Hi,
1. Should I be getting denied in permissive mode?
2. How do I get ntpd working? (Also, smartd has the same problem, but they both used to work some months ago.)

[root@z ~]# getsebool -a | grep exec
allow_execheap --> on
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
allow_java_execstack --> off
httpd_ssi_exec --> on
httpd_suexec_disable_trans --> off
[root@z ~]# getenforce
Permissive
[root@z ~]# /sbin/service ntpd start
Starting ntpd: SELinux denied execmem. [FAILED]
[root@z ~]# cat /etc/fedora-release
Fedora Core release 5 (Bordeaux)
[root@z ~]# uname -a
Linux z.localdomain 2.6.20-1.2312.fc5 #1 Tue Apr 10 15:09:44 EDT 2007 i686 athlon i386 GNU/Linux
Andrew
On Wed, 2007-04-18 at 09:19 -0600, Andrew Ziem wrote:
Hi,
- Should I be getting denied in permissive mode?
No.
- How do I get ntpd working? (Also, smartd has the same problem, but they both used to work some months ago.)

[root@z ~]# getsebool -a | grep exec
allow_execheap --> on
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
allow_java_execstack --> off
httpd_ssi_exec --> on
httpd_suexec_disable_trans --> off
[root@z ~]# getenforce
Permissive
[root@z ~]# /sbin/service ntpd start
Starting ntpd: SELinux denied execmem.
Hmm...that's interesting. What is generating that message ("SELinux denied execmem")? A SELinux denial only manifests as an audit message (in /var/log/messages or /var/log/audit/audit.log) and as an error return from the kernel (with errno EACCES, but not distinguished from other potential reasons for permission denied there), so some userland component is displaying that message for you, not SELinux itself.
I'd guess that the application or script is getting an error and incorrectly assuming that it was SELinux that was the culprit, as permissive mode shouldn't deny anything.
[FAILED]
[root@z ~]# cat /etc/fedora-release
Fedora Core release 5 (Bordeaux)
[root@z ~]# uname -a
Linux z.localdomain 2.6.20-1.2312.fc5 #1 Tue Apr 10 15:09:44 EDT 2007 i686 athlon i386 GNU/Linux
Andrew
Stephen Smalley wrote:
On Wed, 2007-04-18 at 09:19 -0600, Andrew Ziem wrote:
Hi,
- Should I be getting denied in permissive mode?
No.
- How do I get ntpd working? (Also, smartd has the same problem, but they both used to work some months ago.)

[root@z ~]# getsebool -a | grep exec
allow_execheap --> on
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
allow_java_execstack --> off
httpd_ssi_exec --> on
httpd_suexec_disable_trans --> off
[root@z ~]# getenforce
Permissive
[root@z ~]# /sbin/service ntpd start
Starting ntpd: SELinux denied execmem.
Hmm...that's interesting. What is generating that message ("SELinux denied execmem")? A SELinux denial only manifests as an audit message (in /var/log/messages or /var/log/audit/audit.log) and as an error return from the kernel (with errno EACCES, but not distinguished from other potential reasons for permission denied there), so some userland component is displaying that message for you, not SELinux itself.
I'd guess that the application or script is getting an error and incorrectly assuming that it was SELinux that was the culprit, as permissive mode shouldn't deny anything.
Apparently, the binaries were corrupt. The problem was solved by:
rpm -e --nodeps ntp hal-cups-utils; yum -y install ntp hal-cups-utils
(Also affected was cups-config-daemon in hal-cups-utils.)
Anyway, sorry for the noise.
Andrew
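
Stephen Smalley's point in the reply above, that a real SELinux denial always leaves an audit record, can be turned into a quick check. The following is an added example, not code from the thread: the function names avc_denials_for and selinux_denied are hypothetical, and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): check whether SELinux itself logged
# a denial before trusting an error message that blames it.

# Constructed records in audit.log style; all values are illustrative only.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1176909560.101:41): avc:  denied  { read } for  pid=2101 comm="smartd" name="sda" dev=tmpfs ino=1402 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
type=AVC msg=audit(1176909584.220:45): avc:  denied  { execmem } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
Apr 18 09:19:50 z ntpd[2400]: constructed non-AVC line that must be ignored
EOF
}

# Read log records on stdin; for each AVC denial logged for command $1,
# print "perms tclass scontext" (several perms are joined with commas).
avc_denials_for() {
    awk -v want="comm=\"$1\"" '
        /avc: +denied/ {
            hit = 0; perm = ""; tclass = ""; scon = ""
            for (i = 1; i <= NF; i++) {
                if ($i == want) hit = 1
                if ($i == "{")
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = perm (perm ? "," : "") $j
                if ($i ~ /^tclass=/) tclass = substr($i, 8)
                if ($i ~ /^scontext=/) scon = substr($i, 10)
            }
            if (hit) print perm, tclass, scon
        }'
}

# Succeed (and print the matches) only if a denial of permission $2 was
# logged for command $1; fail if the log on stdin holds no such record.
selinux_denied() {
    avc_denials_for "$1" | awk -v p="$2" '
        { n = split($1, a, ",")
          for (k = 1; k <= n; k++) if (a[k] == p) { print; found = 1 } }
        END { exit !found }'
}

if sample_log | selinux_denied ntpd execmem; then
    echo "SELinux logged an execmem denial for ntpd"
else
    echo "no AVC record for ntpd/execmem: the error came from somewhere else"
fi
```

On a live system, feed it /var/log/audit/audit.log or /var/log/messages on stdin in place of sample_log.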