I have several versions of root distro partitions, which I mount via fstab, but of course only one / and /boot partition is to be defined for the version to be booted.
What I would like to know is, if I do a /.autorelabel for one boot/root partition, does this mean that every mounted filesystem that appears in /etc/fstab also gets relabeled? If so, this is not what I want, especially if other root distro partitions are being mounted, for example, say: /md/{distro1, distro2, ...}
So, how do I get around this? I could comment out all entries in /etc/fstab except / and /boot (plus the required entries), touch /.autorelabel, reboot, and once relabeling is completed, add back the commented-out fstab entries and issue a mount -a. Could I add an option entry, say NO_RELABEL, to certain fstab entries?
Since I was introduced to /media in F9, I never could figure out how to add mounted "media" filesystems, which is why I added them to fstab instead.
How do I solve this issue?
On 27/08/10 07:12, Daniel B. Thurman wrote:
I create a local policy module for this sort of thing, with a file contexts entry like this:
# Don't touch stuff here
/srv/homes(/.*)?    <<none>>

So you could have:

::::::::::::::
otherdistros.fc
::::::::::::::
/md/distro1(/.*)?   <<none>>
/md/distro2(/.*)?   <<none>>

::::::::::::::
otherdistros.te
::::::::::::::
policy_module(otherdistros, 0.0.1)
Building and installing that module should do the trick.
Paul.
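To see what Paul's <<none>> entries do during a relabel, here is an added Python model of the restorecon decision; it is example code written for this page, not code from the thread and not libselinux. It parses file_contexts lines, picks the most specific matching entry for each path, and treats <<none>> as "leave this file alone". The stock entries, the on-disk labels, and the matching order (longest literal stem, then a literal path over a regex, then the later line) are simplified stand-ins for the real policy and for libselinux's sort, and the file-type field (-d, --) is ignored; only the two otherdistros.fc lines are taken from Paul's message.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NONE = "<<none>>"
META_CHARS = set(".^$?*+|[({")

# Constructed stand-in for the stock file_contexts: a handful of entries in the
# real format, not the full Fedora policy.
STOCK_FC = """\
/.*                 system_u:object_r:default_t:s0
/               -d  system_u:object_r:root_t:s0
/etc(/.*)?          system_u:object_r:etc_t:s0
/etc/passwd     --  system_u:object_r:passwd_file_t:s0
"""

# Paul's otherdistros.fc from the thread.
LOCAL_FC = """\
# Don't touch stuff here
/md/distro1(/.*)?   <<none>>
/md/distro2(/.*)?   <<none>>
"""

# Constructed on-disk labels, as restorecon would read them back from xattrs.
CURRENT_LABELS = {
    "/etc/fstab": "system_u:object_r:etc_t:s0",
    "/etc/passwd": "system_u:object_r:etc_t:s0",                 # mislabeled
    "/md/distro1/etc/passwd": "system_u:object_r:passwd_file_t:s0",
    "/md/distro1/etc/fstab": "system_u:object_r:etc_t:s0",
    "/md/scratch/notes": "system_u:object_r:etc_t:s0",           # not excluded
}


@dataclass(frozen=True)
class Spec:
    regex: str
    context: str  # "<<none>>" or user:role:type:level
    order: int    # line order; later lines win ties (local modules come after base)

    @property
    def stem(self) -> str:
        """Literal directory prefix before the first component with a regex metacharacter."""
        stem: List[str] = []
        for part in self.regex.split("/")[1:-1]:
            if META_CHARS & set(part):
                break
            stem.append(part)
        return "/" + "/".join(stem) if stem else ""

    @property
    def rank(self) -> Tuple[int, bool, int]:
        # Simplified libselinux ordering (assumption): longest stem, then a literal
        # path over a regex, then the later line.
        return (len(self.stem), not (META_CHARS & set(self.regex)), self.order)


def parse_file_contexts(*texts: str) -> List[Spec]:
    """Parse file_contexts text(s) in order; the optional file-type field (-d, --) is ignored."""
    specs: List[Spec] = []
    for text in texts:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if line:
                fields = line.split()
                specs.append(Spec(fields[0], fields[-1], len(specs)))
    return specs


def lookup(specs: List[Spec], path: str) -> Optional[str]:
    """Context the policy assigns to path, "<<none>>", or None when nothing matches."""
    matches = [s for s in specs if re.fullmatch(s.regex, path)]
    return max(matches, key=lambda s: s.rank).context if matches else None


def relabel_plan(specs: List[Spec], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(path, action, target) per file: what a relabel would do with each one."""
    plan: List[Tuple[str, str, str]] = []
    for path, label in sorted(current.items()):
        target = lookup(specs, path)
        if target is None:
            plan.append((path, "unmatched", ""))   # no spec: left alone
        elif target == NONE:
            plan.append((path, "skip", NONE))      # excluded by <<none>>
        elif target == label:
            plan.append((path, "keep", target))
        else:
            plan.append((path, "relabel", target))
    return plan


if __name__ == "__main__":
    stock_only = parse_file_contexts(STOCK_FC)
    with_local = parse_file_contexts(STOCK_FC, LOCAL_FC)
    for title, specs in (("stock policy", stock_only), ("stock + otherdistros", with_local)):
        print(f"--- {title}")
        for path, action, target in relabel_plan(specs, CURRENT_LABELS):
            print(f"{action:8} {path:28} {target}")
```

With the stock entries alone, everything under /md/distro1 falls through to the catch-all /.* and would be relabeled default_t, which is exactly the damage Daniel wants to avoid; with otherdistros.fc loaded, the /md/distro1 stem outranks /.* and every file under it resolves to <<none>>. Because the pattern ends in (/.*)?, each descendant matches on its own, so the whole tree is spared whether or not the relabel tool prunes at the top directory. On a real system the module is built and loaded with make -f /usr/share/selinux/devel/Makefile otherdistros.pp and semodule -i otherdistros.pp, after which matchpathcon /md/distro1/etc/passwd should report <<none>> and a dry run with restorecon -Rnv /md should list nothing under the excluded trees.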
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 08/27/2010 04:14 AM, Paul Howarth wrote:
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I have blogged on this.
http://danwalsh.livejournal.com/38157.html
On 09/02/2010 07:40 AM, Daniel J Walsh wrote:
Yes, it's good to know, and it should help users who are faced with similar situations.
My choice was to update only the fstab file for each and every mount entry. The only question in my mind is, by having different fstabs, could relabels occur depending on which OS is booted, or is the context a mask that leaves the "actual underlying context" alone?
For example:
1) F12: /etc/fstab:
LABEL=RF12D1  /           ext4  defaults                                      1 1
LABEL=BF12D1  /boot       ext4  defaults                                      1 2
[...]
LABEL=RF13D3  /md/RF13D3  ext4  context=system_u:object_r:root_t:s0,defaults  0 0

2) F13: /etc/fstab:
LABEL=RF13D3  /           ext4  defaults                                      1 1
LABEL=BF13D3  /boot       ext4  defaults                                      1 2
[...]
LABEL=RF12D1  /md/RF12D1  ext4  context=system_u:object_r:root_t:s0,defaults  0 0
Does this mean that if I boot F12, the RF13D3 / partition would be relabeled as root_t, and if I boot F13, the RF12D1 / partition would be relabeled as root_t? I note that the entire mounted /md/X file contents are seen as root_t context. Could this cause any problems?
It is interesting to note that for /md/X/ mounted filesystem, a root user cannot change the / files, whereas / subdirectory files can be changed/modified.
The workaround is to unmount the /md/X filesystem, remounting it as default, make the change, unmount again, and then mount -a OR simply reboot to the OS and make the changes in the normal way.
But as it is, it seems to work well, and more importantly, only / and /boot are relabeled if /.autorelabel is touched; all other /md mounts are not traversed during the auto-relabeling phase AFAIK because all I see is stars (*).
Thanks for your help! Dan
On 09/02/2010 01:45 PM, Daniel B. Thurman wrote:
Does this mean that if I boot F12, the RF13D3 / partition would be relabeled as root_t, and if I boot F13, the RF12D1 / partition would be relabeled as root_t? I note that the entire mounted /md/X file contents are seen as root_t context. Could this cause any problems?
No, no relabeling will happen. Although if, while booted into F12, you created a file anywhere within the F13 tree, the file might get created with the root_t label.
It is interesting to note that for /md/X/ mounted filesystem, a root user cannot change the / files, whereas / subdirectory files can be changed/modified.
The workaround is to unmount the /md/X filesystem, remounting it as default, make the change, unmount again, and then mount -a OR simply reboot to the OS and make the changes in the normal way.
That is strange, what AVC are you seeing?
On 09/02/2010 12:52 PM, Daniel J Walsh wrote:
On 09/02/2010 01:45 PM, Daniel B. Thurman wrote:
It is interesting to note that for /md/X/ mounted filesystem, a root user cannot change the / files, whereas / subdirectory files can be changed/modified.
The workaround is to unmount the /md/X filesystem, remounting it as default, make the change, unmount again, and then mount -a OR simply reboot to the OS and make the changes in the normal way.
That is strange, what AVC are you seeing?
Hope this helps somewhat...
With a little more research, I discovered that I cannot create a new file, nor create a new file via the vi command, but I can modify/delete an existing file. AVCs are generated in most cases when creating and modifying a file, but not when deleting, or so it seems.
I am booted in F13 and have F12 mounted in /md. In general, the same three commands behave the same anywhere on the md partition, depending perhaps on user ownership.
(1): cd /md/RF12D1; touch foo (Cannot create empty file: foo)
========================================
Summary:
SELinux is preventing /bin/touch "associate" access on foo.
Detailed Description:
SELinux denied access requested by touch. It is not expected that this access is required by touch and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context                unconfined_u:object_r:etc_runtime_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                foo [ filesystem ]
Source                        touch
Source Path                   /bin/touch
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           coreutils-8.4-8.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-51.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.34.6-47.fc13.i686 #1 SMP Fri Aug 27 09:48:44 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Thu 02 Sep 2010 01:48:47 PM PDT
Last Seen                     Thu 02 Sep 2010 01:48:47 PM PDT
Local ID                      9e913bde-6ed4-4d4b-9bfc-ddc06ec0f0c8
Line Numbers
Raw Audit Messages
node=gold.cdkkt.com type=AVC msg=audit(1283460527.718:896): avc: denied { associate } for pid=19648 comm="touch" name="foo" scontext=unconfined_u:object_r:etc_runtime_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=filesystem
node=gold.cdkkt.com type=SYSCALL msg=audit(1283460527.718:896): arch=40000003 syscall=5 success=no exit=-13 a0=bffb6de9 a1=8941 a2=1b6 a3=bffb6de9 items=0 ppid=17927 pid=19648 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="touch" exe="/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
(2): cd /md/RF12D1; vi foo (Cannot create file: foo)
AVCs: (a) "vi foo", (b) Modify, Write & Save not possible, no AVC
(a)
========================================
Summary:
SELinux is preventing /bin/vi "associate" access on .foo.swp.
Detailed Description:
SELinux denied access requested by vi. It is not expected that this access is required by vi and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context                unconfined_u:object_r:etc_runtime_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                .foo.swp [ filesystem ]
Source                        vi
Source Path                   /bin/vi
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           vim-minimal-7.2.411-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-51.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.34.6-47.fc13.i686 #1 SMP Fri Aug 27 09:48:44 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Thu 02 Sep 2010 01:49:39 PM PDT
Last Seen                     Thu 02 Sep 2010 01:49:39 PM PDT
Local ID                      01dced02-64b8-4543-a021-c5d9d141d9a4
Line Numbers
Raw Audit Messages
node=gold.cdkkt.com type=AVC msg=audit(1283460579.305:898): avc: denied { associate } for pid=19762 comm="vi" name=".foo.swp" scontext=unconfined_u:object_r:etc_runtime_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=filesystem
node=gold.cdkkt.com type=SYSCALL msg=audit(1283460579.305:898): arch=40000003 syscall=5 success=no exit=-13 a0=858f310 a1=280c2 a2=180 a3=858f310 items=0 ppid=17927 pid=19762 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
(3): cd /md/RF12D1/etc; vi fstab [Can modify & save existing file]
AVCs: (a) vi fstab, (b) modify, write & save
(a)
========================================
Summary:
SELinux is preventing /bin/vi "associate" access on .fstab.swp.
Detailed Description:
SELinux denied access requested by vi. It is not expected that this access is required by vi and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context                unconfined_u:object_r:etc_runtime_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                .fstab.swp [ filesystem ]
Source                        vi
Source Path                   /bin/vi
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           vim-minimal-7.2.411-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-51.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.34.6-47.fc13.i686 #1 SMP Fri Aug 27 09:48:44 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Thu 02 Sep 2010 01:51:05 PM PDT
Last Seen                     Thu 02 Sep 2010 01:51:05 PM PDT
Local ID                      e7b9c7a4-f908-4e0e-8d33-a92dc5e115a9
Line Numbers
Raw Audit Messages
node=gold.cdkkt.com type=AVC msg=audit(1283460665.979:912): avc: denied { associate } for pid=19806 comm="vi" name=".fstab.swp" scontext=unconfined_u:object_r:etc_runtime_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=filesystem
node=gold.cdkkt.com type=SYSCALL msg=audit(1283460665.979:912): arch=40000003 syscall=5 success=no exit=-13 a0=86c9320 a1=280c2 a2=180 a3=86c9320 items=0 ppid=17927 pid=19806 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
(b)
========================================
Summary:
SELinux is preventing /bin/vi "associate" access on fstab~.
Detailed Description:
SELinux denied access requested by vi. It is not expected that this access is required by vi and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context                unconfined_u:object_r:etc_runtime_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                fstab~ [ filesystem ]
Source                        vi
Source Path                   /bin/vi
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           vim-minimal-7.2.411-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-51.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.34.6-47.fc13.i686 #1 SMP Fri Aug 27 09:48:44 UTC 2010 i686 i686
Alert Count                   4
First Seen                    Thu 02 Sep 2010 01:58:28 PM PDT
Last Seen                     Thu 02 Sep 2010 01:58:32 PM PDT
Local ID                      5594e318-4b02-4875-be04-c5fe6fa2cf8d
Line Numbers
Raw Audit Messages
node=gold.cdkkt.com type=AVC msg=audit(1283461112.259:930): avc: denied { associate } for pid=20016 comm="vi" name="fstab~" scontext=unconfined_u:object_r:etc_runtime_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=filesystem
node=gold.cdkkt.com type=SYSCALL msg=audit(1283461112.259:930): arch=40000003 syscall=5 success=no exit=-13 a0=87dedc0 a1=280c1 a2=1a4 a3=87dedc0 items=0 ppid=17927 pid=20016 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
(4): cd /md/var/tmp; rm <file>, selinux context root_t
No AVC generated
========================================
On 09/02/2010 05:13 PM, Daniel B. Thurman wrote:
I think the problem is the context you chose. The tools are trying to do a transition and change the context. Since you chose root_t, the label of /, the kernel is trying to place etc_runtime_t files in the directory. If you were to touch a file in / the same thing would happen.
If you change your context line to use nfs_t or usr_t, I think you will get a better result.
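The denials Daniel posted above, read by an added Python example (written for this page, not code from the thread): it joins each AVC record with its SYSCALL record by audit id, splits the security contexts, and decodes the syscall number, the errno and the open(2) flags. The sample log is copied from the post; the decoding tables are limited to the values that appear in it and assume the 32-bit x86 host that arch=40000003 indicates. Two things fall out that the raw records hide: the source context carries object_r, so the subject of the filesystem:associate check is the label computed for the new file (etc_runtime_t, via the transition Dan Walsh describes) against the filesystem's label root_t, not the unconfined_t process; and every denied open carries O_CREAT, which fits the observation that deletes and in-place edits drew no AVC. The audit2allow-style rule is included only to show what a blanket allow would look like; the thread's resolution is to pick a different context= type instead.

```python
import errno
import re
from typing import Any, Dict, Optional

# Constructed sample: two of the AVC/SYSCALL pairs posted in the thread (touch foo, vi foo).
SAMPLE_AUDIT = """\
node=gold.cdkkt.com type=AVC msg=audit(1283460527.718:896): avc: denied { associate } for pid=19648 comm="touch" name="foo" scontext=unconfined_u:object_r:etc_runtime_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=filesystem
node=gold.cdkkt.com type=SYSCALL msg=audit(1283460527.718:896): arch=40000003 syscall=5 success=no exit=-13 a0=bffb6de9 a1=8941 a2=1b6 a3=bffb6de9 items=0 ppid=17927 pid=19648 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="touch" exe="/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
node=gold.cdkkt.com type=AVC msg=audit(1283460579.305:898): avc: denied { associate } for pid=19762 comm="vi" name=".foo.swp" scontext=unconfined_u:object_r:etc_runtime_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=filesystem
node=gold.cdkkt.com type=SYSCALL msg=audit(1283460579.305:898): arch=40000003 syscall=5 success=no exit=-13 a0=858f310 a1=280c2 a2=180 a3=858f310 items=0 ppid=17927 pid=19762 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

AUDIT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KEY_VALUE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
AVC_PERMS = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

# Decoding tables, limited to what these records need (assumption: 32-bit x86 host).
ARCH_NAMES = {0x40000003: "i386"}
I386_SYSCALLS = {5: "open", 8: "creat", 10: "unlink", 38: "rename", 39: "mkdir"}
OPEN_FLAGS = [  # (mask, name), generic Linux/i386 values
    (0o1, "O_WRONLY"), (0o2, "O_RDWR"), (0o100, "O_CREAT"), (0o200, "O_EXCL"),
    (0o400, "O_NOCTTY"), (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"),
    (0o4000, "O_NONBLOCK"), (0o100000, "O_LARGEFILE"), (0o400000, "O_NOFOLLOW"),
]


def split_context(ctx: str) -> Dict[str, str]:
    """user:role:type[:range] -> its parts."""
    user, role, type_, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": rest[0] if rest else ""}


def parse_record(line: str) -> Optional[Dict[str, Any]]:
    """One audit line -> dict of its key=value fields plus the audit id."""
    m = AUDIT_ID.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {"id": f"{m.group(1)}:{m.group(2)}"}
    for key, value in KEY_VALUE.findall(line):
        if key != "msg":
            rec[key] = value[1:-1] if value.startswith('"') else value
    if rec.get("type") == "AVC":
        pm = AVC_PERMS.search(line)
        if pm:
            rec["decision"], rec["perms"] = pm.group(1), pm.group(2).split()
    return rec


def correlate(log: str) -> Dict[str, Dict[str, Dict[str, Any]]]:
    """Group records by audit id -> {"AVC": rec, "SYSCALL": rec} (one AVC per id here)."""
    events: Dict[str, Dict[str, Dict[str, Any]]] = {}
    for line in log.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["id"], {})[rec["type"]] = rec
    return events


def explain(event: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Decode one denial: who, which label pair and class, which syscall failed and how."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    src, tgt = split_context(avc["scontext"]), split_context(avc["tcontext"])
    out: Dict[str, Any] = {
        "comm": avc.get("comm"),
        "uid": int(sc.get("uid", -1)),
        "perms": avc["perms"],
        "tclass": avc["tclass"],
        "source_type": src["type"],
        "target_type": tgt["type"],
        # object_r in the *source* of a filesystem-class check: the subject is the
        # label computed for the new file, checked against the filesystem's label.
        "object_level_check": src["role"] == "object_r" and avc["tclass"] == "filesystem",
        "process_type": split_context(sc["subj"])["type"] if "subj" in sc else None,
        "audit2allow_rule": f"allow {src['type']} {tgt['type']}:{avc['tclass']} "
                            f"{{ {' '.join(avc['perms'])} }};",
    }
    if sc:
        arch = ARCH_NAMES.get(int(sc["arch"], 16), "unknown")
        nr = int(sc["syscall"])
        out["syscall"] = I386_SYSCALLS.get(nr, f"#{nr}") if arch == "i386" else f"#{nr}"
        code = -int(sc["exit"])
        out["errno"] = errno.errorcode.get(code, "") if code > 0 else ""
        if out["syscall"] == "open":  # a1 holds the flags; O_CREAT marks a file creation
            flags = int(sc["a1"], 16)
            out["open_flags"] = [name for mask, name in OPEN_FLAGS if flags & mask]
    return out


if __name__ == "__main__":
    for audit_id, event in correlate(SAMPLE_AUDIT).items():
        info = explain(event)
        print(audit_id, info["comm"], f"uid={info['uid']}", info["syscall"], info["errno"],
              f"{info['source_type']} -> {info['target_type']}:{info['tclass']}",
              " ".join(info["perms"]), "|".join(info.get("open_flags", [])))
```

Run against the real audit log (/var/log/audit/audit.log) the same correlation works for any AVC/SYSCALL pair, but the syscall and flag tables here cover only the i386 values seen in this thread.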
On Thu, 02 Sep 2010 10:40:05 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
I have blogged on this.
I used to use semanage for this but I find using local policy modules better for maintainability - it's easier to add, remove, and change multiple default contexts in one go and it's easy to see what I have that's different from the stock policy.
Paul.
On 09/05/2010 02:20 PM, Paul Howarth wrote:
I used to use semanage for this but I find using local policy modules better for maintainability - it's easier to add, remove, and change multiple default contexts in one go and it's easy to see what I have that's different from the stock policy.
Good point. I wanted to point to different ways of doing the same thing. What I have not experimented with is, does restorecon stop as soon as it hits a <<none>> matchpathcon?