log/dmesg:
If relabeling succeeded, these issues should be fixed now. You can check by listing: "ls -alZ /etc/rc.d/init.d/mysqld"
If the type returned is mysqld_initrc_exec_t, then it's fixed; if the type returned is unlabeled_t, then something went wrong.
The type is mysqld_initrc_exec_t, so it must be fixed. Things have definitely improved. I'm not getting streams of AVCs any more when I open the services GUI. Thank you, Dominick!
I do still have one (so far) problem though. When I try to point my browser at my local BackupPC server page I get an "Unable to Connect" message and an AVC:
Raw Audit Messages : node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
Now I know I could change the context of that socket file, but I'm guessing that it gets created every time and so that is not a permanent solution. Is there a boolean I need to set? Nothing looked obvious. Or perhaps a BackupPC policy I need to install?
Thanks, Steve
On 04/26/2010 09:47 AM, Steve Blackwell wrote:
On Mon, 26 Apr 2010 09:27:34 +0200 Dominick Grift domg472@gmail.com wrote:
[root@steve ~]# fixfiles restore ********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied /sbin/setfiles: error while labeling /: Permission denied /sbin/setfiles: error while labeling /boot: Permission denied /sbin/setfiles: error while labeling /media/blah-blah: Permission denied
in /etc/selinux/config set "SELINUX=permissive"
then do: touch /.autorelabel && reboot
OK, I did that and I still get these messages in /var/log/dmesg:
If relabeling succeeded these issues should be fixed now. You can check by listing: "ls -alZ /etc/rc.d/init.d/mysqld"
If the type returned is mysqld_initrc_exec_t, then it's fixed; if the type returned is unlabeled_t, then something went wrong.
The type is mysqld_initrc_exec_t, so it must be fixed. Things have definitely improved. I'm not getting streams of AVCs any more when I open the services GUI. Thank you, Dominick!
I do still have one (so far) problem though. When I try to point my browser at my local BackupPC server page I get an "Unable to Connect" message and an AVC:
Raw Audit Messages : node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
Now I know I could change the context of that socket file, but I'm guessing that it gets created every time and so that is not a permanent solution. Is there a boolean I need to set? Nothing looked obvious. Or perhaps a BackupPC policy I need to install?
Thanks, Steve
What directory is the socket in?
On Mon, 26 Apr 2010 11:11:00 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
I do still have one (so far) problem though. When I try to point my browser at my local BackupPC server page I get an "Unable to Connect" message and an AVC:
Raw Audit Messages : node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
Now I know I could change the context of that socket file, but I'm guessing that it gets created every time and so that is not a permanent solution. Is there a boolean I need to set? Nothing looked obvious. Or perhaps a BackupPC policy I need to install?
Thanks, Steve
What directory is the socket in?
/var/log/BackupPC
Steve
On 04/26/2010 12:41 PM, Steve Blackwell wrote:
On Mon, 26 Apr 2010 11:11:00 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
I do still have one (so far) problem though. When I try to point my browser at my local BackupPC server page I get an "Unable to Connect" message and an AVC:
Raw Audit Messages : node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
Now I know I could change the context of that socket file, but I'm guessing that it gets created every time and so that is not a permanent solution. Is there a boolean I need to set? Nothing looked obvious. Or perhaps a BackupPC policy I need to install?
Thanks, Steve
What directory is the socket in?
/var/log/BackupPC
Steve
The BackupPC package comes with labeling in F12/F13 of httpd_sys_content_t.
# matchpathcon /var/log/BackupPC/
/var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
Execute the following; it should fix the problem:
# semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
# restorecon -R -v /var/log/BackupPC
On Tue, 27 Apr 2010 08:45:25 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
On 04/26/2010 12:41 PM, Steve Blackwell wrote:
On Mon, 26 Apr 2010 11:11:00 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
I do still have one (so far) problem though. When I try to point my browser at my local BackupPC server page I get an "Unable to Connect" message and an AVC:
Raw Audit Messages : node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
Now I know I could change the context of that socket file, but I'm guessing that it gets created every time and so that is not a permanent solution. Is there a boolean I need to set? Nothing looked obvious. Or perhaps a BackupPC policy I need to install?
Thanks, Steve
What directory is the socket in?
/var/log/BackupPC
Steve
The BackupPC package comes with labeling in F12/F13 of httpd_sys_content_t.
# matchpathcon /var/log/BackupPC/
/var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
Execute the following; it should fix the problem:
# semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
# restorecon -R -v /var/log/BackupPC
No luck.
This did relabel the files in /var/log/BackupPC
[root@steve ~]# ls -lZ /var/log/BackupPC
-r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
...
but SELinux still won't let me access the server. I get a slightly different, but essentially the same, AVC as before:
Raw Audit Messages :
node=steve.blackwell type=AVC msg=audit(1272379639.571:319): avc: denied { write } for pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390 a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
So it looks to my untrained eye that we have a process with context system_u:system_r:httpd_t:s0 trying to write to a file that has a context system_u:object_r:httpd_sys_content_t:s0 and there is no rule to say that this is OK. Is that about right?
Thanks, Steve
On Tue, Apr 27, 2010 at 10:57:17AM -0400, Steve Blackwell wrote:
This did relabel the files in /var/log/BackupPC
[root@steve ~]# ls -lZ /var/log/BackupPC
-r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
This pid and sock need to mv to /var/run, I asked the backuppc packager to do this a long time ago but for some reason it's not fixed yet
On Tue, 27 Apr 2010 17:01:26 +0200 Dominick Grift domg472@gmail.com wrote:
This pid and sock need to mv to /var/run, I asked the backuppc packager to do this a long time ago but for some reason it's not fixed yet
I posted another message to the BackupPC list to try and find the status of your request but I didn't get an answer to my first question so I'm not holding my breath.
In the meantime, would this work as a temporary workaround?
# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.sock
# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.pid
# restorecon -R -v /var/log/BackupPC
Thanks, Steve
On 04/27/2010 11:41 AM, Steve Blackwell wrote:
In the meantime, would this work as a temporary workaround?
# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.sock
# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.pid
# restorecon -R -v /var/log/BackupPC
No that is wrong. httpd_sys_content_t is the correct label. httpd_t is a process label not a file label.
On 04/27/2010 10:57 AM, Steve Blackwell wrote:
So it looks to my untrained eye that we have a process with context system_u:system_r:httpd_t:s0 trying to write to a file that has a context system_u:object_r:httpd_sys_content_t:s0 and there is no rule to say that this is OK. Is that about right?
You can add the ok rule using audit2allow
# grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M mybackuppc
# semodule -i mybackuppc.pp
On Tue, 27 Apr 2010 11:31:57 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
You can add the ok rule using audit2allow
# grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M mybackuppc
# semodule -i mybackuppc.pp
OK, a little progress. Now I am getting a socket connect denial. Will repeating the audit2allow process correct this?
Thanks, Steve
On 04/27/2010 12:18 PM, Steve Blackwell wrote:
OK, a little progress. Now I am getting a socket connect denial. Will repeating the audit2allow process correct this?
yes
On Tue, 27 Apr 2010 13:17:09 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
OK, a little progress. Now I am getting a socket connect denial. Will repeating the audit2allow process correct this?
yes
I wasn't sure if running audit2allow a second time would add to mybackuppc.pp or replace it so I ran
# grep "BackupPC.sock" /var/log/audit/audit.log | audit2allow -M mybackuppc.pp
# semodule -i mybackuppc.pp
I also noticed a boolean called httpd_can_network_connect. This would have worked too, correct?
Now I can connect to the server but I get a different AVC:
Raw Audit Messages :
node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied { read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
node=steve.blackwell type=SYSCALL msg=audit(1272391254.10:349): arch=40000003 syscall=195 success=no exit=-13 a0=8d02824 a1=8b8e0c0 a2=4fbff4 a3=8b8e008 items=0 ppid=2033 pid=406 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
disk is a link to an external USB drive where I keep the backups
[root@steve ~]# ls -lZ /media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 <the USB disk UUID>
lrwxrwxrwx. root root system_u:object_r:mnt_t:s0 disk -> <the USB disk UUID>
So do I need to relabel the disk httpd_sys_content_t next?
Steve
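Dan's audit2allow suggestion earlier in the thread, and Steve's question about whether a second run adds to or replaces the module, both come down to what audit2allow actually does: it reads the AVC records, groups them by source type, target type and object class, and emits one allow rule per group. The Python below is an added example, not code from this thread, from BackupPC or from policycoreutils; it reimplements that grouping so the rules a module would grant can be read before `semodule -i` installs them. The sample log is constructed: the first four records are the denials quoted in the thread (one SYSCALL record included to show it is ignored), the last one (`getattr` on the same symlink) is made up to show how permissions for one triple are merged, and the .te layout only approximates what audit2allow prints.

```python
"""Turn SELinux AVC denials into the allow rules audit2allow would emit.

Added example, not code from the thread, from BackupPC or from
policycoreutils.  It reproduces enough of audit2allow's behaviour to let
you see exactly which permissions a generated module grants before you
run `semodule -i` on it.
"""
import re
from collections import defaultdict

# Fields of an AVC record as written by auditd.  The `denied { ... }`
# list may hold several permissions, e.g. `{ read getattr }`.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample log.  Records 1, 3 and 4 are the denials quoted in
# the thread, record 2 is the SYSCALL half of the first pair (no contexts,
# must be skipped), record 5 is made up to show permission merging.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1272289200.98:138): avc: denied { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1272289200.98:138): arch=40000003 syscall=102 success=no exit=-13 a0=3 items=0 pid=31707 comm="perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1272379639.571:319): avc: denied { write } for pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
type=AVC msg=audit(1272391254.10:349): avc: denied { read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
type=AVC msg=audit(1272391254.11:350): avc: denied { getattr } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
"""


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def collect_denials(log_text, type_filter=None):
    """Map (source type, target type, class) -> set of denied permissions.

    type_filter mimics the `grep <type> audit.log |` step used in the
    thread: only records whose source or target type equals it are kept.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records and anything unparseable
        stype = type_of(m.group("scontext"))
        ttype = type_of(m.group("tcontext"))
        if type_filter and type_filter not in (stype, ttype):
            continue
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return rules


def render_te(rules, module_name, version="1.0"):
    """Render policy module source (.te) in roughly audit2allow's layout."""
    types = sorted({t for _, t, _ in rules} | {s for s, _, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, cls), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def allow_rules(log_text, type_filter=None):
    """Just the allow lines, sorted, for review."""
    rules = collect_denials(log_text, type_filter)
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in rules.items()
    )


if __name__ == "__main__":
    # Equivalent of: grep httpd_sys_content_t audit.log | audit2allow -M mybackuppc
    print(render_te(collect_denials(SAMPLE_AUDIT_LOG, "httpd_sys_content_t"), "mybackuppc"))
    # Without the grep, every denial still in the log lands in one module.
    print(render_te(collect_denials(SAMPLE_AUDIT_LOG), "mybackuppc"))
```

Reading the output before installing is the point: `allow httpd_t httpd_sys_content_t:sock_file { write };` lets Apache write to every socket labelled httpd_sys_content_t, not just BackupPC.sock, and the mnt_t rule lets it read any symlink carrying that label. Two details from the thread also become visible here: `audit2allow -M` takes a bare module name and writes `<name>.te` and `<name>.pp` itself, so passing `mybackuppc.pp` produces `mybackuppc.pp.pp`; and because the generator works from whatever denials are still in the log, regenerating from the whole log and installing under the same module name is how the earlier rules and the new ones end up in one module rather than being lost.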
On 04/27/2010 02:16 PM, Steve Blackwell wrote:
So do I need to relabel the disk httpd_sys_content_t next?
You could use something like mount -o context="system_u:object_r:httpd_sys_content_t:s0"
Which will tell mount to mount your disk with this label.
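An added example (not from this thread) of choosing between the two ways to give the backup disk a label httpd_t can use. A filesystem that cannot store SELinux xattrs (vfat, ntfs, iso9660 and friends, which is what a USB disk often carries) can only be labelled as a whole, with the context= mount option shown above; a filesystem that can (ext3, ext4, xfs) can be relabelled per file, and the rule should then be recorded with semanage fcontext so a later restorecon, fixfiles or /.autorelabel boot does not undo it. The mount table in the script is constructed; the device names and mount points are assumptions.

```shell
#!/bin/sh
# Added example: pick the labelling method for a mounted filesystem.
# Not part of the thread; the mount table is constructed (device names,
# mount points and the UUID-style directory are assumptions).

SAMPLE_MOUNTS='/dev/mapper/vg-root / ext3 rw,relatime 0 0
/dev/sdb1 /media/1234-ABCD vfat rw,uid=500,gid=500 0 0
/dev/sdc1 /media/backups ext3 rw,relatime 0 0'

# mount_entry MOUNTPOINT: prints "device fstype" from a /proc/mounts-style
# table on stdin; prints nothing if the mount point is absent.
mount_entry() {
    awk -v mp="$1" '$2 == mp { print $1, $3; exit }'
}

# label_plan MOUNTPOINT TYPE: prints the commands that give MOUNTPOINT the
# SELinux type TYPE, depending on the filesystem it carries. Returns 1 if
# it is not mounted. Mount table on stdin.
label_plan() {
    mp=$1; type=$2
    entry=$(mount_entry "$mp")
    [ -n "$entry" ] || { echo "$mp is not mounted" >&2; return 1; }
    dev=${entry% *}
    fs=${entry#* }
    case "$fs" in
        vfat|msdos|exfat|ntfs|iso9660|udf)
            # No per-file xattrs: the whole mount gets one context. The
            # kernel refuses to change context= on a remount, so unmount
            # and mount again; make it persistent in /etc/fstab or in the
            # automounter's map entry for this device.
            echo "umount $mp"
            echo "mount -o context=system_u:object_r:${type}:s0 $dev $mp"
            ;;
        *)
            # Per-file labels are supported: record the rule in the policy's
            # file-context database, then apply it. Unlike a bare chcon,
            # this survives restorecon, fixfiles and a /.autorelabel boot.
            echo "semanage fcontext -a -t $type \"$mp(/.*)?\""
            echo "restorecon -Rv $mp"
            ;;
    esac
}

printf '%s\n' "$SAMPLE_MOUNTS" | label_plan /media/1234-ABCD httpd_sys_content_t
printf '%s\n' "$SAMPLE_MOUNTS" | label_plan /media/backups httpd_sys_content_t
```

On a real system feed it `cat /proc/mounts | label_plan /media/<uuid> httpd_sys_content_t` and run the printed commands by hand; the script deliberately only prints them.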
On Wed, 28 Apr 2010 13:27:58 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
You could use something like mount -o context="system_u:object_r:httpd_sys_content_t:s0"
Which will tell mount to mount your disk with this label.
I'm sure that would work but the disk is mounted by the automounter and I'd have to dig into that to figure out where to put those options.
I went ahead and relabeled and it seems to be working. Now I just have to solve the issues I was having with BackupPC when I was running in permissive mode.
Thanks, Steve
On 04/25/2010 06:35 PM, Steve Blackwell wrote:
On Sun, 25 Apr 2010 20:32:53 +0200 Dominick Grift domg472@gmail.com wrote:
Please try to run fixfiles restore as root in permissive mode.
The previous attempt was as root and in permissive mode. I tried again:
[root@steve ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@steve ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted
[root@steve ~]# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/blah-blah: Permission denied
in /etc/selinux/config set "SELINUX=permissive"
then do: touch /.autorelabel && reboot
OK, I did that and I still get these messages in /var/log/dmesg:
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:automount_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:apcupsd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:squid_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:soundd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
once rebooted change SELINUX=permissive back to SELINUX=enforcing and setenforce 1
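Two checks that go with the relabel procedure above, as an added example (not from this thread and not part of policycoreutils). First, confirm from sestatus that /etc/selinux/config will not bring the box back up "disabled": the boot-time relabel only runs with SELinux enabled, and files written while it is disabled get no label at all, which is how stale or missing contexts accumulate in the first place. Second, pull the stale types out of the "is not valid (left unmapped)" messages, so that after the relabel you can confirm with `restorecon -Rnv /` that nothing still carries them. The sestatus and dmesg text in the script is constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example: sanity checks around a full relabel. Not part of the
# thread; the sestatus and dmesg text below is constructed from the
# output quoted in this thread.

SESTATUS_SAMPLE='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted'

DMESG_SAMPLE='SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats'

# sestatus_field KEY: value of one "Key: value" line of sestatus (stdin).
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# mode_check: sestatus output on stdin. Returns 0 when the running mode
# and /etc/selinux/config agree and the config is not "disabled";
# otherwise prints what to fix and returns 1.
mode_check() {
    text=$(cat)
    cur=$(printf '%s\n' "$text" | sestatus_field "Current mode")
    cfg=$(printf '%s\n' "$text" | sestatus_field "Mode from config file")
    rc=0
    if [ "$cfg" = "disabled" ]; then
        echo "config file says disabled: the boot-time relabel needs SELinux enabled, and files written while it is disabled get no label; set SELINUX=permissive in /etc/selinux/config before touch /.autorelabel"
        rc=1
    elif [ "$cur" != "$cfg" ]; then
        echo "running $cur but config file says $cfg: the next boot changes mode; make them agree before relabelling"
        rc=1
    fi
    return $rc
}

# unmapped_types: kernel messages on stdin -> sorted unique types that the
# loaded policy no longer defines. After the relabel these should be gone;
# "restorecon -Rnv /" (dry run) lists anything still carrying them.
unmapped_types() {
    sed -n 's/.*SELinux: Context \([^ ]*\) is not valid (left unmapped).*/\1/p' |
        awk -F: '{ print $3 }' | sort -u
}

printf '%s\n' "$SESTATUS_SAMPLE" | mode_check || echo "fix the above before relabelling"
printf '%s\n' "$DMESG_SAMPLE" | unmapped_types
```

On a live box run `sestatus | mode_check` and `dmesg | unmapped_types`; the sample sestatus above, taken from this thread, fails the first check precisely because the config file says disabled while the kernel is permissive.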
I have always been running in permissive mode because of the issues I've been experiencing but I'll try it and see how it goes.
Thanks, Steve
Steve, let's make sure you have a good selinux-policy-targeted install.
# yum reinstall selinux-policy-targeted
Make sure nothing blows up.
Then execute
# fixfiles restore
You should also see no errors.
One last thing would be what file systems are you using? ext3?
On Mon, 26 Apr 2010 08:45:28 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
Steve, let's make sure you have a good selinux-policy-targeted install.
# yum reinstall selinux-policy-targeted
Dominick has already had me reinstall a couple of selinux rpms. My situation has definitely improved so I must have had a corrupted policy somehow.
Thanks, Steve