Re: SElinux issue

Looks like prelude.te provides the prewikka code.

grep prew *
prelude.fc:/usr/share/prewikka/cgi-bin(/.*)?	gen_context(system_u:object_r:prewikka_script_exec_t,s0)
prelude.te:	apache_content_template(prewikka)
prelude.te:	apache_content_alias_template(prewikka, prewikka)
prelude.te:	can_exec(prewikka_script_t, prewikka_script_exec_t)
prelude.te:	files_search_tmp(prewikka_script_t)
prelude.te:	kernel_read_sysctl(prewikka_script_t)
prelude.te:	kernel_search_network_sysctl(prewikka_script_t)
prelude.te:	auth_use_nsswitch(prewikka_script_t)
prelude.te:	logging_send_syslog_msg(prewikka_script_t)
prelude.te:	apache_search_sys_content(prewikka_script_t)
prelude.te:		mysql_stream_connect(prewikka_script_t)
prelude.te:		mysql_tcp_connect(prewikka_script_t)
prelude.te:		postgresql_stream_connect(prewikka_script_t)
prelude.te:		postgresql_tcp_connect(prewikka_script_t)

semodule -l | grep prelude
On 09/25/2015 06:51 PM, Paolo Galtieri wrote:
Daniel,
  on the machine on which things work there is a prewikka.pp file, but on the one that fails there isn't.  On the system
that fails I have the following prewikka policy file (prewikkapol.te):

module prewikka 1.0;

require {
    type tmp_t;
    type init_var_run_t;
    type httpd_prewikka_script_t;
    type sysfs_t;
    class dir { read search };
}

#============= httpd_prewikka_script_t ==============
allow httpd_prewikka_script_t init_var_run_t:dir search;
allow httpd_prewikka_script_t sysfs_t:dir read;
allow httpd_prewikka_script_t tmp_t:dir read;

and the corresponding prewikkapol.pp file.

On the system that works I have the following prewikka policy file (prewikka.te):

module prewikka 1.0;

require {
    type tmp_t;
    type init_var_run_t;
    type httpd_prewikka_script_t;
    type sysfs_t;
    class dir { read search };
}

#============= httpd_prewikka_script_t ==============
allow httpd_prewikka_script_t init_var_run_t:dir search;
allow httpd_prewikka_script_t sysfs_t:dir read;
allow httpd_prewikka_script_t tmp_t:dir read;

and the corresponding prewikka.pp file.  So as far as I know the prewikka policy files are present, and neither says
anything about httpd_prewikka_rw_content_t.

Also if I run

semodule -l

the appropriate policy file is shown.

I tried disabling the module:

sudo semodule -d prewikkapol
[sudo] password for pgaltieri:
libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for /usr/share/prewikka/htdocs/generated_images [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
semodule:  Failed!

I tried to remove the module:

sudo semodule -r prewikkapol
libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for /usr/share/prewikka/htdocs/generated_images [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
semodule:  Failed!

It does appear though that setsebool still works despite the errors.

Still confused though why I'm seeing the error.

Thanks for the help,

Paolo


On 09/25/2015 12:26 PM, Daniel J Walsh wrote:
Looks like you might have a prewikka policy around?

locate prewikka.pp

Did you build a custom policy module?

On 09/25/2015 02:30 PM, Paolo Galtieri wrote:
Folks,
   I got an SELinux alert this morning.  The suggestion to correct the
problem was to do:

setsebool -P unconfined_mozilla_plugin_transition 0

When I did this I got the following response:

libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0

I have 2 systems running F22; I got this response on one of the
systems, but not the other.  When I was running F19 on the affected
system (prior to upgrading to F22) I did have the prewikka packages
installed, but I have since removed them.  However, it appears that
some remnants of those packages remain.

How do I fix this issue?  I looked in the httpd config files and
couldn't find any reference.

Any help is appreciated.

Paolo


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org