Prevent selinux deactivation
by Fernando Villarreal
Hi all,
I'm new to SELinux and I'm looking for a way to protect some
files and processes from the root user.
Of course I should prevent root from modifying or deactivating SELinux to
access what I'm protecting.
Is that possible?
Thanks.
Fernando.
14 years, 7 months
Wordpress: How To Allow httpd to write to /usr/share/wordpress/wp-content/uploads
by Robert L Cochran
I installed Wordpress 2.8.3 on Fedora 11 and attempted to upload a photo
to the directory /usr/share/wordpress/wp-content/uploads/2009/09/, but
failed even though my Wordpress "author" role permits file uploads.
Wordpress uses php for scripting. I suspected that I had set file
permissions incorrectly. Here are the permissions on /usr:
drwxrwxr-x. 16 root apache 4096 2009-04-12 19:05 usr
I ran `setsebool`:
[root@deafeng3 /]# setsebool -P allow_httpd_anon_write=1
[root@deafeng3 /]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
I wrote a php script to see if it can move a single file just to /usr/.
Here is the error message that appears in /var/log/httpd/error_log:
[Wed Sep 09 22:25:30 2009] [error] [client 127.0.0.1] PHP Warning:
move_uploaded_file(/usr/Cochran.jpg) [<a
href='function.move-uploaded-file'>function.move-uploaded-file</a>]:
failed to open stream: Permission denied in
/var/www/html/testuploads.php on line 35, referer:
http://localhost/testuploads.php
[Wed Sep 09 22:25:30 2009] [error] [client 127.0.0.1] PHP Warning:
move_uploaded_file() [<a
href='function.move-uploaded-file'>function.move-uploaded-file</a>]:
Unable to move '/tmp/phpJFMNbS' to '/usr/Cochran.jpg' in
/var/www/html/testuploads.php on line 35, referer:
http://localhost/testuploads.php
But I still can't write to /usr. If I can't write to that, how can I
continue down the file hierarchy to write to the true target directory
of /usr/share/wordpress/wp-content/uploads/*? That is to say, the
uploads directory and every subdirectory under it should be writable by
httpd.
Thanks
Bob Cochran
14 years, 7 months
unconfined domain equals permissive?
by KaiGai Kohei
Dan,
I found the following policy in the recent rawhide policy
(such as selinux-policy-3.6.31-2.fc12.src.rpm).
--------------------
interface(`unconfined_domain',`
gen_require(`
attribute unconfined_services;
')
# unconfined_domain_noaudit($1)
permissive $1;
tunable_policy(`allow_execheap',`
auditallow $1 self:process execheap;
')
')
--------------------
Is it a workaround fix? Or do you have a plan to change the definition
of unconfined domains in F-12/rawhide?
Permissive domains are also allowed to bypass MLS/MCS rules, not only
TE rules, so it seems to me that its impact is hard to ignore if it is not
a workaround.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
14 years, 7 months
selinux-policy-2.4.6-203.el5 and kernel_sendrecv_unlabeled_association
by Stefan Schulze Frielinghaus
Why is the following rule removed by the patch of the SRPM package
selinux-policy-2.4.6-203.el5?
# temporary hack until labeling on packets is supported
allow $1 unlabeled_t:packet { send recv };
The actual file is kernel/kernel.if and line 2170.
The comment above indicates that this is a temporary hack but I get some
AVCs and need to manually allow this rule.
Couldn't we accept the temporary hack until something more useful is
out? Because I (and I guess some others too) need this rule.
cheers
Stefan
14 years, 7 months
selinux issue
by chloe K
> Hi all
> How do I have to set SELinux to disabled
> to make the web server work
> and
> MySQL work too?
> If it is not set to 0, the Apache error log says
> (13)Permission denied: access to /admin denied
> and the MySQL error is
> 090903 19:43:19 InnoDB: Operating system error number 13 in a file
> operation.
> InnoDB: The error means mysqld does not have the access rights to
> InnoDB: the directory.
> InnoDB: File name ./ibdata1
> InnoDB: File operation call: 'open'.
> InnoDB: Cannot continue operation.
> Thank you
>
14 years, 7 months
I cannot change my shell context
by zheyeung
Hi everybody, I installed selinux-policy-targeted on my F11 and run in enforcing mode.
Now I want to change the SELinux context of /tmp/test, but it failed. I thought the current shell domain was unconfined_t, so I intended to change my shell context to root:sysadm_r:sysadm_t, but that also failed.
My project team plans to develop SELinux policy for our system based on selinux-policy.src.rpm. I guess this package has not been fully developed? If it has been developed, why can't I change to sysadm_r:sysadm_t?
----------------------------------------------------------------------------
[root@localhost ~]# ls -lZ /tmp/testselinux
root root unconfined_u:object_r:user_t:user_tmp_t:s0 /tmp/testselinux
[root@localhost ~]# chcon unconfined_u:object_r:mytest_t /tmp/testselinux
chcon: failed to change context of '/tmp/testselinux' to 'unconfined_u:object_r:testselinux:s0': permission denied
## mytest_t is defined in myapp.pp, which was successfully loaded with "semodule -i myapp.pp"
[root@localhost ~]# newrole -r sysadm_r -t sysadm_t
unconfined_u:unconfined_r:unconfined_t:s0 is not valid context
[root@localhost ~]# semanage login -m -s root -r s0-s0:c0.c1023 root
After reboot, the graphical terminal cannot run. audit says that system_u:system_r:xdm_t requires "read" permission on system_u:object_r:httpd_sys_content_t.
[root@localhost ~]# id
context=root:unconfined_r:unconfined_t:s0-s0:c0-c1023
[root@localhost ~]# newrole -r sysadm_r -t sysadm_t
failed to exec shell: permission denied
2009-09-02
zheyeung
14 years, 7 months
httpd and ~user/public_html
by G.Wolfe Woodbury
It seems to me that there should be a boolean to allow httpd to serve
files from ~user/public_html without complaint. This lack forces me to
run in permissive mode.
--
G.Wolfe Woodbury
14 years, 7 months
Re: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
by Richard Chapman
Hi Daniel
FYI: I have just rebooted the system for the first time in ages - and
I'm still using /tmp as opposed to tmpfs - and received 2 more AVCs -
very similar to the previous ones. If I understood correctly - you were
not expecting this to re-occur. I haven't posted the AVCs because I
think they are much the same as the originals - but can do so if you are
interested.
This is not a major problem - but is one of the issues preventing me
from using "enforcing" mode. Any thoughts why it has re-occurred?
Richard.
Daniel J Walsh wrote:
> On 08/15/2009 01:05 AM, Richard Chapman wrote:
>
>> Daniel J Walsh wrote:
>>
>>> On 08/14/2009 12:19 AM, Richard Chapman wrote:
>>>
>>>
>>>> Daniel J Walsh wrote:
>>>>
>>>>
>>>>> On 08/12/2009 07:53 PM, Richard Chapman wrote:
>>>>>
>>>>>
>>>>>
>>>>>> I am running Centos 5.3 in permissive mode - and recently I started
>>>>>> getting 4 avcs every time I boot the server. I am not sure - but I
>>>>>> think
>>>>>> these might have started when I changed my desktop from Gnome to
>>>>>> KDE. I
>>>>>> have tried the relabelling suggested in the AVC - but this hasn't
>>>>>> fixed it.
>>>>>> Does it look like I have something set up wrong - or is there a policy
>>>>>> problem?
>>>>>> Richard.
>>>>>>
>>>>>>
>>>>>> Summary
>>>>>> SELinux is preventing the setxkbmap from using potentially mislabeled
>>>>>> files (./.X11-unix).
>>>>>> Detailed Description
>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>> denied but
>>>>>> was permitted due to permissive mode.]
>>>>>>
>>>>>> SELinux has denied setxkbmap access to potentially mislabeled file(s)
>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
>>>>>> these files. It is common for users to edit files in their home
>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>> directories. The problem is that the files end up with the wrong file
>>>>>> context which confined applications are not allowed to access.
>>>>>>
>>>>>> Allowing Access
>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>> entire
>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>> Additional Information
>>>>>>
>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>> Source: setxkbmap
>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>> Port: <Unknown>
>>>>>> Host: C5.aardvark.com.au
>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>> Target RPM Packages: Policy RPM:
>>>>>> selinux-policy-2.4.6-225.el5
>>>>>> Selinux Enabled: True
>>>>>> Policy Type: targeted
>>>>>> MLS Enabled: True
>>>>>> Enforcing Mode: Permissive
>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>> Host Name: C5.aardvark.com.au
>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>> Alert Count: 34
>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>> Last Seen: Mon Aug 10 18:13:15 2009
>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>> Line Numbers: Raw Audit Messages :
>>>>>>
>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>>>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
>>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>> comm="setxkbmap" exe="/usr/bin/setxkbmap"
>>>>>> subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>>>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
>>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>> comm="setxkbmap" exe="/usr/bin/setxkbmap"
>>>>>> subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>
>>>>>>
>>>>>> Summary
>>>>>> SELinux is preventing the setxkbmap from using potentially mislabeled
>>>>>> files (./.X11-unix).
>>>>>> Detailed Description
>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>> denied but
>>>>>> was permitted due to permissive mode.]
>>>>>>
>>>>>> SELinux has denied setxkbmap access to potentially mislabeled file(s)
>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
>>>>>> these files. It is common for users to edit files in their home
>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>> directories. The problem is that the files end up with the wrong file
>>>>>> context which confined applications are not allowed to access.
>>>>>>
>>>>>> Allowing Access
>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>> entire
>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>> Additional Information
>>>>>>
>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>> Source: setxkbmap
>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>> Port: <Unknown>
>>>>>> Host: C5.aardvark.com.au
>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>> Target RPM Packages: Policy RPM:
>>>>>> selinux-policy-2.4.6-225.el5
>>>>>> Selinux Enabled: True
>>>>>> Policy Type: targeted
>>>>>> MLS Enabled: True
>>>>>> Enforcing Mode: Permissive
>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>> Host Name: C5.aardvark.com.au
>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>> Alert Count: 35
>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>> Last Seen: Mon Aug 10 18:13:16 2009
>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>> Line Numbers: Raw Audit Messages :
>>>>>>
>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc:
>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc:
>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16):
>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>> comm="setxkbmap"
>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16):
>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>> comm="setxkbmap"
>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>
>>>>>>
>>>>>> Summary
>>>>>> SELinux is preventing the setxkbmap from using potentially mislabeled
>>>>>> files (./.X11-unix).
>>>>>> Detailed Description
>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>> denied but
>>>>>> was permitted due to permissive mode.]
>>>>>>
>>>>>> SELinux has denied setxkbmap access to potentially mislabeled file(s)
>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
>>>>>> these files. It is common for users to edit files in their home
>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>> directories. The problem is that the files end up with the wrong file
>>>>>> context which confined applications are not allowed to access.
>>>>>>
>>>>>> Allowing Access
>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>> entire
>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>> Additional Information
>>>>>>
>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>> Source: setxkbmap
>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>> Port: <Unknown>
>>>>>> Host: C5.aardvark.com.au
>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>> Target RPM Packages: Policy RPM:
>>>>>> selinux-policy-2.4.6-225.el5
>>>>>> Selinux Enabled: True
>>>>>> Policy Type: targeted
>>>>>> MLS Enabled: True
>>>>>> Enforcing Mode: Permissive
>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>> Host Name: C5.aardvark.com.au
>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>> Alert Count: 36
>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>> Last Seen: Mon Aug 10 18:13:17 2009
>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>> Line Numbers: Raw Audit Messages :
>>>>>>
>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc:
>>>>>> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix"
>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc:
>>>>>> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix"
>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18):
>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13
>>>>>> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>> comm="setxkbmap"
>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18):
>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13
>>>>>> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>> comm="setxkbmap"
>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>
>>>>>>
>>>>>>
>>>>>> Summary
>>>>>> SELinux is preventing the setxkbmap from using potentially mislabeled
>>>>>> files (./.X11-unix).
>>>>>> Detailed Description
>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>> denied but
>>>>>> was permitted due to permissive mode.]
>>>>>>
>>>>>> SELinux has denied setxkbmap access to potentially mislabeled file(s)
>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
>>>>>> these files. It is common for users to edit files in their home
>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>> directories. The problem is that the files end up with the wrong file
>>>>>> context which confined applications are not allowed to access.
>>>>>>
>>>>>> Allowing Access
>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>> entire
>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>> Additional Information
>>>>>>
>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>> Source: setxkbmap
>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>> Port: <Unknown>
>>>>>> Host: C5.aardvark.com.au
>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>> Target RPM Packages: Policy RPM:
>>>>>> selinux-policy-2.4.6-225.el5
>>>>>> Selinux Enabled: True
>>>>>> Policy Type: targeted
>>>>>> MLS Enabled: True
>>>>>> Enforcing Mode: Permissive
>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>> Host Name: C5.aardvark.com.au
>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>> Alert Count: 37
>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>> Last Seen: Mon Aug 10 18:13:19 2009
>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>> Line Numbers: Raw Audit Messages :
>>>>>>
>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc:
>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc:
>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20):
>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>> comm="setxkbmap"
>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20):
>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>> comm="setxkbmap"
>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>
>>>>> chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>>>
>>>>> I always use tmpfs for /tmp, so I never end up with garbage on a
>>>>> reboot.
>>>>>
>>>>>
>>>>>
>>>> Thanks Daniel - but this is the response...
>>>>
>>>> [root@C5 ~]# chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>> chcon: failed to change context of /tmp/.X11-unix to system_u:object_r:xserver_tmp_t: Invalid argument
>>>> chcon: failed to change context of /tmp/.X11-unix/X0 to system_u:object_r:xserver_tmp_t: Invalid argument
>>>> chcon: failed to change context of /tmp/.X11-unix/X1005 to user_u:object_r:xserver_tmp_t: Invalid argument
>>>> [root@C5 ~]#
>>>>
>>>> Being pretty green - I don't really understand the problem here. Also -
>>>> if this chcon worked - would this be a permanent solution - or does it
>>>> need to be executed in a boot script?
>>>> I like your idea of using tmpfs - but is it ever a problem that tmpfs is
>>>> relatively small and finite? Also - please excuse my ignorance - but how
>>>> do I make tmpfs the tmp folder?
>>>>
>>>> Richard.
>>>>
>>>>
>>>>
>>>>
>>> Must have changed between RHEL5 and F11
>>>
>>> Try
>>> chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix
>>>
>>> Add this line to /etc/fstab
>>>
>>> tmpfs /tmp tmpfs rootcontext="system_u:object_r:tmp_t:s0",defaults 0 0
>>>
>>> And reboot.
>>>
>>> I don't tend to store huge amounts of stuff in /tmp. If I want to
>>> store big stuff I can always use /var/tmp
>>>
>>>
>>>
>> Thanks Daniel
>>
>> That chcon command worked fine. Should this be a permanent solution - or
>> will new files appearing there need a chcon too? Should I put this
>> command into a boot script somewhere?
>>
>> I'll try tmpfs and see if it ever overflows in practice. Hopefully I'll
>> be able to see something in my logwatch if there is ever a problem.
>> Currently - It's using less than 1/2 its 2 gigs of ram - so there is
>> some room to spare. Seems your suggestion has sparked quite a bit of
>> interest...:-)
>>
>> Thanks again
>>
>> Richard.
>>
>>
>>
> No the chcon is fine. It was mislabeled at some point and relabeling does not touch /tmp
>
>
14 years, 8 months
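As an added example (not from the thread or from any of its posters), a small Python triage script for raw audit records like the ones quoted above: it skips SYSCALL records, groups the AVC denials that sealert prints twice, counts distinct audit events rather than lines, and flags target types that look like a stale /tmp label. The host name, the Xorg/xdm_t record and the STALE_TMP_TYPES heuristic are constructed for the example.

```python
import re
from collections import defaultdict

# Target types a confined domain should not be reaching under /tmp; hitting one
# usually means a label left behind by an earlier boot (heuristic for this
# example, not a rule taken from the policy).
STALE_TMP_TYPES = {"initrc_tmp_t", "tmp_t"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_avc(line):
    """Parse one raw audit record; returns a dict for type=AVC, else None."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms, msg = PERMS_RE.search(line), MSG_RE.search(line)
    if fields.get("type") != "AVC" or not perms or not msg:
        return None
    sctx = fields.get("scontext", "").split(":")  # user:role:type[:level]
    tctx = fields.get("tcontext", "").split(":")
    if len(sctx) < 3 or len(tctx) < 3:
        return None
    return {"event": (msg.group(1), msg.group(2)),  # audit(timestamp:serial)
            "perms": tuple(sorted(perms.group(1).split())),
            "comm": fields.get("comm"), "name": fields.get("name"),
            "stype": sctx[2], "ttype": tctx[2], "tclass": fields.get("tclass")}


def advise(ttype, tclass):
    """Triage hint only. In the thread the stale /tmp label was fixed by chcon
    to the X server's tmp type, or avoided by mounting /tmp as tmpfs with a
    rootcontext= option; a full relabel does not touch /tmp."""
    if ttype in STALE_TMP_TYPES and tclass in {"dir", "file", "sock_file"}:
        return "stale-tmp-label: relabel the object or mount /tmp as tmpfs"
    return "policy-review: inspect with sealert/audit2allow before allowing"


def summarize(lines):
    """Group denials by (source type, target type, class, perms). sealert
    prints every record twice, so events are counted by audit id, not line."""
    groups = defaultdict(lambda: {"events": set(), "lines": 0, "names": set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])]
        g["events"].add(rec["event"])
        g["lines"] += 1
        g["names"].add(rec["name"])
    return [{"source_type": s, "target_type": t, "tclass": c, "perms": " ".join(p),
             "events": len(g["events"]), "raw_lines": g["lines"],
             "names": sorted(n for n in g["names"] if n), "advice": advise(t, c)}
            for (s, t, c, p), g in sorted(groups.items())]


# Constructed sample modelled on the records quoted in the thread (host name
# and the xdm_t/httpd_sys_content_t record are made up for the example).
SAMPLE_AUDIT = """\
host=C5.example.test type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.example.test type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.example.test type=SYSCALL msg=audit(1249899195.897:15): arch=c000003e syscall=42 success=no exit=-2 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.example.test type=AVC msg=audit(1249899196.898:16): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.example.test type=AVC msg=audit(1251928999.101:40): avc: denied { read } for pid=2210 comm="Xorg" name="index.html" dev=dm-0 ino=31 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

if __name__ == "__main__":
    for f in summarize(SAMPLE_AUDIT.splitlines()):
        print(f"{f['source_type']} -> {f['target_type']} ({f['tclass']}: "
              f"{f['perms']}) x{f['events']} events  {f['advice']}")
```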