Yeah i've got FC4 here... couldn't export a directory with samba until
I located the magic flag for the new 'chcon' tool.
I gave up on it after not being able to make an LDAP server work with
it's own DB directories and being unable to locate the magic chcon
flag.
It (SELINUX) was easily turned off with a switch in a conf file, but
it's such a pain in the ass, I don't know why it's in a "FC" style
distribution at all.
Dave
On 7/18/06, Ronald G Minnich <[email protected]> wrote:
so, on FC5 I did a standard mount -o loop xyz /mnt
cd /mnt/lib64
rm *
rsync -av /lib64/* .
rsync fails, you get kernel messages like this:
system_u:object_r:unlabeled_t:s0 tclass=dir
audit(1153270163.378:19): avc: denied { read } for pid=19059
comm="python" name="urandom" dev=tmpfs ino=1654
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270198.018:20): avc: denied { read } for pid=19065
comm="python" name="urandom" dev=tmpfs ino=1654
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270211.628:21): avc: denied { read } for pid=19067
comm="python" name="urandom" dev=tmpfs ino=1654
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270220.558:22): avc: denied { read } for pid=19068
comm="python" name="urandom" dev=tmpfs ino=1654
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=file
ah, what's it all mean?
Well, there's an easy way to find out!You can see the necessary allow
rules by running audit2why with this audit message as input.
lots of barf like this:
audit(1153270220.558:22): avc: denied { read } for pid=19068
comm="python" name="urandom" dev=tmpfs ino=1654
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=file
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean
settings; check boolean settings.
yee ha!
OF course, it is easy to fix! dmesg | audit2allow
allow mount_t unlabeled_t:filesystem { mount unmount };
allow semanage_t device_t:file read;
allow semanage_t unlabeled_t:dir search;
allow unlabeled_t fs_t:filesystem associate;
and where does that go? well, that's a great question, thanks for asking!
in /etc/selinux there is a bunch of stuff. The one you care about is this:
/etc/linux/config, and before I got much further I noticed this:
SELINUX=enforcing
is in there, easy to fix, turn all this shit OFF!
But, wow! Is this where we're all headed? I think I'm more and more
motivated to move everything I can to plan 9 .... this selinux is less
fun than a trip to the dentist. Plus, can you image the permutations of
those rule sets over time? many and varied subtleties shall appear. It's
really quite incredible.
ron
