3:56 p.m.
I've always had problems with SELinux but I set it to permissive and
moved on. Now I want to see if I can fix it.
My logwatch report gives me 20 or 30 lines of :
NULL security context for user, but SELinux in permissive mode,
continuing ()
in the cron section. Then I looked in /var/log/dmesg and I see this
line:
SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
System->Administration->SELinux Management, select SELinux User, shows
8 SELinux users:
guest_u,
root,
staff_u,
sysadm_u,
system_u,
unconfined_u,
user_u
xguest_u
OK, that looks good but when, as root, I run:
# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
hmmm... only 3 users. It this a problem or is it telling me that only 3
SELinuux users are currently in use (ie assign to any Linux user)
because I'm running in permissive mode?
How can I find out which user has a "NULL security context"?
Thanks,
Steve
4:04 a.m.
On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
I've always had problems with SELinux but I set it to permissive
and
moved on. Now I want to see if I can fix it.
My logwatch report gives me 20 or 30 lines of :
NULL security context for user, but SELinux in permissive mode,
continuing ()
in the cron section. Then I looked in /var/log/dmesg and I see this
line:
SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
System->Administration->SELinux Management, select SELinux User, shows
8 SELinux users:
guest_u,
root,
staff_u,
sysadm_u,
system_u,
unconfined_u,
user_u
xguest_u
OK, that looks good but when, as root, I run:
# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
hmmm... only 3 users. It this a problem or is it telling me that only 3
SELinuux users are currently in use (ie assign to any Linux user)
because I'm running in permissive mode?
This should not be a problem because new users get mapped under __default__ by default,
which is mapped to unconfined_u selinux user.
How can I find out which user has a "NULL security context"?
Good question, my gut feeling tells me it unconfined_u but i am not sure.
If there is no bug in Fedora 11 selinux policy then you could consider reinstalling the
policy.
The procedure for reinstalling policy is as follows.
1. setenforce 0 (put selinux in permisive mode)
2. rpm -ev selinux-policy selinux-policy-targeted (de-install selinux policy)
3. mv /etc/selinux/targeted /etc/selinux/targeted.backup (remove -backup- the old selinux
policy config)
4. yum install selinux-policy selinux-policy-targeted (-re- install fresh selinux policy)
5. fixfiles restore (restore contexts)
6. reboot
But try at your own risk.
Also just a file system relabeling *may* fix the issue: fixfiles restore; reboot (but i am
not sure there either)
hth
Thanks,
Steve
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
9:39 a.m.
On Sun, 25 Apr 2010 11:04:31 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
...
> My logwatch report gives me 20 or 30 lines of :
>
> NULL security context for user, but SELinux in permissive mode,
> continuing ()
>
> in the cron section. Then I looked in /var/log/dmesg and I see this
> line:
>
> SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
>
> System->Administration->SELinux Management, select SELinux User,
> shows 8 SELinux users:
...
>
> OK, that looks good but when, as root, I run:
>
> # semanage login -l
>
> Login Name SELinux User MLS/MCS
> Range
>
> __default__ unconfined_u
> s0-s0:c0.c1023 root unconfined_u
> s0-s0:c0.c1023 system_u system_u
> s0-s0:c0.c1023
>
> hmmm... only 3 users. It this a problem or is it telling me that
> only 3 SELinuux users are currently in use (ie assign to any Linux
> user) because I'm running in permissive mode?
This should not be a problem because new users get mapped under
__default__ by default, which is mapped to unconfined_u selinux user.
>
> How can I find out which user has a "NULL security context"?
Good question, my gut feeling tells me it unconfined_u but i am not
sure.
If there is no bug in Fedora 11 selinux policy then you could
consider reinstalling the policy.
The procedure for reinstalling policy is as follows.
1. setenforce 0 (put selinux in permisive mode)
2. rpm -ev selinux-policy selinux-policy-targeted (de-install selinux
policy)
3. mv /etc/selinux/targeted /etc/selinux/targeted.backup
(remove -backup- the old selinux policy config)
4. yum install
selinux-policy selinux-policy-targeted (-re- install fresh selinux
policy)
5. fixfiles restore (restore contexts)
6. reboot
I tried this procedure and at step 2 I also had to remove
oolicycoreutils-gui and setroubleshoot because of dependencies and then
reinstall them at step 4.
Step 5 started and bailed out with these errors:
# fixfiles restore
********************/sbin/setfiles: unable to stat
file /home/steve/.gvfs: Permission denied /sbin/setfiles:
error while labeling /: Permission denied /sbin/setfiles:
error while labeling /boot: Permission denied /sbin/setfiles:
error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx:
Permission denied
The /media/... is an external USB harddrive that I use for backups.
Can I ignore these errors or do they need to be resolved.
Thanks,
Steve
10:44 a.m.
On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
On Sun, 25 Apr 2010 11:04:31 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
> On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
...
> > My logwatch report gives me 20 or 30 lines of :
> >
> > NULL security context for user, but SELinux in permissive mode,
> > continuing ()
> >
> > in the cron section. Then I looked in /var/log/dmesg and I see this
> > line:
> >
> > SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
> >
> > System->Administration->SELinux Management, select SELinux User,
> > shows 8 SELinux users:
...
> >
> > OK, that looks good but when, as root, I run:
> >
> > # semanage login -l
> >
> > Login Name SELinux User MLS/MCS
> > Range
> >
> > __default__ unconfined_u
> > s0-s0:c0.c1023 root unconfined_u
> > s0-s0:c0.c1023 system_u system_u
> > s0-s0:c0.c1023
> >
> > hmmm... only 3 users. It this a problem or is it telling me that
> > only 3 SELinuux users are currently in use (ie assign to any Linux
> > user) because I'm running in permissive mode?
>
> This should not be a problem because new users get mapped under
> __default__ by default, which is mapped to unconfined_u selinux user.
>
> >
> > How can I find out which user has a "NULL security context"?
>
> Good question, my gut feeling tells me it unconfined_u but i am not
> sure.
>
> If there is no bug in Fedora 11 selinux policy then you could
> consider reinstalling the policy.
>
> The procedure for reinstalling policy is as follows.
>
> 1. setenforce 0 (put selinux in permisive mode)
> 2. rpm -ev selinux-policy selinux-policy-targeted (de-install selinux
> policy)
> 3. mv /etc/selinux/targeted /etc/selinux/targeted.backup
> (remove -backup- the old selinux policy config)
> 4. yum install
> selinux-policy selinux-policy-targeted (-re- install fresh selinux
> policy)
> 5. fixfiles restore (restore contexts)
> 6. reboot
I tried this procedure and at step 2 I also had to remove
oolicycoreutils-gui and setroubleshoot because of dependencies and then
reinstall them at step 4.
Step 5 started and bailed out with these errors:
# fixfiles restore
********************/sbin/setfiles: unable to stat
file /home/steve/.gvfs: Permission denied /sbin/setfiles:
error while labeling /: Permission denied /sbin/setfiles:
error while labeling /boot: Permission denied /sbin/setfiles:
error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx:
Permission denied
The /media/... is an external USB harddrive that I use for backups.
Can I ignore these errors or do they need to be resolved.
