Old 11-05-2008, 06:44 PM
"Jerry James"
 
How to get an SELinux policy change

I'm working on getting GCL to run again. The current Debian patch
(which is enormous) fixes most problems, but not the long-running
SELinux problem that GCL has had. I took a hint from a thread on this
list a couple of months ago. I let make run until it crashed due to a
denied mprotect() call, did chcon -t java_exec_t on the binaries, and
restarted the make. It completed successfully. I can patch the
makefile to do the chcon call in the right place, but I'm worried
about getting the right security context on installation now. First,
is using java_exec_t in this way acceptable? Second, if so, how do I
ask for Fedora's policy to reflect that: bugzilla, request on this
list, some other list? Thanks,
--
Jerry James
http://loganjerry.googlepages.com/

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 11-05-2008, 06:48 PM
Jochen Schmitt
 
How to get an SELinux policy change

Jerry James wrote:
> I'm working on getting GCL to run again. The current Debian patch
> (which is enormous) fixes most problems, but not the long-running
> SELinux problem that GCL has had. I took a hint from a thread on this
> list a couple of months ago. I let make run until it crashed due to a
> denied mprotect() call, did chcon -t java_exec_t on the binaries, and
> restarted the make. It completed successfully. I can patch the
> makefile to do the chcon call in the right place, but I'm worried
> about getting the right security context on installation now. First,
> is using java_exec_t in this way acceptable? Second, if so, how do I
> ask for Fedora's policy to reflect that: bugzilla, request on this
> list, some other list? Thanks,
There should be a fedora-selinux-list mailing list.

Best Regards:

Jochen Schmitt
 
Old 11-05-2008, 06:52 PM
Rahul Sundaram
 
How to get an SELinux policy change

Jochen Schmitt wrote:

> There should be a fedora-selinux-list mailing list.

There already has been one for many years now.


Rahul

 
Old 11-05-2008, 06:52 PM
Hans de Goede
 
How to get an SELinux policy change

Jerry James wrote:

> I'm working on getting GCL to run again. The current Debian patch
> (which is enormous) fixes most problems, but not the long-running
> SELinux problem that GCL has had. I took a hint from a thread on this
> list a couple of months ago. I let make run until it crashed due to a
> denied mprotect() call, did chcon -t java_exec_t on the binaries, and
> restarted the make. It completed successfully. I can patch the
> makefile to do the chcon call in the right place, but I'm worried
> about getting the right security context on installation now. First,
> is using java_exec_t in this way acceptable? Second, if so, how do I
> ask for Fedora's policy to reflect that: bugzilla, request on this
> list, some other list? Thanks,

Just file a bugzilla against selinux-policy. Dan Walsh (the maintainer) is
usually very fast and correct in fixing issues like this one.


Regards,

Hans

 
Old 11-05-2008, 07:20 PM
Daniel J Walsh
 
How to get an SELinux policy change

Jerry James wrote:
> I'm working on getting GCL to run again. The current Debian patch
> (which is enormous) fixes most problems, but not the long-running
> SELinux problem that GCL has had. I took a hint from a thread on this
> list a couple of months ago. I let make run until it crashed due to a
> denied mprotect() call, did chcon -t java_exec_t on the binaries, and
> restarted the make. It completed successfully. I can patch the
> makefile to do the chcon call in the right place, but I'm worried
> about getting the right security context on installation now. First,
> is using java_exec_t in this way acceptable? Second, if so, how do I
> ask for Fedora's policy to reflect that: bugzilla, request on this
> list, some other list? Thanks,
You can get the context of the final destination of the file using

chcon `matchpathcon -n /usr/bin/gcl` LOCALPATH/gcl

Which seems to be a fine way of doing this.

Of course I am guessing that gcl is the name of the executable.
 
Old 11-05-2008, 11:44 PM
"Jerry James"
 
How to get an SELinux policy change

On Wed, Nov 5, 2008 at 1:20 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> You can get the context of the final destination of the file using
>
> chcon `matchpathcon -n /usr/bin/gcl` LOCALPATH/gcl
>
> Which seems to be a fine way of doing. this.

So that tells me that it will have a type of bin_t. Due to the funny
stuff that GCL is doing on the heap, SELinux won't let it run. The
type java_exec_t is sufficiently lenient that GCL runs fine with that
type. Is it okay to abuse the name java_exec_t in this way? If so,
I'll bugzilla a request for the label change.

Thanks to everyone who responded.
--
Jerry James
http://loganjerry.googlepages.com/

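Dan's matchpathcon one-liner, together with Jerry's finding that for /usr/bin/gcl it yields bin_t, as an added example in shell that is not code from the thread, from GCL or from selinux-policy: it applies the destination context to a build-tree binary, verifies that the label actually stuck, and then checks the resulting type against a type the build is already known to run under. The placeholder path LOCALPATH/gcl and the known-good type java_exec_t are taken from the thread for illustration, not from the GCL build.

```shell
#!/bin/sh
# Added example (not code from the thread): relabel a build-tree binary to
# the context its installed copy will get, as Dan Walsh suggests, and
# check the resulting type against one the build is known to run under.
# Paths and the known-good type below are assumptions for illustration.

# context_type CONTEXT: print the type field of user:role:type[:range],
# e.g. system_u:object_r:bin_t:s0 -> bin_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_like_destination INSTALL_PATH LOCAL_PATH
#   Prints the context applied to LOCAL_PATH.  Exit status:
#   0 relabelled and verified, 1 matchpathcon or chcon failed,
#   2 no SELinux userland on this host, 3 the label did not stick.
label_like_destination() {
    dest=$1 src=$2
    command -v matchpathcon >/dev/null 2>&1 || return 2
    # matchpathcon -n prints only the context the file_contexts database
    # assigns to the install path, without the path itself.
    ctx=$(matchpathcon -n "$dest") || return 1
    chcon "$ctx" "$src" || return 1
    # stat -c %C prints the SELinux context actually stored on the file.
    [ "$(stat -c %C "$src")" = "$ctx" ] || return 3
    printf '%s\n' "$ctx"
}

# type_sufficient CONTEXT KNOWN_GOOD_TYPE: succeed when the type that
# matchpathcon chose is the one the build is already known to work under.
# For GCL the thread reports that bin_t is not enough and java_exec_t is.
type_sufficient() {
    [ "$(context_type "$1")" = "$2" ]
}

# Intended use in the makefile step that runs the freshly built binary
# (LOCALPATH/gcl is Dan's placeholder, not a real GCL build path):
#
#   if ctx=$(label_like_destination /usr/bin/gcl LOCALPATH/gcl); then
#       type_sufficient "$ctx" java_exec_t ||
#           echo "warning: $ctx may not allow GCL's mprotect() calls" >&2
#   fi
```

context_type and type_sufficient are pure string checks and run anywhere; label_like_destination needs libselinux's matchpathcon and chcon on the build host and returns 2 instead of failing the build when they are absent, so the same makefile step works on a host without SELinux. The check is the point: if the destination type is bin_t, relabelling to it leaves the build with the same mprotect() denial, which is why the fix belongs in policy rather than in a chcon call.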
 
Old 11-06-2008, 03:41 PM
Jochen Schmitt
 
How to get an SELinux policy change

On Wed, 5 Nov 2008 17:44:16 -0700, you wrote:

>So that tells me that it will have a type of bin_t. Due to the funny
>stuff that GCL is doing on the heap, SELinux won't let it run. The
>type java_exec_t is sufficiently lenient that GCL runs fine with that
>type. Is it okay to abuse the name java_exec_t in this way? If so,
>I'll bugzilla a request for the label change.

Because you wrote that all works fine if you label
/usr/bin/gcl with java_exec_t, I will suggest the following:

Install the selinux-policy source rpm on your system and run
rpmbuild -bp to get the sources of the SELinux reference
policy.

From these you should search for the following files:

java.fc
java.if
java.te

From these files, you should create copies with the names:

gcl.fc
gcl.if
gcl.te

Now you should rename any occurrence of 'java' to 'gcl'.

At last you should assign the label 'gcl_exec_t' to
/usr/bin/gcl in the gcl.fc file.

Now you should be able to create a SELinux module which should
fix your reported mprotect SELinux issue.

Best Regards:

Jochen Schmitt

 
Old 11-06-2008, 05:45 PM
Jochen Schmitt
 
How to get an SELinux policy change

Jochen Schmitt wrote:
> On Wed, 5 Nov 2008 17:44:16 -0700, you wrote:
>
>> So that tells me that it will have a type of bin_t. Due to the
>> funny stuff that GCL is doing on the heap, SELinux won't let it
>> run. The type java_exec_t is sufficiently lenient that GCL runs
>> fine with that type. Is it okay to abuse the name java_exec_t in
>> this way? If so, I'll bugzilla a request for the label change.
>
> Because you wrote that all works fine if you label
> /usr/bin/gcl with java_exec_t, I will suggest the following:
>
> Install the selinux-policy source rpm on your system and run
> rpmbuild -bp to get the sources of the SELinux reference policy.
>
> From these you should search for the following files:
>
> java.fc java.if java.te
>
> From these files, you should create copies with the names:
>
> gcl.fc gcl.if gcl.te
>
> Now you should rename any occurrence of 'java' to 'gcl'.
>
> At last you should assign the label 'gcl_exec_t' to /usr/bin/gcl
> in the gcl.fc file.
>
> Now you should be able to create a SELinux module which should fix
> your reported mprotect SELinux issue.
>
> Best Regards:
>
> Jochen Schmitt
>
I have tried to create a SELinux module which I have uploaded to:

http://www.herr-schmitt.de/pub/gcl/gcl.tar.gz

I hope this may be helpful for the original poster.

Best Regards:

Jochen Schmitt
 
Old 11-06-2008, 07:34 PM
"Jerry James"
 
How to get an SELinux policy change

On Thu, Nov 6, 2008 at 11:45 AM, Jochen Schmitt <Jochen@herr-schmitt.de> wrote:
> I have tried to create a SELinux module which I have uploaded to:
>
> http://www.herr-schmitt.de/pub/gcl/gcl.tar.gz
>
> I hope this may be helpful for the original poster.

Wow, now that's what I call service with a smile! Thank you very
much, Jochen. I will give this a try.
--
Jerry James
http://loganjerry.googlepages.com/


 
Old 11-06-2008, 08:33 PM
"Sebastian Reitenbach"
 
Re: [dm-devel] problem with multipathd, not all paths added to a disk on boot

Hi,

Mike Anderson <andmike@linux.vnet.ibm.com> wrote:
> Sebastian Reitenbach <sebastia@l00-bugdead-prods.de> wrote:
> > /dev/sdb in group vm-store, on 1:0:0:0 is not listed, however, lsscsi
> > has the disk in the list:
> > [1:0:0:0] disk IBM 1814 FAStT 0916 /dev/sdb
> >
> > for the disk that is not added to the group, I see sth like this
> > in /var/log/messages:
> > Nov 6 12:32:36 srv24 kernel: end_request: I/O error, dev sdb, sector 0
> > Nov 6 12:32:39 srv24 kernel: end_request: I/O error, dev sdb, sector 0
> > Nov 6 12:32:39 srv24 kernel: end_request: I/O error, dev sdb, sector 8
> > Nov 6 12:32:42 srv24 kernel: end_request: I/O error, dev sdb, sector 0
> > Nov 6 12:32:42 srv24 multipathd: sdb: add path (uevent)
> > Nov 6 12:32:42 srv24 multipathd: sdb: spurious uevent, path already in
> > pathvec
> > Nov 6 12:32:42 srv24 multipathd: sdb: failed to get path uid
> > Nov 6 12:32:45 srv24 kernel: end_request: I/O error, dev sdb, sector 0
> >
>
> What does running "/sbin/scsi_id -g -u -s /block/sdb" return when you are
> in this failing mode?
/sbin/scsi_id -g -u -s /block/sdb
3600a0b800048b3fe00000431490e90ce


>
> If scsi_id fails what does "sg_inq -v /dev/sdb" and
> "cat /sys/block/sdb/device/state" return?
It doesn't fail, but anyways:
sg_inq -v /dev/sdb
inquiry cdb: 12 00 00 00 24 00
standard INQUIRY:
inquiry cdb: 12 00 00 00 4a 00
PQual=0 Device_type=0 RMB=0 version=0x05 [SPC-3]
[AERC=0] [TrmTsk=0] NormACA=1 HiSUP=1 Resp_data_format=2
SCCS=0 ACC=0 TGPS=0 3PC=0 Protect=0 BQue=0
EncServ=1 MultiP=0 [MChngr=0] [ACKREQQ=0] Addr16=0
[RelAdr=0] WBus16=1 Sync=1 Linked=0 [TranDis=0] CmdQue=1
Clocking=0x0 QAS=0 IUS=0
length=74 (0x4a) Peripheral device type: disk
Vendor identification: IBM
Product identification: 1814 FAStT
Product revision level: 0916
inquiry cdb: 12 01 00 00 fc 00
inquiry: requested 252 bytes but got 21 bytes
inquiry cdb: 12 01 80 00 fc 00
inquiry: requested 252 bytes but got 20 bytes
Unit serial number: SG83955342

cat /sys/block/sdb/device/state
running

thanks
Sebastian

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
 
Old 11-06-2008, 10:15 PM
"Jerry James"
 
How to get an SELinux policy change

On Thu, Nov 6, 2008 at 11:45 AM, Jochen Schmitt <Jochen@herr-schmitt.de> wrote:
> I have tried to create a SELinux module which I have uploaded to:
>
> http://www.herr-schmitt.de/pub/gcl/gcl.tar.gz
>
> I hope this may be helpful for the original poster.

Pardon my ignorance, but I have another question. During the build
process, the gcl binary is created first, then it is executed multiple
times to create the saved images. The build dies when the built
binary is invoked to create the images, if building on an
SELinux-enabled host. Is there any way to use this module to solve
that problem? It seems like this only helps postinstall.

My test SRPM is currently modifying upstream's makefile to insert
"chcon -t java_exec_t <insert name here>" to get around this problem.
Is there a better way?

Thanks again,
--
Jerry James
http://loganjerry.googlepages.com/

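Jochen's recipe above (copy java.{fc,if,te} to gcl.*, rename, label /usr/bin/gcl as gcl_exec_t, build a module) and Jerry's follow-up question about the build-time run, as one added example in shell that is not code from the thread, from GCL or from selinux-policy. Instead of cloning the whole java module it writes a minimal gcl module that grants only the executable-memory permissions the thread reports being denied, builds and loads it with the selinux-policy-devel Makefile, shows the build-time relabel, and reduces raw AVC denials to the permission set the allow rule must cover. The refpolicy interface names (application_domain, unconfined_domtrans_to), the install path /usr/bin/gcl and the sample AVC lines are assumptions to verify against the headers in /usr/share/selinux/devel/include and the real audit log.

```shell
#!/bin/sh
# Added example, not from the thread or the GCL project: a minimal SELinux
# module for GCL written from scratch instead of cloning java.{fc,if,te},
# plus the build-time relabel step.  Interface names and the install path
# are ASSUMPTIONS; check them against /usr/share/selinux/devel/include.

# write_gcl_policy DIR: write gcl.te, gcl.fc and an empty gcl.if into DIR.
write_gcl_policy() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/gcl.te" <<'EOF'
policy_module(gcl, 1.0.0)

type gcl_t;
type gcl_exec_t;
application_domain(gcl_t, gcl_exec_t)

# The thread reports only denied mprotect() calls on the heap, so grant
# the executable-memory permissions and nothing else, instead of
# inheriting everything java_t may do.
allow gcl_t self:process { execmem execheap execstack };

# Let an unconfined user enter gcl_t when executing a gcl_exec_t file.
# ASSUMPTION: interface name as in the installed refpolicy; verify with
#   grep -r unconfined_domtrans_to /usr/share/selinux/devel/include
optional_policy(`
	unconfined_domtrans_to(gcl_t, gcl_exec_t)
')
EOF
    cat > "$dir/gcl.fc" <<'EOF'
/usr/bin/gcl    --    gen_context(system_u:object_r:gcl_exec_t,s0)
EOF
    : > "$dir/gcl.if"
}

# build_gcl_policy DIR: compile and load the module on a host that has
# selinux-policy-devel installed; exit 2 if the devel Makefile is absent.
build_gcl_policy() {
    dir=$1
    mk=/usr/share/selinux/devel/Makefile
    [ -f "$mk" ] || { echo "selinux-policy-devel not installed" >&2; return 2; }
    (cd "$dir" && make -f "$mk" gcl.pp) || return 1
    semodule -i "$dir/gcl.pp" || return 1
    # relabel an already installed binary according to the new gcl.fc entry
    [ -e /usr/bin/gcl ] && restorecon -v /usr/bin/gcl
    return 0
}

# label_built_binary PATH: the build-time step Jerry asked about.  With the
# module loaded on the build host, label the freshly linked binary before
# the makefile executes it to produce the saved images.  The gcl.fc entry
# covers the installed copy, so no chcon is needed at install time.
label_built_binary() {
    chcon -t gcl_exec_t "$1"
}

# perms_from_avc [COMM]: reduce raw AVC denials for COMM (default gcl) to
# the sorted set of permissions they ask for, to confirm the allow rule
# above covers exactly what the build hits.  On a real host feed it with:
#   ausearch -m AVC -c gcl | perms_from_avc
perms_from_avc() {
    comm=${1:-gcl}
    grep 'avc: *denied' | grep "comm=\"$comm\"" |
        sed -n 's/.*denied *{ *\([^}]*\) *}.*/\1/p' |
        tr ' ' '\n' | grep -v '^$' | sort -u
}

# Constructed sample AVC lines (not a real capture) for perms_from_avc.
SAMPLE_AVC='type=AVC msg=audit(1225918800.123:42): avc:  denied  { execheap } for  pid=4242 comm="gcl" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1225918800.456:43): avc:  denied  { execmem } for  pid=4242 comm="gcl" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'
```

After a failed build, `ausearch -m AVC -c gcl | perms_from_avc` on the build host tells you whether the denied set really is just execmem, execheap and execstack; whatever appears there is what the allow line should contain, and nothing more, which is the argument for a small gcl_t domain over a copy of java_t. A local module like this unblocks the build on your own host, but as Hans says the lasting fix is a bugzilla against selinux-policy so that the gcl types ship with Fedora and the installed binary is labelled by the package's file contexts rather than by a chcon in the makefile.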