FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 07-11-2008, 03:16 PM
Dan Thurman
 
Default mod_mono_server_global

I get this consistenly. What can I do to fix this?
=====================================
Summary:

SELinux is preventing the mono from using potentially mislabeled files
(mod_mono_server_global).

Detailed Description:

SELinux has denied mono access to potentially mislabeled file(s)
(mod_mono_server_global). This means that SELinux will not allow mono to use
these files. It is common for users to edit files in their home
directory or tmp
directories and then move (mv) them to system directories. The problem
is that
the files end up with the wrong file context which confined applications
are not

allowed to access.

Allowing Access:

If you want mono to access this files, you need to relabel them using
restorecon

-v 'mod_mono_server_global'. You might want to relabel the entire directory
using restorecon -R -v '<Unknown>'.

Additional Information:

Source Context system_u:system_r:httpd_t:s0
Target Context system_ubject_r:tmp_t:s0
Target Objects mod_mono_server_global [ sock_file ]
Source mono
Source Path /usr/bin/mono
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-74.fc9

Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com
2.6.25.9-76.fc9.i686 #1 SMP

Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 4
First Seen Thu 10 Jul 2008 10:55:05 AM PDT
Last Seen Fri 11 Jul 2008 07:37:33 AM PDT
Local ID 96f5392e-305d-47db-8dc8-93a057a25b0e
Line Numbers

Raw Audit Messages

host=bronze.cdkkt.com type=AVC msg=audit(1215787053.571:36): avc:
denied { create } for pid=8865 comm="mono"
name="mod_mono_server_global" scontext=system_u:system_r:httpd_t:s0
tcontext=system_ubject_r:tmp_t:s0 tclass=sock_file


host=bronze.cdkkt.com type=SYSCALL msg=audit(1215787053.571:36):
arch=40000003 syscall=102 per=400000 success=no exit=-13 a0=2
a1=bfc83fe0 a2=823b524 a3=4 items=0 ppid=1 pid=8865 auid=4294967295
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono"
subj=system_u:system_r:httpd_t:s0 key=(null)



--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-14-2008, 12:57 PM
Daniel J Walsh
 
Default mod_mono_server_global

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan Thurman wrote:
> I get this consistenly. What can I do to fix this?
> =====================================
> Summary:
>
> SELinux is preventing the mono from using potentially mislabeled files
> (mod_mono_server_global).
>
> Detailed Description:
>
> SELinux has denied mono access to potentially mislabeled file(s)
> (mod_mono_server_global). This means that SELinux will not allow mono to
> use
> these files. It is common for users to edit files in their home
> directory or tmp
> directories and then move (mv) them to system directories. The problem
> is that
> the files end up with the wrong file context which confined applications
> are not
> allowed to access.
>
> Allowing Access:
>
> If you want mono to access this files, you need to relabel them using
> restorecon
> -v 'mod_mono_server_global'. You might want to relabel the entire directory
> using restorecon -R -v '<Unknown>'.
>
> Additional Information:
>
> Source Context system_u:system_r:httpd_t:s0
> Target Context system_ubject_r:tmp_t:s0
> Target Objects mod_mono_server_global [ sock_file ]
> Source mono
> Source Path /usr/bin/mono
> Port <Unknown>
> Host bronze.cdkkt.com
> Source RPM Packages mono-core-1.9.1-2.fc9
> Target RPM Packages Policy RPM
> selinux-policy-3.3.1-74.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name home_tmp_bad_labels
> Host Name bronze.cdkkt.com
> Platform Linux bronze.cdkkt.com
> 2.6.25.9-76.fc9.i686 #1 SMP
> Fri Jun 27 16:14:35 EDT 2008 i686 i686
> Alert Count 4
> First Seen Thu 10 Jul 2008 10:55:05 AM PDT
> Last Seen Fri 11 Jul 2008 07:37:33 AM PDT
> Local ID 96f5392e-305d-47db-8dc8-93a057a25b0e
> Line Numbers
> Raw Audit Messages
> host=bronze.cdkkt.com type=AVC msg=audit(1215787053.571:36): avc:
> denied { create } for pid=8865 comm="mono"
> name="mod_mono_server_global" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_ubject_r:tmp_t:s0 tclass=sock_file
>
> host=bronze.cdkkt.com type=SYSCALL msg=audit(1215787053.571:36):
> arch=40000003 syscall=102 per=400000 success=no exit=-13 a0=2
> a1=bfc83fe0 a2=823b524 a3=4 items=0 ppid=1 pid=8865 auid=4294967295
> uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
> tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You can add policy to allow it by using audit2allow.

Why does mod_mono_server_global create sock files in /tmp instead of
/var/run? System applications should use /var/run instead of /tmp for
creation of temporary files/sockets.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkh7TSoACgkQrlYvE4MpobM9GgCbBmHdw/z9+Ic0I9FdUwq3Dx9+
sRgAn1kX8XmZFC4dG6OwkfAxP/8f/8VL
=XADA
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-17-2008, 03:02 AM
Dan Thurman
 
Default mod_mono_server_global

Daniel J Walsh wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan Thurman wrote:
> I get this consistenly. What can I do to fix this?
> =====================================
> Summary:
>
> SELinux is preventing the mono from using potentially mislabeled files
> (mod_mono_server_global).
>
> Detailed Description:
>
> SELinux has denied mono access to potentially mislabeled file(s)
> (mod_mono_server_global). This means that SELinux will not allow
mono to

> use
> these files. It is common for users to edit files in their home
> directory or tmp
> directories and then move (mv) them to system directories. The problem
> is that
> the files end up with the wrong file context which confined
applications

> are not
> allowed to access.
>
> Allowing Access:
>
> If you want mono to access this files, you need to relabel them using
> restorecon
> -v 'mod_mono_server_global'. You might want to relabel the entire
directory

> using restorecon -R -v '<Unknown>'.
>
> Additional Information:
>
> Source Context system_u:system_r:httpd_t:s0
> Target Context system_ubject_r:tmp_t:s0
> Target Objects mod_mono_server_global [ sock_file ]
> Source mono
> Source Path /usr/bin/mono
> Port <Unknown>
> Host bronze.cdkkt.com
> Source RPM Packages mono-core-1.9.1-2.fc9
> Target RPM Packages Policy RPM
> selinux-policy-3.3.1-74.fc9

> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name home_tmp_bad_labels
> Host Name bronze.cdkkt.com
> Platform Linux bronze.cdkkt.com
> 2.6.25.9-76.fc9.i686 #1 SMP
> Fri Jun 27 16:14:35 EDT 2008 i686 i686
> Alert Count 4
> First Seen Thu 10 Jul 2008 10:55:05 AM PDT
> Last Seen Fri 11 Jul 2008 07:37:33 AM PDT
> Local ID 96f5392e-305d-47db-8dc8-93a057a25b0e
> Line Numbers
> Raw Audit Messages
> host=bronze.cdkkt.com type=AVC msg=audit(1215787053.571:36): avc:

> denied { create } for pid=8865 comm="mono"
> name="mod_mono_server_global" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_ubject_r:tmp_t:s0 tclass=sock_file
>
> host=bronze.cdkkt.com type=SYSCALL msg=audit(1215787053.571:36):
> arch=40000003 syscall=102 per=400000 success=no exit=-13 a0=2
> a1=bfc83fe0 a2=823b524 a3=4 items=0 ppid=1 pid=8865 auid=4294967295
> uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
> tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You can add policy to allow it by using audit2allow.

Why does mod_mono_server_global create sock files in /tmp instead of
/var/run? System applications should use /var/run instead of /tmp for
creation of temporary files/sockets.


Are you asking me? I have NO CLUE why mono is
creating sockets in /tmp and I know this is improper.
Do you think that I need to look into some configuration
file somewhere that is mis-configured? I couldn't find
it so far.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-18-2008, 02:04 PM
Daniel J Walsh
 
Default mod_mono_server_global

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan Thurman wrote:
> Daniel J Walsh wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Dan Thurman wrote:
>> > I get this consistenly. What can I do to fix this?
>> > =====================================
>> > Summary:
>> >
>> > SELinux is preventing the mono from using potentially mislabeled files
>> > (mod_mono_server_global).
>> >
>> > Detailed Description:
>> >
>> > SELinux has denied mono access to potentially mislabeled file(s)
>> > (mod_mono_server_global). This means that SELinux will not allow
>> mono to
>> > use
>> > these files. It is common for users to edit files in their home
>> > directory or tmp
>> > directories and then move (mv) them to system directories. The problem
>> > is that
>> > the files end up with the wrong file context which confined
>> applications
>> > are not
>> > allowed to access.
>> >
>> > Allowing Access:
>> >
>> > If you want mono to access this files, you need to relabel them using
>> > restorecon
>> > -v 'mod_mono_server_global'. You might want to relabel the entire
>> directory
>> > using restorecon -R -v '<Unknown>'.
>> >
>> > Additional Information:
>> >
>> > Source Context system_u:system_r:httpd_t:s0
>> > Target Context system_ubject_r:tmp_t:s0
>> > Target Objects mod_mono_server_global [ sock_file ]
>> > Source mono
>> > Source Path /usr/bin/mono
>> > Port <Unknown>
>> > Host bronze.cdkkt.com
>> > Source RPM Packages mono-core-1.9.1-2.fc9
>> > Target RPM Packages Policy RPM >
>> selinux-policy-3.3.1-74.fc9
>> > Selinux Enabled True
>> > Policy Type targeted
>> > MLS Enabled True
>> > Enforcing Mode Enforcing
>> > Plugin Name home_tmp_bad_labels
>> > Host Name bronze.cdkkt.com
>> > Platform Linux bronze.cdkkt.com
>> > 2.6.25.9-76.fc9.i686 #1 SMP
>> > Fri Jun 27 16:14:35 EDT 2008 i686 i686
>> > Alert Count 4
>> > First Seen Thu 10 Jul 2008 10:55:05 AM PDT
>> > Last Seen Fri 11 Jul 2008 07:37:33 AM PDT
>> > Local ID 96f5392e-305d-47db-8dc8-93a057a25b0e
>> > Line Numbers > Raw Audit Messages >
>> host=bronze.cdkkt.com type=AVC msg=audit(1215787053.571:36): avc:
>> > denied { create } for pid=8865 comm="mono"
>> > name="mod_mono_server_global" scontext=system_u:system_r:httpd_t:s0
>> > tcontext=system_ubject_r:tmp_t:s0 tclass=sock_file
>> >
>> > host=bronze.cdkkt.com type=SYSCALL msg=audit(1215787053.571:36):
>> > arch=40000003 syscall=102 per=400000 success=no exit=-13 a0=2
>> > a1=bfc83fe0 a2=823b524 a3=4 items=0 ppid=1 pid=8865 auid=4294967295
>> > uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>> > tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono"
>> > subj=system_u:system_r:httpd_t:s0 key=(null)
>> >
>> >
>> > --
>> > fedora-selinux-list mailing list
>> > fedora-selinux-list@redhat.com
>> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> You can add policy to allow it by using audit2allow.
>>
>> Why does mod_mono_server_global create sock files in /tmp instead of
>> /var/run? System applications should use /var/run instead of /tmp for
>> creation of temporary files/sockets.
>>
> Are you asking me? I have NO CLUE why mono is
> creating sockets in /tmp and I know this is improper.
> Do you think that I need to look into some configuration
> file somewhere that is mis-configured? I couldn't find
> it so far.
>
No, I will open a bugzilla with the mod mono people.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkiAowYACgkQrlYvE4MpobPmqgCfQuIbcyNUg5 KR+Ly1VOdeR2JL
UdkAn00L7F4SQkL5HBIQRfxBRY8R0bLe
=YTew
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 06:49 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org