Looks like a couple of things didnt go the way i expected. I do not understand why
policycoreutils or setroubleshoot depends on the policy.
Anyways..
The errors look like as if selinux was enforcing or as if you were not running fixfiles
restore as root.
Please try to run fixfiles restore as root in permissive mode.
Thanks,
Steve
11:19 a.m.
On Sun, 25 Apr 2010 17:44:00 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
> On Sun, 25 Apr 2010 11:04:31 +0200
> Dominick Grift <domg472(a)gmail.com> wrote:
>
> > On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
> ...
> > > My logwatch report gives me 20 or 30 lines of :
> > >
> > > NULL security context for user, but SELinux in permissive mode,
> > > continuing ()
> > >
> > > in the cron section. Then I looked in /var/log/dmesg and I see
> > > this line:
> > >
> > > SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024
> > > cats
> > >
> > > System->Administration->SELinux Management, select SELinux User,
> > > shows 8 SELinux users:
> ...
> > >
> > > OK, that looks good but when, as root, I run:
> > >
> > > # semanage login -l
> > >
> > > Login Name SELinux User MLS/MCS
> > > Range
> > >
> > > __default__ unconfined_u
> > > s0-s0:c0.c1023 root unconfined_u
> > > s0-s0:c0.c1023 system_u system_u
> > > s0-s0:c0.c1023
> > >
> > > hmmm... only 3 users. It this a problem or is it telling me that
> > > only 3 SELinuux users are currently in use (ie assign to any
> > > Linux user) because I'm running in permissive mode?
> >
> > This should not be a problem because new users get mapped under
> > __default__ by default, which is mapped to unconfined_u selinux
> > user.
> >
> > >
> > > How can I find out which user has a "NULL security context"?
> >
> > Good question, my gut feeling tells me it unconfined_u but i am
> > not sure.
> >
> > If there is no bug in Fedora 11 selinux policy then you could
> > consider reinstalling the policy.
> >
> > The procedure for reinstalling policy is as follows.
> >
> > 1. setenforce 0 (put selinux in permisive mode)
> > 2. rpm -ev selinux-policy selinux-policy-targeted (de-install
> > selinux policy)
> > 3. mv /etc/selinux/targeted /etc/selinux/targeted.backup
> > (remove -backup- the old selinux policy config)
> > 4. yum install
> > selinux-policy selinux-policy-targeted (-re- install fresh selinux
> > policy)
> > 5. fixfiles restore (restore contexts)
> > 6. reboot
>
> I tried this procedure and at step 2 I also had to remove
> oolicycoreutils-gui and setroubleshoot because of dependencies and
> then reinstall them at step 4.
> Step 5 started and bailed out with these errors:
>
> # fixfiles restore
> ********************/sbin/setfiles: unable to stat
> file /home/steve/.gvfs: Permission denied /sbin/setfiles:
> error while labeling /: Permission denied /sbin/setfiles:
> error while labeling /boot: Permission denied /sbin/setfiles:
> error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx:
> Permission denied
>
> The /media/... is an external USB harddrive that I use for backups.
>
> Can I ignore these errors or do they need to be resolved.
Looks like a couple of things didnt go the way i expected. I do not
understand why policycoreutils or setroubleshoot depends on the
policy.
Anyways..
The errors look like as if selinux was enforcing or as if you were
not running fixfiles restore as root.
Please try to run fixfiles restore as root in permissive mode.
The previous attempt was as root and in permissive mode. I tried again:
[root@steve ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@steve ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: disabled
Policy version: 24
Policy from config file: targeted
[root@steve ~]# fixfiles
restore ********************/sbin/setfiles: unable to stat
file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission
denied
/sbin/setfiles: error while labeling /boot: Permission
denied
/sbin/setfiles: error while
labeling /media/blah-blah: Permission denied
Thanks,
Steve
1:32 p.m.
On Sun, Apr 25, 2010 at 12:19:04PM -0400, Steve Blackwell wrote:
On Sun, 25 Apr 2010 17:44:00 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
> On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
> > On Sun, 25 Apr 2010 11:04:31 +0200
> > Dominick Grift <domg472(a)gmail.com> wrote:
> >
> > > On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
> > ...
> > > > My logwatch report gives me 20 or 30 lines of :
> > > >
> > > > NULL security context for user, but SELinux in permissive mode,
> > > > continuing ()
> > > >
> > > > in the cron section. Then I looked in /var/log/dmesg and I see
> > > > this line:
> > > >
> > > > SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024
> > > > cats
> > > >
> > > > System->Administration->SELinux Management, select SELinux
User,
> > > > shows 8 SELinux users:
> > ...
> > > >
> > > > OK, that looks good but when, as root, I run:
> > > >
> > > > # semanage login -l
> > > >
> > > > Login Name SELinux User MLS/MCS
> > > > Range
> > > >
> > > > __default__ unconfined_u
> > > > s0-s0:c0.c1023 root unconfined_u
> > > > s0-s0:c0.c1023 system_u system_u
> > > > s0-s0:c0.c1023
> > > >
> > > > hmmm... only 3 users. It this a problem or is it telling me that
> > > > only 3 SELinuux users are currently in use (ie assign to any
> > > > Linux user) because I'm running in permissive mode?
> > >
> > > This should not be a problem because new users get mapped under
> > > __default__ by default, which is mapped to unconfined_u selinux
> > > user.
> > >
> > > >
> > > > How can I find out which user has a "NULL security
context"?
> > >
> > > Good question, my gut feeling tells me it unconfined_u but i am
> > > not sure.
> > >
> > > If there is no bug in Fedora 11 selinux policy then you could
> > > consider reinstalling the policy.
> > >
> > > The procedure for reinstalling policy is as follows.
> > >
> > > 1. setenforce 0 (put selinux in permisive mode)
> > > 2. rpm -ev selinux-policy selinux-policy-targeted (de-install
> > > selinux policy)
> > > 3. mv /etc/selinux/targeted /etc/selinux/targeted.backup
> > > (remove -backup- the old selinux policy config)
> > > 4. yum install
> > > selinux-policy selinux-policy-targeted (-re- install fresh selinux
> > > policy)
> > > 5. fixfiles restore (restore contexts)
> > > 6. reboot
> >
> > I tried this procedure and at step 2 I also had to remove
> > oolicycoreutils-gui and setroubleshoot because of dependencies and
> > then reinstall them at step 4.
> > Step 5 started and bailed out with these errors:
> >
> > # fixfiles restore
> > ********************/sbin/setfiles: unable to stat
> > file /home/steve/.gvfs: Permission denied /sbin/setfiles:
> > error while labeling /: Permission denied /sbin/setfiles:
> > error while labeling /boot: Permission denied /sbin/setfiles:
> > error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx:
> > Permission denied
> >
> > The /media/... is an external USB harddrive that I use for backups.
> >
> > Can I ignore these errors or do they need to be resolved.
>
> Looks like a couple of things didnt go the way i expected. I do not
> understand why policycoreutils or setroubleshoot depends on the
> policy.
>
> Anyways..
>
> The errors look like as if selinux was enforcing or as if you were
> not running fixfiles restore as root.
