On Sun, Apr 6, 2008 at 10:37 AM, Valent Turkovic <valent.turkovic@xxxxxxxxx> wrote:
>
> On Sat, Apr 5, 2008 at 9:21 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Valent Turkovic wrote:
> > > On Sat, Mar 29, 2008 at 6:55 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > >> -----BEGIN PGP SIGNED MESSAGE-----
> > >> Hash: SHA1
> > >>
> > >> Valent Turkovic wrote:
> > >>
> > >>> On Thu, Mar 27, 2008 at 6:36 PM, John Dennis <jdennis@xxxxxxxxxx> wrote:
> > >> >> Valent Turkovic wrote:
> > >> >> > I'm creating live cds under rawhide and I have selinux in permissive
> > >> >> > mode, could that be reason I'm seeing these hundreds of alerts?
> > >> >>
> > >> >> https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00130.html
> > >> >>
> > >> >> --
> > >> >> John Dennis <jdennis@xxxxxxxxxx>
> > >> >>
> > >> >
> > >> > Ok, I'm an idiot :) I got so much going on at once (work, moving to
> > >> > new apartment, etc...) that I totally forgot I got this replied
> > >> > already.
> > >> >
> > >> > But I want to keep in permissive and not enforcing mode so is just
> > >> > "load_policy" enough ?
> > >> >
> > >> > Cheers,
> > >> > Valent.
> > >> >
> > >> load_policy and you might need to kill any processes that are running as
> > >> unlabeled_t. Potentially you could have files that are mislabeled.
> > >
> > >
> > >
> > > I made several load_policy and relabels with reboot and I still see
> > > these errors!
> > > Do you have any idea why?
> > >
> > > Cheers,
> > > Valent
> > > .
> > >
> > >
> > Do you have two policy files in /etc/selinux/targeted/policy?
>
> # ls -al /etc/selinux/targeted/policy
> total 4056
> drwxr-xr-x 2 root root 4096 2008-04-03 23:05 .
> drwxr-xr-x 5 root root 4096 2008-04-03 23:05 ..
> -rw-r--r-- 1 root root 4128435 2008-04-03 23:05 policy.21
>
> as you can see I have only one file in policy directory
>
> >
> > If you do, remove the lower version and then execute load_policy,
> > Relabel the file in question and you should not have a problem. If the
> > file is in /tmp you can remove it or set its label to tmp_t.
>
> I'm going now to move all files from /tmp to another folder and then
> if reboot succeeds I'll delete those files and see if I still see
> selinux alerts.
>
> So you haven't seen this kind of error? Nobody has reported anything similar?
>
>
>
> Valent.
>
> --
> http://kernelreloaded.blog385.com/
> linux, blog, anime, spirituality, windsurf, wireless
> registered as user #367004 with the Linux Counter, http://counter.li.org.
> ICQ: 2125241, Skype: valent.turkovic
>

Even after deleting all files in /tmp folder I still see these two
alerts (in attachment). I investigated alert about saved_state.tmp
file and with locate file command I found this:
/home/valentt/.gconfd/saved_state

Does that give you any more clues why I'm seeing these alerts? I'm now
in Fedora 8 not in Rawhide but in Rawhide I see same alerts.

Is it possible that livecd-creator does some things and breaks selinux
in some way that you still aren't aware of?

Valent.

--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

Sažetak:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detaljan opis:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Dopuštanje pristupa:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Dodatni podaci:

Izvorni kontekst              unconfined_u:object_r:unlabeled_t:s0
Ciljani kontekst              system_u:object_r:fs_t:s0
Ciljani objekti               .testing.writeability [ filesystem ]
Source                        gconfd-2
Source Path                   /usr/libexec/gconfd-2
Port                          <Nepoznato>
Host                          valent.oswireless
Source RPM Packages           GConf2-2.20.1-1.fc8
Target RPM Packages
RPM pravila                   selinux-policy-3.0.8-95.fc8
Selinux je omogućen           True
Vrsta pravila                 targeted
MLS je omogućen               True
Način prisile                 Permissive
Naziv dodatka                 filesystem_associate
Naziv računala                valent.oswireless
Platforma                     Linux valent.oswireless 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 i686
Broj uzbuna                   2
First Seen                    Ned 06 Tra 2008 10:45:05
Last Seen                     Ned 06 Tra 2008 10:45:06
Local ID                      a8146644-9f87-4a21-a503-44839f130435
Brojevi redaka

Sirova poruke revizije

host=valent.oswireless type=AVC msg=audit(1207471506.417:34): avc: denied { associate } for pid=3289 comm="gconfd-2" name=".testing.writeability" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=valent.oswireless type=SYSCALL msg=audit(1207471506.417:34): arch=40000003 syscall=5 success=yes exit=35 a0=88c4818 a1=41 a2=1c0 a3=88c4818 items=0 ppid=1 pid=3289 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Sažetak:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detaljan opis:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Dopuštanje pristupa:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Dodatni podaci:

Izvorni kontekst              unconfined_u:object_r:unlabeled_t:s0
Ciljani kontekst              system_u:object_r:fs_t:s0
Ciljani objekti               saved_state.tmp [ filesystem ]
Source                        gconfd-2
Source Path                   /usr/libexec/gconfd-2
Port                          <Nepoznato>
Host                          valent.oswireless
Source RPM Packages           GConf2-2.20.1-1.fc8
Target RPM Packages
RPM pravila                   selinux-policy-3.0.8-95.fc8
Selinux je omogućen           True
Vrsta pravila                 targeted
MLS je omogućen               True
Način prisile                 Permissive
Naziv dodatka                 filesystem_associate
Naziv računala                valent.oswireless
Platforma                     Linux valent.oswireless 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 i686
Broj uzbuna                   1
First Seen                    Ned 06 Tra 2008 10:45:35
Last Seen                     Ned 06 Tra 2008 10:45:35
Local ID                      dc68311c-e8e2-409c-96a1-de04d58f95b3
Brojevi redaka

Sirova poruke revizije

host=valent.oswireless type=AVC msg=audit(1207471535.121:37): avc: denied { associate } for pid=3289 comm="gconfd-2" name="saved_state.tmp" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=valent.oswireless type=SYSCALL msg=audit(1207471535.121:37): arch=40000003 syscall=5 success=yes exit=14 a0=88c2440 a1=241 a2=1c0 a3=8663230 items=0 ppid=1 pid=3289 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
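
Added example, not part of the original message or of setroubleshoot: when there are hundreds of alerts like the two attached above, the raw audit records can be joined on their audit event id (the `timestamp:serial` in `msg=audit(...)`) to list every denial that involves unlabeled_t, with the executable and file name. The function names are hypothetical; the sample records are the ones quoted in this post.

```python
import re

# Raw audit records copied from the two alerts in this post.
SAMPLE = '''\
host=valent.oswireless type=AVC msg=audit(1207471506.417:34): avc: denied { associate } for pid=3289 comm="gconfd-2" name=".testing.writeability" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
host=valent.oswireless type=SYSCALL msg=audit(1207471506.417:34): arch=40000003 syscall=5 success=yes exit=35 a0=88c4818 a1=41 a2=1c0 a3=88c4818 items=0 ppid=1 pid=3289 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
host=valent.oswireless type=AVC msg=audit(1207471535.121:37): avc: denied { associate } for pid=3289 comm="gconfd-2" name="saved_state.tmp" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
host=valent.oswireless type=SYSCALL msg=audit(1207471535.121:37): arch=40000003 syscall=5 success=yes exit=14 a0=88c2440 a1=241 a2=1c0 a3=8663230 items=0 ppid=1 pid=3289 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
'''

MSG_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Merge AVC and SYSCALL records that share one audit event id."""
    events = {}
    for line in text.splitlines():
        msg = MSG_RE.search(line)
        if not msg:
            continue
        rtype, event_id = msg.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line[msg.end():])}
        event = events.setdefault(event_id, {"id": event_id})
        avc = AVC_RE.search(line)
        if rtype == "AVC" and avc:
            event["perms"] = avc.group(1).split()
            for key in ("comm", "name", "scontext", "tcontext", "tclass"):
                event[key] = fields.get(key)
        elif rtype == "SYSCALL":
            event["exe"] = fields.get("exe")
            # success=yes next to a denied AVC: permissive mode let it through
            event["permitted"] = fields.get("success") == "yes"
    return events

def selinux_type(context):
    """The type is the third field of user:role:type:level."""
    return context.split(":")[2]

def unlabeled_denials(events):
    """Denials where either side of the check carries unlabeled_t."""
    denials = [events[i] for i in sorted(events)
               if events[i].get("scontext") and events[i].get("tcontext")]
    return [e for e in denials
            if "unlabeled_t" in (selinux_type(e["scontext"]), selinux_type(e["tcontext"]))]

if __name__ == "__main__":
    for e in unlabeled_denials(parse_events(SAMPLE)):
        print(e["id"], e.get("exe"), e["perms"], e["tclass"], e["name"], e.get("permitted"))
```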