-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Terry - Fedora Core wrote: > Richard England wrote: >> Terry - Fedora Core wrote: >>> As I reported on another thread, SELinux has caused me trouble and >>> blocked access to my hard disks. >>> >>> To solve the problem, I set SELinux to "permissive" mode. Am I >>> positive that SELinux caused the problem of not being able access the >>> hard disks. No. But then when I set SELinux to permissive mode the >>> problem disappeared. Not proof, but very strong evidence. >>> >>> My question: >>> >>> Should I enable SELinux again? >>> >>> What do I gain if I do? >>> >>> Will the gain be greater than the loss of accessing my computer hard >>> disks? >>> >>> And if I do, how do I try to prevent it from locking me out of the >>> hard disks again? >>> >>> How do I determine what caused SELinux to block access, how much >>> trouble is it to change SELinux to prevent it from doing that again? >>> >>> Your insights are appreciated. >>> >>> Terry >>> >> You need to provide more solid details around "...blocked access to my >> hard disks." What error messages are you seeing? Some one on this >> list might > The error messages were along the lines that an application could not > write to it's resource file in it's hidden directory in my home directory. > > Also, Konqueror simply refused to open any directories whatsoever. It > displayed the directory structure in the navigation panel, but it would > not allow access to any directory, even directories under my home > directory. Nor would it allow access to other hard disks on the system - > hard disks other than the hard disk that FEdora Core 8 is installed on. > The computer was still working, but ALL directories and ALL files were > simply not accesable, either by Konqueror or any other application. Even > when I used File Manager (Konqueror) in super user mode or the super > user terminal. I simply got error messages that I did not have > sufficient permission to access the directory/file - even the super user > (root) got the same message. I attributed t6his to SELinux based on the > simple logic that SELinux was giving me the error messages relating to > blocking access to something or other. See SELinux error reports below. >> be able to assist you. Is SELinux involved? Probably, given your >> experience but how is yet to be determine. It might be as simple as >> a need to relabel your file system ("touch /.autorelabel" and reboot. >> ), but provide more detail and someone can help tell you if that is >> your problem >> >> I've been running F7 and F8 with SElinux enabled for as long as they >> have both been out and have had not difficulties. So it is possible. > I copied the SELinux Troubleshooter reports on another thread, but they > don't seem to have made it to the list so I'll copy them below. They > make no sense to me. It references something about labeling problems, > but I did not label anything. I would expect the installation program to > apply appropriate labels to everything that the user would need to do to > download and install and configure the system for normal use so that > SELinux would not need to complain about such things. (Note the octal > IDs below have been randomly changed by me - I get nervous when I see > such information being made public :-) ) > > Terry > > SELinux Trouble Reports follow - 4 (converted to text from pdf by > pdftotext) > > > Summary SELinux is preventing gdm (xdm_t) "execute" to <Unknown> > (rpm_exec_t). Detailed Description SELinux denied access requested by > gdm. It is not expected that this access is required by gdm and this > access may signal an intrusion attempt. It is also possible that the > specific version or configuration of the application is causing it to > require additional access. Allowing Access Sometimes labeling problems > can cause SELinux denials. You could try to restore the default system > file context for <Unknown>, restorecon -v <Unknown> If this does not > work, there is currently no automatic way to allow this access. Instead, > you can generate a local policy module to allow this access - see > http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can > disable SELinux protection altogether. Disabling SELinux protection is > not recommended. Please file a > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. > Additional Information Source Context Target Context Target Objects > Affected RPM Packages Policy RPM Selinux Enabled Policy Type MLS Enabled > Enforcing Mode Plugin Name Host Name Platform Alert Count First Seen > Last Seen Local ID Line Numbers Raw Audit Messages avc: denied { execute > } for comm=gdm dev=sda7 name=rpm pid=3107 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file > tcontext=system_u:object_r:rpm_exec_t:s0 > system_u:system_r:xdm_t:s0-s0:c0.c1023 system_u:object_r:rpm_exec_t:s0 > None [ file ] selinux-policy-3.0.8-44.fc8 True targeted True Enforcing > plugins.catchall_file Home-Net Linux Home-Net 2.6.23.1-42.fc8 #1 SMP Tue > Oct 30 13:55:12 EDT 2007 i686 i686 7 Wed 06 Feb 2008 01:50:35 PM EST Thu > 07 Feb 2008 10:26:00 AM EST 41e3c4c1-b5da-4c6a-8917-01b4013c448f > > Summary SELinux is preventing gdm (xdm_t) "getattr" to /bin/rpm > (rpm_exec_t). Detailed Description SELinux denied access requested by > gdm. It is not expected that this access is required by gdm and this > access may signal an intrusion attempt. It is also possible that the > specific version or configuration of the application is causing it to > require additional access. Allowing Access Sometimes labeling problems > can cause SELinux denials. You could try to restore the default system > file context for /bin/rpm, restorecon -v /bin/rpm If this does not work, > there is currently no automatic way to allow this access. Instead, you > can generate a local policy module to allow this access - see > http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can > disable SELinux protection altogether. Disabling SELinux protection is > not recommended. Please file a > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. > Additional Information Source Context Target Context Target Objects > Affected RPM Packages Policy RPM Selinux Enabled Policy Type MLS Enabled > Enforcing Mode Plugin Name Host Name Platform Alert Count First Seen > Last Seen Local ID Line Numbers Raw Audit Messages avc: denied { getattr > } for comm=gdm dev=sda7 egid=0 euid=0 exe=/bin/bash exit=-13 fsgid=0 > fsuid=0 gid=0 items=0 path=/bin/rpm pid=3107 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0 > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file > tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0 > system_u:system_r:xdm_t:s0-s0:c0.c1023 system_u:object_r:rpm_exec_t:s0 > /bin/rpm [ file ] rpm-4.4.2.2-3.fc8 [target] selinux-policy-3.0.8-44.fc8 > True targeted True Enforcing plugins.catchall_file Home-Net Linux > Home-Net 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686 > 13 Wed 06 Feb 2008 01:50:35 PM EST Thu 07 Feb 2008 10:26:00 AM EST > 845ddb2e-69a4-6f67-5508-83456c0bff19 > > Summary SELinux is preventing sh (loadkeys_t) "search" to <Unknown> > (home_root_t). Detailed Description SELinux denied access requested by > sh. It is not expected that this access is required by sh and this > access may signal an intrusion attempt. It is also possible that the > specific version or configuration of the application is causing it to > require additional access. Allowing Access Sometimes labeling problems > can cause SELinux denials. You could try to restore the default system > file context for <Unknown>, restorecon -v <Unknown> If this does not > work, there is currently no automatic way to allow this access. Instead, > you can generate a local policy module to allow this access - see > http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can > disable SELinux protection altogether. Disabling SELinux protection is > not recommended. Please file a > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. > Additional Information Source Context Target Context Target Objects > Affected RPM Packages Policy RPM Selinux Enabled Policy Type MLS Enabled > Enforcing Mode Plugin Name Host Name Platform Alert Count First Seen > Last Seen Local ID Line Numbers Raw Audit Messages avc: denied { search > } for comm=sh dev=sda7 egid=0 euid=0 exe=/bin/bash exit=-13 fsgid=0 > fsuid=0 gid=0 items=0 name=home pid=4986 > scontext=system_u:system_r:loadkeys_t:s0 sgid=0 > subj=system_u:system_r:loadkeys_t:s0 suid=0 tclass=dir > tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0 > system_u:system_r:loadkeys_t:s0 system_u:object_r:home_root_t:s0 None [ > dir ] selinux-policy-3.0.8-44.fc8 True targeted True Enforcing > plugins.catchall_file Home-Net Linux Home-Net 2.6.23.1-42.fc8 #1 SMP Tue > Oct 30 13:55:12 EDT 2007 i686 i686 2 Wed 06 Feb 2008 04:52:48 PM EST Wed > 06 Feb 2008 04:52:48 PM EST 54a23c38-b925-4467-aa0e-5d3fdcc5d799 > > Summary SELinux is preventing sh (loadkeys_t) "search" to <Unknown> > (unconfined_home_dir_t). Detailed Description SELinux denied access > requested by sh. It is not expected that this access is required by sh > and this access may signal an intrusion attempt. It is also possible > that the specific version or configuration of the application is causing > it to require additional access. Allowing Access Sometimes labeling > problems can cause SELinux denials. You could try to restore the default > system file context for <Unknown>, restorecon -v <Unknown> If this does > not work, there is currently no automatic way to allow this access. > Instead, you can generate a local policy module to allow this access - > see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can > disable SELinux protection altogether. Disabling SELinux protection is > not recommended. Please file a > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. > Additional Information Source Context Target Context Target Objects > Affected RPM Packages Policy RPM Selinux Enabled Policy Type MLS Enabled > Enforcing Mode Plugin Name Host Name Platform Alert Count First Seen > Last Seen Local ID Line Numbers Raw Audit Messages avc: denied { search > } for comm=sh dev=sda7 name=terry pid=4986 > scontext=system_u:system_r:loadkeys_t:s0 tclass=dir > tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 > system_u:system_r:loadkeys_t:s0 > unconfined_u:object_r:unconfined_home_dir_t:s0 None [ dir ] > selinux-policy-3.0.8-44.fc8 True targeted True Enforcing > plugins.catchall_file Home-Net Linux Home-Net 2.6.23.1-42.fc8 #1 SMP Tue > Oct 30 13:55:12 EDT 2007 i686 i686 22 Wed 06 Feb 2008 04:52:48 PM EST > Wed 06 Feb 2008 04:52:48 PM EST 04bec695-038f-408d-bf7a-fa3c5f6e2812 > >> >> ~~R >> > This looks like you are logging into the system as xdm_t? If you have a terminal shell up, execute id -Z to show what context you are logged in as. I think your system is badly mislabeled. You can execute touch /.autorelabel; reboot To fix the system labeling, you should also update to the latest selinux policy. The installation should have set the labeling in the first place. I have no idea how you got to this state. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkexr1YACgkQrlYvE4MpobPlWQCZASRumpCarxQKq40pD0k6OGDS pqMAn3pDKMcefX0dZSWj+06V1W7fUmoF =il+v -----END PGP SIGNATURE----- -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list