FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor


 
 
LinkBack Thread Tools
 
Old 04-06-2008, 09:01 AM
"Valent Turkovic"
 
Default gconf alert

On Sun, Apr 6, 2008 at 10:37 AM, Valent Turkovic
<valent.turkovic@gmail.com> wrote:
>
> On Sat, Apr 5, 2008 at 9:21 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Valent Turkovic wrote:
> > > On Sat, Mar 29, 2008 at 6:55 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > >> -----BEGIN PGP SIGNED MESSAGE-----
> > >> Hash: SHA1
> > >>
> > >> Valent Turkovic wrote:
> > >>
> > >>> On Thu, Mar 27, 2008 at 6:36 PM, John Dennis <jdennis@redhat.com> wrote:
> > >> >> Valent Turkovic wrote:
> > >> >> > I'm creating live cds under rawhide and I have selinux in permissive
> > >> >> > mode, could that be reason I'm seeing these hundreds of alerts?
> > >> >>
> > >> >> https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00130.html
> > >> >>
> > >> >> --
> > >> >> John Dennis <jdennis@redhat.com>
> > >> >>
> > >> >
> > >> > Ok, I'm an idiot I got so much going on at once (work, moving to
> > >> > new apartment, etc...) that I totally forgot I got this replied
> > >> > already.
> > >> >
> > >> > But I want to keep in permissive an not enforcing mode so is just
> > >> > "load_policy" enough ?
> > >> >
> > >> > Cheers,
> > >> > Valent.
> > >> >
> > >> load_policy and you might need to kill any processes that are running as
> > >> unlabeled_t. Potentially you could have files that are mislabeled.
> > >
> > >
> > >
> > > I made several load_policy and relabels with reboot ans I still see
> > > these errors!
> > > Do you have any idea why?
> > >
> > > Cheers,
> > > Valent
> > > .
> > >
> > >
> > Do you have two policy files in /etc/selinux/targeted/policy?
>
> # ls -al /etc/selinux/targeted/policy
> total 4056
> drwxr-xr-x 2 root root 4096 2008-04-03 23:05 .
> drwxr-xr-x 5 root root 4096 2008-04-03 23:05 ..
> -rw-r--r-- 1 root root 4128435 2008-04-03 23:05 policy.21
>
> as you can see I have only on file in policy directory
>
>
> > If you do, remove the lower version and then execute load_policy,
> > Relabel the file in question and you should not have a problem. If the
> > file is in /tmp you can remove it or set its label to tmp_t.
>
> I'm going now to move all files from /tmp to another folder and then
> if reboot succeeds I'll delete those files and see if I still see
> selinux alerts.
>
> So you haven't seen this kind of error? Nobody has reported anything similar?
>
>
>
> Valent.
>
> --
> http://kernelreloaded.blog385.com/
> linux, blog, anime, spirituality, windsurf, wireless
> registered as user #367004 with the Linux Counter, http://counter.li.org.
> ICQ: 2125241, Skype: valent.turkovic
>


Even after deleting all files in /tmp folder I still see these two
alerts (in attachemen).

I investigated alert about saved_state.tmp file and with locate file
command I found this:
/home/valentt/.gconfd/saved_state

does that give you any more clues why I'm seeing these alerts? I'm now
in Fedora 8 not in Rawhide but in Rawhide I see same alerts.

Is it possible that livecd-creator does some things and breaks selinux
in some way that you still aren't aware of?

Valent.

--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

Sažetak:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detaljan opis:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Dopuštanje pristupa:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Dodatni podaci:

Izvorni kontekst unconfined_ubject_r:unlabeled_t:s0
Ciljani kontekst system_ubject_r:fs_t:s0
Ciljani objekti .testing.writeability [ filesystem ]
Source gconfd-2
Source Path /usr/libexec/gconfd-2
Port <Nepoznato>
Host valent.oswireless
Source RPM Packages GConf2-2.20.1-1.fc8
Target RPM Packages
RPM pravila selinux-policy-3.0.8-95.fc8
Selinux je omogu?en True
Vrsta pravila targeted
MLS je omogu?en True
Na?in prisile Permissive
Naziv dodatka filesystem_associate
Naziv ra?unala valent.oswireless
Platforma Linux valent.oswireless 2.6.24.4-64.fc8 #1 SMP Sat
Mar 29 09:54:46 EDT 2008 i686 i686
Broj uzbuna 2
First Seen Ned 06 Tra 2008 10:45:05
Last Seen Ned 06 Tra 2008 10:45:06
Local ID a8146644-9f87-4a21-a503-44839f130435
Brojevi redaka

Sirova poruke revizije

host=valent.oswireless type=AVC msg=audit(1207471506.417:34): avc: denied { associate } for pid=3289 comm="gconfd-2" name=".testing.writeability" scontext=unconfined_ubject_r:unlabeled_t:s0 tcontext=system_ubject_r:fs_t:s0 tclass=filesystem

host=valent.oswireless type=SYSCALL msg=audit(1207471506.417:34): arch=40000003 syscall=5 success=yes exit=35 a0=88c4818 a1=41 a2=1c0 a3=88c4818 items=0 ppid=1 pid=3289 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Sažetak:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detaljan opis:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Dopuštanje pristupa:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Dodatni podaci:

