Old 04-15-2010, 07:05 AM
Sandro Janke
 
Default snmp Permission denied on mounted filesystems

On 04/15/2010 06:49 AM, Paul Ward wrote:
> Hi all,
>
> I am sure this comes up a lot but have spent hours trying to find the
> answers with no success apart from disabling selinux which I don't
> want to do.
>
> Apr 15 16:48:26 sargas snmpd[23987]: /home/appl: Permission denied
>
> The following filesystems are mounted with same issue.
>
> /dev/sda7 3.9G 427M 3.3G 12% /home/appl
> /dev/sda6 4.0G 2.7G 1.2G 71% /home/users
> /dev/sda8 3.9G 2.5G 1.2G 68% /home/work
>
> ls -ldZ /home/appl/
> drwxr-xr-x root root /home/appl/

This shows that the directory has not been labeled, yet.

> /usr/sbin/sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
>

Could it be that you don't have any policy package installed?

What does 'rpm -qv selinux-policy-targeted' say?
What are the settings in /etc/selinux/config?

> What do I need to do to fix this chcon? If so what is the full command
> / context to enter?
>
> Thanks
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

 
Old 04-15-2010, 12:55 PM
Daniel J Walsh
 
Default snmp Permission denied on mounted filesystems

Try running restorecon -R -v /home

And see if this fixes the labels.
 
Old 04-15-2010, 10:33 PM
Paul Ward
 
Default snmp Permission denied on mounted filesystems

> What does 'rpm -qv selinux-policy-targeted' say?
> What are the settings in /etc/selinux/config?

My server shows the following selinux packages.

selinux-policy-targeted-1.17.30-2.152.el4
selinux-policy-targeted-sources-1.17.30-2.152.el4

I have run:
snmpwalk -v 2c -c public .iso
cd /etc/selinux/targeted/src/policy
audit2allow -d -l -o domains/misc/local.te
make load

Until no more errors were found, this fixed the original errors from
selinux, but not the permissions.

> Try running restorecon -R -v /home

If I run

restorecon -R -v /home

Would this affect a running production server, or should I do this in
a maintenance window?


 
Old 04-15-2010, 11:11 PM
Sandro Janke
 
Default snmp Permission denied on mounted filesystems

On 04/16/2010 12:33 AM, Paul Ward wrote:
>> What does 'rpm -qv selinux-policy-targeted' say?
>> What are the settings in /etc/selinux/config?
>
> My server shows the following selinux packages.
>
> selinux-policy-targeted-1.17.30-2.152.el4
> selinux-policy-targeted-sources-1.17.30-2.152.el4
>
> I have run:
> snmpwalk -v 2c -c public .iso
> cd /etc/selinux/targeted/src/policy
> audit2allow -d -l -o domains/misc/local.te
> make load
>
> Until no more errors were found, this fixed the original errors from
> selinux, but not the permissions.
>
>> Try running restorecon -R -v /home
>
> If I run
>
> restorecon -R -v /home
>
> Would this affect a running production server, or should I do this in
> a maintenance window?

Well, you can try to run it with the -n switch first to show you what
would happen. According to the man page: "It can be run at any time to
correct errors..."

 
Old 04-16-2010, 12:10 AM
Paul Ward
 
Default snmp Permission denied on mounted filesystems

I have run the command as follows but I am still getting the permission issues.

Apr 16 11:48:13 sargas snmpd[23987]: /home/work/exports: Permission denied

# restorecon -v /home/work/exports
restorecon reset context /home/work/exports:->system_u:object_r:user_home_t

ls -lZd /home/work/exports

drwxrwxr-x  oracle   dba      system_u:object_r:user_home_t /home/work/exports

What's next?
Do I need to restart something?




 
Old 04-16-2010, 12:11 AM
Sandro Janke
 
Default snmp Permission denied on mounted filesystems

On 04/16/2010 01:51 AM, Paul Ward wrote:
> I have run the command as follows but I am still getting the permission issues.
>
> Apr 16 11:48:13 sargas snmpd[23987]: /home/work/exports: Permission denied
>
> # restorecon -v /home/work/exports
> restorecon reset context /home/work/exports:->system_u:object_r:user_home_t

Without the -R switch only the directory itself will be labeled. I'm
pretty sure you want to run restorecon as suggested by dwalsh.

What does 'ausearch -m avc -ts recent' tell? You can pipe the output to
audit2why or audit2allow like:

ausearch -m avc -ts recent | audit2why
ausearch -m avc -ts recent | audit2allow -M mysnmp

The latter will generate a loadable module. There is some documentation
at [1] about creating and loading your own modules.

[1]
http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

> ls -lZd /home/work/exports
>
> drwxrwxr-x  oracle   dba      system_u:object_r:user_home_t /home/work/exports
>
> What's next?
> Do I need to restart something?
 
Old 04-16-2010, 12:25 AM
Paul Ward
 
Default snmp Permission denied on mounted filesystems

I have just run the command with : restorecon -R -v /home/work/exports

I am still getting errors though.

Apr 16 12:24:28 sargas snmpd[23987]: /home/users: Permission denied
Apr 16 12:24:28 sargas snmpd[23987]: /home/work: Permission denied
Apr 16 12:24:28 sargas snmpd[23987]: /home/work/exports: Permission denied




 
Old 04-16-2010, 12:28 AM
Paul Ward
 
Default snmp Permission denied on mounted filesystems

I should add ausearch found nothing.

ausearch -m avc -ts recent
<no matches>


 
Old 04-16-2010, 12:45 PM
Daniel J Walsh
 
Default snmp Permission denied on mounted filesystems


The problem you are seeing is dontaudit rules. snmp is not allowed to
read content within the users home dirs. If you want to turn off
dontaudit rules you can by executing

semodule -DB

semodule -B

Will turn the rules back on.

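A way to spot denials that dontaudit rules are hiding, as an added example that is not part of the thread: it lists the paths snmpd was refused in syslog for which no AVC record exists, then condenses the AVC records that do exist into candidate allow rules to review before anything is loaded. The AVC records, the `snmpd_t` domain in them and all function names are constructed for illustration; on a live system the records would come from `ausearch -m avc -ts recent`.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# snmpd syslog lines as quoted in the thread.
SYSLOG='Apr 16 12:24:28 sargas snmpd[23987]: /home/users: Permission denied
Apr 16 12:24:28 sargas snmpd[23987]: /home/work: Permission denied
Apr 16 12:24:28 sargas snmpd[23987]: /home/work/exports: Permission denied'

# Constructed AVC records of the kind that show up once dontaudit rules are
# disabled (semodule -DB). snmpd_t as the daemon's domain is an assumption.
AVC_AFTER='type=AVC msg=audit(1271377468.101:201): avc:  denied  { getattr } for  pid=23987 comm="snmpd" path="/home/users" dev=sda6 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1271377468.102:202): avc:  denied  { getattr } for  pid=23987 comm="snmpd" path="/home/work" dev=sda8 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1271377468.103:203): avc:  denied  { getattr search } for  pid=23987 comm="snmpd" path="/home/work/exports" dev=sda8 ino=4102 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1271377470.200:204): avc:  denied  { read } for  pid=3100 comm="httpd" path="/home/appl/index.html" dev=sda7 ino=77 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file'

# Paths snmpd reported as "Permission denied" (syslog text on stdin).
denied_paths() {
  sed -n 's|^.* snmpd\[[0-9]*\]: \(/.*\): Permission denied$|\1|p' | LC_ALL=C sort -u
}

# Paths named in AVC records whose command is snmpd (audit text on stdin).
avc_paths() {
  sed -n '/comm="snmpd"/s/.* path="\([^"]*\)".*/\1/p' | LC_ALL=C sort -u
}

# hidden_denials SYSLOG_TEXT AUDIT_TEXT
# Prints refused paths that have no AVC record: the signature of a dontaudit rule.
hidden_denials() {
  seen=$(printf '%s\n' "$2" | avc_paths)
  printf '%s\n' "$1" | denied_paths | while IFS= read -r p; do
    printf '%s\n' "$seen" | grep -qxF -- "$p" || printf '%s\n' "$p"
  done
}

# summarize_avc DOMAIN
# Merges the denials of one source domain (audit text on stdin) into one
# candidate rule per target type and class, so the full grant can be reviewed.
summarize_avc() {
  awk -v dom="$1" '
    /avc:/ && /denied/ {
      perms = ""; inb = 0; s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inb = 1; continue }
        if ($i == "}") { inb = 0; continue }
        if (inb) { perms = perms " " $i; continue }
        if (index($i, "scontext=") == 1) { split(substr($i, 10), a, ":"); s = a[3] }
        else if (index($i, "tcontext=") == 1) { split(substr($i, 10), a, ":"); t = a[3] }
        else if (index($i, "tclass=") == 1) { c = substr($i, 8) }
      }
      if (s != dom || t == "" || c == "") next
      key = t ":" c
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
    }
    END { for (k in rule) printf "allow %s %s {%s };\n", dom, k, rule[k] }
  ' | LC_ALL=C sort
}

echo "Refused in syslog, no AVC record (dontaudit still active):"
hidden_denials "$SYSLOG" ""
echo "Candidate rules once the denials are audited:"
printf '%s\n' "$AVC_AFTER" | summarize_avc snmpd_t
```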
 
Old 04-19-2010, 03:11 AM
Paul Ward
 
Default snmp Permission denied on mounted filesystems

Hi Daniel,


Thanks for your reply, looks like that may be what I need.

I assume again this won't upset the running of the machine when this is
performed?

Also is this change persistent after reboots?

Is there a way for making a new policy to allow the required actions
instead of removing the dontaudit altogether?

many thanks




 
