10-29-2008, 02:23 PM
Al Freundorfer

External ext3 USB Hard drive and selinux

I was directed to post this on the mailing list. See the following forum post
as a reference.

http://www.centos.org/modules/newbb/viewtopic.php?topic_id=16710&forum=42

I formatted my external ext3 372GB USB hard drive in ubuntu and now want to
use it in Centos. I made sure that my group/user numbers were the same. I was
not able to write to the mounted USB hard drive (HD). I suspected selinux and
shut it off and I was able to copy the file! I set selinux back to enforce and
rebooted. I like the security features of selinux.

I tried:
1) chcon -v
2) restorecon -Rv /media/disk
3) cp -P

and still am not able to write to the USB HD. The sad part is I can delete
files from the USB HD. See forum post for details.

I tried it in fedora 9 and it is able to write to the USB HD

I tried a 32GB USB memory stick in Centos 5.2 and it worked!
I am wondering why it doesn't work for my USB HD? The only difference is the
size.

Your help would be much appreciated.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
11-01-2008, 07:24 PM
Nifty Cluster Mitch

External ext3 USB Hard drive and selinux

On Wed, Oct 29, 2008 at 11:23:28AM -0400, Al Freundorfer wrote:
>
> I was directed to post this on the mailing list. See the following forum post
> as a reference.
>
> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=16710&forum=42
>
> I formatted my external ext3 372GB USB hard drive in ubuntu and now want to
> use it in Centos. I made sure that my group/user numbers were the same. I was
> not able to write to the mounted USB hard drive (HD). I suspected selinux and
> shut it off and I was able to copy the file! I set selinux back to enforce and
> rebooted. I like the security features of selinux.
>
> I tried:
> 1) chcon -v
> 2) restorecon -Rv /media/disk
> 3) cp -P
>
> and still am not able to write to the USB HD. The sad part is I can delete
> files from the USB HD. See forum post for details.
>
> I tried it in fedora 9 and it is able to write to the USB HD
>
> I tried a 32GB USB memory stick in Centos 5.2 and it worked!
> I am wondering why it doesn't work for my USB HD? The only difference is the
> size.
>

Try rebooting in permissive mode then inspect the avc messages.

Double check the permissions of the mount point before and
after mounting the device.



--
T o m M i t c h e l l
Found me a new hat, now what?

 
11-06-2008, 05:14 PM
Al Freundorfer

External ext3 USB Hard drive and selinux

Ok I did as you suggested and my output after a

sealert -a /var/log/audit/audit.log > /root/mylogfile.txt

was
________________________________________________________________________________
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

Summary:

SELinux is preventing cp from creating a file with a context of unlabeled_t on a
filesystem.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing cp from creating a file with a context of unlabeled_t on a
filesystem. Usually this happens when you ask the cp command to maintain the
context of a file when copying between file systems, "cp -a" for example. Not
all file contexts should be maintained between the file systems. For example, a
read-only file type like iso9660_t should not be placed on a r/w system. "cp -P"
might be a better solution, as this will adopt the default file context for the
destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context                user_u:object_r:unlabeled_t
Target Context                system_u:object_r:fs_t
Target Objects                test.txt [ filesystem ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           coreutils-5.97-14.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   filesystem_associate
Host Name                     the-rat.xxxx.ca
Platform                      Linux the-rat.xxxxx.ca 2.6.18-92.1.13.el5 #1 SMP Wed Sep 24 19:33:52 EDT 2008 i686 i686
Alert Count                   5
First Seen                    Thu Oct 16 13:11:30 2008
Last Seen                     Wed Nov 5 10:59:39 2008
Local ID                      70942f5b-18a0xxxxxxxc86b
Line Numbers                  5, 6, 1227, 1228, 1703, 1704, 2766, 2767, 3066, 3067

Raw Audit Messages

type=AVC msg=audit(1225900779.959:311): avc: denied { associate } for pid=14890 comm="cp" name="test.txt" scontext=user_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

type=SYSCALL msg=audit(1225900779.959:311): arch=40000003 syscall=5 success=yes exit=4 a0=9a720d0 a1=8041 a2=81b4 a3=8041 items=0 ppid=14864 pid=14890 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=1 comm="cp" exe="/bin/cp" subj=user_u:system_r:unconfined_t:s0 key=(null)

--------------------------------------------------------------------------------
________________________________________________________________________________

But

[freund@the-rat ~]$ ls -Z test.txt
-rw-rw-r-- freund freund user_u:object_r:user_home_t test.txt

so I am wondering where the unlabeled_t is coming from.





--
A.P. Freundorfer, P.Eng.
Department of Electrical and Computer Engineering
Queens University
Kingston, Ontario, CANADA K7L 3N6

Phone: (613)533-2943 * * fax: (613)533-6615
http://www.ece.queensu.ca/directory/laboratories/highspeedcircuits.html
 
11-14-2008, 08:42 PM
Al Freundorfer

External ext3 USB Hard drive and selinux

I created a new directory on the root directory of the USB HD and I was able
to write on it in both ubuntu and centos.

I am curious if it didn't have to do with the fact that one of my
sub-directories is called "home" and selinux flagged this and yet didn't show
up in the audit.

The full directory name for the one that couldn't be copied (yet deletable)
to in centos was:
/media/disk/home/dude

The one that worked was:
/media/disk/dude
In this case everything works normally, sub-directories and all!

al
 

All times are GMT.