-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Richard Chapman wrote:
> Hi again Daniel
>
> Here is some more info on this problem - which may be significant...
> After checking the link from my last email again I tried:
> [root@C5 ~]# fixfiles relabel
>
> Files in the /tmp directory may be labeled incorrectly, this command
> can remove all files in /tmp. If you choose to remove files from /tmp,
> a reboot will be required after completion.
> Do you wish to clean out the /tmp directory [N]? y
> Cleaning out /tmp
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 18
> has invalid context user_u
bject_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 19
> has invalid context user_u
bject_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 20
> has invalid context user_u
bject_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21
> has invalid context user_u
bject_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 23
> has invalid context user_u
bject_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 40
> has invalid context root
bject_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 41
> has invalid context root
bject_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 42
> has invalid context root
bject_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 43
> has invalid context root
bject_r:user_mozilla_home_t:s0
> Exiting after 10 errors.
> [root@C5 ~]#
>
> Looks like there is a problem with the policy? Any suggestions how to
> resolve this?
>
>
> Richard.
>
>
> Richard Chapman wrote:
>> Thanks Daniel
>>
>> I'm pretty sure you are right - that there is something wrong with the
>> labelling - but
>>
>> touch /.autorelabel; reboot
>>
>> Doesn't seem to cause the relabelling.
>> I was a bit suspicious that the relabelling didn't work the first time
>> - because I also did a touch /forcefsck at the boot when I was
>> expecting relabelling - and it seemed to do 3 fscks - but no obvious
>> relabelling. I assumed one of the fscks must have really been a
>> relabel - but maybe not.... Now wehn I do the touch and reboot - there
>> is no delay in the reboot messages on the system console.
>>
>> I have found this thread - which seem to describe a similar lack of
>> relabelling - but doesn't offer a solution:
>> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=17009&forum=37&post_id=6085 9
>> <http://www.centos.org/modules/newbb/viewtopic.php?topic_id=17009&forum=37&post_id=6085 9>
>>
>>
>> I haven't tried the 5.3 policy preview yet. Might that help me with
>> the relabelling?
>>
>> Thanks again
>>
>> Richard.
>>
>>
>>
>>
>> Daniel J Walsh wrote:
> Richard Chapman wrote:
>
>>>>> Hi.. When I first installed Centos 5.0 - I disabled SELinux at the
>>>>> first
>>>>> sign of trouble. I have now seen the light - and have enabled SELinux
>>>>> on the system which is now updated to Centos 5.2 with Kernel Linux
>>>>> 2.6.18-92.1.22.el5 on x86_64. I initially enabled Selinux in permissive
>>>>> mode - and tried looking at the GUI SELinux Troubleshooter - but it
>>>>> shows no problems. This may be OK - because there are no "type=avc"
>>>>> messages in the audit.log file. However there are thousands of "type=
>>>>> user_avc". Here are the last 20 while in permissive mode:
>>>>>
>>>>> type=USER_AVC msg=audit(1231052785.984:833): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=AddMatch dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.984:834): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=GetNameOwner dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.985:835): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device
>>>>> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.986:836): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820
>>>>> scontext=system_u:system_r:init_t:s0
>>>>> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.987:837): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=RemoveMatch dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.987:838): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=AddMatch dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.987:839): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=GetNameOwner dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.988:840): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device
>>>>> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.989:841): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820
>>>>> scontext=system_u:system_r:init_t:s0
>>>>> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.990:842): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=RemoveMatch dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.990:843): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=AddMatch dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.990:844): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=GetNameOwner dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.991:845): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device
>>>>> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.991:846): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820
>>>>> scontext=system_u:system_r:init_t:s0
>>>>> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.992:847): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=RemoveMatch dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.992:848): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=AddMatch dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.992:849): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=GetNameOwner dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.992:850): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device
>>>>> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.993:851): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820
>>>>> scontext=system_u:system_r:init_t:s0
>>>>> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.994:852): user pid=2489 uid=81
>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus
>>>>> member=RemoveMatch dest=org.freedesktop.DBus spid=7820
>>>>> scontext=user_u:system_r:initrc_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus :
>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>>
>>>>>
>>>>> If I set the system to Enforcing mode - and log out and log back in -
>>>>> the login seems to run very slowly. If I try to run the gui SELinux
>>>>> Troubleshooter - the application window doesn't come up - but I see the
>>>>> following errors in the boot.log file.