>
> Please try to run fixfiles restore as root in permissive mode.
The previous attempt was as root and in permissive mode. I tried again:
[root@steve ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@steve ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: disabled
Policy version: 24
Policy from config file: targeted
[root@steve ~]# fixfiles
restore ********************/sbin/setfiles: unable to stat
file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission
denied
/sbin/setfiles: error while labeling /boot: Permission
denied
/sbin/setfiles: error while
labeling /media/blah-blah: Permission denied
in /etc/selinux/config set "SELINUX=permissive"
then do: touch /.autorelabel && reboot
once rebooted change SELINUX=permissive back to SELINUX=enforcing
and setenforce 1
Thanks,
Steve
1:40 p.m.
On Sun, Apr 25, 2010 at 11:32 AM, Dominick Grift <domg472(a)gmail.com> wrote:
in /etc/selinux/config set "SELINUX=permissive"
then do: touch /.autorelabel && reboot
once rebooted change SELINUX=permissive back to SELINUX=enforcing
and setenforce 1
>
> Thanks,
> Steve
Isn't it usually simpler just to add "enforcing=0" to the kernel boot
parameters on the reboot? No fiddling with /etc/selinux/config nor
with 'setenforce'....
tom
--
Tom London
1:49 p.m.
On Sun, Apr 25, 2010 at 11:40:34AM -0700, Tom London wrote:
On Sun, Apr 25, 2010 at 11:32 AM, Dominick Grift
<domg472(a)gmail.com> wrote:
>
> in /etc/selinux/config set "SELINUX=permissive"
>
> then do: touch /.autorelabel && reboot
>
> once rebooted change SELINUX=permissive back to SELINUX=enforcing
> and setenforce 1
>
> >
> > Thanks,
> > Steve
Isn't it usually simpler just to add "enforcing=0" to the kernel boot
parameters on the reboot? No fiddling with /etc/selinux/config nor
with 'setenforce'....
I guess that depends, but either works.
tom
--
Tom London
5:35 p.m.
On Sun, 25 Apr 2010 20:32:53 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
> >
> > Please try to run fixfiles restore as root in permissive mode.
>
> The previous attempt was as root and in permissive mode. I tried
> again:
>
> [root@steve ~]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> [root@steve ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: disabled
> Policy version: 24
> Policy from config file: targeted
>
> [root@steve ~]# fixfiles
> restore ********************/sbin/setfiles: unable to stat
> file /home/steve/.gvfs: Permission denied
> /sbin/setfiles: error while labeling /: Permission
> denied
> /sbin/setfiles: error while labeling /boot: Permission
> denied
> /sbin/setfiles: error while
> labeling /media/blah-blah: Permission denied
in /etc/selinux/config set "SELINUX=permissive"
then do: touch /.autorelabel && reboot
OK, I did that and I still get these messages in /var/log/dmesg:
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:automount_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:apcupsd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:squid_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:soundd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is
not valid (left unmapped).
once rebooted change SELINUX=permissive back to SELINUX=enforcing
and setenforce 1
I have always been running in permissive mode because of the issues
I've benn experiencing but I'll try it and see how it goes.
Thanks,
Steve
2:27 a.m.
On Sun, Apr 25, 2010 at 06:35:57PM -0400, Steve Blackwell wrote:
On Sun, 25 Apr 2010 20:32:53 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
> > >
> > > Please try to run fixfiles restore as root in permissive mode.
> >
> > The previous attempt was as root and in permissive mode. I tried
> > again:
> >
> > [root@steve ~]# id
> > uid=0(root) gid=0(root)
> > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >
> > [root@steve ~]# sestatus
> > SELinux status: enabled
> > SELinuxfs mount: /selinux
> > Current mode: permissive
> > Mode from config file: disabled
> > Policy version: 24
> > Policy from config file: targeted
> >
> > [root@steve ~]# fixfiles
> > restore ********************/sbin/setfiles: unable to stat
> > file /home/steve/.gvfs: Permission denied
> > /sbin/setfiles: error while labeling /: Permission
> > denied
> > /sbin/setfiles: error while labeling /boot: Permission
> > denied
> > /sbin/setfiles: error while
> > labeling /media/blah-blah: Permission denied
>
> in /etc/selinux/config set "SELINUX=permissive"
>
> then do: touch /.autorelabel && reboot
>
OK, I did that and I still get these messages in /var/log/dmesg:
If relabeling succeeded these issues should be fixed now.
You can check by listing: "ls -alZ /etc/rc.d/init.d/mysqld"
if the type returned is mysqld_initrc_exec_t, then its fixed
if the type returned is unlabeled_t, then something went wrong.
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:automount_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:apcupsd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:squid_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:soundd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is
not valid (left unmapped).
> once rebooted change SELINUX=permissive back to SELINUX=enforcing
> and setenforce 1
I have always been running in permissive mode because of the issues
I've benn experiencing but I'll try it and see how it goes.
Thanks,
Steve
7:45 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/25/2010 06:35 PM, Steve Blackwell wrote:
On Sun, 25 Apr 2010 20:32:53 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
>>>
>>> Please try to run fixfiles restore as root in permissive mode.
>>
>> The previous attempt was as root and in permissive mode. I tried
>> again:
>>
>> [root@steve ~]# id
>> uid=0(root) gid=0(root)
>> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>> [root@steve ~]# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: permissive
>> Mode from config file: disabled
>> Policy version: 24
>> Policy from config file: targeted
>>
>> [root@steve ~]# fixfiles
>> restore ********************/sbin/setfiles: unable to stat
>> file /home/steve/.gvfs: Permission denied
>> /sbin/setfiles: error while labeling /: Permission
>> denied
>> /sbin/setfiles: error while labeling /boot: Permission
>> denied
>> /sbin/setfiles: error while
>> labeling /media/blah-blah: Permission denied
>
> in /etc/selinux/config set "SELINUX=permissive"
>
> then do: touch /.autorelabel && reboot
>
OK, I did that and I still get these messages in /var/log/dmesg:
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:automount_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:apcupsd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:squid_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:soundd_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is
not valid (left unmapped).
> once rebooted change SELINUX=permissive back to SELINUX=enforcing
> and setenforce 1
I have always been running in permissive mode because of the issues
I've benn experiencing but I'll try it and see how it goes.
Thanks,
Steve
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Steve lets make sure you have a good selinux-policy-targeted install.
# yum reinstall selinux-policy-targeted
Make sure nothing blows up.
Then execute
#fixfiles restore
You should also see no errors.
One last thing would be what file systems are you using? ext3?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkvViugACgkQrlYvE4MpobONyQCfeSVhImaZlXI9TeY8fkStBhS8
z4YAoMYoZBw1CDyhVF19SLR6OPEWqIJq
=8cuI
-----END PGP SIGNATURE-----
8:47 a.m.
On Mon, 26 Apr 2010 09:27:34 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
> > > [root@steve ~]# fixfiles
> > > restore ********************/sbin/setfiles: unable to stat
> > > file /home/steve/.gvfs: Permission denied
> > > /sbin/setfiles: error while labeling /: Permission
> > > denied
> > > /sbin/setfiles: error while labeling /boot: Permission
> > > denied
> > > /sbin/setfiles: error while
> > > labeling /media/blah-blah: Permission denied
> >
> > in /etc/selinux/config set "SELINUX=permissive"
> >
> > then do: touch /.autorelabel && reboot
> >
>
> OK, I did that and I still get these messages in /var/log/dmesg:
If relabeling succeeded these issues should be fixed now.
