[EMAIL PROTECTED] wrote:
> Hi,
>
> I would like to know if there is any workaround to keep
> SELINUX=enforcing on both the image server and client (running CentOS 5)?
> Searching mailing lists I found several posts suggesting disabling
> SElinux (SElinux=disabled), but I would like to know if this
> concerns also the new version of systemimager (svn version?).
>
> At the very bottom of this mail you will find the errors encountered when
> trying to keep systemimager and SElinux=enforcing.
> These errors "enforced" me to keep the following configuration,
> which seems to allow cloning of clients:
> - the server x86_64 with selinux-policy-2.4.6-30.el5, rsync-2.6.8-3.1,
>   dhcp-3.0.5-5.el5, tftp-server-0.42-3.1.el5.centos,
>   systemimager-server-3.8.2-1 (etc.).
>   Has (/etc/selinux/config) SELINUX=permissive and SELINUXTYPE=targeted.
> - the golden client i386, X installed,
>   has SELINUX=enforcing and SELINUXTYPE=targeted.
>
> When booting a freshly cloned client, in the graphical mode, as root:
>
> session_child_run:: could not exec /etc/X11/xinit/session default
>
> and SElinux complains about TEXTREL from this driver:
>
> eu-readelf -d /usr/lib/dri/r128_dri.so | grep TEXTREL
>
> but allowing this:
>
> chcon -t textrel_shlib_t /usr/lib/dri/r128_dri.so
>
> does not solve "session_child_run" problem, so finally, running:
>
> touch /.autorelabel; reboot
>
> helps.

Marcin, sorry, but I consider myself totally incompetent in SELinux
stuff, so don't expect any useful hint from me... :-)

I'll try to help you anyway... have you tried to add the commands above to a
post-install script (see /var/lib/systemimager/scripts/post-install/README)?
This should resolve the problem in the freshly installed clients.

> Below you find the errors when cloning a client with SElinux=enforcing:
>
> 1.
> Oct 9 18:50:31 dulak-server rsyncd[3462]: rsync: failed to open log-file /var/log/systemimager/rsyncd: Permission denied (13)
>
> Fix:
>
> Unknown

The rsyncd daemon used by SystemImager needs to write the logs to
/var/log/systemimager/rsyncd (and systemimager-server-netbootmond reads from
it, if you need to use the netbootmond feature). I don't know how to translate
this in SELinux language...

>
> 2.
> Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is preventing /usr/bin/rsync (rsync_t) "create" access to <Unknown> (rsync_t). For complete SELinux messages. run sealert -l 2e645de0-d434-49ca-91ff-6395d6fea367
> Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is preventing /usr/bin/rsync (rsync_t) "create" access to <Unknown> (rsync_t). For complete SELinux messages. run sealert -l 2e645de0-d434-49ca-91ff-6395d6fea367
>
> Fix:
>
> Unknown

No idea.

>
> 3.
> Oct 9 17:09:34 dulak-server rsyncd[3580]: rsync: link_stat "/i386/standard/boel_binaries.tar.gz" (in boot) failed: Permission denied (13)
> Oct 9 17:09:34 dulak-server rsyncd[3580]: rsync error: some files could not be transferred (code 23) at main.c(615) [sender=2.6.8]
> Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is preventing rsync (/usr/bin/rsync) "getattr" to /i386/standard/boel_binaries.tar.gz (usr_t). For complete SELinux messages. run sealert -l c600bb88-a1d5-46ec-aed6-b039e797a5bf
>
> Fix:
>
> chcon -t rsync_data_t /usr/share/systemimager/boot/i386/standard/boel_binaries.tar.gz
>

OK.

> 4.
> Oct 10 11:24:51 dulak-server rsyncd[10421]: rsync: chroot /var/lib/systemimager/scripts failed: Permission denied (13)
> Oct 10 11:24:53 dulak-server setroubleshoot: SELinux is preventing rsync (/usr/bin/rsync) "search" to lib (var_lib_t). For complete SELinux messages. run sealert -l 97f69c1b-87ac-42d0-a066-131f2ec11556
>
> Fix:
>
> chcon -t rsync_data_t /var/lib
> chcon -R -h -t rsync_data_t /var/lib/systemimager
>

OK.

> 5.
>
> lots of similar to this one, this happens during rsync of the image:
>
> Oct 10 12:43:27 dulak-server rsyncd[10635]: rsync: opendir "/var/lib/dav" (in x.dulak-cluster) failed: Permission denied (13)
>
> Fix:
>
> Unknown
>

No idea.

It would be great to collect a list of commands to be executed both on the
image server and on the client after the auto-installation, in order to
enable SELinux support for systemimager in 2 scripts: a server-side script and
a post-install script for the clients.

Does anyone have other useful info?

-Andrea
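
Added example, not part of the original e-mail: a Python script that extracts the distinct SELinux denials from setroubleshoot lines like the ones quoted above and groups them by the type of the refused object, as input for the command list Andrea asks for. The sample lines are copied from the thread with wrapped lines rejoined; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: log lines quoted in the thread above (wrapped lines rejoined).
SAMPLE_LOG = """\
Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is preventing /usr/bin/rsync (rsync_t) "create" access to <Unknown> (rsync_t). For complete SELinux messages. run sealert -l 2e645de0-d434-49ca-91ff-6395d6fea367
Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is preventing /usr/bin/rsync (rsync_t) "create" access to <Unknown> (rsync_t). For complete SELinux messages. run sealert -l 2e645de0-d434-49ca-91ff-6395d6fea367
Oct 9 19:09:36 dulak-server setroubleshoot: SELinux is preventing rsync (/usr/bin/rsync) "getattr" to /i386/standard/boel_binaries.tar.gz (usr_t). For complete SELinux messages. run sealert -l c600bb88-a1d5-46ec-aed6-b039e797a5bf
Oct 10 11:24:51 dulak-server rsyncd[10421]: rsync: chroot /var/lib/systemimager/scripts failed: Permission denied (13)
Oct 10 11:24:53 dulak-server setroubleshoot: SELinux is preventing rsync (/usr/bin/rsync) "search" to lib (var_lib_t). For complete SELinux messages. run sealert -l 97f69c1b-87ac-42d0-a066-131f2ec11556
"""

# Matches both message shapes seen in the thread:
#   preventing /usr/bin/rsync (rsync_t) "create" access to <Unknown> (rsync_t).
#   preventing rsync (/usr/bin/rsync) "getattr" to /path (usr_t).
DENIAL = re.compile(
    r'setroubleshoot: SELinux is preventing (?P<subject>.+?) '
    r'"(?P<access>\w+)" (?:access )?to (?P<target>.+?) \((?P<ttype>\w+)\)\.'
    r'.*?sealert -l (?P<alert>[0-9a-f-]{36})'
)

def parse_denials(text):
    """Return one dict per distinct sealert id, in first-seen order."""
    seen, denials = set(), []
    for line in text.splitlines():
        m = DENIAL.search(line)
        if not m or m["alert"] in seen:
            continue  # not a setroubleshoot denial, or a repeat of one already seen
        seen.add(m["alert"])
        denials.append(m.groupdict())
    return denials

def by_target_type(denials):
    """Group denials by the SELinux type of the object that was refused."""
    groups = defaultdict(list)
    for d in denials:
        groups[d["ttype"]].append((d["access"], d["target"]))
    return dict(groups)

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(f'{d["ttype"]:10} {d["access"]:8} {d["target"]:40} sealert -l {d["alert"]}')
```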