>>>>>
>>>>> Jan 3 16:55:54 C5 dbus: avc: received setenforce notice (enforcing=1)
>>>>> Jan 3 16:56:23 C5 userhelper[24703]: running
>>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py'
>>>>> with system_u:system_r:unconfined_t context Jan 3 16:56:23 C5
>>>>> userhelper[24703]: running
>>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py'
>>>>> with root privileges on behalf of 'root'
>>>>> Jan 3 16:58:02 C5 gconfd (root-21790): Exiting
>>>>> Jan 3 16:58:02 C5 sshd[21044]: pam_unix(sshd:session): session closed
>>>>> for user nx
>>>>> Jan 3 16:58:02 C5 su: pam_unix(su-l:session): session closed for
>>>>> user root
>>>>> Jan 3 16:58:23 C5 sshd[24747]: Accepted publickey for nx from
>>>>> 192.168.0.2 port 33869 ssh2
>>>>> Jan 3 16:58:23 C5 sshd[24747]: pam_unix(sshd:session): session opened
>>>>> for user nx by (uid=0)
>>>>> Jan 3 16:58:25 C5 su: pam_unix(su-l:session): session opened for user
>>>>> root by (uid=102)
>>>>> Jan 3 16:58:28 C5 dovecot: IMAP(tim): Disconnected: Logged out
>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): starting (version 2.14.0), pid
>>>>> 25493 user 'root'
>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address
>>>>> "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only
>>>>> configuration source at position 0
>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address
>>>>> "xml:readwrite:/root/.gconf" to a writable configuration source at
>>>>> position 1
>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address
>>>>> "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only
>>>>> configuration source at position 2
>>>>> Jan 3 16:58:33 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate
>>>>> 0 0
>>>>> Not Found
>>>>> Jan 3 16:58:33 C5 last message repeated 4 times
>>>>> Jan 3 16:58:33 C5 gconfd (root-25493): Resolved address
>>>>> "xml:readwrite:/root/.gconf" to a writable configuration source at
>>>>> position 0
>>>>> Jan 3 16:59:46 C5 gdm[4045]: pam_unix(gdm:session): session opened for
>>>>> user root by (uid=0)
>>>>> Jan 3 16:59:59 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate
>>>>> 0 0
>>>>> Not Found
>>>>> Jan 3 16:59:59 C5 last message repeated 4 times
>>>>> Jan 3 17:00:01 C5 crond[25738]: (root) CMD (/var/www/sarg/sarg.cron >
>>>>> /dev/null 2>&1)
>>>>> Jan 3 17:00:01 C5 crond[25740]: (root) CMD
>>>>> (/etc/webmin/webalizer/webalizer.pl /var/log/squid/access.log)
>>>>> Jan 3 17:00:01 C5 crond[25742]: (root) CMD
>>>>> (/etc/webmin/status/monitor.pl)
>>>>> Jan 3 17:00:01 C5 crond[25743]: (root) CMD
>>>>> (/etc/webmin/fetchmail/check.pl --mail rchapman@aardvark.com.au
>>>>> --errors)
>>>>> Jan 3 17:00:01 C5 su: pam_unix(su:session): session opened for user
>>>>> richard by (uid=0)
>>>>> Jan 3 17:00:04 C5 su: pam_unix(su:session): session opened for user
>>>>> postgres by (uid=0)
>>>>> Jan 3 17:00:04 C5 su: pam_unix(su:session): session closed for user
>>>>> postgres
>>>>> Jan 3 17:00:13 C5 su: pam_unix(su:session): session closed for user
>>>>> richard
>>>>> Jan 3 17:01:01 C5 crond[25911]: (root) CMD (run-parts /etc/cron.hourly)
>>>>> Jan 3 17:01:15 C5 userhelper[25928]: running
>>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py'
>>>>> with system_u:system_r:unconfined_t context Jan 3 17:01:15 C5
>>>>> userhelper[25928]: running
>>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py'
>>>>> with root privileges on behalf of 'root'
>>>>> Jan 3 17:02:18 C5 setroubleshoot: [dbus.ERROR] could not start dbus:
>>>>> Did
>>>>> not receive a reply. Possible causes include: the remote application
>>>>> did
>>>>> not send a reply, the message bus security policy blocked the reply,
>>>>> the
>>>>> reply timeout expired, or the network connection was broken.
>>>>> Jan 3 17:03:06 C5 dovecot: imap-login: Login: user=<tim>, method=PLAIN,
>>>>> rip=192.168.0.199, lip=192.168.0.201
>>>>> Jan 3 17:03:37 C5 dovecot: IMAP(tim): Disconnected: Logged out
>>>>> Jan 3 17:04:14 C5 setroubleshoot: [dbus.ERROR] could not start dbus:
>>>>> Did
>>>>> not receive a reply. Possible causes include: the remote application
>>>>> did
>>>>> not send a reply, the message bus security policy blocked the reply,
>>>>> the
>>>>> reply timeout expired, or the network connection was broken.
>>>>>
>>>>> I have also tried the comand line sealert application - which runs fine
>>>>> - but shows no problems:
>>>>>
>>>>> [root@C5 <mailto:root@C5> ~]# sealert -a /var/log/audit/audit.log
>>>>> 100% donefound 0 alerts in /var/log/audit/audit.log
>>>>> [root@C5 <mailto:root@C5> ~]#
>>>>> It looks to me as if there is some problem (possibly a policy issue)
>>>>> with my dbus connection. and this is preventing the selinux
>>>>> troubleshooter operating in enforcing mode - and also probably causing
>>>>> some other problems in enforcing mode - though no "type-avc" problems
>>>>> show up int eh audit logs.
>>>>>
>>>>> Can anyone explain to me what "type=user_avc" messages are - and why
>>>>> they are not reported by teh gui SELinux troubleshooter or sealert? How
>>>>> should I debug the remainig issues in theis system?
>>>>>
>>>>> All adice appreciated.
>>>>>
>>>>> Richard.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>
> Please make sure your labeling is correct.
>
> touch /.autorelabel; reboot
>
> Looks like the entire system is running with a signal context which is
> causing you your problems.
>
> You might also want to grab the 5.3 policy, a preview is currently
> available on
>
> http://people.redhat.com/dwalsh/SELinux/RHEL5
>>>
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
Upgrade to the 5.3 policy and see if the problem goes away.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkllFbEACgkQrlYvE4MpobPrLgCgv/4rm8ybxO3TfRKjRlXtj9M9
ryIAnRpcVUZgeIGvO2E4g6XYhpb3JUQ3
=QxJn
-----END PGP SIGNATURE-----
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Troubleshootng the Selunix troubleshooter