You can check by listing: "ls -alZ /etc/rc.d/init.d/mysqld"
if the type returned is mysqld_initrc_exec_t, then its fixed
if the type returned is unlabeled_t, then something went wrong.
The type is mysqld_initrc_exec_t so it must be fixed.
Things have definitely improved. I'm not getting streams of AVCs any
more when I open the sevices GUI. Thnk you, Dominick!
I do still have one (so far) problem though. When I tried to point my
browser at my local BackupPC server page a get an "Unable to Connect"
message and an AVC:
Raw Audit Messages :
node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied
{ write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock"
dev=dm-0
ino=36667496 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null)
Now I know I could change the context of that socket file but I'm
guessing that it gets created every time and so that is not a permanent
solution. Is there a boolean I need to set; nothing looked obvious or
perhaps a BackupPC policy I need to install?
Thanks,
Steve
8:50 a.m.
On Mon, 26 Apr 2010 08:45:28 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
Steve lets make sure you have a good selinux-policy-targeted
install.
# yum reinstall selinux-policy-targeted
Dominick has already had me reinstall a couple of selinux rpms.
My situation has definitely improved so I must have had a corrupted
policy somehow.
Make sure nothing blows up.
Then execute
#fixfiles restore
You should also see no errors.
One last thing would be what file systems are you using? ext3?
Thanks,
Steve
10:11 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/26/2010 09:47 AM, Steve Blackwell wrote:
On Mon, 26 Apr 2010 09:27:34 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
>>>> [root@steve ~]# fixfiles
>>>> restore ********************/sbin/setfiles: unable to stat
>>>> file /home/steve/.gvfs: Permission denied
>>>> /sbin/setfiles: error while labeling /: Permission
>>>> denied
>>>> /sbin/setfiles: error while labeling /boot: Permission
>>>> denied
>>>> /sbin/setfiles: error while
>>>> labeling /media/blah-blah: Permission denied
>>>
>>> in /etc/selinux/config set "SELINUX=permissive"
>>>
>>> then do: touch /.autorelabel && reboot
>>>
>>
>> OK, I did that and I still get these messages in /var/log/dmesg:
>
> If relabeling succeeded these issues should be fixed now.
> You can check by listing: "ls -alZ /etc/rc.d/init.d/mysqld"
>
> if the type returned is mysqld_initrc_exec_t, then its fixed
> if the type returned is unlabeled_t, then something went wrong.
The type is mysqld_initrc_exec_t so it must be fixed.
Things have definitely improved. I'm not getting streams of AVCs any
more when I open the sevices GUI. Thnk you, Dominick!
I do still have one (so far) problem though. When I tried to point my
browser at my local BackupPC server page a get an "Unable to Connect"
message and an AVC:
Raw Audit Messages :
node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied
{ write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock"
dev=dm-0
ino=36667496 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null)
Now I know I could change the context of that socket file but I'm
guessing that it gets created every time and so that is not a permanent
solution. Is there a boolean I need to set; nothing looked obvious or
perhaps a BackupPC policy I need to install?
Thanks,
Steve
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
What directory is the socket in?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkvVrQQACgkQrlYvE4MpobP6yACguSMgFt9DYp/cQvFUxlIIANtZ
rrgAoNMyZUbItaC96e512IR1A0IIoZZk
=0S/U
-----END PGP SIGNATURE-----
11:41 a.m.
On Mon, 26 Apr 2010 11:11:00 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> I do still have one (so far) problem though. When I tried to
point
> my browser at my local BackupPC server page a get an "Unable to
> Connect" message and an AVC:
>
> Raw Audit Messages :
> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
> denied { write } for pid=31707 comm="perl5.10.0"
> name="BackupPC.sock" dev=dm-0 ino=36667496
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>
> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> tty=(none) ses=4294967295 comm="perl5.10.0"
> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> key=(null)
>
> Now I know I could change the context of that socket file but I'm
> guessing that it gets created every time and so that is not a
> permanent solution. Is there a boolean I need to set; nothing
> looked obvious or perhaps a BackupPC policy I need to install?
>
> Thanks,
> Steve
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
What directory is the socket in?
/var/log/BackupPC
Steve
7:45 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/26/2010 12:41 PM, Steve Blackwell wrote:
On Mon, 26 Apr 2010 11:11:00 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>> I do still have one (so far) problem though. When I tried to point
>> my browser at my local BackupPC server page a get an "Unable to
>> Connect" message and an AVC:
>>
>> Raw Audit Messages :
>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
>> denied { write } for pid=31707 comm="perl5.10.0"
>> name="BackupPC.sock" dev=dm-0 ino=36667496
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>
>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>> tty=(none) ses=4294967295 comm="perl5.10.0"
>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>> key=(null)
>>
>> Now I know I could change the context of that socket file but I'm
>> guessing that it gets created every time and so that is not a
>> permanent solution. Is there a boolean I need to set; nothing
>> looked obvious or perhaps a BackupPC policy I need to install?
>>
>> Thanks,
>> Steve
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
> What directory is the socket in?
/var/log/BackupPC
Steve
The BackupPC package comes with labeling in F12/F13 of httpd_sys_content_t.
# matchpathcon /var/log/BackupPC/
/var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
Execute the following, should fix the problem
# semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
# restorecon -R -v /var/log/BackupPC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkvW3GUACgkQrlYvE4MpobMsrwCg6k7LkOJ85DZVKlsugvy7ieRQ
N/MAn0YvPOqpcOckrhNmQqXVJfsQIUJp
=Eo2t
-----END PGP SIGNATURE-----
9:57 a.m.
On Tue, 27 Apr 2010 08:45:25 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> On Mon, 26 Apr 2010 11:11:00 -0400
> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>
>
>>> I do still have one (so far) problem though. When I tried to point
>>> my browser at my local BackupPC server page a get an "Unable to
>>> Connect" message and an AVC:
>>>
>>> Raw Audit Messages :
>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
>>> denied { write } for pid=31707 comm="perl5.10.0"
>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>
>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>> key=(null)
>>>
>>> Now I know I could change the context of that socket file but I'm
>>> guessing that it gets created every time and so that is not a
>>> permanent solution. Is there a boolean I need to set; nothing
>>> looked obvious or perhaps a BackupPC policy I need to install?
>>>
>>> Thanks,
>>> Steve
>>> --
>>> selinux mailing list
>>> selinux(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>> What directory is the socket in?
>
> /var/log/BackupPC
>
> Steve
The BackupPC package comes with labeling in F12/F13 of
httpd_sys_content_t.
# matchpathcon /var/log/BackupPC/
/var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
Execute the following, should fix the problem
# semanage fcontext -a -t httpd_sys_content_t
'/var/log/BackupPC(/.*)?'
# restorecon -R -v /var/log/BackupPC
No luck.
