06-16-2008, 03:36 PM
Daniel B. Thurman

What is the proper context for .strigi?

I have run into a problem of limited space for .strigi
which was located in my home directory, so I decided
to move ~/.strigi to another partition with ample space
and created a symbolic link from ~/.strigi to the new
location on a different partition.

Selinux is reporting:
SELinux is preventing strigidaemon (unconfined_t) "mmap_zero" to
<Unknown> (unconfined_t).

So, what is the proper context for .strigi and all of the files/directories
contained within?

Thanks!
Dan








--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
06-16-2008, 03:51 PM
Paul Howarth

What is the proper context for .strigi?

Daniel B. Thurman wrote:
> I have run into a problem of limited space for .strigi
> which was located in my home directory, so I decided
> to move ~/.strigi to another partition with ample space
> and created a symbolic link from ~/.strigi to the new
> location on a different partition.
>
> Selinux is reporting:
> SELinux is preventing strigidaemon (unconfined_t) "mmap_zero" to
> <Unknown> (unconfined_t).
>
> So, what is the proper context for .strigi and all of the files/directories
> contained within?


You'll find that bind mounts work much better than symlinks from an
SELinux point of view.


This reminds me to ask though, where is homedir_template as used by
genhomedircon now? I can't find it in Fedora 9 and anything I've tried
editing that looks like it might be it gets overwritten when I run
genhomedircon.


Paul.

 
06-16-2008, 04:10 PM
Eric Paris

What is the proper context for .strigi?

On Mon, 2008-06-16 at 08:36 -0700, Daniel B. Thurman wrote:
> I have run into a problem of limited space for .strigi
> which was located in my home directory, so I decided
> to move ~/.strigi to another partition with ample space
> and created a symbolic link from ~/.strigi to the new
> location on a different partition.
>
> Selinux is reporting:
> SELinux is preventing strigidaemon (unconfined_t) "mmap_zero" to
> <Unknown> (unconfined_t).

I'm ignoring your question because I have no idea, but I can say that
this denial has nothing at all to do with the location of .strigi. This
denial says that the program is calling mmap with MAP_FIXED on an area of
memory < 64k (usually when people ask for this they ask for NULL). This
is very rarely not needed by any program. Emulators like wine sometimes
need this and if so I'd suggest actually writing policy around
strigidaemon to allow this permission rather than twiddle the boolean or
allow it in proc....

-Eric
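
Added example (not part of Eric's message or of the thread): a Python parser that groups `mmap_zero` denials from audit.log-style AVC records by process, and checks that each denial targets the process's own domain in class `memprotect` with no file fields, which is why relabeling .strigi would not affect it. The sample log lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread); the SYSCALL
# record is abbreviated.
SAMPLE_LOG = """\
type=AVC msg=audit(1213630561.101:812): avc:  denied  { mmap_zero } for  pid=2741 comm="strigidaemon" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=memprotect
type=AVC msg=audit(1213630561.102:813): avc:  denied  { mmap_zero } for  pid=2741 comm="strigidaemon" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=memprotect
type=AVC msg=audit(1213630570.440:820): avc:  denied  { read } for  pid=2802 comm="httpd" name="index.html" dev=sda3 ino=5512 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1213630561.101:812): arch=40000003 syscall=192 success=no exit=-13 pid=2741 comm="strigidaemon"
type=AVC msg=audit(1213630575.007:831): avc:  denied  { mmap_zero } for  pid=2741 comm="strigidaemon" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=memprotect
"""

AVC_RE = re.compile(r'^type=AVC msg=audit\((\d+\.\d+):\d+\): avc:\s+denied\s+'
                    r'\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec["ts"] = float(m.group(1))
    rec["perms"] = m.group(2).split()
    return rec

def summarize_mmap_zero(log_text):
    """Group memprotect/mmap_zero denials by (comm, source domain)."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "self_target": True,
                                  "file_fields": False, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "memprotect" or "mmap_zero" not in rec["perms"]:
            continue
        g = groups[(rec["comm"], rec["scontext"].split(":")[2])]
        g["count"] += 1
        g["pids"].add(rec["pid"])
        # The check is the process against its own domain, not against a file.
        g["self_target"] &= rec["scontext"] == rec["tcontext"]
        g["file_fields"] |= bool({"name", "path", "ino"} & rec.keys())
        g["first"] = rec["ts"] if g["first"] is None else min(g["first"], rec["ts"])
        g["last"] = rec["ts"] if g["last"] is None else max(g["last"], rec["ts"])
    return dict(groups)

if __name__ == "__main__":
    for (comm, domain), g in summarize_mmap_zero(SAMPLE_LOG).items():
        print(f"{comm} ({domain}): {g['count']} denials, pids={sorted(g['pids'])}, "
              f"self_target={g['self_target']}, file_fields={g['file_fields']}, "
              f"span={g['last'] - g['first']:.1f}s")
```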

 
06-16-2008, 04:18 PM
Stephen Smalley

What is the proper context for .strigi?

On Mon, 2008-06-16 at 16:51 +0100, Paul Howarth wrote:
> Daniel B. Thurman wrote:
> > I have run into a problem of limited space for .strigi
> > which was located in my home directory, so I decided
> > to move ~/.strigi to another partition with ample space
> > and created a symbolic link from ~/.strigi to the new
> > location on a different partition.
> >
> > Selinux is reporting:
> > SELinux is preventing strigidaemon (unconfined_t) "mmap_zero" to
> > <Unknown> (unconfined_t).
> >
> > So, what is the proper context for .strigi and all of the files/directories
> > contained within?
>
> You'll find that bind mounts work much better than symlinks from an
> SELinux point of view.
>
> This reminds me to ask though, where is homedir_template as used by
> genhomedircon now? I can't find it in Fedora 9 and anything I've tried
> editing that looks like it might be it gets overwritten when I run
> genhomedircon.

genhomedircon functionality was taken into libsemanage in order to
address various problems with the external implementation, and
homedir_template is generated (from template entries in the .fc files)
and used within the module sandbox, not made externally accessible.

/usr/sbin/genhomedircon is now just a script that invokes semodule -Bn
to regenerate the policy.

--
Stephen Smalley
National Security Agency

 
06-16-2008, 04:31 PM
Daniel B. Thurman

Re: What is the proper context for .strigi?




Paul Howarth wrote:
> Daniel B. Thurman wrote:
> > I have run into a problem of limited space for .strigi
> > which was located in my home directory, so I decided
> > to move ~/.strigi to another partition with ample space
> > and created a symbolic link from ~/.strigi to the new
> > location on a different partition.
> >
> > Selinux is reporting:
> > SELinux is preventing strigidaemon (unconfined_t) "mmap_zero" to
> > <Unknown> (unconfined_t).
> >
> > So, what is the proper context for .strigi and all of the files/directories
> > contained within?
>
> You'll find that bind mounts work much better than symlinks from an
> SELinux point of view.

Uh, ok - I'll have to look into that again. I forget how this is done.

> This reminds me to ask though, where is homedir_template as used by
> genhomedircon now? I can't find it in Fedora 9 and anything I've tried
> editing that looks like it might be it gets overwritten when I run
> genhomedircon.

Um, dunno. I am running F8.

BTW: I am getting hammered with SELinux complaining on the above reported
error. It looks like a runaway process and hammering both of my CPUs badly.

How do I temporarily shut down strigidaemon for now
until I can get this issue resolved?

Thanks!
Dan




