Looks like prelude.te provides the prewikka code.
grep prew *
prelude.fc:/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:prewikka_script_exec_t,s0)
prelude.te: apache_content_template(prewikka)
prelude.te: apache_content_alias_template(prewikka, prewikka)
prelude.te: can_exec(prewikka_script_t, prewikka_script_exec_t)
prelude.te: files_search_tmp(prewikka_script_t)
prelude.te: kernel_read_sysctl(prewikka_script_t)
prelude.te: kernel_search_network_sysctl(prewikka_script_t)
prelude.te: auth_use_nsswitch(prewikka_script_t)
prelude.te: logging_send_syslog_msg(prewikka_script_t)
prelude.te: apache_search_sys_content(prewikka_script_t)
prelude.te: mysql_stream_connect(prewikka_script_t)
prelude.te: mysql_tcp_connect(prewikka_script_t)
prelude.te: postgresql_stream_connect(prewikka_script_t)
prelude.te: postgresql_tcp_connect(prewikka_script_t)
semodule -l | grep prelude
On 09/25/2015 06:51 PM, Paolo Galtieri wrote:
Daniel,
on the machine on which things work there is a prewikka.pp file, but on the one that fails there isn't. On the system that fails I have the following prewikka policy file (prewikkapol.te):
module prewikka 1.0;
require {
type tmp_t;
type init_var_run_t;
type httpd_prewikka_script_t;
type sysfs_t;
class dir { read search };
}
#============= httpd_prewikka_script_t ==============
allow httpd_prewikka_script_t init_var_run_t:dir search;
allow httpd_prewikka_script_t sysfs_t:dir read;
allow httpd_prewikka_script_t tmp_t:dir read;
and the corresponding prewikkapol.pp file.
On the system that works I have the following prewikka policy file
(prewikka.te):
module prewikka 1.0;
require {
type tmp_t;
type init_var_run_t;
type httpd_prewikka_script_t;
type sysfs_t;
class dir { read search };
}
#============= httpd_prewikka_script_t ==============
allow httpd_prewikka_script_t init_var_run_t:dir search;
allow httpd_prewikka_script_t sysfs_t:dir read;
allow httpd_prewikka_script_t tmp_t:dir read;
and the corresponding prewikka.pp file. So as far as I know the prewikka policy files are present, and neither says anything about httpd_prewikka_rw_content_t.
Also if I run
semodule -l
the appropriate policy file is shown.
I tried disabling the module:
sudo semodule -d prewikkapol
[sudo] password for pgaltieri:
libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for /usr/share/prewikka/htdocs/generated_images [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
semodule: Failed!
I tried to remove the module:
sudo semodule -r prewikkapol
libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for /usr/share/prewikka/htdocs/generated_images [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
semodule: Failed!
It does appear though that setsebool still works despite the errors.
Still confused though why I'm seeing the error.
Thanks for the help,
Paolo
On 09/25/2015 12:26 PM, Daniel J Walsh wrote:
Looks like you might have a prewikka policy around?
locate prewikka.pp
Did you build a custom policy module?
On 09/25/2015 02:30 PM, Paolo Galtieri wrote:
Folks,
I got an SELinux alert this morning. The suggestion to correct the problem was to do:
setsebool -P unconfined_mozilla_plugin_transition 0
When I did this I got the following response:
libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
I have 2 systems running F22, I got this response on one of the systems, but not the other. When I was running F19 on the affected system (prior to upgrading to F22) I did have the prewikka packages installed, but I have since removed them. However, it appears that some remnants of those packages remain.
How do I fix this issue? I looked in the httpd config files and couldn't find any reference.
Any help is appreciated.
Paolo
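
The semodule failures quoted in this thread name both the undefined type and the path whose file-context entry still refers to it. The following shell functions are an added example, not part of any message in the thread: they rejoin wrapped libsepol/libsemanage error text and report which paths carry a context whose type the policy no longer defines. The function names are hypothetical, and the sample input is constructed from the error text quoted above.

```shell
#!/bin/sh
# Constructed sample: the semodule error text from the thread, wrapped as mailed.
sample_errors() {
cat <<'EOF'
libsepol.context_from_record: type httpd_prewikka_rw_content_t is
not defined (No such file or directory).
libsepol.context_from_record: could not create context structure
(Invalid argument).
libsemanage.validate_handler: invalid context
system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for
/usr/share/prewikka/htdocs/generated_images [all files] (Invalid
argument).
EOF
}

# Rejoin hard-wrapped lines into one space-separated line.
unwrap() { tr '\n' ' ' | tr -s ' '; }

# Print each type reported as "type X is not defined", once.
undefined_types() {
    unwrap | grep -oE 'type [A-Za-z0-9_]+ is not defined' |
        awk '{print $2}' | sort -u
}

# Print "context<TAB>path" for each "invalid context C specified for P [" record.
invalid_fcontexts() {
    unwrap | grep -oE 'invalid context [^ ]+ specified for [^ ]+ \[' |
        awk '{printf "%s\t%s\n", $3, $6}' | sort -u
}

# Print the paths whose context uses a type that is also reported undefined.
stale_paths() {
    input=$(cat)
    types=$(printf '%s\n' "$input" | undefined_types)
    printf '%s\n' "$input" | invalid_fcontexts |
    while IFS="$(printf '\t')" read -r ctx path; do
        t=$(printf '%s' "$ctx" | cut -d: -f3)   # user:role:TYPE:level
        if printf '%s\n' "$types" | grep -qxF "$t"; then
            printf '%s\n' "$path"
        fi
    done
}

sample_errors | stale_paths
```

The path it prints identifies the file-context record to look for; where that record is stored on the affected system is not established in the thread.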