This did relabel the files in /var/log/BackupPC
[root@steve ~]# ls -lZ /var/log/BackupPC
-r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
BackupPC.pid
srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
BackupPC.sock
...
but SELinux still won't let me access the server. I get a slightly
different but essentially the same AVC as before:
Raw Audit Messages :
node=steve.blackwell type=AVC
msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null)
So it looks to my untrained eye that we have a process with context
system_u:system_r:httpd_t:s0
trying to write to a file that has a context
system_u:object_r:httpd_sys_content_t:s0
and there is no rule to say that this is OK. Is that about right?
Thanks,
Steve
10:01 a.m.
On Tue, Apr 27, 2010 at 10:57:17AM -0400, Steve Blackwell wrote:
On Tue, 27 Apr 2010 08:45:25 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> > On Mon, 26 Apr 2010 11:11:00 -0400
> > Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> >
> >
> >>> I do still have one (so far) problem though. When I tried to point
> >>> my browser at my local BackupPC server page a get an "Unable to
> >>> Connect" message and an AVC:
> >>>
> >>> Raw Audit Messages :
> >>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
> >>> denied { write } for pid=31707 comm="perl5.10.0"
> >>> name="BackupPC.sock" dev=dm-0 ino=36667496
> >>> scontext=system_u:system_r:httpd_t:s0
> >>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
> >>>
> >>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
> >>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
> >>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
> >>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> >>> tty=(none) ses=4294967295 comm="perl5.10.0"
> >>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> >>> key=(null)
> >>>
> >>> Now I know I could change the context of that socket file but I'm
> >>> guessing that it gets created every time and so that is not a
> >>> permanent solution. Is there a boolean I need to set; nothing
> >>> looked obvious or perhaps a BackupPC policy I need to install?
> >>>
> >>> Thanks,
> >>> Steve
> >>> --
> >>> selinux mailing list
> >>> selinux(a)lists.fedoraproject.org
> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>
> >>>
> >> What directory is the socket in?
> >
> > /var/log/BackupPC
> >
> > Steve
>
> The BackupPC package comes with labeling in F12/F13 of
> httpd_sys_content_t.
>
> # matchpathcon /var/log/BackupPC/
> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>
> Execute the following, should fix the problem
>
> # semanage fcontext -a -t httpd_sys_content_t
> '/var/log/BackupPC(/.*)?'
> # restorecon -R -v /var/log/BackupPC
No luck.
This did relabel the files in /var/log/BackupPC
[root@steve ~]# ls -lZ /var/log/BackupPC
-r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
BackupPC.pid
srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
BackupPC.sock
This pid and sock need to mv to /var/run, i asked backuppc packager to do this long time
ago but for some reason not fixed yet
...
but SELinux still won't let me access the server. I get a slightly
different but essentially the same AVC as before:
Raw Audit Messages :
node=steve.blackwell type=AVC
msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null)
So it looks to my untrained eye that we have a process with context
system_u:system_r:httpd_t:s0
trying to write to a file that has a context
system_u:object_r:httpd_sys_content_t:s0
and there is no rule to say that this is OK. Is that about right?
Thanks,
Steve
10:31 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/27/2010 10:57 AM, Steve Blackwell wrote:
On Tue, 27 Apr 2010 08:45:25 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>> On Mon, 26 Apr 2010 11:11:00 -0400
>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>
>>
>>>> I do still have one (so far) problem though. When I tried to point
>>>> my browser at my local BackupPC server page a get an "Unable to
>>>> Connect" message and an AVC:
>>>>
>>>> Raw Audit Messages :
>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
>>>> denied { write } for pid=31707 comm="perl5.10.0"
>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>> scontext=system_u:system_r:httpd_t:s0
>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>
>>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
>>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>> key=(null)
>>>>
>>>> Now I know I could change the context of that socket file but I'm
>>>> guessing that it gets created every time and so that is not a
>>>> permanent solution. Is there a boolean I need to set; nothing
>>>> looked obvious or perhaps a BackupPC policy I need to install?
>>>>
>>>> Thanks,
>>>> Steve
>>>> --
>>>> selinux mailing list
>>>> selinux(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>> What directory is the socket in?
>>
>> /var/log/BackupPC
>>
>> Steve
>
> The BackupPC package comes with labeling in F12/F13 of
> httpd_sys_content_t.
>
> # matchpathcon /var/log/BackupPC/
> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>
> Execute the following, should fix the problem
>
> # semanage fcontext -a -t httpd_sys_content_t
> '/var/log/BackupPC(/.*)?'
> # restorecon -R -v /var/log/BackupPC
No luck.
This did relabel the files in /var/log/BackupPC
[root@steve ~]# ls -lZ /var/log/BackupPC
-r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
BackupPC.pid
srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
BackupPC.sock
...
but SELinux still won't let me access the server. I get a slightly
different but essentially the same AVC as before:
Raw Audit Messages :
node=steve.blackwell type=AVC
msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null)
So it looks to my untrained eye that we have a process with context
system_u:system_r:httpd_t:s0
trying to write to a file that has a context
system_u:object_r:httpd_sys_content_t:s0
and there is no rule to say that this is OK. Is that about right?
Thanks,
Steve
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
You can add the ok rule using audit2allow
# grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M
mybackuppc
# semodule -i mybackuppc.pp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkvXA20ACgkQrlYvE4MpobMO0wCgh3AtQVSiZXel4UWc5bXeHo1J
+zsAoM1omGR3Pv3nz8uwpIdTQE38/sGu
=2Y2i
-----END PGP SIGNATURE-----
10:41 a.m.
On Tue, 27 Apr 2010 17:01:26 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
On Tue, Apr 27, 2010 at 10:57:17AM -0400, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 08:45:25 -0400
> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> > > On Mon, 26 Apr 2010 11:11:00 -0400
> > > Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> > >
> > >
> > >>> I do still have one (so far) problem though. When I tried to
> > >>> point my browser at my local BackupPC server page a get an
> > >>> "Unable to Connect" message and an AVC:
> > >>>
> > >>> Raw Audit Messages :
> > >>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138):
> > >>> avc: denied { write } for pid=31707 comm="perl5.10.0"
> > >>> name="BackupPC.sock" dev=dm-0 ino=36667496
> > >>> scontext=system_u:system_r:httpd_t:s0
> > >>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
> > >>>
> > >>> node=steve.blackwell type=SYSCALL
> > >>> msg=audit(1272289200.98:138): arch=40000003 syscall=102
> > >>> success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008
> > >>> items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48
> > >>> euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> > >>> tty=(none) ses=4294967295 comm="perl5.10.0"
> > >>> exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0
> > >>> key=(null)
> > >>>
> > >>> Now I know I could change the context of that socket file but
> > >>> I'm guessing that it gets created every time and so that is
> > >>> not a permanent solution. Is there a boolean I need to set;
> > >>> nothing looked obvious or perhaps a BackupPC policy I need to
> > >>> install?
> > >>>
> > >>> Thanks,
> > >>> Steve
> > >>> --
> > >>> selinux mailing list
> > >>> selinux(a)lists.fedoraproject.org
> > >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >>>
> > >>>
> > >> What directory is the socket in?
