[Fwd: [Fedora8] SElinux bug]
by max
Found on fedora list.
-------- Original Message --------
Subject: [Fedora8] SElinux bug
Date: Thu, 12 Jun 2008 15:58:58 +0100
From: hicham <hichamlinux(a)gmail.com>
Reply-To: For users of Fedora <fedora-list(a)redhat.com>
To: For users of Fedora <fedora-list(a)redhat.com>
Hello
I had a "freeze" this morning, where I could not shut down the X server or
the laptop properly. Looking at /var/log/messages,
I found what I suspect is an SELinux bug:
Jun 12 12:19:00 laptop kernel: SELinux: out of range capability -555425744
Jun 12 12:19:00 laptop kernel: ------------[ cut here ]------------
Jun 12 12:19:00 laptop kernel: kernel BUG at security/selinux/hooks.c:1332!
Jun 12 12:19:00 laptop kernel: invalid opcode: 0000 [#1] SMP
Jun 12 12:19:00 laptop kernel: Modules linked in: iptable_nat xt_limit xt_tcpudp iptable_mangle ipt_LOG ipt_MASQUERADE nf_nat xt_DSCP ipt_REJECT nf_conntrack_irc nf_conntrack_ftp nf_conntrack_ipv4 xt_state nf_conntrack iptable_filter ip_tables x_tables pppoatm pppoe pppox ppp_synctty ppp_async ppp_generic slhc appletalk ipx p8023 ipv6 cpufreq_ondemand acpi_cpufreq vfat fat dm_mirror dm_multipath dm_mod parport_pc smsc_ircc2 parport irda crc_ccitt pcspkr floppy serio_raw snd_intel8x0 snd_seq_dummy snd_seq_oss video snd_seq_midi_event snd_seq output snd_seq_device snd_intel8x0m fglrx(P)(U) snd_ac97_codec snd_pcm_oss ac97_bus tg3 snd_mixer_oss snd_pcm wmi snd_timer battery snd ac soundcore snd_page_alloc button iTCO_wdt i2c_i801 i2c_core iTCO_vendor_support joydev speedtch usbatm sr_mod cdrom atm sg pata_acpi ata_generic ata_piix libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd [last unloaded: microcode]
Jun 12 12:19:00 laptop kernel:
Jun 12 12:19:00 laptop kernel: Pid: 2036, comm: X Tainted: P (2.6.25.4-10.fc8 #1)
Jun 12 12:19:00 laptop kernel: EIP: 0060:[<c04cd270>] EFLAGS: 00213246 CPU: 0
Jun 12 12:19:00 laptop kernel: EIP is at task_has_capability+0x46/0x79
Jun 12 12:19:00 laptop kernel: EAX: 00000030 EBX: dee4e030 ECX: c07195e4 EDX: 00000000
Jun 12 12:19:00 laptop kernel: ESI: df191740 EDI: df18deb0 EBP: df18debc ESP: df18de6c
Jun 12 12:19:00 laptop kernel: DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Jun 12 12:19:00 laptop kernel: Process X (pid: 2036, ti=df18d000 task=df160000 task.ti=df18d000)
Jun 12 12:19:00 laptop kernel: Stack: c06d7792 dee4e030 df160000 00000003 df160000 dee4e030 00000000 00000000
Jun 12 12:19:00 laptop kernel: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Jun 12 12:19:00 laptop kernel: 00000000 dee4e030 df160000 df148000 df18decc c04cd2c2 df160000 e0d000c0
Jun 12 12:19:00 laptop kernel: Call Trace:
Jun 12 12:19:00 laptop kernel: [<c04cd2c2>] ? selinux_capable+0x1f/0x23
Jun 12 12:19:00 laptop kernel: [<c04c9685>] ? security_capable+0xc/0xe
Jun 12 12:19:00 laptop kernel: [<c042c9ff>] ? __capable+0xb/0x1f
Jun 12 12:19:00 laptop kernel: [<e0bf5050>] ? firegl_cmmqs_CWDDE32+0x0/0x110 [fglrx]
Jun 12 12:19:00 laptop kernel: [<c042ca23>] ? capable+0x10/0x12
Jun 12 12:19:00 laptop kernel: [<e0bda477>] ? firegl_ioctl+0xe7/0x220 [fglrx]
Jun 12 12:19:00 laptop kernel: [<c0439d7f>] ? ktime_get_ts+0x45/0x49
Jun 12 12:19:00 laptop kernel: [<c0439d96>] ? ktime_get+0x13/0x2f
Jun 12 12:19:00 laptop kernel: [<e0bcfc66>] ? ip_firegl_ioctl+0xe/0x10 [fglrx]
Jun 12 12:19:00 laptop kernel: [<c048acfa>] ? vfs_ioctl+0x4e/0x67
Jun 12 12:19:00 laptop kernel: [<c048af75>] ? do_vfs_ioctl+0x262/0x279
Jun 12 12:19:00 laptop kernel: [<c04d016e>] ? selinux_file_ioctl+0xa8/0xab
Jun 12 12:19:00 laptop kernel: [<c048afcc>] ? sys_ioctl+0x40/0x5c
Jun 12 12:19:00 laptop kernel: [<c0405b7a>] ? syscall_call+0x7/0xb
Jun 12 12:19:00 laptop kernel: =======================
Jun 12 12:19:00 laptop kernel: Code: 05 00 00 89 d0 f3 ab 8b 4d b8 89 d8 b2 04 c1 f8 05 c6 45 bc 03 89 5d c4 89 4d c0 74 19 48 74 11 53 68 92 77 6d c0 e8 fd 9e f5 ff <0f> 0b 58 5a eb fe ba 45 00 00 00 8b 46 08 83 e3 1f 0f b7 f2 8d
Jun 12 12:19:00 laptop kernel: EIP: [<c04cd270>] task_has_capability+0x46/0x79 SS:ESP 0068:df18de6c
Jun 12 12:19:00 laptop kernel: ---[ end trace fd35f97fc34637fa ]---
Jun 12 12:19:00 laptop kernel: [fglrx:firegl_release] *ERROR* device busy: 1 0
Jun 12 12:19:00 laptop kernel: [fglrx] release failed with code -EBUSY
--
fedora-list mailing list
fedora-list(a)redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
--
An unwillingness to embarrass oneself makes learning more difficult
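The trace above shows capable() being reached from fglrx's ioctl handler with a value that SELinux logged as an out-of-range capability, on a kernel marked Tainted: P by that proprietary module. Before treating this as an SELinux bug, the first thing to establish from any oops is which module's frames sit on the path to the BUG. The shell function below is an added example, not part of the forwarded mail: it pulls the taint flags, the BUG site, the rejected capability value and a per-module count of call-trace frames out of syslog text. The sample input is constructed from the trace in the message, trimmed to the lines the function looks at.

```shell
#!/bin/sh
# Added example (not from the forwarded mail): attribute a kernel oops to the
# module whose frames lead to the BUG, so a "SELinux" crash report can be
# checked against the tainted driver first.
# Usage: oops_blame < /var/log/messages-excerpt

# Constructed sample: the trace from the message above, trimmed to the lines
# the function looks at.
SAMPLE_OOPS='Jun 12 12:19:00 laptop kernel: SELinux: out of range capability -555425744
Jun 12 12:19:00 laptop kernel: kernel BUG at security/selinux/hooks.c:1332!
Jun 12 12:19:00 laptop kernel: Pid: 2036, comm: X Tainted: P (2.6.25.4-10.fc8 #1)
Jun 12 12:19:00 laptop kernel: EIP is at task_has_capability+0x46/0x79
Jun 12 12:19:00 laptop kernel: Call Trace:
Jun 12 12:19:00 laptop kernel: [<c04cd2c2>] ? selinux_capable+0x1f/0x23
Jun 12 12:19:00 laptop kernel: [<c04c9685>] ? security_capable+0xc/0xe
Jun 12 12:19:00 laptop kernel: [<c042c9ff>] ? __capable+0xb/0x1f
Jun 12 12:19:00 laptop kernel: [<e0bf5050>] ? firegl_cmmqs_CWDDE32+0x0/0x110 [fglrx]
Jun 12 12:19:00 laptop kernel: [<c042ca23>] ? capable+0x10/0x12
Jun 12 12:19:00 laptop kernel: [<e0bda477>] ? firegl_ioctl+0xe7/0x220 [fglrx]
Jun 12 12:19:00 laptop kernel: [<e0bcfc66>] ? ip_firegl_ioctl+0xe/0x10 [fglrx]
Jun 12 12:19:00 laptop kernel: [<c048acfa>] ? vfs_ioctl+0x4e/0x67
Jun 12 12:19:00 laptop kernel: [<c048afcc>] ? sys_ioctl+0x40/0x5c'

# oops_blame: stdin = syslog lines of one oops; stdout = "key value" findings:
#   bad_cap N      the capability number SELinux rejected
#   bug_site FILE  the BUG location (file:line)
#   taint FLAGS    kernel taint flags (P = proprietary module loaded)
#   module M N     N call-trace frames belong to module M
oops_blame() {
    awk '
        /out of range capability/ { print "bad_cap " $NF }
        /kernel BUG at/ {
            for (i = 1; i <= NF; i++)
                if ($i == "at") { s = $(i + 1); sub(/!$/, "", s); print "bug_site " s }
        }
        /Tainted:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Tainted:") print "taint " $(i + 1)
        }
        # A frame ending in "[name]" lives in module "name"; core kernel frames do not.
        /\[<[0-9a-f]+>\]/ && match($0, /\[[A-Za-z0-9_-]+\]$/) {
            count[substr($0, RSTART + 1, RLENGTH - 2)]++
        }
        END { for (m in count) print "module " m " " count[m] }
    '
}

# Run the function over the constructed sample.
oops_blame_sample() { printf '%s\n' "$SAMPLE_OOPS" | oops_blame; }

oops_blame_sample
```

On the sample this reports taint P, the BUG site in security/selinux/hooks.c, the rejected value -555425744, and fglrx as the only module with frames in the trace, which is where a bug report about this crash belongs before it goes to the SELinux list.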
Re: SELinux References/Books
by max
On Thu, Jun 12, 2008 at 8:31 AM, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
>
> On Wed, 2008-06-11 at 18:28 -0400, max wrote:
>> Stephen Smalley wrote:
>> > On Wed, 2008-06-11 at 15:53 -0400, max wrote:
>> >> I would prefer to get a desktop reference rather than having to refer
>> >> to online documents or the hardcopies of individual papers I have
>> >> printed off, many of which are also dated. In any case I feel like I
>> >> have learned enough that I can open a book on the subject of SELinux and
>> >> not get completely lost. It looks like I have basically two options :
>> >>
>> >> SELinux by Example: Using Security Enhanced Linux (Prentice Hall Open
>> >> Source Software Development Series) by Frank Mayer, Karl MacMillan, and
>> >> David Caplan (Paperback - Aug 6, 2006)
>> >>
>> >> SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty
>> >> (Paperback - Oct 11, 2004) - Illustrated
>> >>
>> >> The first is more recent so I am leaning that way but I have seen
>> >> opinions that suggest even it is way out of date. I don't mind spending
>> >> money on a good book, reading is one of my favorite pastimes, but I
>> >> don't want anything so dated that it won't serve as a decent reference
>> >> for the near future (next year or so). I understand nothing is going to
>> >> be up to the minute. Should I purchase one? or are they too out of date
>> >> to even serve as good references? This is definitely something I am
>> >> interested in learning about or I wouldn't bother to ask. Suggestions
>> >> and advice from all corners of reality welcome.
>> >
>> > What kind of information are you looking for?
>> >
>> > The first, more recent, book includes discussion of reference policy and
>> > policy modules and thus is relatively consistent with what you find in
>> > modern SELinux, although newer developments like system-config-selinux,
>> > setroubleshoot, etc naturally don't appear in it. It was written during
>> > the development of Fedora Core 5, which marked the transition of SELinux
>> > from the old way (example policy, monolithic policy) to the new way
>> > (reference policy, modular policy, semanage).
>> >
>>
>> Well I'd like to learn it all but I think a practical approach would
>> mean learning to write policy first, since that is a skill I could put
>> to use now. I don't expect it will be easy but that's ok, I have some
>> time right now and I'd like to learn the policy language. If the first
>> book covers this then I will get it. Is there a better reference for
>> aspiring policy writers? I don't care about the gui tools so much, not
>> that they aren't useful but I prefer to do most things myself and not
>> automate it since this brings me less understanding.
>
> Yes, the first book covers the policy language and provides an
> introduction to writing a policy module, although specific interfaces
> and patterns are always evolving in the reference policy.
> oss.tresys.com/projects/refpolicy is a good resource for detailed
> refpolicy documentation, and the interface documentation is also locally
> installed on your system under /usr/share/doc/selinux-policy-x.y.z/html.
>
> I don't know of a better reference at present, although it seems like we
> are overdue for an updated edition of it, which could be significantly
> simplified by dropping all discussion of Fedora Core 3 and 4 conventions
> and focusing more specifically on how things are done now, although it
> no doubt would retain some of the older information for RHEL 4 users.
>
> --
> Stephen Smalley
> National Security Agency
>
>
Yes a more up to date reference would be nice but SELinux by Example
will do for starters. I went ahead and had the local bookstore order
it in so I could flip through it before I buy it but it seems
inevitable that I will make this purchase no matter what. One thing
that I notice a lot of people trying to do with computers in general
is memorize things. A bad idea I think, people want quick answers but
without an understanding of the underlying system it just creates more
confusion and ultimately leads to bigger blunders. Ego of course also
gets in the way, nobody wants to look stupid so often questions go
unasked, I am working on abandoning that notion as it seems to be one
of the biggest barriers to learning, though a modicum of judgment is
still required, but I don't know if that can be taught; you just have to
learn it over time. Getting to know the system is of course going to
require some real focus but I think in the long run it makes for a
better understanding, even if it means it takes twice (or more) as
long to get to my goal. One of the real barriers to understanding and
acceptance is good, consistent documentation that people can turn to,
advancement shouldn't get frozen for the sake of publishing a book but
if the basics are solid and unlikely to change too much then I think
it's time for an up-to-date reference. If you want a newcomer's
perspective I personally would be happy to provide it but also don't
forget the mailing lists. I am sure I am not the only one trying to
learn this and looking for a good guide. Posting bits to the various
selinux related lists for feedback from the experienced and
inexperienced users would certainly help as far as coverage and
readability are concerned. Another thing I can think of, though I
don't know how feasible it is, is the notion of a moderated thread. I
like my mailing lists unmoderated but say for instance you want to
post a how to or work on one. The thread would be restricted to one or
more persons posting to it until they are finished working out
whatever it is and then opened for comments. There may be many factors
here that I am unaware of or that simply aren't occurring to me right
now. I can't be the first person to have such an idea and it will of
course be pointed out that live journals work much the same but here
my point is the scope of the audience that you are reaching on a
mailing list vs. an individual blog of which there are hundreds of
thousands if not millions. Also it would help by adding more
transparency to the process. I am no expert on mailing lists or email
servers but I thought it might be worth floating the idea anyway. The
other thing I noticed, while at the bookstore, is that various/most of
the Linux magazines on the shelf right now have articles on security
in them and one, I forget which, has a piece on SELinux. It seems it's
a hot topic everywhere I look. C-SPAN aired a rerun, from yesterday I
think, of a hearing on computer spyware. I think congressmen
Nelson(florida) and Pryor(?) were running the show. One of them maybe
a senator but anyway there is apparently some legislation on the
horizon. They had a couple of reps from various places there,
including a guy from Symantec. I didn't watch the whole thing but in
what I saw nobody mentioned the real problem. As far as I am concerned
the "real" problem is having the widespread use of an operating system
that makes things like drive by downloads so easy in the first place,
where most of the security rests with a program(anti virus) that
relies almost exclusively on updates but that is another debate and
probably not one worth having anyway. Unfortunately it will probably
take a major virus outbreak, on a scale we have yet to see, or a
massive, widespread, and very public breach of security to wake people
up. I will go ahead and shutdown here, my real point is that it seems
people are starting to pay a lot more attention :^). Thanks for the
feedback.
Max
--
I am altering the deal. Pray I do not alter it any further. --Darth Vader
[MLS Policy]:- MLS policy enforcing mode problem when manually restarting the system services.
by prakash hallalli
HI ALL
I have configured SELinux on CentOS 5.1. I have configured RBAC using the
MLS (Multilevel Security) policy in enforcing mode. I am trying to
restart the system services and they are not restarting; it is throwing
an error message.
Steps to reproduce:
1 ) MLS Policy configuration.
1. Install selinux-policy-mls
2. Set SELINUXTYPE=MLS in /etc/selinux/config file
3. touch ./autorelabel in root's home directory, and reboot the machine.
4. While machine is rebooting, change the GRUB parameter.
enforcing=0
2) Now system is in permissive mode and SELinux status is as follows.
[root@turtle11 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: mls
3) Restart the system services and they restart successfully.
[root@turtle11 ~]# service nfs restart
Shutting down NFS mountd: [ OK ]
Shutting down NFS daemon: [ OK ]
Shutting down NFS quotas: [ OK ]
Shutting down NFS services: [ OK ]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
3) Now I am setting enforcing mode using the setenforce command.
root@turtle11 ~]#setenforce 1
root@turtle11 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: mls
4) a) Now the system is in enforcing mode and I am trying to restart a system
service. The restart results in an error message.
[root@turtle11 ~]# service nfs restart
nfs: unrecognized service
[root@turtle11 ~]# run_init /etc/init.d/nfs restart
Authenticating root.
Password: XXXXXX
run_init: incorrect password for root
authentication failed.
[root@turtle11 ~]#
[root@turtle11 ~]# run_init /etc/init.d/ldap restart
Authenticating root.
Password: XXXXXX
run_init: incorrect password for root
authentication failed.
5) I am using sysadm_r
[root@turtle11 ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh
[root@turtle11 ~]#
6) These are the /sbin/ausearch log messages I am getting.
[root@turtle11 ~]#/sbin/ausearch -i -m AVC -sv no
type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64 syscall=recvfrom success=no exit=-13(Permission denied) a0=5 a1=7fff60825b40 a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=dhcpd exe=/usr/sbin/dhcpd subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied { read } for pid=3103 comm=dhcpd lport=1 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket
Please help me. What is going on?
Thanks
Prakash.
selinux and httpd don't start on boot - message error EAI9
by Carlos Chavez
Hello everyone.
The HTTP server doesn't start on boot; it sends roughly the following message.
It was difficult to copy because it showed only during the startup process, and
there are no messages in any log file.
Message: Address Family for Hostname not supported: (EAI 9) alloc_listener failed to setup sockaddr for 127.0.0.1.
That is the message, more or less.
This happens when I set the option Listen 127.0.0.1:80; when I start the
httpd server manually it starts successfully, but not on boot.
It also says there is a syntax error on the line with the Listen directive,
but if I run the syntax check, httpd says the syntax is OK.
I'm using fedora 9 with the latest updates.
selinux 3.3.1-55
httpd 2.2.8-3
kernel 2.6.25.3-18
--
Cheers.
Carlos Chávez
Problems with DNS logging
by Dan Thurman
I discovered that my logging somewhat failed:
1) I tried to use the link provided to submit a bugzilla and
apparently it brought up bluefish, and within it asks for my
account name and password. I tried to save this file
but in doing so it failed to back up the file, so I clicked "continue"
and it froze up. What am I doing wrong?
2) The specific selinux error is as follows:
=============================================
Summary:
SELinux is preventing named (named_t) "write" to ./named (named_conf_t).
Detailed Description:
SELinux denied access requested by named. It is not expected that this access is required by named and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./named,
restorecon -v './named'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                ./named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           bind-9.5.0-27.rc1.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-109.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.25.4-10.fc8 #1 SMP Thu May 22 23:34:09 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Tue 10 Jun 2008 07:38:58 AM PDT
Last Seen                     Tue 10 Jun 2008 07:52:54 AM PDT
Local ID                      616a532f-b429-435d-bf97-e1d8427cc638
Line Numbers
Raw Audit Messages
host=gold.cdkkt.com type=AVC msg=audit(1213109574.740:334): avc: denied { write } for pid=10160 comm="named" name="named" dev=sdb5 ino=2622969 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
host=gold.cdkkt.com type=SYSCALL msg=audit(1213109574.740:334): arch=40000003 syscall=38 success=no exit=-13 a0=b543b4e8 a1=b7ea5ad2 a2=470214 a3=b7ea5ad2 items=0 ppid=10158 pid=10160 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=1 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
Thanks!
Dan
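Both this post and the earlier MLS post carry AVC records: a raw audit.log line here (named_t writing into a named_conf_t directory) and the ausearch -i form there (dhcpd running as sysadm_t, that is, still in the admin's shell domain rather than its own daemon domain, which is exactly the situation run_init exists to prevent). The script below is an added example, not from either post and not the setroubleshoot or audit2allow tools themselves: it parses both record formats into the allow rule audit2allow would propose, spells the same-type case as self, and prints a hint in the one case where the setroubleshoot text above is right that a rule is the wrong answer and restorecon should come first. The heuristic behind that hint is mine, not policy knowledge, and the two sample records are the ones quoted on this page, embedded as constructed test input.

```shell
#!/bin/sh
# Added example, not from the original posts: turn AVC denial records into the
# allow rule audit2allow would propose, and flag the case where a rule is the
# wrong fix. Handles both raw audit.log lines and the "ausearch -i" form.
# Usage: avc_to_rules < /var/log/audit/audit.log

# Constructed sample: the two records quoted on this page (named post, dhcpd post).
SAMPLE_AVC='type=AVC msg=audit(1213109574.740:334): avc: denied { write } for pid=10160 comm="named" name="named" dev=sdb5 ino=2622969 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied { read } for pid=3103 comm=dhcpd lport=1 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket'

# avc_to_rules: stdin = audit records, stdout = one "allow" line per denial,
# preceded by a "# hint:" line when the denial smells like a labeling problem.
avc_to_rules() {
    awk '
        /avc: +denied +[{]/ {
            # permissions are the words between "{" and "}"
            perms = $0
            sub(/.*denied +[{] */, "", perms)
            sub(/ *[}].*/, "", perms)
            st = ""; tt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                # third colon-separated field of a context is the type
                if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); st = a[3] }
                else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            # Heuristic, not policy knowledge: a daemon writing into its own
            # *_conf_t directory usually means the directory or file is
            # mislabeled (the setroubleshoot text says the same: try restorecon
            # first), so adding the rule would hide the real problem.
            if ((cls == "dir" || cls == "file") && tt ~ /_conf_t$/ && perms ~ /write|create|add_name/)
                printf "# hint: %s writing to %s; check labels with ls -Z / restorecon before allowing\n", st, tt
            # Policy spells "same type as the subject" as self.
            tgt = (st == tt) ? "self" : tt
            printf "allow %s %s:%s { %s };\n", st, tgt, cls, perms
        }
    '
}

# Run the parser over the constructed sample.
avc_rules_sample() { printf '%s\n' "$SAMPLE_AVC" | avc_to_rules; }

avc_rules_sample
```

The second rule it prints, allow sysadm_t self:rawip_socket { read };, is a good illustration of why reading the context matters more than the rule: it would widen the administrator's own domain, when the actual problem in that post is that dhcpd never left it.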
SELinux References/Books
by max
I would prefer to get a desktop reference rather than having to refer
to online documents or the hardcopies of individual papers I have
printed off, many of which are also dated. In any case I feel like I
have learned enough that I can open a book on the subject of SELinux and
not get completely lost. It looks like I have basically two options :
SELinux by Example: Using Security Enhanced Linux (Prentice Hall Open
Source Software Development Series) by Frank Mayer, Karl MacMillan, and
David Caplan (Paperback - Aug 6, 2006)
SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty
(Paperback - Oct 11, 2004) - Illustrated
The first is more recent so I am leaning that way but I have seen
opinions that suggest even it is way out of date. I don't mind spending
money on a good book, reading is one of my favorite pastimes, but I
don't want anything so dated that it won't serve as a decent reference
for the near future (next year or so). I understand nothing is going to
be up to the minute. Should I purchase one? or are they too out of date
to even serve as good references? This is definitely something I am
interested in learning about or I wouldn't bother to ask. Suggestions
and advice from all corners of reality welcome.
Max
--
An unwillingness to embarrass oneself makes learning more difficult
[MLS Policy]:- MLS policy problem when manually restarting the servers.
by prakash hallalli
Hi All
I have configured SELinux on CentOS 5.1. I have configured RBAC using the
MLS (Multilevel Security) policy.
Now I am trying to restart the system services and they are not restarting;
it is throwing an error message.
I have a question here: with the MLS policy enabled, will I be able to restart
the system services? If yes, what do I do, and if no, what is the reason?
Steps to reproduce:
1) MLS Policy configuration.
1. Install selinux-policy-mls
2. Set SELINUXTYPE=MLS in /etc/selinux/config file
3. touch ./autorelabel in root's home directory, and reboot the machine.
4. While machine is rebooting, change the GRUB parameter.
enforcing=0
2) Now system is in permissive mode and SELinux status is as follows.
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
policy from config file: mls
3) Restart the system services and they restart successfully.
[root@turtle11 ~]# service nfs restart
Shutting down NFS mountd: [FAILED]
Shutting down NFS daemon: [FAILED]
Shutting down NFS quotas: [FAILED]
Shutting down NFS services: [FAILED]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
4) Now I am setting enforcing mode using the setenforce command.
root@turtle11 ~]#setenforce 1
root@turtle11 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: mls
5) a) Now the system is in enforcing mode and I am trying to restart a system
service. The restart results in an error message.
root@turtle11 ~]#service nfs restart
/sbin/consoletype: error while loading shared libraries: libc.so.6: cannot
open shared object file: No such file or directory
/sbin/consoletype: error while loading shared libraries: libc.so.6: cannot
open shared object file: No such file or directory
nfs: unrecognized service
b) When I try to log in it shows the following error.
turtle login: smbldap3
/bin/login:error while loading shared libraries: libcrypt.so.1:failed to map
segment from shared object: Permission denied
/sbin/mingetty: error while loading shared libraries: libc.so.6: failed to
map segment from shared object: Permission denied
c) When using the su command:
root@turtle11 ~]# su smbldap3
su: error while loading shared libraries: libpam.so.0: failed to map segment
from shared object: Permission denied
I am not sure what is going on. I referred to many websites and PDFs but
couldn't find a proper solution.
Please help me.
Thanks
Prakash.
[ccosta@gmail.com: Re: [PHP] Problems connecting (from php to pg)]
by Jeff MacDonald
Greetings,
I felt this would be of interest to the selinux list, so I am forwarding it
along.
Regards,
jam
----- Forwarded message from Carlos Costa <ccosta(a)gmail.com> -----
Date: Mon, 9 Jun 2008 22:50:15 +0200
From: Carlos Costa <ccosta(a)gmail.com>
To: Daniel Alejandro <dcarreroc(a)gmail.com>
Cc: pgsql-php(a)postgresql.org
Subject: Re: [PHP] Problems connecting (from php to pg)
Thank you, Daniel and all. My problem was not related to pg, but to
selinux. I disabled selinux, and all runs fine now.
On Mon, Jun 9, 2008 at 10:17 PM, Daniel Alejandro <dcarreroc(a)gmail.com> wrote:
> 2008/6/7 Carlos Costa <ccosta(a)gmail.com>:
>> Hello all,
>>
>> I've the "standard connection error":
>>
>> Unable to connect to PostgreSQL server: could not connect to server:
>> Permission denied.
>> Is the server running on host "localhost" and accepting TCP/IP
>> connections on port 5432?
>>
>> The system is, yes, running and -I think- accepting TCP/IP connections
>> (I've tested this with netstat, I can connect to it with psql -h
>> localhost, and so).
>>
>> In the server where I am testing this I have FC7 installed, so the php
>> and the pgsql-php packages are:
>>
>> PHP Version 5.2.6
>> PostgreSQL(libpq) Version 8.2.7
>>
>> I think that there is a problem in the pgsql-php module. I've created
>> an ssh tunnel, and am trying the connection to the same database from
>> another server (with PHP Version 5.2.5-3 and pgsql that supports
>> postgresql 8.3.0).
>>
>> The postgresql version in the server is the 8.3.0.
>>
>> What can we do? I am doing these tests with a simple php code (just a
>> pg_connect()).
>>
>> Thanks in advance,
>> Carlos.
>>
>> --
>> Sent via pgsql-php mailing list (pgsql-php(a)postgresql.org)
>> To make changes to your subscription:
>> http://www.postgresql.org/mailpref/pgsql-php
>>
> Did you check your pg_hba.conf file ???
>
> Bye :)
> --
> Daniel Carrero Canales
>
----- End forwarded message -----
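The resolution in the forwarded thread was to disable SELinux. A "Permission denied" on a localhost connect from PHP under the targeted policy is typically httpd_t being refused a TCP connect to the database port, and Fedora's policy gates that with a boolean, so the narrow fix is a setsebool, not setenforce 0. The script below is an added example, not from the thread: given getsebool -a output, it prints the command still needed, preferring httpd_can_network_connect_db and falling back to the broad httpd_can_network_connect only when the loaded policy lacks the narrow boolean, and says what the broad one opens. The two getsebool samples are constructed; confirm the boolean names on the real system with getsebool -a | grep httpd.

```shell
#!/bin/sh
# Added example (not from the forwarded mail): the targeted fix for "PHP cannot
# connect to PostgreSQL" under SELinux is a boolean, not setenforce 0.
# Given "getsebool -a" output on stdin, print the setsebool command still needed.
# Boolean names are the ones Fedora's targeted policy uses; confirm them on the
# target with "getsebool -a | grep httpd" before relying on this.
# Usage: getsebool -a | httpd_db_fix

# Constructed samples of "getsebool -a" output: an older policy without the
# narrow _db boolean, and a newer one that has it.
SAMPLE_GETSEBOOL_OLD='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_enable_cgi --> on'

SAMPLE_GETSEBOOL_NEW='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on'

# bool_state NAME : reads getsebool output on stdin, prints on / off / missing
bool_state() {
    awk -v want="$1" '
        $1 == want && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "missing" }
    '
}

# httpd_db_fix : stdin = getsebool -a output, stdout = commands (and # comments)
httpd_db_fix() {
    input=$(cat)
    narrow=$(printf '%s\n' "$input" | bool_state httpd_can_network_connect_db)
    broad=$(printf '%s\n' "$input" | bool_state httpd_can_network_connect)
    case "$narrow" in
        on)  echo "# httpd_can_network_connect_db already on; read the AVC, the boolean is not the problem" ;;
        off) echo "setsebool -P httpd_can_network_connect_db on" ;;
        missing)
            # Older policy: only the broad boolean exists. It permits all
            # outbound TCP from httpd_t, so say so instead of silently widening.
            case "$broad" in
                on)  echo "# httpd_can_network_connect already on; read the AVC, the boolean is not the problem" ;;
                off) echo "# no _db boolean in this policy; the broad boolean allows ALL outbound connections from httpd_t"
                     echo "setsebool -P httpd_can_network_connect on" ;;
                *)   echo "# neither httpd network boolean found; is the targeted policy loaded?" ;;
            esac
            ;;
    esac
}

# Run against both constructed samples.
httpd_db_fix_old() { printf '%s\n' "$SAMPLE_GETSEBOOL_OLD" | httpd_db_fix; }
httpd_db_fix_new() { printf '%s\n' "$SAMPLE_GETSEBOOL_NEW" | httpd_db_fix; }

httpd_db_fix_old
httpd_db_fix_new
```

The -P flag makes the change persistent across reboots; without it the boolean reverts and the connection "mysteriously" breaks again after the next restart, which is one of the ways people end up disabling SELinux entirely.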
[PATCH 1/2] LiveCD - Add fake /selinux so livecd can run in enforcing
by Eric Paris
From: Eric Paris <eparis(a)redhat.com>
This patch adds a /selinux directory to a newly created livecd compose which
will allow the tools inside the chroot to interoperate with the live system
successfully.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
imgcreate/creator.py | 55 ++++++++++++++++++++++++++++++++++++++++++++---
imgcreate/kickstart.py | 2 +-
2 files changed, 52 insertions(+), 5 deletions(-)
diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index 5d010a1..f65f7d4 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -24,6 +24,7 @@ import tempfile
import shutil
import logging
+import selinux
import yum
import rpm
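Review bot: this hunk adds only `import selinux`, but the new `__create_selinuxfs` further down calls `stat.S_IFCHR`, `subprocess.call` and `kickstart.selinux_enabled`; the visible import context (tempfile, shutil, logging, yum, rpm) shows none of `stat`, `subprocess` or `kickstart`, so confirm they are imported elsewhere in creator.py, since a missing one only fails at mount time on an SELinux host.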
@@ -421,6 +422,52 @@ class ImageCreator(object):
os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr")
os.umask(origumask)
+ def __create_selinuxfs(self):
+ # if selinux exists on the host we need to lie to the chroot
+ if os.path.exists("/selinux/enforce"):
+ selinux_dir = self._instroot + "/selinux"
+
+ # enforce=0 tells the chroot selinux is not enforcing
+ # policyvers=999 tell the chroot to make the highest version of policy it can
+ files = (('/enforce', '0'),
+ ('/policyvers', '999'))
+ for (file, value) in files:
+ fd = os.open(selinux_dir + file, os.O_WRONLY | os.O_TRUNC | os.O_CREAT)
+ os.write(fd, value)
+ os.close(fd)
+
+ # we steal mls from the host system for now, might be best to always set it to 1????
+ files = ("/mls",)
+ for file in files:
+ shutil.copyfile("/selinux" + file, selinux_dir + file)
+
+ # make /load -> /dev/null so chroot policy loads don't hurt anything
+ os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3))
+
+ # selinux is on in the kickstart, so clean up as best we can to start
+ if kickstart.selinux_enabled(self.ks):
+ # label the fs like it is a root before the bind mounting
+ arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
+ subprocess.call(arglist, close_fds = True)
+ # these dumb things don't get magically fixed, so make the user generic
+ for f in ("/proc", "/sys", "/selinux"):
+ arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
+ subprocess.call(arglist, close_fds = True)
+
+ def __destroy_selinuxfs(self):
+ # if the system was running selinux clean up our lies
+ if os.path.exists("/selinux/enforce"):
+ files = ('/enforce',
+ '/policyvers',
+ '/mls',
+ '/load')
+ for file in files:
+ try:
+ os.unlink(self._instroot + "/selinux" + file)
+ except OSError:
+ pass
+
+
def mount(self, base_on = None, cachedir = None):
"""Setup the target filesystem in preparation for an install.
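Review bot: `__create_selinuxfs` and `__destroy_selinuxfs` both key off `os.path.exists("/selinux/enforce")`, which hardcodes the selinuxfs mount point; `selinux.is_selinux_enabled()` from the module imported above answers the same question without depending on where selinuxfs is mounted. Two smaller points in the same hunk: the `os.open`/`os.write`/`os.close` sequence has no try/finally, so a failed write leaks the descriptor, and the loop variable `file` shadows the builtin. The `/mls` copy also needs a decision before merge rather than the `????` comment: copying the host's flag ties the chroot's policy build to the build machine instead of the target image.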
@@ -446,7 +493,7 @@ class ImageCreator(object):
self._mount_instroot(base_on)
- for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"):
+ for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc", "/selinux"):
makedirs(self._instroot + d)
cachesrc = cachedir or (self.__builddir + "/yum-cache")
@@ -458,9 +505,7 @@ class ImageCreator(object):
(cachesrc, "/var/cache/yum")]:
self.__bindmounts.append(BindChrootMount(f, self._instroot, dest))
- # /selinux should only be mounted if selinux is enabled (enforcing or permissive)
- if kickstart.selinux_enabled(self.ks):
- self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None))
+ self.__create_selinuxfs()
self._do_bindmounts()
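Review bot: the removed lines only exposed /selinux when the kickstart enabled SELinux; the replacement `__create_selinuxfs()` runs whenever the host has selinuxfs, so a kickstart with `selinux --disabled` built on an enforcing host now gets fake `/selinux/enforce` and `/selinux/load` nodes inside the chroot. If that is intended (so tools in the chroot always see a consistent, non-enforcing view) say so in the comment; otherwise keep the `kickstart.selinux_enabled(self.ks)` guard around the call.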
@@ -483,6 +528,8 @@ class ImageCreator(object):
except OSError:
pass
+ self.__destroy_selinuxfs()
+
self._undo_bindmounts()
self._unmount_instroot()
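Review bot: `__destroy_selinuxfs()` runs before `self._undo_bindmounts()`, so it unlinks under `self._instroot + "/selinux"` while bind mounts are still up; that is only safe because this patch also removed /selinux from `__bindmounts`, and a comment here should say so to keep a future bind mount from turning the unlink loop into deleting files on the host. Also, the tuple of files to unlink duplicates the list in `__create_selinuxfs`; one module-level tuple shared by both methods would keep them from drifting.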
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index c83e795..180cea2 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -389,7 +389,7 @@ class SelinuxConfig(KickstartConfig):
if not os.path.exists(self.path("/sbin/restorecon")):
return
- self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"])
+ self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
def apply(self, ksselinux):
if os.path.exists(self.path("/usr/sbin/lokkit")):
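Review bot: `-e /dev` keeps the forced (`-F`) relabel away from the minimal device nodes that `mount()` creates in the install root, so they keep whatever label mknod gave them on the build host; if those nodes ship in the image, relabel the `/dev` entries explicitly or drop `/dev` from the exclusion list. Excluding `/proc`, `/sys` and `/selinux` is right, since `/selinux` only holds the fake files that `__destroy_selinuxfs` removes again.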
--
1.5.5.3
[RFC] -v2 livecd running and selinux enforcing
by Eric Paris
Still ongoing selinux policy and toolchain work in this area is needed
and I should do more testing on a host machine with selinux disabled but
this is the livecd patch I've got working as of today. I think that I
want to make my print >> sys.stderr message actually be fatal. The
reason for this is because setting selinux --disabled in the kickstart
and not having /usr/sbin/lokkit results in an enabled livecd which
doesn't work... No reason to just print a message and not stop the
work if we know for sure the results are useless...
This patch also has the f.close() fix that I sent yesterday, so it might
not apply if you already applied that one...
-Eric
diff -Naupr imgcreate.orig/creator.py imgcreate/creator.py
--- imgcreate.orig/creator.py 2008-05-06 12:16:08.000000000 -0400
+++ imgcreate/creator.py 2008-06-05 17:10:36.561313078 -0400
@@ -23,6 +23,7 @@ import sys
import tempfile
import shutil
+import selinux
import yum
import rpm
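Review bot: as in the 1/2 version, `selinux` is the only new import while the added code also uses `stat`, `subprocess` and `kickstart`; the context shown here (sys, tempfile, shutil, yum, rpm) includes none of them, so verify they are imported elsewhere in creator.py before this lands.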
@@ -402,6 +403,52 @@ class ImageCreator(object):
fstab.write(self._get_fstab())
fstab.close()
+ def __create_selinuxfs(self):
+ # if selinux exists on the host we need to lie to the chroot
+ if os.path.exists("/selinux/enforce"):
+ selinux_dir = self._instroot + "/selinux"
+
+ # enforce=0 tells the chroot selinux is not enforcing
+ # policyvers=999 tell the chroot to make the highest version of policy it can
+ files = (('/enforce', '0'),
+ ('/policyvers', '999'))
+ for (file, value) in files:
+ fd = os.open(selinux_dir + file, os.O_WRONLY | os.O_TRUNC | os.O_CREAT)
+ os.write(fd, value)
+ os.close(fd)
+
+ # we steal mls from the host system for now, might be best to always set it to 1????
+ files = ("/mls",)
+ for file in files:
+ shutil.copyfile("/selinux" + file, selinux_dir + file)
+
+ # make /load -> /dev/null so chroot policy loads don't hurt anything
+ os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3))
+
+ # selinux is on in the kickstart, so clean up as best we can to start
+ if kickstart.selinux_enabled(self.ks):
+ # label the fs like it is a root before the bind mounting
+ arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
+ subprocess.call(arglist, close_fds = True)
+ # these dumb things don't get magically fixed, so make the user generic
+ for f in ("/proc", "/sys", "/selinux"):
+ arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
+ subprocess.call(arglist, close_fds = True)
+
+ def __destroy_selinuxfs(self):
+ # if the system was running selinux clean up our lies
+ if os.path.exists("/selinux/enforce"):
+ files = ('/enforce',
+ '/policyvers',
+ '/mls',
+ '/load')
+ for file in files:
+ try:
+ os.unlink(self._instroot + "/selinux" + file)
+ except OSError:
+ pass
+
+
def mount(self, base_on = None, cachedir = None):
"""Setup the target filesystem in preparation for an install.
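Review bot: the `/mls` handling copies the host's flag into the chroot, so the chroot's policy build follows the build machine rather than the image; the setroubleshoot output earlier on this page shows Fedora's targeted policy reporting `MLS Enabled True`, so writing a fixed `1` (the option the `????` comment raises) would match both targeted and mls images and drop a host dependency. Same hunk: `os.write(fd, value)` ignores its return value and `os.close` is not in a finally, and `os.open` is called without a mode, so the files' permissions depend on the caller's umask.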
@@ -427,7 +474,7 @@ class ImageCreator(object):
self._mount_instroot(base_on)
- for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"):
+ for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc", "/selinux"):
makedirs(self._instroot + d)
cachesrc = cachedir or (self.__builddir + "/yum-cache")
@@ -439,10 +486,6 @@ class ImageCreator(object):
(cachesrc, "/var/cache/yum")]:
self.__bindmounts.append(BindChrootMount(f, self._instroot, dest))
- # /selinux should only be mounted if selinux is enabled (enforcing or permissive)
- if kickstart.selinux_enabled(self.ks):
- self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None))
-
# Create minimum /dev
origumask = os.umask(0000)
devices = [('null', 1, 3, 0666),
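Review bot: the removal of the `/selinux` bind mount deserves a sentence in the change description, because it is the part of this patch with the security payoff: with the host's selinuxfs bind-mounted into the chroot, anything run inside it (package scriptlets, a policy load, a write to `enforce`) was talking to the live host kernel's `/selinux/load` and `/selinux/enforce`, not to the image. The fake entries created in `__create_selinuxfs` (`enforce` = 0, `policyvers` = 999, `/load` as a `/dev/null` node) are what make those writes harmless, so this hunk and that one are a single logical change and should be explained together.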
@@ -460,6 +503,8 @@ class ImageCreator(object):
os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr")
os.umask(origumask)
+ self.__create_selinuxfs()
+
self._do_bindmounts()
os.symlink("../proc/mounts", self._instroot + "/etc/mtab")
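Review bot: `__create_selinuxfs` is invoked before `_do_bindmounts` and before `install()`, so the `setfiles -F -r` pass it performs when the kickstart enables SELinux only labels the skeleton directories and the `/dev` nodes created just above; the installed package tree is labelled later by `SelinuxConfig`'s restorecon in kickstart.py. A one-line comment at this call site saying so would stop a reader from assuming this is the pass that labels the final image.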
@@ -479,6 +524,8 @@ class ImageCreator(object):
except OSError:
pass
+ self.__destroy_selinuxfs()
+
self._undo_bindmounts()
self._unmount_instroot()
@@ -543,7 +590,17 @@ class ImageCreator(object):
for pkg in kickstart.get_excluded(self.ks,
self._get_excluded_packages()):
ayum.deselectPackage(pkg)
-
+
+ # if the system is running selinux and the kickstart wants it disabled
+ # we need /usr/sbin/lokkit
+ def __can_handle_selinux(self, ayum):
+ has_req = 1
+ file = "/usr/sbin/lokkit"
+ if not kickstart.selinux_enabled(self.ks) and os.path.exists("/selinux/enforce"):
+ has_req = ayum.installHasFile(file)
+ if not has_req:
+ print >> sys.stderr, "Dude, you need a package which provides %s for your selinux setup to work" %(file)
+
def install(self, repo_urls = {}):
"""Install packages into the install root.
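Review bot: `__can_handle_selinux` computes `has_req` but neither returns it nor raises, so a missing `/usr/sbin/lokkit` only prints to stderr and `install()` carries on; since `SelinuxConfig.apply` in the kickstart.py hunk silently does nothing when lokkit is absent, the resulting image would keep SELinux enabled even though the kickstart asked for it to be disabled. Suggest `raise CreatorError("package providing %s is required to disable selinux" % file)` here, or return the boolean and have the call site act on it. Also: the `-`/`+` pair at the top of the hunk is a whitespace-only change, `file` shadows the builtin, and the "Dude, ..." message should be neutral wording suitable for a log.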
@@ -579,6 +636,9 @@ class ImageCreator(object):
self.__select_packages(ayum)
self.__select_groups(ayum)
self.__deselect_packages(ayum)
+
+ self.__can_handle_selinux(ayum)
+
ayum.runInstall()
except yum.Errors.RepoError, e:
raise CreatorError("Unable to download from repo : %s" % (e,))
diff -Naupr imgcreate.orig/kickstart.py imgcreate/kickstart.py
--- imgcreate.orig/kickstart.py 2008-05-06 12:16:08.000000000 -0400
+++ imgcreate/kickstart.py 2008-06-04 14:56:35.033603440 -0400
@@ -369,14 +369,15 @@ class SelinuxConfig(KickstartConfig):
path = self.path(fn)
f = file(path, "w+")
os.chmod(path, 0644)
+ f.close()
if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
return
- if not os.path.exists(self.path("/sbin/restorecon")):
+ if os.path.exists(self.path("/sbin/restorecon")):
+ self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
+ else:
return
- self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"])
-
def apply(self, ksselinux):
if os.path.exists(self.path("/usr/sbin/lokkit")):
args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"]
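Review bot: the `else: return` after the restorecon call is dead weight, since the method ends either way; `if os.path.exists(self.path("/sbin/restorecon")): self.call([...])` reads cleaner. The substantive change is the exclusion list: restorecon now skips `/proc`, `/sys`, `/dev` and `/selinux`, which keeps the relabel off the host-provided `/dev` nodes and the fake selinuxfs files created at mount time, and `-F` resets the user field as well, matching the `chcon -u system_u` done in `__create_selinuxfs`; state that rationale in the commit message. Moving `f.close()` ahead of the `SELINUX_DISABLED` early return also fixes the file handle that used to leak on that path, which is worth a mention.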
diff -Naupr imgcreate.orig/yuminst.py imgcreate/yuminst.py
--- imgcreate.orig/yuminst.py 2008-05-06 12:16:08.000000000 -0400
+++ imgcreate/yuminst.py 2008-06-05 17:00:00.574631892 -0400
@@ -79,7 +79,7 @@ class LiveCDYum(yum.YumBase):
def selectPackage(self, pkg):
"""Select a given package. Can be specified with name.arch or name*"""
return self.install(pattern = pkg)
-
+
def deselectPackage(self, pkg):
"""Deselect package. Can be specified as name.arch or name*"""
sp = pkg.rsplit(".", 2)
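Review bot: this hunk is a whitespace-only change (a blank line with trailing spaces replaced by an empty one); drop it from the patch, or send it separately, so the diff stays focused on the SELinux work.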
@@ -138,6 +138,20 @@ class LiveCDYum(yum.YumBase):
repo.setCallback(TextProgress())
self.repos.add(repo)
return repo
+
+ def installHasFile(self, file):
+ has_file = 0
+ provides_pkg = self.whatProvides(file, None, None)
+ dlpkgs = map(lambda x: x.po, filter(lambda txmbr: txmbr.ts_state in ("i", "u"), self.tsInfo.getMembers()))
+ for p in dlpkgs:
+ for q in provides_pkg:
+ if (p == q):
+ has_file = 1
+ if has_file:
+ return True
+ else:
+ return False
+
def runInstall(self):
os.environ["HOME"] = "/"
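Review bot: `installHasFile` keeps iterating after the first match and round-trips an int into a bool; returning `True` from inside the inner loop when `p == q` and `False` after the loops does the same work with less code. The check deliberately looks only at transaction members with `ts_state` in `("i", "u")`, which is correct for a fresh install root but should be stated in a docstring, as should the fact that `whatProvides` is being handed a path, so `file` is matched against file provides rather than package names. `file` also shadows the builtin here.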