SELinux issue

Paolo Galtieri pgaltieri at gmail.com
Fri Sep 25 22:51:03 UTC 2015


Daniel,
   on the machine on which things work there is a prewikka.pp file, but on the one that fails there isn't.  On the system
that fails I have the following prewikka policy file (prewikkapol.te):

module prewikka 1.0;

require {
	type tmp_t;
	type init_var_run_t;
	type httpd_prewikka_script_t;
	type sysfs_t;
	class dir { read search };
}

#============= httpd_prewikka_script_t ==============
allow httpd_prewikka_script_t init_var_run_t:dir search;
allow httpd_prewikka_script_t sysfs_t:dir read;
allow httpd_prewikka_script_t tmp_t:dir read;

and the corresponding prewikkapol.pp file.

On the system that works I have the following prewikka policy file (prewikka.te):

module prewikka 1.0;

require {
	type tmp_t;
	type init_var_run_t;
	type httpd_prewikka_script_t;
	type sysfs_t;
	class dir { read search };
}

#============= httpd_prewikka_script_t ==============
allow httpd_prewikka_script_t init_var_run_t:dir search;
allow httpd_prewikka_script_t sysfs_t:dir read;
allow httpd_prewikka_script_t tmp_t:dir read;

and the corresponding prewikka.pp file.  So as far as I know the prewikka policy files are present, and neither says
anything about httpd_prewikka_rw_content_t.

Also if I run

semodule -l

the appropriate policy file is shown.

I tried disabling the module:

sudo semodule -d prewikkapol
[sudo] password for pgaltieri:
libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for /usr/share/prewikka/htdocs/generated_images [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
semodule:  Failed!

I tried to remove the module:

sudo semodule -r prewikkapol
libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for /usr/share/prewikka/htdocs/generated_images [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
semodule:  Failed!

It does appear though that setsebool still works despite the errors.

Still confused though why I'm seeing the error.

Thanks for the help,

Paolo


On 09/25/2015 12:26 PM, Daniel J Walsh wrote:
> Looks like you might have a prewikka policy around?
>
> locate prewikka.pp
>
> Did you build a custom policy module?
>
> On 09/25/2015 02:30 PM, Paolo Galtieri wrote:
>> Folks,
>>    I got an SELinux alert this morning.  The suggestion to correct the
>> problem was to do:
>>
>> setsebool -P unconfined_mozilla_plugin_transition 0
>>
>> When I did this I got the following response:
>>
>> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
>> defined
>> libsepol.context_from_record: could not create context structure
>> libsepol.context_from_string: could not create context structure
>> libsepol.sepol_context_to_sid: could not convert
>> system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
>> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
>> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
>> defined
>> libsepol.context_from_record: could not create context structure
>> libsepol.context_from_string: could not create context structure
>> libsepol.sepol_context_to_sid: could not convert
>> system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
>> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
>>
>> I have 2 systems running F22, I got this response on one of the
>> systems, but not the other.  When I was running F19 on the affected
>> system (prior to upgrading to F22) I did have the prewikka packages
>> installed, but I have since removed them.  However, it appears that
>> some remnants of those packages remain.
>>
>> How do I fix this issue?  I looked in the httpd config files and
>> couldn't find any reference.
>>
>> Any help is appreciated.
>>
>> Paolo
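
A small triage of the output quoted in this thread, as an added example that is not part of the original messages: it pulls the undefined type and the path out of the libsepol/libsemanage error lines and checks whether the module source names that type. The sample strings are copied from the message above; the function and variable names are made up for this example.

```python
import re

# Constructed sample: error lines copied from the semodule output quoted above.
SEMODULE_OUTPUT = """\
libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined (No such file or directory).
libsemanage.validate_handler: invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for /usr/share/prewikka/htdocs/generated_images [all files] (Invalid argument).
semodule:  Failed!
"""

# Module source as quoted in the message (blank lines dropped).
PREWIKKA_TE = """\
module prewikka 1.0;
require {
	type tmp_t;
	type init_var_run_t;
	type httpd_prewikka_script_t;
	type sysfs_t;
	class dir { read search };
}
allow httpd_prewikka_script_t init_var_run_t:dir search;
allow httpd_prewikka_script_t sysfs_t:dir read;
allow httpd_prewikka_script_t tmp_t:dir read;
"""

UNDEFINED = re.compile(r"type (\S+) is not defined")
BAD_CONTEXT = re.compile(r"invalid context (\S+) specified for (\S+) \[([^\]]+)\]")
TE_TYPE = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)", re.M)

def parse_errors(output):
    """Return (undefined types, [(context, path, file class)]) from tool output."""
    undefined = sorted(set(UNDEFINED.findall(output)))
    records = sorted(set(BAD_CONTEXT.findall(output)))
    return undefined, records

def module_types(te_source):
    """Types a .te file names in `type` statements (require block or declarations)."""
    return set(TE_TYPE.findall(te_source))

def triage(output, te_source):
    """Map each undefined type to whether the module names it and which paths use it."""
    undefined, records = parse_errors(output)
    known = module_types(te_source)
    report = {}
    for t in undefined:
        # The type is the third field of user:role:type:level.
        paths = [p for ctx, p, _ in records if ctx.split(":")[2] == t]
        report[t] = {"in_module": t in known, "paths": paths}
    return report

print(triage(SEMODULE_OUTPUT, PREWIKKA_TE))
```

Here the type is undefined and the module source never names it; the error line itself ties it to a context specified for a path.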