> > >
> > > /var/log/BackupPC
> > >
> > > Steve
> >
> > The BackupPC package comes with labeling in F12/F13 of
> > httpd_sys_content_t.
> >
> > # matchpathcon /var/log/BackupPC/
> > /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
> >
> > Execute the following, should fix the problem
> >
> > # semanage fcontext -a -t httpd_sys_content_t
> > '/var/log/BackupPC(/.*)?'
> > # restorecon -R -v /var/log/BackupPC
>
> No luck.
>
> This did relabel the files in /var/log/BackupPC
>
> [root@steve ~]# ls -lZ /var/log/BackupPC
> -r--r--r--. backuppc backuppc
> system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
> srwxr-x---. backuppc backuppc
> system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
This pid and sock need to mv to /var/run, i asked backuppc packager
to do this long time ago but for some reason not fixed yet
I posted another message to the BackupPC list to try and find that
status on your request but I didn't get an answer to my first question
so I'm not holding my breath.
In the meantime, would this work as a temporary workaround?
# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.sock
# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.pid
# restorecon -R -v /var/log/BackupPC
Thanks,
Steve
10:45 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/27/2010 11:41 AM, Steve Blackwell wrote:
On Tue, 27 Apr 2010 17:01:26 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
> On Tue, Apr 27, 2010 at 10:57:17AM -0400, Steve Blackwell wrote:
>> On Tue, 27 Apr 2010 08:45:25 -0400
>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>>
>>>>
>>>>>> I do still have one (so far) problem though. When I tried to
>>>>>> point my browser at my local BackupPC server page a get an
>>>>>> "Unable to Connect" message and an AVC:
>>>>>>
>>>>>> Raw Audit Messages :
>>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138):
>>>>>> avc: denied { write } for pid=31707 comm="perl5.10.0"
>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>>
>>>>>> node=steve.blackwell type=SYSCALL
>>>>>> msg=audit(1272289200.98:138): arch=40000003 syscall=102
>>>>>> success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008
>>>>>> items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48
>>>>>> euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>>> exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0
>>>>>> key=(null)
>>>>>>
>>>>>> Now I know I could change the context of that socket file but
>>>>>> I'm guessing that it gets created every time and so that is
>>>>>> not a permanent solution. Is there a boolean I need to set;
>>>>>> nothing looked obvious or perhaps a BackupPC policy I need to
>>>>>> install?
>>>>>>
>>>>>> Thanks,
>>>>>> Steve
>>>>>> --
>>>>>> selinux mailing list
>>>>>> selinux(a)lists.fedoraproject.org
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>
>>>>>>
>>>>> What directory is the socket in?
>>>>
>>>> /var/log/BackupPC
>>>>
>>>> Steve
>>>
>>> The BackupPC package comes with labeling in F12/F13 of
>>> httpd_sys_content_t.
>>>
>>> # matchpathcon /var/log/BackupPC/
>>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>>
>>> Execute the following, should fix the problem
>>>
>>> # semanage fcontext -a -t httpd_sys_content_t
>>> '/var/log/BackupPC(/.*)?'
>>> # restorecon -R -v /var/log/BackupPC
>>
>> No luck.
>>
>> This did relabel the files in /var/log/BackupPC
>>
>> [root@steve ~]# ls -lZ /var/log/BackupPC
>> -r--r--r--. backuppc backuppc
>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
>> srwxr-x---. backuppc backuppc
>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>
> This pid and sock need to mv to /var/run, i asked backuppc packager
> to do this long time ago but for some reason not fixed yet
>
I posted another message to the BackupPC list to try and find that
status on your request but I didn't get an answer to my first question
so I'm not holding my breath.
In the meantime, would this work as a temporary workaround?
# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.sock
# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.pid
# restorecon -R -v /var/log/BackupPC
No that is wrong. httpd_sys_content_t is the
correct label. httpd_t is
a process label not a file label.
Thanks,
Steve
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkvXBoQACgkQrlYvE4MpobNenwCfUH27tXgLNEUWHh/Vr3Nr/dtC
orIAn1/qA4TX4pkGKZQhW3jTvdEFK46v
=TR96
-----END PGP SIGNATURE-----
11:18 a.m.
On Tue, 27 Apr 2010 11:31:57 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/27/2010 10:57 AM, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 08:45:25 -0400
> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>
>>>
>>>>> I do still have one (so far) problem though. When I tried to
>>>>> point my browser at my local BackupPC server page a get an
>>>>> "Unable to Connect" message and an AVC:
>>>>>
>>>>> Raw Audit Messages :
>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
>>>>> denied { write } for pid=31707 comm="perl5.10.0"
>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>
>>>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
>>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
>>>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
>>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48
>>>>> fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>> exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0
>>>>> key=(null)
>>>>>
>>>>> Now I know I could change the context of that socket file but
>>>>> I'm guessing that it gets created every time and so that is not
>>>>> a permanent solution. Is there a boolean I need to set; nothing
>>>>> looked obvious or perhaps a BackupPC policy I need to install?
>>>>>
>>>>> Thanks,
>>>>> Steve
>>>>> --
>>>>> selinux mailing list
>>>>> selinux(a)lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>
>>>>>
>>>> What directory is the socket in?
>>>
>>> /var/log/BackupPC
>>>
>>> Steve
>>
>> The BackupPC package comes with labeling in F12/F13 of
>> httpd_sys_content_t.
>>
>> # matchpathcon /var/log/BackupPC/
>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>
>> Execute the following, should fix the problem
>>
>> # semanage fcontext -a -t httpd_sys_content_t
>> '/var/log/BackupPC(/.*)?'
>> # restorecon -R -v /var/log/BackupPC
>
> No luck.
>
> This did relabel the files in /var/log/BackupPC
>
> [root@steve ~]# ls -lZ /var/log/BackupPC
> -r--r--r--. backuppc backuppc
> system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
> srwxr-x---. backuppc backuppc
> system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
> ...
>
> but SELinux still won't let me access the server. I get a slightly
> different but essentially the same AVC as before:
>
> Raw Audit Messages :
>
> node=steve.blackwell type=AVC
> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>
> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> tty=(none) ses=4294967295 comm="perl5.10.0"
> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> key=(null)
>
> So it looks to my untrained eye that we have a process with context
> system_u:system_r:httpd_t:s0
> trying to write to a file that has a context
> system_u:object_r:httpd_sys_content_t:s0
>
> and there is no rule to say that this is OK. Is that about right?
>
> Thanks,
> Steve
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
You can add the ok rule using audit2allow
# grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M
mybackuppc
# semodule -i mybackuppc.pp
OK, a little progress. Now I am getting a socket connect denial.
Will repeating the audit2allow process to correct this?