Izvorni kontekst unconfined_ubject_r:unlabeled_t:s0
Ciljani kontekst system_ubject_r:fs_t:s0
Ciljani objekti saved_state.tmp [ filesystem ]
Source gconfd-2
Source Path /usr/libexec/gconfd-2
Port <Nepoznato>
Host valent.oswireless
Source RPM Packages GConf2-2.20.1-1.fc8
Target RPM Packages
RPM pravila selinux-policy-3.0.8-95.fc8
Selinux je omogu?en True
Vrsta pravila targeted
MLS je omogu?en True
Na?in prisile Permissive
Naziv dodatka filesystem_associate
Naziv ra?unala valent.oswireless
Platforma Linux valent.oswireless 2.6.24.4-64.fc8 #1 SMP Sat
Mar 29 09:54:46 EDT 2008 i686 i686
Broj uzbuna 1
First Seen Ned 06 Tra 2008 10:45:35
Last Seen Ned 06 Tra 2008 10:45:35
Local ID dc68311c-e8e2-409c-96a1-de04d58f95b3
Brojevi redaka

Sirova poruke revizije

host=valent.oswireless type=AVC msg=audit(1207471535.121:37): avc: denied { associate } for pid=3289 comm="gconfd-2" name="saved_state.tmp" scontext=unconfined_ubject_r:unlabeled_t:s0 tcontext=system_ubject_r:fs_t:s0 tclass=filesystem

host=valent.oswireless type=SYSCALL msg=audit(1207471535.121:37): arch=40000003 syscall=5 success=yes exit=14 a0=88c2440 a1=241 a2=1c0 a3=8663230 items=0 ppid=1 pid=3289 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-10-2008, 08:08 PM
Daniel J Walsh
 
Default gconf alert

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Valent Turkovic wrote:
> On Sun, Apr 6, 2008 at 10:37 AM, Valent Turkovic
> <valent.turkovic@gmail.com> wrote:
>> On Sat, Apr 5, 2008 at 9:21 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> >
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > Valent Turkovic wrote:
>> > > On Sat, Mar 29, 2008 at 6:55 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> > >> -----BEGIN PGP SIGNED MESSAGE-----
>> > >> Hash: SHA1
>> > >>
>> > >> Valent Turkovic wrote:
>> > >>
>> > >>> On Thu, Mar 27, 2008 at 6:36 PM, John Dennis <jdennis@redhat.com> wrote:
>> > >> >> Valent Turkovic wrote:
>> > >> >> > I'm creating live cds under rawhide and I have selinux in permissive
>> > >> >> > mode, could that be reason I'm seeing these hundreds of alerts?
>> > >> >>
>> > >> >> https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00130.html
>> > >> >>
>> > >> >> --
>> > >> >> John Dennis <jdennis@redhat.com>
>> > >> >>
>> > >> >
>> > >> > Ok, I'm an idiot I got so much going on at once (work, moving to
>> > >> > new apartment, etc...) that I totally forgot I got this replied
>> > >> > already.
>> > >> >
>> > >> > But I want to keep in permissive an not enforcing mode so is just
>> > >> > "load_policy" enough ?
>> > >> >
>> > >> > Cheers,
>> > >> > Valent.
>> > >> >
>> > >> load_policy and you might need to kill any processes that are running as
>> > >> unlabeled_t. Potentially you could have files that are mislabeled.
>> > >
>> > >
>> > >
>> > > I made several load_policy and relabels with reboot ans I still see
>> > > these errors!
>> > > Do you have any idea why?
>> > >
>> > > Cheers,
>> > > Valent
>> > > .
>> > >
>> > >
>> > Do you have two policy files in /etc/selinux/targeted/policy?
>>
>> # ls -al /etc/selinux/targeted/policy
>> total 4056
>> drwxr-xr-x 2 root root 4096 2008-04-03 23:05 .
>> drwxr-xr-x 5 root root 4096 2008-04-03 23:05 ..
>> -rw-r--r-- 1 root root 4128435 2008-04-03 23:05 policy.21
>>
>> as you can see I have only on file in policy directory
>>
>>
>> > If you do, remove the lower version and then execute load_policy,
>> > Relabel the file in question and you should not have a problem. If the
>> > file is in /tmp you can remove it or set its label to tmp_t.
>>
>> I'm going now to move all files from /tmp to another folder and then
>> if reboot succeeds I'll delete those files and see if I still see
>> selinux alerts.
>>
>> So you haven't seen this kind of error? Nobody has reported anything similar?
>>
>>
>>
>> Valent.
>>
>> --
>> http://kernelreloaded.blog385.com/
>> linux, blog, anime, spirituality, windsurf, wireless
>> registered as user #367004 with the Linux Counter, http://counter.li.org.
>> ICQ: 2125241, Skype: valent.turkovic
>>
>
>
> Even after deleting all files in /tmp folder I still see these two
> alerts (in attachemen).
>
> I investigated alert about saved_state.tmp file and with locate file
> command I found this:
> /home/valentt/.gconfd/saved_state
>
> does that give you any more clues why I'm seeing these alerts? I'm now
> in Fedora 8 not in Rawhide but in Rawhide I see same alerts.
>
> Is it possible that livecd-creator does some things and breaks selinux
> in some way that you still aren't aware of?
>
> Valent.
>
>
You should run restorecon on your homedir. restorecon -R -v ~/


The loading of a different policy will invalidate file context on disk
that the new policy does not understand. But reloading the original
policy should change the context badk to something that is understood.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkf+c7EACgkQrlYvE4MpobMgWwCffNmGfQExWC WIps7jHy5a1QeJ
Cg0An0dGx1WckFnRoAdp/ZuFpTQEiLqo
=6uxi
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 02:44 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org