About security field in struct sk_buff
by Park Lee
Hi,
In /usr/src/linux/security/selinux/include/objsec.h,
there seems to be no SELinux security data structure for
struct sk_buff.
Does this mean that SELinux doesn't use the
security field (i.e. the unsigned short security) in
struct sk_buff at all?
Thank you.
=====
Best Regards,
Park Lee
19 years, 4 months
Re: system-config-securitylevel error?
by Justin Conover
I re-enabled SELinux and then did the following:
cd /etc/selinux/targeted/src/policy
make
make relabel
reboot
/sbin/restorecon -v -R
/sbin/fixfiles relabel
reboot to init 3
I didn't see any avc errors so installed the nvidia drivers and then
got some errors again
Had to do with /sbin/ldconfig
And if I go to init 5, gdm loads but users and root get the following
error trying to login:
Cannot start the session due to some internal errors.
So I can't get into X
On Fri, 24 Dec 2004 09:41:32 -0600, Justin Conover
<justin.conover(a)gmail.com> wrote:
> About 2 days ago I did an update and I was getting so many avc errors
> and had to get some work done so I dropped SELinux for the moment. I
> simply edited /etc/sysconfig/selinux and changed it to "disabled" but
> when I run "system-config-securitylevel" I get the following error:
>
> # system-config-securitylevel
> Traceback (most recent call last):
> File "/usr/share/system-config-securitylevel/system-config-securitylevel.py",
> line 17, in ?
> app = securitylevel.childWindow()
> File "/usr/share/system-config-securitylevel/securitylevel.py", line
> 87, in __init__
> self.trustedList = checklist.CheckList(1)
> NameError: global name 'checklist' is not defined
>
> My system is the following:
>
> FC3 x86_64 updated to Rawhide.
>
> thx,
>
> btw, I've attached the avc errors out of /var/log/messages If I
> decide to turn SELinux back on, what is the best approach as far as
> re-labeling:
>
> /sbin/restorecon -v -R
> /sbin/fixfiles relabel
>
> ?
19 years, 4 months
'allow XXXX udev_tdb_t:dir r_dir_perms' needed...
by Tom London
Running strict/enforcing, latest Rawhide....
X fails to come up, etc.
Looks like
allow XXXX udev_tdb_t:dir r_dir_perms;
is needed pretty generally, especially
for xdm_t, xdm_server_t, ptal_t, pam_console_t,
lvm_t, hald_t, gpm_t, cupsd_t. Even
user_t seems to want it for configuring esd.
Should this be added to macros somewhere?
tom
--
Tom London
19 years, 4 months
FC3 PostgreSQL update
by Troels Arvin
Hello,
I installed the updated PostgreSQL for FC3 today. Before the update,
there were no problems, but now - when I try to start PostgreSQL - it
fails, and I get the following line in my /var/log/messages:
kernel: audit(1103292268.189:0): avc: denied { search } for pid=13607
exe=/usr/bin/postgres name=mnt dev=hda5 ino=179521
scontext=root:system_r:postgresql_t tcontext=system_u:object_r:mnt_t
tclass=dir
Due to a disk-space problem, my /var/lib/pgsql is a symlink to
/mnt/hda1/pgsql
My /mnt/hda1 is unlabeled, and I guess this should be changed, but to
what? - Should my /mnt/hda1 be labeled system_u:object_r:root_t?
How come a PostgreSQL update breaks what used to work?
--
Greetings from Troels Arvin, Copenhagen, Denmark
19 years, 4 months
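As an added example (not part of the original post, and not code from any SELinux tool), the following Python parses the AVC denial quoted in the message above into its fields and renders the access in policy-language form, the same `allow` syntax used elsewhere in this archive. The function names `parse_avc` and `candidate_rule` are hypothetical; the sample is the log line from the post, kept wrapped as it appears in the mail.

```python
import re
from datetime import datetime, timezone

# The denial from the post above, wrapped across lines as in the mail.
SAMPLE = """kernel: audit(1103292268.189:0): avc: denied { search } for pid=13607
exe=/usr/bin/postgres name=mnt dev=hda5 ino=179521
scontext=root:system_r:postgresql_t tcontext=system_u:object_r:mnt_t
tclass=dir"""

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")

def parse_avc(text):
    """Return a dict of AVC fields, or None if text is not an AVC record."""
    line = " ".join(text.split())          # undo mail/syslog line wrapping
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "time": datetime.fromtimestamp(float(m["epoch"]), tz=timezone.utc),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
    }
    for token in m["rest"].split():        # key=value pairs: pid, exe, name, ...
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    # A context is user:role:type; the type is what policy rules refer to.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        if len(parts) < 3:
            return None                    # malformed or missing context
        rec[side[0] + "type"] = parts[2]
    if "tclass" not in rec:
        return None
    return rec

def candidate_rule(rec):
    """Policy-language form of the access (the form audit2allow emits)."""
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_text};"

if __name__ == "__main__":
    record = parse_avc(SAMPLE)
    print(record["time"].isoformat(), record["exe"], record["name"])
    print(candidate_rule(record))
```

Read this way, the record shows the `postgresql_t` domain being refused `search` on the directory named `mnt`, whose type is `mnt_t`, which is the path component the `/var/lib/pgsql` symlink passes through.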
Where is the SID stored in file system and process respectively?
by Park Lee
Hi,
As we know, in SELinux, when we first access a file,
the file system should first send the security context
of the file from its extended attribute to the security
server. The security server will give a SID back to
the file for later use. From then on, every time we
access the file, there is no need for the file system
to send the security context of the file again.
Instead, it will send the SID of the file to the security
server.
But where is the SID (which is assigned by the security
server for the file) stored in the file system? And
how is the SID calculated?
As for processes in SELinux, where is the SID (which
is also assigned by the security server) stored with the
process?
Does the security context of the process only exist in
the SELinux security server, and does the process only need
to deal with the SID that is related to the security
context?
Will the process itself handle its own security
context?
Thank you.
=====
Best Regards,
Park Lee
19 years, 4 months
RE: Using SELinux on samba mounted directories
by Michael Kraus
> What AVC messages are you seeing?
AVC messages? (Could you elucidate please?)
Thanks
Regards,
Michael S. E. Kraus
B. Info. Tech. (CQU), Dip. Business (Computing)
Software Developer
Wild Technology Pty Ltd
_______________________________
ABN 98 091 470 692
Level 4 Tiara, 306/9 Crystal Street, Waterloo NSW 2017, Australia
Telephone 1300-13-9453 | Facsimile 1300-88-9453
http://www.wildtechnology.net
The information contained in this email message and any attachments may
be confidential information and may also be the subject of client legal
- legal professional privilege. If you are not the intended recipient,
any use, interference with, disclosure or copying of this material is
unauthorised and prohibited. This email and any attachments are also
subject to copyright. No part of them may be reproduced, adapted or
transmitted without the written permission of the copyright owner. If
you have received this email in error, please immediately advise the
sender by return email and delete the message from your system.
19 years, 4 months
ldconfig hanging
by rich turner
i am somewhat of a newbie at selinux so forgive some of my ignorance. i
am using fc3 and have created a filesystem using ramdev. in this
filesystem i have put a bunch of files, some executables, and would like
to update ld.so.cache in this filesystem by running "ldconfig -r /mnt",
where /mnt is the mount point of the ramdev.
if i put the running system's /etc/ld.so.cache into /mnt/etc/ld.so.cache
then the system hangs when running "ldconfig -r /mnt". however, if i
don't include the system's /etc/ld.so.cache into /mnt and then run
ldconfig, it succeeds.
i believe this has something to do with selinux because if i boot with
"selinux=0" then it doesn't seem to be an issue either way.
it also appears /etc/ld.so.cache is being handled in some way by selinux
because there is an entry in
/etc/selinux/targeted/contexts/files/file_contexts.
i realize the short answer is to not include ld.so.cache in my ramdev,
but i would like to know why this is actually happening.
anyone have any suggestions?
19 years, 4 months
Fedora Project Mailing Lists reminder
by Elliot Lee
This is a reminder of the mailing lists for the Fedora Project, and
the purpose of each list. You can view this information at
http://fedora.redhat.com/participate/communicate/
When you're using these mailing lists, please take the time to choose
the one that is most appropriate to your post. If you don't know the
right mailing list to use for a question or discussion, please contact
me. This will help you get the best possible answer for your question,
and keep other list subscribers happy!
Mailing Lists
Mailing lists are email addresses which send email to all users
subscribed to the mailing list. Sending an email to a mailing list
reaches all users interested in discussing a specific topic and users
available to help other users with the topic.
The following mailing lists are available. To subscribe, send email to <listname>-request(a)redhat.com
(replace <listname> with the desired mailing list name such as
fedora-list) with the word subscribe in the subject.
fedora-announce-list - Announcements of changes and events. To stay
aware of news, subscribe to this list.
fedora-list - For users of releases. If you want help with a problem
installing or using , this is the list for you.
fedora-test-list - For testers of test releases. If you would like to
discuss experiences using TEST releases, this is the list for you.
fedora-devel-list - For developers, developers, developers. If you are
interested in helping create releases, this is the list for you.
fedora-docs-list - For participants of the docs project
fedora-desktop-list - For discussions about desktop issues such as user
interfaces, artwork, and usability
fedora-config-list - For discussions about the development of
configuration tools
fedora-tools-list - For discussions about the toolchain (gcc, gdb,
etc...) within Fedora
fedora-patches-list - For submitting patches to Fedora maintainers, and
used in line with BugWeek
fedora-legacy-announce - For announcements about the Fedora Legacy
Project
fedora-legacy-list - For discussions about the Fedora Legacy Project
fedora-selinux-list - For discussions about the Fedora SELinux Project
fedora-marketing-list - For discussions about marketing and expanding
the Fedora user base
fedora-de-list - For discussions about Fedora in the German language
fedora-es-list - For discussions about Fedora in the Spanish language
fedora-ja-list - For discussions about Fedora in the Japanese language
fedora-i18n-list - For discussions about the internationalization of
Fedora Core
fedora-trans-list - For discussions about translating the software and
documentation associated with the Fedora Project
German: fedora-trans-de
French: fedora-trans-fr
Spanish: fedora-trans-es
Italian: fedora-trans-it
Brazilian Portuguese: fedora-trans-pt_br
Japanese: fedora-trans-ja
Korean: fedora-trans-ko
Simplified Chinese: fedora-trans-zh_cn
Traditional Chinese: fedora-trans-zh_tw
19 years, 4 months
RE: Using SELinux on samba mounted directories
by Michael Kraus
> Would it be a sick idea to smbmount the share, then export it
> to localhost as an NFS mount, then mount that with an SELinux context?
> Just looking for stop-gap ideas until the Samba context stuff
> is working.
Probably, but it's also probably the kludge that'll work!
Thanks Karsten.
Regards,
Michael S. E. Kraus
B. Info. Tech. (CQU), Dip. Business (Computing)
Software Developer
Wild Technology Pty Ltd
_______________________________
ABN 98 091 470 692
Level 4 Tiara, 306/9 Crystal Street, Waterloo NSW 2017, Australia
Telephone 1300-13-9453 | Facsimile 1300-88-9453
http://www.wildtechnology.net
19 years, 4 months
RE: Using SELinux on samba mounted directories
by Michael Kraus
G'day...
> > Is there a way to edit the /etc/fstab file so that the context is set
> > when the directory is mounted? (I hope this is all making
> Not sure if this solution works with samba - worth a try:
> http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id3523296
Based on that advice, I'm trying:
//machine/share /mnt/mymountpoint smb context=root:object_r:httpd_sys_content_t,username=myusername,password=mypass,exec,rw,uid=500,gid=48,fmask=0775 0 0
Unfortunately to no avail. It looks like smbmount ignores the
"context=..." part. :(
Thanks heaps for your help. Having such a speedy reply is appreciated.
Regards,
Michael S. E. Kraus
B. Info. Tech. (CQU), Dip. Business (Computing)
Software Developer
Wild Technology Pty Ltd
_______________________________
ABN 98 091 470 692
Level 4 Tiara, 306/9 Crystal Street, Waterloo NSW 2017, Australia
Telephone 1300-13-9453 | Facsimile 1300-88-9453
http://www.wildtechnology.net
19 years, 4 months