Thanks,
Steve
12:17 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/27/2010 12:18 PM, Steve Blackwell wrote:
On Tue, 27 Apr 2010 11:31:57 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/27/2010 10:57 AM, Steve Blackwell wrote:
>> On Tue, 27 Apr 2010 08:45:25 -0400
>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>>
>>>>
>>>>>> I do still have one (so far) problem though. When I tried to
>>>>>> point my browser at my local BackupPC server page a get an
>>>>>> "Unable to Connect" message and an AVC:
>>>>>>
>>>>>> Raw Audit Messages :
>>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
>>>>>> denied { write } for pid=31707 comm="perl5.10.0"
>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>>
>>>>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
>>>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
>>>>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
>>>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48
>>>>>> fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>>> exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0
>>>>>> key=(null)
>>>>>>
>>>>>> Now I know I could change the context of that socket file but
>>>>>> I'm guessing that it gets created every time and so that is
not
>>>>>> a permanent solution. Is there a boolean I need to set; nothing
>>>>>> looked obvious or perhaps a BackupPC policy I need to install?
>>>>>>
>>>>>> Thanks,
>>>>>> Steve
>>>>>> --
>>>>>> selinux mailing list
>>>>>> selinux(a)lists.fedoraproject.org
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>
>>>>>>
>>>>> What directory is the socket in?
>>>>
>>>> /var/log/BackupPC
>>>>
>>>> Steve
>>>
>>> The BackupPC package comes with labeling in F12/F13 of
>>> httpd_sys_content_t.
>>>
>>> # matchpathcon /var/log/BackupPC/
>>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>>
>>> Execute the following, should fix the problem
>>>
>>> # semanage fcontext -a -t httpd_sys_content_t
>>> '/var/log/BackupPC(/.*)?'
>>> # restorecon -R -v /var/log/BackupPC
>>
>> No luck.
>>
>> This did relabel the files in /var/log/BackupPC
>>
>> [root@steve ~]# ls -lZ /var/log/BackupPC
>> -r--r--r--. backuppc backuppc
>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
>> srwxr-x---. backuppc backuppc
>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>> ...
>>
>> but SELinux still won't let me access the server. I get a slightly
>> different but essentially the same AVC as before:
>>
>> Raw Audit Messages :
>>
>> node=steve.blackwell type=AVC
>> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
>> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>>
>> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
>> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>> tty=(none) ses=4294967295 comm="perl5.10.0"
>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>> key=(null)
>>
>> So it looks to my untrained eye that we have a process with context
>> system_u:system_r:httpd_t:s0
>> trying to write to a file that has a context
>> system_u:object_r:httpd_sys_content_t:s0
>>
>> and there is no rule to say that this is OK. Is that about right?
>>
>> Thanks,
>> Steve
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> You can add the ok rule using audit2allow
>
> # grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M
> mybackuppc
> # semodule -i mybackuppc.pp
OK, a little progress. Now I am getting a socket connect denial.
Will repeating the audit2allow process to correct this?
Thanks,
Steve
yes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkvXHBUACgkQrlYvE4MpobM04gCg4cunuKobL/5XAhhyS+UVRn+f
El4AnRpyJ2jjHqYozA6Q/XaJg99uTEqI
=UocO
-----END PGP SIGNATURE-----
1:16 p.m.
On Tue, 27 Apr 2010 13:17:09 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/27/2010 12:18 PM, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 11:31:57 -0400
> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 04/27/2010 10:57 AM, Steve Blackwell wrote:
>>> On Tue, 27 Apr 2010 08:45:25 -0400
>>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>>>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>>>
>>>>>
>>>>>>> I do still have one (so far) problem though. When I tried
to
>>>>>>> point my browser at my local BackupPC server page a get an
>>>>>>> "Unable to Connect" message and an AVC:
>>>>>>>
>>>>>>> Raw Audit Messages :
>>>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138):
>>>>>>> avc: denied { write } for pid=31707
comm="perl5.10.0"
>>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>>>
>>>>>>> node=steve.blackwell type=SYSCALL
>>>>>>> msg=audit(1272289200.98:138): arch=40000003 syscall=102
>>>>>>> success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008
>>>>>>> items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48
>>>>>>> euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>>>> exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0
>>>>>>> key=(null)
>>>>>>>
>>>>>>> Now I know I could change the context of that socket file
but
>>>>>>> I'm guessing that it gets created every time and so that
is
>>>>>>> not a permanent solution. Is there a boolean I need to set;
>>>>>>> nothing looked obvious or perhaps a BackupPC policy I need
to
>>>>>>> install?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Steve
>>>>>>> --
>>>>>>> selinux mailing list
>>>>>>> selinux(a)lists.fedoraproject.org
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>>>
>>>>>> What directory is the socket in?
>>>>>
>>>>> /var/log/BackupPC
>>>>>
>>>>> Steve
>>>>
>>>> The BackupPC package comes with labeling in F12/F13 of
>>>> httpd_sys_content_t.
>>>>
>>>> # matchpathcon /var/log/BackupPC/
>>>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>>>
>>>> Execute the following, should fix the problem
>>>>
>>>> # semanage fcontext -a -t httpd_sys_content_t
>>>> '/var/log/BackupPC(/.*)?'
>>>> # restorecon -R -v /var/log/BackupPC
>>>
>>> No luck.
>>>
>>> This did relabel the files in /var/log/BackupPC
>>>
>>> [root@steve ~]# ls -lZ /var/log/BackupPC
>>> -r--r--r--. backuppc backuppc
>>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
>>> srwxr-x---. backuppc backuppc
>>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>>> ...
>>>
>>> but SELinux still won't let me access the server. I get a slightly
>>> different but essentially the same AVC as before:
>>>
>>> Raw Audit Messages :
>>>
>>> node=steve.blackwell type=AVC
>>> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
>>> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0
ino=36667496
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>>>
>>> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
>>> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>> key=(null)
>>>
>>> So it looks to my untrained eye that we have a process with
>>> context system_u:system_r:httpd_t:s0
>>> trying to write to a file that has a context
>>> system_u:object_r:httpd_sys_content_t:s0
>>>
>>> and there is no rule to say that this is OK. Is that about right?
>>>
>>> Thanks,
>>> Steve
>>> --
>>> selinux mailing list
>>> selinux(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> You can add the ok rule using audit2allow
>>
>> # grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow
>> -M mybackuppc
>> # semodule -i mybackuppc.pp
>
> OK, a little progress. Now I am getting a socket connect denial.
> Will repeating the audit2allow process to correct this?
>
> Thanks,
> Steve
yes
I wasn't sure if running audit2allow a second time would add to
mybackuppc.pp or replace it so I ran
# grep "BackupPC.sock" /var/log/audit/audit.log | audit2allow -M
mybackuppc.pp
# semodule -i mybackuppc.pp
I also noticed a boolean called httpd_can_network_connect. This would
have worked too, correct?
Now I can connect to the server but I get a different AVC:
Raw Audit Messages :
node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied
{ read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0
ino=32931842
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
node=steve.blackwell type=SYSCALL msg=audit(1272391254.10:349):
arch=40000003 syscall=195 success=no exit=-13 a0=8d02824 a1=8b8e0c0
a2=4fbff4 a3=8b8e008 items=0 ppid=2033 pid=406 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null)
disk is a link to an external USB drive where I keep the backups
[root@steve ~]# ls -lZ /media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0
<the USB disk UUID>
lrwxrwxrwx. root root system_u:object_r:mnt_t:s0 disk ->
<the USB disk UUID>
So do I need to relabel the disk httpd_sys_content_t next?
