3:06 p.m.
Running targeted/enforcing, latest Rawhide:
Get the following on boot with latest policy (selinux-policy-targeted-1.21.2-6):
Jan 22 12:57:54 localhost kernel: audit(1106427474.075:0):
security_compute_sid: invalid context user_u:system_r:crond_t for
scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:crond_exec_t tclass=process
Jan 22 12:57:54 localhost gpm[2789]: *** info [mice.c(1766)]:
Jan 22 12:57:54 localhost gpm[2789]: imps2: Auto-detected intellimouse PS/2
Jan 22 12:57:55 localhost kernel: audit(1106427475.435:0):
security_compute_sid: invalid context user_u:system_r:crond_t for
scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:anacron_exec_t tclass=process
Jan 22 12:57:55 localhost xfs[2826]: ignoring font path element
/usr/X11R6/lib/X11/fonts/Speedo (unreadable)
Jan 22 12:57:55 localhost kernel: audit(1106427475.634:0):
security_compute_sid: invalid context user_u:system_r:crond_t for
scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:crond_exec_t tclass=process
2:02 p.m.
Tom London wrote:
Running targeted/enforcing, latest Rawhide:
Get the following on boot with latest policy (selinux-policy-targeted-1.21.2-6):
Jan 22 12:57:54 localhost kernel: audit(1106427474.075:0):
security_compute_sid: invalid context user_u:system_r:crond_t for
scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:crond_exec_t tclass=process
Jan 22 12:57:54 localhost gpm[2789]: *** info [mice.c(1766)]:
Jan 22 12:57:54 localhost gpm[2789]: imps2: Auto-detected intellimouse PS/2
Jan 22 12:57:55 localhost kernel: audit(1106427475.435:0):
security_compute_sid: invalid context user_u:system_r:crond_t for
scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:anacron_exec_t tclass=process
Jan 22 12:57:55 localhost xfs[2826]: ignoring font path element
/usr/X11R6/lib/X11/fonts/Speedo (unreadable)
Jan 22 12:57:55 localhost kernel: audit(1106427475.634:0):
security_compute_sid: invalid context user_u:system_r:crond_t for
scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:crond_exec_t tclass=process
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Can you try a
make -C /etc/selinux/targeted/src/policy load
9:40 a.m.
On Mon, 24 Jan 2005 15:02:22 -0500, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
Can you try a
make -C /etc/selinux/targeted/src/policy load
Sorry, no soap. :-(
Here's a log:
[root@tlondon ~]# cd /etc/selinux/targeted
[root@tlondon targeted]# cd src/policy
[root@tlondon policy]# make -C /etc/selinux/targeted/src/policy load
make: Entering directory `/etc/selinux/targeted/src/policy'
/usr/sbin/load_policy /etc/selinux/targeted/policy/policy.18
touch tmp/load
make: Leaving directory `/etc/selinux/targeted/src/policy'
[root@tlondon ~]# cd /etc/init.d
[root@tlondon init.d]# ./crond status
crond is stopped
[root@tlondon init.d]# ./crond start
Starting crond: /etc/init.d/functions: line 148: /usr/sbin/crond:
Permission denied
[FAILED]
[root@tlondon init.d]#
Here's the AVC:
Jan 25 07:38:17 localhost kernel: audit(1106667497.815:0):
security_compute_sid: invalid context root:system_r:crond_t for
scontext=root:system_r:initrc_t
tcontext=system_u:object_r:crond_exec_t tclass=process
tom
--
Tom London
11:10 a.m.
Tom London wrote:
On Mon, 24 Jan 2005 15:02:22 -0500, Daniel J Walsh
<dwalsh(a)redhat.com> wrote:
>Can you try a
>make -C /etc/selinux/targeted/src/policy load
>
>
>
Sorry, no soap. :-(
Here's a log:
[root@tlondon ~]# cd /etc/selinux/targeted
[root@tlondon targeted]# cd src/policy
[root@tlondon policy]# make -C /etc/selinux/targeted/src/policy load
make: Entering directory `/etc/selinux/targeted/src/policy'
/usr/sbin/load_policy /etc/selinux/targeted/policy/policy.18
touch tmp/load
make: Leaving directory `/etc/selinux/targeted/src/policy'
[root@tlondon ~]# cd /etc/init.d
[root@tlondon init.d]# ./crond status
crond is stopped
[root@tlondon init.d]# ./crond start
Starting crond: /etc/init.d/functions: line 148: /usr/sbin/crond:
Permission denied
[FAILED]
[root@tlondon init.d]#
Here's the AVC:
Jan 25 07:38:17 localhost kernel: audit(1106667497.815:0):
security_compute_sid: invalid context root:system_r:crond_t for
scontext=root:system_r:initrc_t
tcontext=system_u:object_r:crond_exec_t tclass=process
tom
Ok, you need to change the policy for crond.te
--- crond.te~ 2005-01-21 16:16:11.000000000 -0500
+++ crond.te 2005-01-25 12:04:52.000000000 -0500
@@ -19,5 +19,5 @@
type sysadm_cron_spool_t, file_type, sysadmfile;
type crond_log_t, file_type, sysadmfile;
type crond_var_run_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, crond_exec_t, crond_t)
-domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
+domain_auto_trans(initrc_t, crond_exec_t, unconfined_t)
+domain_auto_trans(initrc_t, anacron_exec_t, unconfined_t)
I will update policy and throw it out on people.
selinux-policy-targeted-1.21.3-2
10:42 a.m.
