Re: issue on 'fixfiles relabel'
by Park Lee
On Thu, 03 Jun 2004 10:29:17, Stephen Smalley wrote:
>The policy package installs a copy of the file_contexts file to
>/etc/security/selinux so that it is available for use by fixfiles,
>setfiles, or restorecon even if policy sources is not available.
But in the <<Fedora Core 2 SELinux FAQ>>, there is one statement:
> You will need to have the policy-sources package
> installed to use setfiles.
Then, if the policy package installs a copy of the file_contexts file to
/etc/security/selinux, is it necessary to install the policy-sources
package in order to use setfiles?
Thanks.
Best regards,
Park Lee
trouble shutting down avc netlink socket
by Colin Walters
Hi,
I'm having a problem where calling avc_destroy doesn't seem to close the
netlink socket, because a subsequent avc_init is unable to bind to the
socket, and gets an error "Address already in use".
The attached test program lets me reproduce the problem - the very
interesting thing is it seems to only happen about 50% of the time. Is
there some race here in the kernel?
As far as I can tell the close() is being called so the socket should be
shut down.
mdmpd....
by Tom London
Each time mdmpd tries to start, I get this:
Aug 23 08:20:32 fedora kernel: audit(1093274432.627:0): avc: denied {
write }
for pid=2901 exe=/sbin/mdmpd name=mdstat dev=proc ino=-268435099
scontext=system_u:system_r:mdadm_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 23 08:20:32 fedora mdmpd: Failed to open /proc/mdstat
Aug 23 08:20:32 fedora mdmpd: mdmpd startup failed
Aug 23 08:20:32 fedora mdmpd: mdmpd failed
Does this need to be added? (Sorry, I don't know how mdmpd is
doing its thing....)
tom
[This seems to be an 'old' avc, not related to recent policy changes.]
my first steps in Fedora
by Pietro R.A. Binetti
Hello everyone,
I am a new user of Fedora Core 2, and a newer user of Linux-like OSes as well.
2 days ago I installed Fedora on my notebook: Acer Travel Mate 212T.
I already have some problems that I can't solve:
1) Can't change the screen resolution
When I installed the OS, my screen wasn't recognized, so I chose
"generic LCD monitor" with a resolution of 800x600.
Once installed, I changed my mind and wanted to switch to 1024x768
(supported by my hardware, for sure).
To do that, I opened the Display window from the System Settings menu icon.
Here I configured a generic LCD panel with 1024x768 resolution from the
Hardware folder and rebooted the PC. Then, in the Display window I had
the possibility to choose the wanted resolution. Doing that and
rebooting, I can see 1024x768 as the selected screen resolution, but
looking at the screen, things haven't changed: I always have the old
800x600.
What should I do?
2) Touch pad
The touch pad of my PC is working correctly, even if the click must be
done by pressing the left button and can't be done with a "touch". I
can't find where I can configure or change the settings of my touch pad.
Can I?
Thanks in advance for your help.
Regards,
Pietro
avcs from install of initscripts/kernel ?
by Tom London
I noticed the following 2 avc's while doing a 'yum update' off of
Rawhide today
(running strict/enforcing):
Aug 21 09:43:36 fedora kernel: audit(1093106616.786:0): avc: denied {
dac_read_search } for pid=4292 exe=/bin/bash capability=2
scontext=root:sysadm_r:bootloader_t tcontext=root:sysadm_r:bootloader_t
tclass=capability
Aug 21 09:43:37 fedora kernel: audit(1093106617.979:0): avc: denied {
transition } for pid=4331 exe=/bin/bash path=/sbin/dmsetup dev=hda2
ino=2310451 scontext=root:sysadm_r:bootloader_t
tcontext=root:system_r:lvm_t tclass=process
Looks like the second one occurs with an install of a new kernel; I'm
guessing that the first one occurs during the install of initscripts.
Anything to be concerned about?
tom
/dev/cpu/0/microcode....link mislabeled?
by Tom London
I'm noticing the following messages showing up for the past few days
(strict/enforcing):
Aug 21 13:31:15 fedora kernel: audit(1093120250.606:0): avc: denied {
read } for pid=1558 exe=/sbin/microcode_ctl name=microcode dev=hda2
ino=2689367 scontext=system_u:system_r:cpucontrol_t
tcontext=system_u:object_r:device_t tclass=lnk_file
Aug 21 13:31:15 fedora kernel: microcode: No new microdata for cpu 0
'ls -lZ /dev/cpu/0/microcode' yields:
lrwxrwxrwx root root system_u:object_r:device_t
/dev/cpu/0/microcode -> ../../microcode
Does this link need to be labeled cpu_device_t, or
does 'allow cpucontrol_t device_t:lnk_file { read };' need
to be added to cpucontrol.te, or .... ?
tom
[I sort of remember this being fixed a while back .....]
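Park Lee's question at the top of this page (where setfiles and restorecon get their file_contexts from) and the question in this post (whether the microcode symlink needs its own label) both come down to how a path is looked up in file_contexts. The script below is an added example, not code from the list or from the SELinux project: it parses a file_contexts fragment, honours the file-type flags (-l for symlinks, -c for character devices, and so on), applies the last-match-wins rule setfiles uses, and compares the label a file carries against what the specs expect. The entries in the fragment, including the "<<none>>" line, are constructed for illustration and are not the Fedora policy's actual file_contexts.

```python
"""Toy matchpathcon: look a path up in a file_contexts fragment.

Added example; the entries below are constructed for illustration and are
not the actual Fedora Core 2 policy file_contexts.
"""
import re

# File type flags accepted by the file_contexts format, mapped to the
# SELinux object class that AVC messages report for that kind of object.
TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-c": "chr_file", "-b": "blk_file",
    "-s": "sock_file", "-l": "lnk_file", "-p": "fifo_file",
}

# Constructed fragment (not the real policy file). Columns are:
#   regex  [file-type flag]  context-or-<<none>>
# The specific lines are listed after the generic /dev line on purpose:
# when several lines match, the LAST match wins.
SAMPLE_FILE_CONTEXTS = r"""
# generic catch-all for everything under /dev
/dev(/.*)?                   system_u:object_r:device_t
# character devices under /dev/cpu
/dev/cpu/.*               -c system_u:object_r:cpu_device_t
# the symlink itself is only covered because of this -l line
/dev/cpu/[0-9]+/microcode -l system_u:object_r:cpu_device_t
# udev's scratch file: leave whatever label it has
/dev/\.udev\.tdb             <<none>>
"""


def parse_file_contexts(text):
    """Return a list of (compiled_regex, object_class_or_None, context)
    in file order. Regexes are implicitly anchored at both ends, as
    setfiles does."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, flag, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, flag, context = fields
            if flag not in TYPE_FLAGS:
                raise ValueError(f"line {lineno}: unknown type flag {flag!r}")
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields")
        obj_class = TYPE_FLAGS[flag] if flag else None
        specs.append((re.compile("^" + regex + "$"), obj_class, context))
    return specs


def lookup(specs, path, obj_class):
    """Context the specs assign to `path` for the given object class
    (e.g. "lnk_file"); "<<none>>" if the winning line says not to
    relabel; None if no line matches at all."""
    winner = None
    for regex, spec_class, context in specs:
        if spec_class is not None and spec_class != obj_class:
            continue          # type-restricted line does not apply
        if regex.match(path):
            winner = context  # keep going: last match wins
    return winner


def check_label(specs, path, obj_class, actual):
    """Compare the label a file carries against what file_contexts
    expects. Returns (verdict, expected_context)."""
    expected = lookup(specs, path, obj_class)
    if expected is None:
        return ("unconfigured", None)
    if expected == "<<none>>":
        return ("skipped", None)
    return ("ok" if expected == actual else "mislabeled", expected)


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    # The symlink from the 'ls -lZ' output: it carries device_t, while the
    # constructed -l line says a link at that path should be cpu_device_t.
    print(check_label(specs, "/dev/cpu/0/microcode", "lnk_file",
                      "system_u:object_r:device_t"))
```

Run stand-alone it reports the microcode link as mislabeled relative to the constructed -l line; drop that line and the same lookup falls through to the generic /dev entry, which is the device_t label the 'ls -lZ' output above shows. Whether the real policy should carry such a line is exactly the question in this post; the example only shows where a link's label would come from.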
.525 kernel and strict/enforcing (!?!?)
by Tom London
Wow, the new kernel (.525) seems to not quite work with strict/enforcing.
(Took me a while to recover, so tread carefully!)
It manages to boot with strict/permissive, but there are hordes of
avc messages.... Here are just the first....
Also, I notice that the initrd for .525 is about 625KB, compared
with about 180KB for previous versions.
Is it running udev, etc., off of the initrd?
tom
> Aug 21 11:28:46 fedora kernel: SELinux: initialized (dev rootfs, type
> rootfs), uses genfs_contexts
> Aug 21 11:28:46 fedora kernel: SELinux: initialized (dev sysfs, type
> sysfs), uses genfs_contexts
> Aug 21 11:28:46 fedora kernel: audit(1093087655.962:0): avc: denied
> { read write } for pid=1 exe=/sbin/init path=/dev/console dev=ramfs
> ino=847 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087655.962:0): avc: denied
> { read } for pid=1 exe=/sbin/init path=/init dev=rootfs ino=17
> scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087655.963:0): avc: denied
> { ioctl } for pid=1 exe=/sbin/init path=/dev/tty0 dev=ramfs ino=1126
> scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc: denied
> { write } for pid=1 exe=/sbin/init dev=ramfs ino=846
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc: denied
> { add_name } for pid=1 exe=/sbin/init name=initctl
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc: denied
> { create } for pid=1 exe=/sbin/init name=initctl
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t
> tclass=fifo_file
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc: denied
> { read write } for pid=1 exe=/sbin/init name=initctl dev=ramfs
> ino=1787 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:ramfs_t tclass=fifo_file
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc: denied
> { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=ramfs
> ino=1787 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:ramfs_t tclass=fifo_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.094:0): avc: denied
> { read write } for pid=403 exe=/bin/hostname path=/dev/console
> dev=ramfs ino=847 scontext=system_u:system_r:hostname_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.565:0): avc: denied
> { read write } for pid=449 exe=/bin/mount path=/dev/console dev=ramfs
> ino=847 scontext=system_u:system_r:mount_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.566:0): avc: denied
> { search } for pid=449 exe=/bin/mount dev=ramfs ino=846
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:ramfs_t
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087657.640:0): avc: denied
> { search } for pid=451 exe=/bin/bash dev=ramfs ino=846
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087657.640:0): avc: denied
> { read write } for pid=451 exe=/bin/bash name=tty dev=ramfs ino=1120
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.898:0): avc: denied
> { read write } for pid=513 exe=/sbin/consoletype path=/dev/console
> dev=ramfs ino=847 scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.899:0): avc: denied
> { getattr } for pid=513 exe=/sbin/consoletype path=/dev/console
> dev=ramfs ino=847 scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.900:0): avc: denied
> { ioctl } for pid=513 exe=/sbin/consoletype path=/dev/console
> dev=ramfs ino=847 scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.598:0): avc: denied
> { read write } for pid=536 exe=/sbin/minilogd path=/dev/null
> dev=ramfs ino=848 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.598:0): avc: denied
> { use } for pid=536 exe=/sbin/minilogd path=/init dev=rootfs ino=17
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:system_r:kernel_t tclass=fd
> Aug 21 11:28:46 fedora kernel: audit(1093087658.598:0): avc: denied
> { search } for pid=536 exe=/sbin/minilogd dev=ramfs ino=846
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc: denied
> { write } for pid=536 exe=/sbin/minilogd dev=ramfs ino=846
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc: denied
> { add_name } for pid=536 exe=/sbin/minilogd name=log
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc: denied
> { create } for pid=536 exe=/sbin/minilogd name=log
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc: denied
> { getattr } for pid=540 exe=/sbin/minilogd path=/dev/log dev=ramfs
> ino=2057 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.614:0): avc: denied
> { read write } for pid=538 exe=/sbin/udev name=.udev.tdb dev=ramfs
> ino=855 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.614:0): avc: denied
> { lock } for pid=538 exe=/sbin/udev path=/dev/.udev.tdb dev=ramfs
> ino=855 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.614:0): avc: denied
> { getattr } for pid=538 exe=/sbin/udev path=/dev/.udev.tdb dev=ramfs
> ino=855 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.665:0): avc: denied
> { write } for pid=538 exe=/sbin/udev name=log dev=ramfs ino=2057
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t
> tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.666:0): avc: denied
> { write } for pid=538 exe=/sbin/udev dev=ramfs ino=846
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.666:0): avc: denied
> { add_name } for pid=538 exe=/sbin/udev name=input
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.666:0): avc: denied
> { create } for pid=538 exe=/sbin/udev name=input
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.679:0): avc: denied
> { create } for pid=538 exe=/sbin/udev name=event0
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t
> tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.679:0): avc: denied
> { setattr } for pid=538 exe=/sbin/udev name=event0 dev=ramfs ino=2069
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t
> tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087659.059:0): avc: denied
> { read write } for pid=546 exe=/sbin/restorecon path=/dev/console
> dev=ramfs ino=847 scontext=system_u:system_r:restorecon_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087659.061:0): avc: denied
> { getattr } for pid=546 exe=/sbin/restorecon path=/dev/input/event0
> dev=ramfs ino=2069 scontext=system_u:system_r:restorecon_t
> tcontext=system_u:object_r:ramfs_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087659.226:0): avc: denied
> { getattr } for pid=547 exe=/sbin/udev path=/dev/input dev=ramfs
> ino=2066 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087661.046:0): avc: denied
> { write } for pid=540 exe=/sbin/minilogd name=log dev=ramfs ino=2057
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087661.320:0): avc: denied
> { getattr } for pid=568 exe=/sbin/udev path=/dev/full dev=ramfs
> ino=883 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087661.320:0): avc: denied
> { setattr } for pid=568 exe=/sbin/udev name=full dev=ramfs ino=883
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087661.893:0): avc: denied
> { create } for pid=596 exe=/sbin/udev name=XOR
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t
> tclass=lnk_file
> Aug 21 11:28:46 fedora kernel: audit(1093087667.935:0): avc: denied
> { remove_name } for pid=897 exe=/sbin/udev name=vcs1 dev=ramfs
> ino=1564 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087667.935:0): avc: denied
> { unlink } for pid=897 exe=/sbin/udev name=vcs1 dev=ramfs ino=1564
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087668.270:0): avc: denied
> { unlink } for pid=919 exe=/sbin/udev name=vcsa1 dev=ramfs ino=2889
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t
> tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087679.159:0): avc: denied
> { getattr } for pid=1476 exe=/sbin/udev path=/dev/vcs1 dev=ramfs
> ino=3133 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:ramfs_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087679.590:0): avc: denied
> { getattr } for pid=1497 exe=/sbin/udev path=/dev/hda dev=ramfs
> ino=1582 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:unlabeled_t tclass=blk_file
> Aug 21 11:28:46 fedora kernel: audit(1093087679.590:0): avc: denied
> { setattr } for pid=1497 exe=/sbin/udev name=hda dev=ramfs ino=1582
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:unlabeled_t tclass=blk_file
> Aug 21 11:28:46 fedora kernel: audit(1093087682.418:0): avc: denied
> { remove_name } for pid=1637 exe=/sbin/minilogd name=log dev=ramfs
> ino=2057 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087682.418:0): avc: denied
> { unlink } for pid=1637 exe=/sbin/minilogd name=log dev=ramfs
> ino=2057 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087683.376:0): avc: denied
> { read write } for pid=1836 exe=/bin/dmesg path=/dev/console
> dev=ramfs ino=847 scontext=system_u:system_r:dmesg_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087683.406:0): avc: denied
> { mounton } for pid=1837 exe=/bin/mount path=/dev/pts dev=ramfs
> ino=850 scontext=system_u:system_r:mount_t
> tcontext=system_u:object_r:unlabeled_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087683.700:0): avc: denied
> { read write } for pid=1849 exe=/sbin/hwclock path=/dev/console
> dev=ramfs ino=847 scontext=system_u:system_r:hwclock_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087683.701:0): avc: denied
> { search } for pid=1849 exe=/sbin/hwclock dev=ramfs ino=846
> scontext=system_u:system_r:hwclock_t
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087683.701:0): avc: denied
> { ioctl } for pid=1849 exe=/sbin/hwclock path=/dev/rtc dev=ramfs
> ino=941 scontext=system_u:system_r:hwclock_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: ACPI: Power Button (FF) [PWRF]
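The mdmpd, initscripts/kernel and microcode posts above and the .525 dump just quoted all need the same first step: re-joining the wrapped syslog lines, pulling out the permissions, source and target types and class, and deciding whether a denial calls for a policy rule or for fixing labels. The script below is an added example (not code from the list, and not the SELinux project's audit2allow); the sample log is constructed from messages quoted on this page, re-wrapped and '> '-quoted exactly as they appear. Denials whose target is unlabeled_t are set aside as labeling problems instead of being turned into allow rules, which is what the dev=ramfs entries in the .525 list look like: an object with no valid label is not fixed by an allow rule.

```python
"""Triage wrapped AVC denial messages from syslog.

Added example, not a tool from the list or from the SELinux project.
SAMPLE_LOG is constructed from messages quoted on this page, wrapped and
'> '-quoted the way they appear in the mail.
"""
import re

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ")
QUOTE_PREFIX = re.compile(r"^>\s?")
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*denied\s*"
    r"\{\s*(?P<perms>[^}]*)\}\s*for\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_LOG = """\
Aug 23 08:20:32 fedora kernel: audit(1093274432.627:0): avc: denied {
write }
for pid=2901 exe=/sbin/mdmpd name=mdstat dev=proc ino=-268435099
scontext=system_u:system_r:mdadm_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 21 13:31:15 fedora kernel: audit(1093120250.606:0): avc: denied {
read } for pid=1558 exe=/sbin/microcode_ctl name=microcode dev=hda2
ino=2689367 scontext=system_u:system_r:cpucontrol_t
tcontext=system_u:object_r:device_t tclass=lnk_file
Aug 21 13:31:15 fedora kernel: microcode: No new microdata for cpu 0
> Aug 21 11:28:46 fedora kernel: audit(1093087655.962:0): avc: denied
> { read write } for pid=1 exe=/sbin/init path=/dev/console dev=ramfs
> ino=847 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc: denied
> { write } for pid=1 exe=/sbin/init dev=ramfs ino=846
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc: denied
> { add_name } for pid=1 exe=/sbin/init name=initctl
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t
> tclass=dir
"""


def iter_records(text):
    """Re-join syslog records that were wrapped onto several lines and
    drop mail-style '> ' quoting. A record starts at a line beginning
    with a syslog timestamp; any other non-empty line continues it."""
    record = None
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if not line:
            continue
        if SYSLOG_START.match(line):
            if record is not None:
                yield record
            record = line
        elif record is not None:
            record += " " + line
    if record is not None:
        yield record


def parse_avc(record):
    """Return the key=value fields of one AVC denial plus a 'perms'
    frozenset, or None if the record is not a complete denial."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    fields["perms"] = frozenset(m.group("perms").split())
    fields["serial"] = m.group("serial")
    return fields


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def triage(text):
    """Split denials into audit2allow-style candidate rules (to be read
    against the .te file, not applied blindly) and a relabel list for
    targets that carry no valid label (unlabeled_t)."""
    allow, relabel = {}, []
    for record in iter_records(text):
        avc = parse_avc(record)
        if avc is None:
            continue
        stype, ttype = type_of(avc["scontext"]), type_of(avc["tcontext"])
        if ttype == "unlabeled_t":
            relabel.append((avc.get("exe"),
                            avc.get("path") or avc.get("name"),
                            avc["tclass"]))
            continue
        allow.setdefault((stype, ttype, avc["tclass"]), set()).update(avc["perms"])
    rules = sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                   for (s, t, c), p in allow.items())
    return {"allow": rules, "relabel": relabel}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("\n".join(result["allow"]))
    for exe, obj, cls in result["relabel"]:
        print(f"relabel: {exe} -> {obj} ({cls}) target is unlabeled_t")
```

The candidate allow lines are starting points to compare with the domain's .te file (for the microcode case, the 'allow cpucontrol_t device_t:lnk_file { read };' line Tom asks about falls out directly); the relabel bucket lists exe, object and class so the labeling problem can be chased instead of papered over with a rule.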
Testing cron script
by Bill McCarty
Hi all,
How do folks like to test system Cron scripts, which run in the context
system_u:system_r:system_crond_t? The system administrator can't simply
invoke them using runcon:
runcon system_u:system_r:system_crond_t /etc/cron.hourly/test.cron
because the usual policies don't permit transitions from sysadm_t to
system_crond_t.
And, modifying the policy to permit such a transition seems to entail
authorizing too many permissions, at least for my taste.
I've tried running test scripts out of /etc/crontab, but I find that I
waste a lot of time waiting for Cron to wake up and launch my test script.
I've also tried running scripts, and test scripts, out of root's crontab,
by using crontab -e. But, doing so entails extending permissions to
crond_t, and I seem to end up in pretty much the same predicament.
What am I missing?
Cheers,
--
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University
new to Fedora
by Jean Létourneau
Good day all,
It's been a long time since I used any Linux; the last was Slackware
2.3. Anyway, I found humongous changes, well
done to all developers. This question is about several ports: 21 (FTP), 25
(SMTP) and 110 (POP). Did I miss something
while I was away? None of them work from the network; port 25 works from the
Fedora machine but not from any others. Yes, Postfix is installed. Sendmail and
SpamAssassin are also installed and running. I am running NO firewall for
this testing. I am trying to figure out what the command is to install the
POP and FTP server. From the GUI server settings, there is no MAIL or
FTP... At Add/Remove Applications I did install all services. DOVECOT
is installed and the IMAP is working, but no POP...
Can anyone shed some light on this???
Thanks,
Jean
new Fedora user asks help
by Pietro R.A. Binetti
Hello everyone,
I am a new user of Fedora Core 2, and a newer user of Linux-like OSes as well.
2 days ago I installed Fedora on my notebook: Acer Travel Mate 212T.
I already have some problems that I can't solve:
1) Can't change the screen resolution
When I installed the OS, my screen wasn't recognized, so I chose
"generic LCD monitor" with a resolution of 800x600.
Once installed, I changed my mind and wanted to switch to 1024x768
(supported by my hardware, for sure).
To do that, I opened the Display window from the System Settings menu icon.
Here I configured a generic LCD panel with 1024x768 resolution from the
Hardware folder and rebooted the PC. Then, in the Display window I had
the possibility to choose the wanted resolution. Doing that and
rebooting, I can see 1024x768 as the selected screen resolution, but
looking at the screen, things haven't changed: I always have the old
800x600.
What should I do?
2) Touch pad
The touch pad of my PC is working correctly, even if the click must be
done by pressing the left button and can't be done with a "touch". I
can't find where I can configure or change the settings of my touch pad.
Can I?
Thanks in advance for your help.
Regards,
Pietro