Steve
12:27 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/27/2010 02:16 PM, Steve Blackwell wrote:
On Tue, 27 Apr 2010 13:17:09 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/27/2010 12:18 PM, Steve Blackwell wrote:
>> On Tue, 27 Apr 2010 11:31:57 -0400
>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 04/27/2010 10:57 AM, Steve Blackwell wrote:
>>>> On Tue, 27 Apr 2010 08:45:25 -0400
>>>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>>>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>>>>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>>>>
>>>>>>
>>>>>>>> I do still have one (so far) problem though. When I tried
to
>>>>>>>> point my browser at my local BackupPC server page a get
an
>>>>>>>> "Unable to Connect" message and an AVC:
>>>>>>>>
>>>>>>>> Raw Audit Messages :
>>>>>>>> node=steve.blackwell type=AVC
msg=audit(1272289200.98:138):
>>>>>>>> avc: denied { write } for pid=31707
comm="perl5.10.0"
>>>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>>>>
>>>>>>>> node=steve.blackwell type=SYSCALL
>>>>>>>> msg=audit(1272289200.98:138): arch=40000003 syscall=102
>>>>>>>> success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac
a3=9317008
>>>>>>>> items=0 ppid=2037 pid=31707 auid=4294967295 uid=48
gid=48
>>>>>>>> euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>>>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>>>>> exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0
>>>>>>>> key=(null)
>>>>>>>>
>>>>>>>> Now I know I could change the context of that socket file
but
>>>>>>>> I'm guessing that it gets created every time and so
that is
>>>>>>>> not a permanent solution. Is there a boolean I need to
set;
>>>>>>>> nothing looked obvious or perhaps a BackupPC policy I
need to
>>>>>>>> install?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Steve
>>>>>>>> --
>>>>>>>> selinux mailing list
>>>>>>>> selinux(a)lists.fedoraproject.org
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>
>>>>>>>>
>>>>>>> What directory is the socket in?
>>>>>>
>>>>>> /var/log/BackupPC
>>>>>>
>>>>>> Steve
>>>>>
>>>>> The BackupPC package comes with labeling in F12/F13 of
>>>>> httpd_sys_content_t.
>>>>>
>>>>> # matchpathcon /var/log/BackupPC/
>>>>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>>>>
>>>>> Execute the following, should fix the problem
>>>>>
>>>>> # semanage fcontext -a -t httpd_sys_content_t
>>>>> '/var/log/BackupPC(/.*)?'
>>>>> # restorecon -R -v /var/log/BackupPC
>>>>
>>>> No luck.
>>>>
>>>> This did relabel the files in /var/log/BackupPC
>>>>
>>>> [root@steve ~]# ls -lZ /var/log/BackupPC
>>>> -r--r--r--. backuppc backuppc
>>>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
>>>> srwxr-x---. backuppc backuppc
>>>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>>>> ...
>>>>
>>>> but SELinux still won't let me access the server. I get a slightly
>>>> different but essentially the same AVC as before:
>>>>
>>>> Raw Audit Messages :
>>>>
>>>> node=steve.blackwell type=AVC
>>>> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
>>>> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0
ino=36667496
>>>> scontext=system_u:system_r:httpd_t:s0
>>>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>>>>
>>>> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
>>>> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>> key=(null)
>>>>
>>>> So it looks to my untrained eye that we have a process with
>>>> context system_u:system_r:httpd_t:s0
>>>> trying to write to a file that has a context
>>>> system_u:object_r:httpd_sys_content_t:s0
>>>>
>>>> and there is no rule to say that this is OK. Is that about right?
>>>>
>>>> Thanks,
>>>> Steve
>>>> --
>>>> selinux mailing list
>>>> selinux(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> You can add the ok rule using audit2allow
>>>
>>> # grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow
>>> -M mybackuppc
>>> # semodule -i mybackuppc.pp
>>
>> OK, a little progress. Now I am getting a socket connect denial.
>> Will repeating the audit2allow process to correct this?
>>
>> Thanks,
>> Steve
> yes
I wasn't sure if running audit2allow a second time would add to
mybackuppc.pp or replace it so I ran
# grep "BackupPC.sock" /var/log/audit/audit.log | audit2allow -M
mybackuppc.pp
# semodule -i mybackuppc.pp
I also noticed a boolean called httpd_can_network_connect. This would
have worked too, correct?
Now I can connect to the server but I get a different AVC:
Raw Audit Messages :
node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied
{ read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0
ino=32931842
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
node=steve.blackwell type=SYSCALL msg=audit(1272391254.10:349):
arch=40000003 syscall=195 success=no exit=-13 a0=8d02824 a1=8b8e0c0
a2=4fbff4 a3=8b8e008 items=0 ppid=2033 pid=406 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null)
disk is a link to an external USB drive where I keep the backups
[root@steve ~]# ls -lZ /media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0
<the USB disk UUID>
lrwxrwxrwx. root root system_u:object_r:mnt_t:s0 disk ->
<the USB disk UUID>
So do I need to relabel the disk httpd_sys_content_t next?
Steve
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
You could use something like
mount -o context="system_u:object_r:httpd_sys_content_t:s0"
Which will tell mount to mount your disk with this label.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkvYcB4ACgkQrlYvE4MpobN4aQCg1OldKQ27BBTQ4yoqFax+xvTY
jLQAoJzcJsmJPDLpo2E0aGGj1KZRSFSl
=oFHJ
-----END PGP SIGNATURE-----
12:39 p.m.
On Wed, 28 Apr 2010 13:27:58 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> Now I can connect to the server but I get a different AVC:
>
> Raw Audit Messages :
> node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc:
> denied { read } for pid=406 comm="perl5.10.0" name="disk"
dev=dm-0
> ino=32931842 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
>
> node=steve.blackwell type=SYSCALL msg=audit(1272391254.10:349):
> arch=40000003 syscall=195 success=no exit=-13 a0=8d02824 a1=8b8e0c0
> a2=4fbff4 a3=8b8e008 items=0 ppid=2033 pid=406 auid=4294967295
> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> tty=(none) ses=4294967295 comm="perl5.10.0"
> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> key=(null)
>
> disk is a link to an external USB drive where I keep the backups
>
> [root@steve ~]# ls -lZ /media
> drwxr-xr-x. root root system_u:object_r:mnt_t:s0
> <the USB disk UUID>
> lrwxrwxrwx. root root system_u:object_r:mnt_t:s0 disk ->
> <the USB disk UUID>
>
> So do I need to relabel the disk httpd_sys_content_t next?
You could use something like
mount -o context="system_u:object_r:httpd_sys_content_t:s0"
Which will tell mount to mount your disk with this label.
I'm sure that would work but the disk is mounted by the automounter and
I'd have to dig into that to figure out where to put those options.
I went ahead and relabeled and it seems to be working. Now I just have
to solve the issues I was having with BackupPC when I was running in
permissive mode.
Thanks,
Steve
5111
days inactive
5116
days old
selinux@lists.fedoraproject.org
25 comments
4 participants
participants (4)
-
Daniel J Walsh -
Dominick Grift -
Steve Blackwell -
Tom London