Hi Simon,

As far as I know this is a bog standard Fedora 14 install.
I cannot comment on that recent discussion on this list because I just
joined this list yesterday in order to resolve this problem.

Regards,
Don

On 10/05/2011 1:35 AM, Simon Matter wrote:
>> Thanks to [email protected] and <[email protected]> we are
>> up and running.
>>
>> 1) After running restorecon, ls -lasZ still reports usr_t - so it looks
>> like a Fedora/SELinux bug.
>> 2) According to [email protected] the fc14 and SELinux folks
>> are already aware of this, so I will not post a bug report.
>> 3) but now that this topic has all the keywords, anybody facing the same
>> problem should be able to find this solution.
>> 4) I solved this problem by editing /etc/rc.local to read as follows.
>> (Yes this does create a tiny security race condition, but that tiny race
>> condition is better than permanently disabling SELinux. :-)
>>
>> [don@mclachlan1 ~]$ cat /etc/rc.local
>> #!/bin/sh
>> #
>> # This script will be executed *after* all the other init scripts.
>> # You can put your own initialization stuff in here if you don't
>> # want to do the full Sys V style init stuff.
>>
>> touch /var/lock/subsys/local
>>
>> # DGM 08/05/2011 - work around Fedora 14 / SELinux bug.
>> echo 0 > /selinux/enforce
>> /sbin/shorewall start
>> echo 1 > /selinux/enforce
>>
> Just because I'm interested, is this with the official Fedora shorewall
> package? Isn't this whole "bug" about the "don't put executable code into
> /usr/share but /usr/lib[exec] instead" thing discussed recently on this
> list?
> At least I have changed my rpms for RHEL to use /usr/libexec and I think
> the Fedora maintainer did the same (but the package may not have been
> released yet).
>
> Regards,
> Simon
>
>> Thanks again,
>> Don
>>
>>
>> On 09/05/2011 2:01 PM, Mr Dash Four wrote:
>>> Mr Dash Four wrote:
>>>>> May 9 11:04:57 mclachlan1 kernel: [ 14.943055] type=1400
>>>>> audit(1304953497.367:4): avc: denied { execute } for pid=1461
>>>>> comm="perl" name="getparams" dev=dm-0 ino=395957
>>>>> scontext=system_u:system_r:shorewall_t:s0
>>>>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>>>>>
>>>> This is an error with the selinux policy in FC14 (the main reason I am
>>>> *NOT* on FC14)! Run "restorecon -vF /usr/share/shorewall/getparams"
>>>> and then check the selinux context with "ls -lasZ
>>>> /usr/share/shorewall/getparams" - if it is still "usr_t" you could try
>>>> and submit a bug with Fedora. As a temporary "solution" you could do
>>>> this (as root):
>>> Yeah, I just checked what I have on one of my machines - the context is
>>> "bin_t" which is a context not constrained by any SELinux policies (a
>>> work-around I did a while ago to avoid this very bug when I tried to
>>> upgrade to FC14 and then backtracked to FC13) - definitely a bug and
>>> SELinux people definitely know about it!
>>>

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
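
The AVC denial quoted in this thread, read field by field, as an added example that is not part of any poster's message. The function names are hypothetical, the sample is the quoted record re-joined onto one line, and the usr_t check is a heuristic drawn from the thread's /usr/share discussion, not an SELinux tool.

```shell
# Added example (not from the thread): triage an SELinux AVC denial record.
# Constructed sample: the denial quoted in the thread, re-joined onto one line.
SAMPLE_AVC='May 9 11:04:57 mclachlan1 kernel: [ 14.943055] type=1400 audit(1304953497.367:4): avc: denied { execute } for pid=1461 comm="perl" name="getparams" dev=dm-0 ino=395957 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value, quotes stripped.
# Assumes values contain no spaces, which holds for the fields used here.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms LINE: print the permission list between "{ " and " }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# ctx_type CONTEXT: print the type, the third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one line saying who was denied what on which object.
avc_summary() {
    case "$1" in *"avc: denied"*) ;; *) return 1 ;; esac
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s (comm=%s) denied { %s } on %s "%s" labelled %s\n' \
        "$src" "$(avc_field "$1" comm)" "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" "$tgt"
}

# avc_is_usr_exec LINE: succeed when a file labelled usr_t was refused
# execute, the pattern in this thread (a helper script under /usr/share).
avc_is_usr_exec() {
    [ "$(avc_field "$1" tclass)" = file ] || return 1
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = usr_t ] || return 1
    case " $(avc_perms "$1") " in *" execute "*) return 0 ;; esac
    return 1
}

avc_summary "$SAMPLE_AVC"
if avc_is_usr_exec "$SAMPLE_AVC"; then
    echo "hint: an executable carries the usr_t label; review its location and labelling"
fi
```

The record names only the denied domain (shorewall_t) and the one mislabelled object, which is the information needed to scope a fix to that file or domain.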