On Tue, 25 Jan 2005 12:10:52 -0500, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> Ok, you need to change the policy for crond.te
--- crond.te~ 2005-01-21 16:16:11.000000000 -0500
+++ crond.te 2005-01-25 12:04:52.000000000 -0500
@@ -19,5 +19,5 @@
type sysadm_cron_spool_t, file_type, sysadmfile;
type crond_log_t, file_type, sysadmfile;
type crond_var_run_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, crond_exec_t, crond_t)
-domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
+domain_auto_trans(initrc_t, crond_exec_t, unconfined_t)
+domain_auto_trans(initrc_t, anacron_exec_t, unconfined_t)
I will update policy and throw it out on people.
selinux-policy-targeted-1.21.3-2
I updated to selinux-policy-targeted-1.21.3-3 and I think I'm still
seeing this problem:
Jan 26 08:33:18 localhost kernel: audit(1106757198.533:0):
security_compute_sid: invalid context user_u:system_r:system_crond_t
for scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:crond_exec_t tclass=process
Jan 26 08:33:20 localhost kernel: audit(1106757200.158:0):
security_compute_sid: invalid context user_u:system_r:system_crond_t
for scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:anacron_exec_t tclass=process
Jan 26 08:33:20 localhost kernel: audit(1106757200.370:0):
security_compute_sid: invalid context user_u:system_r:system_crond_t
for scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:crond_exec_t tclass=process
Jan 26 08:33:29 localhost fstab-sync[3279]: removed all generated mount points
crond.te says:
type crond_var_run_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, crond_exec_t, system_crond_t)
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
unconfined_domain(system_crond_t)
tom
tom
--
Tom London
11:08 a.m.
On Wed, 2005-01-26 at 11:42, Tom London wrote:
Jan 26 08:33:18 localhost kernel: audit(1106757198.533:0):
security_compute_sid: invalid context user_u:system_r:system_crond_t
for scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:crond_exec_t tclass=process
The error message isn't a permission denial; it is an invalid context,
e.g. the role isn't authorized for the type in the targeted policy. Got
a 'role system_r types system_crond_t;' anywhere? Likely just a failure
to transfer over all of the necessary bits from the strict policy.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
11:20 a.m.
On Wed, 26 Jan 2005 12:08:51 -0500, Stephen Smalley <sds(a)epoch.ncsc.mil> wrote:
The error message isn't a permission denial; it is an invalid
context,
e.g. the role isn't authorized for the type in the targeted policy. Got
a 'role system_r types system_crond_t;' anywhere? Likely just a failure
to transfer over all of the necessary bits from the strict policy.
Got it. The strict policy has this line, targeted does not.
tom
--
Tom London
12:37 p.m.
Tom London wrote:
On Wed, 26 Jan 2005 12:08:51 -0500, Stephen Smalley
<sds(a)epoch.ncsc.mil> wrote:
>The error message isn't a permission denial; it is an invalid context,
>e.g. the role isn't authorized for the type in the targeted policy. Got
>a 'role system_r types system_crond_t;' anywhere? Likely just a failure
>to transfer over all of the necessary bits from the strict policy.
>
>
>
>
Got it. The strict policy has this line, targeted does not.
tom
Added in selinux-policy-targeted-1.21.3-5
1:41 p.m.
Tom London wrote:
>On Wed, 26 Jan 2005 12:08:51 -0500, Stephen Smalley <sds(a)epoch.ncsc.mil>
> wrote:
>
>
>>The error message isn't a permission denial; it is an invalid context,
>>e.g. the role isn't authorized for the type in the targeted policy. Got
>>a 'role system_r types system_crond_t;' anywhere? Likely just a failure
>>to transfer over all of the necessary bits from the strict policy.
>>
>>
>>
>>
>
>Got it. The strict policy has this line, targeted does not.
>
>tom
>
>
Added in selinux-policy-targeted-1.21.3-5
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Where to get selinux-policy-targeted-1.21.3-5? When I run yum in my fc3
system, it lists only:
Available Packages
selinux-doc.noarch 1.14.1-1 base
selinux-policy-strict.noarch 1.19.10-2
updates-released
selinux-policy-strict-sources.noarch 1.19.10-2
updates-released
selinux-policy-targeted.noarch 1.17.30-2.73
updates-released
selinux-policy-targeted-sources.noarch 1.17.30-2.73
updates-released
Thanks!
Hongwei Li
2:03 p.m.
Hongwei Li wrote:
>Tom London wrote:
>
>
>
>>On Wed, 26 Jan 2005 12:08:51 -0500, Stephen Smalley <sds(a)epoch.ncsc.mil>
>>wrote:
>>
>>
>>
>>
>>>The error message isn't a permission denial; it is an invalid context,
>>>e.g. the role isn't authorized for the type in the targeted policy. Got
>>>a 'role system_r types system_crond_t;' anywhere? Likely just a
failure
>>>to transfer over all of the necessary bits from the strict policy.
>>>
>>>
>>>
>>>
>>>
>>>
>>Got it. The strict policy has this line, targeted does not.
>>
>>tom
>>
>>
>>
>>
>Added in selinux-policy-targeted-1.21.3-5
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list(a)redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
>
Where to get selinux-policy-targeted-1.21.3-5? When I run yum in my fc3
system, it lists only:
Available Packages
selinux-doc.noarch 1.14.1-1 base
selinux-policy-strict.noarch 1.19.10-2
updates-released
selinux-policy-strict-sources.noarch 1.19.10-2
updates-released
selinux-policy-targeted.noarch 1.17.30-2.73
updates-released
selinux-policy-targeted-sources.noarch 1.17.30-2.73
updates-released
Thanks!
Hongwei Li
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
No you have the correct policy. 1.21 and later are for rawhide, which
will be FC4.
You are up to date on policy so now you need to do the restorecon stuff.
Dan
7028
days inactive
7032
days old
selinux@lists.fedoraproject.org
9 comments
4 participants
participants (4)
-
Daniel J Walsh -
Hongwei Li -
Stephen Smalley -
Tom London