Re: Selinux labelling problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alberto Ferrante wrote:
> A thing I just tried: if I run "setfiles -n" it gives me the wrong
> labels for the files:
> setfiles -nd /etc/selinux/targeted/contexts/files/file_contexts
> '/var/lib/xenstored'
> setfiles:  /var/lib/xenstored matched by
> unconfined_u:object_r:unconfined_home_dir_t:s0
> setfiles:  /var/lib/xenstored/tdb matched by
> unconfined_u:object_r:unconfined_home_t:s0
> filespec_eval:  hash table stats: 2 elements, 2/65536 buckets used,
> longest chain length 1
> 
> In /etc/selinux/targeted/contexts/files/file_contexts I have the
> following two entries for that directory:
> /var/lib/xenstored(/.*)?        system_u:object_r:xenstored_var_lib_t:s0
> /var/run/xenstored(/.*)?        system_u:object_r:xenstored_var_run_t:s0
> 
> It sounds like it's not matching the entries in the file...
> 
> Here is the AVC message related to xenstored, but I have many others!
> 
> type=AVC msg=audit(1204647044.542:940): avc:  denied  { unlink } for
> pid=2322 comm="xenstored" name="tdb" dev=sda8 ino=704271
> scontext=system_u:system_r:xenstored_t:s0
> tcontext=system_u:object_r:unconfined_home_dir_t:s0 tclass=file
> type=SYSCALL msg=audit(1204647044.542:940): arch=c000003e syscall=82
> success=yes exit=0 a0=815480 a1=613780 a2=613796 a3=40da82 items=0
> ppid=1 pid=2322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="xenstored" exe="/usr/sbin/xenstored"
> subj=system_u:system_r:xenstored_t:s0 key=(null)
> 
> Thanks for your help.
> 
> Best regards,
>     Alberto Ferrante
> 
> |> > during the last days I have been experiencing some strange problems
> on a
> |> > pre-production server (planned to become a production one this
> week...).
> |> > I am running xen with two virtual hosts. The problem is in the real
> host
> |> > where something with selinux seems to have gone bad. I started having
> |> > selinux blocking different file accesses from different services. I
> |> > tried a full relabeling (the problems started after the last targeted
> |> > policy update made by yum) but it did not work. It seems like
> restorecon
> |> > always assigns the unconfined_u:object_r:unconfined_home_t label to
> all
> |> > the files. I am using the targeted policy. Please give advices on
> how to
> |> > solve this problem.
> |> >
> | Please attach the AVC messages from the audit.log.  What directory is
> | labeled unconfined_home_t?
> 
Do you have an entry in /etc/passwd with a homedir containing /var/lib?
 Does it have a UID > 500 and a login shell other than /bin/false or
/sbin/nologin?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfNeR0ACgkQrlYvE4MpobPjfQCgwnih+F+ByOTQ4jKDoIUx3PLy
u2MAn2Kr6iNgJHdXZVZVobM9aXZv9752
=UvkA
-----END PGP SIGNATURE-----

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux