07-18-2008, 05:36 PM
Tony Molloy

Running a script from Samba

This is on CentOS, not Fedora, but that shouldn't matter.

If I want Samba to run a script (logon/logout scripts), what context should I
set the scripts to?

Thanks,

Tony

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
07-18-2008, 05:51 PM
Daniel J Walsh

Running a script from Samba


Tony Molloy wrote:
> This is on Centos not Fedora but that shouldn't matter.
>
> If I want Samba to run a script ( logon logout scripts ) what context should I
> set the scripts to.
>
> Thanks,,
>
> Tony

/var/lib/samba/scripts(/.*)?
system_u:object_r:samba_unconfined_script_exec_t:s0
 
08-11-2008, 10:32 AM
Aleksander Adamowski

Running a script from Samba

Daniel J Walsh wrote:
> Tony Molloy wrote:
>> This is on Centos not Fedora but that shouldn't matter.
>>
>> If I want Samba to run a script ( logon logout scripts ) what context should I
>> set the scripts to.
>>
>> Thanks,,
>>
>> Tony
>
> /var/lib/samba/scripts(/.*)?
> system_u:object_r:samba_unconfined_script_exec_t:s0



Hi!

I have a problem with this type on Fedora 9 (upgraded from Fedora 8).

I'm trying to rebuild the policy and recompile my custom modules for
policy version 3.3, but when I try to replace the base policy I get the
error that this type is not defined:


# semodule -b /usr/share/selinux/targeted/base.pp
libsepol.context_from_record: type samba_unconfined_script_exec_t is not
defined

libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:samba_unconfined_script_exec_t:s0 to sid

invalid context system_u:object_r:samba_unconfined_script_exec_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!

I've removed all my custom modules; my file_contexts.local contains only
one entry that concerns stunnel:

/usr/bin/stunnel -- system_u:object_r:stunnel_exec_t:s0

I also have the unconfined.pp module unloaded (when it was Fedora 8).
But when I try to load it back on Fedora 9, I get this error:


# semodule -i /usr/share/selinux/targeted/unconfined.pp
libsepol.permission_copy_callback: Module unconfined depends on
permission forward_out in class packet, not satisfied

libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

Which is probably (I think) due to the old base.pp being still used
because I cannot install the new one because of this problem with Samba
script type.


Could you suggest a path for getting out of this situation?

--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl


 
08-11-2008, 11:58 AM
Aleksander Adamowski

Running a script from Samba

Aleksander Adamowski wrote:
> Hi!
>
> I have a problem with this type on Fedora 9 (upgraded from Fedora 8).
>
> I'm trying to rebuild the policy and recompile my custom modules for
> policy version 3.3, but when I try to replace the base policy I get
> the error that this type is not defined:
>
> # semodule -b /usr/share/selinux/targeted/base.pp
> libsepol.context_from_record: type samba_unconfined_script_exec_t is
> not defined
>
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> system_u:object_r:samba_unconfined_script_exec_t:s0 to sid
>
> invalid context system_u:object_r:samba_unconfined_script_exec_t:s0
> libsemanage.semanage_install_active: setfiles returned error code 1.
> semodule: Failed!
>
> I've removed all my custom modules; my file_contexts.local contains
> only one entry that concerns stunnel:
>
> /usr/bin/stunnel -- system_u:object_r:stunnel_exec_t:s0
>
> I also have the unconfined.pp module unloaded (when it was Fedora 8).
> But when I try to load it back on Fedora 9, I get this error:
>
> # semodule -i /usr/share/selinux/targeted/unconfined.pp
> libsepol.permission_copy_callback: Module unconfined depends on
> permission forward_out in class packet, not satisfied
>
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> Which is probably (I think) due to the old base.pp being still used
> because I cannot install the new one because of this problem with
> Samba script type.
>
> Could you suggest a path for getting out of this situation?



I've figured out that indeed my unloading of unconfined.pp was causing
the problem with loading the base policy. However, copying
/usr/share/selinux/targeted/unconfined.pp manually to
/etc/selinux/targeted/modules/active/modules has allowed me to load the
new base.pp.



--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl


 
08-11-2008, 02:46 PM
Aleksander Adamowski

Running a script from Samba

Aleksander Adamowski wrote:
> I've figured out that indeed my unloading of unconfined.pp was causing
> the problem with loading the base policy. However, copying
> /usr/share/selinux/targeted/unconfined.pp manually to
> /etc/selinux/targeted/modules/active/modules has allowed me to load
> the new base.pp.

The problem with the solution is that now I cannot "semodule -r
unconfined" like Dan has advised for Fedora 8.

On Fedora 9 this results in this error:

# semodule -r unconfined
libsepol.context_from_record: type samba_unconfined_script_exec_t is not
defined

libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:samba_unconfined_script_exec_t:s0 to sid

invalid context system_u:object_r:samba_unconfined_script_exec_t:s0

Has the procedure of removing the "unconfined" module been superseded by
something else in Fedora 9?


BTW, this is probably a question to Dan: is there any single place with
documentation about all the changes in the SELinux policy and procedures
relating to its customisation between Fedora releases? There is no such
information in Fedora's release notes (where any sane being would look
for them first).


Currently with each Fedora Release there are numerous changes that break
backward compatibility and significantly change the customisation
procedures. However, I was able to find information about them only by
scraping them from all around the web - from interviews with Dan Walsh,
his LiveJournal blog, some random mailing list discussions,
half-finished Fedora Wiki pages and so on. Am I missing something?

Is there a place where comprehensive documentation for all this lies?


--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl


 
08-13-2008, 07:16 PM
Daniel J Walsh

Running a script from Samba


Aleksander Adamowski wrote:
> Aleksander Adamowski wrote:
>>
>> I've figured out that indeed my unloading of unconfined.pp was causing
>> the problem with loading the base policy. However, copying
>> /usr/share/selinux/targeted/unconfined.pp manually to
>> /etc/selinux/targeted/modules/active/modules has allowed me to load
>> the new base.pp.
> The problem with the solution is that now I cannot "semodule -r
> unconfined" like Dan has advised for Fedora 8.
> On Fedora 9 this results in this error:
>
> # semodule -r unconfined
> libsepol.context_from_record: type samba_unconfined_script_exec_t is not
> defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> system_u:object_r:samba_unconfined_script_exec_t:s0 to sid
> invalid context system_u:object_r:samba_unconfined_script_exec_t:s0
>
> Has the procedure of removing the "unconfined" module been superseded by
> something else in Fedora 9?
>
> BTW, this is probably a question to Dan: is there any single place with
> documentation about all the changes in the SELinux policy and procedures
> relating to its customisation between Fedora releases? There is no such
> information in Fedora's release notes (where any sane being would look
> for them first).
>
> Currently with each Fedora Release there are numerous changes that break
> backward compatibility and significantly change the customisation
> procedures. However, I was able to find information about them only by
> scraping them from all around the web - from interviews with Dan Walsh,
> his LiveJournal blog, some random mailing list discussions,
> half-finished Fedora Wiki pages and so on. Am I missing something?
> Is there a place where comprehensive documentation for all this lies?
>
>
I am fixing this in policy so you can remove the unconfined_domain.
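
Added example, not part of the thread and not code from the SELinux project: a small Python check that parses file-context entries of the kind posted above (path regex, optional file-type flag such as "--", then user:role:type:level) and reports entries whose context is malformed or whose type is missing from a set of defined types, the condition the libsepol errors in this thread describe. The sample entries, the /srv/broken path and the DEFINED_TYPES set are constructed assumptions; on a real system the type list would come from the loaded policy.

```python
import re

# Constructed sample in file_contexts format:
#   <path regex> [<file type flag>] <user:role:type:level>
SAMPLE_SPECS = """\
# local entries (constructed sample)
/var/lib/samba/scripts(/.*)?  system_u:object_r:samba_unconfined_script_exec_t:s0
/usr/bin/stunnel  --  system_u:object_r:stunnel_exec_t:s0
/srv/broken(/.*)?  system_u:samba_share_t:s0
"""

# Constructed stand-in for the types defined by the loaded policy; the Samba
# script type is left out on purpose to reproduce the "not defined" condition.
DEFINED_TYPES = {"stunnel_exec_t", "samba_share_t"}

FILE_TYPE_FLAGS = {"--", "-d", "-c", "-b", "-p", "-l", "-s"}
# Loose shape check: user:role:type:level, level starting with a sensitivity.
CONTEXT_RE = re.compile(r"^(\w+):(\w+):(\w+):(s\d+[\w:.,-]*)$")


def parse_spec(line):
    """Return (path_regex, flag_or_None, context), or None for blank/comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if len(fields) >= 3 and fields[1] in FILE_TYPE_FLAGS:
        return fields[0], fields[1], " ".join(fields[2:])
    return fields[0], None, " ".join(fields[1:])


def check_specs(text, defined_types):
    """Return (line_number, path_regex, problem) for each entry that fails a check."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        spec = parse_spec(line)
        if spec is None or spec[2] == "<<none>>":  # <<none>>: leave unlabeled
            continue
        path, _flag, context = spec
        match = CONTEXT_RE.match(context)
        if not match:
            problems.append((number, path, f"malformed context {context!r}"))
        elif match.group(3) not in defined_types:
            problems.append((number, path, f"type {match.group(3)} is not defined"))
    return problems


if __name__ == "__main__":
    for problem in check_specs(SAMPLE_SPECS, DEFINED_TYPES):
        print(problem)
```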
 
