Re: Docker storage on Fedora 25?

2016-12-28 Thread Daniel J Walsh


On 12/27/2016 10:55 AM, Dave Johansen wrote:
> On Tue, Dec 27, 2016 at 5:16 AM, Daniel J Walsh <dwa...@redhat.com> wrote:
>
>
>
> On 12/26/2016 08:39 PM, Matthew Miller wrote:
> > On Mon, Dec 26, 2016 at 12:37:46PM -0700, Dave Johansen wrote:
> >> http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/
> >> Does the above recommendation still hold true with Fedora 25/Docker 1.12.5?
> >> If so, is the configuration the same?
> > Quick glance, yeah, looks still basically right. You have a new option,
> > overlay2, which is a newer Docker driver for OverlayFS and generally
> > preferred. See
> > https://docs.docker.com/engine/userguide/storagedriver/selectadriver/
>
>  
> F25 now uses docker-storage-setup, so the right way to select the
> driver was a bit different, but these instructions show how to do it:
> https://access.redhat.com/documentation/en/red-hat-enterprise-linux-atomic-host/7/paged/managing-containers/chapter-1-managing-storage-with-docker-formatted-containers#overlay_graph_driver
>
> > *But*, I'm not sure offhand if SELinux support is complete -- I know it
> > *was being worked on.
> >
> SELinux should work fine on F25.  We are working to change the default
> in F26 to the overlay2 driver.
>
>
> That's good to hear. Do I need to add the :z or :Z when mounting a
> host directory for SELinux to work? If so, will that cause any
> problems when running on Mac/Windows?
>
If you want to share the volume on an SELinux system then you need :z
and :Z, on a non SELinux system these options will be ignored.  If you
are using a docker client on Mac/Windows and a docker daemon on an
SELinux system, then these options should work fine.
> Thanks for the help,
> Dave

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
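The :z / :Z distinction Dan describes above comes down to SELinux MCS categories: a volume relabeled with :z gets a level with no categories, so every container's label dominates it, while :Z stamps the directory with the one container's own categories. The model below is an added example, not code from the thread or from Docker; it assumes the relabeled type is svirt_sandbox_file_t (the type Fedora's Docker policy of that era used for volumes) and keeps the user and role fields unchanged, which simplifies what docker itself does. The container levels and the host directory label are constructed sample values.

```python
import re

# Assumption for this example: the type Docker on Fedora of that era put on
# relabeled volumes (svirt_sandbox_file_t); user and role are carried over
# unchanged, which is a simplification of what docker does.
VOLUME_TYPE = "svirt_sandbox_file_t"


def parse_context(ctx):
    """Split 'user:role:type:level' into its four fields. The level itself
    may contain a colon (s0:c1,c2), so split at most three times."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def categories(level):
    """Return the MCS category set of a level such as 's0:c12,c345' or
    's0:c0.c1023' (a range). A bare 's0' carries no categories."""
    sens, _, cat_field = level.partition(":")
    if sens != "s0":
        raise ValueError(f"unexpected sensitivity {sens!r} (MCS uses s0 only)")
    cats = set()
    for item in filter(None, cat_field.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not m:
            raise ValueError(f"bad category {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def mcs_allows(process_level, file_level):
    """MCS dominance: a process may access a file only when its category set
    is a superset of the file's. A file at plain s0 is therefore reachable
    from every container; a file carrying one container's private categories
    is reachable only from that container."""
    return categories(process_level) >= categories(file_level)


def relabel_for_volume(file_ctx, container_level, mode):
    """Model what the :z (shared) and :Z (private) volume options do to a
    host directory's label."""
    c = parse_context(file_ctx)
    if mode == "z":
        level = "s0"              # shared: drop all categories
    elif mode == "Z":
        level = container_level   # private: this container's own categories
    else:
        raise ValueError("mode must be 'z' (shared) or 'Z' (private)")
    return f"{c['user']}:{c['role']}:{VOLUME_TYPE}:{level}"


def who_can_access(file_ctx, containers):
    """Given a labeled path and {name: process level}, list the containers
    MCS would let touch it (type enforcement is assumed to permit it)."""
    file_level = parse_context(file_ctx)["level"]
    return sorted(name for name, lvl in containers.items()
                  if mcs_allows(lvl, file_level))


if __name__ == "__main__":
    # Constructed sample: a host directory and two running containers.
    host_dir = "unconfined_u:object_r:user_home_t:s0"
    running = {"web": "s0:c101,c202", "db": "s0:c303,c404"}
    for mode in ("z", "Z"):
        new_label = relabel_for_volume(host_dir, running["web"], mode)
        print(f":{mode} -> {new_label}  accessible from {who_can_access(new_label, running)}")
```

On a host without SELinux there is no level to compare, which is why the options are simply ignored there; a Mac or Windows client only forwards the flag to the daemon, so the relabel happens wherever the daemon runs.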


Re: Docker storage on Fedora 25?

2016-12-27 Thread Daniel J Walsh


On 12/26/2016 08:39 PM, Matthew Miller wrote:
> On Mon, Dec 26, 2016 at 12:37:46PM -0700, Dave Johansen wrote:
>> http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/
>> Does the above recommendation still hold true with Fedora 25/Docker 1.12.5?
>> If so, is the configuration the same?
> Quick glance, yeah, looks still basically right. You have a new option,
> overlay2, which is a newer Docker driver for OverlayFS and generally
> preferred. See
> https://docs.docker.com/engine/userguide/storagedriver/selectadriver/
>
> *But*, I'm not sure offhand if SELinux support is complete -- I know it
> *was being worked on.
>
SELinux should work fine on F25.  We are working to change the default
in F26 to the overlay2 driver.


Re: Apache Authentication with System Accounts?

2016-12-24 Thread Daniel J Walsh


On 12/23/2016 05:38 PM, Aero Maxx D wrote:
>> On 23 Dec 2016, at 21:19, Matthew Miller  wrote:
>>
>> Oh, just to check -- any SELinux AVC logged? From the mod_authnz_pam
>> page, you need to do `sudo setsebool -P allow_httpd_mod_auth_pam 1`.
>>
>> Other than that, anything at all else logged?
> Yeah I've done that still the same as before.
>
> mod_authnz_pam: PAM authentication failed for user <>: 
> Authentication failure
>
> user <>: authentication failure for "/": Password Mismatch.
If you put SELinux in permissive mode does it work?  If not, then it is
most likely NOT an SELinux issue.


Re: SELinux forces Fedora 25 upgrade into a reboot loop

2016-11-28 Thread Daniel J Walsh


On 11/25/2016 01:28 PM, Sam Varshavchik wrote:
> Patrick O'Callaghan writes:
>
>> On Fri, 2016-11-25 at 11:08 -0500, Sam Varshavchik wrote:
>> > Wondering if all upgrades with selinux enabled are broken, or just
>> something 
>> > with this particular laptop. This doesn't look like a system-specific 
>> > failure to me, but if all upgrades with enforcing selinux blow up
>> like this, 
>> > I would've expected a lot of noise in here, by now… More details in
>> bug 
>> > 1398696.
>>
>> My system has been enforcing for at least the last 5 versions (possibly
>> more), and I had no problem with this.
>
> What output do you get from:
>
> ls -alZd /var/lib/dnf/system-upgrade
>
> On the one with the problem I get:
>
> drwxr-xr-x. 2 root root unconfined_u:object_r:user_tmp_t:s0 233472 Nov
> 25 10:31 /var/lib/dnf/system-upgrade
>
user_tmp_t means that it was created by a user process in /tmp or
/var/tmp and then mv'd to /var/lib/dnf.

> Now, another one of my laptops shows:
>
> drwxr-xr-x. 2 root root unconfined_u:object_r:rpm_var_lib_t:s0 221184
> Nov 23 16:09 system-upgrade
>
> However that laptop was already running in permissive mode. Still,
> according to rpm:
>
> file /var/lib/dnf/system-upgrade is not owned by any package
>
> After rmdir-ing and mkdir-ing /var/lib/dnf/system-upgrade its selinux
> context is changed to unconfined_u:object_r:rpm_var_lib_t:s0, so I
> think that's where the problem was. Unclear how the former selinux
> context was what it was.
>
Just running

restorecon -R -v /var/lib/dnf

would have fixed the problem.



Re: Running docker images crashing F25?

2016-09-17 Thread Daniel J Walsh


On 09/16/2016 11:22 PM, Philip Rhoades wrote:
> People,
>
> I couldn't find a specific docker Fedora list so I am posting here -
> feel free to tell me a more appropriate list . .
>
> I decided to live on the edge and did a bare-metal install of F25
> x86_64 a little while ago - it has been going pretty smoothly but in
> the last few days I have been playing around with docker again
> (specifically: cprogrammer/indimail:fedora-23 ie a qmail server) and I
> have had a few spontaneous reboots - one that locked up at a BIOS
> splash screen.
>
> Is this something I should be helping to debug somehow?  I just did a
> full "dnf update" before the last couple of crashes . .
>
> Thanks,
>
> Phil.
I have no idea why docker would be causing this, seems like a bad kernel
or this is a very evil docker image.  :^)

I run Rawhide and have been having no problems.


FYI: systemd as pid one on an unprivileged container.

2016-09-13 Thread Daniel J Walsh
http://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@lists.fedoraproject.org
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Fedora 23 Server: can't startx

2016-03-30 Thread Daniel J Walsh



On 03/30/2016 12:06 PM, Braden McDaniel wrote:

I have a fresh, updated install of Fedora 23 Server.  After
installation, I installed the "Basic Desktop" group.  Now, when I try to
run startx, it fails with the error:

 xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)

Where should I look to diagnose/resolve this?  Could this be related to
the fact that my home directories are NFS mounted?  (I have set the
use_nfs_home_dirs SELinux setting to "on".)


What AVC's are you seeing?

ausearch -m avc -ts recent




Re: PulseAudio

2016-03-28 Thread Daniel J Walsh



On 03/25/2016 12:49 PM, Joe Zeff wrote:

On 03/25/2016 06:58 AM, Richard Ibbotson wrote:

On Friday 25 March 2016 09:41:05 Daniel J Walsh wrote:

What avcs are you seeing

ausearch -m avc -ts recent






Well, that just about proves that SELinux isn't involved, doesn't it?

Well maybe.  Could you get this error to happen again, and then run the
ausearch command. You could also check to see if it happens with setenforce 0.


Re: PulseAudio

2016-03-25 Thread Daniel J Walsh



On 03/25/2016 09:20 AM, Richard Ibbotson wrote:

Hi

I know a lot of people don't like PulseAudio but that's what comes
with Fedora 23. My problem is this. After a dnf update I find that
selinux has done something it didn't do before. PulseAudio has ceased
to work properly. I'm looking at a dummy output the sound card is not
found by PulseAudio in my workstation.

I've tried to set permissions for PulseAudio in selinux. This allowed
the sound server to start up when I did 'service pulseaudio restart' .
Then there was some kind of error message about some keys not being
created. Still no sound.

I've seen this somewhere before but can't find it on the internet with
a search. Tried the PulseAudio site. Can anyone point me in the right
direction with this ? Also tried man pulseaudio. Nothing useful there


What avcs are you seeing

ausearch -m avc -ts recent




Re: Discourse - DeviceMapper causing corruption?

2016-03-21 Thread Daniel J Walsh

Do we have bugzillas with these Spectacular failures?

On 03/21/2016 03:03 PM, Philip Rhoades wrote:

People,

I had a couple of issues to sort out with installing the Docker 
Discourse app and while that was being done people made these comments:


"Devicemapper is non starter, fails spectacularly under load and 
causes corruption. We block setup if we detect devicemapper. You need 
aufs or another better supported docker filesystem."


- which was not true - it did install without resorting to aufs.

also:

"Redhat team get very upset when we mention that it just does not work 
for us, but release after release they say there are no bugs left, and 
each time we keep seeing Discourse users complain about corruption due 
to device mapper."


Any comments?

Thanks,

Phil.




Re: SELinux is preventing rsyslogd from getattr access on the file

2015-10-22 Thread Daniel J Walsh
Looks like it wants you to fix your labels on /var/log

restorecon -R -v /var/log


On 10/22/2015 11:00 AM, Neal Becker wrote:
> Oct 22 10:59:22 nbecker2 setroubleshoot: Plugin Exception restorecon_source
> Oct 22 10:59:22 nbecker2 setroubleshoot: SELinux is preventing rsyslogd from 
> getattr access on the file 
> /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~. For complete SELinux messages. run sealert -l 
> e90ea6c1-782b-49f6-8eee-23d630f05551
> Oct 22 10:59:22 nbecker2 python: SELinux is preventing rsyslogd from getattr 
> access on the file 
> /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~.#012#012*  Plugin restorecon (94.8 confidence) 
> suggests   #012#012If you want to fix the label. 
> #012/var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~ default label should be var_log_t.#012Then you can 
> run restorecon.#012Do#012# /sbin/restorecon -v 
> /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~#012#012*  Plugin catchall_labels (5.21 
> confidence) suggests   ***#012#012If you want to allow 
> rsyslogd to have getattr access on the user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~ file#012Then you need to change the label on 
> /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~#012Do#012# semanage fcontext -a -t FILE_TYPE 
> '/var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~'#012where FILE_TYPE is one of the following: 
> NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, 
> abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, 
> acct_data_t, admin_crontab_tmp_t, afs_logfile_t, aide_log_t, alsa_tmp_t, 
> amanda_log_t, amanda_tmp_t, antivirus_log_t, antivirus_tmp_t, apcupsd_log_t, 
> apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, 
> asterisk_tmp_t, auditadm_sudo_tmp_t, auth_cache_t, automount_tmp_t, 
> awstats_tmp_t, bacula_log_t, bacula_tmp_t, bin_t, bitlbee_log_t, 
> bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t, 
> bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, 
> boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, calamaris_log_t, 
> callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, 
> ccs_var_log_t, cdcc_tmp_t, cert_t, certmaster_var_log_t, cfengine_log_t, 
> cgred_log_t, checkpc_log_t, chrome_sandbox_tmp_t, chronyd_var_log_t, 
> cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t, 
> cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, 
> cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, 
> cobbler_tmp_t, cobbler_var_log_t, cockpit_tmp_t, collectd_script_tmp_t, 
> colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, 
> condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, conman_tmp_t, 
> consolekit_log_t, couchdb_log_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, 
> cron_log_t, crond_tmp_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, 
> cups_pdf_tmp_t, cupscloudprint_log_t, cupsd_log_t, cupsd_lpd_tmp_t, 
> cupsd_tmp_t, cvs_tmp_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, 
> dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, 
> dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, 
> deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, devicekit_tmp_t, 
> devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_snmp_var_log_t, 
> dirsrv_tmp_t, dirsrv_var_log_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, 
> dkim_milter_tmp_t, dlm_controld_var_log_t, dnsmasq_var_log_t, 
> dnssec_trigger_tmp_t, docker_log_t, docker_tmp_t, dovecot_auth_tmp_t, 
> dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, 
> dspam_log_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_log_t, 
> exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, fail2ban_var_lib_t, faillog_t, 
> fenced_tmp_t, fenced_var_log_t, fetchmail_log_t, file_context_t, 
> fingerd_log_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_tmp_t, 
> foghorn_var_log_t, fonts_cache_t, fonts_t, fsadm_log_t, fsadm_tmp_t, 
> fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, 
> gconf_tmp_t, gear_log_t, geoclue_tmp_t, getty_log_t, getty_tmp_t, 
> gfs_controld_var_log_t, git_script_tmp_t, gkeyringd_tmp_t, glance_log_t, 
> glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, 
> gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, 
> groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, hostname_etc_t, 
> httpd_log_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, 
> icecast_log_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, 
> initrc_tmp_t, initrc_var_log_t, 
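The alert Neal pasted is one syslog record in which setroubleshoot's multi-line report was flattened with "#012" (rsyslog's escape for a newline), so the plugins, their confidence and the suggested commands are all buried in one line. The parser below is an added example, not part of the thread or of setroubleshoot; it undoes the escaping, pulls out the denied source, access and target, ranks the plugins by confidence, and applies the reading Dan gives above: a confident restorecon plugin naming a default label means a labeling problem, fixed by restoring labels rather than by adding policy. The sample record is constructed to follow the layout of the one in the thread (same target path, shortened FILE_TYPE list).

```python
import re

# Constructed sample modeled on the alert quoted in this thread: same target
# path, same two plugins, FILE_TYPE list shortened to three entries.
TARGET = ("/var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/"
          "user-1000@000522048e0844a5-c0bb6e169852fd4d.journal~")
SAMPLE = (
    "Oct 22 10:59:22 nbecker2 python: SELinux is preventing rsyslogd from getattr "
    f"access on the file {TARGET}."
    "#012#012*****  Plugin restorecon (94.8 confidence) suggests   ******#012#012"
    f"If you want to fix the label. #012{TARGET} default label should be var_log_t."
    "#012Then you can run restorecon.#012Do#012"
    f"# /sbin/restorecon -v {TARGET}"
    "#012#012*****  Plugin catchall_labels (5.21 confidence) suggests   ******#012#012"
    "If you want to allow rsyslogd to have getattr access on the journal~ file#012"
    f"Then you need to change the label on {TARGET}#012Do#012"
    f"# semanage fcontext -a -t FILE_TYPE '{TARGET}'#012"
    "where FILE_TYPE is one of the following: docker_log_t, var_log_t, cron_log_t.#012"
)

HEADER_RE = re.compile(
    r"SELinux is preventing (?P<source>\S+) from (?P<access>\S+) access "
    r"on the (?P<tclass>\S+) (?P<target>\S+?)\.(?:\n|$)"
)
PLUGIN_RE = re.compile(
    r"Plugin (?P<name>\S+) \((?P<conf>\d+(?:\.\d+)?) confidence\) suggests"
)
DEFAULT_LABEL_RE = re.compile(r"default label should be (?P<type>\w+)\.")
CANDIDATES = "one of the following: "


def unescape_syslog(line):
    """rsyslog stores embedded newlines as '#012' (octal for LF); undo that."""
    return line.replace("#012", "\n")


def candidate_types(body):
    """Types setroubleshoot offers for FILE_TYPE in the catchall_labels plugin."""
    i = body.find(CANDIDATES)
    if i < 0:
        return []
    rest = body[i + len(CANDIDATES):].split("\n", 1)[0].rstrip(". ")
    return [t.strip() for t in rest.split(",") if t.strip()]


def parse_alert(line):
    """Turn one flattened setroubleshoot record into a structured alert."""
    text = unescape_syslog(line)
    start = text.find("SELinux is preventing")
    if start < 0:
        raise ValueError("not a setroubleshoot alert line")
    text = text[start:]
    hdr = HEADER_RE.match(text)
    if not hdr:
        raise ValueError("unrecognised alert header")
    plugins = []
    heads = list(PLUGIN_RE.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.end():end]          # everything up to the next plugin
        label = DEFAULT_LABEL_RE.search(body)
        plugins.append({
            "name": h["name"],
            "confidence": float(h["conf"]),
            "default_label": label["type"] if label else None,
            # suggested shell commands are the lines printed with a '# ' prompt
            "commands": [ln[2:].strip() for ln in body.splitlines() if ln.startswith("# ")],
            "file_types": candidate_types(body),
        })
    plugins.sort(key=lambda p: p["confidence"], reverse=True)
    return {"source": hdr["source"], "access": hdr["access"],
            "tclass": hdr["tclass"], "target": hdr["target"], "plugins": plugins}


def triage(alert, min_confidence=50.0):
    """When the restorecon plugin is the confident winner and names a default
    label, the fix is to restore labels, not to add policy.
    Returns (action, expected_label, suggested_commands)."""
    top = alert["plugins"][0]
    if top["name"] == "restorecon" and top["confidence"] >= min_confidence:
        return "relabel", top["default_label"], top["commands"]
    return "investigate", None, top["commands"]


if __name__ == "__main__":
    alert = parse_alert(SAMPLE)
    print(alert["source"], alert["access"], alert["tclass"], alert["target"])
    for p in alert["plugins"]:
        print(f'  {p["name"]:16} {p["confidence"]:5.1f}  {p["commands"]}')
    print(triage(alert))
```

Running the same parser over a journal export lets you spot hosts where the top plugin is restorecon with a stated default label; those are the cases where a `restorecon -R -v` on the parent directory, as Dan suggests for /var/log here, is the whole fix, and a semanage fcontext change from the catchall list would be the wrong tool.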

Re: Copying files without losing selinux context

2015-10-11 Thread Daniel J Walsh


On 10/10/2015 05:07 AM, Suvayu Ali wrote:
> Hi Rejy,
>
> On Sat, Oct 10, 2015 at 12:31:59PM +0530, Rejy M Cyriac wrote:
>> On 10/08/2015 06:35 PM, Suvayu Ali wrote:
>>> Yesterday I installed a new SSD in my laptop.  I moved all my files
>>> (/home, /var, /opt) with rsync and rebooted.  However I see the selinux
>>> filecontexts are wrong, and many services are failing because of that,
>>> e.g. the user crontab doesn't load.
>>>
>>>   # ls -Z /var/spool/cron/user
>>>   unconfined_u:object_r:var_spool_t:s0 /var/spool/cron/user
>>>
>>> I did an autorelabel on boot, I also ran `restorecon -p -r /var',
>>> neither helped.  To get the crontab working, I had to change the context
>>> by hand.
>>>
>>>   # chcon --reference=/old/part/spool/cron/user /var/spool/cron/user
>>>   # ls -Z /var/spool/cron/user 
>>>   unconfined_u:object_r:user_cron_spool_t:s0 /var/spool/cron/user
>>>
>>> I would like to know how I can fix the rest, and what I should have used
>>> to do the copy in the first place.  I guess `cp -c' would work, but then
>>> I wouldn't have the ability to resume the transfer.
>> The following would have retained the SELinux contexts
>>
>> rsync with the --xattrs option
>> tar with the --selinux or --xattrs option
> Thanks a lot!  I'll remember this for the future.  Is there any simple
> way to restore the contexts now, after the fact?  If not, maybe
> something like the command below?
>
>   # cd /old && find . -exec chcon --reference=\{\} /var/\{\} \;
>
> Cheers,
>
If you are moving content around you should reset the default labeling. 
In this case you could do something like

# semanage fcontext -a -e /var /old
# restorecon -R -v /old

Which would make your labels survive a relabel



Re: SElinux issue

2015-09-29 Thread Daniel J Walsh
Looks like prelude.te provides the prewikka code.

grep prew *
prelude.fc:/usr/share/prewikka/cgi-bin(/.*)?  gen_context(system_u:object_r:prewikka_script_exec_t,s0)
prelude.te: apache_content_template(prewikka)
prelude.te: apache_content_alias_template(prewikka, prewikka)
prelude.te: can_exec(prewikka_script_t, prewikka_script_exec_t)
prelude.te: files_search_tmp(prewikka_script_t)
prelude.te: kernel_read_sysctl(prewikka_script_t)
prelude.te: kernel_search_network_sysctl(prewikka_script_t)
prelude.te: auth_use_nsswitch(prewikka_script_t)
prelude.te: logging_send_syslog_msg(prewikka_script_t)
prelude.te: apache_search_sys_content(prewikka_script_t)
prelude.te: mysql_stream_connect(prewikka_script_t)
prelude.te: mysql_tcp_connect(prewikka_script_t)
prelude.te: postgresql_stream_connect(prewikka_script_t)
prelude.te: postgresql_tcp_connect(prewikka_script_t)

semodule -l | grep prelude





On 09/25/2015 06:51 PM, Paolo Galtieri wrote:
> Daniel,
>   on the machine on which things work there is a prewikka.pp file, but
> on the one that fails there isn't.  On the system
> that fails I have the following prewikka policy file (prewikkapol.te):
>
> module prewikka 1.0;
>
> require {
>         type tmp_t;
>         type init_var_run_t;
>         type httpd_prewikka_script_t;
>         type sysfs_t;
>         class dir { read search };
> }
>
> #= httpd_prewikka_script_t ==
>
> allow httpd_prewikka_script_t init_var_run_t:dir search;
> allow httpd_prewikka_script_t sysfs_t:dir read;
> allow httpd_prewikka_script_t tmp_t:dir read;
>
> and the corresponding prewikkapol.pp file.
>
> On the system that works I have the following prewikka policy file
> (prewikka.te):
>
> module prewikka 1.0;
>
> require {
>         type tmp_t;
>         type init_var_run_t;
>         type httpd_prewikka_script_t;
>         type sysfs_t;
>         class dir { read search };
> }
>
> #= httpd_prewikka_script_t ==
>
> allow httpd_prewikka_script_t init_var_run_t:dir search;
> allow httpd_prewikka_script_t sysfs_t:dir read;
> allow httpd_prewikka_script_t tmp_t:dir read;
>
> and the corresponding prewikka.pp file.  So as far as I know the
> prewikka policy files are present, and neither says
> anything about httpd_prewikka_rw_content_t.
>
> Also if I run
>
> semodule -l
>
> the appropriate policy file is shown.
>
> I tried disabling the module:
>
> sudo semodule -d prewikkapol
> [sudo] password for pgaltieri:
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined (No such file or directory).
> libsepol.context_from_record: could not create context structure
> (Invalid argument).
> libsemanage.validate_handler: invalid context
> system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for
> /usr/share/prewikka/htdocs/generated_images [all files] (Invalid
> argument).
> libsemanage.dbase_llist_iterate: could not iterate over records
> (Invalid argument).
> semodule:  Failed!
>
> I tried to remove the module:
>
> sudo semodule -r prewikkapol
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined (No such file or directory).
> libsepol.context_from_record: could not create context structure
> (Invalid argument).
> libsemanage.validate_handler: invalid context
> system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for
> /usr/share/prewikka/htdocs/generated_images [all files] (Invalid
> argument).
> libsemanage.dbase_llist_iterate: could not iterate over records
> (Invalid argument).
> semodule:  Failed!
>
> It does appear though that setsebool still works despite the errors.
>
> Still confused though why I'm seeing the error.
>
> Thanks for the help,
>
> Paolo
>
>
> On 09/25/2015 12:26 PM, Daniel J Walsh wrote:
>> Looks like you might have a prewikka policy around?
>>
>> locate prewikka.pp
>>
>> Did you build a custom policy module?
>>
>> On 09/25/2015 02:30 PM, Paolo Galtieri wrote:
>>> Folks,
>>>I got an SElinux alert this morning.  The suggestion to correct the
>>> problem was to do:
>>>
>>> setsebool -P unconfined_mozilla_plugin_transition 0
>>>
>>> When I did this I got the following response:
>>>
>>> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
>>> defined
>>> libsepol.context_from_record: could not create context structure
>>> libsepol.context_from_string: could not create context structure
>>> libsepol.sepol_contex

Re: AVC denial and the suggested action to take (by the setroubleshoot details) window

2015-09-25 Thread Daniel J Walsh
Why use symlinks versus bind mounts?  Or mount the directory there directly.

On 09/24/2015 07:20 PM, jd1008 wrote:
>
>
> On 09/24/2015 04:54 PM, Rahul Sundaram wrote:
>> Hi
>>
>> On Thu, Sep 24, 2015 at 4:20 PM, jd1008 wrote:
>>
>> But /home is a symlink to /home on  another mount point.
>> Would not selinux be "savvy" enough to follow symlinks???
>>
>>
>> Following symlinks can be a security problem.  It is pretty common
>> for that to be restricted by default
>>
>> Rahul
>>
>>
> Agreed.
> Thanks for the heads up.
>



Re: AVC denial and the suggested action to take (by the setroubleshoot details) window

2015-09-25 Thread Daniel J Walsh


On 09/25/2015 03:55 PM, jd1008 wrote:
>
>
> On 09/25/2015 01:26 PM, Daniel J Walsh wrote:
>>
>> On 09/25/2015 01:54 PM, jd1008 wrote:
>>>
>>> On 09/25/2015 11:28 AM, Daniel J Walsh wrote:
>>>> mount the directory there directly
>>> You mean mount a partition as /home?
>>> I do not have that.
>>>
>> Anyways where are your homedirs?
> Went ahead and did a bind in /etc/fstab
> and it is working OK.
> I hope next relabel will not miss anything :)
>
Well the problem with just a bind is that the code now exists in two
places, and a full relabel could cause the labels to revert to the
alternate label.

Which is why it is still good to put in the semanage fcontext -a -e /home
/PATH

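Three of Dan's answers in this archive rest on the same mechanism: the policy's file_contexts database decides the default label of a path, `restorecon` resets a file to that default (the user_tmp_t directory under /var/lib/dnf in the system-upgrade thread), and `semanage fcontext -a -e TARGET ALIAS` makes paths under an alias such as /old or a bind-mounted home tree match as if they were under /var or /home (the rsync and bind-mount threads). The code below is an added example, not from the threads or from libselinux; it implements a miniature matchpathcon with equivalence substitution over a constructed, simplified subset of file_contexts (regex to type only, no full contexts or file-type flags), parses `ls -alZd` lines modeled on the ones quoted in the threads, and reports the label drift `restorecon -R -v` would correct.

```python
import re

# Constructed, simplified subset of a file_contexts database: regex -> type
# (real entries carry a full context and a file-type flag). Ordered the way
# libselinux relies on: more specific entries later, and the LAST matching
# entry wins.
FILE_CONTEXTS = [
    (r"/.*",                    "default_t"),
    (r"/tmp(/.*)?",             "tmp_t"),
    (r"/var(/.*)?",             "var_t"),
    (r"/var/lib(/.*)?",         "var_lib_t"),
    (r"/var/lib/dnf(/.*)?",     "rpm_var_lib_t"),
    (r"/var/spool(/.*)?",       "var_spool_t"),
    (r"/var/spool/cron(/.*)?",  "cron_spool_t"),
    (r"/var/spool/cron/[^/]+",  "user_cron_spool_t"),
    (r"/home",                  "home_root_t"),
    (r"/home/[^/]+(/.*)?",      "user_home_t"),
]


def add_equivalence(rules, target, alias):
    """Model 'semanage fcontext -a -e TARGET ALIAS': anything under ALIAS is
    labeled as though it lived under TARGET. Returns the extended rule list."""
    return list(rules) + [(alias.rstrip("/"), target.rstrip("/"))]


def apply_equivalence(path, rules):
    """Rewrite the path prefix before matching, as the substitution step
    in front of the regex match does on a real system."""
    for alias, target in rules:
        if path == alias or path.startswith(alias + "/"):
            return target + path[len(alias):]
    return path


def default_type(path, rules=()):
    """Mini matchpathcon: equivalence substitution, then last-match-wins."""
    path = path.rstrip("/") or "/"
    path = apply_equivalence(path, rules)
    winner = None
    for pattern, typ in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            winner = typ
    return winner


def parse_ls_z(line):
    """Pull (path, type) out of one 'ls -alZd' line: the context is the field
    with at least three colons; the path is the last field."""
    fields = line.split()
    ctx = next(f for f in fields if f.count(":") >= 3)
    return fields[-1], ctx.split(":")[2]


def label_drift(ls_lines, rules=()):
    """Entries whose on-disk type differs from the policy default, i.e. what
    'restorecon -R -v' would change. Returns (path, actual, expected) triples."""
    drift = []
    for line in ls_lines:
        path, actual = parse_ls_z(line)
        expected = default_type(path, rules)
        if actual != expected:
            drift.append((path, actual, expected))
    return drift


# Constructed 'ls -alZd' output modeled on the lines quoted in these threads.
SAMPLE_LS = [
    "drwxr-xr-x. 2 root root unconfined_u:object_r:user_tmp_t:s0 233472 Nov 25 10:31 /var/lib/dnf/system-upgrade",
    "drwxr-xr-x. 2 root root unconfined_u:object_r:rpm_var_lib_t:s0 221184 Nov 23 16:09 /var/lib/dnf/system-upgrade",
    "-rw-------. 1 user user unconfined_u:object_r:var_spool_t:s0 120 Oct 10 12:00 /var/spool/cron/user",
]

if __name__ == "__main__":
    for path, actual, expected in label_drift(SAMPLE_LS):
        print(f"{path}: {actual} -> restorecon would set {expected}")
    # Without an equivalence, a copy outside /var only gets the catch-all type.
    print(default_type("/old/spool/cron/user"))                # default_t
    rules = add_equivalence([], "/var", "/old")                 # semanage fcontext -a -e /var /old
    rules = add_equivalence(rules, "/home", "/data/homes")      # semanage fcontext -a -e /home /data/homes
    print(default_type("/old/spool/cron/user", rules))         # user_cron_spool_t
    print(default_type("/data/homes/alice/.bashrc", rules))    # user_home_t
```

The equivalence is what makes labels survive a full relabel: `chcon --reference` only rewrites the xattr on each file, so the next autorelabel brings the policy default back, whereas a `-e` rule changes the default itself, and `restorecon -R -v` on the alias then converges both copies on the same answer.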


Re: SElinux issue

2015-09-25 Thread Daniel J Walsh
Looks like you might have a prewikka policy around? 

locate prewikka.pp

Did you build a custom policy module?

On 09/25/2015 02:30 PM, Paolo Galtieri wrote:
> Folks,
>   I got an SElinux alert this morning.  The suggestion to correct the
> problem was to do:
>
> setsebool -P unconfined_mozilla_plugin_transition 0
>
> When I did this I got the following response:
>
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
>
> I have 2 systems running F22, I got this response on one of the
> systems, but not the other.  When I was running F19 on the affected
> system (prior to upgrading to F22) I did have the prewikka packages
> installed, but I have since removed them.  However, it appears that
> some remnants of those packages remain.
>
> How do I fix this issue?  I looked in the httpd config files and
> couldn't find any reference.
>
> Any help is appreciated.
>
> Paolo



Re: AVC denial and the suggested action to take (by the setroubleshoot details) window

2015-09-25 Thread Daniel J Walsh


On 09/25/2015 01:54 PM, jd1008 wrote:
>
>
> On 09/25/2015 11:28 AM, Daniel J Walsh wrote:
>> mount the directory there directly
> You mean mount a partition as /home?
> I do not have that.
>
Anyways where are your homedirs?


Re: AVC denial and the suggested action to take (by the setroubleshoot details) window

2015-09-24 Thread Daniel J Walsh
What AVC are you seeing?

On 09/24/2015 01:58 PM, jd1008 wrote:
> After getting AVC denial, I touched /.autorelabel and rebooted.
> Took about 5 minutes to finish re-labeling.
> Then, I started to get more AVC denials.
> I clicked on the denial icon and read the details.
>
> Could someone please explain the argument in the suggested "solution" :
> restorecon -v '#SharedObjects'
>
> What in tarnation is '#SharedObjects'
>
> The man page for semanage and for restorecon do not even
> make use of such notation.
>
> So, how is a user going to correctly interpret the meaning
> of such an opaque item as '#SharedObjects' ?
>
> The selinux troubleshoot says: (but does not explain where the
> #SharedObjects directory is )
>
>
> If you want to allow plugin-containe to have read access on the
> #SharedObjects directory
> Then you need to change the label on #SharedObjects
> Do
> # semanage fcontext -a -t FILE_TYPE '#SharedObjects'
> where FILE_TYPE is one of the following: NetworkManager_etc_rw_t,
> NetworkManager_etc_t, abrt_etc_t, admin_home_t, aiccu_etc_t,
> alsa_etc_rw_t, alsa_home_t, antivirus_conf_t, antivirus_home_t,
> asterisk_etc_t, audio_home_t, auth_home_t, bin_t, bitlbee_conf_t,
> bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t,
> cgconfig_etc_t, cgrules_etc_t, chrome_sandbox_home_t, cluster_conf_t,
> cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t,
> couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t,
> cupsd_rw_etc_t, cvs_home_t, data_home_t, dbus_home_t, dbusd_etc_t,
> ddclient_etc_t, device_t, devpts_t, dhcp_etc_t, dictd_etc_t,
> dnsmasq_etc_t, docker_config_t, docker_home_t, dosfs_t, dovecot_etc_t,
> etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t,
> fetchmail_home_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t,
> firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t,
> gconf_home_t, gdomap_conf_t, getty_etc_t, git_user_content_t,
> gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gpm_conf_t,
> gstreamer_home_t, hddtemp_etc_t, home_bin_t, home_cert_t, home_root_t,
> hostname_etc_t, httpd_config_t, httpd_modules_t, httpd_user_content_t,
> httpd_user_htaccess_t, httpd_user_ra_content_t,
> httpd_user_rw_content_t, httpd_user_script_exec_t, hugetlbfs_t,
> icc_data_home_t, iceauth_home_t, innd_etc_t, irc_conf_t, irc_home_t,
> irc_tmp_t, irssi_etc_t, irssi_home_t, kdump_etc_t, kismet_home_t,
> kmscon_conf_t, krb5_conf_t, krb5_home_t, krb5kdc_conf_t, l2tp_conf_t,
> lib_t, likewise_etc_t, lircd_etc_t, local_login_home_t, locale_t,
> lvm_etc_t, machineid_t, mail_home_rw_t, mail_home_t, man_cache_t,
> man_t, mandb_home_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t,
> minissdpd_conf_t, mnt_t, mock_etc_t, modules_conf_t, mozilla_conf_t,
> mozilla_home_t, mozilla_plugin_rw_t, mozilla_plugin_tmp_t,
> mozilla_plugin_tmpfs_t, mpd_etc_t, mpd_home_t, mpd_user_data_t,
> mplayer_etc_t, mplayer_home_t, mrtg_etc_t, mscan_etc_t, munin_etc_t,
> mysqld_etc_t, mysqld_home_t, nagios_etc_t, named_conf_t, net_conf_t,
> nrpe_etc_t, nscd_var_run_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t,
> nut_conf_t, openshift_var_lib_t, openvpn_etc_rw_t, openvpn_etc_t,
> openvswitch_rw_t, pads_config_t, pegasus_conf_t, pingd_etc_t,
> piranha_etc_rw_t, piranha_web_conf_t, polipo_cache_home_t,
> polipo_config_home_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t,
> postgresql_etc_t, postgrey_etc_t, pppd_etc_t,
> prelude_correlator_config_t, printconf_t, proc_t, procmail_home_t,
> psad_etc_t, ptal_etc_t, pulseaudio_home_t, puppet_etc_t, qmail_etc_t,
> radiusd_etc_t, radvd_etc_t, rhnsd_conf_t, rlogind_home_t, root_t,
> rssh_ro_t, rssh_rw_t, rsync_etc_t, samba_etc_t, sandbox_file_t,
> sanlock_conf_t, screen_home_t, shell_exec_t, shorewall_etc_t,
> slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamc_home_t,
> spamd_etc_t, speech-dispatcher_home_t, squid_conf_t, src_t,
> ssh_home_t, sssd_conf_t, sssd_public_t, stunnel_etc_t, svc_conf_t,
> svirt_home_t, sysctl_fs_t, sysctl_t, sysfs_t, syslog_conf_t,
> system_conf_t, system_db_t, systemd_home_t, systemd_logind_sessions_t,
> telepathy_cache_home_t, telepathy_data_home_t,
> telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t,
> telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t,
> telepathy_mission_control_data_home_t,
> telepathy_mission_control_home_t, telepathy_sunshine_home_t,
> texlive_home_t, textrel_shlib_t, tftpd_etc_t, thumb_home_t, tmp_t,
> tmpfs_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, tvtime_home_t,
> udev_etc_t, udev_var_run_t, ulogd_etc_t, uml_ro_t, uml_rw_t,
> user_fonts_cache_t, user_fonts_config_t, user_fonts_t,
> user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t,
> var_lib_t, var_run_t, varnishd_etc_t, virt_content_t, virt_etc_t,
> virt_home_t, vmware_conf_t, vmware_file_t, vmware_sys_conf_t,
> webalizer_etc_t, wine_home_t, wireshark_home_t, xauth_home_t,
> xdm_etc_t, xdm_home_t, xdm_rw_etc_t, xserver_etc_t, ypserv_conf_t,
> zarafa_etc_t, zebra_conf_t.
> Then 

Re: AVC denial and the suggested action to take (by the setroubleshoot details) window

2015-09-24 Thread Daniel J Walsh


On 09/24/2015 03:15 PM, jd1008 wrote:
>
>
> On 09/24/2015 12:58 PM, Daniel J Walsh wrote:
>> What AVC are you seeing?
>>
>> On 09/24/2015 01:58 PM, jd1008 wrote:
>>> After getting AVC denial, I touched /.autorelabel and rebooted.
>>> Took about 5 minutes to finish re-labeling.
>>> Then, I started to get more AVC denials.
>>> I clicked on the denial icon and read the details.
>>>
>>> Could someone please explain the argument in the suggested "solution" :
>>> restorecon -v '#SharedObjects'
>>>
>>> What in tarnation is '#SharedObjects'
>>>
>>> The man page for semanage and for restorecon do not even
>>> make use of such notation.
>>>
>>> So, how is a user going to correctly interpret the meaning
>>> of such an opaque item as '#SharedObjects' ?
>>>
>>> The selinux troubleshoot says: (but does not explain where the
>>> #SharedObjects directory is )
>>>
>>>
>>> If you want to allow plugin-containe to have read access on the
>>> #SharedObjects directory
>>> Then you need to change the label on #SharedObjects
>>> Do
>>> # semanage fcontext -a -t FILE_TYPE '#SharedObjects'
>>> where FILE_TYPE is one of the following: NetworkManager_etc_rw_t,
>>> NetworkManager_etc_t, abrt_etc_t, admin_home_t, aiccu_etc_t,
>>> alsa_etc_rw_t, alsa_home_t, antivirus_conf_t, antivirus_home_t,
>>> asterisk_etc_t, audio_home_t, auth_home_t, bin_t, bitlbee_conf_t,
>>> bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t,
>>> cgconfig_etc_t, cgrules_etc_t, chrome_sandbox_home_t, cluster_conf_t,
>>> cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t,
>>> couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t,
>>> cupsd_rw_etc_t, cvs_home_t, data_home_t, dbus_home_t, dbusd_etc_t,
>>> ddclient_etc_t, device_t, devpts_t, dhcp_etc_t, dictd_etc_t,
>>> dnsmasq_etc_t, docker_config_t, docker_home_t, dosfs_t, dovecot_etc_t,
>>> etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t,
>>> fetchmail_home_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t,
>>> firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t,
>>> gconf_home_t, gdomap_conf_t, getty_etc_t, git_user_content_t,
>>> gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gpm_conf_t,
>>> gstreamer_home_t, hddtemp_etc_t, home_bin_t, home_cert_t, home_root_t,
>>> hostname_etc_t, httpd_config_t, httpd_modules_t, httpd_user_content_t,
>>> httpd_user_htaccess_t, httpd_user_ra_content_t,
>>> httpd_user_rw_content_t, httpd_user_script_exec_t, hugetlbfs_t,
>>> icc_data_home_t, iceauth_home_t, innd_etc_t, irc_conf_t, irc_home_t,
>>> irc_tmp_t, irssi_etc_t, irssi_home_t, kdump_etc_t, kismet_home_t,
>>> kmscon_conf_t, krb5_conf_t, krb5_home_t, krb5kdc_conf_t, l2tp_conf_t,
>>> lib_t, likewise_etc_t, lircd_etc_t, local_login_home_t, locale_t,
>>> lvm_etc_t, machineid_t, mail_home_rw_t, mail_home_t, man_cache_t,
>>> man_t, mandb_home_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t,
>>> minissdpd_conf_t, mnt_t, mock_etc_t, modules_conf_t, mozilla_conf_t,
>>> mozilla_home_t, mozilla_plugin_rw_t, mozilla_plugin_tmp_t,
>>> mozilla_plugin_tmpfs_t, mpd_etc_t, mpd_home_t, mpd_user_data_t,
>>> mplayer_etc_t, mplayer_home_t, mrtg_etc_t, mscan_etc_t, munin_etc_t,
>>> mysqld_etc_t, mysqld_home_t, nagios_etc_t, named_conf_t, net_conf_t,
>>> nrpe_etc_t, nscd_var_run_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t,
>>> nut_conf_t, openshift_var_lib_t, openvpn_etc_rw_t, openvpn_etc_t,
>>> openvswitch_rw_t, pads_config_t, pegasus_conf_t, pingd_etc_t,
>>> piranha_etc_rw_t, piranha_web_conf_t, polipo_cache_home_t,
>>> polipo_config_home_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t,
>>> postgresql_etc_t, postgrey_etc_t, pppd_etc_t,
>>> prelude_correlator_config_t, printconf_t, proc_t, procmail_home_t,
>>> psad_etc_t, ptal_etc_t, pulseaudio_home_t, puppet_etc_t, qmail_etc_t,
>>> radiusd_etc_t, radvd_etc_t, rhnsd_conf_t, rlogind_home_t, root_t,
>>> rssh_ro_t, rssh_rw_t, rsync_etc_t, samba_etc_t, sandbox_file_t,
>>> sanlock_conf_t, screen_home_t, shell_exec_t, shorewall_etc_t,
>>> slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamc_home_t,
>>> spamd_etc_t, speech-dispatcher_home_t, squid_conf_t, src_t,
>>> ssh_home_t, sssd_conf_t, sssd_public_t, stunnel_etc_t, svc_conf_t,
>>> svirt_home_t, sysctl_fs_t, sysctl_t, sysfs_t, syslog_conf_t,
>>> system_conf_t, system_db_t, systemd_home_t, systemd_logind_s

Re: doing docker build, SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process., kills wireless

2015-08-20 Thread Daniel J Walsh
You have a bad label on /etc/resolv.conf.

restorecon -v /etc/resolv.conf

I have no idea how this is getting mislabeled.  Are you doing anything
special with /etc/resolv.conf?

Also turn on the cups_execmem boolean

setsebool -P cups_execmem 1


On 08/19/2015 10:10 AM, Robert P. J. Day wrote:
 On Wed, 19 Aug 2015, Rick Stevens wrote:

 On 08/19/2015 08:41 AM, Robert P. J. Day wrote:
 On Wed, 19 Aug 2015, Daniel J Walsh wrote:


 On 08/19/2015 07:36 AM, Robert P. J. Day wrote:
 On Wed, 19 Aug 2015, Daniel J Walsh wrote:

 On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
 On Tue, 18 Aug 2015, Robert P. J. Day wrote:

by now, i'm getting *really* good at debugging. was doing a simple
 docker build (docker-1.8.1) with first few lines of Dockerfile (which
 worked fine not that long ago):

FROM ubuntu:14.04
MAINTAINER Robert P. J. Day
ENV REFRESHED_AT 2015-08-18

RUN apt-get -y -q update && apt-get -y -q install nginx
... snip ...

 and it was *entirely* reproducible that the instant docker started to
 process that RUN apt-get command, the wireless connection on my
 Fedora 22 laptop was blown away. grabbed this from SELinux:

 = start =

 SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the
 sigchld access on a process.
 *  Plugin catchall (100. confidence) suggests
 **
 If you believe that abrt-hook-ccpp should be allowed sigchld access on
 processes labeled kernel_t by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do
 allow this access for now by executing:
 # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
 # semodule -i mypol.pp

 Additional Information:
 Source Context                system_u:system_r:NetworkManager_t:s0
 Target Context                system_u:system_r:kernel_t:s0
 Target Objects                Unknown [ process ]
 Source                        abrt-hook-ccpp
 Source Path                   /usr/libexec/abrt-hook-ccpp
 Port                          Unknown
 Host                          localhost.localdomain
 Source RPM Packages           abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
 Target RPM Packages
 Policy RPM                    selinux-policy-3.13.1-128.10.fc22.noarch
 Selinux Enabled               True
 Policy Type                   targeted
 Enforcing Mode                Permissive
 Host Name                     localhost.localdomain
 Platform                      Linux localhost.localdomain 4.1.5-200.fc22.x86_64
                               #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
 Alert Count                   1
 First Seen                    2015-08-18 12:57:36 EDT
 Last Seen                     2015-08-18 12:57:36 EDT
 Local ID                      523c8bed-7428-49e7-b301-3a932852b135

 Raw Audit Messages
 type=AVC msg=audit(1439917056.327:640): avc:  denied  { sigchld } for
 pid=4555 comm=abrt-hook-ccpp scontext=system_u:system_r:NetworkManager_t:s0
 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1

 type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4
 success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131
 pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp
 exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)
 Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld

 = end =
followup to the above ... i ran the suggested selinux-related
 commands, but that had no apparent effect, so i'm still stuck. for
 people who know docker, you'll recognize that the error occurred at
 the first instruction in the Dockerfile that requires network access,
 the RUN apt-get ... command (i already have the ubuntu base image on
 my system).

i grabbed a few hundred lines from journalctl and stuck them here:
 http://pastebin.com/KzrYMFvC. you can see the very first command there
 is the docker invocation:

 Aug 19 05:24:35 localhost.localdomain sudo[4190]:   rpjday : TTY=pts/0
 ; PWD=/home/rpjday/docker/TDB/sample ; USER=root ; COMMAND=/bin/docker
 build -t jamtur01/nginx .

thoughts? is it bugzilla time?

 rday

 Yes open a bugzilla, although this is a very strange AVC.  It basically
 shows abrt-hook-ccpp executing under networkmanager domain and sending
 sigchld to kernel_t.

 Why would networkmanager execed processes be sending a sigchld to a
 kernel process?
beats me, this is way outside my comfort zone. by the way, even
 though selinux was in permissive mode, i thought i'd play it safe and
 just disable it entirely, so i did, rebooted, sestatus clearly shows
 selinux disabled, but i got the same error.

i'll do it one more time shortly just to make sure it's not some
 intermittent weirdness, then i'll BZ it. open to suggestions as to
 anything else i might try, or add to the BZ submission.

 rday

 With SELinux disabled you should not be getting

Re: doing docker build, SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process., kills wireless

2015-08-19 Thread Daniel J Walsh


On 08/19/2015 07:36 AM, Robert P. J. Day wrote:
 On Wed, 19 Aug 2015, Daniel J Walsh wrote:

 On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
 On Tue, 18 Aug 2015, Robert P. J. Day wrote:

   by now, i'm getting *really* good at debugging. was doing a simple
 docker build (docker-1.8.1) with first few lines of Dockerfile (which
 worked fine not that long ago):

   FROM ubuntu:14.04
   MAINTAINER Robert P. J. Day
   ENV REFRESHED_AT 2015-08-18

   RUN apt-get -y -q update && apt-get -y -q install nginx
   ... snip ...

 and it was *entirely* reproducible that the instant docker started to
 process that RUN apt-get command, the wireless connection on my
 Fedora 22 laptop was blown away. grabbed this from SELinux:

 = start =

 SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld 
 access on a process.

 *  Plugin catchall (100. confidence) suggests   
 **

 If you believe that abrt-hook-ccpp should be allowed sigchld access on 
 processes labeled kernel_t by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do
 allow this access for now by executing:
 # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
 # semodule -i mypol.pp

 Additional Information:
 Source Context                system_u:system_r:NetworkManager_t:s0
 Target Context                system_u:system_r:kernel_t:s0
 Target Objects                Unknown [ process ]
 Source                        abrt-hook-ccpp
 Source Path                   /usr/libexec/abrt-hook-ccpp
 Port                          Unknown
 Host                          localhost.localdomain
 Source RPM Packages           abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
 Target RPM Packages
 Policy RPM                    selinux-policy-3.13.1-128.10.fc22.noarch
 Selinux Enabled               True
 Policy Type                   targeted
 Enforcing Mode                Permissive
 Host Name                     localhost.localdomain
 Platform                      Linux localhost.localdomain 4.1.5-200.fc22.x86_64
                               #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
 Alert Count                   1
 First Seen                    2015-08-18 12:57:36 EDT
 Last Seen                     2015-08-18 12:57:36 EDT
 Local ID                      523c8bed-7428-49e7-b301-3a932852b135

 Raw Audit Messages
 type=AVC msg=audit(1439917056.327:640): avc:  denied  { sigchld } for  
 pid=4555 comm=abrt-hook-ccpp 
 scontext=system_u:system_r:NetworkManager_t:s0 
 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1


 type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 
 success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 
 pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp 
 exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 
 key=(null)

 Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld

 = end =
   followup to the above ... i ran the suggested selinux-related
 commands, but that had no apparent effect, so i'm still stuck. for
 people who know docker, you'll recognize that the error occurred at
 the first instruction in the Dockerfile that requires network access,
 the RUN apt-get ... command (i already have the ubuntu base image on
 my system).

   i grabbed a few hundred lines from journalctl and stuck them here:
 http://pastebin.com/KzrYMFvC. you can see the very first command there
 is the docker invocation:

 Aug 19 05:24:35 localhost.localdomain sudo[4190]:   rpjday : TTY=pts/0
 ; PWD=/home/rpjday/docker/TDB/sample ; USER=root ; COMMAND=/bin/docker
 build -t jamtur01/nginx .

   thoughts? is it bugzilla time?

 rday

 Yes open a bugzilla, although this is a very strange AVC.  It basically
 shows abrt-hook-ccpp executing under networkmanager domain and sending
 sigchld to kernel_t.

 Why would networkmanager execed processes be sending a sigchld to a
 kernel process?
   beats me, this is way outside my comfort zone. by the way, even
 though selinux was in permissive mode, i thought i'd play it safe and
 just disable it entirely, so i did, rebooted, sestatus clearly shows
 selinux disabled, but i got the same error.

   i'll do it one more time shortly just to make sure it's not some
 intermittent weirdness, then i'll BZ it. open to suggestions as to
 anything else i might try, or add to the BZ submission.

 rday

With SELinux disabled you should not be getting any AVCs

If you turn SELinux back on and do a full relabel, I think the problem
will go away.

Something is crashing though which is causing the AVC
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki
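The alert quoted in this thread tells the user to run `grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol` and then `semodule -i mypol.pp`. Before installing such a module it is worth seeing what it would actually allow. The script below is an added example, not code from the thread, from setroubleshoot or from audit2allow: it parses the two raw audit records posted above (joined back into the one-record-per-line form of audit.log and labelled as a constructed sample), ties the AVC to its SYSCALL record by audit serial, prints the `allow` rule audit2allow would derive, and flags `permissive=1`, which means the access was logged but never blocked. The `review` function and its wording are this example's own.

```python
"""Parse raw SELinux audit records and show what audit2allow would allow.

Added example; it is not code from this thread, from setroubleshoot or
from audit2allow.  Run it with no arguments to process the sample below.
"""
import re

# Constructed sample: the AVC and SYSCALL records quoted in the thread,
# restored to the one-record-per-line form of /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = (
    "type=AVC msg=audit(1439917056.327:640): avc:  denied  { sigchld } for  "
    "pid=4555 comm=abrt-hook-ccpp scontext=system_u:system_r:NetworkManager_t:s0 "
    "tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1\n"
    "type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 "
    "success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 "
    "pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 "
    "fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp "
    "exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)\n"
)

# key=value fields; a value is quoted, parenthesised like (none), or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# msg=audit(<seconds>.<millis>:<serial>) ties the records of one event together.
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
# avc:  denied  { perm perm ... } for ...
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Split one audit record into a dict of its fields.

    Adds 'serial' and, for AVC records, 'decision' and the list of 'perms'.
    """
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    serial = SERIAL_RE.search(line)
    if 'type' not in rec or serial is None:
        raise ValueError('not an audit record: %r' % line)
    rec['serial'] = int(serial.group(1))
    if rec['type'] == 'AVC':
        avc = AVC_RE.search(line)
        if avc is None:
            raise ValueError('malformed AVC record: %r' % line)
        rec['decision'] = avc.group(1)
        rec['perms'] = avc.group(2).split()
    return rec


def parse_audit_log(text):
    """Group records by serial so an AVC can be read next to its SYSCALL."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec['serial'], {})[rec['type']] = rec
    return events


def type_of(context):
    """'system_u:system_r:NetworkManager_t:s0' -> 'NetworkManager_t'."""
    return context.split(':')[2]


def allow_rule(avc):
    """The rule audit2allow derives from one AVC record."""
    return 'allow %s %s:%s { %s };' % (
        type_of(avc['scontext']), type_of(avc['tcontext']),
        avc['tclass'], ' '.join(avc['perms']))


def review(event):
    """Facts to read before running `semodule -i` on the generated module."""
    avc = event['AVC']
    notes = [allow_rule(avc)]
    if avc.get('permissive') == '1':
        notes.append('permissive=1: logged only, the access was not blocked')
    sc = event.get('SYSCALL')
    if sc is not None:
        # The SYSCALL record names the process that made the call and the
        # domain it ran in; the AVC's scontext need not be the same domain.
        notes.append('syscall %s by %s (exe %s) running as %s' % (
            sc.get('syscall'), sc.get('comm'), sc.get('exe'), type_of(sc['subj'])))
    return notes


if __name__ == '__main__':
    for serial, event in sorted(parse_audit_log(SAMPLE_AUDIT_LOG).items()):
        print('audit event %d:' % serial)
        for note in review(event):
            print('  ' + note)
```

For the posted records this prints `allow NetworkManager_t kernel_t:process { sigchld };`, which is the whole content of the suggested `mypol` module, together with the note that the machine was in permissive mode, so the denial is a symptom and not the cause of the dropped wireless connection. The same parser works on a real audit.log: replace `SAMPLE_AUDIT_LOG` with the file contents and look at every event whose AVC is not `permissive=1`.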

Re: doing docker build, SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process., kills wireless

2015-08-19 Thread Daniel J Walsh


On 08/19/2015 08:03 AM, Robert P. J. Day wrote:
 On Wed, 19 Aug 2015, Daniel J Walsh wrote:

 With SELinux disabled you should not be getting any AVCs

 If you turn SELinux back on and do a full relabel, I think the problem
 will go away.

 Something is crashing though which is causing the AVC
   as in, enabled and not just permissive?

 rday

Either way.


Re: doing docker build, SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process., kills wireless

2015-08-19 Thread Daniel J Walsh


On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
 On Tue, 18 Aug 2015, Robert P. J. Day wrote:

   by now, i'm getting *really* good at debugging. was doing a simple
 docker build (docker-1.8.1) with first few lines of Dockerfile (which
 worked fine not that long ago):

   FROM ubuntu:14.04
   MAINTAINER Robert P. J. Day
   ENV REFRESHED_AT 2015-08-18

   RUN apt-get -y -q update && apt-get -y -q install nginx
   ... snip ...

 and it was *entirely* reproducible that the instant docker started to
 process that RUN apt-get command, the wireless connection on my
 Fedora 22 laptop was blown away. grabbed this from SELinux:

 = start =

 SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld 
 access on a process.

 *  Plugin catchall (100. confidence) suggests   
 **

 If you believe that abrt-hook-ccpp should be allowed sigchld access on 
 processes labeled kernel_t by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do
 allow this access for now by executing:
 # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
 # semodule -i mypol.pp

 Additional Information:
 Source Context                system_u:system_r:NetworkManager_t:s0
 Target Context                system_u:system_r:kernel_t:s0
 Target Objects                Unknown [ process ]
 Source                        abrt-hook-ccpp
 Source Path                   /usr/libexec/abrt-hook-ccpp
 Port                          Unknown
 Host                          localhost.localdomain
 Source RPM Packages           abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
 Target RPM Packages
 Policy RPM                    selinux-policy-3.13.1-128.10.fc22.noarch
 Selinux Enabled               True
 Policy Type                   targeted
 Enforcing Mode                Permissive
 Host Name                     localhost.localdomain
 Platform                      Linux localhost.localdomain 4.1.5-200.fc22.x86_64
                               #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
 Alert Count                   1
 First Seen                    2015-08-18 12:57:36 EDT
 Last Seen                     2015-08-18 12:57:36 EDT
 Local ID                      523c8bed-7428-49e7-b301-3a932852b135

 Raw Audit Messages
 type=AVC msg=audit(1439917056.327:640): avc:  denied  { sigchld } for  
 pid=4555 comm=abrt-hook-ccpp 
 scontext=system_u:system_r:NetworkManager_t:s0 
 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1


 type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 
 success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 
 pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp 
 exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)

 Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld

 = end =

   followup to the above ... i ran the suggested selinux-related
 commands, but that had no apparent effect, so i'm still stuck. for
 people who know docker, you'll recognize that the error occurred at
 the first instruction in the Dockerfile that requires network access,
 the RUN apt-get ... command (i already have the ubuntu base image on
 my system).

   i grabbed a few hundred lines from journalctl and stuck them here:
 http://pastebin.com/KzrYMFvC. you can see the very first command there
 is the docker invocation:

 Aug 19 05:24:35 localhost.localdomain sudo[4190]:   rpjday : TTY=pts/0
 ; PWD=/home/rpjday/docker/TDB/sample ; USER=root ; COMMAND=/bin/docker
 build -t jamtur01/nginx .

   thoughts? is it bugzilla time?

 rday

Yes open a bugzilla, although this is a very strange AVC.  It basically
shows abrt-hook-ccpp executing under networkmanager domain and sending
sigchld to kernel_t.

Why would networkmanager execed processes be sending a sigchld to a
kernel process?


Re: current/proposed docker-related packages?

2015-08-17 Thread Daniel J Walsh


On 08/16/2015 05:04 AM, Robert P. J. Day wrote:
 On Sat, 15 Aug 2015, Kenneth Wolcott wrote:

 I have a related question about Fedora docker packages.  There seems
 to be a docker-engine at version 1.8.1 and docker at version 1.7.1.
 I'd like to have docker AND docker engine at the same version,
 preferably at 1.8.1.  I don't mind having to get docker-compose and
 docker-machine via the docker website directly, but it would also be
 nice to get them via the normal Fedora repositories.  Even though
 docker-machine appears to be broken for all Linux distributions that
 I've tried when running with a local vm (VirtualBox) rather than a
 cloud (AWS).  docker-swarm is still considered beta, so I could see
 why that might not be provided via a Fedora repository.
   you've summed up my wish list nicely ... i'm just trying to make a
 list of where to get all the cool stuff in the docker ecosystem,
 either as an official fedora package or, if not, then from docker.com
 directly.

   as i read it (and i'm willing to be corrected), there will be some
 package renaming in the near future, either synchronized with when
 docker 1.8 gets packaged with fedora, or with f23, or maybe both. i
 found this page of docker-related fedora packages:

 https://admin.fedoraproject.org/pkgdb/packages/docker*/

 and i know what *was* docker-io is now docker, and that's going to
 become docker-engine, is it not? oddly, that list includes
 docker-compose as being approved in f22, but i don't yet see it in
 dnf search, so i can only assume it's coming. same thing with
 docker-client? docker-machine? etc, etc.

   regarding other possible packages, i ran across this page at
 docker.com, talking about kitematic:

   http://docs.docker.com/kitematic/

 which refers to something called the docker toolbox, but it looks
 like all that is windows/mac only:

   https://www.docker.com/toolbox

 and as d walsh(?) mentioned recently, the improved builder dock has
 been renamed to atomic-reactor. like i said, i'm just trying to keep
 up.

 rday

docker-1.8.1 (docker-engine) should be out soon.  I believe lokesh is
working on packaging up the other docker content for Fedora.
I am not a big fan of changing the name of docker to docker-engine at
this time. (We just changed it from docker-io to docker, and would
probably have to alias it anyways.)

Lokesh, can you add a "Provides: docker-engine" to the docker package?



Re: current/proposed docker-related packages?

2015-08-17 Thread Daniel J Walsh


On 08/17/2015 08:06 AM, Daniel J Walsh wrote:

 On 08/16/2015 05:04 AM, Robert P. J. Day wrote:
 On Sat, 15 Aug 2015, Kenneth Wolcott wrote:

 I have a related question about Fedora docker packages.  There seems
 to be a docker-engine at version 1.8.1 and docker at version 1.7.1.
 I'd like to have docker AND docker engine at the same version,
 preferably at 1.8.1.  I don't mind having to get docker-compose and
 docker-machine via the docker website directly, but it would also be
 nice to get them via the normal Fedora repositories.  Even though
 docker-machine appears to be broken for all Linux distributions that
 I've tried when running with a local vm (VirtualBox) rather than a
 cloud (AWS).  docker-swarm is still considered beta, so I could see
 why that might not be provided via a Fedora repository.
   you've summed up my wish list nicely ... i'm just trying to make a
 list of where to get all the cool stuff in the docker ecosystem,
 either as an official fedora package or, if not, then from docker.com
 directly.

   as i read it (and i'm willing to be corrected), there will be some
 package renaming in the near future, either synchronized with when
 docker 1.8 gets packaged with fedora, or with f23, or maybe both. i
 found this page of docker-related fedora packages:

 https://admin.fedoraproject.org/pkgdb/packages/docker*/

 and i know what *was* docker-io is now docker, and that's going to
 become docker-engine, is it not? oddly, that list includes
 docker-compose as being approved in f22, but i don't yet see it in
 dnf search, so i can only assume it's coming. same thing with
 docker-client? docker-machine? etc, etc.

   regarding other possible packages, i ran across this page at
 docker.com, talking about kitematic:

   http://docs.docker.com/kitematic/

 which refers to something called the docker toolbox, but it looks
 like all that is windows/mac only:

   https://www.docker.com/toolbox

 and as d walsh(?) mentioned recently, the improved builder dock has
 been renamed to atomic-reactor. like i said, i'm just trying to keep
 up.

 rday

 docker-1.8.1 (docker-engine) should be out soon.  I believe lokesh is
 working on packaging up the other docker content for Fedora.
 I am not a big fan of changing the name of docker to docker-engine at
 this time. (We just changed it from docker-io to docker, and would
 probably have to alias it anyways.)

 Lokesh, can you add a "Provides: docker-engine" to the docker package?

Looks like docker-1.8.1-1.git9281dc3.fc22 is in updates-testing?
docker-1.8.1-1.git3c1d7c8.fc23
http://koji.fedoraproject.org/koji/buildinfo?buildID=677363 is also
built and I believe moving along.

docker-1.9.0-2.gitf8950e0.fc24
http://koji.fedoraproject.org/koji/buildinfo?buildID=677354 is in Rawhide.




Re: fedora-dockerfiles: LABEL lines in cockpit-ws sample file look weird

2015-08-10 Thread Daniel J Walsh
Wow, we removed this command a while ago and I guess forgot to remove
the man page.

atomic info

Will show you the labels.

The latest atomic has added a --display option

atomic install imagename --display

Will show the command that will be executed without executing it.



On 08/10/2015 02:53 PM, Robert P. J. Day wrote:
 On Mon, 10 Aug 2015, Daniel J Walsh wrote:

 Here are a couple of blogs on the atomic command

 http://developerblog.redhat.com/2015/04/21/introducing-the-atomic-command/
 http://www.projectatomic.io/blog/2015/04/using-environment-substitution-with-the-atomic-command/

 atomic command is available for both fedora and fedora atomic host.
   hmm ... didn't take long to run into issues:

 $ man atomic-defaults

 ATOMIC(1)   January 2015  
 ATOMIC(1)

 NAME
atomic - List default commands

 SYNOPSIS
atomic defaults [-h] IMAGE

 DESCRIPTION
atomic defaults list default commands with which atomic will 
 RUN/INSTALL/REMOVE containers.
 ... snip ...

   ok, then:

 $ atomic defaults fedora
 /usr/bin/atomic: invalid choice: 'defaults' (choose from 'info',
 'install', 'images', 'mount', 'stop', 'run', 'uninstall', 'unmount',
 'update', 'upload', 'version', 'verify')
 Try 'atomic --help' for more information.
 $

   the list in that error message isn't even complete (it's missing
 atomic host), but why does the atomic command not accept the
 defaults subcommand?

 rday




Re: fedora-dockerfiles: LABEL lines in cockpit-ws sample file look weird

2015-08-10 Thread Daniel J Walsh


On 08/10/2015 08:31 AM, Robert P. J. Day wrote:
 On Mon, 10 Aug 2015, Daniel J Walsh wrote:


 On 08/10/2015 05:43 AM, Robert P. J. Day wrote:
   brief digression from my discussion of docker roadmap and stuff like
 that ... i'm using the sample Dockerfiles from the
 fedora-dockerfiles package to demonstrate various Dockerfile
 instructions in an upcoming course, and i ran across this:

 cockpit-ws/Dockerfile:LABEL INSTALL /usr/bin/docker run -ti --rm 
 --privileged -v /:/host IMAGE /container/atomic-install
 cockpit-ws/Dockerfile:LABEL UNINSTALL /usr/bin/docker run -ti --rm 
 --privileged -v /:/host IMAGE /cockpit/atomic-uninstall
 cockpit-ws/Dockerfile:LABEL RUN /usr/bin/docker run -d --privileged 
 --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh

 i have no idea what those lines mean, they don't even seem valid as
 the documentation suggests the proper form of a Dockerfile LABEL
 instruction requires an = sign.

   what does the above mean, if anything?

 rday

 I think the = sign is optional.
   ah, man Dockerfile doesn't mention that -- bugzilla time?

 Although I would prefer it in the form of

 LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE 
 /container/atomic-install
   as would i. by the way, i'm assuming there's nothing magical about
 the labels INSTALL, UNINSTALL or RUN, right? they're simply being
 added as metadata to the image as documentation that someone can dig
 out later with docker inspect? beyond that, they have no special
 power, is that correct?
The special power is that the atomic run|install|uninstall command will
automatically use them.

atomic install cockpit-ws

Does a

docker pull cockpit-ws

Then docker inspect to get the INSTALL label,
then it executes the INSTALL label substituting environment variables
like ${NAME} and ${IMAGE}

Do a man atomic.

 And with the latest atomic we now support

 LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host 
 \${IMAGE} /container/atomic-install
   just to clarify these two uses of IMAGE, the first one will simply
 keep the literal string IMAGE, correct? while the second will use
 escaping so that the label saved will incorporate the literal string
 ${IMAGE} -- i'm assuming to show the reader that that is supposed to
 represent an image name?

 rday

No, in either case IMAGE will be substituted with the image specified on the
atomic install command.


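What the reply above describes for `atomic install cockpit-ws` (pull the image, read the INSTALL label out of `docker inspect`, substitute `${IMAGE}`, `${NAME}` and the older bare IMAGE word, then run the result) is small enough to show end to end. The script below is an added example written for this thread; it is not atomic's own code. It parses the three cockpit-ws LABEL lines quoted above plus one in the `${VAR}` form, written with Dan's `\${IMAGE}` escape, out of a constructed Dockerfile, renders the command the way the reply says atomic does, and either displays it (what `--display` prints) or hands back the argv. Defaulting `NAME` to the image's basename without registry or tag is this example's assumption, not something the thread states.

```python
"""Show what `atomic install|run IMAGE` executes from an image's LABELs.

Added example; not atomic's own code.  It follows the behaviour described
in the thread: read the INSTALL/UNINSTALL/RUN label, substitute ${IMAGE},
${NAME} and the older bare IMAGE word, and display or return the result.
"""
import re
import shlex

# Constructed sample: the three cockpit-ws labels quoted in the thread, plus
# one in the newer ${VAR} form written with the \${IMAGE} escape so that
# `docker build` leaves the variable in the image for atomic to expand.
SAMPLE_DOCKERFILE = """\
FROM fedora
LABEL INSTALL /usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install
LABEL UNINSTALL /usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /cockpit/atomic-uninstall
LABEL RUN /usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh
LABEL INSTALL_NEW="/usr/bin/docker run -ti --rm --privileged -v /:/host --name \\${NAME} \\${IMAGE} /container/atomic-install"
"""

# Accepts both the `LABEL key value` form used in the cockpit-ws file and
# `LABEL key=value`; one label per line, which is all the sample needs.
LABEL_RE = re.compile(r'^\s*LABEL\s+([^\s=]+)(?:=|\s+)(.*)$')
VAR_RE = re.compile(r'\$\{(\w+)\}')
BARE_RE = re.compile(r'\b(IMAGE|NAME)\b')


def _label_value(raw):
    """Strip surrounding quotes and undo the \\$ escape, as docker build does."""
    value = raw.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in ('"', "'"):
        value = value[1:-1]
    return value.replace('\\$', '$')


def parse_labels(dockerfile):
    """Return {key: value} for each LABEL line, i.e. what `docker inspect`
    would later report for the image under Config.Labels."""
    labels = {}
    for line in dockerfile.splitlines():
        m = LABEL_RE.match(line)
        if m:
            labels[m.group(1)] = _label_value(m.group(2))
    return labels


def render(label, env):
    """Expand ${VAR} first, then the bare IMAGE/NAME words of older labels.

    Variable expansion must come first; otherwise the bare pass would turn
    ${IMAGE} into ${cockpit-ws} before the variable is looked up.
    """
    def lookup(m):
        name = m.group(1)
        if name not in env:
            raise KeyError('label references unset variable %s' % m.group(0))
        return env[name]
    return BARE_RE.sub(lookup, VAR_RE.sub(lookup, label))


def command_for(labels, action, image, name=None):
    """argv that `atomic <action> <image>` would execute, or None when the
    image carries no label for that action.  Defaulting NAME to the image's
    basename without registry or tag is this example's assumption."""
    label = labels.get(action.upper())
    if label is None:
        return None
    if name is None:
        name = image.split('/')[-1].split(':')[0]
    return shlex.split(render(label, {'IMAGE': image, 'NAME': name}))


def display(argv):
    """The command as `atomic install --display` would print it, unexecuted."""
    return ' '.join(shlex.quote(arg) for arg in argv)


if __name__ == '__main__':
    labels = parse_labels(SAMPLE_DOCKERFILE)
    for action in ('install', 'run', 'uninstall'):
        print('%-9s %s' % (action, display(command_for(labels, action, 'cockpit-ws'))))
```

Every one of those labels runs docker with `--privileged` and `-v /:/host`, so the string an image author puts in a LABEL is a command that will run as root against the host the moment someone types `atomic install`. That is the practical reason to look at `atomic info` or the `--display` output before the install, exactly as the reply above suggests; the example's `display` is that step without the execution.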


Re: fedora-dockerfiles: LABEL lines in cockpit-ws sample file look weird

2015-08-10 Thread Daniel J Walsh
Here are a couple of blogs on the atomic command

http://developerblog.redhat.com/2015/04/21/introducing-the-atomic-command/
http://www.projectatomic.io/blog/2015/04/using-environment-substitution-with-the-atomic-command/

atomic command is available for both fedora and fedora atomic host.

On 08/10/2015 08:43 AM, Daniel J Walsh wrote:

 On 08/10/2015 08:31 AM, Robert P. J. Day wrote:
 On Mon, 10 Aug 2015, Daniel J Walsh wrote:

 On 08/10/2015 05:43 AM, Robert P. J. Day wrote:
   brief digression from my discussion of docker roadmap and stuff like
 that ... i'm using the sample Dockerfiles from the
 fedora-dockerfiles package to demonstrate various Dockerfile
 instructions in an upcoming course, and i ran across this:

 cockpit-ws/Dockerfile:LABEL INSTALL /usr/bin/docker run -ti --rm 
 --privileged -v /:/host IMAGE /container/atomic-install
 cockpit-ws/Dockerfile:LABEL UNINSTALL /usr/bin/docker run -ti --rm 
 --privileged -v /:/host IMAGE /cockpit/atomic-uninstall
 cockpit-ws/Dockerfile:LABEL RUN /usr/bin/docker run -d --privileged 
 --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh

 i have no idea what those lines mean, they don't even seem valid as
 the documentation suggests the proper form of a Dockerfile LABEL
 instruction requires an = sign.

   what does the above mean, if anything?

 rday

 I think the = sign is optional.
   ah, man Dockerfile doesn't mention that -- bugzilla time?

 Although I would prefer it in the form of

 LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE 
 /container/atomic-install
   as would i. by the way, i'm assuming there's nothing magical about
 the labels INSTALL, UNINSTALL or RUN, right? they're simply being
 added as metadata to the image as documentation that someone can dig
 out later with docker inspect? beyond that, they have no special
 power, is that correct?
 The special power is that the atomic run|install|uninstall command will
 automatically use them

 atomic install cockpit-ws

 Does a

 docker pull cockpit-ws

 Then docker inspect to get the INSTALL label,
 then it executes the INSTALL label substituting environment variables
 like ${NAME} and ${IMAGE}

 Do a man atomic.

 And with the latest atomic we now support

 LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host 
 \${IMAGE} /container/atomic-install
   just to clarify these two uses of IMAGE, the first one will simply
 keep the literal string IMAGE, correct? while the second will use
 escaping so that the label saved will incorporate the literal string
 ${IMAGE} -- i'm assuming to show the reader that that is supposed to
 represent an image name?

 rday

 No in either case IMAGE will be substituted with the image specified on the
 atomic install command.
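The install/run/uninstall flow Dan describes (pull the image, read the label with docker inspect, substitute ${IMAGE} and ${NAME}, execute the result) can be walked through without touching a daemon. The script below is an added example, not code from the thread or from the atomic project: it takes the three cockpit-ws labels quoted above, wrapped in a constructed stand-in for the Config.Labels part of docker inspect output (an assumption about that layout), expands them the way the thread says atomic does, and reports what host-level power each resulting docker run line would hand the container. Since the label is executed as a privileged command, that pre-flight view of the argv is what an administrator wants before running atomic install on an image pulled from a registry.

```python
"""Added example (not from the thread or the atomic project): expand
INSTALL/RUN/UNINSTALL labels the way `atomic install NAME` does and audit
the resulting `docker run` argv for host-level privileges.
"""
import json
import re
import shlex

# Constructed stand-in for the "Config": {"Labels": ...} part of
# `docker inspect <image>`; the three label strings are the cockpit-ws
# ones quoted in the thread (one of them written with ${IMAGE} to show
# that both spellings are substituted).
INSPECT_JSON = json.dumps([{
    "Config": {"Labels": {
        "INSTALL": "/usr/bin/docker run -ti --rm --privileged -v /:/host "
                   "IMAGE /container/atomic-install",
        "UNINSTALL": "/usr/bin/docker run -ti --rm --privileged -v /:/host "
                     "${IMAGE} /cockpit/atomic-uninstall",
        "RUN": "/usr/bin/docker run -d --privileged --pid=host -v /:/host "
               "IMAGE /container/atomic-run --local-ssh",
    }}
}])

# docker run flags that give the container host-level power.
RISKY = {
    "--privileged": "all capabilities, no device or seccomp restrictions",
    "--pid=host": "shares the host PID namespace",
    "--net=host": "shares the host network namespace",
}


def labels_from_inspect(inspect_json):
    """Return the Labels dict from `docker inspect <image>` JSON output."""
    data = json.loads(inspect_json)
    return data[0].get("Config", {}).get("Labels") or {}


def expand_label(label, image, name):
    """Substitute ${IMAGE}/${NAME} and the bare words IMAGE/NAME, as the
    thread says atomic does, then split the command line into argv."""
    subst = {"IMAGE": image, "NAME": name}

    def repl(m):
        return subst[m.group(1) or m.group(2)]

    expanded = re.sub(r"\$\{(IMAGE|NAME)\}|\b(IMAGE|NAME)\b", repl, label)
    return shlex.split(expanded)


def audit_argv(argv):
    """List the host-level privileges a label's docker run line grants:
    risky flags plus any bind mount of the host root (-v /:...)."""
    findings = []
    for i, arg in enumerate(argv):
        if arg in RISKY:
            findings.append(f"{arg}: {RISKY[arg]}")
        if arg == "-v" and i + 1 < len(argv) and argv[i + 1].startswith("/:"):
            findings.append(f"-v {argv[i + 1]}: host root filesystem bind-mounted")
    return findings


def preflight(inspect_json, image, name):
    """What `atomic install|run|uninstall NAME` would execute for this image,
    with the privilege findings for each label."""
    report = {}
    for key, label in labels_from_inspect(inspect_json).items():
        argv = expand_label(label, image, name)
        report[key] = {"argv": argv, "findings": audit_argv(argv)}
    return report


if __name__ == "__main__":
    for key, entry in preflight(INSPECT_JSON, "fedora/cockpit-ws", "cockpit-ws").items():
        print(f"{key}: {' '.join(entry['argv'])}")
        for finding in entry["findings"]:
            print("   !", finding)
```

On a real host you would feed preflight() the output of `docker inspect <image>` after the pull and before letting atomic run the label; every cockpit-ws label above bind-mounts the host root and runs --privileged, which is exactly why the label contents deserve a look first.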





Re: fedora-dockerfiles: LABEL lines in cockpit-ws sample file look weird

2015-08-10 Thread Daniel J Walsh


On 08/10/2015 05:43 AM, Robert P. J. Day wrote:
   brief digression from my discussion of docker roadmap and stuff like
 that ... i'm using the sample Dockerfiles from the
 fedora-dockerfiles package to demonstrate various Dockerfile
 instructions in an upcoming course, and i ran across this:

 cockpit-ws/Dockerfile:LABEL INSTALL /usr/bin/docker run -ti --rm --privileged 
 -v /:/host IMAGE /container/atomic-install
 cockpit-ws/Dockerfile:LABEL UNINSTALL /usr/bin/docker run -ti --rm 
 --privileged -v /:/host IMAGE /cockpit/atomic-uninstall
 cockpit-ws/Dockerfile:LABEL RUN /usr/bin/docker run -d --privileged 
 --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh

 i have no idea what those lines mean, they don't even seem valid as
 the documentation suggests the proper form of a Dockerfile LABEL
 instruction requires an = sign.

   what does the above mean, if anything?

 rday

I think the = sign is optional.  Although I would prefer it in the form of

LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE 
/container/atomic-install

And with the latest atomic we now support


LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host \${IMAGE} 
/container/atomic-install






Re: SE alert

2015-07-21 Thread Daniel J Walsh
You can just run

# restorecon -R -v /

From the booted machine.

On 07/20/2015 03:49 PM, jd1008 wrote:


 On 07/20/2015 01:42 PM, Martin Cigorraga wrote:
 Hi,

 ~ getenforce
 Enforcing

 Please be aware that setenforce will only change the mode SELinux is
 running in. For a permanent change, you have to edit the
 configuration file.


 I already stated that /etc/sysconfig/selinux says (and did say when my
 system was in permissive mode):

 #
 $ sudo cat /etc/sysconfig/selinux

 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 # enforcing - SELinux security policy is enforced.
 # permissive - SELinux prints warnings instead of enforcing.
 # disabled - No SELinux policy is loaded.
 SELINUX=enforcing
 # SELINUXTYPE= can take one of these two values:
 # targeted - Targeted processes are protected,
 # minimum - Modification of targeted policy. Only selected
 processes are protected.
 # mls - Multi Level Security protection.
 SELINUXTYPE=targeted

 Thus going into permissive mode was not done by me.
 As I also stated, this is a fresh install since mid-day, yesterday,
 with only yum update bringing in new versions of packages.





Re: which images is docker pull supposed to pull by default?

2015-07-20 Thread Daniel J Walsh
Please open a bugzilla with the docker package to fix the man page.

On 07/19/2015 05:05 AM, Robert P. J. Day wrote:
   more nitpicky pedantry regarding docker on fedora 22 ... if i read
 the man page for docker-pull on my f22 system, i see:

 This command pulls down an image or a repository from a registry. If
 there is more than one image for a repository (e.g., fedora) then all
 images for that repository name are pulled down including any tags.

   note the reference to all images being pulled down. and the
 example given seems to reinforce the notion that, if you specify
 simply a repository, you'll get all corresponding tagged images:

   docker pull fedora
   Pulling repository fedora
   ad57ef8d78d7: Download complete
   105182bb5e8b: Download complete
   511136ea3c5a: Download complete
   73bd853d2ea5: Download complete

   Status: Downloaded newer image for fedora

   docker images
   REPOSITORY   TAG IMAGE IDCREATED  VIRTUAL 
 SIZE
   fedora   rawhide ad57ef8d78d75 days ago   359.3 MB
   fedora   20  105182bb5e8b5 days ago   372.7 MB
   fedora   heisenbug   105182bb5e8b5 days ago   372.7 MB
   fedora   latest  105182bb5e8b5 days ago   372.7 MB

   *however*, the explanation of the -a option seems to disagree with
 that:

 OPTIONS
-a, --all-tags=true|false
   Download all tagged images in the repository. The default is false.

 which suggests that, by default, you *don't* get all tagged images
 unless you specify -a.

   and a quick test shows that, if i run docker pull fedora, all i
 appear to get is:

 # docker images
 REPOSITORY  TAG IMAGE IDCREATED   
   VIRTUAL SIZE
 docker.io/fedoralatest  ded7cd95e0597 weeks ago   
   186.5 MB
 #

   so ... what am i misreading here? the man page seems just a touch
 confusing and contradictory.

 rday




Re: discrepancy in instructions to install docker on fedora 22

2015-07-17 Thread Daniel J Walsh
docker-engine == docker from the Fedora point of view.

Docker.io is trying to rebrand docker to docker-engine, so it
can differentiate docker-swarm, docker-registry, docker-engine ...


On 07/17/2015 10:42 AM, Robert P. J. Day wrote:
   been playing with docker for a few days now, then starting reading
 the docs over at docker.com, and here are the fedora installation
 instructions one finds there:

 https://docs.docker.com/installation/fedora/

 which refer to some RPM named docker-engine, of which i am unaware.

   all i've installed for a working docker setup is:

   * docker
   * docker-selinux
   * fedora-dockerfiles

 so ... do i care about this docker-engine thingy?

 rday




Re: discrepancy in instructions to install docker on fedora 22

2015-07-17 Thread Daniel J Walsh


On 07/17/2015 11:55 AM, Robert P. J. Day wrote:
 On Fri, 17 Jul 2015, Daniel J Walsh wrote:

 docker-engine == docker from the Fedora point of view.

 Docker.io is trying to rebrand docker to docker-engine, so it
 can differentiate docker-swarm, docker-registry, docker-engine ...
   ok, so if i wanted to follow that path, would i simply download and
 install the docker-engine RPM on my f22 system, rather than the
 current docker and docker-selinux packages? would i add a new yum repo
 entry for it? just trying to keep up.

 rday

No, just install the docker package from the Fedora repo, which will bring in
the updates.

I have asked Lokesh Mandevekar to update the docker.spec to provide
docker-engine.

You should almost never download a package from the internet that exists
in the distribution.


Re: discrepancy in instructions to install docker on fedora 22

2015-07-17 Thread Daniel J Walsh


On 07/17/2015 12:59 PM, Robert P. J. Day wrote:
 On Fri, 17 Jul 2015, Daniel J Walsh wrote:


 On 07/17/2015 11:55 AM, Robert P. J. Day wrote:
 On Fri, 17 Jul 2015, Daniel J Walsh wrote:

 docker-engine == docker from the Fedora point of view.

 Docker.io is trying to rebrand docker to docker-engine, so it
 can differentiate docker-swarm, docker-registry, docker-engine ...
   ok, so if i wanted to follow that path, would i simply download and
 install the docker-engine RPM on my f22 system, rather than the
 current docker and docker-selinux packages? would i add a new yum repo
 entry for it? just trying to keep up.

 rday

 No, just install the docker package from the Fedora repo, which will
 bring in the updates.

 I have asked Lokesh Mandevekar to update the docker.spec to provide
 docker-engine.
   i did notice that the fedora docker package has a dependency on
 docker-selinux, while that docker-engine package didn't, so i'm
 assuming the repackaging will take care of the selinux component.

 rday

Yes.  We ship with a series of patches on the docker-engine/docker
package also.


Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.

2015-07-01 Thread Daniel J Walsh


On 06/30/2015 07:57 AM, Ed Greshko wrote:
 On 06/30/15 19:31, Daniel J Walsh wrote:
 On 06/29/2015 01:45 PM, Andras Simon wrote:
 [Sorry for the late answer, I was away from this machine.]

 2015-06-28 1:01 GMT+02:00, Ed Greshko ed.gres...@greshko.com:
 On 06/27/15 21:15, Andras Simon wrote:
 2015-06-27 15:11 GMT+02:00, Andras Simon sza...@gmail.com:
 Should I be worried about the $subject?
 And there's also a SELinux is preventing sh from execute access on
 the file /usr/sbin/ldconfig which I've only just noticed. It sounds
 even scarier.

 Does your output match these?

 [egreshko@meimei ~]$ ls -Z /bin/bash
 system_u:object_r:shell_exec_t:s0 /bin/bash

 [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
 system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig
 Yes, I get the same result.

 Andras
 Everything seems correct.

 But the AVC's indicate that firewalld was attempting to run ldconfig...

 Which I believe should not happen normally.  The transactions at the
 time of yum/rpm indicate that the transaction, or at least the post-install
 sections, were being run as firewalld_t.
 Should that be BZ'd against firewalld?

Sure, we should have this in a bugzilla, but I'm not sure those guys will
figure it out either.


Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.

2015-06-30 Thread Daniel J Walsh


On 06/29/2015 01:45 PM, Andras Simon wrote:
 [Sorry for the late answer, I was away from this machine.]

 2015-06-28 1:01 GMT+02:00, Ed Greshko ed.gres...@greshko.com:
 On 06/27/15 21:15, Andras Simon wrote:
 2015-06-27 15:11 GMT+02:00, Andras Simon sza...@gmail.com:
 Should I be worried about the $subject?
 And there's also a SELinux is preventing sh from execute access on
 the file /usr/sbin/ldconfig which I've only just noticed. It sounds
 even scarier.

 Does your output match these?

 [egreshko@meimei ~]$ ls -Z /bin/bash
 system_u:object_r:shell_exec_t:s0 /bin/bash

 [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
 system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig
 Yes, I get the same result.

 Andras
Everything seems correct.

But the AVC's indicate that firewalld was attempting to run ldconfig...

Which I believe should not happen normally.  The transactions at the
time of yum/rpm indicate that the transaction, or at least the post-install
sections, were being run as firewalld_t.


Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.

2015-06-29 Thread Daniel J Walsh


On 06/29/2015 06:13 AM, Ed Greshko wrote:
 On 06/29/15 18:09, Daniel J Walsh wrote:
 On 06/28/2015 07:53 AM, Suvayu Ali wrote:
 On Sun, Jun 28, 2015 at 06:04:38AM -0400, Daniel J Walsh wrote:
 On 06/27/2015 07:01 PM, Ed Greshko wrote:
 On 06/27/15 21:15, Andras Simon wrote:
 2015-06-27 15:11 GMT+02:00, Andras Simon sza...@gmail.com:
 Should I be worried about the $subject?
 And there's also a SELinux is preventing sh from execute access on
 the file /usr/sbin/ldconfig which I've only just noticed. It sounds
 even scarier.

 Does your output match these?

 [egreshko@meimei ~]$ ls -Z /bin/bash
 system_u:object_r:shell_exec_t:s0 /bin/bash

 [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
 system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig

 Do you have the avc's?

 ausearch -m avc
 I also saw these alerts during a package update.

 time->Thu Jun 25 17:56:49 2015
 type=PROCTITLE msg=audit(1435247809.870:4079): 
 proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
 type=SYSCALL msg=audit(1435247809.870:4079): arch=c03e syscall=59 
 success=no exit=-13 a0=7f955d728b00 a1=7f955d728c00 a2=7f955d727c40 
 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 
 key=(null)
 type=AVC msg=audit(1435247809.870:4079): avc:  denied  { execute } for  
 pid=30357 comm=sh name=ldconfig dev=sdb1 ino=450673 
 scontext=system_u:system_r:firewalld_t:s0 
 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
 
 time->Thu Jun 25 17:56:49 2015
 type=PROCTITLE msg=audit(1435247809.870:4080): 
 proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
 type=SYSCALL msg=audit(1435247809.870:4080): arch=c03e syscall=4 
 success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab9b0 a2=7fffc7dab9b0 
 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 
 key=(null)
 type=AVC msg=audit(1435247809.870:4080): avc:  denied  { getattr } for  
 pid=30357 comm=sh path=/usr/sbin/ldconfig dev=sdb1 ino=450673 
 scontext=system_u:system_r:firewalld_t:s0 
 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
 
 time->Thu Jun 25 17:56:49 2015
 type=PROCTITLE msg=audit(1435247809.870:4081): 
 proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
 type=SYSCALL msg=audit(1435247809.870:4081): arch=c03e syscall=4 
 success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab990 a2=7fffc7dab990 
 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 
 key=(null)
 type=AVC msg=audit(1435247809.870:4081): avc:  denied  { getattr } for  
 pid=30357 comm=sh path=/usr/sbin/ldconfig dev=sdb1 ino=450673 
 scontext=system_u:system_r:firewalld_t:s0 
 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0

 This is very strange.  Doing ldconfig during a package update is
 expected, but why would firewalld be executing it?
 ps -eZ | grep firewalld

 [root@meimei ~]# ps -eZ | grep firewalld
 system_u:system_r:firewalld_t:s0  781 ?00:00:00 firewalld


OK, well, I am stumped; one possible thing would be if firewalld somehow
caused an rpm/yum/dnf transaction to happen.




Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.

2015-06-29 Thread Daniel J Walsh


On 06/28/2015 07:53 AM, Suvayu Ali wrote:
 On Sun, Jun 28, 2015 at 06:04:38AM -0400, Daniel J Walsh wrote:

 On 06/27/2015 07:01 PM, Ed Greshko wrote:
 On 06/27/15 21:15, Andras Simon wrote:
 2015-06-27 15:11 GMT+02:00, Andras Simon sza...@gmail.com:
 Should I be worried about the $subject?
 And there's also a SELinux is preventing sh from execute access on
 the file /usr/sbin/ldconfig which I've only just noticed. It sounds
 even scarier.

 Does your output match these?

 [egreshko@meimei ~]$ ls -Z /bin/bash
 system_u:object_r:shell_exec_t:s0 /bin/bash

 [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
 system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig

 Do you have the avc's?

 ausearch -m avc
 I also saw these alerts during a package update.

 time->Thu Jun 25 17:56:49 2015
 type=PROCTITLE msg=audit(1435247809.870:4079): 
 proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
 type=SYSCALL msg=audit(1435247809.870:4079): arch=c03e syscall=59 
 success=no exit=-13 a0=7f955d728b00 a1=7f955d728c00 a2=7f955d727c40 
 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
 type=AVC msg=audit(1435247809.870:4079): avc:  denied  { execute } for  
 pid=30357 comm=sh name=ldconfig dev=sdb1 ino=450673 
 scontext=system_u:system_r:firewalld_t:s0 
 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
 
 time->Thu Jun 25 17:56:49 2015
 type=PROCTITLE msg=audit(1435247809.870:4080): 
 proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
 type=SYSCALL msg=audit(1435247809.870:4080): arch=c03e syscall=4 
 success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab9b0 a2=7fffc7dab9b0 
 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
 type=AVC msg=audit(1435247809.870:4080): avc:  denied  { getattr } for  
 pid=30357 comm=sh path=/usr/sbin/ldconfig dev=sdb1 ino=450673 
 scontext=system_u:system_r:firewalld_t:s0 
 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
 
 time->Thu Jun 25 17:56:49 2015
 type=PROCTITLE msg=audit(1435247809.870:4081): 
 proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
 type=SYSCALL msg=audit(1435247809.870:4081): arch=c03e syscall=4 
 success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab990 a2=7fffc7dab990 
 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
 type=AVC msg=audit(1435247809.870:4081): avc:  denied  { getattr } for  
 pid=30357 comm=sh path=/usr/sbin/ldconfig dev=sdb1 ino=450673 
 scontext=system_u:system_r:firewalld_t:s0 
 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0

This is very strange.  Doing ldconfig during a package update is
expected, but why would firewalld be executing it?
ps -eZ | grep firewalld
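Dan's reasoning rests on two fields of the records above: subj/scontext says who was denied (firewalld_t) and tcontext says what it touched (ldconfig_exec_t); the hex PROCTITLE says exactly what command line that shell was running. The parser below is an added example, not code from the thread: it reads ausearch -m avc output, groups the PROCTITLE, SYSCALL and AVC lines by audit serial, decodes the proctitle hex into argv, and collapses the denials into (source domain, target type, class) -> permissions. The sample is the three records from this thread with the archive's line wrapping removed (the archive also dropped the double quotes ausearch puts around comm, exe and name; the field regex accepts both forms). The same parser handles the mozilla_plugin_t records in the "swapping" thread further down; the grouping-by-serial and field layout are assumptions about the ausearch format.

```python
"""Added example (not from the thread): parse `ausearch -m avc` output,
decode PROCTITLE, and summarise SELinux denials by domain and target type.
"""
import re
from collections import defaultdict

# Constructed sample: the three records quoted in the thread, unwrapped.
SAMPLE = """\
time->Thu Jun 25 17:56:49 2015
type=PROCTITLE msg=audit(1435247809.870:4079): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1435247809.870:4079): arch=c03e syscall=59 success=no exit=-13 a0=7f955d728b00 a1=7f955d728c00 a2=7f955d727c40 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC msg=audit(1435247809.870:4079): avc:  denied  { execute } for  pid=30357 comm=sh name=ldconfig dev=sdb1 ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
time->Thu Jun 25 17:56:49 2015
type=PROCTITLE msg=audit(1435247809.870:4080): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1435247809.870:4080): arch=c03e syscall=4 success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab9b0 a2=7fffc7dab9b0 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC msg=audit(1435247809.870:4080): avc:  denied  { getattr } for  pid=30357 comm=sh path=/usr/sbin/ldconfig dev=sdb1 ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
time->Thu Jun 25 17:56:49 2015
type=PROCTITLE msg=audit(1435247809.870:4081): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1435247809.870:4081): arch=c03e syscall=4 success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab990 a2=7fffc7dab990 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC msg=audit(1435247809.870:4081): avc:  denied  { getattr } for  pid=30357 comm=sh path=/usr/sbin/ldconfig dev=sdb1 ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
"""

# key=value pairs, value either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
DENIED_RE = re.compile(r'denied\s+\{([^}]*)\}')


def decode_proctitle(value):
    """PROCTITLE is the process argv, hex-encoded with NUL separators when
    it contains anything non-printable; plain quoted text otherwise."""
    if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) % 2 == 0:
        raw = bytes.fromhex(value).rstrip(b"\0")
        return [part.decode("utf-8", "replace") for part in raw.split(b"\0")]
    return value.split()


def parse_ausearch(text):
    """Group type=... lines into events keyed by audit serial. Each event
    carries its decoded argv, the SYSCALL fields and a list of AVC denials."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("type="):
            continue  # skip time-> headers and ---- separators
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        ev = events.setdefault(serial, {"serial": serial, "time": float(m.group(1)),
                                        "argv": None, "syscall": {}, "avc": []})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        rtype = fields.get("type")
        if rtype == "PROCTITLE":
            ev["argv"] = decode_proctitle(fields["proctitle"])
        elif rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "AVC":
            d = DENIED_RE.search(line)
            fields["perms"] = d.group(1).split() if d else []
            ev["avc"].append(fields)
    return list(events.values())


def summarize_denials(events):
    """Collapse denials to (source domain, target type, class) -> perms."""
    summary = defaultdict(set)
    for ev in events:
        for avc in ev["avc"]:
            key = (avc["scontext"].split(":")[2],
                   avc["tcontext"].split(":")[2], avc["tclass"])
            summary[key].update(avc["perms"])
    return {k: sorted(v) for k, v in summary.items()}


def triage(events):
    """One human-readable line per event: who ran what and what was denied."""
    lines = []
    for ev in events:
        sc = ev["syscall"]
        for avc in ev["avc"]:
            lines.append(f"{avc['scontext'].split(':')[2]} pid={sc.get('pid')} "
                         f"ppid={sc.get('ppid')} ran {ev['argv']!r}: denied "
                         f"{' '.join(avc['perms'])} on {avc['tclass']} "
                         f"{avc['tcontext'].split(':')[2]}")
    return lines


if __name__ == "__main__":
    evs = parse_ausearch(SAMPLE)
    for line in triage(evs):
        print(line)
    print(summarize_denials(evs))
```

Decoding the proctitle turns the three denials into a single story: a shell running `sh -c '/sbin/ldconfig -p 2>/dev/null'` inside the firewalld_t domain, with ppid 30356 pointing at whatever spawned it. That parent pid is the next thing to look up (the `ps -eZ` Dan asks for) when deciding whether the package scriptlet really ran under firewalld's context.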



Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.

2015-06-28 Thread Daniel J Walsh


On 06/27/2015 07:01 PM, Ed Greshko wrote:
 On 06/27/15 21:15, Andras Simon wrote:
 2015-06-27 15:11 GMT+02:00, Andras Simon sza...@gmail.com:
 Should I be worried about the $subject?
 And there's also a SELinux is preventing sh from execute access on
 the file /usr/sbin/ldconfig which I've only just noticed. It sounds
 even scarier.

 Does your output match these?

 [egreshko@meimei ~]$ ls -Z /bin/bash
 system_u:object_r:shell_exec_t:s0 /bin/bash

 [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
 system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig

Do you have the avc's?

ausearch -m avc


Re: Disabling auditd on Fedora 22

2015-06-23 Thread Daniel J Walsh


On 06/23/2015 12:36 AM, Kevin Wilson wrote:
 Dan,
 Thanks a lot for your reply.
 In fact, I ran
 rpm -e selinux-policy-targeted
 rpm -e selinux-policy
 And after reboot I got some message about freeze from systemd, I could
 not login (tried twice), so I reinstalled Linux on this machine.
 The question is: what do you mean by "If you disable SELinux"?

 Does that mean adding selinux=0 on command line?
 Or is it enough to set,  in /etc/selinux/config

 SELINUX=disabled

 (or maybe better is SELINUX=permissive, as Ali suggested ).
 Regards,
 Kevin
Either will work, although I advise against it...  :^)
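Two threads here turn on the same distinction: the SE alert thread above (setenforce changes only the running mode, /etc/selinux/config sets the mode for the next boot, and jd1008's machine went permissive without the file changing) and this one (selinux=0 on the kernel command line versus SELINUX=disabled or permissive in the file). The check below is an added example, not from either thread: it parses the config file as quoted by jd1008, applies the kernel-parameter overrides, and reports drift between the configured mode and what getenforce reports. The config text, the getenforce value and the command line are constructed sample input; on a host you would read /etc/selinux/config, run getenforce, and read /proc/cmdline instead.

```python
"""Added example (not from the thread): compare the SELinux mode configured
in /etc/selinux/config (after kernel command-line overrides) with the mode
the running kernel reports, and flag drift or a weakened configuration.
"""

VALID_MODES = {"enforcing", "permissive", "disabled"}
VALID_TYPES = {"targeted", "minimum", "mls"}

# Constructed sample: the file as quoted in the SE alert thread.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
"""


def parse_selinux_config(text):
    """Return {'SELINUX': mode, 'SELINUXTYPE': policy}, ignoring comments
    and blank lines; unknown values raise ValueError rather than being
    silently treated as disabled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.lower()
    mode = settings.get("SELINUX")
    if mode not in VALID_MODES:
        raise ValueError(f"SELINUX={mode!r} is not one of {sorted(VALID_MODES)}")
    ptype = settings.get("SELINUXTYPE", "targeted")
    if ptype not in VALID_TYPES:
        raise ValueError(f"SELINUXTYPE={ptype!r} is not one of {sorted(VALID_TYPES)}")
    return {"SELINUX": mode, "SELINUXTYPE": ptype}


def cmdline_override(cmdline):
    """Kernel parameters take precedence over the file: selinux=0 disables
    SELinux entirely, enforcing=0 boots permissive. Returns the effective
    mode they impose, or None when the file decides."""
    params = dict(p.split("=", 1) for p in cmdline.split() if "=" in p)
    if params.get("selinux") == "0":
        return "disabled"
    if params.get("enforcing") == "0":
        return "permissive"
    return None


def check_drift(config_text, runtime_mode, cmdline=""):
    """Compare the configured mode (after overrides) with getenforce output.
    Returns a list of findings; an empty list means the box is enforcing
    and its running state matches its configuration."""
    cfg = parse_selinux_config(config_text)
    expected = cmdline_override(cmdline) or cfg["SELINUX"]
    runtime = runtime_mode.strip().lower()
    findings = []
    if runtime != expected:
        findings.append(f"runtime mode {runtime} differs from configured {expected}: "
                        "setenforce was run, or the boot parameters changed")
    if expected != "enforcing":
        findings.append(f"configured mode is {expected}, not enforcing "
                        f"(policy {cfg['SELINUXTYPE']} is not being enforced)")
    return findings


if __name__ == "__main__":
    for rt, cl in (("Enforcing", ""), ("Permissive", ""), ("Disabled", "selinux=0")):
        print(rt, cl or "(no override)", "->", check_drift(SAMPLE_CONFIG, rt, cl) or "ok")
```

The runtime-vs-configured comparison is the one that would have caught jd1008's case: the file said enforcing, getenforce said permissive, so something ran setenforce 0 after boot, which is also the situation the "Problem with Python??" alert further down describes.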




Re: Disabling auditd on Fedora 22

2015-06-22 Thread Daniel J Walsh


On 06/22/2015 03:44 AM, Suvayu Ali wrote:
 On Mon, Jun 22, 2015 at 08:01:41AM +0300, Kevin Wilson wrote:
 In /etc/selinux/config

 I set
 SELINUX=disabled
 Which means that in fact I do not use SELinux, or so it seems to me.
 It is recommended to keep it permissive instead of disabled.

 So will it be OK to run:
 rpm -e selinux-policy-targeted
 rpm -e selinux-policy
 I do not think this is possible.  SELinux support is in the kernel; many
 applications expect the libraries to be there, even though it is disabled
 or set to permissive.

 Hope this helps,

If you disable SELinux on your system you can remove those two packages;
you will not be able to remove libselinux.


Re: Problem with Python??

2015-06-19 Thread Daniel J Walsh


On 06/18/2015 11:46 AM, jd1008 wrote:
 selinux issues the following
 If you believe /usr/bin/python2.7 tried to disable selinux

 you may be under attack by a hacker, since confined applications
 should never need this access.
 Contact your security administrator and report this issue.

 Is anyone else seeing this?
What avc did you see?  This should be some process trying to run
setenforce 0 from a python script.


FYI: Is SELinux good anti-venom?

2015-05-20 Thread Daniel J Walsh
http://danwalsh.livejournal.com/71489.html


Re: SELinux is preventing abrt-dump-journ from read access on the file /usr/lib64/libreport.so.0.

2015-03-22 Thread Daniel J Walsh



On 03/21/2015 02:03 PM, Lawrence E Graves wrote:
 SELinux is preventing abrt-dump-journ from read access on the file
 /usr/lib64/libreport.so.0.

 * Plugin restorecon (82.4 confidence) suggests
 

 If you want to fix the label.
 /usr/lib64/libreport.so.0 default label should be lib_t.
 Then you can run restorecon.
 Do
 # /sbin/restorecon -v /usr/lib64/libreport.so.0

 * Plugin file (7.05 confidence) suggests
 **

 If you think this is caused by a badly mislabeled machine.
 Then you need to fully relabel.
 Do
 touch /.autorelabel; reboot

 * Plugin file (7.05 confidence) suggests
 **

 If you think this is caused by a badly mislabeled machine.
 Then you need to fully relabel.
 Do
 touch /.autorelabel; reboot

 * Plugin catchall_labels (4.59 confidence) suggests
 ***

 If you want to allow abrt-dump-journ to have read access on the
 libreport.so.0 file
 Then you need to change the label on /usr/lib64/libreport.so.0
 Do
 # semanage fcontext -a -t FILE_TYPE '/usr/lib64/libreport.so.0'
 where FILE_TYPE is one of the following: NetworkManager_tmp_t,
 abrt_dump_oops_exec_t, abrt_etc_t, abrt_helper_exec_t, abrt_tmp_t,
 abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_lib_t,
 abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_tmp_t,
 amanda_tmp_t, anon_inodefs_t, antivirus_tmp_t, apcupsd_tmp_t,
 apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, auditadm_sudo_tmp_t,
 automount_tmp_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t,
 bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t,
 boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t,
 bugzilla_tmp_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t,
 chrome_sandbox_tmp_t, cinder_api_tmp_t, cinder_backup_tmp_t,
 cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t,
 cluster_tmp_t, cobbler_tmp_t, cockpit_tmp_t, collectd_script_tmp_t,
 colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t,
 condor_startd_tmp_t, conman_tmp_t, couchdb_tmp_t, cpu_online_t,
 crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t,
 cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t,
 dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t,
 dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, debugfs_t,
 deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t,
 dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t,
 dkim_milter_tmp_t, docker_tmp_t, dovecot_auth_tmp_t,
 dovecot_deliver_tmp_t, dovecot_tmp_t, drbd_tmp_t, etc_runtime_t,
 etc_t, exim_tmp_t, fail2ban_tmp_t, fenced_tmp_t, firewalld_tmp_t,
 firewallgui_tmp_t, fonts_cache_t, fonts_t, fsadm_tmp_t,
 fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t,
 gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, git_script_tmp_t,
 gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t,
 gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t,
 gssd_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t,
 inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, ipsec_tmp_t,
 iptables_tmp_t, iscsi_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t,
 kdumpgui_tmp_t, keystone_tmp_t, kismet_tmp_t, kismet_tmpfs_t,
 klogd_tmp_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t,
 l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t,
 livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t,
 logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t,
 lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t,
 mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t,
 mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t,
 mediawiki_tmp_t, mock_tmp_t, mojomojo_tmp_t, mongod_tmp_t,
 mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t,
 mozilla_tmp_t, mozilla_tmpfs_t, mpd_tmp_t, mplayer_tmpfs_t,
 mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_tmp_t,
 nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t,
 nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, netutils_tmp_t,
 neutron_tmp_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t,
 nova_compute_tmp_t, nova_conductor_tmp_t, nova_console_tmp_t,
 nova_direct_tmp_t, nova_network_tmp_t, nova_objectstore_tmp_t,
 nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t,
 ntop_tmp_t, ntpd_tmp_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t,
 nut_upsmon_tmp_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t,
 openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t,
 openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t,
 pam_timestamp_tmp_t, passenger_tmp_t, pcp_tmp_t,
 pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_web_tmp_t,
 pkcs_slotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t,
 podsleuth_tmpfs_t, policykit_tmp_t, portmap_tmp_t,
 postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t,
 postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t,
 postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t,
 

Re: swapping

2015-02-17 Thread Daniel J Walsh

On 02/17/2015 02:16 AM, Patrick Dupre wrote:
 It is very long.
 Just the end.


 time->Tue Feb 17 11:15:08 2015
 type=PROCTITLE msg=audit(1424168108.864:452969): 
 proctitle=2F7573722F6C696236342F66697265666F782F706C7567696E2D636F6E7461696E6572002F7573722F6C696236342F6D6F7A696C6C612F706C7567696E732D777261707065642F6E73777261707065725F33325F36342E6C6962666C617368706C617965722E736F002D6772656F6D6E69002F7573722F6C696236342F666972
 type=SYSCALL msg=audit(1424168108.864:452969): arch=c03e syscall=9 
 success=no exit=-13 a0=0 a1=223800 a2=5 a3=802 items=0 ppid=16828 pid=25724 
 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 
 sgid=1000 fsgid=1000 tty=(none) ses=916 comm=plugin-containe 
 exe=/usr/lib64/firefox/plugin-container 
 subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
 type=AVC msg=audit(1424168108.864:452969): avc:  denied  { execute } for  
 pid=25724 comm=plugin-containe 
 path=/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so 
 dev=dm-0 ino=241943 
 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
 
 time->Tue Feb 17 11:15:08 2015
 type=PROCTITLE msg=audit(1424168108.864:452970): 
 proctitle=2F7573722F6C696236342F66697265666F782F706C7567696E2D636F6E7461696E6572002F7573722F6C696236342F6D6F7A696C6C612F706C7567696E732D777261707065642F6E73777261707065725F33325F36342E6C6962666C617368706C617965722E736F002D6772656F6D6E69002F7573722F6C696236342F666972
 type=SYSCALL msg=audit(1424168108.864:452970): arch=c03e syscall=9 
 success=no exit=-13 a0=0 a1=223800 a2=5 a3=802 items=0 ppid=16828 pid=25724 
 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 
 sgid=1000 fsgid=1000 tty=(none) ses=916 comm=plugin-containe 
 exe=/usr/lib64/firefox/plugin-container 
 subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
 type=AVC msg=audit(1424168108.864:452970): avc:  denied  { execute } for  
 pid=25724 comm=plugin-containe 
 path=/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so 
 dev=dm-0 ino=241943 
 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
 
 time->Tue Feb 17 11:15:08 2015
 type=PROCTITLE msg=audit(1424168108.915:452971): 
 proctitle=2F7573722F6C696236342F66697265666F782F706C7567696E2D636F6E7461696E6572002F7573722F6C696236342F6D6F7A696C6C612F706C7567696E732D777261707065642F6E73777261707065725F33325F36342E6C6962666C617368706C617965722E736F002D6772656F6D6E69002F7573722F6C696236342F666972
 type=SYSCALL msg=audit(1424168108.915:452971): arch=c03e syscall=9 
 success=no exit=-13 a0=0 a1=223800 a2=5 a3=802 items=0 ppid=16828 pid=25730 
 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 
 sgid=1000 fsgid=1000 tty=(none) ses=916 comm=plugin-containe 
 exe=/usr/lib64/firefox/plugin-container 
 subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
 type=AVC msg=audit(1424168108.915:452971): avc:  denied  { execute } for  
 pid=25730 comm=plugin-containe 
 path=/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so 
 dev=dm-0 ino=241943 
 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
 
 time->Tue Feb 17 11:15:08 2015
 type=PROCTITLE msg=audit(1424168108.915:452972): 
 proctitle=2F7573722F6C696236342F66697265666F782F706C7567696E2D636F6E7461696E6572002F7573722F6C696236342F6D6F7A696C6C612F706C7567696E732D777261707065642F6E73777261707065725F33325F36342E6C6962666C617368706C617965722E736F002D6772656F6D6E69002F7573722F6C696236342F666972
 type=SYSCALL msg=audit(1424168108.915:452972): arch=c03e syscall=9 
 success=no exit=-13 a0=0 a1=223800 a2=5 a3=802 items=0 ppid=16828 pid=25730 
 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 
 sgid=1000 fsgid=1000 tty=(none) ses=916 comm=plugin-containe 
 exe=/usr/lib64/firefox/plugin-container 
 subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
 type=AVC msg=audit(1424168108.915:452972): avc:  denied  { execute } for  
 pid=25730 comm=plugin-containe 
 path=/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so 
 dev=dm-0 ino=241943 
 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
 
 time->Tue Feb 17 11:15:08 2015
 type=PROCTITLE msg=audit(1424168108.977:452973): 
 proctitle=2F7573722F6C696236342F66697265666F782F706C7567696E2D636F6E7461696E6572002F7573722F6C696236342F6D6F7A696C6C612F706C7567696E732D777261707065642F6E73777261707065725F33325F36342E6C6962666C617368706C617965722E736F002D6772656F6D6E69002F7573722F6C696236342F666972
 type=SYSCALL msg=audit(1424168108.977:452973): arch=c03e syscall=9 
 success=no exit=-13 a0=0 a1=223800 a2=5 a3=802 

Re: swapping

2015-02-15 Thread Daniel J Walsh

On 02/12/2015 06:42 AM, Patrick Dupre wrote:
 Hello,

 I did both. Unfortunately, sometimes, like today I have to kill 
 the setroubleshootd process all the times without much success at the end!

 Any suggestion?

 ===
  Patrick DUPRÉ | | email: pdu...@gmx.com
  Laboratoire de Physico-Chimie de l'Atmosphère | |
  Université du Littoral-Côte d'Opale   | |
  Tel.  (33)-(0)3 28 23 76 12   | | Fax: 03 28 65 82 44
  189A, avenue Maurice Schumann | | 59140 Dunkerque, France
 ===


 Sent: Friday, January 16, 2015 at 4:24 AM
 From: Michael Cronenworth m...@cchtml.com
 To: Community support for Fedora users users@lists.fedoraproject.org
 Subject: Re: swapping

 On 01/15/2015 04:15 PM, Daniel J Walsh wrote:
 Usually if you are in this situation, you have a bad labeling problem.

 touch /.autorelabel; reboot

 Will fix the labels, or you could just do

 restorecon -R /
 Except that is not the case in this instance.
 -- 
 users mailing list
 users@lists.fedoraproject.org
 To unsubscribe or change subscription options:
 https://admin.fedoraproject.org/mailman/listinfo/users
 Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
 Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 Have a question? Ask away: http://ask.fedoraproject.org

Could you attach the current list of AVCs you are receiving?


Re: swapping

2015-01-21 Thread Daniel J Walsh

On 01/16/2015 03:45 PM, poma wrote:
 On 16.01.2015 20:35, Daniel J Walsh wrote:
 On 01/16/2015 01:57 PM, poma wrote:
 On 16.01.2015 19:47, Daniel J Walsh wrote:
 On 01/16/2015 07:47 AM, Patrick O'Callaghan wrote:
 On Fri, 2015-01-16 at 08:28 +0100, Heinz Diehl wrote:
 On 16.01.2015, Tim wrote: 

 Of course *you* do not *use* it, it's there as a protective device
 against *things* on your system.
 Any recent Linux distribution can be secured without using selinux.
 Selinux requires at least basic knowledge and administration. Most of
 the people I installed Linux for didn't even know it was there or what
 it's good for.
 You mean like the fuses in your house or the airbag in your car? When
 Selinux is working you don't know it's there. When it alerts you it
 means there's something wrong. I agree that the alerts are not always as
 clear as they might be, but it's a fallacy to suggest that it doesn't
 provide benefit.

 poc

 Here is a case of SELinux protecting your house.

 http://danwalsh.livejournal.com/71122.html

 Not to fall to false sense of security, does SElinux need SElinux?


 SELinux is the kernel, so does the Kernel need the kernel.

 You've probably wanted to write, SELinux is a Linux(kernel) feature.
 But in some another context, the kernel needs the kernel, and not only.

 But theoretically SELinux/Kernel can protect itself.  We can prevent
 privileged processes (root) from manipulating the SELinux settings.

 Can SELinux, AppArmor and Grsecurity perform together, to achieve an even 
 greater level of security?


SELinux and AppArmor cannot, although there was some effort to allow
multiple LSMs.  Check out the discussion on the selinux upstream list.

I have no idea whether Grsecurity and SELinux can run on the same
kernel.  Grsecurity has never been upstreamed.




Re: Removing obsolete selinux setup

2015-01-21 Thread Daniel J Walsh

On 01/18/2015 04:58 PM, Pete Stieber wrote:
 I received an answer that worked on the fedora forums.

 1. Edit the file
 /etc/selinux/targeted/modules/active/file_contexts.local and
 comment/fix the wrong contexts.

 In my case this meant changing httpd_mediawiki_rw_content_t to
 mediawiki_rw_content_t.  Then I used

 # semanage fcontext -a -t httpd_sys_rw_content_t '/etc/dokuwiki'
 # semanage fcontext -a -t httpd_sys_rw_content_t
 '/etc/dokuwiki/users.auth.php'
 # semanage fcontext -a -t httpd_sys_rw_content_t
 '/etc/dokuwiki/local.php'
 # restorecon -R /etc/dokuwiki

 to get the files setup properly.

 Seems like the dokuwiki selinux package should be setup to do
 something similar.

 Pete
A better label should have been

semanage fcontext -a -t httpd_sys_rw_content_t '/etc/dokuwiki(/.*)?'

This would allow apache processes to write to any file/directory under
/etc/dokuwiki.

I would argue this might be a bad design of dokuwiki; applications
should not be writing their config files.
If these are not config files, they should be in /var/lib/dokuwiki.




Re: swapping

2015-01-16 Thread Daniel J Walsh

On 01/16/2015 07:47 AM, Patrick O'Callaghan wrote:
 On Fri, 2015-01-16 at 08:28 +0100, Heinz Diehl wrote:
 On 16.01.2015, Tim wrote: 

 Of course *you* do not *use* it, it's there as a protective device
 against *things* on your system.
 Any recent Linux distribution can be secured without using selinux.
 Selinux requires at least basic knowledge and administration. Most of
 the people I installed Linux for didn't even know it was there or what
 it's good for.
 You mean like the fuses in your house or the airbag in your car? When
 Selinux is working you don't know it's there. When it alerts you it
 means there's something wrong. I agree that the alerts are not always as
 clear as they might be, but it's a fallacy to suggest that it doesn't
 provide benefit.

 poc

Here is a case of SELinux protecting your house.

http://danwalsh.livejournal.com/71122.html


Re: Removing obsolete selinux setup

2015-01-16 Thread Daniel J Walsh

On 01/16/2015 12:19 PM, Pete Stieber wrote:
 I have a machine that has dokuwiki loaded.  In order to get it to work
 with selinux, I followed some advice that was on:

 https://www.dokuwiki.org/install:fedora

 to allow apache to edit some files:

 semanage fcontext -a -t httpd_mediawiki_rw_content_t '/etc/dokuwiki'
 restorecon -v '/etc/dokuwiki'
 semanage fcontext -a -t httpd_mediawiki_rw_content_t
 '/etc/dokuwiki/users.auth.php'
 restorecon -v '/etc/dokuwiki/users.auth.php'
 semanage fcontext -a -t httpd_mediawiki_rw_content_t
 '/etc/dokuwiki/local.php'
 restorecon -v '/etc/dokuwiki/local.php'

 This worked on 19 and 20, but when I upgraded the machine to Fedora 21
 and the httpd_mediawiki_rw_content_t no longer exists.  I tried

 semanage fcontext -d -t httpd_mediawiki_rw_content_t '/etc/dokuwiki'

 but I get complaints about the media wiki context being invalid.

 How do I remove these obsolete entries from the selinux database?

 Pete
semanage fcontext -d '/etc/dokuwiki/users.auth.php'

Although I am surprised they do not work.


Re: swapping

2015-01-16 Thread Daniel J Walsh

On 01/16/2015 01:57 PM, poma wrote:
 On 16.01.2015 19:47, Daniel J Walsh wrote:
 On 01/16/2015 07:47 AM, Patrick O'Callaghan wrote:
 On Fri, 2015-01-16 at 08:28 +0100, Heinz Diehl wrote:
 On 16.01.2015, Tim wrote: 

 Of course *you* do not *use* it, it's there as a protective device
 against *things* on your system.
 Any recent Linux distribution can be secured without using selinux.
 Selinux requires at least basic knowledge and administration. Most of
 the people I installed Linux for didn't even know it was there or what
 it's good for.
 You mean like the fuses in your house or the airbag in your car? When
 Selinux is working you don't know it's there. When it alerts you it
 means there's something wrong. I agree that the alerts are not always as
 clear as they might be, but it's a fallacy to suggest that it doesn't
 provide benefit.

 poc

 Here is a case of SELinux protecting your house.

 http://danwalsh.livejournal.com/71122.html

 Not to fall to false sense of security, does SElinux need SElinux?


SELinux is the kernel, so does the Kernel need the kernel.

But theoretically SELinux/Kernel can protect itself.  We can prevent
privileged processes (root) from manipulating the SELinux settings.


Re: swapping

2015-01-15 Thread Daniel J Walsh
Usually if you are in this situation, you have a bad labeling problem.

touch /.autorelabel; reboot

Will fix the labels, or you could just do

restorecon -R /

On 01/15/2015 08:15 AM, Michael Cronenworth wrote:
 On 01/15/2015 06:06 AM, Patrick Dupre wrote:
 Very often I reach a situation where I cannot work because fedora
 is swapping permanently.
 I attach the top file.

 I need to restart the machine to have it fix!

 I've seen this on my box, too, but only once. Kill the setroubleshoot
 process and it will return to normal. I've filed a bug.

 https://bugzilla.redhat.com/show_bug.cgi?id=1175827



Re: selinux relabel at boot

2014-12-17 Thread Daniel J Walsh
I will schedule a relabel and take a look at my box.  SSD relabel is
pretty quick.

On 12/16/2014 06:07 PM, Tom Horsley wrote:
 On Tue, 16 Dec 2014 16:58:41 -0500
 Daniel J Walsh wrote:

 What version of Fedora was this?
 A brand new fedora 21 workstation install.

 restorecon -p -R /
 7.4%^C

 Shows Percent done now.
 I'm not sure the actual percentage makes it through
 systemd though to the messages I was looking at during
 boot (I had rhgb turned off, so I was booting in
 text mode). I'm really not sure though if the percent
 was there and I just didn't notice it.



Re: Cannot contact any KDC for realm since upgrading to Fedora 21

2014-12-17 Thread Daniel J Walsh

On 12/17/2014 10:19 AM, Braden McDaniel wrote:
 On 2014-12-17 09:37, fedora wrote:
 selinux?

 It's set to permissive on the F21 (server) box; shouldn't that be
 sufficient? Or do I need to disable it completely to make sure it
 isn't interfering?

If it is in permissive then SELinux is not the issue.  Would prefer that
you ran in enforcing mode though.  :^)


Re: selinux relabel at boot

2014-12-16 Thread Daniel J Walsh

On 12/13/2014 11:42 AM, Marko Vojinovic wrote:
 On Sat, 13 Dec 2014 09:52:35 -0500
 Tom Horsley horsley1...@gmail.com wrote:
 Just a note for someone who might care about this:

 I foolishly forgot to disable selinux in a system
 I created by copying all the files from a virtual image.

 When it booted, it said I've got to relabel everything,
 this may take a while.

 So I figured I'd just wait for it, then a few minutes
 later a message came up about a watchdog expiring
 and it rebooted the system.

 What fun :-). I assume it could have done that all day,
 but I took advantage of the reboot to disable selinux.
 I'm curious --- after the reboot, selinux should continue
 relabeling remaining files, right? So I assume that after a certain
 numbers of reboots it would eventually finish and continue booting?

 Or not?

 Though I agree that selinux should somehow inform the watchdog that a
 global relabel is in progress and that it may take more time than
 usual...

 Best, :-)
 Marko

There should be an indicator on the screen telling you the progress of
the relabel.

Did this machine have a HUGE number of files on it?  SELinux should take
about as much time as a find / on a system.


Re: selinux relabel at boot

2014-12-16 Thread Daniel J Walsh
What version of Fedora was this?

restorecon -p -R /
7.4%^C

Shows Percent done now.

On 12/16/2014 02:03 PM, Tom Horsley wrote:
 On Tue, 16 Dec 2014 13:36:08 -0500
 Daniel J Walsh wrote:

 There should be an indicator on the screen telling you the progress of
 the relabel.
 I don't remember for sure, but I think there was just a cylon eyeball
 bouncing asterisks, not anything telling me about progress.

 Did this machine have a HUGE number of files on it?  SELinux should take
 about as much time as a find / on a system.
 It was a copy of a virtual disk image that had the fedora workstation
 ISO installed on it, so how ever many files that is :-). All I did
 was edit a few UUID and msdosNN partition identifiers in grub.cfg
 and fstab, then booted into it via configfile from a functioning grub.



Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Daniel J Walsh

On 09/24/2014 08:27 PM, Chris Adams wrote:
 Once upon a time, jd1008 jd1...@gmail.com said:
 So, is this one of the ways javascripts exec bash to install malware
 or do other nasty stuff?
 This has nothing to do with Javascript.  It is probably more serious to
 servers, such as web servers, than to desktops.

 On a web server, let's say you have some PHP or perl CGI code, and it
 needs to call out to an external program.  Depending on how the code is
 written, the PHP/perl interpreter may run the external program via
 /bin/sh (which is bash on many systems, especially Linux systems).  Now,
 if the web client has set some specific variables that get put into
 environment variables that get passed on to /bin/sh, bash will execute
 the arbitrary shell code as the web server user (e.g. Apache).

 At that point, it can get full remote access, which can then often see
 database credentials and such, accessing a lot of potentially secure
 data.  Even on RHEL/CentOS/Fedora systems, SELinux probably won't help
 much (since the web user already has access to read that information).
This is wrong.  SELinux would help in the situation of a confined
application: if an application is running as httpd_sys_script_t or
httpd_t it would only be allowed to do what apache or a cgi script is
allowed to do.

SELinux would block it from reading random parts of the OS.  For example,
if I had a world readable file containing credit card data in my home
directory and I had a faulty bash being run by a cgi script on apache,
SELinux would block the bash/cgi script from reading the world readable
file.

Now if you were running as unconfined_t or running in permissive mode or
disabled, then you would not get the protections.
 On a client system, there are some potential routes to exploiting this
 as well.  For example, I think the DHCP and PPP clients will run
 external scripts to configure things (such as DNS, NTP, etc.), using
 environment variables to pass information, so a malicious server could
 potentially get full root access to a vulnerable client system.  In most
 cases though, I don't think bash or /bin/sh get passed arbitrary remote
 data in environment variables on a client system (e.g. desktop).

 I could be missing some things (I'm not entirely familiar with the
 complexity added by modern desktop environments), but I don't think this
 is probably a huge deal for desktop Linux; I think the biggest impact
 would be on web servers with PHP/perl that calls out to external
 programs.




SELinux and the bash exploit.

2014-09-25 Thread Daniel J Walsh
https://danwalsh.livejournal.com/71122.html


Re: SELinux contexts

2014-07-31 Thread Daniel J Walsh

On 07/31/2014 01:52 PM, Paolo Galtieri wrote:
 On 07/31/2014 09:51 AM, Michael Cronenworth wrote:
 On 07/31/2014 10:54 AM, pgaltieri . wrote:
 sudo semanage fcontext -a -t var_log_t 'logs'
 [snip]

 You need to pass the full path here.

 # semanage fcontext -a -t var_log_t /media/NSM/NSM-SENSOR-2/logs

 I tried that and the restorecon and the file type is still file_t
 instead of var_log_t.

 Paolo
# semanage fcontext -a -t var_log_t '/media/NSM/NSM-SENSOR-2/logs(/.*)?'
# restorecon -R -v /media/NSM/NSM-SENSOR-2

Should change labels. 



Re: CPU/Memory

2014-07-23 Thread Daniel J Walsh
I would bet you have a mislabeled machine that is generating hundreds of
AVCs.

ausearch -m avc -ts today

If the system is mislabeled, the easiest thing to do would be

touch /.autorelabel; reboot

On 07/22/2014 07:02 PM, Rick Stevens wrote:
 On 07/22/2014 01:23 PM, Patrick Dupre issued this missive:
 Hello,

 I have 2 machines running fedora 20, one from 2007 with a dual processor
 and 3 Go, and a recent one (2013) with a quad processor an 8 Go.
 But it is a lot more convenient to use the old machine!!!
 The recent one is always busy, 4 processors running
 53.1 55.9 /usr/bin/python -Es /usr/sbin/setroubleshootd -f
   and the memory becomes full quickly requiring swapping!!
 8 Go for the OS and firefox! Something is wrong.

 Should I kill setroubleshootd?

 The first thing is to see why you're getting AVC denials from SELinux
 in the first place. setroubleshootd should only fire if it's getting
 denials. Try running sealert -b and see if you're getting denials and
 what you can do about them.

 --
 - Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
 - AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
 --
 -   To err is human, to moo bovine.  -
 --


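Dan's advice here, like the AVC records quoted in the 2015-02-17 "swapping" post above, comes down to reading the denials. The script below is an added example, not code from the thread: it summarises `ausearch -m avc` output by source type, target type, class and permission, and flags targets with unlabeled types such as file_t, which is the mislabeling case that `touch /.autorelabel; reboot` fixes. The sample records are constructed, modelled on the ones quoted in the thread.

```python
"""Summarise SELinux AVC denials from ausearch output (added example).
Pipe in `ausearch -m avc -ts today` to see which source/target type pairs
dominate and whether the targets look mislabeled."""
import re
import sys
from collections import Counter

# Constructed sample records modelled on the thread's mozilla_plugin_t denials;
# the third line is a made-up denial against an unlabeled (file_t) target.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1424168108.864:452969): avc:  denied  { execute } for  pid=25724 comm="plugin-containe" path="/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so" dev="dm-0" ino=241943 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1424168108.915:452971): avc:  denied  { execute } for  pid=25730 comm="plugin-containe" path="/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so" dev="dm-0" ino=241943 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1424168200.100:452980): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that almost always mean files were created or copied without a
# proper label: the fix is restorecon (or an autorelabel), not a policy change.
UNLABELED_TYPES = {"file_t", "default_t", "unlabeled_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record into a dict; return None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields.get("tclass", "?"),
        "comm": fields.get("comm", "?"),
        "target": fields.get("path") or fields.get("name") or "?",
        "permissive": fields.get("permissive") == "1",
    }


def summarize(text):
    """Group denials by (source type, target type, class, perms), most frequent first."""
    counts = Counter()
    first_seen = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"], rec["perms"])
        counts[key] += 1
        first_seen.setdefault(key, rec)
    rows = []
    for key, n in counts.most_common():
        rec = first_seen[key]
        rows.append({
            "count": n,
            "source_type": key[0],
            "target_type": key[1],
            "tclass": key[2],
            "perms": key[3],
            "comm": rec["comm"],
            "target": rec["target"],
            "likely_mislabel": key[1] in UNLABELED_TYPES,
        })
    return rows


def format_report(rows):
    """One line per denial signature, with a hint when the target is unlabeled."""
    out = []
    for r in rows:
        hint = "  <- unlabeled target, run restorecon" if r["likely_mislabel"] else ""
        out.append("%5d  %s -> %s (%s %s) e.g. %s %s%s" % (
            r["count"], r["source_type"], r["target_type"], r["tclass"],
            ",".join(r["perms"]), r["comm"], r["target"], hint))
    return "\n".join(out)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AVC_LOG
    print(format_report(summarize(text)))
```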

Re: Wifi connection issues with Intel?

2014-06-16 Thread Daniel J Walsh

On 06/12/2014 10:14 AM, Richard Shaw wrote:
 On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh dwa...@redhat.com
 mailto:dwa...@redhat.com wrote:

 The full unifi software is java with a mongodb database backend
 and works fine. I have a RPM I created, the only problem I
 haven't been able to fix is the selinux issues, one for the
 private mongodb instance, and then the ports it binds to. 
 Please open a bugzilla for the SELinux issues.


 Before I open a BZ, here's what I have in my spec file which from what
 I understand should be persistent...

 %posttrans
 /usr/sbin/semanage fcontext -e /var/lib/mongod /var/lib/unifi/logs(/.*)?
 /usr/sbin/semanage fcontext -e /var/lib/mongod /var/lib/unifi/data(/.*)?
 /usr/sbin/semanage port -m -t mongod_port_t 27117

 Or should this be handled in a policy?

 Thanks,
 Richard


I think your post install should look like:

/usr/sbin/semanage fcontext -e /var/log/mongod /var/lib/unifi/logs
/usr/sbin/semanage fcontext -e /var/lib/mongod /var/lib/unifi/data
/usr/sbin/semanage port -m -t mongod_port_t 27117

Don't use the regex. Also I would figure the logs should be labeled
mongod_log_t rather than mongod_lib_t.

If this is a standard location for this code, we should put it into the
base package.




Re: Wifi connection issues with Intel?

2014-06-16 Thread Daniel J Walsh

On 06/16/2014 01:35 PM, Richard Shaw wrote:
 On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh dwa...@redhat.com
 mailto:dwa...@redhat.com wrote:


 On 06/12/2014 10:14 AM, Richard Shaw wrote:
 On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh
 dwa...@redhat.com mailto:dwa...@redhat.com wrote:

 The full unifi software is java with a mongodb database
 backend and works fine. I have a RPM I created, the only
 problem I haven't been able to fix is the selinux issues,
 one for the private mongodb instance, and then the ports it
 binds to. 
 Please open a bugzilla for the SELinux issues.


 Before I open a BZ, here's what I have in my spec file which from
 what I understand should be persistent...

 %posttrans
 /usr/sbin/semanage fcontext -e /var/lib/mongod
 /var/lib/unifi/logs(/.*)?
 /usr/sbin/semanage fcontext -e /var/lib/mongod
 /var/lib/unifi/data(/.*)?
 /usr/sbin/semanage port -m -t mongod_port_t 27117

 Or should this be handled in a policy?

 Thanks,
 Richard


 I think your post install should look like:

 /usr/sbin/semanage fcontext -e /var/log/mongod /var/lib/unifi/logs
 /usr/sbin/semanage fcontext -e /var/lib/mongod /var/lib/unifi/data
 /usr/sbin/semanage port -m -t mongod_port_t 27117

 Don't use the regex. Also I would figure the logs should be
 labeled mongod_log_t rather than mongod_lib_t.


 What is the concern with regex?

 It is specific to packaging? Most of the examples I found online used
 that method... As far as the label, since everything is getting dumped
 in /var/lib I figured that would be OK. 


Not a concern with regex; it just will not work.  The examples you have
seen online were not using equivalence.  They were using generic
labelling.

Equivalence tells SELinux to swap the second part of the path with the
first.  Your code would only match file paths that began with
/var/lib/unifi/logs(/.*)?  Not /var/lib/unifi/logs/foobar.log

 If this is a standard location for this code, we should put it
 into the base package.


 There is not a standard install location, the install will work as
 long as everything stays in the same relative location (the unifi
 directory). Since it writes a lot of stuff I figured /var was the best
 (only?) real option. 

Yes
 Following the example of a draft wiki I can't find anymore I had
 modified the scripts to this instead of using %posttrans:
 %post
 semanage fcontext -a -t mongod_var_lib_t \
 "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
 semanage fcontext -a -t mongod_var_lib_t \
 "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
 restorecon -R %{_sharedstatedir}/unifi/logs || :
 restorecon -R %{_sharedstatedir}/unifi/data || :
 semanage port -m -t mongod_port_t 27117 || :

 %postun
 if [ $1 -eq 0 ] ; then  # final removal
 semanage fcontext -d -t mongod_var_lib_t \
 "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
 semanage fcontext -d -t mongod_var_lib_t \
 "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
 fi

 Thanks,
 Richard


That should work.  You could speed it up by combining both semanage
fcontext lines into a single transaction. Something like:

semanage -S targeted -i - 2>/dev/null << _EOF || :
fcontext -a -t mongod_var_lib_t %{_sharedstatedir}/unifi/logs(/.*)?
fcontext -a -t mongod_var_lib_t %{_sharedstatedir}/unifi/data(/.*)?
_EOF


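A simplified model of how the label is resolved, added here as an example (not semanage's or libselinux's code), covering both the equivalence point and the regex-rule alternative discussed in this message: an equivalence from semanage fcontext -e is a literal prefix substitution applied before the file_contexts regexes are matched, and among the regexes the last match wins. The policy fragment, paths and the BROKEN_SUBS/FIXED_SUBS/LOCAL_RULES names are constructed for the example.

```python
"""Model of SELinux file-label resolution: equivalence substitution first,
then regex rules, last match wins (added example; simplified)."""
import re

# Distribution-style file_contexts fragment (constructed): generic patterns
# first, specific ones later, because the LAST matching regex wins.
FILE_CONTEXTS = [
    (r"/var/lib(/.*)?", "var_lib_t"),
    (r"/var/log(/.*)?", "var_log_t"),
    (r"/var/lib/mongod(/.*)?", "mongod_var_lib_t"),
    (r"/var/log/mongod(/.*)?", "mongod_log_t"),
]

# `semanage fcontext -e SUBSTITUTE TARGET` entries.  The TARGET (first element
# here) is compared LITERALLY as a path prefix; regex syntax is just characters.
BROKEN_SUBS = [  # the spec-file version from the thread: a regex in an equivalence
    ("/var/lib/unifi/logs(/.*)?", "/var/lib/mongod"),
    ("/var/lib/unifi/data(/.*)?", "/var/lib/mongod"),
]
FIXED_SUBS = [   # plain prefixes, with logs mapped to the log location
    ("/var/lib/unifi/logs", "/var/log/mongod"),
    ("/var/lib/unifi/data", "/var/lib/mongod"),
]
# The other approach from the thread: regex rules added with
# `semanage fcontext -a -t ...`.  They go to file_contexts.local, which is
# consulted after the distribution rules, so on a match they override.
LOCAL_RULES = [
    (r"/var/lib/unifi/logs(/.*)?", "mongod_var_lib_t"),
    (r"/var/lib/unifi/data(/.*)?", "mongod_var_lib_t"),
]


def apply_subs(path, subs):
    """Rewrite `path` through the first equivalence whose target is the path
    itself or one of its parent directories (match on a component boundary)."""
    for target, substitute in subs:
        if path == target or path.startswith(target + "/"):
            return substitute + path[len(target):]
    return path


def label_for(path, subs, file_contexts):
    """Return the type a path would get, or None if no rule matches."""
    lookup = apply_subs(path, subs)
    label = None
    for pattern, type_name in file_contexts:
        if re.fullmatch(pattern, lookup):
            label = type_name          # keep scanning: last match wins
    return label


if __name__ == "__main__":
    for name, subs in (("broken", BROKEN_SUBS), ("fixed", FIXED_SUBS)):
        for p in ("/var/lib/unifi/logs", "/var/lib/unifi/logs/foobar.log",
                  "/var/lib/unifi/data/db/x.wt"):
            print("%-6s %-32s -> %s" % (name, p, label_for(p, subs, FILE_CONTEXTS)))
    print("local  /var/lib/unifi/logs/foobar.log   ->",
          label_for("/var/lib/unifi/logs/foobar.log", [], FILE_CONTEXTS + LOCAL_RULES))
```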

Re: Selinux Packaging [WAS: Wifi connection issues with Intel?]

2014-06-16 Thread Daniel J Walsh

On 06/16/2014 02:15 PM, Richard Shaw wrote:
 On Mon, Jun 16, 2014 at 1:08 PM, Daniel J Walsh dwa...@redhat.com
 mailto:dwa...@redhat.com wrote:


 On 06/16/2014 01:35 PM, Richard Shaw wrote:
 On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh
 dwa...@redhat.com mailto:dwa...@redhat.com wrote:


 On 06/12/2014 10:14 AM, Richard Shaw wrote:
 On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh <dwa...@redhat.com> wrote:

 The full unifi software is java with a mongodb database
 backend and works fine. I have a RPM I created, the
 only problem I haven't been able to fix is the selinux
 issues, one for the private mongodb instance, and then
 the ports it binds to. 
 Please open a bugzilla for the SELinux issues.


 Before I open a BZ, here's what I have in my spec file which
 from what I understand should be persistent...

 %posttrans
 /usr/sbin/semanage fcontext -e /var/lib/mongod
 /var/lib/unifi/logs(/.*)?
 /usr/sbin/semanage fcontext -e /var/lib/mongod
 /var/lib/unifi/data(/.*)?
 /usr/sbin/semanage port -m -t mongod_port_t 27117

 Or should this be handled in a policy?

 Thanks,
 Richard


 I think your post install should look like.

 /usr/sbin/semanage fcontext -e /var/log/mongod
 /var/lib/unifi/logs
 /usr/sbin/semanage fcontext -e /var/lib/mongod
 /var/lib/unifi/data
 /usr/sbin/semanage port -m -t mongod_port_t 27117

 Don't use the regex. Also I would figure the logs should be
 labeled mongod_log_t rather then mongod_lib_t.


 What is the concern with regex?

 It is specific to packaging? Most of the examples I found online
 used that method... As far as the label, since everything is
 getting dumped in /var/lib I figured that would be OK. 


 It is not a concern with regex; it just will not work.  The examples you
 have seen online were not using equivalence.  They were using
 generic labelling.

 Equivalence tells SELinux to swap the second part of the path with
 the first.  Your code would only match file paths that began with
 /var/lib/unifi/logs(/.*?), not /var/lib/unifi/logs/foobar.log.

 If this is a standard location for this code, we should put
 it into the base package.


 There is not a standard install location, the install will work
 as long as everything stays in the same relative location (the
 unifi directory). Since it writes a lot of stuff I figured /var
 was the best (only?) real option. 

 Yes

 Following the example of a draft wiki I can't find anymore I had
 modified the scripts to this instead of using %posttrans:
 %post
 semanage fcontext -a -t mongod_var_lib_t \
 %{_sharedstatedir}/unifi/logs(/.*)? 2>/dev/null || :
 semanage fcontext -a -t mongod_var_lib_t \
 %{_sharedstatedir}/unifi/data(/.*)? 2>/dev/null || :
 restorecon -R %{_sharedstatedir}/unifi/logs || :
 restorecon -R %{_sharedstatedir}/unifi/data || :
 semanage port -m -t mongod_port_t 27117 || :

 %postun
 if [ $1 -eq 0 ] ; then  # final removal
 semanage fcontext -d -t mongod_var_lib_t \
 %{_sharedstatedir}/unifi/logs(/.*)? 2>/dev/null || :
 semanage fcontext -d -t mongod_var_lib_t \
 %{_sharedstatedir}/unifi/data(/.*)? 2>/dev/null || :
 fi


 That should work.  You could speed it up by combining both semanage
 fcontext lines into a single transaction. Something like:

 semanage -S targeted -i - 2>/dev/null <<_EOF || :
 fcontext -a -t mongod_var_lib_t %{_sharedstatedir}/unifi/logs(/.*)?
 fcontext -a -t mongod_var_lib_t %{_sharedstatedir}/unifi/data(/.*)?
 _EOF


 Ok, just to be clear, I still need to remove the (/.*)? parts? I found
 the packaging draft I referred to:

 http://fedoraproject.org/wiki/PackagingDrafts/SELinux

 Which shows including it.

 Thanks,
 Richard


If you use the -e option, you do not use them; if you are using the -a
option, you do.

Your first message said you used:

/usr/sbin/semanage fcontext -e /var/lib/mongod /var/lib/unifi/logs(/.*)?
/usr/sbin/semanage fcontext -e /var/lib/mongod /var/lib/unifi/data(/.*)?

which is wrong because you used the -e.

Your second email said you were doing:

semanage fcontext -d -t mongod_var_lib_t \
%{_sharedstatedir}/unifi/logs(/.*)? 2>/dev/null || :
semanage fcontext -d -t mongod_var_lib_t \
%{_sharedstatedir}/unifi/data(/.*)? 2>/dev/null || :

which used the -a, which was correct; it needs the regex.


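Added example, not code from the thread: a small check for the -a vs -e distinction Dan describes, plus a builder for the single-transaction batch he suggests feeding to `semanage -S targeted -i -`. The function names are mine, and %{_sharedstatedir} is assumed to expand to /var/lib.

```python
"""Lint 'semanage fcontext' scriptlet lines for the -a vs -e mix-up discussed
above and build the batch that 'semanage -S targeted -i -' reads.
Added example; function names and the /var/lib expansion are assumptions."""
import re
import shlex

# Metacharacters that only belong in a regular-expression file spec (-a/-d/-m).
_REGEX_META = re.compile(r"[()\[\]*?+|\\^$]")

# semanage options that take a value but do not matter for this check.
_VALUED_OPTS = {"-S", "--store", "-f", "--ftype", "-s", "--seuser", "-r", "--range"}

# The unifi directories from the thread, %{_sharedstatedir} expanded to /var/lib.
UNIFI_DIRS = ["/var/lib/unifi/logs", "/var/lib/unifi/data"]


def lint_fcontext(cmdline):
    """Return a list of findings for one 'semanage fcontext ...' command (or a
    bare 'fcontext ...' batch line); an empty list means it follows the rules:
    -e takes two literal paths (existing path, then the new one) and never a
    regex, while -a/-d/-m take one file spec that needs (/.*)? for a subtree."""
    for shell_token in ("||", "2>", ">"):          # drop trailing shell redirections
        cmdline = cmdline.split(shell_token)[0]
    argv = shlex.split(cmdline)
    if argv and argv[0] == "semanage":
        argv = argv[1:]
    if not argv or argv[0] != "fcontext":
        return ["not a semanage fcontext command"]

    mode, equivalence, setype, paths = None, False, None, []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-a", "--add", "-d", "--delete", "-m", "--modify"):
            mode = arg.lstrip("-")[0]
        elif arg in ("-e", "--equal"):
            equivalence = True
        elif arg in ("-t", "--type"):
            i += 1
            setype = argv[i] if i < len(argv) else None
        elif arg in _VALUED_OPTS:
            i += 1                                  # skip the option's value
        elif not arg.startswith("-"):
            paths.append(arg)
        i += 1

    findings = []
    if equivalence:
        if len(paths) != 2:
            findings.append("-e needs exactly two paths: existing path, then new path")
        for p in paths:
            if _REGEX_META.search(p):
                findings.append(f"-e swaps a literal prefix; drop the regex in {p!r}")
    else:
        if len(paths) != 1:
            findings.append("-a/-d/-m take exactly one file spec")
        elif not _REGEX_META.search(paths[0]):
            findings.append(f"{paths[0]!r} labels only that path; append (/.*)? for the subtree")
        if mode in ("a", "m") and setype is None:
            findings.append("-a/-m need -t <type>")
    return findings


def fcontext_batch(op, setype, dirs):
    """Build the stdin for 'semanage -S targeted -i -': one fcontext rule per
    directory, each covering its subtree, so %post (op='a') and %postun
    (op='d') each run a single policy transaction instead of one per rule."""
    lines = [f"fcontext -{op} -t {setype} {d}(/.*)?" for d in dirs]
    for line in lines:
        problems = lint_fcontext(line)
        if problems:
            raise ValueError(f"{line}: {problems}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The -e form from the first spec file, then the corrected -a form.
    for cmd in ("semanage fcontext -e /var/lib/mongod /var/lib/unifi/logs(/.*)?",
                "semanage fcontext -a -t mongod_var_lib_t /var/lib/unifi/logs(/.*)? 2>/dev/null || :"):
        print(cmd, "->", lint_fcontext(cmd) or "ok")
    print(fcontext_batch("a", "mongod_var_lib_t", UNIFI_DIRS), end="")
```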

Re: Wifi connection issues with Intel?

2014-06-12 Thread Daniel J Walsh


On 06/11/2014 01:48 PM, Richard Shaw wrote:
 On Wed, Jun 11, 2014 at 3:31 PM, poma <pomidorabelis...@gmail.com> wrote:

 There are four indoor models, and basic one ain't 5 GHz.


 Yes, I have the basic one, so it does support n but in 2.4GHz only.

  

 Besides there is no soft for the linux distros.

  
 The discovery software is java based and does run, but I couldn't get
 it to work.

 The full unifi software is java with a mongodb database backend and
 works fine. I have a RPM I created, the only problem I haven't been
 able to fix is the selinux issues, one for the private mongodb
 instance, and then the ports it binds to. 

 Richard


Please open a bugzilla for the SELinux issues.


Re: google-chrome + selinux + ecryptfs

2014-06-12 Thread Daniel J Walsh
How is ecryptfs supposed to work?

On 06/12/2014 03:13 PM, Pal, Laszlo wrote:
 node= type=SYSCALL msg=audit(1402610675.802:3612): arch=c03e
 syscall=47 success=yes exit=1 a0=12 a1=7f4cb29bb490 a2=40 a3=2 items=0
 ppid=8 pid=13635 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2
 comm=Chrome_ChildIOT exe=/opt/google/chrome/chrome
 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
 key=(null)
 node=tohuvabohu.balabit type=AVC msg=audit(1402610675.802:3613): avc:
 denied  { write } for  pid=13634 comm=chrome
 path=/home/.ecryptfs/vlad/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gSom1uZp3eGnWRADC8b67AE--/ECRYPTFS_FNEK_ENCRYPTED.FXbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gTtA3nsOQygKTjpvYs63foAeJEpmcXUfgP6gU.7wmAuY-/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7g5coEDCbOTnV-amR0ZN6y1---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gT3djTOmDHoPUHtuBzF97EU--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7geU1qaFnPHLsuy1RmqbGnBE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7glEd5RSiZ49p5vw44TzFM3E--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gKBDK1Q1GxCxyo3TiIlYCnE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gmuai.t4ZEmP-LatO12SQ.E--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gIB221z5L1BsC-c-sHPGaQ---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gqsU3WtY8FrzmtcENIeC0CE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gt-ZfSVe491Z7eplRchJ3qE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gSHKUZ6b8Mf6vlIo3pRzAj---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gC2jhQP5bAQcJMOMBLlUW1U--
 dev=dm-2 ino=16123428
 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file



Re: Problem with selinux and milter-greylist

2014-05-27 Thread Daniel J Walsh

On 05/27/2014 01:35 PM, arag...@dcsnow.com wrote:
  Looks like the milter-greylist.sock is mislabeled. What directory is it
  in? Why isn't it in /run?

 Well, see, I was following a guide (probably old) that pointed
 Sendmail to /var/milter-greylist, so I just changed the greylist.conf
 file instead of changing the sendmail.mc file.

 Now that you mentioned that, I switched them and it works fine.
 However, I'm still a bit confused why I was not able to just add a
 rule to get Selinux to allow the access.  It just seemed confused as
 to what needed to be done.

You could either adjust SELinux or adjust the App.  If the app is doing
the wrong thing, I would prefer to fix the app.
 ---
 Will Y.





Re: Set SELinux to allow only httpd daemon to use specific tty device

2014-05-06 Thread Daniel J Walsh

On 05/06/2014 12:03 AM, Emmanuel Noobadmin wrote:
 On 5/5/14, Daniel J Walsh dwa...@redhat.com wrote:
 Simplest would be to just use
 # grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
 # semodule -i myhttp.pp

 This would allow httpd_t processes the ability to use usb_device_t.
 If you really wanted to tighten it up, you could build a custom policy
 that put a different label on /dev/usbDataCollector and allow httpd_t
 access to this device.

 Something like

 # cat myhttp.te
 policy_module(myhttp, 1.0)
 gen_require(`
 type httpd_t;
 ')

 type httpd_device_t;
 dev_node(httpd_device_t)

 allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;

 # cat myhttp.fc
 /dev/usbDataCollector    -c    gen_context(system_u:object_r:httpd_device_t,s0)

 # make -f /usr/share/selinux/devel/Makefile
 # semodule -i myhttp.pp
 # restorecon -v /dev/usbDataCollector
 Thanks for the reply, I'll keep this in mind for the next machine.
 Currently, I'm unable to test it out since F20 stopped booting (for no
 reason I could figure out) on the laptop and I had to resort to
 another distribution.
I wrote a blog on this discussion.

https://danwalsh.livejournal.com/69221.html


Re: cups-pdf

2014-05-05 Thread Daniel J Walsh

On 05/04/2014 06:27 PM, Patrick Dupre wrote:

 - Original Message -
 From: Steven Stern
 Sent: 05/05/14 12:03 AM
 To: Community support for Fedora users
 Subject: Re: cups-pdf

 On 05/04/2014 04:57 PM, Patrick Dupre wrote:

 - Original Message -
 From: Steven Stern
 Sent: 05/04/14 11:53 PM
 To: Community support for Fedora users
 Subject: Re: cups-pdf

 On 05/04/2014 04:48 PM, Patrick Dupre wrote:
 When I try to use cups-pdf to generate pdf file, I have no output.
 /var/log//cups/cups-pdf_log
 shows an error:

 Sun May 4 23:22:44 2014 [ERROR] ghostscript reported an error (256)
 Sun May 4 23:22:44 2014 [ERROR] failed to set file mode for PDF file 
 (non fatal) (/home/pdupre/Desktop/NICE-OHMS_v2.pdf)

 I did not find the solution on internet!

 Thank for your help.

 Is SELinux in enforcing mode?
 Yes, If I switch to permissive then the pdf file is generated.

 But on another machine, the file generation is OK even in enforced mode!
 (BOTH fc20).
 Well, there you go! Either you once created an overriding policy or...

 How do I do this?
 sealert should offer to show you how to create a policy to allow it. Do
 you have the setroubleshootd daemon running?
 Yes, I think so.
 It is running, but it does not report any alert!

 Now it works,
 Thank.

 sealert -a /var/log/audit

 or

 sudo grep pdf /var/log/audit/audit.log | audit2allow -M mypol
 sudo semodule -i mypol.pp


 -- 
 -- Steve

 ===
  Patrick DUPRÉ | | email: pdu...@gmx.com
  Laboratoire de Physico-Chimie de l'Atmosphère | |
  Université du Littoral-Côte d'Opale   | |
  Tel.  (33)-(0)3 28 23 76 12   | | Fax: 03 28 65 82 44
  189A, avenue Maurice Schumann | | 59140 Dunkerque, France
 ===

After cups-pdf is denied, execute:

audit2allow -m avc -ts recent -i

If this does not generate any AVC's then try with semodule -DB then
run the test again.

semodule -DB will disable dontaudit rules.

semodule -B will turn them back on.
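Added example, not code from either thread: a parser for raw audit.log AVC records (the lines `grep ... | audit2allow` consumes, not the interpreted `ausearch -i` output) that collapses denials into the allow rules a generated module would carry, so they can be read before `semodule -i`. It serves both the ecryptfs denial above and the cups-pdf audit2allow step; the sample records are constructed (paths shortened, the cups-pdf record is my assumption), and the function names are mine.

```python
"""Parse raw audit.log AVC records and show the allow rules they would become.
Added example; SAMPLE_AUDIT_LOG is constructed, modelled on the threads above."""
import re
from collections import defaultdict

# Constructed sample: the chrome_sandbox_t write into an ecryptfs_t home
# (paths shortened) and an assumed cups-pdf setattr on the generated PDF.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1402610675.802:3612): arch=c000003e syscall=47 success=yes exit=1 comm="Chrome_ChildIOT" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
node=tohuvabohu.balabit type=AVC msg=audit(1402610675.802:3613): avc:  denied  { write } for  pid=13634 comm="chrome" path="/home/.ecryptfs/vlad/.Private/ECRYPTFS_FNEK_ENCRYPTED.EXAMPLE1" dev="dm-2" ino=16123428 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file
type=AVC msg=audit(1402610675.803:3614): avc:  denied  { read write } for  pid=13634 comm="chrome" path="/home/.ecryptfs/vlad/.Private/ECRYPTFS_FNEK_ENCRYPTED.EXAMPLE2" dev="dm-2" ino=16123429 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file
type=AVC msg=audit(1399245764.120:4401): avc:  denied  { setattr } for  pid=2210 comm="cups-pdf" name="NICE-OHMS_v2.pdf" dev="dm-1" ino=9201 scontext=system_u:system_r:cups_pdf_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

_AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """The third field of user:role:type[:range] is the type policy reasons about."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one raw AVC record, or None for any other audit line
    (SYSCALL, CWD, PATH records are skipped)."""
    m = _AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "verdict": m["verdict"], "perms": m["perms"].split()}
    for key, val in _KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def parse_audit_log(text, comm=None):
    """Parse every denial in an audit.log excerpt, optionally keeping only the
    command a 'grep pdf' style filter would have selected (e.g. comm='cups-pdf')."""
    recs = [r for r in map(parse_avc, text.splitlines()) if r and r["verdict"] == "denied"]
    if comm is not None:
        recs = [r for r in recs if r.get("comm") == comm]
    return recs


def to_allow_rules(recs):
    """Collapse denials into 'allow source target:class { perms };' lines, the
    shape audit2allow emits, merging permissions per (source, target, class)."""
    perms = defaultdict(set)
    for r in recs:
        perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


if __name__ == "__main__":
    for rule in to_allow_rules(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(rule)
```

A rule that grants a confined domain broad access (here chrome_sandbox_t writing ecryptfs_t, the whole encrypted home) is the cue to fix labels or the application instead of loading the module.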


Re: Set SELinux to allow only httpd daemon to use specific tty device

2014-05-05 Thread Daniel J Walsh

On 05/04/2014 12:22 AM, Emmanuel Noobadmin wrote:
 Using Fedora 20 3.11.10-301.fc20.x86_64 and selinux targeted policy.29

 I've a PHP application that sends data to a USB tty device e.g.
 /dev/usbDataCollector

 Unfortunately selinux is blocking this action. When set to permissive,
 the alert browser suggests the command: setsebool -P daemons_use_tty 1

 The documentation says Allow all daemons the ability to use
 unallocated ttys. This naturally doesn't sound like a good idea
 although admittedly it probably won't hurt in this particular
 installation. However, I thought it would be good to find the
 'correct' solution to this.

 But I am unable to find a more fine-grained SELinux control for this.
 Fedora 20 has no documentation, and the only vaguely relevant one I
 could find elsewhere is httpd_tty_com, which appears unrelated as it is
 about allowing httpd to communicate with a terminal.

 So the question is whether there is any way to do this or is allowing
 all daemons the only option?
Simplest would be to just use
# grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

This would allow httpd_t processes the ability to use usb_device_t.
If you really wanted to tighten it up, you could build a custom policy
that put a different label on /dev/usbDataCollector and allow httpd_t
access to this device.

Something like

# cat myhttp.te
policy_module(myhttp, 1.0)
gen_require(`
type httpd_t;
')

type httpd_device_t;
dev_node(httpd_device_t)

allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;

# cat myhttp.fc
/dev/usbDataCollector    -c    gen_context(system_u:object_r:httpd_device_t,s0)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myhttp.pp
# restorecon -v /dev/usbDataCollector





Re: Trouble starting webex in F20

2014-05-02 Thread Daniel J Walsh

On 05/01/2014 06:26 PM, Chris Kottaridis wrote:

 On 05/01/2014 05:08 PM, Rick Stevens wrote:
 On 05/01/2014 01:40 PM, Andrew Azores issued this missive:
 On 05/01/2014 04:27 PM, Chris Kottaridis wrote:

 On 05/01/2014 02:11 PM, Deepak Bhole wrote:
 * Chris Kottaridis chris...@quietwind.net [2014-05-01 13:25]:
 I have an F19 and an F20 host and when I try to start a webex on the
 F20 host it doesn't work right. It works fine on the F19 machine.

 The symptom is that when I start the webex in F20 it sends up a
 message about wanting to run an applet and I tell it yes it's OK to
 run the applet. That doesn't come up on the F19 host. On the F19 the
 icedtea icon pops up for a short time and then I get connected. I
 don't see the icedtea icon pop up in F20.

 I did notice that icedtea is at 1.5 in F20, but at 1.4 for F19 and
 there is some policy control added in 1.5. I set the policy to allow
 all applets to do everything for the time being in the
 .config/icedtea-web/security/java.policy file which the icedtea-web
 man page says is the default policy file.

 Any ideas on what the difference might be between F19 and F20 would
 be appreciated or pointer to a different group that could help.

 Sorry that I only have rather high level usage info, but so far
 other then this issue with starting a webex everything seems OK that
 I have tried so far.

 Hi Chris,

 Is it possible for us to reproduce this? If so, what are the steps?
 You'd need a webex account.

 Hmm, there's no way to reproduce it with the test meeting [0] ?


 After some more playing it seems the issue is when I try to share my
 desktop it doesn't get shared in F20, but does in F19.

 So the Webex applet is successfully starting with both, then?


 That is what's so weird is it works like a champ in F19. I assume
 there is just something missing, maybe something I need to install or
 some permission or configuration setting. I haven't found anything in
 any log files yet to help point to what the problem might be.

 When I connect to webex to start a session if I click on Activities I
 see a webex icon of a ball that is half green and half blue and the
 name is sun-applet-PluginMain on the activites list. After I click
 on share desktop I see a second icon like that which says Atasjni on
 the F19, but still only have the one on F20. So, it seems some app is
 having trouble getting started when I click to share desktop. So, far
 I haven't found any complaint in any log file though.

 Thanks
 Chris Kottaridis

 Do you have any log files at all to share? You can also try launching
 your browser from terminal (assuming this is starting through a browser
 at all), and capture the output with a redirect or tee there.

 Also, just a note that IcedTea-Web 1.5 is available for Fedora 19 as
 well. Although if you appear to be having problems after the 1.5
 update,
 I wouldn't recommend you update to it yet - not until we figure out
 what's going on here! With 1.5 on both Fedora 19 (native) and 20 (VM),
 Webex works fine, but I haven't tried this 'share desktop'
 functionality.

 [0] http://www.webex.com/test-meeting.html

 Also check to see if there's perhaps a SELinux alert going along with
 this. There may be changes to selinux configs that block sharing the
 desktop.

 I don't know a lot about selinux, but I used the SELinux management
 tool to just disable SELinux.



 So, I assume SELinux is out of the picture for now.

 But, I think it is probably some local configuration issue like that.

 Thanks
 Chris Kottaridis
 --
 - Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
 - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
 --
 - We have enough youth, how about a fountain of SMART?   -
 --



Putting SELinux into permissive mode would have been plenty.  Setting
the machine to disabled will only take place on the next reboot.

If SELinux is blocking the web browser from sharing desktop you could
turn off one of these booleans, which would probably fix your problem.

unconfined_chrome_sandbox_transition -- on
unconfined_mozilla_plugin_transition -- on
setsebool -P unconfined_chrome_sandbox_transition 0
setsebool -P unconfined_mozilla_plugin_transition 0

You would need to restart the browser.



Re: Trouble starting webex in F20

2014-05-02 Thread Daniel J Walsh

On 05/02/2014 01:19 PM, Chris Kottaridis wrote:

 On 05/02/2014 12:07 PM, Daniel J Walsh wrote:

 On 05/01/2014 06:26 PM, Chris Kottaridis wrote:

 On 05/01/2014 05:08 PM, Rick Stevens wrote:
 On 05/01/2014 01:40 PM, Andrew Azores issued this missive:
 On 05/01/2014 04:27 PM, Chris Kottaridis wrote:

 On 05/01/2014 02:11 PM, Deepak Bhole wrote:
 * Chris Kottaridis chris...@quietwind.net [2014-05-01 13:25]:
 I have an F19 and an F20 host and when I try to start a webex
 on the
 F20 host it doesn't work right. It works fine on the F19 machine.

 The symptom is that when I start the webex in F20 it sends up a
 message about wanting to run an applet and I tell it yes it's
 OK to
 run the applet. That doesn't come up on the F19 host. On the
 F19 the
 icedtea icon pops up for a short time and then I get connected. I
 don't see the icedtea icon pop up in F20.

 I did notice that icedtea is at 1.5 in F20, but at 1.4 for F19 and
 there is some policy control added in 1.5. I set the policy to
 allow
 all applets to do everything for the time being in the
 .config/icedtea-web/security/java.policy file which the
 icedtea-web
 man page says is the default policy file.

 Any ideas on what the difference might be between F19 and F20
 would
 be appreciated or pointer to a different group that could help.

 Sorry that I only have rather high level usage info, but so far
 other then this issue with starting a webex everything seems OK
 that
 I have tried so far.

 Hi Chris,

 Is it possible for us to reproduce this? If so, what are the steps?
 You'd need a webex account.

 Hmm, there's no way to reproduce it with the test meeting [0] ?


 After some more playing it seems the issue is when I try to share my
 desktop it doesn't get shared in F20, but does in F19.

 So the Webex applet is successfully starting with both, then?


 That is what's so weird is it works like a champ in F19. I assume
 there is just something missing, maybe something I need to
 install or
 some permission or configuration setting. I haven't found
 anything in
 any log files yet to help point to what the problem might be.

 When I connect to webex to start a session if I click on
 Activities I
 see a webex icon of a ball that is half green and half blue and the
 name is sun-applet-PluginMain on the activites list. After I click
 on share desktop I see a second icon like that which says Atasjni on
 the F19, but still only have the one on F20. So, it seems some
 app is
 having trouble getting started when I click to share desktop. So,
 far
 I haven't found any complaint in any log file though.

 Thanks
 Chris Kottaridis

 Do you have any log files at all to share? You can also try launching
 your browser from terminal (assuming this is starting through a
 browser
 at all), and capture the output with a redirect or tee there.

 Also, just a note that IcedTea-Web 1.5 is available for Fedora 19 as
 well. Although if you appear to be having problems after the 1.5
 update,
 I wouldn't recommend you update to it yet - not until we figure out
 what's going on here! With 1.5 on both Fedora 19 (native) and 20
 (VM),
 Webex works fine, but I haven't tried this 'share desktop'
 functionality.

 [0] http://www.webex.com/test-meeting.html

 Also check to see if there's perhaps a SELinux alert going along with
 this. There may be changes to selinux configs that block sharing the
 desktop.

 I don't know a lot about selinux, but I used the SELinux management
 tool to just disable SELinux.



 So, I assume SELinux is out of the picture for now.

 But, I think it is probably some local configuration issue like that.

 Thanks
 Chris Kottaridis
 --
 - Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
 - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
 --
 - We have enough youth, how about a fountain of SMART?   -
 --



 Putting SELinux into permissive mode would have been plenty.
 Setting the machine to disabled will only take place on the next reboot.

 If SELinux is blocking the web browser from sharing desktop you could
 turn off one of these booleans, which would probably fix your problem.

 unconfined_chrome_sandbox_transition -- on
 unconfined_mozilla_plugin_transition -- on
 setsebool -P unconfined_chrome_sandbox_transition 0
 setsebool -P unconfined_mozilla_plugin_transition 0

 You would need to restart the browser.

 I have rebooted many times after disabling SELinux, it was getting in
 the way of other issues and so for the time being I just want to get
 it out of the way. Thanks for the pointers though. Once I get things
 right I'll re-enable it and make sure to make the changes you recommend.

 Thanks
 Chris Kottaridis







If it causes you any problems, please open a bug report or reach out

Re: Two SELinux-related things

2014-04-25 Thread Daniel J Walsh

On 04/24/2014 04:56 PM, Mark Brader wrote:
 # semanage fcontext -a -e /home /u
 # restorecon -R -v /u

 Should fix you up.
 Bingo.  Thanks for your time.

 I did wonder if this was the cause of the problem, but (1) it didn't happen
 with the previous Linux configuration I had, and (2) I actually write
 remounting the filesystem as /home before I wrote to you.  But (I now
 realize) I left /u as a symlink to /home instead of changing my actual
 home directory, so that didn't cover it.


 This still leaves me with two questions.

 [1] What about the way the message from SELinux failed to name a
 directory?  That made it impossible for me to see what was actually
 going on.  It seems to me like a bug in the alert reporting.
http://danwalsh.livejournal.com/34903.html?thread=220247
 [2] How do I reach the fedora-devel people you mentioned, to ask them
 my other question?
Just send a question to the Community support for Fedora users list
(users@lists.fedoraproject.org) with information about what you are
trying to do, mention SELinux in the message or CC me, and I will
follow the discussion.


Re: fedup 19=>20 hangs: selinux

2014-04-10 Thread Daniel J Walsh
Strange; if selinux-policy-targeted is not installed, SELinux is disabled.
On 04/09/2014 08:31 PM, Sean Darcy wrote:
 On 04/09/2014 06:01 PM, Daniel J Walsh wrote:
 So this looks like selinux-policy-targeted got removed during the
 update?

 On 04/09/2014 04:21 PM, Sean Darcy wrote:
 On 04/08/2014 11:54 AM, Daniel J Walsh wrote:
 This usually means there is no /etc/selinux/targeted/policy/policy.*
 file.

 If you run semodule -B, does one get created?
 On 04/08/2014 10:59 AM, Sean Darcy wrote:
 Trying to upgrade F19 to F20 using fedup. On the upgrade reboot it
 hangs:

 
 Reached target Initrd Default Target
 systemd-journald[166]: Received SIGTERM
 systemd[1]: Failed to initialize SELinux context: no such file or
 directory


 selinux is set to permissive. F19 works fine.

 I suppose I could set selinux=0 , but then none of the contexts would
 be set. Correct?

 sean



   No. There's no such file:
 ls /etc/selinux/targeted
 contexts  modules  seusers.rpmnew  seusers.rpmsave

 But:

 semodule -B
 libsemanage.semanage_link_sandbox: Could not access sandbox base file
 /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
 semodule:  Failed!

 sean



 selinux-policy-targeted was never installed.

 There's a bugzilla entry on this:

 https://bugzilla.redhat.com/show_bug.cgi?id=1044484

 It seems fedup requires selinux-policy-targeted, even if the policy is
 permissive. And better yet, fedup doesn't check to see if it's installed.

 So the drill seems to be

 1. install selinux-policy-targeted

 2. reboot to change all the contexts

 3. retry fedup.

 It'll fail. I got about 600 dupes. And there's no log, so you won't
 find out what's wrong.

 fedup --clean

 And try again.

 Sigh.




Re: fedup 19=>20 hangs: selinux

2014-04-09 Thread Daniel J Walsh
So this looks like selinux-policy-targeted got removed during the update? 

On 04/09/2014 04:21 PM, Sean Darcy wrote:
 On 04/08/2014 11:54 AM, Daniel J Walsh wrote:
 This usually means there is no /etc/selinux/targeted/policy/policy.*
 file.

 If you run semodule -B, does one get created?
 On 04/08/2014 10:59 AM, Sean Darcy wrote:
 Trying to upgrade F19 to F20 using fedup. On the upgrade reboot it
 hangs:

 
 Reached target Initrd Default Target
 systemd-journald[166]: Received SIGTERM
 systemd[1]: Failed to initialize SELinux context: no such file or
 directory


 selinux is set to permissive. F19 works fine.

 I suppose I could set selinux=0 , but then none of the contexts would
 be set. Correct?

 sean



  No. There's no such file:
 ls /etc/selinux/targeted
 contexts  modules  seusers.rpmnew  seusers.rpmsave

 But:

 semodule -B
 libsemanage.semanage_link_sandbox: Could not access sandbox base file
 /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
 semodule:  Failed!

 sean




Re: fedup 19=>20 hangs: selinux

2014-04-08 Thread Daniel J Walsh
This usually means there is no /etc/selinux/targeted/policy/policy.* file.

If you run semodule -B, does one get created?
On 04/08/2014 10:59 AM, Sean Darcy wrote:
 Trying to upgrade F19 to F20 using fedup. On the upgrade reboot it hangs:

 
 Reached target Initrd Default Target
 systemd-journald[166]: Received SIGTERM
 systemd[1]: Failed to initialize SELinux context: no such file or
 directory


 selinux is set to permissive. F19 works fine.

 I suppose I could set selinux=0 , but then none of the contexts would
 be set. Correct?

 sean





Re: new SELinux error

2014-03-28 Thread Daniel J Walsh
ausearch -m avc,user_avc -i

Or just attach the full output of the sealert command. 

The AVC's are at the bottom.


Re: new SELinux error

2014-03-27 Thread Daniel J Walsh
What was the AVC that you got?
On 03/27/2014 04:58 PM, Paul Cartwright wrote:
 I am not sure what to do..

 I got this error message:
 # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
 where FILE_TYPE is one of the following: NetworkManager_log_t,
 NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t,
 abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t,
 abrt_var_run_t, acct_data_t, admin_crontab_tmp_t, admin_home_t,
 afs_logfile_t, aide_log_t, alsa_home_t, alsa_tmp_t, amanda_log_t,
 amanda_tmp_t, antivirus_home_t, antivirus_log_t, antivirus_tmp_t,
 apcupsd_log_t, apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t,
 asterisk_log_t, asterisk_tmp_t, audio_home_t, auditadm_sudo_tmp_t,
 auth_cache_t, auth_home_t, automount_tmp_t, awstats_tmp_t, bacula_log_t,
 bin_t, bitlbee_log_t, bitlbee_tmp_t, bluetooth_helper_tmp_t,
 bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t,
 bootloader_tmp_t, cache_home_t, calamaris_log_t, callweaver_log_t,
 canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t,
 cdcc_tmp_t, cert_t, certmaster_var_log_t, cfengine_log_t, cgred_log_t,
 cgroup_t, checkpc_log_t, chrome_sandbox_exec_t, chrome_sandbox_home_t,
 chrome_sandbox_nacl_exec_t, chrome_sandbox_tmp_t,
 chrome_sandbox_tmpfs_t, chronyd_var_log_t, cloud_init_tmp_t,
 cloud_log_t, cluster_tmp_t, cluster_var_log_t, cobbler_tmp_t,
 cobbler_var_log_t, colord_tmp_t, comsat_tmp_t, condor_log_t,
 condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t,
 config_home_t, conman_log_t, consolekit_log_t, couchdb_log_t,
 couchdb_tmp_t, cpu_online_t, crack_tmp_t, cron_log_t, crond_tmp_t,
 crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_log_t,
 cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_home_t, cvs_tmp_t, cyphesis_log_t,
 cyphesis_tmp_t, cyrus_tmp_t, data_home_t, dbadm_sudo_tmp_t,
 dbskkd_tmp_t, dbus_home_t, dcc_client_tmp_t, dcc_dbclean_tmp_t,
 dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t,
 deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t,
 devicekit_tmp_t, devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t,
 dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t,
 dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t,
 dlm_controld_var_log_t, dnsmasq_var_log_t, docker_log_t, docker_tmp_t,
 dosfs_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t,
 dovecot_var_log_t, dspam_log_t, etc_t, evtchnd_var_log_t, exim_log_t,
 exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, faillog_t, fenced_tmp_t,
 fenced_var_log_t, fetchmail_home_t, fetchmail_log_t, fingerd_log_t,
 firewalld_tmp_t, firewalld_var_log_t, firewallgui_tmp_t,
 foghorn_var_log_t, fonts_cache_t, fonts_t, fsadm_log_t, fsadm_tmp_t,
 fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, gconf_home_t,
 gconf_tmp_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t,
 git_user_content_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t,
 glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t,
 glusterd_tmp_t, gnome_home_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t,
 gpg_secret_t, gpm_tmp_t, groupd_var_log_t, gssd_tmp_t, gstreamer_home_t,
 haproxy_var_log_t, home_bin_t, home_cert_t, httpd_bugzilla_tmp_t,
 httpd_collectd_script_tmp_t, httpd_log_t, httpd_mojomojo_tmp_t,
 httpd_munin_script_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t,
 httpd_tmp_t, httpd_user_content_t, httpd_user_htaccess_t,
 httpd_user_ra_content_t, httpd_user_rw_content_t,
 httpd_user_script_exec_t, httpd_w3c_validator_tmp_t, hugetlbfs_t,
 icc_data_home_t, iceauth_home_t, icecast_log_t, inetd_child_tmp_t,
 inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t,
 innd_log_t, ipsec_log_t, ipsec_tmp_t, iptables_tmp_t, irc_home_t,
 irc_tmp_t, irssi_home_t, iscsi_log_t, iscsi_tmp_t, iwhd_log_t,
 jetty_log_t, jockey_var_log_t, kadmind_log_t, kadmind_tmp_t,
 kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_log_t, keystone_tmp_t,
 kismet_home_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t,
 krb5_home_t, krb5_host_rcache_t, krb5kdc_log_t, krb5kdc_tmp_t,
 ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t,
 ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t,
 local_login_home_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t,
 logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t,
 lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_home_rw_t, mail_home_t,
 mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_log_t,
 mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t,
 mandb_cache_t, mandb_home_t, mcelog_log_t, mock_tmp_t, mongod_log_t,
 mongod_tmp_t, motion_log_t, mount_tmp_t, mozilla_home_t,
 mozilla_plugin_tmp_t, mozilla_tmp_t, mpd_home_t, mpd_log_t, mpd_tmp_t,
 mpd_user_data_t, mplayer_home_t, mrtg_log_t, mscan_tmp_t, munin_log_t,
 munin_tmp_t, mysqld_home_t, mysqld_log_t, mysqld_tmp_t,
 mythtv_var_log_t, nagios_eventhandler_plugin_tmp_t, nagios_log_t,
 nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t,
 named_log_t, named_tmp_t, net_conf_t, 

Re: after upgrading fedora rawhide this morning, no graphical desktop

2014-03-14 Thread Daniel J Walsh
On 03/13/2014 02:58 PM, Robert P. J. Day wrote:
 On Thu, 13 Mar 2014, Kevin Martin wrote:
 
 On 03/13/2014 07:57 AM, Robert P. J. Day wrote:
 
 recently, i upgraded my ASUS G74S laptop to fedora rawhide and it was
 running nicely. then this morning, i did another yum update, which
 appeared to update well over 200 packages (including a slightly newer
 kernel), after which, when i booted, i had no graphical desktop 
 anymore, just the little blue and white fedora logo.
 
 i can still switch to VC2 and log in at the command line (where i am 
 now), so i can certainly check log files, but i don't see anything 
 immediately amiss.
 
 i rebooted both to the earlier rawhide kernel, and even back to the 
 latest fedora 20 official kernel -- same result, the fedora logo in the
 middle of the screen on VC1, but the ability to log in on another 
 virtual console.
 
 has anyone else run into this? i have an nvidia graphics card, and am
 running the nouveau driver. i'll keep poking around the log files, and
 if you have any suggestions, i'm all ears.
 
 rday
 
 Hmm, sounds similar to what I'm experiencing.  When you go into VC2 what
 does lsmod | grep nouveau show?  I've found that I've been having to
 manually modprobe nouveau modeset=1 since doing my update about 4 days
 ago.  I'm not sure why nouveau won't load and I find that if I don't set
 the modeset=1 when I do the manual modprobe that I still can't get X.
 
 h ... it's possible this is not related to rawhide at all, and is due
 to something silly i did earlier this morning. could the following be the
 cause?
 
 in order to install drupal 8.x on my fedora (rawhide) system, i had to
 disable selinux (setenforce 0). i *think* that while selinux was thus
 disabled, i may have done yum update, which would have of course updated
 those 200+ packages while my system was in permissive mode. once i saw i
 had a new kernel due to the update, i of course rebooted, which rebooted
 with selinux back in enforcing mode, and the problems started. simply
 putting selinux back into permissive mode fixed everything.
 
 i'm by no means an selinux expert -- is that how i caused my problem?
 
 rday
 
What AVC messages are you getting?

ausearch -m avc -ts today




Re: google-chrome not displaying text with selinux enforcing

2014-02-27 Thread Daniel J Walsh
On 02/27/2014 02:38 PM, Ed K. wrote:
 On Thu, 27 Feb 2014, Dale Dellutri wrote:
 
 On 02/27/14 05:50, Dale Dellutri wrote:
 I did this and set selinux back to enforcing.  google-chrome is now
 working as it should.
 
 Good to see it is OK now.  FWIW, I have a fully updated F20 system.
 I'm using KDE and google chrome and I am not seeing any problems when I
 visit your website.
 
 Yes, it's fixed now.  The original problem occurred because I added a
 directory of private fonts to /usr/share/fonts/, but I did not adjust
 the selinux context for that directory.  The ausearch suggested by Daniel
 Walsh discovered the problem.
 
 I really must learn more about the care and feeding of selinux if I'm
 going to use it.
 
 
 Dale, I've been having the same problem. But with $HOME/.fonts
 
 What chcon command did you use to permit chrome to read the fonts
 directory?
 
 ed
Should be allowed, restorecon -R -v ~/

Should fix any labels.


Re: google-chrome not displaying text with selinux enforcing

2014-02-26 Thread Daniel J Walsh
On 02/26/2014 02:00 PM, Dale Dellutri wrote:
 I've got a Fedora 20 XFCE desktop.  I installed google-chrome. It fails to
 display some text on many web sites if selinux is set to enforcing, but
 shows the text with selinux set to permissive.
 
 For example, with selinux set to enforcing, my web site: 
 http://www.DaleDellutri.com only shows the icon image in the upper left
 corner, an empty box, and the bluish outer color, but does not show any of
 the text on the page.  If I do # setenforce 0 and re-start google-chrome,
 then the page is displayed properly.
 
 Firefox shows the page properly no matter how selinux is set.
 
 With selinux enforcing, when I start google-chrome from the command line,
 it does not provide any error messages, and I don't see any error messages
 from selinux.
 
 Where are the selinux logs?  I've used # journalctl | grep -i selinux but
 there are no errors or warnings.
 
 What could cause this problem?
 
 Do you have any suggestions for debugging?
 
 -- Dale Dellutri
 
 
Are you seeing any AVCs?

ausearch -m avc -ts recent

You can turn off SELinux confinement of chrome sandbox, with

setsebool -P unconfined_chrome_sandbox_transition=0




Re: policycoreutils packaging bug?

2014-02-17 Thread Daniel J Walsh
On 02/17/2014 10:14 AM, Jon Ingason wrote:
 2014-02-17 15:56, Suvayu Ali wrote:
 install policycoreutils-sandbox
 I have two machines, both x86_64. One does have 
 policycoreutils-sandbox-2.2.5-3.fc20.x86_64 installed while the other
 doesn't.
 
 I get exactly the same result as you with yum when I try to install 
 policycoreutils-sandbox! So there is a bug in the.
 
 $ sudo yum install policycoreutils-sandbox Inlästa insticksmoduler:
 langpacks, refresh-packagekit Löser upp beroenden -- Kör
 transaktionskontroll --- Paket policycoreutils-sandbox.x86_64
 0:2.2.2-3.fc20 blir installerat -- Bearbetar beroende:
 policycoreutils-python = 2.2.2-3.fc20 för paket: 
 policycoreutils-sandbox-2.2.2-3.fc20.x86_64 ...
 
 -- Avslutade beroendeupplösning Fel: Paket:
 policycoreutils-sandbox-2.2.2-3.fc20.x86_64 (fedora) Behöver:
 policycoreutils-python = 2.2.2-3.fc20 Installerade:
 policycoreutils-python-2.2.5-3.fc20.x86_64 (@updates) 
 policycoreutils-python = 2.2.5-3.fc20 Tillgängliga:
 policycoreutils-python-2.2.2-2.fc20.x86_64 (updates) policycoreutils-python
 = 2.2.2-2.fc20 Tillgängliga: policycoreutils-python-2.2.2-3.fc20.x86_64
 (fedora) policycoreutils-python = 2.2.2-3.fc20 Du kan försöka använda
 --skip-broken för att gå runt problemet Du kan försöka köra: rpm -Va
 --nofiles --nodigest
 
 And $ yum info policycoreutils-sandbox Inlästa insticksmoduler: langpacks,
 refresh-packagekit Tillgängliga paket Namn:
 policycoreutils-sandbox Arkitektur  : x86_64 Version : 2.2.2 Utgåva
 : 3.fc20 Storlek : 163 k Förråd  : fedora/20/x86_64 Sammandrag  :
 SELinux sandbox utilities URL : http://www.selinuxproject.org 
 Licens  : GPLv2 Beskrivning : The policycoreutils-sandbox package
 contains the scripts to create : graphical sandboxes
 
 
Could you try to update policycoreutils first?

yum -y update policycoreutils



Re: logwatch error messages

2014-01-23 Thread Daniel J Walsh
On 01/22/2014 11:07 PM, Robert Moskowitz wrote:
 I am seeing the following errors via journalctl |grep logwatch:
 
 Jan 22 03:37:14 lx120e.htt-consult.com setroubleshoot[11102]: dbus 
 avc(node=lx120e.htt-consult.com type=AVC msg=audit(1390390627.456:1007):
 avc: denied  { execute } for pid=11100 comm=logwatch name=procmail
 dev=sda3 ino=1187050
 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:procmail_exec_t:s0 tclass=file 
 node=lx120e.htt-consult.com type=SYSCALL msg=audit(1390390627.456:1007): 
 arch=c03e syscall=59 success=no exit=-13 a0=d13ad0 a1=d13a50 a2=d137c0
 a3=8 items=0 ppid=11013 pid=11100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
 egid=0 sgid=0 fsgid=0 ses=16 tty=(none) comm=logwatch
 exe=/usr/bin/perl subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023
 key=(null) Jan 22 03:37:14 lx120e.htt-consult.com setroubleshoot[11102]: 
 AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com
 type=AVC msg=audit(1390390627.456:1007): avc:  denied  { execute } for
 pid=11100 comm=logwatch name=procmail dev=sda3 ino=1187050 
 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:procmail_exec_t:s0 tclass=file Jan 22 03:37:14
 lx120e.htt-consult.com setroubleshoot[11102]: 
 AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com 
 type=SYSCALL msg=audit(1390390627.456:1007): arch=c03e syscall=59
 success=no exit=-13 a0=d13ad0 a1=d13a50 a2=d137c0 a3=8 items=0 ppid=11013
 pid=11100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
 ses=16 tty=(none) comm=logwatch exe=/usr/bin/perl 
 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) Jan 22 03:37:14
 lx120e.htt-consult.com setroubleshoot[11102]: analyze_avc() 
 avc=scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:procmail_exec_t:s0 access=['execute']
 tclass=file tpath=procmail
 
 
 I had performed the following selinux policy:
 
 On 01/06/2014 08:14 AM, Daniel J Walsh wrote:
 
 Create a file mylogwatch.te with the following content.
 
 policy_module(mylogwatch, 1.0) gen_require(` type logwatch_mail_t; ')
 
 mta_filetrans_admin_home_content(logwatch_mail_t)
 
 Now execute this command to compile the policy and load it into the
 kernel
 
 # make -f /usr/share/selinux/devel/Makefile # semodule -i mylogwatch.pp
 
 Now you should be allowed to run logwatch_mail_t in enforcing mode.
 
 
 What do these messages mean?
 
 
They mean that logwatch is not allowed to execute the procmail program.

You could add policy for it.

procmail_domtrans(logwatch_t)





Re: logwatch error messages

2014-01-23 Thread Daniel J Walsh
On 01/23/2014 01:54 PM, Robert Moskowitz wrote:
 
 On 01/23/2014 08:38 AM, Daniel J Walsh wrote:
 
 On 01/22/2014 11:07 PM, Robert Moskowitz wrote:
 I am seeing the following errors via journalctl |grep logwatch:
 
 I had performed the following selinux policy:
 
 On 01/06/2014 08:14 AM, Daniel J Walsh wrote:
 Create a file mylogwatch.te with the following content.
 
 policy_module(mylogwatch, 1.0) gen_require(` type logwatch_mail_t;
 ')
 
 mta_filetrans_admin_home_content(logwatch_mail_t)
 
 Now execute this command to compile the policy and load it into the 
 kernel
 
 # make -f /usr/share/selinux/devel/Makefile # semodule -i
 mylogwatch.pp
 
 Now you should be allowed to run logwatch_mail_t in enforcing mode.
 
 What do these messages mean?
 
 
 They mean that logwatch is not allowed to execute the procmail program.
 
 You could add policy for it.
 
 Obvious.  hindsight is just great!
 
 procmail_domtrans(logwatch_t)
 
 I am looking at what you gave me before:
 
 #cat mylogwatch.te policy_module(mylogwatch, 1.0) gen_require(` type
 logwatch_mail_t; ')
 
 mta_filetrans_admin_home_content(logwatch_mail_t)
 
 
 
 Would mylogwprocmail.te contain:
 
 policy_module(mylogwprocmail, 1.0) gen_require(` type logwatch_t; ')
 
 procmail_domtrans(logwatch_t)
 
 
 
 ???
 
 
Yes basically.


Re: update partially fails

2014-01-20 Thread Daniel J Walsh
On 01/18/2014 12:15 PM, antonio montagnani wrote:
 Patrick Dupre said the following on 18/01/2014 17:59:
 Hello,
 
 The last update did not go very well. I got: Failed: bind.i686
 32:9.9.4-8.fc20 bind.i686 32:9.9.4-11.P2.fc20 firefox.i686 0:26.0-3.fc20 
 firewalld.noarch 0:0.3.9-1.fc20 initscripts.i686 0:9.50-1.fc20 
 initscripts.i686 0:9.51-1.fc20 nfs-utils.i686 1:1.2.8-6.0.fc20 
 nfs-utils.i686 1:1.2.9-2.1.fc20 selinux-policy-targeted.noarch
 0:3.12.1-116.fc20 selinux-policy-targeted.noarch 0:3.12.1-117.fc20 
 tcpdump.i686 14:4.5.0-1.20131108gitb07944a.fc20 tcpdump.i686
 14:4.5.1-1.fc20 yum.noarch 0:3.4.3-129.fc20
 
 
 then rpm -q yum yum-3.4.3-129.fc20.noarch yum-3.4.3-130.fc20.noarch
 
 yum remove yum-3.4.3-129.fc20.noarch Loaded plugins: langpacks,
 refresh-packagekit Resolving Dependencies -- Running transaction check 
 --- Package yum.noarch 0:3.4.3-129.fc20 will be erased -- Finished
 Dependency Resolution
 
 Dependencies Resolved
 
 

 
Package  ArchVersion   Repository Size
 

 
Removing:
 yum  noarch  3.4.3-129.fc20@updates
 5.4 M
 
 Transaction Summary 
 

 
Remove  1 Package
 
 Installed size: 5.4 M Is this ok [y/N]: y Downloading packages: Running
 transaction check Running transaction test Transaction test succeeded 
 Running transaction error: %preun(yum-3.4.3-129.fc20.noarch) scriptlet
 failed, exit status 127 Error in PREUN scriptlet in rpm package
 yum-3.4.3-129.fc20.noarch Verifying  : yum-3.4.3-129.fc20.noarch
 1/1
 
 Failed: yum.noarch 0:3.4.3-129.fc20
 
 Complete!
 
 ===

 
Patrick DUPRÉ | | email: pdu...@gmx.com
 Laboratoire de Physico-Chimie de l'Atmosphère | | Université du
 Littoral-Côte d'Opale   | | Tel.  (33)-(0)3 28 23 76 12
 | | Fax: 03 28 65 82 44 189A, avenue Maurice Schumann | |
 59140 Dunkerque, France 
 ===


 
 it is a common bug since yesterday. Please check in the mail archive about
 failed scripts.
 
 Anyway the easiest way is to set Selinux to permissive, perform update and
 back to enforcing.
 
 Hope it can help
 

There is a big bug in selinux-policy.

You need to install selinux-policy-targeted.noarch 0:3.12.1-117.fc20 in
permissive mode if you ended up with 116 installed

Since you have 117 installed, you can just do

# semodule -B

Which should update the selinux-policy and fix your problem.


Re: Trying to use mailx for logwatch

2014-01-07 Thread Daniel J Walsh
On 01/07/2014 11:44 AM, Robert Moskowitz wrote:
 getting closer.  I am running a new install.  So a fresh start on this...
 
 On 01/06/2014 11:14 AM, Daniel J Walsh wrote:
 
 On 01/03/2014 12:25 PM, Robert Moskowitz wrote:
 On 01/03/2014 12:03 PM, Daniel J Walsh wrote:
 
 On 01/03/2014 11:34 AM, Robert Moskowitz wrote:
 On 01/03/2014 11:21 AM, Daniel J Walsh wrote:
 
 On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
 And the mail is failing.  Here is what I have done:
 
 I determined that in: 
 /usr/share/logwatch/default.conf/logwatch.conf mailer = 
 /usr/sbin/sendmail -t
 
 so in: /etc/logwatch/conf/logwatch.conf mailer =
 /usr/bin/mailx -t
 
 In /etc/aliases I have:
 
 # Person who should get root's mail root:rgm
 
 and I ran newaliases
 
 'journalctl |grep -i logwatch' shows the following (along with 
 other lines):
 
 Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: 
 (/etc/cron.daily) starting 0logwatch Jan 02 03:32:12 
 lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily) 
 finished 0logwatch Jan 02 03:32:16 lx120e.htt-consult.com 
 setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com 
 type=AVC msg=audit(1388651532.024:734): avc: denied  { write }
 for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 
 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
 node=lx120e.htt-consult.com type=SYSCALL 
 msg=audit(1388651532.024:734): arch=4003 syscall=5
 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c
 items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0
 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx
 exe=/usr/bin/mailx 
 subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
 key=(null) Jan 02 03:32:16 lx120e.htt-consult.com
 setroubleshoot[16427]: 
 AuditRecordReceiver.add_record_to_cache(): 
 node=lx120e.htt-consult.com type=AVC
 msg=audit(1388651532.24:734): avc:  denied  { write } for
 pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 
 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir Jan 02 
 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: 
 AuditRecordReceiver.add_record_to_cache(): 
 node=lx120e.htt-consult.com type=SYSCALL 
 msg=audit(1388651532.24:734): arch=4003 syscall=5
 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c
 items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0
 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx
 exe=/usr/bin/mailx 
 subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
 key=(null) Jan 02 03:32:16 lx120e.htt-consult.com
 setroubleshoot[16427]: analyze_avc() 
 avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:admin_home_t:s0 access=['write'] 
 tclass=dir tpath=/root
 
 oh, here are the mail files:
 
 # ls -ls /var/spool/mail/ total 8 0 -rw-rw. 1 rgm  mail
 0 Jan 2 16:47 rgm 8 -rw---. 1 root mail 5886 Dec 31 12:27
 root 0 -rw-rw. 1 rpc  mail0 Dec 25 13:27 rpc
 
 The content in root mail is from when I had postfix installed.
 I have since deleted it to work on getting mailx to work
 instead.
 
 =
 
 
 perhaps /var/spool/mail/root needs 660 permissions?
 
 
 Do you know what mailx is trying to write into the /root
 directory?
 The output of logwatch.  I edited /etc/logwatch/conf/logwatch.conf
 
 with the line:
 
 mailer = /usr/bin/mailx -t
 
 To override /usr/share/logwatch/default.conf/logwatch.conf
 
 mailer = /usr/sbin/sendmail -t
 
 
 Ok I just added a patch to git to allow logwatch_mail_t to write to
 the /root directory certain files.
 
 sesearch -T -s logwatch_mail_t | grep mail_home_rw_t type_transition 
 logwatch_mail_t admin_home_t : dir mail_home_rw_t .maildir; 
 type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t 
 .maildir; type_transition logwatch_mail_t admin_home_t : file 
 mail_home_rw_t .esmtp_queue; type_transition logwatch_mail_t 
 admin_home_t : dir mail_home_rw_t Maildir; type_transition 
 logwatch_mail_t user_home_dir_t : file mail_home_rw_t
 .esmtp_queue; type_transition logwatch_mail_t user_home_dir_t : dir
 mail_home_rw_t Maildir;
 
 You could do something similar by adding:
 
 policy_module(mylogwatch, 1.0) gen_require(` type logwatch_mail_t;
 ')
 
 mta_filetrans_admin_home_content(logwatch_mail_t)
 Dan, you are way beyond me here.  I need pretty clear cookbooks.
 Changing a line in a .conf is one thing, what are you telling me to do
 here?  Just cut and paste from policy... to mta... into a rooted
 terminal session?
 
 
 
 Create a file mylogwatch.te with the following content.
 
 policy_module(mylogwatch, 1.0) gen_require(` type logwatch_mail_t; ')
 
 mta_filetrans_admin_home_content(logwatch_mail_t)
 
 Now execute this command

Re: GCL get killed everytime I try to execute it

2014-01-06 Thread Daniel J Walsh
On 01/05/2014 09:21 PM, Rex Dieter wrote:
 Isaac Cortés González wrote:
 
 Ok here's my problem: I'm trying to learn (Common) Lisp, so I installed 
 GCL, to compile or run the scripts that I'm making for practice; but I'm 
 having problems to run GCL itself, each time I try to run it it get
 killed and I get an alert of SELinux, I try to solved by one of the
 solutions that it suggests; but it can't find a command named
 checkmodule.
 
 So if anyone knows how to solve any of the two issues, please let me
 know it.
 
 Is gcl-selinux installed? If not, does installing it help?
 
 -- rex
 
What AVC are you getting?


Re: Trying to use mailx for logwatch

2014-01-06 Thread Daniel J Walsh
On 01/03/2014 12:25 PM, Robert Moskowitz wrote:
 
 On 01/03/2014 12:03 PM, Daniel J Walsh wrote:
 
 On 01/03/2014 11:34 AM, Robert Moskowitz wrote:
 On 01/03/2014 11:21 AM, Daniel J Walsh wrote:
 
 On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
 And the mail is failing.  Here is what I have done:
 
 I determined that in:
 /usr/share/logwatch/default.conf/logwatch.conf mailer =
 /usr/sbin/sendmail -t
 
 so in: /etc/logwatch/conf/logwatch.conf mailer = /usr/bin/mailx
 -t
 
 In /etc/aliases I have:
 
 # Person who should get root's mail root:rgm
 
 and I ran newaliases
 
 'journalctl |grep -i logwatch' shows the following (along with
 other lines):
 
 Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: 
 (/etc/cron.daily) starting 0logwatch Jan 02 03:32:12 
 lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily)
 finished 0logwatch Jan 02 03:32:16 lx120e.htt-consult.com
 setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com
 type=AVC msg=audit(1388651532.024:734): avc: denied  { write } for
 pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 
 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
 node=lx120e.htt-consult.com type=SYSCALL 
 msg=audit(1388651532.024:734): arch=4003 syscall=5 success=no 
 exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1
 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx 
 subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
 Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: 
 AuditRecordReceiver.add_record_to_cache():
 node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734):
 avc:  denied  { write } for pid=16425 comm=mailx name=root
 dev=dm-0 ino=1308161 
 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir Jan 02
 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: 
 AuditRecordReceiver.add_record_to_cache():
 node=lx120e.htt-consult.com type=SYSCALL
 msg=audit(1388651532.24:734): arch=4003 syscall=5 success=no
 exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1
 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx 
 subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
 Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: 
 analyze_avc() 
 avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:admin_home_t:s0 access=['write']
 tclass=dir tpath=/root
 
 oh, here are the mail files:
 
 # ls -ls /var/spool/mail/ total 8 0 -rw-rw. 1 rgm  mail0
 Jan 2 16:47 rgm 8 -rw---. 1 root mail 5886 Dec 31 12:27 root 0 
 -rw-rw. 1 rpc  mail0 Dec 25 13:27 rpc
 
 The content in root mail is from when I had postfix installed.  I
 have since deleted it to work on getting mailx to work instead.
 
 =
 
 
 perhaps /var/spool/mail/root needs 660 permissions?
 
 
 Do you know what mailx is trying to write into the /root directory?
 The output of logwatch.  I edited /etc/logwatch/conf/logwatch.conf
 
 with the line:
 
 mailer = /usr/bin/mailx -t
 
 To override /usr/share/logwatch/default.conf/logwatch.conf
 
 mailer = /usr/sbin/sendmail -t
 
 
 Ok I just added a patch to git to allow logwatch_mail_t to write certain
 files to the /root directory.
 
 sesearch -T -s logwatch_mail_t | grep mail_home_rw_t
 type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t .maildir;
 type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t .maildir;
 type_transition logwatch_mail_t admin_home_t : file mail_home_rw_t .esmtp_queue;
 type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t Maildir;
 type_transition logwatch_mail_t user_home_dir_t : file mail_home_rw_t .esmtp_queue;
 type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t Maildir;
 
 You could do something similar by adding:
 
 policy_module(mylogwatch, 1.0)
 gen_require(`
 type logwatch_mail_t;
 ')
 
 mta_filetrans_admin_home_content(logwatch_mail_t)
 
 Dan, you are way beyond me here.  I need pretty clear cookbooks. Changing a
 line in a .conf is one thing, what are you telling me to do here?  Just cut
 and paste from policy... to mta... into a rooted terminal session?
 
 


Create a file mylogwatch.te with the following content.

policy_module(mylogwatch, 1.0)
gen_require(`
type logwatch_mail_t;
')

mta_filetrans_admin_home_content(logwatch_mail_t)

Now execute these commands to compile the policy and load it into the kernel:

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mylogwatch.pp

Now you should be allowed to run logwatch_mail_t in enforcing mode.
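The procedure above, as an added example that is not part of the thread and not Dan's or the Fedora project's code: a small Python script that pulls AVC records out of audit.log or journal text (both forms quoted in this thread are handled; the sample input is constructed from those quotes), collapses repeats into one line per source type, target type, object class and permission set, and emits the mylogwatch.te text. It goes beyond the single denial here in that it parses any AVC. The naive_allow_rule function exists only to contrast the blunt allow rule with the interface Dan used, and the guard in filetrans_module is my assumption that this interface should only be emitted for a dir denial on admin_home_t.

```python
"""Turn SELinux AVC denials into a policy module.

Added example, not code from the thread. The sample records are constructed
from the denial quoted in the thread; the .te text mirrors the module posted.
"""
import re
from dataclasses import dataclass

# Constructed sample input, two forms of the same event: the raw
# /var/log/audit/audit.log pair (AVC + SYSCALL, values quoted) and the
# setroubleshoot journal line from the thread, which carries them unquoted.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1388651532.024:734): avc:  denied  { write } for  pid=16425 comm="mailx" name="root" dev="dm-0" ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1388651532.024:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm="mailx" exe="/usr/bin/mailx" subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734): avc:  denied  { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\(([^)]*)\)")


def type_of(context):
    """system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 -> logwatch_mail_t"""
    return context.split(":")[2]


@dataclass(frozen=True)
class Avc:
    event: str       # <time>:<serial>, ties the AVC to its SYSCALL record
    result: str      # denied | granted
    perms: tuple     # the permissions listed inside { }
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    name: str

    @property
    def stype(self):
        return type_of(self.scontext)

    @property
    def ttype(self):
        return type_of(self.tcontext)


def parse_avcs(text):
    """Extract AVC records from audit.log or journal text; other record types are skipped."""
    avcs = []
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        ev = EVENT_RE.search(line)
        avcs.append(Avc(
            event=ev.group(1) if ev else "",
            result=m.group("result"),
            perms=tuple(m.group("perms").split()),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            comm=fields.get("comm", ""),
            name=fields.get("name", ""),
        ))
    return avcs


def summarize(avcs):
    """Collapse repeats: count denials per (source type, target type, class, perms)."""
    counts = {}
    for a in avcs:
        key = (a.stype, a.ttype, a.tclass, a.perms)
        counts[key] = counts.get(key, 0) + 1
    return counts


def naive_allow_rule(avc):
    """The blunt fix a generic allow rule gives: write to every admin_home_t
    directory, and anything created there keeps the admin_home_t label."""
    return f"allow {avc.stype} {avc.ttype}:{avc.tclass} {{ {' '.join(avc.perms)} }};"


def filetrans_module(avc, name="mylogwatch", version="1.0"):
    """The module from the thread. The MTA interface grants the directory write
    and adds the type_transition rules sesearch showed, so .esmtp_queue, Maildir
    and .maildir created under /root come out labelled mail_home_rw_t."""
    # Assumption: only emit this interface for the denial it actually fits.
    if avc.ttype != "admin_home_t" or avc.tclass != "dir":
        raise ValueError("interface only covers mail content in the admin home dir")
    return (
        f"policy_module({name}, {version})\n"
        "gen_require(`\n"
        f"\ttype {avc.stype};\n"
        "')\n"
        "\n"
        f"mta_filetrans_admin_home_content({avc.stype})\n"
    )


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AUDIT_LOG)
    for key, n in summarize(found).items():
        print(n, "x", key)
    print(naive_allow_rule(found[0]))
    print(filetrans_module(found[0]), end="")
```

Write the returned module text to mylogwatch.te and build and load it with the make and semodule commands above; the type_transition rules can then be confirmed with the sesearch -T command from earlier in the thread. Anything other than an admin_home_t:dir denial raises, because a different denial needs a different interface, or a decision on whether the access should be allowed at all rather than a rule copied from the AVC.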
Re: Trying to use mailx for logwatch

2014-01-03 Thread Daniel J Walsh

On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
 And the mail is failing.  Here is what I have done:
 
 I determined that in: /usr/share/logwatch/default.conf/logwatch.conf
 
 mailer = /usr/sbin/sendmail -t
 
 so in: /etc/logwatch/conf/logwatch.conf
 
 mailer = /usr/bin/mailx -t
 
 In /etc/aliases I have:
 
 # Person who should get root's mail
 root:rgm
 
 and I ran newaliases
 
 'journalctl |grep -i logwatch' shows the following (along with other
 lines):
 
 Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: (/etc/cron.daily) starting 0logwatch
 Jan 02 03:32:12 lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily) finished 0logwatch
 Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.024:734): avc: denied  { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
 node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.024:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
 Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734): avc:  denied  { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
 Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.24:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
 Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: analyze_avc() avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 access=['write'] tclass=dir tpath=/root
 
 oh, here are the mail files:
 
 # ls -ls /var/spool/mail/
 total 8
 0 -rw-rw----. 1 rgm  mail    0 Jan  2 16:47 rgm
 8 -rw-------. 1 root mail 5886 Dec 31 12:27 root
 0 -rw-rw----. 1 rpc  mail    0 Dec 25 13:27 rpc
 
 The content in root mail is from when I had postfix installed.  I have
 since deleted it to work on getting mailx to work instead.
 
 =
 
 
 perhaps /var/spool/mail/root needs 660 permissions?
 
 
Do you know what mailx is trying to write into the /root directory?
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Trying to use mailx for logwatch

2014-01-03 Thread Daniel J Walsh

On 01/03/2014 11:34 AM, Robert Moskowitz wrote:
 
 On 01/03/2014 11:21 AM, Daniel J Walsh wrote:
 
 On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
 And the mail is failing.  Here is what I have done:
 
 I determined that in: /usr/share/logwatch/default.conf/logwatch.conf
 
 mailer = /usr/sbin/sendmail -t
 
 so in: /etc/logwatch/conf/logwatch.conf
 
 mailer = /usr/bin/mailx -t
 
 In /etc/aliases I have:
 
 # Person who should get root's mail
 root:rgm
 
 and I ran newaliases
 
 'journalctl |grep -i logwatch' shows the following (along with other 
 lines):
 
 Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: (/etc/cron.daily) starting 0logwatch
 Jan 02 03:32:12 lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily) finished 0logwatch
 Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.024:734): avc: denied  { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
 node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.024:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
 Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734): avc:  denied  { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
 Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.24:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
 Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: analyze_avc() avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 access=['write'] tclass=dir tpath=/root
 
 oh, here are the mail files:
 
 # ls -ls /var/spool/mail/
 total 8
 0 -rw-rw----. 1 rgm  mail    0 Jan  2 16:47 rgm
 8 -rw-------. 1 root mail 5886 Dec 31 12:27 root
 0 -rw-rw----. 1 rpc  mail    0 Dec 25 13:27 rpc
 
 The content in root mail is from when I had postfix installed.  I have 
 since deleted it to work on getting mailx to work instead.
 
 =
 
 
 perhaps /var/spool/mail/root needs 660 permissions?
 
 
 Do you know what mailx is trying to write into the /root directory?
 
 The output of logwatch.  I edited /etc/logwatch/conf/logwatch.conf
 
 with the line:
 
 mailer = /usr/bin/mailx -t
 
 To override /usr/share/logwatch/default.conf/logwatch.conf
 
 mailer = /usr/sbin/sendmail -t
 
 
Ok I just added a patch to git to allow logwatch_mail_t to write certain
files to the /root directory.

sesearch -T -s logwatch_mail_t | grep mail_home_rw_t
type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t .maildir;
type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t .maildir;
type_transition logwatch_mail_t admin_home_t : file mail_home_rw_t .esmtp_queue;
type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t Maildir;
type_transition logwatch_mail_t user_home_dir_t : file mail_home_rw_t .esmtp_queue;
type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t Maildir;

You could do something similar by adding:

policy_module(mylogwatch, 1.0)
gen_require(`
type logwatch_mail_t;
')

mta_filetrans_admin_home_content(logwatch_mail_t)


Re: failed to ..

2014-01-02 Thread Daniel J Walsh

On 12/31/2013 12:20 PM, Chris Murphy wrote:
 
 On Dec 31, 2013, at 8:57 AM, Daniel J Walsh dwa...@redhat.com wrote:
 
 There was a bug in libselinux, now fixed, that was causing the problem.
 
 Right, but I thought that the bug caused the setting in /etc/selinux/config
 being ignored, while selinux=0 and enforcing=0 still worked?
 
 Chris Murphy
 
Just back from break, and I believe that is the case.   I am just beginning to
dig into the problem.

selinux=0 should cause the kernel to not load SELinux LSM, which should keep
selinux disabled.  I guess the libselinux could still lie to the init and
cause it to attempt a relabel.

Adam Williamson has put out a fixed libselinux-2.2.1-6.fc20, which should fix
the problem.


Re: fedup and selinux

2014-01-02 Thread Daniel J Walsh

I blogged on SELinux blocking stuff in permissive mode.

http://danwalsh.livejournal.com/67855.html

I think fedup putting the machine into permissive mode during the update is
the sane thing to do, and since it should be doing this without services
running, it should be relatively safe.


Re: Why did SELinux relable my filesystem?

2014-01-02 Thread Daniel J Walsh

On 12/25/2013 06:25 AM, Steven P. Ulrick wrote:
 Hello, Everyone
 
 During my most recent reboot, SELinux relabeled my entire filesystem.
 Which would be fine, except for the fact that I have SELinux disabled on
 my system:
 
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 #     enforcing - SELinux security policy is enforced.
 #     permissive - SELinux prints warnings instead of enforcing.
 #     disabled - No SELinux policy is loaded.
 SELINUX=disabled
 # SELINUXTYPE= can take one of these two values:
 #     targeted - Targeted processes are protected,
 #     minimum - Modification of targeted policy. Only selected processes are protected.
 #     mls - Multi Level Security protection.
 SELINUXTYPE=targeted
 
 Why did SELinux, which is disabled on my system, spend all that time
 re-labeling my filesystem?
 
 Steven P. Ulrick
 
There was a bug in a libselinux update that caused this problem; it should now
be fixed in libselinux-2.2.1-6.fc20.



Re: Different actions on different passwords?

2014-01-02 Thread Daniel J Walsh

On 12/30/2013 08:09 PM, Robert Moskowitz wrote:
 
 On 12/30/2013 08:03 PM, Bill Oliver wrote:
 On Tue, 31 Dec 2013, Patrick O'Callaghan wrote:
 
 
 On Mon, Dec 30, 2013 at 11:25 PM, Bill Oliver ven...@billoblog.com
 wrote:
 
 In linux, is it possible to dictate two different actions upon login 
 with different passwords?
 
 
 
 Short answer: no.
 
 Longer answer: in computing almost anything is possible if you really
 want to achieve it. Given that on Unix-style systems, including Linux,
 the login program can be changed, you can modify the source to do what
 you want. Of course you'll need to have superuser privileges to install
 it in place of the system standard. Note that doing this may well open
 a can of worms, e.g. you might have to modify the format of the
 password file (and hence the library routines that access it), possibly
 fiddle with SElinux settings, etc. etc.
 
 If the conditions are relaxed slightly you can get a partial solution
 using the standard login: write a Shell startup script (.profile or
 whatever) that allows the user to discriminate between the two modes,
 e.g. by using a timeout, detecting the initial state of the Shift (or 
 Control or whatever) key etc., in a way that is hopefully non-obvious
 to an observer. Probably not reliable enough for serious use.
 
 Conclusion: better look for some other way to cover your tracks, and
 note that a forensic investigation can be carried out without having
 you log in at all.
 
 poc
 
 
 
You could set up a PAM module that would work with the login shell to do
different things based on the password.



Re: selinux=0

2013-12-31 Thread Daniel J Walsh

On 12/29/2013 10:31 AM, Patrick Dupre wrote:
 
 Thank, It works.
 
 
 On Sun, 29 Dec 2013 14:40:26 +0100, Patrick Dupre wrote:
 
 Hello,
 
 After cloning a distribution fedora 19, I have to set selinux=0 to be
 able to boot. How can I avoid this option? I tried:
 
 fixfiles relabel
 system-config-selinux
 
 But I never get a relabelling!
 
 What should I do?
 
 Have you tried booting with enforcing=0 instead of selinux=0 yet? If
 you disable SELinux completely, you cannot hope that anything will work
 related to file labelling.
 
 
 
What AVCs are you seeing when booting in permissive mode?  When you say
SELinux would not work, does that mean it would not boot to the login prompt?
You could not log in after booting?


Re: failed to ..

2013-12-31 Thread Daniel J Walsh

On 12/30/2013 11:11 AM, Chris Murphy wrote:
 
 On Dec 29, 2013, at 11:37 PM, Ralf Corsepius rc040...@freenet.de wrote:
 
 On 12/30/2013 07:01 AM, Chris Murphy wrote:
 
 On Dec 28, 2013, at 8:15 PM, Patrick Dupre pdu...@gmx.com wrote:
 
 Hello,
 
 I tried to set relabel by using system-config-selinux, but nothing
 happens I have to keep selinux=0 to be able to boot!
 
 Try autorelabel=1, and in the future if you have selinux problems you
 don't want to troubeleshoot use enforcing=0. Disabling selinux is a
 hammer and eventually causes more problems.
 With all due respect, disabling SELinux *must not cause problems*.
 
 The instant you disable SELinux, labeling is no longer being done at all,
 so any software updates while disabled lack labeling. Upon intentional or
 inadvertent re-enabling of SELinux, there will be problems due to that.
 This is why disabling isn't a good idea, and isn't necessary. Use
 enforcing=0 instead.
 
 
 If it does, somebody is critically broken and needs to be fixed, ASAP.
 
 Feel free to rebuild your kernel ASAP, and actually disable SELinux at the
 source.
 
 
 Chris Murphy
 
There was a bug in libselinux, now fixed, that was causing the problem.


Re: sharing /boot among multible Linux distros

2013-12-10 Thread Daniel J Walsh

On 12/09/2013 11:17 AM, D. Hugh Redelmeier wrote:
 | From: Daniel J Walsh dwa...@redhat.com
 
 | On 12/08/2013 01:11 AM, D. Hugh Redelmeier wrote:
 
 |  https://bugzilla.redhat.com/show_bug.cgi?id=882568
 |  Fedora could not mount the Ubuntu partition for examination because
 |  it wasn't SELinux labelled. Of course requiring a Ubuntu partition to
 |  be labelled for Fedora isn't reasonable.
 
 | Do you have the SELinux AVC messages that were blocking this?
 
 I don't have anything left but the bug report.
 
 I did include the output of ausearch -m avc -ts recent in that report.
 
Ok I missed the bug report.  Anyways it appears it has been fixed since F18.


Re: [GW-C] Re: sharing /boot among multible Linux distros

2013-12-09 Thread Daniel J Walsh

On 12/08/2013 01:11 AM, D. Hugh Redelmeier wrote:
 | From: Joe Zeff j...@zeff.us
 
 | On 11/26/2013 02:00 PM, Javier Perez wrote:
 |  For some reason, Ubuntu does not find out Fedora unless I mount the
 |  disk each time I update ubuntu kernel.
 |
 | How do you expect Ubuntu to find a kernel on an unmounted partition?
 
 It is supposed to find it.  There is a bug in Ubuntu 12.04:
 
 https://bugs.launchpad.net/ubuntu/+source/os-prober/+bug/1038093
 
 This was reported more than a year ago.
 
 That bugs.Launchpad notes an upstream fix a year ago, so the bug was marked
 as Fix Released almost a year ago.
 
 But no update to 12.04 has been issued.
 
 This is an example of why I am less comfortable with Ubuntu.
 
 
 I had similar problems with Fedora that were resolved more quickly:
 
 https://bugzilla.redhat.com/show_bug.cgi?id=882568 Fedora could not mount
 the Ubuntu partition for examination because it wasn't SELinux labelled.
 Of course requiring a Ubuntu partition to be labelled for Fedora isn't
 reasonable.
 
Do you have the SELinux AVC messages that were blocking this?
 https://bugzilla.redhat.com/show_bug.cgi?id=995777 Not a Fedora bug.
 Fedora could not mount the Ubuntu partition because Ubuntu didn't cleanly
 unmount it.  An fsck was required.
 



Re: rsync errors (selinux?)

2013-11-25 Thread Daniel J Walsh

On 11/25/2013 07:51 AM, poma wrote:
 On 24.11.2013 19:03, Wolfgang S. Rupprecht wrote:
 
 For several years I've been doing an rsync across-the-lan backup for home
 directories.  All has worked well until recently (well, since the fedup
 to f20 last night).  Now backups are failing with an inscrutable rsync
 error.  While the errors mention selinux, I don't see any errors in
 either the sending or receiving machines /var/log/secure logfiles.
 ..
 Any ideas what's up and what I need to do to get this working again?
 
 You should know better after all these years of use. F20 ain't an official,
 so https://admin.fedoraproject.org/mailman/listinfo/test
 
 
 poma
 
 
Look in /var/log/audit/audit.log

ausearch -m avc -ts recent

After failure.


Re: rsync errors (selinux?)

2013-11-25 Thread Daniel J Walsh

On 11/25/2013 02:54 PM, Wolfgang S. Rupprecht wrote:
 
 Daniel J Walsh dwa...@redhat.com writes:
 ausearch -m avc -ts recent
 
 local host (source of rsync):
 
 [root@arbol audit]# ausearch -m avc -ts recent
 no matches
 [root@arbol audit]#
 
 remote host (destination or rsync):
 
 [root@capsicum audit]# ausearch -m avc -ts recent
 no matches
 [root@capsicum audit]#
 
 also a tail -f on /var/log/audit/audit.log on both machines while the 
 errors were spewing on the screen showed no corresponding errors (or other
 output for that matter) in audit.log.
 
 -wolfgang
 
Do you have the audit daemon running?

service auditd status

If you run setenforce 0, do the errors stop?


Re: F17 boot with lvm does not create all the device nodes

2013-11-18 Thread Daniel J Walsh

On 11/18/2013 05:50 AM, Deron Meranda wrote:
 Continuing the exploration of my problem...
 
 Quick problem summary:  I could not boot past emergency mode because it
 could not mount /var; which is a separate filesystem than /.  My /var
 filesystem is a LUKS-encrypted logical volume, which happens to be on
 /dev/dm-11.  Although the logical volume itself was present and active
 (shows up in lvdisplay); the lvm device file was never getting created for
 it.
 
 
 It is the 'udev' subsystem that is responsible for creating the device
 symlinks for all the logical volumes.  I suspect that my missing device
 nodes were being excluded by the /lib/udev/rules.d/10-dm.rules file
 because the dmsetup info command inside it was failing.  This then caused
 the 11-dm-lvm.rules file, which normally makes the decision about
 creating the symlink, to skip that device.
 
 When I ran dmsetup info /dev/dm-11 it failed, saying the device didn't
 exist! Yet the device file /dev/dm-11 was present, and clearly was usable
 as I could manually access the data on it, by a process such as:
 
 ln -s /dev/vg_xyz/lv_var /dev/dm-11
 cryptsetup luksOpen /dev/vg_xyz/lv_var /dev/mapper/luks-xyz
 mount /dev/mapper/luks-xyz /var
 
 So /dev/dm-11 clearly works, yet dmsetup info was failing for it!
 
 
 Since I could manually get /var mounted, and I fortunately had enough free 
 space, I went ahead copied the entire filesystem into /.  [Copying details
 -- I first excluded any security-sensitive files as I was going transfering
 to a non-encrypted filesystem, and copied the rest of the files while
 preserving SELinux contexts, and also renaming mountpoints as appropriate
 so that I ended up with /var on root being an identical copy of what used
 to be in the separate /var filesystem.]
 
 After removing /var from my fstab, a reboot worked completely.
 Furthermore, when I look into the /dev/mapper directory or the device
 directory for the volume group I see ALL the expected device symlinks exist
 - including my old /var as well as the other missing logical volumes.  Also
 dmsetup info now works on all of them.
 
 
 I am still quite curious as to what was going on, and am wondering if I can
 go back to using a separate /var logical volume.
 
 Deron
 
 
 
 On Mon, Nov 18, 2013 at 2:50 AM, Deron Meranda deron.mera...@gmail.com wrote:
 
 Here's some more information.  It looks like all the LVM device files that 
 correspond to a device mapper minor number of 10 or greater are missing.
 I have four such devices (logical volumes).
 
 After boot the lvm devices look like,
 
 lvhome -> ../dm-9
 lvroot -> ../dm-1
 ... and so on.
 
 All the devices with minor numbers < 10 appear as I expect.  However all
 those with minor number >= 10 are missing.
 
 If I query dm directly (dmsetup ls), or just look for all dm devices (ls 
 /dev/dm-*) then all of the devices show up.  It is only the symbolic links 
 for the volume group that are missing.
 
 Is there a particular dm bug, or is this just a coincidence?   How can I
 get the system to boot?
 
 Thanks -- Deron Meranda http://deron.meranda.us/
 
 
 
 
 -- Deron Meranda http://deron.meranda.us/
 
 
Fedora 17 is no longer supported.

