Re: Docker storage on Fedora 25?
On 12/27/2016 10:55 AM, Dave Johansen wrote:
> On Tue, Dec 27, 2016 at 5:16 AM, Daniel J Walsh <dwa...@redhat.com> wrote:
>> On 12/26/2016 08:39 PM, Matthew Miller wrote:
>>> On Mon, Dec 26, 2016 at 12:37:46PM -0700, Dave Johansen wrote:
>>>> http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/
>>>> Does the above recommendation still hold true with Fedora 25/Docker 1.12.5?
>>>> If so, is the configuration the same?
>>> Quick glance, yeah, looks still basically right. You have a new option,
>>> overlay2, which is a newer Docker driver for OverlayFS and generally
>>> preferred. See
>>> https://docs.docker.com/engine/userguide/storagedriver/selectadriver/
>
> F25 now uses docker-storage-setup, so the right way to select the
> driver was a bit different, but these instructions showed how to do it:
> https://access.redhat.com/documentation/en/red-hat-enterprise-linux-atomic-host/7/paged/managing-containers/chapter-1-managing-storage-with-docker-formatted-containers#overlay_graph_driver
>
>>> *But*, I'm not sure offhand if SELinux support is complete -- I know it
>>> was being worked on.
>>
>> SELinux should work fine on F25. We are working to change the default
>> in F26 to the overlay2 driver.
>
> That's good to hear. Do I need to add the :z or :Z when mounting a
> host directory for SELinux to work? If so, will that cause any
> problems when running on Mac/Windows?

If you want to share the volume on an SELinux system then you need :z and :Z;
on a non-SELinux system these options will be ignored. If you are using a
docker client on Mac/Windows and a docker daemon on an SELinux system, then
these options should work fine.

> Thanks for the help,
> Dave
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
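The :z/:Z answer above is easiest to trust once you can see what each suffix does to the label on the host directory. The script below is an added example, not part of the thread or of docker itself: it classifies a directory's SELinux context as a shared (:z) or private (:Z) container volume label and, when asked, runs a throwaway container both ways and prints the result. It assumes GNU `stat -c %C` and that the volume type is `container_file_t` (`svirt_sandbox_file_t` on the Fedora 25 era policy); both names are checked. The fedora:25 image and the temporary directory are arbitrary choices for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): inspect what :z and :Z do to the
# SELinux label of a host directory bind-mounted into a container.
# Assumes GNU stat (-c %C) and a volume type of container_file_t, or
# svirt_sandbox_file_t on older container policies.

# The third colon-separated field of a context is the type, e.g.
# system_u:object_r:container_file_t:s0:c12,c34 -> container_file_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Fields after the sensitivity level are the MCS categories; empty when the
# label is shared (:z) instead of private to one container (:Z).
context_categories() {
    printf '%s\n' "$1" | cut -d: -f5-
}

# Either of the two type names that container runtimes have used for volumes.
is_volume_type() {
    case "$(context_type "$1")" in
        container_file_t|svirt_sandbox_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# :Z -> volume type plus a category pair, so only the container that owns
# those categories can read or write the files.
is_private_volume_label() {
    is_volume_type "$1" && [ -n "$(context_categories "$1")" ]
}

# :z -> volume type with no categories: every container on the host may use it.
is_shared_volume_label() {
    is_volume_type "$1" && [ -z "$(context_categories "$1")" ]
}

# Describe the label currently on a host path: private, shared, or
# unlabeled-for-containers (docker would be denied access in enforcing mode).
classify_volume_dir() {
    ctx=$(stat -c %C "$1") || return 1
    if is_private_volume_label "$ctx"; then echo private
    elif is_shared_volume_label "$ctx"; then echo shared
    else echo unlabeled-for-containers
    fi
}

# Live demonstration for an SELinux host with docker: sh this_script.sh demo
# On a host without SELinux the suffix is ignored and the label never changes.
demo() {
    dir=$(mktemp -d)
    docker run --rm -v "$dir:/data:Z" fedora:25 true
    echo "after :Z -> $(classify_volume_dir "$dir") ($(stat -c %C "$dir"))"
    docker run --rm -v "$dir:/data:z" fedora:25 true
    echo "after :z -> $(classify_volume_dir "$dir") ($(stat -c %C "$dir"))"
    rmdir "$dir"
}

if [ "${1-}" = demo ]; then
    demo
fi
```

The categories are the part worth checking after a `:Z` mount: two containers given the same directory with `:Z` will each relabel it to their own category pair, and the one that ran first loses access, which is why `:z` exists for directories that several containers must share.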
Re: Docker storage on Fedora 25?
On 12/26/2016 08:39 PM, Matthew Miller wrote:
> On Mon, Dec 26, 2016 at 12:37:46PM -0700, Dave Johansen wrote:
>> http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/
>> Does the above recommendation still hold true with Fedora 25/Docker 1.12.5?
>> If so, is the configuration the same?
> Quick glance, yeah, looks still basically right. You have a new option,
> overlay2, which is a newer Docker driver for OverlayFS and generally
> preferred. See
> https://docs.docker.com/engine/userguide/storagedriver/selectadriver/
>
> *But*, I'm not sure offhand if SELinux support is complete -- I know it
> was being worked on.

SELinux should work fine on F25. We are working to change the default
in F26 to the overlay2 driver.
Re: Apache Authentication with System Accounts?
On 12/23/2016 05:38 PM, Aero Maxx D wrote:
>> On 23 Dec 2016, at 21:19, Matthew Miller wrote:
>>
>> Oh, just to check -- any SELinux AVC logged? From the mod_authnz_pam
>> page, you need to do `sudo setsebool -P allow_httpd_mod_auth_pam 1`.
>>
>> Other than that, anything at all else logged?
> Yeah I've done that, still the same as before.
>
> mod_authnz_pam: PAM authentication failed for user <>:
> Authentication failure
>
> user <>: authentication failure for "/": Password Mismatch.

If you put SELinux in permissive mode does it work? If not, then it is
most likely NOT an SELinux issue.
Re: SELinux forces Fedora 25 upgrade into a reboot loop
On 11/25/2016 01:28 PM, Sam Varshavchik wrote:
> Patrick O'Callaghan writes:
>
>> On Fri, 2016-11-25 at 11:08 -0500, Sam Varshavchik wrote:
>>> Wondering if all upgrades with selinux enabled are broken, or just
>>> something with this particular laptop. This doesn't look like a
>>> system-specific failure to me, but if all upgrades with enforcing
>>> selinux blow up like this, I would've expected a lot of noise in
>>> here, by now… More details in bug 1398696.
>>
>> My system has been enforcing for at least the last 5 versions (possibly
>> more), and I had no problem with this.
>
> What output do you get from:
>
> ls -alZd /var/lib/dnf/system-upgrade
>
> On the one with the problem I get:
>
> drwxr-xr-x. 2 root root unconfined_u:object_r:user_tmp_t:s0 233472 Nov 25 10:31 /var/lib/dnf/system-upgrade

user_tmp_t means that it was created by a user process in /tmp or /var/tmp
and then mv'd to /var/lib/dnf.

> Now, another one of my laptops shows:
>
> drwxr-xr-x. 2 root root unconfined_u:object_r:rpm_var_lib_t:s0 221184 Nov 23 16:09 system-upgrade
>
> However that laptop was already running in permissive mode. Still,
> according to rpm:
>
> file /var/lib/dnf/system-upgrade is not owned by any package
>
> After rmdir-ing and mkdir-ing /var/lib/dnf/system-upgrade its selinux
> context is changed to unconfined_u:object_r:rpm_var_lib_t:s0, so I
> think that's where the problem was. Unclear how the former selinux
> context was what it was.

Just running

restorecon -R -v /var/lib/dnf

would have fixed the problem.
Re: Running docker images crashing F25?
On 09/16/2016 11:22 PM, Philip Rhoades wrote:
> People,
>
> I couldn't find a specific docker Fedora list so I am posting here -
> feel free to tell me a more appropriate list . .
>
> I decided to live on the edge and did a bare-metal install of F25
> x86_64 a little while ago - it has been going pretty smoothly but in
> the last few days I have been playing around with docker again
> (specifically: cprogrammer/indimail:fedora-23 ie a qmail server) and I
> have had a few spontaneous reboots - one that locked up at a BIOS
> splash screen.
>
> Is this something I should be helping to debug somehow? I just did a
> full "dnf update" before the last couple of crashes . .
>
> Thanks,
>
> Phil.

I have no idea why docker would be causing this, seems like a bad kernel or
this is a very evil docker image. :^) I run Rawhide and have been having no
problems.
FYI: systemd as pid one on an unprivileged container.
http://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@lists.fedoraproject.org
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Re: Fedora 23 Server: can't startx
On 03/30/2016 12:06 PM, Braden McDaniel wrote:
> I have a fresh, updated install of Fedora 23 Server. After installation,
> I installed the "Basic Desktop" group. Now, when I try to run startx, it
> fails with the error:
>
> xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)
>
> Where should I look to diagnose/resolve this? Could this be related to
> the fact that my home directories are NFS mounted? (I have set the
> use_nfs_home_dirs SELinux setting to "on".)

What AVC's are you seeing?

ausearch -m avc -ts recent
Re: PulseAudio
On 03/25/2016 12:49 PM, Joe Zeff wrote:
> On 03/25/2016 06:58 AM, Richard Ibbotson wrote:
>> On Friday 25 March 2016 09:41:05 Daniel J Walsh wrote:
>>> What avcs are you seeing
>>>
>>> ausearch -m avc -ts recent
>>
> Well, that just about proves that SELinux isn't involved, doesn't it?

Well maybe. Could you get this error to happen again, and then run the
ausearch command. You could also check to see if it happens with
setenforce 0.
Re: PulseAudio
On 03/25/2016 09:20 AM, Richard Ibbotson wrote:
> Hi
>
> I know a lot of people don't like PulseAudio but that's what comes with
> Fedora 23. My problem is this. After a dnf update I find that selinux
> has done something it didn't do before. PulseAudio has ceased to work
> properly. I'm looking at a dummy output; the sound card is not found by
> PulseAudio in my workstation. I've tried to set permissions for
> PulseAudio in selinux. This allowed the sound server to start up when I
> did 'service pulseaudio restart'. Then there was some kind of error
> message about some keys not being created. Still no sound. I've seen
> this somewhere before but can't find it on the internet with a search.
> Tried the PulseAudio site. Can anyone point me in the right direction
> with this? Also tried man pulseaudio. Nothing useful there.

What avcs are you seeing

ausearch -m avc -ts recent
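`ausearch -m avc -ts recent`, asked for in this post and in the startx and earlier PulseAudio replies above, prints raw audit records; the next step is always the same reduction: which domain was denied which permission on which type and class, and whether the target's label even looks right. The script below is an added example, not from the thread or from the audit tools: it parses AVC records into that summary and does a first-pass triage. The two AVC lines embedded in it are constructed for the example, and the process, path and type names in them are illustrative rather than taken from the thread. The triage rule that `default_t`/`unlabeled_t` targets are relabel cases, and that `matchpathcon -n` gives the type policy expects for a path, are the only facts it relies on.

```shell
#!/bin/sh
# Added example (not from the thread): reduce the records printed by
# `ausearch -m avc -ts recent` to the fields that decide the next step.
# The two records below are constructed for this example.

SAMPLE_AVCS='type=AVC msg=audit(1458921705.123:4210): avc:  denied  { read } for  pid=2345 comm="pulseaudio" name="card0" dev="tmpfs" ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1458921706.456:4211): avc:  denied  { getattr } for  pid=1122 comm="rsyslogd" path="/var/log/example.log" dev="dm-0" ino=5678 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'

# Pull one key=value field out of a record; the value may or may not be quoted.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The denied permissions sit between the braces after "denied".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\) *}.*/\1/p' | sed 's/ *$//'
}

# The third colon-separated field of a context is the type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One line per record: who was denied what, on which type and object class.
avc_summary() {
    printf '%s denied %s on %s:%s (comm=%s)\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" comm)"
}

# First-pass triage. A target typed default_t or unlabeled_t carries no
# policy label at all, which restorecon fixes. Otherwise, when the record
# names a path and matchpathcon is installed, compare the type on disk with
# the type policy expects: a mismatch is a labeling problem ("relabel"), a
# match means the denial is a policy question ("policy": booleans, sealert).
# Without a path or matchpathcon the honest answer is "inspect".
avc_triage() {
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    case "$ttype" in
        default_t|unlabeled_t) echo relabel; return 0 ;;
    esac
    path=$(avc_field "$1" path)
    if [ -n "$path" ] && command -v matchpathcon >/dev/null 2>&1; then
        expected=$(context_type "$(matchpathcon -n "$path")")
        if [ "$expected" = "$ttype" ]; then echo policy; else echo relabel; fi
    else
        echo inspect
    fi
}

# Summarise every AVC record on stdin, e.g.
#   ausearch -m avc -ts recent | sh this_script.sh stream
summarise_stream() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:  denied"*)
                printf '%s [%s]\n' "$(avc_summary "$line")" "$(avc_triage "$line")" ;;
        esac
    done
}

case "${1-}" in
    demo)   printf '%s\n' "$SAMPLE_AVCS" | summarise_stream ;;
    stream) summarise_stream ;;
esac
```

On the constructed records the summary reads `unconfined_t denied read on default_t:dir (comm=pulseaudio) [relabel]` for the first and `syslogd_t denied getattr on user_tmp_t:file (comm=rsyslogd)` for the second, which gets `relabel` on a host whose policy labels /var/log as `var_log_t` and `inspect` where matchpathcon is unavailable. If the ausearch output is empty while the problem persists, the denial is either not SELinux (test with `setenforce 0`, as the reply says) or silenced by a dontaudit rule.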
Re: Discourse - DeviceMapper causing corruption?
Do we have bugzillas with these spectacular failures?

On 03/21/2016 03:03 PM, Philip Rhoades wrote:
> People,
>
> I had a couple of issues to sort out with installing the Docker
> Discourse app and while that was being done people made these comments:
>
> "Devicemapper is non starter, fails spectacularly under load and causes
> corruption. We block setup if we detect devicemapper. You need aufs or
> another better supported docker filesystem."
>
> - which was not true - it did install without resorting to aufs.
>
> also:
>
> "Redhat team get very upset when we mention that it just does not work
> for us, but release after release they say there are no bugs left, and
> each time we keep seeing Discourse users complain about corruption due
> to device mapper."
>
> Any comments?
>
> Thanks,
>
> Phil.
Re: SELinux is preventing rsyslogd from getattr access on the file
Looks like it wants you to fix your labels on /var/log

restorecon -R -v /var/log

On 10/22/2015 11:00 AM, Neal Becker wrote:
> Oct 22 10:59:22 nbecker2 setroubleshoot: Plugin Exception restorecon_source
> Oct 22 10:59:22 nbecker2 setroubleshoot: SELinux is preventing rsyslogd from getattr access on the file /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-c0bb6e169852fd4d.journal~. For complete SELinux messages. run sealert -l e90ea6c1-782b-49f6-8eee-23d630f05551
> Oct 22 10:59:22 nbecker2 python: SELinux is preventing rsyslogd from getattr access on the file /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-c0bb6e169852fd4d.journal~.
>
> * Plugin restorecon (94.8 confidence) suggests
>
> If you want to fix the label.
> /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-c0bb6e169852fd4d.journal~ default label should be var_log_t.
> Then you can run restorecon.
> Do
> # /sbin/restorecon -v /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-c0bb6e169852fd4d.journal~
>
> * Plugin catchall_labels (5.21 confidence) suggests ***
>
> If you want to allow rsyslogd to have getattr access on the user-1000@000522048e0844a5-c0bb6e169852fd4d.journal~ file
> Then you need to change the label on /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-c0bb6e169852fd4d.journal~
> Do
> # semanage fcontext -a -t FILE_TYPE '/var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-c0bb6e169852fd4d.journal~'
> where FILE_TYPE is one of the following:
> NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t,
> acct_data_t, admin_crontab_tmp_t, afs_logfile_t, aide_log_t, alsa_tmp_t, amanda_log_t, amanda_tmp_t, antivirus_log_t, antivirus_tmp_t, apcupsd_log_t,
> apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auth_cache_t, automount_tmp_t,
> awstats_tmp_t, bacula_log_t, bacula_tmp_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t,
> bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, calamaris_log_t,
> callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_tmp_t, cert_t, certmaster_var_log_t, cfengine_log_t,
> cgred_log_t, checkpc_log_t, chrome_sandbox_tmp_t, chronyd_var_log_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t,
> cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t,
> cobbler_tmp_t, cobbler_var_log_t, cockpit_tmp_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t,
> condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, conman_tmp_t, consolekit_log_t, couchdb_log_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t,
> cron_log_t, crond_tmp_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupscloudprint_log_t, cupsd_log_t, cupsd_lpd_tmp_t,
> cupsd_tmp_t, cvs_tmp_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t,
> dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, devicekit_tmp_t,
> devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t,
> dkim_milter_tmp_t, dlm_controld_var_log_t, dnsmasq_var_log_t, dnssec_trigger_tmp_t, docker_log_t, docker_tmp_t, dovecot_auth_tmp_t,
> dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, dspam_log_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_log_t,
> exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, fail2ban_var_lib_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_log_t, file_context_t,
> fingerd_log_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_tmp_t, foghorn_var_log_t, fonts_cache_t, fonts_t, fsadm_log_t, fsadm_tmp_t,
> fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, gear_log_t, geoclue_tmp_t, getty_log_t, getty_tmp_t,
> gfs_controld_var_log_t, git_script_tmp_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t,
> gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, hostname_etc_t,
> httpd_log_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, icecast_log_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t,
> initrc_tmp_t, initrc_var_log_t,
Re: Copying files without losing selinux context
On 10/10/2015 05:07 AM, Suvayu Ali wrote:
> Hi Rejy,
>
> On Sat, Oct 10, 2015 at 12:31:59PM +0530, Rejy M Cyriac wrote:
>> On 10/08/2015 06:35 PM, Suvayu Ali wrote:
>>> Yesterday I installed a new SSD in my laptop. I moved all my files
>>> (/home, /var, /opt) with rsync and rebooted. However I see the selinux
>>> filecontexts are wrong, and many services are failing because of that,
>>> e.g. the user crontab doesn't load.
>>>
>>> # ls -Z /var/spool/cron/user
>>> unconfined_u:object_r:var_spool_t:s0 /var/spool/cron/user
>>>
>>> I did an autorelabel on boot, I also ran `restorecon -p -r /var',
>>> neither helped. To get the crontab working, I had to change the context
>>> by hand.
>>>
>>> # chcon --reference=/old/part/spool/cron/user /var/spool/cron/user
>>> # ls -Z /var/spool/cron/user
>>> unconfined_u:object_r:user_cron_spool_t:s0 /var/spool/cron/user
>>>
>>> I would like to know how I can fix the rest, and what I should have used
>>> to do the copy in the first place. I guess `cp -c' would work, but then
>>> I wouldn't have the ability to resume the transfer.
>> The following would have retained the SELinux contexts
>>
>> rsync with the --xattrs option
>> tar with the --selinux or --xattrs option
> Thanks a lot! I'll remember this for the future. Is there any simple
> way to restore the contexts now, after the fact? If not, maybe
> something like the command below?
>
> # cd /old && find . -exec chcon --reference=\{\} /var/\{\} \;
>
> Cheers,
>

If you are moving content around you should reset the default labeling.
In this case you could do something like

# semanage fcontext -a -e /var /old
# restorecon -R -v /old

which would make your labels survive a relabel.
Re: SElinux issue
Looks like prelude.te provides the prewikka code.

grep prew *
prelude.fc:/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:prewikka_script_exec_t,s0)
prelude.te: apache_content_template(prewikka)
prelude.te: apache_content_alias_template(prewikka, prewikka)
prelude.te: can_exec(prewikka_script_t, prewikka_script_exec_t)
prelude.te: files_search_tmp(prewikka_script_t)
prelude.te: kernel_read_sysctl(prewikka_script_t)
prelude.te: kernel_search_network_sysctl(prewikka_script_t)
prelude.te: auth_use_nsswitch(prewikka_script_t)
prelude.te: logging_send_syslog_msg(prewikka_script_t)
prelude.te: apache_search_sys_content(prewikka_script_t)
prelude.te: mysql_stream_connect(prewikka_script_t)
prelude.te: mysql_tcp_connect(prewikka_script_t)
prelude.te: postgresql_stream_connect(prewikka_script_t)
prelude.te: postgresql_tcp_connect(prewikka_script_t)

semodule -l | grep prelude

On 09/25/2015 06:51 PM, Paolo Galtieri wrote:
> Daniel,
> on the machine on which things work there is a prewikka.pp file, but
> on the one that fails there isn't. On the system that fails I have the
> following prewikka policy file (prewikkapol.te):
>
> module prewikka 1.0;
>
> require {
>     type tmp_t;
>     type init_var_run_t;
>     type httpd_prewikka_script_t;
>     type sysfs_t;
>     class dir { read search };
> }
>
> #= httpd_prewikka_script_t ==
>
> allow httpd_prewikka_script_t init_var_run_t:dir search;
> allow httpd_prewikka_script_t sysfs_t:dir read;
> allow httpd_prewikka_script_t tmp_t:dir read;
>
> and the corresponding prewikkapol.pp file.
>
> On the system that works I have the following prewikka policy file
> (prewikka.te):
>
> module prewikka 1.0;
>
> require {
>     type tmp_t;
>     type init_var_run_t;
>     type httpd_prewikka_script_t;
>     type sysfs_t;
>     class dir { read search };
> }
>
> #= httpd_prewikka_script_t ==
>
> allow httpd_prewikka_script_t init_var_run_t:dir search;
> allow httpd_prewikka_script_t sysfs_t:dir read;
> allow httpd_prewikka_script_t tmp_t:dir read;
>
> and the corresponding prewikka.pp file. So as far as I know the
> prewikka policy files are present, and neither says
> anything about httpd_prewikka_rw_content_t.
>
> Also if I run
>
> semodule -l
>
> the appropriate policy file is shown.
>
> I tried disabling the module:
>
> sudo semodule -d prewikkapol
> [sudo] password for pgaltieri:
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined (No such file or directory).
> libsepol.context_from_record: could not create context structure (Invalid argument).
> libsemanage.validate_handler: invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for /usr/share/prewikka/htdocs/generated_images [all files] (Invalid argument).
> libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
> semodule: Failed!
>
> I tried to remove the module:
>
> sudo semodule -r prewikkapol
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined (No such file or directory).
> libsepol.context_from_record: could not create context structure (Invalid argument).
> libsemanage.validate_handler: invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for /usr/share/prewikka/htdocs/generated_images [all files] (Invalid argument).
> libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
> semodule: Failed!
>
> It does appear though that setsebool still works despite the errors.
>
> Still confused though why I'm seeing the error.
>
> Thanks for the help,
> Paolo
>
> On 09/25/2015 12:26 PM, Daniel J Walsh wrote:
>> Looks like you might have a prewikka policy around?
>>
>> locate prewikka.pp
>>
>> Did you build a custom policy module?
>>
>> On 09/25/2015 02:30 PM, Paolo Galtieri wrote:
>>> Folks,
>>> I got an SElinux alert this morning. The suggestion to correct the
>>> problem was to do:
>>>
>>> setsebool -P unconfined_mozilla_plugin_transition 0
>>>
>>> When I did this I got the following response:
>>>
>>> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
>>> defined
>>> libsepol.context_from_record: could not create context structure
>>> libsepol.context_from_string: could not create context structure
>>> libsepol.sepol_contex
Re: AVC denial and the suggested action to take (by the setroubleshoot details) window
Why use symlinks versus bind mounts? Or mount the directory there directly.

On 09/24/2015 07:20 PM, jd1008 wrote:
> On 09/24/2015 04:54 PM, Rahul Sundaram wrote:
>> Hi
>>
>> On Thu, Sep 24, 2015 at 4:20 PM, jd1008 wrote:
>>> But /home is a symlink to /home on another mount point.
>>> Would not selinux be "savvy" enough to follow symlinks???
>>
>> Following symlinks can be a security problem. It is pretty common
>> for that to be restricted by default
>>
>> Rahul
>
> Agreed.
> Thanks for the heads up.
Re: AVC denial and the suggested action to take (by the setroubleshoot details) window
On 09/25/2015 03:55 PM, jd1008 wrote:
> On 09/25/2015 01:26 PM, Daniel J Walsh wrote:
>> On 09/25/2015 01:54 PM, jd1008 wrote:
>>> On 09/25/2015 11:28 AM, Daniel J Walsh wrote:
>>>> mount the directory there directly
>>> You mean mount a partition as /home?
>>> I do not have that.
>>
>> Anyways where are your homedirs?
> Went ahead and did a bind in /etc/fstab
> and it is working OK.
> I hope next relabel will not miss anything :)

Well the problem with just a bind is that the code now exists in two
places, and a full relabel could cause the labels to revert to the
alternate label. Which is why it is still good to put in the

semanage fcontext -a -e /home /PATH
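The `semanage fcontext -a -e` rule recommended here, and in the SSD migration thread above (`-e /var /old`), is a path-prefix equivalence: the policy labels everything under the new path as if it sat under the original one, and because the rule is stored with the other file-context customizations it is honoured by `restorecon` and by a `touch /.autorelabel` reboot alike, which is the part a bind mount or a one-off `chcon` cannot give you. The script below is an added example, not from the thread or from policycoreutils: it shows the substitution the rule performs, asks policy for the resulting label, and applies the rule the way the reply describes. `/export/home` stands in for the `/PATH` of the reply and is an assumed example location; the file name `file_contexts.subs` under `/etc/selinux/<policy>/contexts/files/` is where semanage records these rules.

```shell
#!/bin/sh
# Added example (not from the thread): what `semanage fcontext -a -e OLD NEW`
# does for a relocated directory, and why it survives a full relabel.
# /export/home is an assumed example path (the reply wrote /PATH).

# Apply the equivalence OLD -> NEW by hand: map a path under NEW to the
# path under OLD whose file-context rules policy will use for it. Prints
# nothing and fails when the path is not under NEW at all.
equiv_map() {
    old=${1%/}
    new=${2%/}
    case "$3" in
        "$new")   printf '%s\n' "$old" ;;
        "$new"/*) rest=${3#"$new"}; printf '%s\n' "$old$rest" ;;
        *)        return 1 ;;
    esac
}

# The label a relocated path will get: ask policy about the mapped path.
# Falls back to printing the mapped path itself where matchpathcon is absent,
# so the substitution can still be inspected on a machine without SELinux.
expected_context() {
    mapped=$(equiv_map "$1" "$2" "$3") || return 1
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon -n "$mapped"
    else
        printf '%s\n' "$mapped"
    fi
}

# Record the rule and apply it. With only a bind mount, the same files are
# reachable at two paths and a full relabel may apply whichever rule matches
# the other path; with the rule in place both paths resolve to the same
# labels, so restorecon and /.autorelabel give the same result every time.
relocate_tree() {
    old=$1
    new=$2
    semanage fcontext -a -e "$old" "$new"
    restorecon -R -v "$new"
}

case "${1-}" in
    map)   equiv_map "$2" "$3" "$4" ;;
    label) expected_context "$2" "$3" "$4" ;;
    apply) relocate_tree "$2" "$3" ;;
esac
```

`sh this_script.sh label /home /export/home /export/home/alice/.ssh` answers with the context policy gives `/home/alice/.ssh` (`ssh_home_t` on a stock targeted policy), which is the label `/export/home/alice/.ssh` receives once `apply /home /export/home` has been run. Note the argument order: the first path after `-e` is the existing location whose rules are reused, the second is the new location being labeled like it.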
Re: SElinux issue
Looks like you might have a prewikka policy around?

locate prewikka.pp

Did you build a custom policy module?

On 09/25/2015 02:30 PM, Paolo Galtieri wrote:
> Folks,
> I got an SElinux alert this morning. The suggestion to correct the
> problem was to do:
>
> setsebool -P unconfined_mozilla_plugin_transition 0
>
> When I did this I got the following response:
>
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
>
> I have 2 systems running F22, I got this response on one of the
> systems, but not the other. When I was running F19 on the affected
> system (prior to upgrading to F22) I did have the prewikka packages
> installed, but I have since removed them. However, it appears that
> some remnants of those packages remain.
>
> How do I fix this issue? I looked in the httpd config files and
> couldn't find any reference.
>
> Any help is appreciated.
>
> Paolo
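The libsepol errors quoted in this thread (here and in the longer follow-up above, where semodule names the record: `invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for /usr/share/prewikka/htdocs/generated_images [all files]`) describe one concrete state: a file-context rule still names a type that the loaded policy no longer defines, so every libsemanage transaction, `setsebool -P` included, fails validation on it. The script below is an added example, not from the thread or from policycoreutils: it checks a list of file-context rules against a list of defined types and prints the stale ones. Both lists embedded in it are constructed for the example. It assumes the rule lines have the shape `semanage fcontext -l -C` prints (regex, file type, context, whitespace separated, local customizations only) and that a list of defined type names can be obtained from `seinfo -t`; those two commands' header lines are not handled here, so strip them before feeding real output in.

```shell
#!/bin/sh
# Added example (not from the thread): find file-context rules that name a
# type the loaded policy does not define, the condition behind the libsepol
# "type ... is not defined" / "invalid context ... specified for ..." errors.
# Both inputs below are constructed for this example.

# Rule lines in the shape semanage fcontext -l -C prints: regex, file type,
# context. The first one reproduces the record named in the thread's error.
SAMPLE_LOCAL_RULES='/usr/share/prewikka/htdocs/generated_images(/.*)?    all files    system_u:object_r:httpd_prewikka_rw_content_t:s0
/srv/www(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0'

# Constructed list of defined types; on a real host derive it from `seinfo -t`.
SAMPLE_DEFINED_TYPES='httpd_sys_content_t
httpd_t
var_log_t'

# The context is the last whitespace-separated field of a rule; its type is
# the third colon-separated field of the context.
rule_type() {
    printf '%s\n' "$1" | awk '{ print $NF }' | cut -d: -f3
}

# Print every rule in $1 whose type does not appear in the newline-separated
# list of defined types in $2. Exact whole-line matches only, so a defined
# httpd_t does not vouch for an undefined httpd_prewikka_rw_content_t.
stale_rules() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        t=$(rule_type "$rule")
        if ! printf '%s\n' "$2" | grep -qxF "$t"; then
            printf '%s\n' "$rule"
        fi
    done
}

# Count of stale rules, for use as a health check exit status.
stale_count() {
    stale_rules "$1" "$2" | wc -l | tr -d ' '
}

if [ "${1-}" = demo ]; then
    stale_rules "$SAMPLE_LOCAL_RULES" "$SAMPLE_DEFINED_TYPES"
fi
```

On the constructed input the prewikka rule is reported and the `/srv/www` rule is not. The regex in a reported line is the argument that `semanage fcontext -d` takes to drop the customization; until such a record is gone, libsemanage refuses every policy change on the host, which matches the behaviour in the thread where `semodule -d` and `semodule -r` both fail with the same message.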
Re: AVC denial and the suggested action to take (by the setroubleshoot details) window
On 09/25/2015 01:54 PM, jd1008 wrote:
> On 09/25/2015 11:28 AM, Daniel J Walsh wrote:
>> mount the directory there directly
> You mean mount a partition as /home?
> I do not have that.

Anyways where are your homedirs?
Re: AVC denial and the suggested action to take (by the setroubleshoot details) window
What AVC are you seeing?

On 09/24/2015 01:58 PM, jd1008 wrote:
> After getting AVC denial, I touched /.autorelabel and rebooted.
> Took about 5 minutes to finish re-labeling.
> Then, I started to get more AVC denials.
> I clicked on the denial icon and read the details.
>
> Could someone please explain the argument in the suggested "solution":
> restorecon -v '#SharedObjects'
>
> What in tarnation is '#SharedObjects'
>
> The man page for semanage and for restorecon do not even
> make use of such notation.
>
> So, how is a user going to correctly interpret the meaning
> of such an opaque item as '#SharedObjects' ?
>
> The selinux troubleshoot says: (but does not explain where the
> #SharedObjects directory is )
>
> If you want to allow plugin-containe to have read access on the
> #SharedObjects directory
> Then you need to change the label on #SharedObjects
> Do
> # semanage fcontext -a -t FILE_TYPE '#SharedObjects'
> where FILE_TYPE is one of the following:
> NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, alsa_home_t, antivirus_conf_t, antivirus_home_t,
> asterisk_etc_t, audio_home_t, auth_home_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t,
> cgconfig_etc_t, cgrules_etc_t, chrome_sandbox_home_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t,
> couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, cvs_home_t, data_home_t, dbus_home_t, dbusd_etc_t,
> ddclient_etc_t, device_t, devpts_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, docker_config_t, docker_home_t, dosfs_t, dovecot_etc_t,
> etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, fetchmail_home_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t,
> firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, git_user_content_t,
> gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_bin_t, home_cert_t, home_root_t,
> hostname_etc_t, httpd_config_t, httpd_modules_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t,
> httpd_user_rw_content_t, httpd_user_script_exec_t, hugetlbfs_t, icc_data_home_t, iceauth_home_t, innd_etc_t, irc_conf_t, irc_home_t,
> irc_tmp_t, irssi_etc_t, irssi_home_t, kdump_etc_t, kismet_home_t, kmscon_conf_t, krb5_conf_t, krb5_home_t, krb5kdc_conf_t, l2tp_conf_t,
> lib_t, likewise_etc_t, lircd_etc_t, local_login_home_t, locale_t, lvm_etc_t, machineid_t, mail_home_rw_t, mail_home_t, man_cache_t,
> man_t, mandb_home_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mnt_t, mock_etc_t, modules_conf_t, mozilla_conf_t,
> mozilla_home_t, mozilla_plugin_rw_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mpd_home_t, mpd_user_data_t,
> mplayer_etc_t, mplayer_home_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, mysqld_home_t, nagios_etc_t, named_conf_t, net_conf_t,
> nrpe_etc_t, nscd_var_run_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, openshift_var_lib_t, openvpn_etc_rw_t, openvpn_etc_t,
> openvswitch_rw_t, pads_config_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_cache_home_t,
> polipo_config_home_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t,
> prelude_correlator_config_t, printconf_t, proc_t, procmail_home_t, psad_etc_t, ptal_etc_t, pulseaudio_home_t, puppet_etc_t, qmail_etc_t,
> radiusd_etc_t, radvd_etc_t, rhnsd_conf_t, rlogind_home_t, root_t, rssh_ro_t, rssh_rw_t, rsync_etc_t, samba_etc_t, sandbox_file_t,
> sanlock_conf_t, screen_home_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamc_home_t,
> spamd_etc_t, speech-dispatcher_home_t, squid_conf_t, src_t, ssh_home_t, sssd_conf_t, sssd_public_t, stunnel_etc_t, svc_conf_t,
> svirt_home_t, sysctl_fs_t, sysctl_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, systemd_home_t, systemd_logind_sessions_t,
> telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t,
> telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t,
> telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, tftpd_etc_t, thumb_home_t, tmp_t,
> tmpfs_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, tvtime_home_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, uml_ro_t, uml_rw_t,
> user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t,
> var_lib_t, var_run_t, varnishd_etc_t, virt_content_t, virt_etc_t, virt_home_t, vmware_conf_t, vmware_file_t, vmware_sys_conf_t,
> webalizer_etc_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_etc_t, xdm_home_t, xdm_rw_etc_t, xserver_etc_t, ypserv_conf_t,
> zarafa_etc_t, zebra_conf_t.
> Then
Re: AVC denial and the suggested action to take (by the setroubleshoot details) window
On 09/24/2015 03:15 PM, jd1008 wrote:
> On 09/24/2015 12:58 PM, Daniel J Walsh wrote:
>> What AVC are you seeing?
>>
>> On 09/24/2015 01:58 PM, jd1008 wrote:
>>> After getting AVC denial, I touched /.autorelabel and rebooted.
>>> Took about 5 minutes to finish re-labeling.
>>> Then, I started to get more AVC denials.
>>> I clicked on the denial icon and read the details.
>>>
>>> Could someone please explain the argument in the suggested "solution":
>>> restorecon -v '#SharedObjects'
>>>
>>> What in tarnation is '#SharedObjects'?
>>>
>>> The man pages for semanage and for restorecon do not even
>>> make use of such notation.
>>>
>>> So, how is a user going to correctly interpret the meaning
>>> of such an opaque item as '#SharedObjects'?
>>>
>>> The selinux troubleshoot says (but does not explain where the
>>> #SharedObjects directory is):
>>>
>>> If you want to allow plugin-containe to have read access on the
>>> #SharedObjects directory
>>> Then you need to change the label on #SharedObjects
>>> Do
>>> # semanage fcontext -a -t FILE_TYPE '#SharedObjects'
>>> where FILE_TYPE is one of the following: NetworkManager_etc_rw_t,
>>> NetworkManager_etc_t, abrt_etc_t, admin_home_t, aiccu_etc_t,
>>> alsa_etc_rw_t, alsa_home_t, antivirus_conf_t, antivirus_home_t,
>>> asterisk_etc_t, audio_home_t, auth_home_t, bin_t, bitlbee_conf_t,
>>> bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t,
>>> cgconfig_etc_t, cgrules_etc_t, chrome_sandbox_home_t, cluster_conf_t,
>>> cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t,
>>> couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t,
>>> cupsd_rw_etc_t, cvs_home_t, data_home_t, dbus_home_t, dbusd_etc_t,
>>> ddclient_etc_t, device_t, devpts_t, dhcp_etc_t, dictd_etc_t,
>>> dnsmasq_etc_t, docker_config_t, docker_home_t, dosfs_t, dovecot_etc_t,
>>> etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t,
>>> fetchmail_home_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t,
>>> firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t,
>>> gconf_home_t, gdomap_conf_t, getty_etc_t, git_user_content_t,
>>> gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gpm_conf_t,
>>> gstreamer_home_t, hddtemp_etc_t, home_bin_t, home_cert_t, home_root_t,
>>> hostname_etc_t, httpd_config_t, httpd_modules_t, httpd_user_content_t,
>>> httpd_user_htaccess_t, httpd_user_ra_content_t,
>>> httpd_user_rw_content_t, httpd_user_script_exec_t, hugetlbfs_t,
>>> icc_data_home_t, iceauth_home_t, innd_etc_t, irc_conf_t, irc_home_t,
>>> irc_tmp_t, irssi_etc_t, irssi_home_t, kdump_etc_t, kismet_home_t,
>>> kmscon_conf_t, krb5_conf_t, krb5_home_t, krb5kdc_conf_t, l2tp_conf_t,
>>> lib_t, likewise_etc_t, lircd_etc_t, local_login_home_t, locale_t,
>>> lvm_etc_t, machineid_t, mail_home_rw_t, mail_home_t, man_cache_t,
>>> man_t, mandb_home_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t,
>>> minissdpd_conf_t, mnt_t, mock_etc_t, modules_conf_t, mozilla_conf_t,
>>> mozilla_home_t, mozilla_plugin_rw_t, mozilla_plugin_tmp_t,
>>> mozilla_plugin_tmpfs_t, mpd_etc_t, mpd_home_t, mpd_user_data_t,
>>> mplayer_etc_t, mplayer_home_t, mrtg_etc_t, mscan_etc_t, munin_etc_t,
>>> mysqld_etc_t, mysqld_home_t, nagios_etc_t, named_conf_t, net_conf_t,
>>> nrpe_etc_t, nscd_var_run_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t,
>>> nut_conf_t, openshift_var_lib_t, openvpn_etc_rw_t, openvpn_etc_t,
>>> openvswitch_rw_t, pads_config_t, pegasus_conf_t, pingd_etc_t,
>>> piranha_etc_rw_t, piranha_web_conf_t, polipo_cache_home_t,
>>> polipo_config_home_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t,
>>> postgresql_etc_t, postgrey_etc_t, pppd_etc_t,
>>> prelude_correlator_config_t, printconf_t, proc_t, procmail_home_t,
>>> psad_etc_t, ptal_etc_t, pulseaudio_home_t, puppet_etc_t, qmail_etc_t,
>>> radiusd_etc_t, radvd_etc_t, rhnsd_conf_t, rlogind_home_t, root_t,
>>> rssh_ro_t, rssh_rw_t, rsync_etc_t, samba_etc_t, sandbox_file_t,
>>> sanlock_conf_t, screen_home_t, shell_exec_t, shorewall_etc_t,
>>> slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamc_home_t,
>>> spamd_etc_t, speech-dispatcher_home_t, squid_conf_t, src_t,
>>> ssh_home_t, sssd_conf_t, sssd_public_t, stunnel_etc_t, svc_conf_t,
>>> svirt_home_t, sysctl_fs_t, sysctl_t, sysfs_t, syslog_conf_t,
>>> system_conf_t, system_db_t, systemd_home_t, systemd_logind_s
Re: doing docker build, SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process., kills wireless
You have a bad label on /etc/resolv.conf.

restorecon -v /etc/resolv.conf

I have no idea how this is getting mislabeled. Are you doing anything special with /etc/resolv.conf?

Also turn on the cups_execmem boolean

setsebool -P cups_execmem 1

On 08/19/2015 10:10 AM, Robert P. J. Day wrote:
On Wed, 19 Aug 2015, Rick Stevens wrote:
On 08/19/2015 08:41 AM, Robert P. J. Day wrote:
On Wed, 19 Aug 2015, Daniel J Walsh wrote:
On 08/19/2015 07:36 AM, Robert P. J. Day wrote:
On Wed, 19 Aug 2015, Daniel J Walsh wrote:
On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
On Tue, 18 Aug 2015, Robert P. J. Day wrote:

by now, i'm getting *really* good at debugging. was doing a simple docker build (docker-1.8.1) with first few lines of Dockerfile (which worked fine not that long ago):

FROM ubuntu:14.04
MAINTAINER Robert P. J. Day
ENV REFRESHED_AT 2015-08-18
RUN apt-get -y -q update apt-get -y -q install nginx
... snip ...

and it was *entirely* reproducible that the instant docker started to process that RUN apt-get command, the wireless connection on my Fedora 22 laptop was blown away. grabbed this from SELinux:

= start =
SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.

* Plugin catchall (100. confidence) suggests **

If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context        system_u:system_r:NetworkManager_t:s0
Target Context        system_u:system_r:kernel_t:s0
Target Objects        Unknown [ process ]
Source                abrt-hook-ccpp
Source Path           /usr/libexec/abrt-hook-ccpp
Port                  Unknown
Host                  localhost.localdomain
Source RPM Packages   abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
Target RPM Packages
Policy RPM            selinux-policy-3.13.1-128.10.fc22.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Permissive
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 4.1.5-200.fc22.x86_64 #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
Alert Count           1
First Seen            2015-08-18 12:57:36 EDT
Last Seen             2015-08-18 12:57:36 EDT
Local ID              523c8bed-7428-49e7-b301-3a932852b135

Raw Audit Messages
type=AVC msg=audit(1439917056.327:640): avc: denied { sigchld } for pid=4555 comm=abrt-hook-ccpp scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)

Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld
= end =

followup to the above ... i ran the suggested selinux-related commands, but that had no apparent effect, so i'm still stuck. for people who know docker, you'll recognize that the error occurred at the first instruction in the Dockerfile that requires network access, the RUN apt-get ... command (i already have the ubuntu base image on my system). i grabbed a few hundred lines from journalctl and stuck them here: http://pastebin.com/KzrYMFvC. you can see the very first command there is the docker invocation:

Aug 19 05:24:35 localhost.localdomain sudo[4190]: rpjday : TTY=pts/0 ; PWD=/home/rpjday/docker/TDB/sample ; USER=root ; COMMAND=/bin/docker build -t jamtur01/nginx .

thoughts? is it bugzilla time?

rday

Yes open a bugzilla, although this is a very strange AVC. It basically shows abrt-hook-ccpp executing under networkmanager domain and sending sigchld to kernel_t. Why would networkmanager execed processes be sending a sigchld to a kernel process?

beats me, this is way outside my comfort zone. by the way, even though selinux was in permissive mode, i thought i'd play it safe and just disable it entirely, so i did, rebooted, sestatus clearly shows selinux disabled, but i got the same error. i'll do it one more time shortly just to make sure it's not some intermittent weirdness, then i'll BZ it. open to suggestions as to anything else i might try, or add to the BZ submission.

rday

With SELinux disabled you should not be getting
Re: doing docker build, SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process., kills wireless
On 08/19/2015 07:36 AM, Robert P. J. Day wrote:
On Wed, 19 Aug 2015, Daniel J Walsh wrote:
On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
On Tue, 18 Aug 2015, Robert P. J. Day wrote:

by now, i'm getting *really* good at debugging. was doing a simple docker build (docker-1.8.1) with first few lines of Dockerfile (which worked fine not that long ago):

FROM ubuntu:14.04
MAINTAINER Robert P. J. Day
ENV REFRESHED_AT 2015-08-18
RUN apt-get -y -q update apt-get -y -q install nginx
... snip ...

and it was *entirely* reproducible that the instant docker started to process that RUN apt-get command, the wireless connection on my Fedora 22 laptop was blown away. grabbed this from SELinux:

= start =
SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.

* Plugin catchall (100. confidence) suggests **

If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context        system_u:system_r:NetworkManager_t:s0
Target Context        system_u:system_r:kernel_t:s0
Target Objects        Unknown [ process ]
Source                abrt-hook-ccpp
Source Path           /usr/libexec/abrt-hook-ccpp
Port                  Unknown
Host                  localhost.localdomain
Source RPM Packages   abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
Target RPM Packages
Policy RPM            selinux-policy-3.13.1-128.10.fc22.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Permissive
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 4.1.5-200.fc22.x86_64 #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
Alert Count           1
First Seen            2015-08-18 12:57:36 EDT
Last Seen             2015-08-18 12:57:36 EDT
Local ID              523c8bed-7428-49e7-b301-3a932852b135

Raw Audit Messages
type=AVC msg=audit(1439917056.327:640): avc: denied { sigchld } for pid=4555 comm=abrt-hook-ccpp scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)

Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld
= end =

followup to the above ... i ran the suggested selinux-related commands, but that had no apparent effect, so i'm still stuck. for people who know docker, you'll recognize that the error occurred at the first instruction in the Dockerfile that requires network access, the RUN apt-get ... command (i already have the ubuntu base image on my system). i grabbed a few hundred lines from journalctl and stuck them here: http://pastebin.com/KzrYMFvC. you can see the very first command there is the docker invocation:

Aug 19 05:24:35 localhost.localdomain sudo[4190]: rpjday : TTY=pts/0 ; PWD=/home/rpjday/docker/TDB/sample ; USER=root ; COMMAND=/bin/docker build -t jamtur01/nginx .

thoughts? is it bugzilla time?

rday

Yes open a bugzilla, although this is a very strange AVC. It basically shows abrt-hook-ccpp executing under networkmanager domain and sending sigchld to kernel_t. Why would networkmanager execed processes be sending a sigchld to a kernel process?

beats me, this is way outside my comfort zone. by the way, even though selinux was in permissive mode, i thought i'd play it safe and just disable it entirely, so i did, rebooted, sestatus clearly shows selinux disabled, but i got the same error. i'll do it one more time shortly just to make sure it's not some intermittent weirdness, then i'll BZ it. open to suggestions as to anything else i might try, or add to the BZ submission.

rday

With SELinux disabled you should not be getting any AVCs. If you turn SELinux back on and do a full relabel, I think the problem will go away. Something is crashing though which is causing the AVC

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki
Re: doing docker build, SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process., kills wireless
On 08/19/2015 08:03 AM, Robert P. J. Day wrote:
On Wed, 19 Aug 2015, Daniel J Walsh wrote:

With SELinux disabled you should not be getting any AVCs. If you turn SELinux back on and do a full relabel, I think the problem will go away. Something is crashing though which is causing the AVC

as in, enabled and not just permissive?

rday

Either way.
Re: doing docker build, SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process., kills wireless
On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
On Tue, 18 Aug 2015, Robert P. J. Day wrote:

by now, i'm getting *really* good at debugging. was doing a simple docker build (docker-1.8.1) with first few lines of Dockerfile (which worked fine not that long ago):

FROM ubuntu:14.04
MAINTAINER Robert P. J. Day
ENV REFRESHED_AT 2015-08-18
RUN apt-get -y -q update apt-get -y -q install nginx
... snip ...

and it was *entirely* reproducible that the instant docker started to process that RUN apt-get command, the wireless connection on my Fedora 22 laptop was blown away. grabbed this from SELinux:

= start =
SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.

* Plugin catchall (100. confidence) suggests **

If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context        system_u:system_r:NetworkManager_t:s0
Target Context        system_u:system_r:kernel_t:s0
Target Objects        Unknown [ process ]
Source                abrt-hook-ccpp
Source Path           /usr/libexec/abrt-hook-ccpp
Port                  Unknown
Host                  localhost.localdomain
Source RPM Packages   abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
Target RPM Packages
Policy RPM            selinux-policy-3.13.1-128.10.fc22.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Permissive
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 4.1.5-200.fc22.x86_64 #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
Alert Count           1
First Seen            2015-08-18 12:57:36 EDT
Last Seen             2015-08-18 12:57:36 EDT
Local ID              523c8bed-7428-49e7-b301-3a932852b135

Raw Audit Messages
type=AVC msg=audit(1439917056.327:640): avc: denied { sigchld } for pid=4555 comm=abrt-hook-ccpp scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)

Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld
= end =

followup to the above ... i ran the suggested selinux-related commands, but that had no apparent effect, so i'm still stuck. for people who know docker, you'll recognize that the error occurred at the first instruction in the Dockerfile that requires network access, the RUN apt-get ... command (i already have the ubuntu base image on my system). i grabbed a few hundred lines from journalctl and stuck them here: http://pastebin.com/KzrYMFvC. you can see the very first command there is the docker invocation:

Aug 19 05:24:35 localhost.localdomain sudo[4190]: rpjday : TTY=pts/0 ; PWD=/home/rpjday/docker/TDB/sample ; USER=root ; COMMAND=/bin/docker build -t jamtur01/nginx .

thoughts? is it bugzilla time?

rday

Yes open a bugzilla, although this is a very strange AVC. It basically shows abrt-hook-ccpp executing under networkmanager domain and sending sigchld to kernel_t. Why would networkmanager execed processes be sending a sigchld to a kernel process?
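An added example, not from the thread and not the code of audit2allow or setroubleshoot: a small Python parser for audit records like the two quoted above. It pairs the AVC with its SYSCALL record by event serial, prints the `allow` rule that `audit2allow -M mypol` would put into the module, and pulls out what is worth checking before installing such a module: `permissive=1` means the access was logged but not blocked, and the SYSCALL record's `subj=` type (kernel_t, the label of the task that made the wait4 call) is not the AVC's source type (NetworkManager_t), which is the oddity Walsh points at. The sample lines are the thread's records as setroubleshoot rendered them (arch and syscall as names rather than numbers); the parser also accepts the quoted `comm="..."` form written to /var/log/audit/audit.log.

```python
import re
from collections import defaultdict

# Constructed sample input: the two audit records quoted in the thread above, one AVC and the
# SYSCALL record that shares its event serial (":640"), in setroubleshoot's interpreted rendering.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1439917056.327:640): avc: denied { sigchld } for pid=4555 comm=abrt-hook-ccpp scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)
"""

EVENT_RE = re.compile(r'^type=(?P<type>\w+)\s+msg=audit\((?P<event>[\d.]+:\d+)\):')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # raw audit.log quotes comm="..." and exe="..."


def parse_audit_line(line):
    """Turn one audit record into {'type', 'event', 'fields', ...}; None for non-audit lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    rec = {'type': m['type'], 'event': m['event'],
           'fields': {k: v.strip('"') for k, v in KV_RE.findall(line)}}
    if rec['type'] == 'AVC':
        a = AVC_RE.search(line)
        rec['result'] = a['result']
        rec['perms'] = a['perms'].split()
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type, e.g. system_u:system_r:kernel_t:s0 -> kernel_t."""
    return ctx.split(':')[2]


def group_events(lines):
    """Group records by event serial so an AVC can be paired with its SYSCALL record."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_audit_line(line)
        if rec:
            events[rec['event']].append(rec)
    return events


def allow_rules(events):
    """The rules audit2allow would emit for these denials: one allow per (source, target, class),
    permissions merged, braces only when there is more than one permission."""
    merged = defaultdict(set)
    for recs in events.values():
        for rec in recs:
            if rec['type'] == 'AVC' and rec['result'] == 'denied':
                f = rec['fields']
                key = (context_type(f['scontext']), context_type(f['tcontext']), f['tclass'])
                merged[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        perm_str = p if len(perms) == 1 else '{ ' + p + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


def triage(events):
    """What to check before installing such a module: was the access actually blocked
    (permissive=0), which syscall and binary triggered it, and whether the SYSCALL subject type
    matches the AVC source type (in the thread's record it does not: kernel_t vs NetworkManager_t)."""
    report = []
    for event, recs in sorted(events.items()):
        sysc = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        sf = sysc['fields'] if sysc else {}
        for avc in (r for r in recs if r['type'] == 'AVC'):
            f = avc['fields']
            source_type = context_type(f['scontext'])
            subj_type = context_type(sf['subj']) if 'subj' in sf else None
            report.append({
                'event': event,
                'comm': f.get('comm'),
                'source_type': source_type,
                'target_type': context_type(f['tcontext']),
                'tclass': f['tclass'],
                'perms': avc['perms'],
                'blocked': f.get('permissive') == '0',
                'syscall': sf.get('syscall'),
                'exe': sf.get('exe'),
                'subj_type': subj_type,
                'subj_mismatch': subj_type is not None and subj_type != source_type,
            })
    return report


if __name__ == '__main__':
    ev = group_events(SAMPLE_AUDIT_LOG.splitlines())
    for rule in allow_rules(ev):
        print(rule)
    for item in triage(ev):
        print(item)
```

Run against the thread's two records it prints `allow NetworkManager_t kernel_t:process sigchld;` and a triage entry with `blocked: False` and `subj_mismatch: True`; feeding it `grep abrt-hook-ccpp /var/log/audit/audit.log` gives the same per-denial summary for a live machine.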
Re: current/proposed docker-related packages?
On 08/16/2015 05:04 AM, Robert P. J. Day wrote:
On Sat, 15 Aug 2015, Kenneth Wolcott wrote:

I have a related question about Fedora docker packages. There seems to be a docker-engine at version 1.8.1 and docker at version 1.7.1. I'd like to have docker AND docker engine at the same version, preferably at 1.8.1. I don't mind having to get docker-compose and docker-machine via the docker website directly, but it would also be nice to get them via the normal Fedora repositories. Even though docker-machine appears to be broken for all Linux distributions that I've tried when running with a local vm (VirtualBox) rather than a cloud (AWS). docker-swarm is still considered beta, so I could see why that might not be provided via a Fedora repository.

you've summed up my wish list nicely ... i'm just trying to make a list of where to get all the cool stuff in the docker ecosystem, either as an official fedora package or, if not, then from docker.com directly.

as i read it (and i'm willing to be corrected), there will be some package renaming in the near future, either synchronized with when docker 1.8 gets packaged with fedora, or with f23, or maybe both. i found this page of docker-related fedora packages:

https://admin.fedoraproject.org/pkgdb/packages/docker*/

and i know what *was* docker-io is now docker, and that's going to become docker-engine, is it not? oddly, that list includes docker-compose as being approved in f22, but i don't yet see it in dnf search, so i can only assume it's coming. same thing with docker-client? docker-machine? etc, etc.

regarding other possible packages, i ran across this page at docker.com, talking about kitematic:

http://docs.docker.com/kitematic/

which refers to something called the docker toolbox, but it looks like all that is windows/mac only:

https://www.docker.com/toolbox

and as d walsh(?) mentioned recently, the improved builder dock has been renamed to atomic-reactor.

like i said, i'm just trying to keep up.

rday

docker-1.8.1 (docker-engine) should be out soon. I believe lokesh is working on packaging up the other docker content for Fedora. I am not a big fan of changing the name of docker to docker-engine at this time. (We just changed it from docker-io to docker, and would probably have to alias it anyways.)

Lokesh can you add a provides docker-engine to docker package.
Re: current/proposed docker-related packages?
On 08/17/2015 08:06 AM, Daniel J Walsh wrote:
On 08/16/2015 05:04 AM, Robert P. J. Day wrote:
On Sat, 15 Aug 2015, Kenneth Wolcott wrote:

I have a related question about Fedora docker packages. There seems to be a docker-engine at version 1.8.1 and docker at version 1.7.1. I'd like to have docker AND docker engine at the same version, preferably at 1.8.1. I don't mind having to get docker-compose and docker-machine via the docker website directly, but it would also be nice to get them via the normal Fedora repositories. Even though docker-machine appears to be broken for all Linux distributions that I've tried when running with a local vm (VirtualBox) rather than a cloud (AWS). docker-swarm is still considered beta, so I could see why that might not be provided via a Fedora repository.

you've summed up my wish list nicely ... i'm just trying to make a list of where to get all the cool stuff in the docker ecosystem, either as an official fedora package or, if not, then from docker.com directly.

as i read it (and i'm willing to be corrected), there will be some package renaming in the near future, either synchronized with when docker 1.8 gets packaged with fedora, or with f23, or maybe both. i found this page of docker-related fedora packages:

https://admin.fedoraproject.org/pkgdb/packages/docker*/

and i know what *was* docker-io is now docker, and that's going to become docker-engine, is it not? oddly, that list includes docker-compose as being approved in f22, but i don't yet see it in dnf search, so i can only assume it's coming. same thing with docker-client? docker-machine? etc, etc.

regarding other possible packages, i ran across this page at docker.com, talking about kitematic:

http://docs.docker.com/kitematic/

which refers to something called the docker toolbox, but it looks like all that is windows/mac only:

https://www.docker.com/toolbox

and as d walsh(?) mentioned recently, the improved builder dock has been renamed to atomic-reactor.

like i said, i'm just trying to keep up.

rday

docker-1.8.1 (docker-engine) should be out soon. I believe lokesh is working on packaging up the other docker content for Fedora. I am not a big fan of changing the name of docker to docker-engine at this time. (We just changed it from docker-io to docker, and would probably have to alias it anyways.)

Lokesh can you add a provides docker-engine to docker package.

Looks like docker-1.8.1-1.git9281dc3.fc22 is in updates-testing?

docker-1.8.1-1.git3c1d7c8.fc23
http://koji.fedoraproject.org/koji/buildinfo?buildID=677363
is also built and I believe moving along.

docker-1.9.0-2.gitf8950e0.fc24
http://koji.fedoraproject.org/koji/buildinfo?buildID=677354
is in Rawhide.
Re: fedora-dockerfiles: LABEL lines in cockpit-ws sample file look weird
Wow, we removed this command a while ago and I guess forgot to remove the man page.

atomic info

Will show you the labels.

Latest atomic has added --display command

atomic install imagename --display

Will show the command that will be executed without executing it.

On 08/10/2015 02:53 PM, Robert P. J. Day wrote:
On Mon, 10 Aug 2015, Daniel J Walsh wrote:

Here are a couple of blogs on the atomic command

http://developerblog.redhat.com/2015/04/21/introducing-the-atomic-command/
http://www.projectatomic.io/blog/2015/04/using-environment-substitution-with-the-atomic-command/

atomic command is available for both fedora and fedora atomic host.

hmm ... didn't take long to run into issues:

$ man atomic-defaults
ATOMIC(1)                    January 2015                    ATOMIC(1)

NAME
       atomic - List default commands

SYNOPSIS
       atomic defaults [-h] IMAGE

DESCRIPTION
       atomic defaults list default commands with which atomic will RUN/INSTALL/REMOVE containers.
... snip ...

ok, then:

$ atomic defaults fedora
/usr/bin/atomic: invalid choice: 'defaults' (choose from 'info', 'install', 'images', 'mount', 'stop', 'run', 'uninstall', 'unmount', 'update', 'upload', 'version', 'verify')
Try 'atomic --help' for more information.
$

the list in that error message isn't even complete (it's missing atomic host), but why does the atomic command not accept the defaults subcommand?

rday
Re: fedora-dockerfiles: LABEL lines in cockpit-ws sample file look weird
On 08/10/2015 08:31 AM, Robert P. J. Day wrote:
On Mon, 10 Aug 2015, Daniel J Walsh wrote:
On 08/10/2015 05:43 AM, Robert P. J. Day wrote:

brief digression from my discussion of docker roadmap and stuff like that ... i'm using the sample Dockerfiles from the fedora-dockerfiles package to demonstrate various Dockerfile instructions in an upcoming course, and i ran across this:

cockpit-ws/Dockerfile:LABEL INSTALL /usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install
cockpit-ws/Dockerfile:LABEL UNINSTALL /usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /cockpit/atomic-uninstall
cockpit-ws/Dockerfile:LABEL RUN /usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh

i have no idea what those lines mean, they don't even seem valid as the documentation suggests the proper form of a Dockerfile LABEL instruction requires an = sign. what does the above mean, if anything?

rday

I think the = sign is optional.

ah, man Dockerfile doesn't mention that -- bugzilla time?

Although I would prefer it in the form of

LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install

as would i. by the way, i'm assuming there's nothing magical about the labels INSTALL, UNINSTALL or RUN, right? they're simply being added as metadata to the image as documentation that someone can dig out later with docker inspect? beyond that, they have no special power, is that correct?

The special power is the atomic run|install|uninstall command will automatically use them

atomic install cockpit-ws

Does a docker pull cockpit-ws

Then docker inspect to get the INSTALL label, then it executes the INSTALL label substituting environment variables like ${NAME} and ${IMAGE}

Do a man atomic.

And with the latest atomic we now support

LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host \${IMAGE} /container/atomic-install

just to clarify these two uses of IMAGE, the first one will simply keep the literal string IMAGE, correct? while the second will use escaping so that the label saved will incorporate the literal string ${IMAGE} -- i'm assuming to show the reader that that is supposed to represent an image name?

rday

No in either case IMAGE will be substituted with the image specified on the atomic install command.
Re: fedora-dockerfiles: LABEL lines in cockpit-ws sample file look weird
Here are a couple of blogs on the atomic command

http://developerblog.redhat.com/2015/04/21/introducing-the-atomic-command/
http://www.projectatomic.io/blog/2015/04/using-environment-substitution-with-the-atomic-command/

atomic command is available for both fedora and fedora atomic host.

On 08/10/2015 08:43 AM, Daniel J Walsh wrote:
On 08/10/2015 08:31 AM, Robert P. J. Day wrote:
On Mon, 10 Aug 2015, Daniel J Walsh wrote:
On 08/10/2015 05:43 AM, Robert P. J. Day wrote:

brief digression from my discussion of docker roadmap and stuff like that ... i'm using the sample Dockerfiles from the fedora-dockerfiles package to demonstrate various Dockerfile instructions in an upcoming course, and i ran across this:

cockpit-ws/Dockerfile:LABEL INSTALL /usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install
cockpit-ws/Dockerfile:LABEL UNINSTALL /usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /cockpit/atomic-uninstall
cockpit-ws/Dockerfile:LABEL RUN /usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh

i have no idea what those lines mean, they don't even seem valid as the documentation suggests the proper form of a Dockerfile LABEL instruction requires an = sign. what does the above mean, if anything?

rday

I think the = sign is optional.

ah, man Dockerfile doesn't mention that -- bugzilla time?

Although I would prefer it in the form of

LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install

as would i. by the way, i'm assuming there's nothing magical about the labels INSTALL, UNINSTALL or RUN, right? they're simply being added as metadata to the image as documentation that someone can dig out later with docker inspect? beyond that, they have no special power, is that correct?

The special power is the atomic run|install|uninstall command will automatically use them

atomic install cockpit-ws

Does a docker pull cockpit-ws

Then docker inspect to get the INSTALL label, then it executes the INSTALL label substituting environment variables like ${NAME} and ${IMAGE}

Do a man atomic.

And with the latest atomic we now support

LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host \${IMAGE} /container/atomic-install

just to clarify these two uses of IMAGE, the first one will simply keep the literal string IMAGE, correct? while the second will use escaping so that the label saved will incorporate the literal string ${IMAGE} -- i'm assuming to show the reader that that is supposed to represent an image name?

rday

No in either case IMAGE will be substituted with the image specified on the atomic install command.
Re: fedora-dockerfiles: LABEL lines in cockpit-ws sample file look weird
On 08/10/2015 05:43 AM, Robert P. J. Day wrote:

brief digression from my discussion of docker roadmap and stuff like that ... i'm using the sample Dockerfiles from the fedora-dockerfiles package to demonstrate various Dockerfile instructions in an upcoming course, and i ran across this:

cockpit-ws/Dockerfile:LABEL INSTALL /usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install
cockpit-ws/Dockerfile:LABEL UNINSTALL /usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /cockpit/atomic-uninstall
cockpit-ws/Dockerfile:LABEL RUN /usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh

i have no idea what those lines mean, they don't even seem valid as the documentation suggests the proper form of a Dockerfile LABEL instruction requires an = sign. what does the above mean, if anything?

rday

I think the = sign is optional.

Although I would prefer it in the form of

LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install

And with the latest atomic we now support

LABEL INSTALL=/usr/bin/docker run -ti --rm --privileged -v /:/host \${IMAGE} /container/atomic-install
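An added example, not from the thread, from fedora-dockerfiles or from the atomic project: a Python dry run of what `atomic install`/`atomic run` would execute from an image's labels, following the thread's description (both the legacy `LABEL key value` form the cockpit-ws file uses and the `LABEL key=value` form; the bare tokens IMAGE and NAME and the `${IMAGE}`/`${NAME}` forms replaced with the image and name given on the atomic command line). The placeholder rules and the list of privilege-granting flags it audits are assumptions for the example; the double quotes around the `key=value` sample are added here because Docker's `key=value` syntax needs them when the value contains spaces. It also shows why Walsh's example writes `\${IMAGE}`: the Dockerfile builder performs its own `${VAR}` replacement on LABEL values at build time, so the backslash is what leaves a literal `${IMAGE}` in the image metadata for atomic to substitute later.

```python
import re
import shlex

# Constructed sample input: the three cockpit-ws LABEL lines quoted in the thread, which use the
# legacy "LABEL key value" form with a bare IMAGE placeholder.
SAMPLE_DOCKERFILE = """\
FROM fedora
LABEL INSTALL /usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install
LABEL UNINSTALL /usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /cockpit/atomic-uninstall
LABEL RUN /usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh
"""

# The "LABEL key=value" form with the escaped ${IMAGE} from the thread. The double quotes are an
# addition here: Docker's key=value syntax requires them when the value contains spaces.
SAMPLE_EQUALS_FORM = r'LABEL INSTALL="/usr/bin/docker run -ti --rm --privileged -v /:/host \${IMAGE} /container/atomic-install"'

ENV_RE = re.compile(r'\\\$|\$\{(\w+)\}|\$(\w+)')


def dockerfile_env_substitute(value, build_env):
    r"""Approximates the builder's environment replacement on a LABEL value: ${VAR} and $VAR are
    replaced from the Dockerfile's ENV (unset -> empty), while a backslash-escaped \$ survives as
    a literal $. Without the backslash the builder consumes ${IMAGE} at build time and the image
    metadata ends up holding an empty string where the image name should go."""
    def repl(m):
        if m.group(0) == '\\$':
            return '$'
        return build_env.get(m.group(1) or m.group(2), '')
    return ENV_RE.sub(repl, value)


def parse_labels(dockerfile_text, build_env=None):
    """Return {key: value} for every LABEL instruction, accepting both the legacy 'LABEL key value'
    form (rest of the line is the value) and 'LABEL key=value ...' (shell-style tokens)."""
    build_env = build_env or {}
    labels = {}
    for raw in dockerfile_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].upper() != 'LABEL':
            continue
        body = parts[1]
        if '=' in body.split(None, 1)[0]:
            for token in shlex.split(body):
                key, _, val = token.partition('=')
                labels[key] = dockerfile_env_substitute(val, build_env)
        else:
            key, _, val = body.partition(' ')
            labels[key] = dockerfile_env_substitute(val.strip(), build_env)
    return labels


def atomic_substitute(command, image, name):
    """Expand the placeholders the way the thread describes atomic doing it: the bare tokens IMAGE
    and NAME as well as ${IMAGE} and ${NAME} become the image and container name given on the
    atomic command line. Modelled on the thread's description, not on atomic's own code."""
    argv = []
    for tok in shlex.split(command):
        tok = tok.replace('${IMAGE}', image).replace('${NAME}', name)
        argv.append({'IMAGE': image, 'NAME': name}.get(tok, tok))
    return argv


# docker run options that hand the container host-level privilege (assumed list for this audit).
PRIVILEGE_FLAGS = {
    '--privileged': 'disables the default capability, device and LSM restrictions',
    '--pid=host': 'shares the host PID namespace',
    '--net=host': 'shares the host network namespace',
}


def audit_command(argv):
    """What the label's docker command grants the container: the findings to read before letting
    'atomic install/run' execute it (the same check 'atomic install IMAGE --display' lets you do
    by eye)."""
    findings = []
    for i, tok in enumerate(argv):
        if tok in PRIVILEGE_FLAGS:
            findings.append(f'{tok}: {PRIVILEGE_FLAGS[tok]}')
        if tok in ('-v', '--volume') and i + 1 < len(argv) and argv[i + 1].split(':')[0] == '/':
            findings.append(f'-v {argv[i + 1]}: mounts the whole host filesystem')
    return findings


def display(labels, image, name):
    """Dry run of the INSTALL/RUN/UNINSTALL labels: expanded argv plus audit findings per label."""
    out = {}
    for key in ('INSTALL', 'RUN', 'UNINSTALL'):
        if key in labels:
            argv = atomic_substitute(labels[key], image, name)
            out[key] = {'argv': argv, 'findings': audit_command(argv)}
    return out


if __name__ == '__main__':
    for key, info in display(parse_labels(SAMPLE_DOCKERFILE), 'cockpit/ws', 'cockpit-ws').items():
        print(key, ' '.join(info['argv']))
        for finding in info['findings']:
            print('   ', finding)
```

For the cockpit-ws labels the dry run reports `--privileged` plus the `/:/host` bind mount on every label and `--pid=host` on RUN, which is the point of checking before `atomic install`: those three options together give whatever the image ships as /container/atomic-install unrestricted root on the host.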
Re: SE alert
You can just run

  # restorecon -R -v /

from the booted machine.

On 07/20/2015 03:49 PM, jd1008 wrote:
> On 07/20/2015 01:42 PM, Martin Cigorraga wrote:
> > Hi,
> >
> >   ~ getenforce
> >   Enforcing
> >
> > Please be aware that setenforce will only change the mode SELinux is running in. For a permanent change, you have to edit the configuration file.
>
> I already stated that /etc/sysconfig/selinux says (and did say when my system was in permissive mode):
>
>   # $ sudo cat /etc/sysconfig/selinux
>   # This file controls the state of SELinux on the system.
>   # SELINUX= can take one of these three values:
>   #     enforcing - SELinux security policy is enforced.
>   #     permissive - SELinux prints warnings instead of enforcing.
>   #     disabled - No SELinux policy is loaded.
>   SELINUX=enforcing
>   # SELINUXTYPE= can take one of these two values:
>   #     targeted - Targeted processes are protected,
>   #     minimum - Modification of targeted policy. Only selected processes are protected.
>   #     mls - Multi Level Security protection.
>   SELINUXTYPE=targeted
>
> Thus going into permissive mode was not done by me. As I also stated, this is a fresh install since mid-day, yesterday, with only yum update bringing in new versions of packages.
Re: which images is docker pull supposed to pull by default?
Please open a bugzilla with the docker package to fix the man page.

On 07/19/2015 05:05 AM, Robert P. J. Day wrote:
> more nitpicky pedantry regarding docker on fedora 22 ... if i read the man page for docker-pull on my f22 system, i see:
>
>   This command pulls down an image or a repository from a registry. If there is more than one image for a repository (e.g., fedora) then all images for that repository name are pulled down including any tags.
>
> note the reference to all images being pulled down. and the example given seems to reinforce the notion that, if you specify simply a repository, you'll get all corresponding tagged images:
>
>   docker pull fedora
>   Pulling repository fedora
>   ad57ef8d78d7: Download complete
>   105182bb5e8b: Download complete
>   511136ea3c5a: Download complete
>   73bd853d2ea5: Download complete
>   Status: Downloaded newer image for fedora
>
>   docker images
>   REPOSITORY   TAG         IMAGE ID       CREATED      VIRTUAL SIZE
>   fedora       rawhide     ad57ef8d78d7   5 days ago   359.3 MB
>   fedora       20          105182bb5e8b   5 days ago   372.7 MB
>   fedora       heisenbug   105182bb5e8b   5 days ago   372.7 MB
>   fedora       latest      105182bb5e8b   5 days ago   372.7 MB
>
> *however*, the explanation of the -a option seems to disagree with that:
>
>   OPTIONS
>     -a, --all-tags=true|false
>       Download all tagged images in the repository. The default is false.
>
> which suggests that, by default, you *don't* get all tagged images unless you specify -a. and a quick test shows that, if i run docker pull fedora, all i appear to get is:
>
>   # docker images
>   REPOSITORY         TAG      IMAGE ID       CREATED       VIRTUAL SIZE
>   docker.io/fedora   latest   ded7cd95e059   7 weeks ago   186.5 MB
>   #
>
> so ... what am i misreading here? the man page seems just a touch confusing and contradictory.
>
> rday
Re: discrepancy in instructions to install docker on fedora 22
docker-engine == docker from fedora point of view.

Docker.io is trying to rebrand docker to docker-engine, so it can differentiate docker-swarm, docker-registry, docker-engine ...

On 07/17/2015 10:42 AM, Robert P. J. Day wrote:
> been playing with docker for a few days now, then starting reading the docs over at docker.com, and here are the fedora installation instructions one finds there:
>
>   https://docs.docker.com/installation/fedora/
>
> which refer to some RPM named docker-engine, of which i am unaware. all i've installed for a working docker setup is:
>
>   * docker
>   * docker-selinux
>   * fedora-dockerfiles
>
> so ... do i care about this docker-engine thingy?
>
> rday
Re: discrepancy in instructions to install docker on fedora 22
On 07/17/2015 11:55 AM, Robert P. J. Day wrote:
> On Fri, 17 Jul 2015, Daniel J Walsh wrote:
> > docker-engine == docker from fedora point of view.
> >
> > Docker.io is trying to rebrand docker to docker-engine, so it can differentiate docker-swarm, docker-registry, docker-engine ...
>
> ok, so if i wanted to follow that path, would i simply download and install the docker-engine RPM on my f22 system, rather than the current docker and docker-selinux packages? would i add a new yum repo entry for it? just trying to keep up.
>
> rday

No, just install the docker package from the fedora repo, which will bring in the updates. I have asked Lokesh Mandevekar to update the docker.spec to provide docker-engine.

You should almost never download a package from the internet that exists in the distribution.
Re: discrepancy in instructions to install docker on fedora 22
On 07/17/2015 12:59 PM, Robert P. J. Day wrote:
> On Fri, 17 Jul 2015, Daniel J Walsh wrote:
> > On 07/17/2015 11:55 AM, Robert P. J. Day wrote:
> > > On Fri, 17 Jul 2015, Daniel J Walsh wrote:
> > > > docker-engine == docker from fedora point of view.
> > > >
> > > > Docker.io is trying to rebrand docker to docker-engine, so it can differentiate docker-swarm, docker-registry, docker-engine ...
> > >
> > > ok, so if i wanted to follow that path, would i simply download and install the docker-engine RPM on my f22 system, rather than the current docker and docker-selinux packages? would i add a new yum repo entry for it? just trying to keep up.
> > >
> > > rday
> >
> > No, just install the docker package from the fedora repo, which will bring in the updates. I have asked Lokesh Mandevekar to update the docker.spec to provide docker-engine.
>
> i did notice that the fedora docker package has a dependency on docker-selinux, while that docker-engine package didn't, so i'm assuming the repackaging will take care of the selinux component.
>
> rday

Yes. We ship with a series of patches on the docker-engine/docker package also.
Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.
On 06/30/2015 07:57 AM, Ed Greshko wrote:
> On 06/30/15 19:31, Daniel J Walsh wrote:
> > On 06/29/2015 01:45 PM, Andras Simon wrote:
> > > [Sorry for the late answer, I was away from this machine.]
> > >
> > > 2015-06-28 1:01 GMT+02:00, Ed Greshko <ed.gres...@greshko.com>:
> > > > On 06/27/15 21:15, Andras Simon wrote:
> > > > > 2015-06-27 15:11 GMT+02:00, Andras Simon <sza...@gmail.com>:
> > > > > > Should I be worried about the $subject?
> > > > >
> > > > > And there's also a "SELinux is preventing sh from execute access on the file /usr/sbin/ldconfig" which I've only just noticed. It sounds even scarier.
> > > >
> > > > Does your output match these?
> > > >
> > > > [egreshko@meimei ~]$ ls -Z /bin/bash
> > > > system_u:object_r:shell_exec_t:s0 /bin/bash
> > > > [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
> > > > system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig
> > >
> > > Yes, I get the same result.
> > >
> > > Andras
> >
> > Everything seems correct. But the AVC's indicate that firewalld was attempting to run ldconfig... Which I believe should not happen normally. The transactions at the time of yum/rpm indicate that the transaction or at least the post install sections were being run as firewalld_t.
>
> Should that be BZ'd against firewalld?

Sure we should have this in a bugzilla, but not sure those guys will figure it out either.
Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.
On 06/29/2015 01:45 PM, Andras Simon wrote:
> [Sorry for the late answer, I was away from this machine.]
>
> 2015-06-28 1:01 GMT+02:00, Ed Greshko <ed.gres...@greshko.com>:
> > On 06/27/15 21:15, Andras Simon wrote:
> > > 2015-06-27 15:11 GMT+02:00, Andras Simon <sza...@gmail.com>:
> > > > Should I be worried about the $subject?
> > >
> > > And there's also a "SELinux is preventing sh from execute access on the file /usr/sbin/ldconfig" which I've only just noticed. It sounds even scarier.
> >
> > Does your output match these?
> >
> > [egreshko@meimei ~]$ ls -Z /bin/bash
> > system_u:object_r:shell_exec_t:s0 /bin/bash
> > [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
> > system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig
>
> Yes, I get the same result.
>
> Andras

Everything seems correct. But the AVC's indicate that firewalld was attempting to run ldconfig... Which I believe should not happen normally. The transactions at the time of yum/rpm indicate that the transaction or at least the post install sections were being run as firewalld_t.
Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.
On 06/29/2015 06:13 AM, Ed Greshko wrote:
> On 06/29/15 18:09, Daniel J Walsh wrote:
> > On 06/28/2015 07:53 AM, Suvayu Ali wrote:
> > > On Sun, Jun 28, 2015 at 06:04:38AM -0400, Daniel J Walsh wrote:
> > > > On 06/27/2015 07:01 PM, Ed Greshko wrote:
> > > > > On 06/27/15 21:15, Andras Simon wrote:
> > > > > > 2015-06-27 15:11 GMT+02:00, Andras Simon <sza...@gmail.com>:
> > > > > > > Should I be worried about the $subject?
> > > > > >
> > > > > > And there's also a "SELinux is preventing sh from execute access on the file /usr/sbin/ldconfig" which I've only just noticed. It sounds even scarier.
> > > > >
> > > > > Does your output match these?
> > > > >
> > > > > [egreshko@meimei ~]$ ls -Z /bin/bash
> > > > > system_u:object_r:shell_exec_t:s0 /bin/bash
> > > > > [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
> > > > > system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig
> > > >
> > > > Do you have the avc's?
> > > >
> > > > ausearch -m avc
> > >
> > > I also saw these alerts during a package update.
> > >
> > > time->Thu Jun 25 17:56:49 2015
> > > type=PROCTITLE msg=audit(1435247809.870:4079): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
> > > type=SYSCALL msg=audit(1435247809.870:4079): arch=c03e syscall=59 success=no exit=-13 a0=7f955d728b00 a1=7f955d728c00 a2=7f955d727c40 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
> > > type=AVC msg=audit(1435247809.870:4079): avc: denied { execute } for pid=30357 comm=sh name=ldconfig dev=sdb1 ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
> > >
> > > time->Thu Jun 25 17:56:49 2015
> > > type=PROCTITLE msg=audit(1435247809.870:4080): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
> > > type=SYSCALL msg=audit(1435247809.870:4080): arch=c03e syscall=4 success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab9b0 a2=7fffc7dab9b0 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
> > > type=AVC msg=audit(1435247809.870:4080): avc: denied { getattr } for pid=30357 comm=sh path=/usr/sbin/ldconfig dev=sdb1 ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
> > >
> > > time->Thu Jun 25 17:56:49 2015
> > > type=PROCTITLE msg=audit(1435247809.870:4081): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
> > > type=SYSCALL msg=audit(1435247809.870:4081): arch=c03e syscall=4 success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab990 a2=7fffc7dab990 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
> > > type=AVC msg=audit(1435247809.870:4081): avc: denied { getattr } for pid=30357 comm=sh path=/usr/sbin/ldconfig dev=sdb1 ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
> >
> > This is very strange. Doing ldconfig during a package update is expected, but why would firewalld be executing it.
> >
> > ps -eZ | grep firewalld
>
> [root@meimei ~]# ps -eZ | grep firewalld
> system_u:system_r:firewalld_t:s0   781 ?        00:00:00 firewalld

Ok well I am stumped, one possible thing would be if firewalld somehow caused an rpm/yum/dnf transaction to happen.
Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.
On 06/28/2015 07:53 AM, Suvayu Ali wrote:
> On Sun, Jun 28, 2015 at 06:04:38AM -0400, Daniel J Walsh wrote:
> > On 06/27/2015 07:01 PM, Ed Greshko wrote:
> > > On 06/27/15 21:15, Andras Simon wrote:
> > > > 2015-06-27 15:11 GMT+02:00, Andras Simon <sza...@gmail.com>:
> > > > > Should I be worried about the $subject?
> > > >
> > > > And there's also a "SELinux is preventing sh from execute access on the file /usr/sbin/ldconfig" which I've only just noticed. It sounds even scarier.
> > >
> > > Does your output match these?
> > >
> > > [egreshko@meimei ~]$ ls -Z /bin/bash
> > > system_u:object_r:shell_exec_t:s0 /bin/bash
> > > [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
> > > system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig
> >
> > Do you have the avc's?
> >
> > ausearch -m avc
>
> I also saw these alerts during a package update.
>
> time->Thu Jun 25 17:56:49 2015
> type=PROCTITLE msg=audit(1435247809.870:4079): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
> type=SYSCALL msg=audit(1435247809.870:4079): arch=c03e syscall=59 success=no exit=-13 a0=7f955d728b00 a1=7f955d728c00 a2=7f955d727c40 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=AVC msg=audit(1435247809.870:4079): avc: denied { execute } for pid=30357 comm=sh name=ldconfig dev=sdb1 ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
>
> time->Thu Jun 25 17:56:49 2015
> type=PROCTITLE msg=audit(1435247809.870:4080): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
> type=SYSCALL msg=audit(1435247809.870:4080): arch=c03e syscall=4 success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab9b0 a2=7fffc7dab9b0 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=AVC msg=audit(1435247809.870:4080): avc: denied { getattr } for pid=30357 comm=sh path=/usr/sbin/ldconfig dev=sdb1 ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
>
> time->Thu Jun 25 17:56:49 2015
> type=PROCTITLE msg=audit(1435247809.870:4081): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
> type=SYSCALL msg=audit(1435247809.870:4081): arch=c03e syscall=4 success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab990 a2=7fffc7dab990 a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=AVC msg=audit(1435247809.870:4081): avc: denied { getattr } for pid=30357 comm=sh path=/usr/sbin/ldconfig dev=sdb1 ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0

This is very strange. Doing ldconfig during a package update is expected, but why would firewalld be executing it.

ps -eZ | grep firewalld
Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.
On 06/27/2015 07:01 PM, Ed Greshko wrote:
> On 06/27/15 21:15, Andras Simon wrote:
> > 2015-06-27 15:11 GMT+02:00, Andras Simon <sza...@gmail.com>:
> > > Should I be worried about the $subject?
> >
> > And there's also a "SELinux is preventing sh from execute access on the file /usr/sbin/ldconfig" which I've only just noticed. It sounds even scarier.
>
> Does your output match these?
>
> [egreshko@meimei ~]$ ls -Z /bin/bash
> system_u:object_r:shell_exec_t:s0 /bin/bash
> [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
> system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig

Do you have the avc's?

ausearch -m avc
Re: Disabling auditd on Fedora 22
On 06/23/2015 12:36 AM, Kevin Wilson wrote:
> Dan,
> Thanks a lot for your reply.
>
> In fact, I ran
>
>   rpm -e selinux-policy-targeted
>   rpm -e selinux-policy
>
> And after reboot I got some message about freeze from systemd, I could not login (tried twice), so I reinstalled Linux on this machine.
>
> The question is: what do you mean by "If you disable SELinux"? Does that mean adding selinux=0 on command line? Or is it enough to set, in /etc/selinux/config, SELINUX=disabled (or maybe better is SELINUX=permissive, as Ali suggested)?
>
> Regards,
> Kevin

Either will work, although I advise against it... :^)
Re: Disabling auditd on Fedora 22
On 06/22/2015 03:44 AM, Suvayu Ali wrote:
> On Mon, Jun 22, 2015 at 08:01:41AM +0300, Kevin Wilson wrote:
> > In /etc/selinux/config I set
> >
> >   SELINUX=disabled
> >
> > Which means that I do not use in fact SElinux, so it seems to me.
>
> It is recommended to keep it permissive instead of disabled.
>
> > So will it be OK to run:
> >
> >   rpm -e selinux-policy-targeted
> >   rpm -e selinux-policy
>
> I do not think this is possible. SELinux support is in the kernel, many applications expect the libraries to be there, even though it is disabled or set to permissive.
>
> Hope this helps,

If you disable SELinux on your system you can remove those two packages, you will not be able to remove libselinux.
Re: Problem with Python??
On 06/18/2015 11:46 AM, jd1008 wrote:
> selinux issues the following
>
>   If you believe /usr/bin/bython2.7 tried to disable selinux you may be under attack by a hacker, since confined applications should never need this access. Contact your security administrator and report this issue.
>
> Is anyone else seeing this?

What avc did you see? This should be some process trying to run setenforce 0 from a python script.
FYI: Is SELinux good anti-venom?
http://danwalsh.livejournal.com/71489.html
Re: SELinux is preventing abrt-dump-journ from read access on the file /usr/lib64/libreport.so.0.
On 03/21/2015 02:03 PM, Lawrence E Graves wrote:
> SELinux is preventing abrt-dump-journ from read access on the file /usr/lib64/libreport.so.0.
>
> *****  Plugin restorecon (82.4 confidence) suggests  *****
>
> If you want to fix the label.
> /usr/lib64/libreport.so.0 default label should be lib_t.
> Then you can run restorecon.
> Do
> # /sbin/restorecon -v /usr/lib64/libreport.so.0
>
> *****  Plugin file (7.05 confidence) suggests  *****
>
> If you think this is caused by a badly mislabeled machine.
> Then you need to fully relabel.
> Do
> touch /.autorelabel; reboot
>
> *****  Plugin file (7.05 confidence) suggests  *****
>
> If you think this is caused by a badly mislabeled machine.
> Then you need to fully relabel.
> Do
> touch /.autorelabel; reboot
>
> *****  Plugin catchall_labels (4.59 confidence) suggests  *****
>
> If you want to allow abrt-dump-journ to have read access on the libreport.so.0 file
> Then you need to change the label on /usr/lib64/libreport.so.0
> Do
> # semanage fcontext -a -t FILE_TYPE '/usr/lib64/libreport.so.0'
> where FILE_TYPE is one of the following:
Re: swapping
On 02/17/2015 02:16 AM, Patrick Dupre wrote:
> It is very long. Just the end.
Re: swapping
On 02/12/2015 06:42 AM, Patrick Dupre wrote:
> Hello,
>
> I did both. Unfortunately, sometimes, like today I have to kill the setroubleshootd process all the times without much success at the end!
>
> Any suggestion?
>
> ===
> Patrick DUPRÉ | email: pdu...@gmx.com
> Laboratoire de Physico-Chimie de l'Atmosphère
> Université du Littoral-Côte d'Opale
> Tel. (33)-(0)3 28 23 76 12 | Fax: 03 28 65 82 44
> 189A, avenue Maurice Schumann
> 59140 Dunkerque, France
> ===
>
> Sent: Friday, January 16, 2015 at 4:24 AM
> From: Michael Cronenworth <m...@cchtml.com>
> To: Community support for Fedora users <users@lists.fedoraproject.org>
> Subject: Re: swapping
>
> > On 01/15/2015 04:15 PM, Daniel J Walsh wrote:
> > > Usually if you are in this situation, you have a bad labeling problem.
> > >
> > >   touch /.autorelabel; reboot
> > >
> > > Will fix the labels, or you could just do
> > >
> > >   restorecon -R /
> >
> > Except that is not the case in this instance.

Could you attach the current list of AVC's you are receiving?
Re: swapping
On 01/16/2015 03:45 PM, poma wrote:
> On 16.01.2015 20:35, Daniel J Walsh wrote:
>> On 01/16/2015 01:57 PM, poma wrote:
>>> On 16.01.2015 19:47, Daniel J Walsh wrote:
>>>> On 01/16/2015 07:47 AM, Patrick O'Callaghan wrote:
>>>>> On Fri, 2015-01-16 at 08:28 +0100, Heinz Diehl wrote:
>>>>>> On 16.01.2015, Tim wrote:
>>>>>>> Of course *you* do not *use* it, it's there as a protective device against *things* on your system.
>>>>>>
>>>>>> Any recent Linux distribution can be secured without using selinux. Selinux requires at least basic knowledge and administration. Most of the people I installed Linux for didn't even know it was there or what it's good for.
>>>>>
>>>>> You mean like the fuses in your house or the airbag in your car? When Selinux is working you don't know it's there. When it alerts you it means there's something wrong. I agree that the alerts are not always as clear as they might be, but it's a fallacy to suggest that it doesn't provide benefit.
>>>>>
>>>>> poc
>>>>
>>>> Here is a case of SELinux protecting your house.
>>>> http://danwalsh.livejournal.com/71122.html
>>>
>>> Not to fall to false sense of security, does SElinux need SElinux?
>>
>> SELinux is the kernel, so does the Kernel need the kernel.
>
> You've probably wanted to write, SELinux is a Linux (kernel) feature. But in some another context, the kernel needs the kernel, and not only.
>
>> But theoretically SELinux/Kernel can protect itself. We can prevent privileged processes (root) from manipulating the SELinux settings.
>
> Can SELinux, AppArmor and Grsecurity perform together, to achieve an even greater level of security?

SELinux and AppArmor can not, although there was some effort to allow multiple LSMs. Check out discussion on the selinux upstream list. I have no idea whether Grsecurity and SELinux can run on the same kernel. Grsecurity has never been upstreamed.
Re: Removing obsolete selinux setup
On 01/18/2015 04:58 PM, Pete Stieber wrote:
> I received an answer that worked on the fedora forums.
>
> 1. Edit the file /etc/selinux/targeted/modules/active/file_contexts.local and comment/fix the wrong contexts. In my case this meant changing httpd_mediawiki_rw_content_t to mediawiki_rw_content_t.
>
> Then I used
>
> # semanage fcontext -a -t httpd_sys_rw_content_t '/etc/dokuwiki'
> # semanage fcontext -a -t httpd_sys_rw_content_t '/etc/dokuwiki/users.auth.php'
> # semanage fcontext -a -t httpd_sys_rw_content_t '/etc/dokuwiki/local.php'
> # restorecon -R /etc/dokuwiki
>
> to get the files set up properly. Seems like the dokuwiki selinux package should be set up to do something similar.
>
> Pete

A better label should have been

semanage fcontext -a -t httpd_sys_rw_content_t '/etc/dokuwiki(/.*)?'

This would allow apache processes to write to any file/directory under /etc/dokuwiki. I would argue this might be a bad design of dokuwiki; applications should not be writing their config files. If these are not config files, they should be in /var/lib/dokuwiki.
Re: swapping
On 01/16/2015 07:47 AM, Patrick O'Callaghan wrote:
> On Fri, 2015-01-16 at 08:28 +0100, Heinz Diehl wrote:
>> On 16.01.2015, Tim wrote:
>>> Of course *you* do not *use* it, it's there as a protective device against *things* on your system.
>>
>> Any recent Linux distribution can be secured without using selinux. Selinux requires at least basic knowledge and administration. Most of the people I installed Linux for didn't even know it was there or what it's good for.
>
> You mean like the fuses in your house or the airbag in your car? When Selinux is working you don't know it's there. When it alerts you it means there's something wrong. I agree that the alerts are not always as clear as they might be, but it's a fallacy to suggest that it doesn't provide benefit.
>
> poc

Here is a case of SELinux protecting your house.
http://danwalsh.livejournal.com/71122.html
Re: Removing obsolete selinux setup
On 01/16/2015 12:19 PM, Pete Stieber wrote:
> I have a machine that has dokuwiki loaded. In order to get it to work with selinux, I followed some advice that was on:
> https://www.dokuwiki.org/install:fedora
> to allow apache to edit some files:
>
> semanage fcontext -a -t httpd_mediawiki_rw_content_t '/etc/dokuwiki'
> restorecon -v '/etc/dokuwiki'
> semanage fcontext -a -t httpd_mediawiki_rw_content_t '/etc/dokuwiki/users.auth.php'
> restorecon -v '/etc/dokuwiki/users.auth.php'
> semanage fcontext -a -t httpd_mediawiki_rw_content_t '/etc/dokuwiki/local.php'
> restorecon -v '/etc/dokuwiki/local.php'
>
> This worked on 19 and 20, but when I upgraded the machine to Fedora 21 the httpd_mediawiki_rw_content_t no longer exists. I tried
>
> semanage fcontext -d -t httpd_mediawiki_rw_content_t '/etc/dokuwiki'
>
> but I get complaints about the media wiki context being invalid. How do I remove these obsolete entries from the selinux database?
>
> Pete

semanage fcontext -d '/etc/dokuwiki/users.auth.php'

Although I am surprised they do not work.
Re: swapping
On 01/16/2015 01:57 PM, poma wrote:
> On 16.01.2015 19:47, Daniel J Walsh wrote:
>> On 01/16/2015 07:47 AM, Patrick O'Callaghan wrote:
>>> On Fri, 2015-01-16 at 08:28 +0100, Heinz Diehl wrote:
>>>> On 16.01.2015, Tim wrote:
>>>>> Of course *you* do not *use* it, it's there as a protective device against *things* on your system.
>>>>
>>>> Any recent Linux distribution can be secured without using selinux. Selinux requires at least basic knowledge and administration. Most of the people I installed Linux for didn't even know it was there or what it's good for.
>>>
>>> You mean like the fuses in your house or the airbag in your car? When Selinux is working you don't know it's there. When it alerts you it means there's something wrong. I agree that the alerts are not always as clear as they might be, but it's a fallacy to suggest that it doesn't provide benefit.
>>>
>>> poc
>>
>> Here is a case of SELinux protecting your house.
>> http://danwalsh.livejournal.com/71122.html
>
> Not to fall to false sense of security, does SElinux need SElinux?

SELinux is the kernel, so does the Kernel need the kernel. But theoretically SELinux/Kernel can protect itself. We can prevent privileged processes (root) from manipulating the SELinux settings.
Re: swapping
Usually if you are in this situation, you have a bad labeling problem.

touch /.autorelabel; reboot

Will fix the labels, or you could just do

restorecon -R /

On 01/15/2015 08:15 AM, Michael Cronenworth wrote:
> On 01/15/2015 06:06 AM, Patrick Dupre wrote:
>> Very often I reach a situation where I cannot work because fedora is swapping permanently. I attach the top file. I need to restart the machine to have it fixed!
>
> I've seen this on my box, too, but only once. Kill the setroubleshoot process and it will return to normal. I've filed a bug.
> https://bugzilla.redhat.com/show_bug.cgi?id=1175827
Re: selinux relabel at boot
I will schedule a relabel and take a look at my box. ssd relabel is pretty quick.

On 12/16/2014 06:07 PM, Tom Horsley wrote:
> On Tue, 16 Dec 2014 16:58:41 -0500 Daniel J Walsh wrote:
>> What version of Fedora was this?
>
> A brand new fedora 21 workstation install.
>
>> restorecon -p -R /
>> 7.4%^C
>> Shows Percent done now.
>
> I'm not sure the actual percentage makes it through systemd though to the messages I was looking at during boot (I had rhgb turned off, so I was booting in text mode). I'm really not sure though if the percent was there and I just didn't notice it.
Re: Cannot contact any KDC for realm since upgrading to Fedora 21
On 12/17/2014 10:19 AM, Braden McDaniel wrote:
> On 2014-12-17 09:37, fedora wrote:
>> selinux?
>
> It's set to permissive on the F21 (server) box; shouldn't that be sufficient? Or do I need to disable it completely to make sure it isn't interfering?

If it is in permissive then SELinux is not the issue. Would prefer that you ran in enforcing mode though. :^)
Re: selinux relabel at boot
On 12/13/2014 11:42 AM, Marko Vojinovic wrote:
> On Sat, 13 Dec 2014 09:52:35 -0500 Tom Horsley horsley1...@gmail.com wrote:
>> Just a note for someone who might care about this: I foolishly forgot to disable selinux in a system I created by copying all the files from a virtual image. When it booted, it said I've got to relabel everything, this may take a while. So I figured I'd just wait for it, then a few minutes later a message came up about a watchdog expiring and it rebooted the system. What fun :-). I assume it could have done that all day, but I took advantage of the reboot to disable selinux.
>
> I'm curious --- after the reboot, selinux should continue relabeling remaining files, right? So I assume that after a certain number of reboots it would eventually finish and continue booting? Or not? Though I agree that selinux should somehow inform the watchdog that a global relabel is in progress and that it may take more time than usual...
>
> Best, :-)
> Marko

There should be an indicator on the screen telling you the progress of the relabel. Did this machine have a HUGE number of files on it? SELinux should take about as much time as a find / on a system.
Re: selinux relabel at boot
What version of Fedora was this?

restorecon -p -R /
7.4%^C

Shows Percent done now.

On 12/16/2014 02:03 PM, Tom Horsley wrote:
> On Tue, 16 Dec 2014 13:36:08 -0500 Daniel J Walsh wrote:
>> There should be an indicator on the screen telling you the progress of the relabel.
>
> I don't remember for sure, but I think there was just a cylon eyeball bouncing asterisks, not anything telling me about progress.
>
>> Did this machine have a HUGE number of files on it? SELinux should take about as much time as a find / on a system.
>
> It was a copy of a virtual disk image that had the fedora workstation ISO installed on it, so however many files that is :-). All I did was edit a few UUID and msdosNN partition identifiers in grub.cfg and fstab, then booted into it via configfile from a functioning grub.
Re: Heads up: possible BASH security vulnerability
On 09/24/2014 08:27 PM, Chris Adams wrote:
> Once upon a time, jd1008 jd1...@gmail.com said:
>> So, is this one of the ways javascripts exec bash to install malware or do other nasty stuff?
>
> This has nothing to do with Javascript.
>
> It is probably more serious to servers, such as web servers, than to desktops. On a web server, let's say you have some PHP or perl CGI code, and it needs to call out to an external program. Depending on how the code is written, the PHP/perl interpreter may run the external program via /bin/sh (which is bash on many systems, especially Linux systems). Now, if the web client has set some specific variables that get put into environment variables that get passed on to /bin/sh, bash will execute the arbitrary shell code as the web server user (e.g. Apache). At that point, it can get full remote access, which can then often see database credentials and such, accessing a lot of potentially secure data. Even on RHEL/CentOS/Fedora systems, SELinux probably won't help much (since the web user already has access to read that information).

This is wrong. SELinux would help in the situation of a confined application: if an application is running as httpd_sys_script_t or httpd_t it would only be allowed to do what apache or a cgi script is allowed to do. SELinux would block it from reading random parts of the OS. For example, if I had a world readable file containing credit card data in my home directory and I had a faulty bash being run by a cgi script on apache, SELinux would block the bash/cgi script from reading the world readable file. Now if you were running as unconfined_t or running in permissive mode or disabled, then you would not get the protections.

> On a client system, there are some potential routes to exploiting this as well. For example, I think the DHCP and PPP clients will run external scripts to configure things (such as DNS, NTP, etc.), using environment variables to pass information, so a malicious server could potentially get full root access to a vulnerable client system. In most cases though, I don't think bash or /bin/sh get passed arbitrary remote data in environment variables on a client system (e.g. desktop). I could be missing some things (I'm not entirely familiar with the complexity added by modern desktop environments), but I don't think this is probably a huge deal for desktop Linux; I think the biggest impact would be on web servers with PHP/perl that calls out to external programs.
SELinux and the bash exploit.
https://danwalsh.livejournal.com/71122.html
Re: SELinux contexts
On 07/31/2014 01:52 PM, Paolo Galtieri wrote:
> On 07/31/2014 09:51 AM, Michael Cronenworth wrote:
>> On 07/31/2014 10:54 AM, pgaltieri . wrote:
>>> sudo semanage fcontext -a -t var_log_t 'logs'
>>> [snip]
>>
>> You need to pass the full path here.
>>
>> # semanage fcontext -a -t var_log_t /media/NSM/NSM-SENSOR-2/logs
>
> I tried that and the restorecon and the file type is still file_t instead of var_log_t.
>
> Paolo

# semanage fcontext -a -t var_log_t '/media/NSM/NSM-SENSOR-2/logs(/.*)?'
# restorecon -R -v /media/NSM/NSM-SENSOR-2

Should change labels.
Re: CPU/Memory
I would bet you have a mislabeled machine that is generating hundreds of AVC's.

ausearch -m avc -ts today

If the system is mislabeled, the easiest thing to do would be

touch /.autorelabel; reboot

On 07/22/2014 07:02 PM, Rick Stevens wrote:
> On 07/22/2014 01:23 PM, Patrick Dupre issued this missive:
>> Hello,
>> I have 2 machines running fedora 20, one from 2007 with a dual processor and 3 Go, and a recent one (2013) with a quad processor and 8 Go. But it is a lot more convenient to use the old machine!!! The recent one is always busy, 4 processors running
>> 53.1 55.9 /usr/bin/python -Es /usr/sbin/setroubleshootd -f
>> and the memory becomes full quickly requiring swapping!! 8 Go for the OS and firefox! Something is wrong. Should I kill setroubleshootd?
>
> The first thing is to see why you're getting AVC denials from SELinux in the first place. setroubleshootd should only fire if it's getting denials. Try running
>
> sealert -b
>
> and see if you're getting denials and what you can do about them.
>
> --
> Rick Stevens, Systems Engineer, AllDigital ri...@alldigital.com
> AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2
> To err is human, to moo bovine.
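The replies in this thread and in the "swapping" thread above all come down to the same triage: read the AVC records, see which denials would need a policy rule, and recognise the ones that are really a labeling problem (target types such as file_t, unlabeled_t or default_t), where the fix is restorecon or a relabel, not an allow rule. The script below is an added example, not code from the thread or from the setroubleshoot/audit2allow projects: it parses AVC records of the shape `ausearch -m avc -ts today` prints, groups the denied permissions into audit2allow-style rules, and lists the mislabeled objects separately. The first sample record is the plugin-container denial quoted at the top of this page with its field quoting restored; the others are constructed for the example.

```python
"""Summarize SELinux AVC denials the way audit2allow does, and flag the
ones that point at mislabeling rather than at a missing policy rule.

Added example, not from the mailing list thread. Pipe the output of
`ausearch -m avc -ts today` (or /var/log/audit/audit.log) into it with
`python3 avc_summary.py -`; without an argument it runs on SAMPLE.
"""
import re
import sys
from collections import defaultdict

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values are either quoted ("plugin-containe") or bare (pid=25730)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that almost always mean the object lost its label. The fix is
# restorecon (or touch /.autorelabel; reboot), not a new allow rule.
MISLABEL_TYPES = {"file_t", "unlabeled_t", "default_t"}


def context_type(ctx):
    """user:role:type[:mls] -> type"""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name") or "?",
        "comm": fields.get("comm", "?"),
    }


def summarize(lines):
    """Group denied permissions by (source type, target type, object class)
    and collect the objects whose target type indicates mislabeling."""
    rules = defaultdict(set)
    mislabeled = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
        if rec["ttype"] in MISLABEL_TYPES:
            mislabeled.append((rec["comm"], rec["object"], rec["ttype"]))
    return dict(rules), mislabeled


def allow_rules(rules):
    """Render the groups as audit2allow-style policy rules."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {body};")
    return out


def report(lines):
    rules, mislabeled = summarize(lines)
    text = "\n".join(allow_rules(rules))
    if mislabeled:
        text += "\n\n# Likely mislabeled (restorecon these instead of allowing):\n"
        text += "\n".join(f"#   {comm} -> {obj} ({ttype})" for comm, obj, ttype in mislabeled)
    return text


# Sample records. The first is the plugin-container denial quoted earlier on
# this page (quoting restored); the rest are constructed for this example.
SAMPLE = [
    'type=AVC msg=audit(1424168108.915:452972): avc: denied { execute } for pid=25730 comm="plugin-containe" path="/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so" dev="dm-0" ino=241943 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1424168108.915:452972): arch=c000003e syscall=9 success=no exit=-13',
    'type=AVC msg=audit(1406070000.100:2001): avc: denied { write } for pid=4321 comm="rsyslogd" name="messages" dev="sdb1" ino=12 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1406070000.100:2002): avc: denied { add_name write } for pid=4321 comm="rsyslogd" name="logs" dev="sdb1" ino=2 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1406070000.200:2003): avc: granted { setenforce } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security',
]

if __name__ == "__main__":
    source = [l.rstrip("\n") for l in sys.stdin] if sys.argv[1:] == ["-"] else SAMPLE
    print(report(source))
```

On the sample it emits one rule for the plugin denial and two for rsyslogd, then lists both rsyslogd objects under the mislabeled comment: the rules for file_t targets are exactly the ones you should not load, which is the point of Dan's advice to relabel first and look at what remains.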
Re: Wifi connection issues with Intel?
On 06/12/2014 10:14 AM, Richard Shaw wrote:
> On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh dwa...@redhat.com wrote:
>>> The full unifi software is java with a mongodb database backend and works fine. I have a RPM I created, the only problem I haven't been able to fix is the selinux issues, one for the private mongodb instance, and then the ports it binds to.
>>
>> Please open a bugzilla for the SELinux issues.
>
> Before I open a BZ, here's what I have in my spec file which from what I understand should be persistent...
>
> %posttrans
> /usr/sbin/semanage fcontext -e /var/lib/mongod '/var/lib/unifi/logs(/.*)?'
> /usr/sbin/semanage fcontext -e /var/lib/mongod '/var/lib/unifi/data(/.*)?'
> /usr/sbin/semanage port -m -t mongod_port_t 27117
>
> Or should this be handled in a policy?
>
> Thanks,
> Richard

I think your post install should look like:

/usr/sbin/semanage fcontext -e /var/log/mongod /var/lib/unifi/logs
/usr/sbin/semanage fcontext -e /var/lib/mongod /var/lib/unifi/data
/usr/sbin/semanage port -m -t mongod_port_t 27117

Don't use the regex. Also I would figure the logs should be labeled mongod_log_t rather than mongod_lib_t. If this is a standard location for this code, we should put it into the base package.
Re: Wifi connection issues with Intel?
On 06/16/2014 01:35 PM, Richard Shaw wrote:
> On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh dwa...@redhat.com wrote:
>> On 06/12/2014 10:14 AM, Richard Shaw wrote:
>>> On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh dwa...@redhat.com wrote:
>>>>> The full unifi software is java with a mongodb database backend and works fine. I have a RPM I created, the only problem I haven't been able to fix is the selinux issues, one for the private mongodb instance, and then the ports it binds to.
>>>>
>>>> Please open a bugzilla for the SELinux issues.
>>>
>>> Before I open a BZ, here's what I have in my spec file which from what I understand should be persistent...
>>>
>>> %posttrans
>>> /usr/sbin/semanage fcontext -e /var/lib/mongod '/var/lib/unifi/logs(/.*)?'
>>> /usr/sbin/semanage fcontext -e /var/lib/mongod '/var/lib/unifi/data(/.*)?'
>>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>>
>>> Or should this be handled in a policy?
>>>
>>> Thanks,
>>> Richard
>>
>> I think your post install should look like:
>>
>> /usr/sbin/semanage fcontext -e /var/log/mongod /var/lib/unifi/logs
>> /usr/sbin/semanage fcontext -e /var/lib/mongod /var/lib/unifi/data
>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>
>> Don't use the regex. Also I would figure the logs should be labeled mongod_log_t rather than mongod_lib_t.
>
> What is the concern with regex? Is it specific to packaging? Most of the examples I found online used that method...
>
> As far as the label, since everything is getting dumped in /var/lib I figured that would be OK.

Not a concern with regex, it just will not work. The examples you have seen online were not using equivalence. They were using generic labelling. Equivalence tells SELinux to swap the second part of the path with the first. Your code would only match file paths that began with /var/lib/unifi/logs(/.*?), not /var/lib/unifi/logs/foobar.log.

>> If this is a standard location for this code, we should put it into the base package.
>
> There is not a standard install location, the install will work as long as everything stays in the same relative location (the unifi directory). Since it writes a lot of stuff I figured /var was the best (only?) real option.

Yes

> Following the example of a draft wiki I can't find anymore I had modified the scripts to this instead of using %posttrans:
>
> %post
> semanage fcontext -a -t mongod_var_lib_t \
>     '%{_sharedstatedir}/unifi/logs(/.*)?' 2>/dev/null || :
> semanage fcontext -a -t mongod_var_lib_t \
>     '%{_sharedstatedir}/unifi/data(/.*)?' 2>/dev/null || :
> restorecon -R %{_sharedstatedir}/unifi/logs || :
> restorecon -R %{_sharedstatedir}/unifi/data || :
> semanage port -m -t mongod_port_t 27117 || :
>
> %postun
> if [ $1 -eq 0 ] ; then # final removal
>     semanage fcontext -d -t mongod_var_lib_t \
>         '%{_sharedstatedir}/unifi/logs(/.*)?' 2>/dev/null || :
>     semanage fcontext -d -t mongod_var_lib_t \
>         '%{_sharedstatedir}/unifi/data(/.*)?' 2>/dev/null || :
> fi
>
> Thanks,
> Richard

That should work. You could speed it up by combining both semanage fcontext lines into a single transaction. Something like:

semanage -S targeted -i - 2>/dev/null <<_EOF || :
fcontext -a -t mongod_var_lib_t %{_sharedstatedir}/unifi/logs(/.*)?
fcontext -a -t mongod_var_lib_t %{_sharedstatedir}/unifi/data(/.*)?
_EOF
Re: Selinux Packaging [WAS: Wifi connection issues with Intel?]
On 06/16/2014 02:15 PM, Richard Shaw wrote:
> On Mon, Jun 16, 2014 at 1:08 PM, Daniel J Walsh dwa...@redhat.com wrote:
>> On 06/16/2014 01:35 PM, Richard Shaw wrote:
>>> On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh dwa...@redhat.com wrote:
>>>> On 06/12/2014 10:14 AM, Richard Shaw wrote:
>>>>> On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh dwa...@redhat.com wrote:
>>>>>>> The full unifi software is java with a mongodb database backend and works fine. I have a RPM I created, the only problem I haven't been able to fix is the selinux issues, one for the private mongodb instance, and then the ports it binds to.
>>>>>>
>>>>>> Please open a bugzilla for the SELinux issues.
>>>>>
>>>>> Before I open a BZ, here's what I have in my spec file which from what I understand should be persistent...
>>>>>
>>>>> %posttrans
>>>>> /usr/sbin/semanage fcontext -e /var/lib/mongod '/var/lib/unifi/logs(/.*)?'
>>>>> /usr/sbin/semanage fcontext -e /var/lib/mongod '/var/lib/unifi/data(/.*)?'
>>>>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>>>>
>>>>> Or should this be handled in a policy?
>>>>>
>>>>> Thanks,
>>>>> Richard
>>>>
>>>> I think your post install should look like:
>>>>
>>>> /usr/sbin/semanage fcontext -e /var/log/mongod /var/lib/unifi/logs
>>>> /usr/sbin/semanage fcontext -e /var/lib/mongod /var/lib/unifi/data
>>>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>>>
>>>> Don't use the regex. Also I would figure the logs should be labeled mongod_log_t rather than mongod_lib_t.
>>>
>>> What is the concern with regex? Is it specific to packaging? Most of the examples I found online used that method...
>>>
>>> As far as the label, since everything is getting dumped in /var/lib I figured that would be OK.
>>
>> Not a concern with regex, it just will not work. The examples you have seen online were not using equivalence. They were using generic labelling. Equivalence tells SELinux to swap the second part of the path with the first. Your code would only match file paths that began with /var/lib/unifi/logs(/.*?), not /var/lib/unifi/logs/foobar.log.
>>
>>>> If this is a standard location for this code, we should put it into the base package.
>>>
>>> There is not a standard install location, the install will work as long as everything stays in the same relative location (the unifi directory). Since it writes a lot of stuff I figured /var was the best (only?) real option.
>>
>> Yes
>>
>>> Following the example of a draft wiki I can't find anymore I had modified the scripts to this instead of using %posttrans:
>>>
>>> %post
>>> semanage fcontext -a -t mongod_var_lib_t \
>>>     '%{_sharedstatedir}/unifi/logs(/.*)?' 2>/dev/null || :
>>> semanage fcontext -a -t mongod_var_lib_t \
>>>     '%{_sharedstatedir}/unifi/data(/.*)?' 2>/dev/null || :
>>> restorecon -R %{_sharedstatedir}/unifi/logs || :
>>> restorecon -R %{_sharedstatedir}/unifi/data || :
>>> semanage port -m -t mongod_port_t 27117 || :
>>>
>>> %postun
>>> if [ $1 -eq 0 ] ; then # final removal
>>>     semanage fcontext -d -t mongod_var_lib_t \
>>>         '%{_sharedstatedir}/unifi/logs(/.*)?' 2>/dev/null || :
>>>     semanage fcontext -d -t mongod_var_lib_t \
>>>         '%{_sharedstatedir}/unifi/data(/.*)?' 2>/dev/null || :
>>> fi
>>
>> That should work. You could speed it up by combining both semanage fcontext lines into a single transaction. Something like:
>>
>> semanage -S targeted -i - 2>/dev/null <<_EOF || :
>> fcontext -a -t mongod_var_lib_t %{_sharedstatedir}/unifi/logs(/.*)?
>> fcontext -a -t mongod_var_lib_t %{_sharedstatedir}/unifi/data(/.*)?
>> _EOF
>
> Ok, just to be clear, I still need to remove the (/.*)? parts? I found the packaging draft I referred to:
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux
> Which shows including it.
>
> Thanks,
> Richard

If you use the -e option, you do not use them; if you are using the -a option you do.

Your first message said you used

/usr/sbin/semanage fcontext -e /var/lib/mongod '/var/lib/unifi/logs(/.*)?'
/usr/sbin/semanage fcontext -e /var/lib/mongod '/var/lib/unifi/data(/.*)?'

Which is wrong because you used the -e.

Your second email said you were doing

semanage fcontext -d -t mongod_var_lib_t \
    '%{_sharedstatedir}/unifi/logs(/.*)?' 2>/dev/null || :
semanage fcontext -d -t mongod_var_lib_t \
    '%{_sharedstatedir}/unifi/data(/.*)?' 2>/dev/null || :

Which used the -a which was correct, it needs the regex.
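Two labeling rules come up repeatedly in these threads: in the dokuwiki and NSM-SENSOR replies, a bare path passed to `semanage fcontext -a` labels only that one object and `'(/.*)?'` is what covers the subtree; in the unifi replies, `semanage fcontext -e` takes literal path prefixes and substitutes one for the other before any regex is consulted, so a regex in the -e target never matches. The script below is an added example, not code from the thread and not libselinux itself: a small model of those two rules (anchored regex, last matching entry wins; prefix substitution at a path-component boundary) with a handful of entries in the shape of the targeted policy's file_contexts. It is deliberately simplified (no file-type flags, no subs_dist, no stem optimisation), enough to show why each reply above says what it says.

```python
"""How a path gets its SELinux label from file_contexts entries
(`semanage fcontext -a -t TYPE REGEX`) and from path equivalences
(`semanage fcontext -a -e SOURCE TARGET`).

Added example, not from the mailing list thread and not libselinux: a
model of the two rules the dokuwiki and unifi replies turn on.
  1. Entries are anchored regexes and the last matching entry wins, so a
     bare path labels only that object; '(/.*)?' covers the subtree.
  2. An equivalence rewrites a literal path prefix before any regex is
     consulted, so a regex in the -e target never matches anything.
"""
import re


class FileContexts:
    def __init__(self):
        self._specs = []  # (compiled regex, SELinux type); later entries win
        self._subs = []   # (target prefix, source prefix)

    def add(self, regex, setype):
        """semanage fcontext -a -t SETYPE REGEX (appended, so it overrides)."""
        self._specs.append((re.compile(regex), setype))

    def add_equivalence(self, source, target):
        """semanage fcontext -a -e SOURCE TARGET: label TARGET/... like SOURCE/..."""
        self._subs.append((target.rstrip("/"), source.rstrip("/")))

    def substitute(self, path):
        """Literal prefix rewrite, only at a path-component boundary."""
        for target, source in self._subs:
            if path == target or path.startswith(target + "/"):
                return source + path[len(target):]
        return path

    def label(self, path):
        key = self.substitute(path)
        result = None
        for rx, setype in self._specs:
            if rx.fullmatch(key):  # specs are anchored, like ^regex$
                result = setype    # keep scanning: the last match wins
        return result


def base_policy():
    """A few entries in the shape of the targeted policy's file_contexts
    (constructed subset; the real file has thousands of lines)."""
    fc = FileContexts()
    fc.add(r"/.*", "default_t")
    fc.add(r"/etc(/.*)?", "etc_t")
    fc.add(r"/var/lib(/.*)?", "var_lib_t")
    fc.add(r"/var/lib/mongod(/.*)?", "mongod_var_lib_t")
    fc.add(r"/var/log(/.*)?", "var_log_t")
    fc.add(r"/var/log/mongod(/.*)?", "mongod_log_t")
    return fc


def dokuwiki_example():
    """The dokuwiki thread: a bare path labels only that one object."""
    bare = base_policy()
    bare.add(r"/etc/dokuwiki", "httpd_sys_rw_content_t")
    recursive = base_policy()
    recursive.add(r"/etc/dokuwiki(/.*)?", "httpd_sys_rw_content_t")
    return {
        "bare_dir": bare.label("/etc/dokuwiki"),
        "bare_file": bare.label("/etc/dokuwiki/local.php"),
        "recursive_file": recursive.label("/etc/dokuwiki/local.php"),
    }


def unifi_example():
    """The unifi thread: -e takes literal prefixes, so a regex target is dead."""
    with_regex = base_policy()
    with_regex.add_equivalence("/var/lib/mongod", "/var/lib/unifi/data(/.*)?")
    literal = base_policy()
    literal.add_equivalence("/var/lib/mongod", "/var/lib/unifi/data")
    literal.add_equivalence("/var/log/mongod", "/var/lib/unifi/logs")
    return {
        "regex_target": with_regex.label("/var/lib/unifi/data/unifi.db"),
        "literal_data": literal.label("/var/lib/unifi/data/unifi.db"),
        "literal_logs": literal.label("/var/lib/unifi/logs/mongod.log"),
        "untouched_sibling": literal.label("/var/lib/unifi/run/unifi.pid"),
    }


if __name__ == "__main__":
    print("dokuwiki:", dokuwiki_example())
    print("unifi:   ", unifi_example())
```

With the bare `/etc/dokuwiki` entry the directory itself is httpd_sys_rw_content_t but local.php underneath it falls back to etc_t, which is the behaviour Pete saw; with the equivalence written literally, `/var/lib/unifi/logs/mongod.log` is labeled as if it were `/var/log/mongod/mongod.log`, i.e. mongod_log_t, which is the mongod_log_t versus mongod_lib_t point in Dan's reply, while a sibling directory that no equivalence names keeps the generic var_lib_t.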
Re: Wifi connection issues with Intel?
On 06/11/2014 01:48 PM, Richard Shaw wrote:
> On Wed, Jun 11, 2014 at 3:31 PM, poma pomidorabelis...@gmail.com wrote:
>> There are four indoor models, and basic one ain't 5 GHz.
>
> Yes, I have the basic one, so it does support n but in 2.4GHz only.
>
>> Besides there is no soft for the linux distros.
>
> The discovery software is java based and does run, but I couldn't get it to work. The full unifi software is java with a mongodb database backend and works fine. I have a RPM I created, the only problem I haven't been able to fix is the selinux issues, one for the private mongodb instance, and then the ports it binds to.
>
> Richard

Please open a bugzilla for the SELinux issues.
Re: google-chrome + selinux + ecryptfs
How is ecryptfs supposed to work?

On 06/12/2014 03:13 PM, Pal, Laszlo wrote:
> node= type=SYSCALL msg=audit(1402610675.802:3612): arch=c03e syscall=47 success=yes exit=1 a0=12 a1=7f4cb29bb490 a2=40 a3=2 items=0 ppid=8 pid=13635 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=Chrome_ChildIOT exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
> node=tohuvabohu.balabit type=AVC msg=audit(1402610675.802:3613): avc: denied { write } for pid=13634 comm=chrome path=/home/.ecryptfs/vlad/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gSom1uZp3eGnWRADC8b67AE--/ECRYPTFS_FNEK_ENCRYPTED.FXbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gTtA3nsOQygKTjpvYs63foAeJEpmcXUfgP6gU.7wmAuY-/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7g5coEDCbOTnV-amR0ZN6y1---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gT3djTOmDHoPUHtuBzF97EU--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7geU1qaFnPHLsuy1RmqbGnBE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7glEd5RSiZ49p5vw44TzFM3E--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gKBDK1Q1GxCxyo3TiIlYCnE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gmuai.t4ZEmP-LatO12SQ.E--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gIB221z5L1BsC-c-sHPGaQ---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gqsU3WtY8FrzmtcENIeC0CE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gt-ZfSVe491Z7eplRchJ3qE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gSHKUZ6b8Mf6vlIo3pRzAj---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gC2jhQP5bAQcJMOMBLlUW1U-- dev=dm-2 ino=16123428 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file
Re: Problem with selinux and milter-greylist
On 05/27/2014 01:35 PM, arag...@dcsnow.com wrote:
>> Looks like the milter-greylist.sock is mislabeled. What directory is it in? Why isn't it in /run?
>
> Well, see, I was following a guide (probably old) that pointed Sendmail to /var/milter-greylist so I just changed the greylist.conf file instead of changing the sendmail.mc file. Now that you mentioned that, I switched them and it works fine. However, I'm still a bit confused why I was not able to just add a rule to get Selinux to allow the access. It just seemed confused as to what needed done.

You could either adjust SELinux or adjust the App. If the app is doing the wrong thing, I would prefer to fix the app.

> ---
> Will Y.
Re: Set SELinux to allow only httpd daemon to use specific tty device

On 05/06/2014 12:03 AM, Emmanuel Noobadmin wrote:
On 5/5/14, Daniel J Walsh dwa...@redhat.com wrote:

Simplest would be to just use

# grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

This would allot httpd_t processes the ability to use usb_device_t. If you really wanted to tighten it up, you could build a custom policy that put a different label on /dev/usbDataCollector and allow httpd_t access to this device. Something like

# cat myhttp.te
policy_module(myhttp, 1.0)

gen_require(`
	type httpd_t;
')

type httpd_device_t;
dev_node(httpd_device_t)

allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;

# cat myhttp.fc
/dev/usbDataCollector	-c	gen_context(system_u:object_r:httpd_device_t,s0)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myhttp.pp
# restorecon -v /dev/usbDataCollector

Thanks for the reply, I'll keep this in mind for the next machine. Currently, I'm unable to test it out since F20 stopped booting (for no reason I could figure out) on the laptop and I had to resort to another distribution.

I wrote a blog on this discussion.
https://danwalsh.livejournal.com/69221.html
Re: cups-pdf

On 05/04/2014 06:27 PM, Patrick Dupre wrote:
- Original Message -
From: Steven Stern
Sent: 05/05/14 12:03 AM
To: Community support for Fedora users
Subject: Re: cups-pdf

On 05/04/2014 04:57 PM, Patrick Dupre wrote:
- Original Message -
From: Steven Stern
Sent: 05/04/14 11:53 PM
To: Community support for Fedora users
Subject: Re: cups-pdf

On 05/04/2014 04:48 PM, Patrick Dupre wrote:

When I try to use cups-pdf to generate pdf file, I have no output. /var/log//cups/cups-pdf_log shows an error:

Sun May 4 23:22:44 2014 [ERROR] ghostscript reported an error (256)
Sun May 4 23:22:44 2014 [ERROR] failed to set file mode for PDF file (non fatal) (/home/pdupre/Desktop/NICE-OHMS_v2.pdf)

I did not find the solution on internet! Thanks for your help.

Is SELinux in enforcing mode?

Yes. If I switch to permissive then the pdf file is generated. But on another machine, the file generation is OK even in enforced mode! (BOTH fc20).

Well, there you go! Either you once created an overriding policy or...

How do I do this?

sealert should offer to show you how to create a policy to allow it. Do you have the setroubleshootd daemon running?

Yes, I think so. It is running, but it does not report any alert! Now it works, Thanks.

sealert -a /var/log/audit

or

sudo grep pdf /var/log/audit/audit.log | audit2allow -M mypol
sudo semodule -i mypol.pp

--
-- Steve

===
Patrick DUPRÉ | email: pdu...@gmx.com
Laboratoire de Physico-Chimie de l'Atmosphère
Université du Littoral-Côte d'Opale
Tel. (33)-(0)3 28 23 76 12 | Fax: 03 28 65 82 44
189A, avenue Maurice Schumann
59140 Dunkerque, France
===

After cups-pdf is denied execute

ausearch -m avc -ts recent -i

If this does not generate any AVC's then try with

semodule -DB

then run the test again. semodule -DB will disable dontaudit rules. semodule -B will turn them back on.
Re: Set SELinux to allow only httpd daemon to use specific tty device

On 05/04/2014 12:22 AM, Emmanuel Noobadmin wrote:

Using Fedora 20 3.11.10-301.fc20.x86_64 and selinux targeted policy.29

I've a PHP application that sends data to a USB tty device e.g. /dev/usbDataCollector

Unfortunately selinux is blocking this action. When set to permissive, the alert browser suggests the command:

setsebool -P daemons_use_tty 1

The documentation says Allow all daemons the ability to use unallocated ttys. This naturally doesn't sound like a good idea although admittedly it probably won't hurt in this particular installation. However, I thought it would be good to find the 'correct' solution to this.

But I am unable to find a more fine grain SELinux control for this, Fedora 20 has no documentation and the only vaguely relevant one I could find elsewhere is httpd_tty_com which appears unrelated as it is about allowing httpd to communicate with terminal.

So the question is whether there is any way to do this or is allowing all daemons the only option?

Simplest would be to just use

# grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

This would allot httpd_t processes the ability to use usb_device_t. If you really wanted to tighten it up, you could build a custom policy that put a different label on /dev/usbDataCollector and allow httpd_t access to this device. Something like

# cat myhttp.te
policy_module(myhttp, 1.0)

gen_require(`
	type httpd_t;
')

type httpd_device_t;
dev_node(httpd_device_t)

allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;

# cat myhttp.fc
/dev/usbDataCollector	-c	gen_context(system_u:object_r:httpd_device_t,s0)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myhttp.pp
# restorecon -v /dev/usbDataCollector
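What the `grep ... | audit2allow -M myhttp` step in the replies above (and in the cups-pdf thread) does with the denials before `semodule -i` installs them, as an added example in Python; this is not code from the thread or from the policycoreutils project, and the audit records it parses are constructed for the demonstration.

```python
"""Group SELinux AVC denials into allow rules the way audit2allow does.

Added example, not code from this thread or from the policycoreutils
project. It reads 'avc: denied' records (as written to audit.log and
printed by ausearch) and emits the allow statements plus the require
block that 'audit2allow -M name' would put into name.te, so the access
a '.pp' module will grant can be reviewed before 'semodule -i'.
"""
import re
from collections import defaultdict

# Constructed sample records (pids, inodes and timestamps are made up).
# The first two mimic the httpd -> /dev/usbDataCollector denial from the
# thread, the third a chrome_sandbox_t write into an ecryptfs_t file, and
# the last is a SYSCALL record, which carries no denial and is skipped.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1399180000.123:100): avc:  denied  { read write } for  '
    'pid=1234 comm="php-fpm" path="/dev/usbDataCollector" dev="devtmpfs" ino=9999 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 '
    'tclass=chr_file permissive=0',
    'type=AVC msg=audit(1399180000.456:101): avc:  denied  { open } for  '
    'pid=1234 comm="php-fpm" path="/dev/usbDataCollector" dev="devtmpfs" ino=9999 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 '
    'tclass=chr_file permissive=0',
    'type=AVC msg=audit(1402610675.802:3613): avc:  denied  { write } for  '
    'pid=13634 comm="chrome" path="/home/.ecryptfs/vlad/.Private/example" dev="dm-2" '
    'ino=16123428 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1399180000.123:100): arch=c000003e syscall=2 '
    'success=no exit=-13 comm="php-fpm" exe="/usr/sbin/httpd"',
]

_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return source type, target type, object class and permissions of one
    AVC record, or None when the line is not a denial."""
    m = _PERMS.search(line)
    if not m:
        return None
    fields = dict(_FIELD.findall(line))
    try:
        # A context is user:role:type[:range]; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"source": stype, "target": ttype, "class": tclass,
            "perms": m.group(1).split(), "comm": fields.get("comm", "").strip('"')}


def group_avcs(lines):
    """Merge denials with the same (source, target, class) into one perm set."""
    grouped = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            grouped[(avc["source"], avc["target"], avc["class"])].update(avc["perms"])
    return grouped


def allow_rules(lines):
    """One 'allow src tgt:class { perms };' statement per group, sorted."""
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(group_avcs(lines).items())]


def policy_module(name, lines):
    """Render the .te text audit2allow -M would write: a module header, a
    require block listing every type and class used, then the rules."""
    grouped = group_avcs(lines)
    types = sorted({t for key in grouped for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in grouped.items():
        classes[cls].update(perms)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ["}"]
    for src in sorted({key[0] for key in grouped}):
        out += ["", "#============= %s ==============" % src]
        out += [r for r in allow_rules(lines) if r.split()[1] == src]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Review this text before building and installing it: it grants exactly
    # what was denied, which may be wider than the application should need.
    print(policy_module("myhttp", SAMPLE_AVCS))
```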
Re: Trouble starting webex in F20

On 05/01/2014 06:26 PM, Chris Kottaridis wrote:
On 05/01/2014 05:08 PM, Rick Stevens wrote:
On 05/01/2014 01:40 PM, Andrew Azores issued this missive:
On 05/01/2014 04:27 PM, Chris Kottaridis wrote:
On 05/01/2014 02:11 PM, Deepak Bhole wrote:
* Chris Kottaridis chris...@quietwind.net [2014-05-01 13:25]:

I have an F19 and an F20 host and when I try to start a webex on the F20 host it doesn't work right. It works fine on the F19 machine. The symptom is that when I start the webex in F20 it sends up a message about wanting to run an applet and I tell it yes it's OK to run the applet. That doesn't come up on the F19 host. On the F19 the icedtea icon pops up for a short time and then I get connected. I don't see the icedtea icon pop up in F20.

I did notice that icedtea is at 1.5 in F20, but at 1.4 for F19 and there is some policy control added in 1.5. I set the policy to allow all applets to do everything for the time being in the .config/icedtea-web/security/java.policy file which the icedtea-web man page says is the default policy file.

Any ideas on what the difference might be between F19 and F20 would be appreciated or pointer to a different group that could help. Sorry that I only have rather high level usage info, but so far other than this issue with starting a webex everything seems OK that I have tried so far.

Hi Chris, Is it possible for us to reproduce this? If so, what are the steps?

You'd need a webex account.

Hmm, there's no way to reproduce it with the test meeting [0] ?

After some more playing it seems the issue is when I try to share my desktop it doesn't get shared in F20, but does in F19.

So the Webex applet is successfully starting with both, then?

That is what's so weird is it works like a champ in F19. I assume there is just something missing, maybe something I need to install or some permission or configuration setting. I haven't found anything in any log files yet to help point to what the problem might be.

When I connect to webex to start a session if I click on Activities I see a webex icon of a ball that is half green and half blue and the name is sun-applet-PluginMain on the activities list. After I click on share desktop I see a second icon like that which says Atasjni on the F19, but still only have the one on F20. So, it seems some app is having trouble getting started when I click to share desktop. So far I haven't found any complaint in any log file though.

Thanks
Chris Kottaridis

Do you have any log files at all to share? You can also try launching your browser from terminal (assuming this is starting through a browser at all), and capture the output with a redirect or tee there. Also, just a note that IcedTea-Web 1.5 is available for Fedora 19 as well. Although if you appear to be having problems after the 1.5 update, I wouldn't recommend you update to it yet - not until we figure out what's going on here! With 1.5 on both Fedora 19 (native) and 20 (VM), Webex works fine, but I haven't tried this 'share desktop' functionality.

[0] http://www.webex.com/test-meeting.html

Also check to see if there's perhaps a SELinux alert going along with this. There may be changes to selinux configs that block sharing the desktop.

I don't know a lot about selinux, but I used the SELinux management tool to just disable SELinux. So, I assume SELinux is out of the picture for now. But, I think it is probably some local configuration issue like that.

Thanks
Chris Kottaridis

--
- Rick Stevens, Systems Engineer, AllDigital   ri...@alldigital.com -
- AIM/Skype: therps2   ICQ: 22643734   Yahoo: origrps2 -
- We have enough youth, how about a fountain of SMART? -

Putting SELinux into permissive mode would have been plenty. Setting the machine to disabled will only take place on the next reboot.

If SELinux is blocking the web browser from sharing desktop you could turn off one of these booleans, which would probably fix your problem.

unconfined_chrome_sandbox_transition -- on
unconfined_mozilla_plugin_transition -- on

setsebool -P unconfined_chrome_sandbox_transition 0
setsebool -P unconfined_mozilla_plugin_transition 0

You would need to restart the browser.
Re: Trouble starting webex in F20

On 05/02/2014 01:19 PM, Chris Kottaridis wrote:
On 05/02/2014 12:07 PM, Daniel J Walsh wrote:

Putting SELinux into permissive mode would have been plenty. Setting the machine to disabled will only take place on the next reboot.

If SELinux is blocking the web browser from sharing desktop you could turn off one of these booleans, which would probably fix your problem.

unconfined_chrome_sandbox_transition -- on
unconfined_mozilla_plugin_transition -- on

setsebool -P unconfined_chrome_sandbox_transition 0
setsebool -P unconfined_mozilla_plugin_transition 0

You would need to restart the browser.

I have rebooted many times after disabling SELinux, it was getting in the way of other issues and so for the time being I just want to get it out of the way. Thanks for the pointers though. Once I get things right I'll re-enable it and make sure to make the changes you recommend.

Thanks
Chris Kottaridis

If it causes you any problems, please open a bug report or reach out
Re: Two SELinux-related things

On 04/24/2014 04:56 PM, Mark Brader wrote:

# semanage fcontext -a -e /home /u
# restorecon -R -v /u

Should fix you up.

Bingo. Thanks for your time. I did wonder if this was the cause of the problem, but (1) it didn't happen with the previous Linux configuration I had, and (2) I actually tried remounting the filesystem as /home before I wrote to you. But (I now realize) I left /u as a symlink to /home instead of changing my actual home directory, so that didn't cover it.

This still leaves me with two questions.

[1] What about the way the message from SELinux failed to name a directory? That made it impossible for me to see what was actually going on. It seems to me like a bug in the alert reporting.

http://danwalsh.livejournal.com/34903.html?thread=220247

[2] How do I reach the fedora-devel people you mentioned, to ask them my other question?

Just send a question to the Community support for Fedora users users@lists.fedoraproject.org list with information about what you are trying to do, mention SELinux in the message or CC me, and I will follow the discussion.
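How the `semanage fcontext -a -e /home /u` plus `restorecon -R -v /u` fix above takes effect, as an added example in Python (not the thread's or policycoreutils' own code): it models the equivalence substitution and the file_contexts lookup with a constructed, much reduced context table, and assumes the last matching entry wins, which is how the file_contexts files are ordered.

```python
"""Model how an SELinux file-context equivalence relabels a path.

Added example, not code from this thread or from policycoreutils. After
'semanage fcontext -a -e /home /u' the equivalence "/u /home" makes
restorecon look up /u/... as if it were /home/..., so a real directory
mounted at /u receives the home labels. A symlink /u -> /home never
needed this, because the labels live on the real /home paths, which is
why the symlink did not cover the case described in the thread.
FILE_CONTEXTS is a constructed, much reduced stand-in for the real
file_contexts, ordered general to specific; the last matching entry wins.
"""
import re

# Constructed excerpt in file_contexts style: (path regex, type).
FILE_CONTEXTS = [
    (r"/.*", "default_t"),
    (r"/usr/bin(/.*)?", "bin_t"),
    (r"/home", "home_root_t"),
    (r"/home/[^/]+", "user_home_dir_t"),
    (r"/home/[^/]+/.+", "user_home_t"),
    (r"/home/[^/]+/\.ssh(/.*)?", "ssh_home_t"),
]

# What 'semanage fcontext -a -e /home /u' records: (alias, target).
SUBS = [("/u", "/home")]


def apply_subs(path, subs=SUBS):
    """Rewrite the leading path component per the equivalence rules.
    Only whole components match: /u and /u/x are rewritten, /usr is not."""
    for alias, target in subs:
        if path == alias or path.startswith(alias + "/"):
            return target + path[len(alias):]
    return path


def label_for(path, subs=SUBS, table=FILE_CONTEXTS):
    """Return (path as matched, type) the way matchpathcon would: apply the
    equivalence first, then the context regexes, last match wins."""
    effective = apply_subs(path, subs)
    setype = None
    for regex, candidate in table:
        if re.fullmatch(regex, effective):
            setype = candidate
    return effective, setype


def relabel_plan(current, subs=SUBS, table=FILE_CONTEXTS):
    """Mimic 'restorecon -v': list (path, on-disk type, expected type) for
    every path whose current type differs from the table's answer.
    current maps each path to the type currently stored on disk."""
    changes = []
    for path, have in sorted(current.items()):
        _, want = label_for(path, subs, table)
        if want is not None and want != have:
            changes.append((path, have, want))
    return changes


if __name__ == "__main__":
    # Without the equivalence, /u/mark/.bashrc falls through to default_t,
    # the kind of mislabeling the thread's semanage/restorecon pair fixes.
    print(label_for("/u/mark/.bashrc", subs=[]))
    print(label_for("/u/mark/.bashrc"))
    on_disk = {"/u": "default_t", "/u/mark": "default_t",
               "/u/mark/.ssh/id_rsa": "ssh_home_t"}
    for path, have, want in relabel_plan(on_disk):
        print("relabeled %s from %s to %s" % (path, have, want))
```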
Re: fedup 19=20 hangs: selinux

Strange, if selinux-policy-targeted is not installed SELinux is disabled.

On 04/09/2014 08:31 PM, Sean Darcy wrote:
On 04/09/2014 06:01 PM, Daniel J Walsh wrote:

So this looks like selinux-policy-targeted got removed during the update?

On 04/09/2014 04:21 PM, Sean Darcy wrote:
On 04/08/2014 11:54 AM, Daniel J Walsh wrote:

This usually means there is no /etc/selinux/targeted/policy/policy.* file. If you run

semodule -B

Does one get created?

On 04/08/2014 10:59 AM, Sean Darcy wrote:

Trying to upgrade F19 to F20 using fedup. On the upgrade reboot it hangs:

Reached target Initrd Default Target
systemd-journald[166]: Received SIGTERM
systemd[1]: Failed to initialize SELinux context: no such file or directory

selinux is set to permissive. F19 works fine. I suppose I could set selinux=0, but then none of the contexts would be set. Correct?

sean

No. There's no such file:

ls /etc/selinux/targeted
contexts modules seusers.rpmnew seusers.rpmsave

But:

semodule -B
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule: Failed!

sean

selinux-policy-targeted was never installed. There's a bugzilla entry on this: https://bugzilla.redhat.com/show_bug.cgi?id=1044484

It seems fedup requires selinux-policy-targeted, even if the policy is permissive. And better yet, fedup doesn't check to see if it's installed. So the drill seems to be

1. install selinux-policy-targeted
2. reboot to change all the contexts
3. retry fedup. It'll fail. I got about 600 dupes. And there's no log, so you won't find out what's wrong.

fedup --clean

And try again. Sigh.
Re: fedup 19=20 hangs: selinux

So this looks like selinux-policy-targeted got removed during the update?

On 04/09/2014 04:21 PM, Sean Darcy wrote:
On 04/08/2014 11:54 AM, Daniel J Walsh wrote:

This usually means there is no /etc/selinux/targeted/policy/policy.* file. If you run

semodule -B

Does one get created?

On 04/08/2014 10:59 AM, Sean Darcy wrote:

Trying to upgrade F19 to F20 using fedup. On the upgrade reboot it hangs:

Reached target Initrd Default Target
systemd-journald[166]: Received SIGTERM
systemd[1]: Failed to initialize SELinux context: no such file or directory

selinux is set to permissive. F19 works fine. I suppose I could set selinux=0, but then none of the contexts would be set. Correct?

sean

No. There's no such file:

ls /etc/selinux/targeted
contexts modules seusers.rpmnew seusers.rpmsave

But:

semodule -B
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule: Failed!

sean
Re: fedup 19=20 hangs: selinux

This usually means there is no /etc/selinux/targeted/policy/policy.* file. If you run

semodule -B

Does one get created?

On 04/08/2014 10:59 AM, Sean Darcy wrote:

Trying to upgrade F19 to F20 using fedup. On the upgrade reboot it hangs:

Reached target Initrd Default Target
systemd-journald[166]: Received SIGTERM
systemd[1]: Failed to initialize SELinux context: no such file or directory

selinux is set to permissive. F19 works fine. I suppose I could set selinux=0, but then none of the contexts would be set. Correct?

sean
Re: new SELinux error

ausearch -m avc,user_avc -i

Or just attach the full output of the sealert command. The AVC's are at the bottom.
Re: new SELinux error

What was the AVC that you got?

On 03/27/2014 04:58 PM, Paul Cartwright wrote:

I am not sure what to do.. I got this error message:

# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'

where FILE_TYPE is one of the following:
Re: after upgrading fedora rawhide this morning, no graphical desktop

On 03/13/2014 02:58 PM, Robert P. J. Day wrote:
On Thu, 13 Mar 2014, Kevin Martin wrote:
On 03/13/2014 07:57 AM, Robert P. J. Day wrote:

recently, i upgraded my ASUS G74S laptop to fedora rawhide and it was running nicely. then this morning, i did another yum update, which appeared to update well over 200 packages (including a slightly newer kernel), after which, when i booted, i had no graphical desktop anymore, just the little blue and white fedora logo.

i can still switch to VC2 and log in at the command line (where i am now), so i can certainly check log files, but i don't see anything immediately amiss. i rebooted both to the earlier rawhide kernel, and even back to the latest fedora 20 official kernel -- same result, the fedora logo in the middle of the screen on VC1, but the ability to log in on another virtual console.

has anyone else run into this? i have an nvidia graphics card, and am running the nouveau driver. i'll keep poking around the log files, and if you have any suggestions, i'm all ears.

rday

Hmm, sounds similar to what I'm experiencing. When you go into VC2 what does lsmod | grep nouveau show? I've found that I've been having to manually modprobe nouveau modeset=1 since doing my update about 4 days ago. I'm not sure why nouveau won't load and I find that if I don't set the modeset=1 when I do the manual modprobe that I still can't get X.

h ... it's possible this is not related to rawhide at all, and is due to something silly i did earlier this morning. could the following be the cause?

in order to install drupal 8.x on my fedora (rawhide) system, i had to disable selinux (setenforce 0). i *think* that while selinux was thus disabled, i may have done yum update, which would have of course updated those 200+ packages while my system was in permissive mode. once i saw i had a new kernel due to the update, i of course rebooted, which rebooted with selinux back in enforcing mode, and the problems started.

simply putting selinux back into permissive mode fixed everything. i'm by no means an selinux expert -- is that how i caused my problem?

rday

What AVC messages are you getting?

ausearch -m avc -ts today
Re: google-chrome not displaying text with selinux enforcing

On 02/27/2014 02:38 PM, Ed K. wrote:
On Thu, 27 Feb 2014, Dale Dellutri wrote:
On 02/27/14 05:50, Dale Dellutri wrote:

I did this and set selinux back to enforcing. google-chrome is now working as it should.

Good to see it is OK now. FWIW, I have a fully updated F20 system. I'm using KDE and google chrome and I am not seeing any problems when I visit your website.

Yes, it's fixed now. The original problem occurred because I added a directory of private fonts to /usr/share/fonts/, but I did not adjust the selinux context for that directory. The ausearch suggested by Daniel Walsh discovered the problem. I really must learn more about the care and feeding of selinux if I'm going to use it.

Dale, I've been having the same problem. But with $HOME/.fonts

What chcon command did you use to permit chrome to read the fonts directory?

ed

Should be allowed,

restorecon -R -v ~/

Should fix any labels.
Re: google-chrome not displaying text with selinux enforcing

On 02/26/2014 02:00 PM, Dale Dellutri wrote:

I've got a Fedora 20 XFCE desktop. I installed google-chrome. It fails to display some text on many web sites if selinux is set to enforcing, but shows the text with selinux set to permissive.

For example, with selinux set to enforcing, my web site: http://www.DaleDellutri.com only shows the icon image in the upper left corner, an empty box, and the bluish outer color, but does not show any of the text on the page.

If I do

# setenforce 0

and re-start google-chrome, then the page is displayed properly. Firefox shows the page properly no matter how selinux is set.

With selinux enforcing, when I start google-chrome from the command line, it does not provide any error messages, and I don't see any error messages from selinux. Where are the selinux logs? I've used

# journalctl | grep -i selinux

but there are no errors or warnings.

What could cause this problem? Do you have any suggestions for debugging?

--
Dale Dellutri

Are you seeing any AVCs?

ausearch -m avc -ts recent

You can turn off SELinux confinement of chrome sandbox, with

setsebool -P unconfined_chrome_sandbox_transition=0
Re: policycoreutils packaging bug?
On 02/17/2014 10:14 AM, Jon Ingason wrote:
> 2014-02-17 15:56, Suvayu Ali wrote:
> > install policycoreutils-sandbox
>
> I have two machines, both x86_64. One does have policycoreutils-sandbox-2.2.5-3.fc20.x86_64 installed while the other doesn't. I get exactly the same result as you with yum when I try to install policycoreutils-sandbox! So there is a bug in the.
>
> $ sudo yum install policycoreutils-sandbox
> Inlästa insticksmoduler: langpacks, refresh-packagekit
> Löser upp beroenden
> --> Kör transaktionskontroll
> ---> Paket policycoreutils-sandbox.x86_64 0:2.2.2-3.fc20 blir installerat
> --> Bearbetar beroende: policycoreutils-python = 2.2.2-3.fc20 för paket: policycoreutils-sandbox-2.2.2-3.fc20.x86_64
> ...
> --> Avslutade beroendeupplösning
> Fel: Paket: policycoreutils-sandbox-2.2.2-3.fc20.x86_64 (fedora)
>        Behöver: policycoreutils-python = 2.2.2-3.fc20
>        Installerade: policycoreutils-python-2.2.5-3.fc20.x86_64 (@updates)
>            policycoreutils-python = 2.2.5-3.fc20
>        Tillgängliga: policycoreutils-python-2.2.2-2.fc20.x86_64 (updates)
>            policycoreutils-python = 2.2.2-2.fc20
>        Tillgängliga: policycoreutils-python-2.2.2-3.fc20.x86_64 (fedora)
>            policycoreutils-python = 2.2.2-3.fc20
>  Du kan försöka använda --skip-broken för att gå runt problemet
>  Du kan försöka köra: rpm -Va --nofiles --nodigest
>
> And
>
> $ yum info policycoreutils-sandbox
> Inlästa insticksmoduler: langpacks, refresh-packagekit
> Tillgängliga paket
> Namn        : policycoreutils-sandbox
> Arkitektur  : x86_64
> Version     : 2.2.2
> Utgåva      : 3.fc20
> Storlek     : 163 k
> Förråd      : fedora/20/x86_64
> Sammandrag  : SELinux sandbox utilities
> URL         : http://www.selinuxproject.org
> Licens      : GPLv2
> Beskrivning : The policycoreutils-sandbox package contains the scripts to create
>             : graphical sandboxes

Could you try to update policycoreutils first?

yum -y update policycoreutils
Re: logwatch error messages
On 01/22/2014 11:07 PM, Robert Moskowitz wrote:
> I am seeing the following errors via journalctl |grep logwatch:
>
> Jan 22 03:37:14 lx120e.htt-consult.com setroubleshoot[11102]: dbus avc(node=lx120e.htt-consult.com type=AVC msg=audit(1390390627.456:1007): avc: denied { execute } for pid=11100 comm=logwatch name=procmail dev=sda3 ino=1187050 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:procmail_exec_t:s0 tclass=file node=lx120e.htt-consult.com type=SYSCALL msg=audit(1390390627.456:1007): arch=c03e syscall=59 success=no exit=-13 a0=d13ad0 a1=d13a50 a2=d137c0 a3=8 items=0 ppid=11013 pid=11100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=16 tty=(none) comm=logwatch exe=/usr/bin/perl subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> Jan 22 03:37:14 lx120e.htt-consult.com setroubleshoot[11102]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1390390627.456:1007): avc: denied { execute } for pid=11100 comm=logwatch name=procmail dev=sda3 ino=1187050 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:procmail_exec_t:s0 tclass=file
> Jan 22 03:37:14 lx120e.htt-consult.com setroubleshoot[11102]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=SYSCALL msg=audit(1390390627.456:1007): arch=c03e syscall=59 success=no exit=-13 a0=d13ad0 a1=d13a50 a2=d137c0 a3=8 items=0 ppid=11013 pid=11100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=16 tty=(none) comm=logwatch exe=/usr/bin/perl subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> Jan 22 03:37:14 lx120e.htt-consult.com setroubleshoot[11102]: analyze_avc() avc=scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:procmail_exec_t:s0 access=['execute'] tclass=file tpath=procmail
>
> I had performed the following selinux policy:
>
> On 01/06/2014 08:14 AM, Daniel J Walsh wrote:
> > Create a file mylogwatch.te with the following content.
> >
> > policy_module(mylogwatch, 1.0)
> >
> > gen_require(`
> > 	type logwatch_mail_t;
> > ')
> >
> > mta_filetrans_admin_home_content(logwatch_mail_t)
> >
> > Now execute this command to compile the policy and load it into the kernel
> >
> > # make -f /usr/share/selinux/devel/Makefile
> > # semodule -i mylogwatch.pp
> >
> > Now you should be allowed to run logwatch_mail_t in enforcing mode.
>
> What do these messages mean?

They mean that logwatch is not allowed to execute the procmail program. You could add policy for it.

procmail_domtrans(logwatch_t)
Re: logwatch error messages
On 01/23/2014 01:54 PM, Robert Moskowitz wrote:
> On 01/23/2014 08:38 AM, Daniel J Walsh wrote:
> > On 01/22/2014 11:07 PM, Robert Moskowitz wrote:
> > > I am seeing the following errors via journalctl |grep logwatch:
> > >
> > > I had performed the following selinux policy:
> > >
> > > On 01/06/2014 08:14 AM, Daniel J Walsh wrote:
> > > > Create a file mylogwatch.te with the following content.
> > > >
> > > > policy_module(mylogwatch, 1.0)
> > > >
> > > > gen_require(`
> > > > 	type logwatch_mail_t;
> > > > ')
> > > >
> > > > mta_filetrans_admin_home_content(logwatch_mail_t)
> > > >
> > > > Now execute this command to compile the policy and load it into the kernel
> > > >
> > > > # make -f /usr/share/selinux/devel/Makefile
> > > > # semodule -i mylogwatch.pp
> > > >
> > > > Now you should be allowed to run logwatch_mail_t in enforcing mode.
> > >
> > > What do these messages mean?
> >
> > They mean that logwatch is not allowed to execute the procmail program. You could add policy for it.
>
> Obvious. hindsight is just great!
>
> > procmail_domtrans(logwatch_t)
>
> I am looking at what you gave me before:
>
> #cat mylogwatch.te
> policy_module(mylogwatch, 1.0)
>
> gen_require(`
> 	type logwatch_mail_t;
> ')
>
> mta_filetrans_admin_home_content(logwatch_mail_t)
>
> Would mylogwprocmail.te contain:
>
> policy_module(mylogwprocmail, 1.0)
>
> gen_require(`
> 	type logwatch_t;
> ')
>
> procmail_domtrans(logwatch_t)
>
> ???

Yes basically.
Re: update partially fails
On 01/18/2014 12:15 PM, antonio montagnani wrote:
> Patrick Dupre said the following on 18/01/2014 17:59:
> > Hello,
> >
> > The last update did not go very well. I got:
> >
> > Failed:
> >   bind.i686 32:9.9.4-8.fc20
> >   bind.i686 32:9.9.4-11.P2.fc20
> >   firefox.i686 0:26.0-3.fc20
> >   firewalld.noarch 0:0.3.9-1.fc20
> >   initscripts.i686 0:9.50-1.fc20
> >   initscripts.i686 0:9.51-1.fc20
> >   nfs-utils.i686 1:1.2.8-6.0.fc20
> >   nfs-utils.i686 1:1.2.9-2.1.fc20
> >   selinux-policy-targeted.noarch 0:3.12.1-116.fc20
> >   selinux-policy-targeted.noarch 0:3.12.1-117.fc20
> >   tcpdump.i686 14:4.5.0-1.20131108gitb07944a.fc20
> >   tcpdump.i686 14:4.5.1-1.fc20
> >   yum.noarch 0:3.4.3-129.fc20
> >
> > then
> >
> > rpm -q yum
> > yum-3.4.3-129.fc20.noarch
> > yum-3.4.3-130.fc20.noarch
> >
> > yum remove yum-3.4.3-129.fc20.noarch
> > Loaded plugins: langpacks, refresh-packagekit
> > Resolving Dependencies
> > --> Running transaction check
> > ---> Package yum.noarch 0:3.4.3-129.fc20 will be erased
> > --> Finished Dependency Resolution
> >
> > Dependencies Resolved
> >
> >  Package   Arch     Version          Repository   Size
> > Removing:
> >  yum       noarch   3.4.3-129.fc20   @updates     5.4 M
> >
> > Transaction Summary
> > Remove  1 Package
> >
> > Installed size: 5.4 M
> > Is this ok [y/N]: y
> > Downloading packages:
> > Running transaction check
> > Running transaction test
> > Transaction test succeeded
> > Running transaction
> > error: %preun(yum-3.4.3-129.fc20.noarch) scriptlet failed, exit status 127
> > Error in PREUN scriptlet in rpm package yum-3.4.3-129.fc20.noarch
> >   Verifying  : yum-3.4.3-129.fc20.noarch   1/1
> >
> > Failed:
> >   yum.noarch 0:3.4.3-129.fc20
> >
> > Complete!
> >
> > ===
> > Patrick DUPRÉ | email: pdu...@gmx.com
> > Laboratoire de Physico-Chimie de l'Atmosphère
> > Université du Littoral-Côte d'Opale
> > Tel. (33)-(0)3 28 23 76 12 | Fax: 03 28 65 82 44
> > 189A, avenue Maurice Schumann | 59140 Dunkerque, France
> > ===
>
> It is a common bug since yesterday. Please check in the mail archive about failed scripts. Anyway, the easiest way is to set Selinux to permissive, perform the update and go back to enforcing.
>
> Hope it can help

There is a big bug in selinux-policy. You need to install selinux-policy-targeted.noarch 0:3.12.1-117.fc20 in permissive mode if you ended up with 116 installed. Since you have 117 installed, you can just do

# semodule -B

Which should update the selinux-policy and fix your problem.
Re: Trying to use mailx for logwatch
On 01/07/2014 11:44 AM, Robert Moskowitz wrote:
> getting closer. I am running a new install. So a fresh start on this...
>
> On 01/06/2014 11:14 AM, Daniel J Walsh wrote:
> > On 01/03/2014 12:25 PM, Robert Moskowitz wrote:
> > > On 01/03/2014 12:03 PM, Daniel J Walsh wrote:
> > > > On 01/03/2014 11:34 AM, Robert Moskowitz wrote:
> > > > > On 01/03/2014 11:21 AM, Daniel J Walsh wrote:
> > > > > > On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
> > > > > > > And the mail is failing. Here is what I have done:
> > > > > > >
> > > > > > > I determined that in:
> > > > > > > /usr/share/logwatch/default.conf/logwatch.conf
> > > > > > > mailer = /usr/sbin/sendmail -t
> > > > > > >
> > > > > > > so in:
> > > > > > > /etc/logwatch/conf/logwatch.conf
> > > > > > > mailer = /usr/bin/mailx -t
> > > > > > >
> > > > > > > In /etc/aliases I have:
> > > > > > > # Person who should get root's mail
> > > > > > > root:rgm
> > > > > > >
> > > > > > > and I ran newaliases
> > > > > > >
> > > > > > > 'journalctl |grep -i logwatch' shows the following (along with other lines):
> > > > > > >
> > > > > > > Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: (/etc/cron.daily) starting 0logwatch
> > > > > > > Jan 02 03:32:12 lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily) finished 0logwatch
> > > > > > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.024:734): avc: denied { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.024:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
> > > > > > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734): avc: denied { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> > > > > > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.24:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
> > > > > > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: analyze_avc() avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 access=['write'] tclass=dir tpath=/root
> > > > > > >
> > > > > > > oh, here are the mail files:
> > > > > > >
> > > > > > > # ls -ls /var/spool/mail/
> > > > > > > total 8
> > > > > > > 0 -rw-rw----. 1 rgm  mail    0 Jan  2 16:47 rgm
> > > > > > > 8 -rw-------. 1 root mail 5886 Dec 31 12:27 root
> > > > > > > 0 -rw-rw----. 1 rpc  mail    0 Dec 25 13:27 rpc
> > > > > > >
> > > > > > > The content in root mail is from when I had postfix installed. I have since deleted it to work on getting mailx to work instead.
> > > > > > >
> > > > > > > perhaps /var/spool/mail/root needs 660 permissions?
> > > > > >
> > > > > > Do you know what mailx is trying to write into the /root directory?
> > > > >
> > > > > The output of logwatch. I edited /etc/logwatch/conf/logwatch.conf with the line:
> > > > >
> > > > > mailer = /usr/bin/mailx -t
> > > > >
> > > > > To override /usr/share/logwatch/default.conf/logwatch.conf
> > > > >
> > > > > mailer = /usr/sbin/sendmail -t
> > > >
> > > > Ok I just added a patch to git to allow logwatch_mail_t to write to the /root directory certain files.
> > > >
> > > > sesearch -T -s logwatch_mail_t | grep mail_home_rw_t
> > > > type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t .maildir;
> > > > type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t .maildir;
> > > > type_transition logwatch_mail_t admin_home_t : file mail_home_rw_t .esmtp_queue;
> > > > type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t Maildir;
> > > > type_transition logwatch_mail_t user_home_dir_t : file mail_home_rw_t .esmtp_queue;
> > > > type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t Maildir;
> > > >
> > > > You could do something similar by adding:
> > > >
> > > > policy_module(mylogwatch, 1.0)
> > > >
> > > > gen_require(`
> > > > 	type logwatch_mail_t;
> > > > ')
> > > >
> > > > mta_filetrans_admin_home_content(logwatch_mail_t)
> > >
> > > Dan, you are way beyond me here. I need pretty clear cookbooks. Changing a line in a .conf is one thing, what are you telling me to do here? Just cut and paste from policy... to mta... into a rooted terminal session?
> >
> > Create a file mylogwatch.te with the following content.
> >
> > policy_module(mylogwatch, 1.0)
> >
> > gen_require(`
> > 	type logwatch_mail_t;
> > ')
> >
> > mta_filetrans_admin_home_content(logwatch_mail_t)
> >
> > Now execute this command
Re: GCL get killed everytime I try to execute it
On 01/05/2014 09:21 PM, Rex Dieter wrote:
> Isaac Cortés González wrote:
> > Ok here's my problem: I'm trying to learn (Common) Lisp, so I installed GCL to compile or run the scripts that I'm making for practice; but I'm having problems running GCL itself. Each time I try to run it, it gets killed and I get an alert from SELinux. I tried to solve it with one of the solutions it suggests, but it can't find a command named checkmodule. So if anyone knows how to solve either of the two issues, please let me know.
>
> Is gcl-selinux installed? If not, does installing it help?
>
> -- rex

What AVC are you getting?
Re: Trying to use mailx for logwatch
On 01/03/2014 12:25 PM, Robert Moskowitz wrote:
> On 01/03/2014 12:03 PM, Daniel J Walsh wrote:
> > On 01/03/2014 11:34 AM, Robert Moskowitz wrote:
> > > On 01/03/2014 11:21 AM, Daniel J Walsh wrote:
> > > > On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
> > > > > And the mail is failing. Here is what I have done:
> > > > >
> > > > > I determined that in:
> > > > > /usr/share/logwatch/default.conf/logwatch.conf
> > > > > mailer = /usr/sbin/sendmail -t
> > > > >
> > > > > so in:
> > > > > /etc/logwatch/conf/logwatch.conf
> > > > > mailer = /usr/bin/mailx -t
> > > > >
> > > > > In /etc/aliases I have:
> > > > > # Person who should get root's mail
> > > > > root:rgm
> > > > >
> > > > > and I ran newaliases
> > > > >
> > > > > 'journalctl |grep -i logwatch' shows the following (along with other lines):
> > > > >
> > > > > Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: (/etc/cron.daily) starting 0logwatch
> > > > > Jan 02 03:32:12 lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily) finished 0logwatch
> > > > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.024:734): avc: denied { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.024:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
> > > > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734): avc: denied { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> > > > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.24:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
> > > > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: analyze_avc() avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 access=['write'] tclass=dir tpath=/root
> > > > >
> > > > > oh, here are the mail files:
> > > > >
> > > > > # ls -ls /var/spool/mail/
> > > > > total 8
> > > > > 0 -rw-rw----. 1 rgm  mail    0 Jan  2 16:47 rgm
> > > > > 8 -rw-------. 1 root mail 5886 Dec 31 12:27 root
> > > > > 0 -rw-rw----. 1 rpc  mail    0 Dec 25 13:27 rpc
> > > > >
> > > > > The content in root mail is from when I had postfix installed. I have since deleted it to work on getting mailx to work instead.
> > > > >
> > > > > perhaps /var/spool/mail/root needs 660 permissions?
> > > >
> > > > Do you know what mailx is trying to write into the /root directory?
> > >
> > > The output of logwatch. I edited /etc/logwatch/conf/logwatch.conf with the line:
> > >
> > > mailer = /usr/bin/mailx -t
> > >
> > > To override /usr/share/logwatch/default.conf/logwatch.conf
> > >
> > > mailer = /usr/sbin/sendmail -t
> >
> > Ok I just added a patch to git to allow logwatch_mail_t to write to the /root directory certain files.
> >
> > sesearch -T -s logwatch_mail_t | grep mail_home_rw_t
> > type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t .maildir;
> > type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t .maildir;
> > type_transition logwatch_mail_t admin_home_t : file mail_home_rw_t .esmtp_queue;
> > type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t Maildir;
> > type_transition logwatch_mail_t user_home_dir_t : file mail_home_rw_t .esmtp_queue;
> > type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t Maildir;
> >
> > You could do something similar by adding:
> >
> > policy_module(mylogwatch, 1.0)
> >
> > gen_require(`
> > 	type logwatch_mail_t;
> > ')
> >
> > mta_filetrans_admin_home_content(logwatch_mail_t)
>
> Dan, you are way beyond me here. I need pretty clear cookbooks. Changing a line in a .conf is one thing, what are you telling me to do here? Just cut and paste from policy... to mta... into a rooted terminal session?

Create a file mylogwatch.te with the following content.

policy_module(mylogwatch, 1.0)

gen_require(`
	type logwatch_mail_t;
')

mta_filetrans_admin_home_content(logwatch_mail_t)

Now execute this command to compile the policy and load it into the kernel

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mylogwatch.pp

Now you should be allowed to run logwatch_mail_t in enforcing mode.
Re: Trying to use mailx for logwatch
On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
> And the mail is failing. Here is what I have done:
>
> I determined that in:
> /usr/share/logwatch/default.conf/logwatch.conf
> mailer = /usr/sbin/sendmail -t
>
> so in:
> /etc/logwatch/conf/logwatch.conf
> mailer = /usr/bin/mailx -t
>
> In /etc/aliases I have:
> # Person who should get root's mail
> root:rgm
>
> and I ran newaliases
>
> 'journalctl |grep -i logwatch' shows the following (along with other lines):
>
> Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: (/etc/cron.daily) starting 0logwatch
> Jan 02 03:32:12 lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily) finished 0logwatch
> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.024:734): avc: denied { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.024:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734): avc: denied { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.24:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: analyze_avc() avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 access=['write'] tclass=dir tpath=/root
>
> oh, here are the mail files:
>
> # ls -ls /var/spool/mail/
> total 8
> 0 -rw-rw----. 1 rgm  mail    0 Jan  2 16:47 rgm
> 8 -rw-------. 1 root mail 5886 Dec 31 12:27 root
> 0 -rw-rw----. 1 rpc  mail    0 Dec 25 13:27 rpc
>
> The content in root mail is from when I had postfix installed. I have since deleted it to work on getting mailx to work instead.
>
> perhaps /var/spool/mail/root needs 660 permissions?

Do you know what mailx is trying to write into the /root directory?
Re: Trying to use mailx for logwatch
On 01/03/2014 11:34 AM, Robert Moskowitz wrote:
> On 01/03/2014 11:21 AM, Daniel J Walsh wrote:
> > On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
> > > And the mail is failing. Here is what I have done:
> > >
> > > I determined that in:
> > > /usr/share/logwatch/default.conf/logwatch.conf
> > > mailer = /usr/sbin/sendmail -t
> > >
> > > so in:
> > > /etc/logwatch/conf/logwatch.conf
> > > mailer = /usr/bin/mailx -t
> > >
> > > In /etc/aliases I have:
> > > # Person who should get root's mail
> > > root:rgm
> > >
> > > and I ran newaliases
> > >
> > > 'journalctl |grep -i logwatch' shows the following (along with other lines):
> > >
> > > Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: (/etc/cron.daily) starting 0logwatch
> > > Jan 02 03:32:12 lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily) finished 0logwatch
> > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.024:734): avc: denied { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.024:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
> > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734): avc: denied { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.24:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
> > > Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: analyze_avc() avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 access=['write'] tclass=dir tpath=/root
> > >
> > > oh, here are the mail files:
> > >
> > > # ls -ls /var/spool/mail/
> > > total 8
> > > 0 -rw-rw----. 1 rgm  mail    0 Jan  2 16:47 rgm
> > > 8 -rw-------. 1 root mail 5886 Dec 31 12:27 root
> > > 0 -rw-rw----. 1 rpc  mail    0 Dec 25 13:27 rpc
> > >
> > > The content in root mail is from when I had postfix installed. I have since deleted it to work on getting mailx to work instead.
> > >
> > > perhaps /var/spool/mail/root needs 660 permissions?
> >
> > Do you know what mailx is trying to write into the /root directory?
>
> The output of logwatch. I edited /etc/logwatch/conf/logwatch.conf with the line:
>
> mailer = /usr/bin/mailx -t
>
> To override /usr/share/logwatch/default.conf/logwatch.conf
>
> mailer = /usr/sbin/sendmail -t

Ok I just added a patch to git to allow logwatch_mail_t to write to the /root directory certain files.

sesearch -T -s logwatch_mail_t | grep mail_home_rw_t
type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t .maildir;
type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t .maildir;
type_transition logwatch_mail_t admin_home_t : file mail_home_rw_t .esmtp_queue;
type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t Maildir;
type_transition logwatch_mail_t user_home_dir_t : file mail_home_rw_t .esmtp_queue;
type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t Maildir;

You could do something similar by adding:

policy_module(mylogwatch, 1.0)

gen_require(`
	type logwatch_mail_t;
')

mta_filetrans_admin_home_content(logwatch_mail_t)
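Both logwatch threads above come down to the same exercise: read the AVC record setroubleshoot copied into the journal (the mailx "write" denial on a dir labelled admin_home_t, and the procmail "execute" denial on procmail_exec_t), work out which source domain was refused what on which target type, and pick the policy interface that matches that shape of denial. The Python below is an added example, not code from the list posts or from the selinux-policy project. It parses the quoted journal lines, collapses the three lines setroubleshoot writes for one audit event into a single record, and states the denial together with the interface call the thread used for it. The `<module>_domtrans` and `mta_filetrans_admin_home_content` names it proposes are rules of thumb in reference-policy naming, assumed here rather than looked up against a real policy; confirm with sesearch or seinfo that the interface exists before building a module from them. The sample journal lines are abridged copies of the ones quoted in the threads.

```python
import re
from dataclasses import dataclass

# Core of an AVC record: the refused permissions inside braces, then key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
# Audit event id: msg=audit(<seconds>.<millis>:<serial>). setroubleshoot logs one
# event several times and formats the millis differently each time, so the key
# is (seconds, serial) only.
AUDIT_ID_RE = re.compile(r"msg=audit\((?P<secs>\d+)\.\d+:(?P<serial>\d+)\)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Denial:
    audit_id: tuple   # (seconds, serial)
    perms: tuple      # permissions that were refused, e.g. ("write",)
    comm: str         # process name from comm=
    source_type: str  # type component of scontext, e.g. logwatch_mail_t
    target_type: str  # type component of tcontext, e.g. admin_home_t
    tclass: str       # object class: dir, file, ...
    name: str         # object name from name=, if present


def parse_avc(line):
    """Return a Denial for a journal line that carries an AVC record, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    raw = m.group("fields")
    # setroubleshoot's "dbus avc(...)" line glues the SYSCALL record onto the AVC
    # record; keep only the fields up to tclass= so nothing leaks across.
    cut = re.search(r"tclass=\S+", raw)
    fields = dict(FIELD_RE.findall(raw[: cut.end()] if cut else raw))
    ident = AUDIT_ID_RE.search(line)
    audit_id = (int(ident.group("secs")), int(ident.group("serial"))) if ident else (0, 0)
    return Denial(
        audit_id=audit_id,
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", ""),
        source_type=fields["scontext"].split(":")[2],
        target_type=fields["tcontext"].split(":")[2],
        tclass=fields.get("tclass", ""),
        name=fields.get("name", ""),
    )


def unique_denials(lines):
    """Parse every line and keep one Denial per audit event, in first-seen order."""
    seen = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None and d.audit_id not in seen:
            seen[d.audit_id] = d
    return list(seen.values())


def explain(d):
    """Return (summary, suggested interface call or None) for a denial.

    Interface names follow reference-policy naming and are an assumption to
    verify against the installed policy, not a lookup.
    """
    summary = (f"{d.comm} ({d.source_type}) denied {' '.join(d.perms)} on "
               f"{d.tclass} '{d.name}' labelled {d.target_type}")
    if "execute" in d.perms and d.tclass == "file" and d.target_type.endswith("_exec_t"):
        # Running a program that has its own domain: the thread's fix was a
        # domain transition, procmail_domtrans(logwatch_t) for procmail_exec_t.
        module = d.target_type[: -len("_exec_t")]
        return summary, f"{module}_domtrans({d.source_type})"
    if ("write" in d.perms and d.tclass == "dir" and "mail" in d.source_type
            and d.target_type in ("admin_home_t", "user_home_dir_t")):
        # A mail domain creating files in a home directory: the thread's fix was
        # a file transition so the new files get mail_home_rw_t instead of the
        # home directory's own type.
        return summary, f"mta_filetrans_admin_home_content({d.source_type})"
    return summary, None


def te_module(name, source_type, *interface_calls):
    """Render a minimal .te module in the shape of mylogwatch.te from the thread."""
    lines = [f"policy_module({name}, 1.0)", "", "gen_require(`",
             f"\ttype {source_type};", "')", "", *interface_calls, ""]
    return "\n".join(lines)


# Constructed sample input: abridged copies of the journal lines quoted in the threads.
SAMPLE_JOURNAL = [
    "Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.024:734): avc: denied { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.024:734): arch=4003 syscall=5 success=no exit=-13 ppid=1 pid=16425 uid=0 comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)",
    "Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734): avc: denied { write } for pid=16425 comm=mailx name=root dev=dm-0 ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir",
    "Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: analyze_avc() avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 access=['write'] tclass=dir tpath=/root",
    "Jan 22 03:37:14 lx120e.htt-consult.com setroubleshoot[11102]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1390390627.456:1007): avc: denied { execute } for pid=11100 comm=logwatch name=procmail dev=sda3 ino=1187050 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:procmail_exec_t:s0 tclass=file",
]


def triage(lines):
    """[(summary, interface)] for each distinct denial in the given journal lines."""
    return [explain(d) for d in unique_denials(lines)]


if __name__ == "__main__":
    for summary, iface in triage(SAMPLE_JOURNAL):
        print(summary)
        print("  suggested interface:", iface or "(no rule of thumb; run audit2allow -w on the record)")
```

Run on the sample it reports two distinct denials out of four lines: the mailx one maps to mta_filetrans_admin_home_content(logwatch_mail_t), the procmail one to procmail_domtrans(logwatch_t), which are exactly the two interface calls the threads settle on. Feeding te_module("mylogwprocmail", "logwatch_t", "procmail_domtrans(logwatch_t)") to the make and semodule steps quoted above is unchanged from what the thread describes; the de-duplication by audit id matters when you count denials, since every event otherwise shows up three times in a journal grep.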
Re: failed to ..
On 12/31/2013 12:20 PM, Chris Murphy wrote:
> On Dec 31, 2013, at 8:57 AM, Daniel J Walsh dwa...@redhat.com wrote:
> > There was a bug in libselinux which is now fixed, that was causing the problem.
>
> Right, but I thought that the bug caused the setting in /etc/selinux/config to be ignored, while selinux=0 and enforcing=0 still worked?
>
> Chris Murphy

Just back from break, and I believe that is the case. I am just beginning to dig into the problem. selinux=0 should cause the kernel to not load the SELinux LSM, which should keep selinux disabled. I guess the libselinux could still lie to the init and cause it to attempt a relabel.

Adam Williamson has put out a fixed libselinux-2.2.1-6.fc20, which should fix the problem.
Re: fedup and selinux
I blogged on SELinux blocking stuff in permissive mode.

http://danwalsh.livejournal.com/67855.html

I think fedup putting the machine into permissive mode during the update is the sane thing to do, and since it should be doing this without services running, it should be relatively safe.
Re: Why did SELinux relabel my filesystem?
On 12/25/2013 06:25 AM, Steven P. Ulrick wrote:
> Hello, Everyone
>
> During my most recent re-boot, SELinux relabeled my entire filesystem. Which would be fine, except for the fact that I have SELinux disabled on my system:
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #     enforcing - SELinux security policy is enforced.
> #     permissive - SELinux prints warnings instead of enforcing.
> #     disabled - No SELinux policy is loaded.
> SELINUX=disabled
> # SELINUXTYPE= can take one of these two values:
> #     targeted - Targeted processes are protected,
> #     minimum - Modification of targeted policy. Only selected processes are protected.
> #     mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
> Why did SELinux, which is disabled on my system, spend all that time re-labeling my filesystem?
>
> Steven P. Ulrick

There was a bug in the libselinux update that caused this problem; it should now be fixed in libselinux-2.2.1-6.fc20.
Re: Different actions on different passwords?
On 12/30/2013 08:09 PM, Robert Moskowitz wrote:
> On 12/30/2013 08:03 PM, Bill Oliver wrote:
>> On Tue, 31 Dec 2013, Patrick O'Callaghan wrote:
>>> On Mon, Dec 30, 2013 at 11:25 PM, Bill Oliver ven...@billoblog.com wrote:
>>>> In linux, is it possible to dictate two different actions upon login with different passwords?
>>>
>>> Short answer: no.
>>>
>>> Longer answer: in computing almost anything is possible if you really want to achieve it. Given that on Unix-style systems, including Linux, the login program can be changed, you can modify the source to do what you want. Of course you'll need to have superuser privileges to install it in place of the system standard. Note that doing this may well open a can of worms, e.g. you might have to modify the format of the password file (and hence the library routines that access it), possibly fiddle with SElinux settings, etc. etc.
>>>
>>> If the conditions are relaxed slightly you can get a partial solution using the standard login: write a Shell startup script (.profile or whatever) that allows the user to discriminate between the two modes, e.g. by using a timeout, detecting the initial state of the Shift (or Control or whatever) key etc., in a way that is hopefully non-obvious to an observer. Probably not reliable enough for serious use.
>>>
>>> Conclusion: better look for some other way to cover your tracks, and note that a forensic investigation can be carried out without having you log in at all.
>>>
>>> poc

You could set up a pam module that would work with the login shell to do different things based on the password.
Re: selinux=0
On 12/29/2013 10:31 AM, Patrick Dupre wrote:
> Thanks, it works.
>
>> On Sun, 29 Dec 2013 14:40:26 +0100, Patrick Dupre wrote:
>>> Hello,
>>>
>>> After cloning a distribution fedora 19, I have to set selinux=0 to be able to boot.
>>> What can I do to avoid this option?
>>> I tried:
>>> fixfiles relabel
>>> system-config-selinux
>>> But I never get a relabelling!
>>> What should I do?
>>
>> Have you tried booting with enforcing=0 instead of selinux=0 yet?
>> If you disable SELinux completely, you cannot hope that anything will work related to file labelling.
>
> ===
> Patrick DUPRÉ | email: pdu...@gmx.com
> Laboratoire de Physico-Chimie de l'Atmosphère
> Université du Littoral-Côte d'Opale
> Tel. (33)-(0)3 28 23 76 12 | Fax: 03 28 65 82 44
> 189A, avenue Maurice Schumann
> 59140 Dunkerque, France
> ===

What AVC's are you seeing when booting in permissive mode?

When you say SELinux would not work, does that mean it would not boot to the login prompt? You could not login after booting?
Re: failed to ..
On 12/30/2013 11:11 AM, Chris Murphy wrote:
> On Dec 29, 2013, at 11:37 PM, Ralf Corsepius rc040...@freenet.de wrote:
>> On 12/30/2013 07:01 AM, Chris Murphy wrote:
>>> On Dec 28, 2013, at 8:15 PM, Patrick Dupre pdu...@gmx.com wrote:
>>>> Hello,
>>>>
>>>> I tried to set relabel by using system-config-selinux, but nothing happens
>>>> I have to keep selinux=0 to be able to boot!
>>>
>>> Try autorelabel=1, and in the future if you have selinux problems you don't want to troubleshoot use enforcing=0. Disabling selinux is a hammer and eventually causes more problems.
>>
>> With all due respect, disabling SELinux *must not cause problems*.
>
> The instant you disable SELinux, labeling is no longer being done at all, so any software updates while disabled lack labeling. Upon intentional or inadvertent re-enabling of SELinux, there will be problems due to that. This is why disabling isn't a good idea, and isn't necessary. Use enforcing=0 instead.
>
>> If it does, somebody is critically broken and needs to be fixed, ASAP.
>
> Feel free to rebuild your kernel ASAP, and actually disable SELinux at the source.
>
> Chris Murphy

There was a bug in libselinux which is now fixed, that was causing the problem.
Re: sharing /boot among multiple Linux distros
On 12/09/2013 11:17 AM, D. Hugh Redelmeier wrote:
> | From: Daniel J Walsh dwa...@redhat.com
> |
> | On 12/08/2013 01:11 AM, D. Hugh Redelmeier wrote:
> | > https://bugzilla.redhat.com/show_bug.cgi?id=882568 Fedora could not mount
> | > the Ubuntu partition for examination because it wasn't SELinux labelled.
> | > Of course requiring a Ubuntu partition to be labelled for Fedora isn't
> | > reasonable.
> |
> | Do you have the SELinux AVC messages that were blocking this?
>
> I don't have anything left but the bug report. I did include the output of ausearch -m avc -ts recent in that report.

Ok, I missed the bug report. Anyways it appears it has been fixed since F18.
Re: [GW-C] Re: sharing /boot among multiple Linux distros
On 12/08/2013 01:11 AM, D. Hugh Redelmeier wrote:
> | From: Joe Zeff j...@zeff.us
> |
> | On 11/26/2013 02:00 PM, Javier Perez wrote:
> | > For some reason, Ubuntu does not find out Fedora unless I mount the disk
> | > each time I update ubuntu kernel.
> |
> | How do you expect Ubuntu to find a kernel on an unmounted partition?
>
> It is supposed to find it. There is a bug in Ubuntu 12.04:
> https://bugs.launchpad.net/ubuntu/+source/os-prober/+bug/1038093
> This was reported more than a year ago. That bugs.Launchpad notes an upstream fix a year ago, so the bug was marked as Fix Released almost a year ago. But no update to 12.04 has been issued.
>
> This is an example of why I am less comfortable with Ubuntu.
>
> I had similar problems with Fedora that were resolved more quickly:
> https://bugzilla.redhat.com/show_bug.cgi?id=882568
> Fedora could not mount the Ubuntu partition for examination because it wasn't SELinux labelled. Of course requiring a Ubuntu partition to be labelled for Fedora isn't reasonable.

Do you have the SELinux AVC messages that were blocking this?

> https://bugzilla.redhat.com/show_bug.cgi?id=995777

Not a Fedora bug. Fedora could not mount the Ubuntu partition because Ubuntu didn't cleanly unmount it. An fsck was required.
Re: rsync errors (selinux?)
On 11/25/2013 07:51 AM, poma wrote:
> On 24.11.2013 19:03, Wolfgang S. Rupprecht wrote:
>> For several years I've been doing an rsync across-the-lan backup for home directories. All has worked well until recently (well, since the fedup to f20 last night). Now backups are failing with an inscrutable rsync error. While the errors mention selinux, I don't see any errors in either the sending or receiving machines' /var/log/secure logfiles.
>> ..
>> Any ideas what's up and what I need to do to get this working again?
>
> You should know better after all these years of use.
> F20 ain't an official, so https://admin.fedoraproject.org/mailman/listinfo/test
>
> poma

Look in /var/log/audit/audit.log

ausearch -m avc -ts recent

after the failure.
Re: rsync errors (selinux?)
On 11/25/2013 02:54 PM, Wolfgang S. Rupprecht wrote:
> Daniel J Walsh dwa...@redhat.com writes:
>> ausearch -m avc -ts recent
>
> local host (source of rsync):
>
> [root@arbol audit]# ausearch -m avc -ts recent
> no matches
> [root@arbol audit]#
>
> remote host (destination of rsync):
>
> [root@capsicum audit]# ausearch -m avc -ts recent
> no matches
> [root@capsicum audit]#
>
> also a tail -f on /var/log/audit/audit.log on both machines while the errors were spewing on the screen showed no corresponding errors (or other output for that matter) in audit.log.
>
> -wolfgang

Do you have the audit daemon running?

service auditd status

If you run setenforce 0 do the errors stop?
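An added example, not from the thread, of turning the audit.log advice above into a quick triage step: a POSIX shell filter that counts and summarizes AVC denial records the way you would read ausearch -m avc output. The audit.log lines below are constructed for the example, not a real capture; the hostnames, paths, inode numbers and contexts in them are made up.

```shell
#!/bin/sh
# Constructed audit.log excerpt (not a real capture): three AVC denials for an
# rsync process plus one unrelated SYSCALL record, so the filter has something
# to skip. Paths, inode numbers and contexts are made up.
AUDIT_SAMPLE='type=AVC msg=audit(1385391234.123:456): avc:  denied  { read } for  pid=1234 comm="rsync" name="photo.jpg" dev="dm-1" ino=789 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1385391234.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="rsync" exe="/usr/bin/rsync"
type=AVC msg=audit(1385391240.001:457): avc:  denied  { getattr } for  pid=1234 comm="rsync" path="/home/wolfgang/notes" dev="dm-1" ino=790 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1385391241.002:458): avc:  denied  { read } for  pid=1234 comm="rsync" name="photo2.jpg" dev="dm-1" ino=791 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_count FILE: number of "type=AVC ... denied" records in FILE. Prints 0 when
# there are none; a 0 on a live system is the moment to check that auditd is
# running ("service auditd status"), because without auditd the kernel sends
# audit records to the kernel log (dmesg / journal) instead of audit.log.
avc_count() {
    grep -c '^type=AVC .* denied ' "$1" || true
}

# avc_summary FILE: collapse the denials into distinct patterns, most frequent
# first, one per line:
#   COUNT comm=... perm=... tclass=... scontext=... tcontext=...
# That is enough to tell a mislabeled file (unexpected tcontext) from a
# missing policy rule (the scontext/tclass/perm combination itself).
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            perm = $0
            sub(/.*denied +[{] +/, "", perm)   # keep text after "denied {"
            sub(/ +[}].*/, "", perm)           # drop text from "}" onward
            comm = sc = tc = cls = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^scontext=/) { sc = substr($i, 10) }
                if ($i ~ /^tcontext=/) { tc = substr($i, 10) }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            print "comm=" comm " perm=" perm " tclass=" cls " scontext=" sc " tcontext=" tc
        }' "$1" | sort | uniq -c | sort -rn
}

# Run against the constructed sample; on a real host point both functions at
# /var/log/audit/audit.log instead.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$AUDIT_SAMPLE" > "$SAMPLE_FILE"
echo "AVC denials: $(avc_count "$SAMPLE_FILE")"
avc_summary "$SAMPLE_FILE"
rm -f "$SAMPLE_FILE"
```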
Re: F17 boot with lvm does not create all the device nodes
On 11/18/2013 05:50 AM, Deron Meranda wrote:
> Continuing the exploration of my problem...
>
> Quick problem summary: I could not boot past emergency mode because it could not mount /var; which is a separate filesystem than /. My /var filesystem is a LUKS-encrypted logical volume, which happens to be on /dev/dm-11. Although the logical volume itself was present and active (shows up in lvdisplay); the lvm device file was never getting created for it.
>
> It is the 'udev' subsystem that is responsible for creating the device symlinks for all the logical volumes. I suspect that my missing device nodes were being excluded by the /lib/udev/rules.d/10-dm.rules file because the dmsetup info command inside it was failing. This then caused the 11-dm-lvm.rules file, which normally makes the decision about creating the symlink, to skip that device.
>
> When I ran dmsetup info /dev/dm-11 it failed, saying the device didn't exist! Yet the device file /dev/dm-11 was present, and clearly was usable as I could manually access the data on it, by a process such as:
>
>     ln -s /dev/vg_xyz/lv_var /dev/dm-11
>     cryptsetup luksOpen /dev/vg_xyz/lv_var /dev/mapper/luks-xyz
>     mount /dev/mapper/luks-xyz /var
>
> So /dev/dm-11 clearly works, yet dmsetup info was failing for it!
>
> Since I could manually get /var mounted, and I fortunately had enough free space, I went ahead and copied the entire filesystem into /. [Copying details -- I first excluded any security-sensitive files as I was transferring to a non-encrypted filesystem, and copied the rest of the files while preserving SELinux contexts, and also renaming mountpoints as appropriate so that I ended up with /var on root being an identical copy of what used to be in the separate /var filesystem.] After removing /var from my fstab, a reboot worked completely.
>
> Furthermore, when I look into the /dev/mapper directory or the device directory for the volume group I see ALL the expected device symlinks exist - including my old /var as well as the other missing logical volumes. Also dmsetup info now works on all of them.
>
> I am still quite curious as to what was going on, and am wondering if I can go back to using a separate /var logical volume.
>
> Deron
>
> On Mon, Nov 18, 2013 at 2:50 AM, Deron Meranda deron.mera...@gmail.com wrote:
>> Here's some more information.
>>
>> It looks like all the LVM device files that correspond to a device mapper minor number of 10 or greater are missing. I have four such devices (logical volumes).
>>
>> After boot the lvm devices look like,
>>
>>     lvhome -> ../dm-9
>>     lvroot -> ../dm-1
>>     ... and so on.
>>
>> All the devices with minor numbers < 10 appear as I expect. However all those with minor number >= 10 are missing.
>>
>> If I query dm directly (dmsetup ls), or just look for all dm devices (ls /dev/dm-*) then all of the devices show up. It is only the symbolic links for the volume group that are missing.
>>
>> Is there a particular dm bug, or is this just a coincidence? How can I get the system to boot?
>>
>> Thanks
>
> --
> Deron Meranda
> http://deron.meranda.us/

Fedora 17 is no longer supported.