Hi,
I would like to know if there is any workaround to keep
SELINUX=enforcing on both the image server and client (running CentOS 5)?
Searching mailing lists I found several posts suggesting disabling
SELinux (SELINUX=disabled), but I would like to know if this
also concerns the new version of SystemImager (svn version?).
At the very bottom of this mail you will find the errors encountered when
trying to keep SystemImager and SELINUX=enforcing.
These errors "enforced" me to keep the following configuration,
which seems to allow cloning of clients:
- the server x86_64 with selinux-policy-2.4.6-30.el5, rsync-2.6.8-3.1,
dhcp-3.0.5-5.el5, tftp-server-0.42-3.1.el5.centos,
systemimager-server-3.8.2-1 (etc.).
Has (/etc/selinux/config) SELINUX=permissive and SELINUXTYPE=targeted.
- the golden client i386, X installed,
has SELINUX=enforcing and SELINUXTYPE=targeted.
When booting a freshly cloned client, in the graphical mode, as root:
session_child_run:: could not exec /etc/X11/xinit/session default
and SELinux complains about TEXTREL from this driver:
eu-readelf -d /usr/lib/dri/r128_dri.so | grep TEXTREL
but allowing this:
chcon -t textrel_shlib_t /usr/lib/dri/r128_dri.so
does not solve the "session_child_run" problem, so finally, running:
touch /.autorelabel; reboot
helps.
Thanks for any comments concerning SystemImager and SELINUX=enforcing.
Best regards,
Marcin
Below you find the errors when cloning a client with SELINUX=enforcing:
1.
Oct 9 18:50:31 dulak-server rsyncd[3462]: rsync: failed to open
log-file /var/log/systemimager/rsyncd: Permission denied (13)
Fix:
Unknown
2.
Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is
preventing /usr/bin/rsync (rsync_t) "create" access to <Unknown> (rsync_t).
For complete SELinux messages. run sealert -l
2e645de0-d434-49ca-91ff-6395d6fea367
Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is
preventing /usr/bin/rsync (rsync_t) "create" access to <Unknown> (rsync_t).
For complete SELinux messages. run sealert -l
2e645de0-d434-49ca-91ff-6395d6fea367
Fix:
Unknown
3.
Oct 9 17:09:34 dulak-server rsyncd[3580]: rsync: link_stat
"/i386/standard/boel_binaries.tar.gz" (in boot) failed: Permission denied (13)
Oct 9 17:09:34 dulak-server rsyncd[3580]: rsync error: some files
could not be transferred (code 23) at main.c(615) [sender=2.6.8]
Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is
preventing rsync (/usr/bin/rsync) "getattr" to
/i386/standard/boel_binaries.tar.gz (usr_t). For complete SELinux
messages. run sealert -l c600bb88-a1d5-46ec-aed6-b039e797a5bf
Fix:
chcon -t rsync_data_t /usr/share/systemimager/boot/i386/standard/boel_binaries.tar.gz
4.
Oct 10 11:24:51 dulak-server rsyncd[10421]: rsync: chroot
/var/lib/systemimager/scripts failed: Permission denied (13)
Oct 10 11:24:53 dulak-server setroubleshoot: SELinux is
preventing rsync (/usr/bin/rsync) "search" to lib (var_lib_t). For
complete SELinux messages. run sealert -l 97f69c1b-87ac-42d0-a066-131f2ec11556
Fix:
chcon -t rsync_data_t /var/lib
chcon -R -h -t rsync_data_t /var/lib/systemimager
5.
Lots of errors similar to this one; this happens during rsync of the image:
Oct 10 12:43:27 dulak-server rsyncd[10635]: rsync: opendir
"/var/lib/dav" (in x.dulak-cluster) failed: Permission denied (13)
Fix:
Unknown
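
An added example, not part of the original message: a small Python triage script for the two log formats quoted above. It collapses repeated setroubleshoot alerts into one entry per `sealert -l` ID and lists the rsyncd "Permission denied (13)" errors with their rsync module. The function and variable names are assumptions of this example; the sample lines are the ones from the message with the e-mail line wraps joined.

```python
import re

# Log lines taken from the message above, with the e-mail line wraps joined.
SAMPLE_LOG = """\
Oct 9 18:50:31 dulak-server rsyncd[3462]: rsync: failed to open log-file /var/log/systemimager/rsyncd: Permission denied (13)
Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is preventing /usr/bin/rsync (rsync_t) "create" access to <Unknown> (rsync_t). For complete SELinux messages. run sealert -l 2e645de0-d434-49ca-91ff-6395d6fea367
Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is preventing /usr/bin/rsync (rsync_t) "create" access to <Unknown> (rsync_t). For complete SELinux messages. run sealert -l 2e645de0-d434-49ca-91ff-6395d6fea367
Oct 9 17:09:34 dulak-server rsyncd[3580]: rsync: link_stat "/i386/standard/boel_binaries.tar.gz" (in boot) failed: Permission denied (13)
Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is preventing rsync (/usr/bin/rsync) "getattr" to /i386/standard/boel_binaries.tar.gz (usr_t). For complete SELinux messages. run sealert -l c600bb88-a1d5-46ec-aed6-b039e797a5bf
Oct 10 11:24:51 dulak-server rsyncd[10421]: rsync: chroot /var/lib/systemimager/scripts failed: Permission denied (13)
Oct 10 11:24:53 dulak-server setroubleshoot: SELinux is preventing rsync (/usr/bin/rsync) "search" to lib (var_lib_t). For complete SELinux messages. run sealert -l 97f69c1b-87ac-42d0-a066-131f2ec11556
Oct 10 12:43:27 dulak-server rsyncd[10635]: rsync: opendir "/var/lib/dav" (in x.dulak-cluster) failed: Permission denied (13)
"""

# Both setroubleshoot phrasings seen above: '"perm" access to X (type)' and '"perm" to X (type)'.
ALERT_RE = re.compile(
    r'setroubleshoot: SELinux is preventing (?P<source>.+?) "(?P<perm>\w+)" '
    r'(?:access )?to (?P<target>.+?) \((?P<ttype>\w+)\)\..*?sealert -l (?P<id>[0-9a-f-]{36})')
DENIED_RE = re.compile(
    r'rsyncd\[\d+\]: rsync: (?P<detail>.+?)(?: failed)?: Permission denied \(13\)')
MODULE_RE = re.compile(r' \(in (?P<module>[^)]+)\)')

def summarize(log_text):
    """Return (alerts, denials): unique alerts with repeat counts, and rsyncd EACCES lines."""
    alerts, denials = {}, []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            # Key on the sealert ID so a repeated alert is counted, not listed twice.
            entry = alerts.setdefault(m["id"], dict(m.groupdict(), count=0))
            entry["count"] += 1
            continue
        m = DENIED_RE.search(line)
        if m:
            mod = MODULE_RE.search(m["detail"])
            denials.append({"detail": MODULE_RE.sub("", m["detail"]),
                            "module": mod["module"] if mod else None})
    return list(alerts.values()), denials

if __name__ == "__main__":
    alerts, denials = summarize(SAMPLE_LOG)
    for a in alerts:
        print(f'{a["count"]}x {a["perm"]:8} {a["target"]} ({a["ttype"]}) -> sealert -l {a["id"]}')
    for d in denials:
        print(f'rsyncd EACCES: {d["detail"]} [module: {d["module"]}]')
```
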