Old 04-26-2010, 12:45 PM
Daniel J Walsh
 
Help with messed up F11 SELinux

On 04/25/2010 06:35 PM, Steve Blackwell wrote:
> On Sun, 25 Apr 2010 20:32:53 +0200
> Dominick Grift <domg472@gmail.com> wrote:
>
>
>>>>
>>>> Please try to run fixfiles restore as root in permissive mode.
>>>
>>> The previous attempt was as root and in permissive mode. I tried
>>> again:
>>>
>>> [root@steve ~]# id
>>> uid=0(root) gid=0(root)
>>> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>>> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>
>>> [root@steve ~]# sestatus
>>> SELinux status: enabled
>>> SELinuxfs mount: /selinux
>>> Current mode: permissive
>>> Mode from config file: disabled
>>> Policy version: 24
>>> Policy from config file: targeted
>>>
>>> [root@steve ~]# fixfiles
>>> restore ********************/sbin/setfiles: unable to stat
>>> file /home/steve/.gvfs: Permission denied
>>> /sbin/setfiles: error while labeling /: Permission
>>> denied
>>> /sbin/setfiles: error while labeling /boot: Permission
>>> denied
>>> /sbin/setfiles: error while
>>> labeling /media/blah-blah: Permission denied
>>
>> in /etc/selinux/config set "SELINUX=permissive"
>>
>> then do: touch /.autorelabel && reboot
>>
>
> OK, I did that and I still get these messages in /var/log/dmesg:
>
> SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not
> valid (left unmapped).
> SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not
> valid (left unmapped).
> SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid
> (left unmapped).
> SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not
> valid (left unmapped).
> SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid
> (left unmapped).
> SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not
> valid (left unmapped).
> SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not
> valid (left unmapped).
> SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid
> (left unmapped).
> SELinux: Context system_u:object_r:automount_script_exec_t:s0 is not
> valid (left unmapped).
> SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid
> (left unmapped).
> SELinux: Context system_u:object_r:apcupsd_script_exec_t:s0 is not
> valid (left unmapped).
> SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not
> valid (left unmapped).
> SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not
> valid (left unmapped).
> SELinux: Context system_u:object_r:squid_script_exec_t:s0 is not valid
> (left unmapped).
> SELinux: Context system_u:object_r:soundd_script_exec_t:s0 is not
> valid (left unmapped).
> SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid
> (left unmapped).
> SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid
> (left unmapped).
> SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is
> not valid (left unmapped).
>
>
>> once rebooted change SELINUX=permissive back to SELINUX=enforcing
>> and setenforce 1
>
> I have always been running in permissive mode because of the issues
> I've been experiencing but I'll try it and see how it goes.
>
> Thanks,
> Steve
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Steve, let's make sure you have a good selinux-policy-targeted install.

# yum reinstall selinux-policy-targeted

Make sure nothing blows up.

Then execute

# fixfiles restore

You should also see no errors.

One last thing would be what file systems are you using? ext3?
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 04-26-2010, 01:47 PM
Steve Blackwell
 
Help with messed up F11 SELinux

On Mon, 26 Apr 2010 09:27:34 +0200
Dominick Grift <domg472@gmail.com> wrote:


> > > > [root@steve ~]# fixfiles
> > > > restore ********************/sbin/setfiles: unable to stat
> > > > file /home/steve/.gvfs: Permission denied
> > > > /sbin/setfiles: error while labeling /: Permission
> > > > denied
> > > > /sbin/setfiles: error while labeling /boot: Permission
> > > > denied
> > > > /sbin/setfiles: error while
> > > > labeling /media/blah-blah: Permission denied
> > >
> > > in /etc/selinux/config set "SELINUX=permissive"
> > >
> > > then do: touch /.autorelabel && reboot
> > >
> >
> > OK, I did that and I still get these messages in /var/log/dmesg:
>
> If relabeling succeeded these issues should be fixed now.
> You can check by listing: "ls -alZ /etc/rc.d/init.d/mysqld"
>
> if the type returned is mysqld_initrc_exec_t, then it's fixed;
> if the type returned is unlabeled_t, then something went wrong.

The type is mysqld_initrc_exec_t so it must be fixed.
Things have definitely improved. I'm not getting streams of AVCs any
more when I open the services GUI. Thank you, Dominick!

I do still have one (so far) problem though. When I tried to point my
browser at my local BackupPC server page I get an "Unable to Connect"
message and an AVC:

Raw Audit Messages:
node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied
{ write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0
ino=36667496 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file

node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null)

Now I know I could change the context of that socket file but I'm
guessing that it gets created every time and so that is not a permanent
solution. Is there a boolean I need to set; nothing looked obvious or
perhaps a BackupPC policy I need to install?

Thanks,
Steve
 
Old 04-26-2010, 01:50 PM
Steve Blackwell
 
Help with messed up F11 SELinux

On Mon, 26 Apr 2010 08:45:28 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:


> Steve, let's make sure you have a good selinux-policy-targeted install.
>
> # yum reinstall selinux-policy-targeted

Dominick has already had me reinstall a couple of selinux rpms.
My situation has definitely improved so I must have had a corrupted
policy somehow.

> Make sure nothing blows up.
>
> Then execute
>
> # fixfiles restore
>
> You should also see no errors.
>
> One last thing would be what file systems are you using? ext3?

Thanks,
Steve
 
Old 04-26-2010, 03:11 PM
Daniel J Walsh
 
Help with messed up F11 SELinux

On 04/26/2010 09:47 AM, Steve Blackwell wrote:
> On Mon, 26 Apr 2010 09:27:34 +0200
> Dominick Grift <domg472@gmail.com> wrote:
>
>
>>>>> [root@steve ~]# fixfiles
>>>>> restore ********************/sbin/setfiles: unable to stat
>>>>> file /home/steve/.gvfs: Permission denied
>>>>> /sbin/setfiles: error while labeling /: Permission
>>>>> denied
>>>>> /sbin/setfiles: error while labeling /boot: Permission
>>>>> denied
>>>>> /sbin/setfiles: error while
>>>>> labeling /media/blah-blah: Permission denied
>>>>
>>>> in /etc/selinux/config set "SELINUX=permissive"
>>>>
>>>> then do: touch /.autorelabel && reboot
>>>>
>>>
>>> OK, I did that and I still get these messages in /var/log/dmesg:
>>
>> If relabeling succeeded these issues should be fixed now.
>> You can check by listing: "ls -alZ /etc/rc.d/init.d/mysqld"
>>
>> if the type returned is mysqld_initrc_exec_t, then it's fixed;
>> if the type returned is unlabeled_t, then something went wrong.
>
> The type is mysqld_initrc_exec_t so it must be fixed.
> Things have definitely improved. I'm not getting streams of AVCs any
> more when I open the services GUI. Thank you, Dominick!
>
> I do still have one (so far) problem though. When I tried to point my
> browser at my local BackupPC server page I get an "Unable to Connect"
> message and an AVC:
>
> Raw Audit Messages:
> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied
> { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0
> ino=36667496 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>
> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48
> gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
> ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
> Now I know I could change the context of that socket file but I'm
> guessing that it gets created every time and so that is not a permanent
> solution. Is there a boolean I need to set; nothing looked obvious or
> perhaps a BackupPC policy I need to install?
>
> Thanks,
> Steve
>
>
What directory is the socket in?


 
Old 04-26-2010, 04:41 PM
Steve Blackwell
 
Help with messed up F11 SELinux

On Mon, 26 Apr 2010 11:11:00 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:


> > I do still have one (so far) problem though. When I tried to point
> > my browser at my local BackupPC server page I get an "Unable to
> > Connect" message and an AVC:
> >
> > Raw Audit Messages:
> > node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
> > denied { write } for pid=31707 comm="perl5.10.0"
> > name="BackupPC.sock" dev=dm-0 ino=36667496
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
> >
> > node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
> > arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
> > a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
> > uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> > tty=(none) ses=4294967295 comm="perl5.10.0"
> > exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> > key=(null)
> >
> > Now I know I could change the context of that socket file but I'm
> > guessing that it gets created every time and so that is not a
> > permanent solution. Is there a boolean I need to set; nothing
> > looked obvious or perhaps a BackupPC policy I need to install?
> >
> > Thanks,
> > Steve
> >
> >
> What directory is the socket in?

/var/log/BackupPC

Steve
 
Old 04-27-2010, 12:45 PM
Daniel J Walsh
 
Help with messed up F11 SELinux

On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> On Mon, 26 Apr 2010 11:11:00 -0400
> Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>
>>> I do still have one (so far) problem though. When I tried to point
>>> my browser at my local BackupPC server page I get an "Unable to
>>> Connect" message and an AVC:
>>>
>>> Raw Audit Messages:
>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
>>> denied { write } for pid=31707 comm="perl5.10.0"
>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>
>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>> key=(null)
>>>
>>> Now I know I could change the context of that socket file but I'm
>>> guessing that it gets created every time and so that is not a
>>> permanent solution. Is there a boolean I need to set; nothing
>>> looked obvious or perhaps a BackupPC policy I need to install?
>>>
>>> Thanks,
>>> Steve
>>>
>>>
>> What directory is the socket in?
>
> /var/log/BackupPC
>
> Steve

The BackupPC package comes with labeling in F12/F13 of httpd_sys_content_t.

# matchpathcon /var/log/BackupPC/
/var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0

Execute the following; it should fix the problem:

# semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
# restorecon -R -v /var/log/BackupPC
 
Old 04-27-2010, 02:57 PM
Steve Blackwell
 
Help with messed up F11 SELinux

On Tue, 27 Apr 2010 08:45:25 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:

> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> > On Mon, 26 Apr 2010 11:11:00 -0400
> > Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> >
> >>> I do still have one (so far) problem though. When I tried to point
> >>> my browser at my local BackupPC server page I get an "Unable to
> >>> Connect" message and an AVC:
> >>>
> >>> Raw Audit Messages:
> >>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
> >>> denied { write } for pid=31707 comm="perl5.10.0"
> >>> name="BackupPC.sock" dev=dm-0 ino=36667496
> >>> scontext=system_u:system_r:httpd_t:s0
> >>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
> >>>
> >>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
> >>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
> >>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
> >>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> >>> tty=(none) ses=4294967295 comm="perl5.10.0"
> >>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> >>> key=(null)
> >>>
> >>> Now I know I could change the context of that socket file but I'm
> >>> guessing that it gets created every time and so that is not a
> >>> permanent solution. Is there a boolean I need to set; nothing
> >>> looked obvious or perhaps a BackupPC policy I need to install?
> >>>
> >>> Thanks,
> >>> Steve
> >>>
> >>>
> >> What directory is the socket in?
> >
> > /var/log/BackupPC
> >
> > Steve
>
> The BackupPC package comes with labeling in F12/F13 of
> httpd_sys_content_t.
>
> # matchpathcon /var/log/BackupPC/
> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>
> Execute the following; it should fix the problem:
>
> # semanage fcontext -a -t httpd_sys_content_t
> '/var/log/BackupPC(/.*)?'
> # restorecon -R -v /var/log/BackupPC

No luck.

This did relabel the files in /var/log/BackupPC

[root@steve ~]# ls -lZ /var/log/BackupPC
-r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
BackupPC.pid
srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
BackupPC.sock
...

but SELinux still won't let me access the server. I get a slightly
different but essentially the same AVC as before:

Raw Audit Messages:

node=steve.blackwell type=AVC
msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file

node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null)

So it looks to my untrained eye that we have a process with context
system_u:system_r:httpd_t:s0
trying to write to a file that has a context
system_u:object_r:httpd_sys_content_t:s0

and there is no rule to say that this is OK. Is that about right?

Thanks,
Steve
 
Old 04-27-2010, 03:01 PM
Dominick Grift
 
Help with messed up F11 SELinux

On Tue, Apr 27, 2010 at 10:57:17AM -0400, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 08:45:25 -0400
> Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> > On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> > > On Mon, 26 Apr 2010 11:11:00 -0400
> > > Daniel J Walsh <dwalsh@redhat.com> wrote:
> > >
> > >
> > >>> I do still have one (so far) problem though. When I tried to point
> > >>> my browser at my local BackupPC server page I get an "Unable to
> > >>> Connect" message and an AVC:
> > >>>
> > >>> Raw Audit Messages:
> > >>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
> > >>> denied { write } for pid=31707 comm="perl5.10.0"
> > >>> name="BackupPC.sock" dev=dm-0 ino=36667496
> > >>> scontext=system_u:system_r:httpd_t:s0
> > >>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
> > >>>
> > >>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
> > >>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
> > >>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
> > >>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> > >>> tty=(none) ses=4294967295 comm="perl5.10.0"
> > >>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> > >>> key=(null)
> > >>>
> > >>> Now I know I could change the context of that socket file but I'm
> > >>> guessing that it gets created every time and so that is not a
> > >>> permanent solution. Is there a boolean I need to set; nothing
> > >>> looked obvious or perhaps a BackupPC policy I need to install?
> > >>>
> > >>> Thanks,
> > >>> Steve
> > >>>
> > >>>
> > >> What directory is the socket in?
> > >
> > > /var/log/BackupPC
> > >
> > > Steve
> >
> > The BackupPC package comes with labeling in F12/F13 of
> > httpd_sys_content_t.
> >
> > # matchpathcon /var/log/BackupPC/
> > /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
> >
> > Execute the following; it should fix the problem:
> >
> > # semanage fcontext -a -t httpd_sys_content_t
> > '/var/log/BackupPC(/.*)?'
> > # restorecon -R -v /var/log/BackupPC
>
> No luck.
>
> This did relabel the files in /var/log/BackupPC
>
> [root@steve ~]# ls -lZ /var/log/BackupPC
> -r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
> BackupPC.pid
> srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
> BackupPC.sock

This pid and sock need to move to /var/run; I asked the backuppc packager to do this a long time ago but for some reason it is not fixed yet.

> ...
>
> but SELinux still won't let me access the server. I get a slightly
> different but essentially the same AVC as before:
>
> Raw Audit Messages:
>
> node=steve.blackwell type=AVC
> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>
> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48
> gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
> ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
> So it looks to my untrained eye that we have a process with context
> system_u:system_r:httpd_t:s0
> trying to write to a file that has a context
> system_u:object_r:httpd_sys_content_t:s0
>
> and there is no rule to say that this is OK. Is that about right?
>
> Thanks,
> Steve
 
Old 04-27-2010, 03:31 PM
Daniel J Walsh
 
Help with messed up F11 SELinux

On 04/27/2010 10:57 AM, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 08:45:25 -0400
> Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>> Daniel J Walsh <dwalsh@redhat.com> wrote:
>>>
>>>
>>>>> I do still have one (so far) problem though. When I tried to point
>>>>> my browser at my local BackupPC server page I get an "Unable to
>>>>> Connect" message and an AVC:
>>>>>
>>>>> Raw Audit Messages:
>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
>>>>> denied { write } for pid=31707 comm="perl5.10.0"
>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>
>>>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
>>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
>>>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
>>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>>> key=(null)
>>>>>
>>>>> Now I know I could change the context of that socket file but I'm
>>>>> guessing that it gets created every time and so that is not a
>>>>> permanent solution. Is there a boolean I need to set; nothing
>>>>> looked obvious or perhaps a BackupPC policy I need to install?
>>>>>
>>>>> Thanks,
>>>>> Steve
>>>>>
>>>>>
>>>> What directory is the socket in?
>>>
>>> /var/log/BackupPC
>>>
>>> Steve
>>
>> The BackupPC package comes with labeling in F12/F13 of
>> httpd_sys_content_t.
>>
>> # matchpathcon /var/log/BackupPC/
>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>
>> Execute the following; it should fix the problem:
>>
>> # semanage fcontext -a -t httpd_sys_content_t
>> '/var/log/BackupPC(/.*)?'
>> # restorecon -R -v /var/log/BackupPC
>
> No luck.
>
> This did relabel the files in /var/log/BackupPC
>
> [root@steve ~]# ls -lZ /var/log/BackupPC
> -r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
> BackupPC.pid
> srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0
> BackupPC.sock
> ...
>
> but SELinux still won't let me access the server. I get a slightly
> different but essentially the same AVC as before:
>
> Raw Audit Messages:
>
> node=steve.blackwell type=AVC
> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>
> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48
> gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
> ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
> So it looks to my untrained eye that we have a process with context
> system_u:system_r:httpd_t:s0
> trying to write to a file that has a context
> system_u:object_r:httpd_sys_content_t:s0
>
> and there is no rule to say that this is OK. Is that about right?
>
> Thanks,
> Steve

You can add the rule to allow it using audit2allow:

# grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M mybackuppc
# semodule -i mybackuppc.pp

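As an added example (not code from the thread, from BackupPC or from Fedora), the two denials Steve posted, parsed and sorted the way this thread resolved them: a generic target type such as var_log_t or unlabeled_t points at a labeling problem to fix with semanage fcontext and restorecon, anything else at a missing rule for audit2allow, and the records are narrowed to the one program and socket before they go to audit2allow so the module does not also allow unrelated denials. The avc_* function names, the list of generic types and the third log record are this example's own constructions; it needs only POSIX sh, sed, grep and cut, so it runs offline without audit2allow.

```shell
#!/bin/sh
# Added example, not from the thread: classify SELinux AVC denials like the
# ones quoted above, and pick out only the relevant records before handing
# them to audit2allow. Needs only POSIX sh, sed, grep and cut.

# Pull one key=value field out of an audit record; the value runs up to the
# next space, so quoted values such as name="BackupPC.sock" keep their quotes.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# Permission(s) inside "denied { ... }", normalised to single spaces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' \
        | tr -s ' ' | sed 's/^ //;s/ $//'
}

# Reduce an AVC record to: source type, permission, object class, target type.
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(avc_field "$1" scontext | cut -d: -f3)" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" tcontext | cut -d: -f3)"
}

# Rule of thumb used in the thread: unlabeled_t, or a generic parent-directory
# type such as var_log_t, on the target means the file labels are wrong, so
# relabel instead of writing an allow rule; any other type means the loaded
# policy lacks the rule. The list of generic types is this example's choice.
avc_advice() {
    src=$(avc_field "$1" scontext | cut -d: -f3)
    tgt=$(avc_field "$1" tcontext | cut -d: -f3)
    cls=$(avc_field "$1" tclass)
    perm=$(avc_perm "$1")
    case $tgt in
        unlabeled_t|file_t|default_t|var_log_t|var_t)
            printf 'relabel: target type %s is generic; set the file context with semanage fcontext -a -t TYPE and run restorecon -R -v on the directory\n' "$tgt" ;;
        *)
            printf 'policy: %s lacks { %s } on %s of type %s; build a local module with audit2allow -M\n' "$src" "$perm" "$cls" "$tgt" ;;
    esac
}

# Select only the AVC records for one program and one object. Grepping the whole
# log for a type name, as suggested above, also sweeps in unrelated denials and
# would allow all of them in the generated module.
avc_select() {
    # $1 = audit log, $2 = comm, $3 = object name
    grep 'type=AVC' "$1" | grep "comm=\"$2\"" | grep "name=\"$3\""
}

# Constructed sample log: Steve's two denials joined onto one line each, plus an
# unrelated (constructed) httpd denial that a bare grep for httpd_sys_content_t
# would also catch.
AVC_VAR_LOG='node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file'
AVC_SYS_CONTENT='node=steve.blackwell type=AVC msg=audit(1272379639.571:319): avc: denied { write } for pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file'
AVC_OTHER='node=steve.blackwell type=AVC msg=audit(1272379700.100:320): avc: denied { write } for pid=31999 comm="httpd" name="index.html" dev=dm-0 ino=99999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
printf '%s\n' "$AVC_VAR_LOG" "$AVC_SYS_CONTENT" "$AVC_OTHER" > "$SAMPLE_LOG"

for rec in "$AVC_VAR_LOG" "$AVC_SYS_CONTENT"; do
    echo "$(avc_summary "$rec") -> $(avc_advice "$rec")"
done
echo "records worth feeding to audit2allow -M mybackuppc:"
avc_select "$SAMPLE_LOG" perl5.10.0 BackupPC.sock
# On the real box:
# avc_select /var/log/audit/audit.log perl5.10.0 BackupPC.sock | audit2allow -M mybackuppc
```

Before loading the generated module with semodule -i, read the .te file audit2allow wrote and confirm it contains only the httpd_t to httpd_sys_content_t sock_file write rule you meant to add.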
 
Old 04-27-2010, 03:41 PM
Steve Blackwell
 
Help with messed up F11 SELinux

On Tue, 27 Apr 2010 17:01:26 +0200
Dominick Grift <domg472@gmail.com> wrote:

> On Tue, Apr 27, 2010 at 10:57:17AM -0400, Steve Blackwell wrote:
> > On Tue, 27 Apr 2010 08:45:25 -0400
> > Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> > > On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> > > > On Mon, 26 Apr 2010 11:11:00 -0400
> > > > Daniel J Walsh <dwalsh@redhat.com> wrote:
> > > >
> > > >
> > > >>> I do still have one (so far) problem though. When I tried to
> > > >>> point my browser at my local BackupPC server page I get an
> > > >>> "Unable to Connect" message and an AVC:
> > > >>>
> > > >>> Raw Audit Messages:
> > > >>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138):
> > > >>> avc: denied { write } for pid=31707 comm="perl5.10.0"
> > > >>> name="BackupPC.sock" dev=dm-0 ino=36667496
> > > >>> scontext=system_u:system_r:httpd_t:s0
> > > >>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
> > > >>>
> > > >>> node=steve.blackwell type=SYSCALL
> > > >>> msg=audit(1272289200.98:138): arch=40000003 syscall=102
> > > >>> success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008
> > > >>> items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48
> > > >>> euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> > > >>> tty=(none) ses=4294967295 comm="perl5.10.0"
> > > >>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> > > >>> key=(null)
> > > >>>
> > > >>> Now I know I could change the context of that socket file but
> > > >>> I'm guessing that it gets created every time and so that is
> > > >>> not a permanent solution. Is there a boolean I need to set;
> > > >>> nothing looked obvious or perhaps a BackupPC policy I need to
> > > >>> install?
> > > >>>
> > > >>> Thanks,
> > > >>> Steve
> > > >>>
> > > >>>
> > > >> What directory is the socket in?
> > > >
> > > > /var/log/BackupPC
> > > >
> > > > Steve
> > >
> > > The BackupPC package comes with labeling in F12/F13 of
> > > httpd_sys_content_t.
> > >
> > > # matchpathcon /var/log/BackupPC/
> > > /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
> > >
> > > Execute the following; it should fix the problem:
> > >
> > > # semanage fcontext -a -t httpd_sys_content_t
> > > '/var/log/BackupPC(/.*)?'
> > > # restorecon -R -v /var/log/BackupPC
> >
> > No luck.
> >
> > This did relabel the files in /var/log/BackupPC
> >
> > [root@steve ~]# ls -lZ /var/log/BackupPC
> > -r--r--r--. backuppc backuppc
> > system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
> > srwxr-x---. backuppc backuppc
> > system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>
> This pid and sock need to move to /var/run; I asked the backuppc packager
> to do this a long time ago but for some reason it is not fixed yet.
>

I posted another message to the BackupPC list to try and find the
status of your request, but I didn't get an answer to my first question
so I'm not holding my breath.

In the meantime, would this work as a temporary workaround?

# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.sock
# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.pid
# restorecon -R -v /var/log/BackupPC

Thanks,
Steve