-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Richard Chapman wrote: > Hi again Daniel > > Here is some more info on this problem - which may be significant... > After checking the link from my last email again I tried: > [root@C5 ~]# fixfiles relabel > > Files in the /tmp directory may be labeled incorrectly, this command > can remove all files in /tmp. If you choose to remove files from /tmp, > a reboot will be required after completion. > Do you wish to clean out the /tmp directory [N]? y > Cleaning out /tmp > /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 18 > has invalid context user_u:object_r:user_mozilla_home_t:s0 > /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 19 > has invalid context user_u:object_r:user_mozilla_home_t:s0 > /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 20 > has invalid context user_u:object_r:user_mozilla_home_t:s0 > /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21 > has invalid context user_u:object_r:user_mozilla_home_t:s0 > /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 23 > has invalid context user_u:object_r:user_mozilla_home_t:s0 > /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 40 > has invalid context root:object_r:user_mozilla_home_t:s0 > /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 41 > has invalid context root:object_r:user_mozilla_home_t:s0 > /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 42 > has invalid context root:object_r:user_mozilla_home_t:s0 > /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 43 > has invalid context root:object_r:user_mozilla_home_t:s0 > Exiting after 10 errors. > [root@C5 ~]# > > Looks like there is a problem with the policy? Any suggestions how to > resolve this? > > > Richard. > > > Richard Chapman wrote: >> Thanks Daniel >> >> I'm pretty sure you are right - that there is something wrong with the >> labelling - but >> >> touch /.autorelabel; reboot >> >> Doesn't seem to cause the relabelling. >> I was a bit suspicious that the relabelling didn't work the first time >> - because I also did a touch /forcefsck at the boot when I was >> expecting relabelling - and it seemed to do 3 fscks - but no obvious >> relabelling. I assumed one of the fscks must have really been a >> relabel - but maybe not.... Now wehn I do the touch and reboot - there >> is no delay in the reboot messages on the system console. >> >> I have found this thread - which seem to describe a similar lack of >> relabelling - but doesn't offer a solution: >> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=17009&forum=37&post_id=60859 >> <http://www.centos.org/modules/newbb/viewtopic.php?topic_id=17009&forum=37&post_id=60859> >> >> >> I haven't tried the 5.3 policy preview yet. Might that help me with >> the relabelling? >> >> Thanks again >> >> Richard. >> >> >> >> >> Daniel J Walsh wrote: > Richard Chapman wrote: > >>>>> Hi.. When I first installed Centos 5.0 - I disabled SELinux at the >>>>> first >>>>> sign of trouble. I have now seen the light - and have enabled SELinux >>>>> on the system which is now updated to Centos 5.2 with Kernel Linux >>>>> 2.6.18-92.1.22.el5 on x86_64. I initially enabled Selinux in permissive >>>>> mode - and tried looking at the GUI SELinux Troubleshooter - but it >>>>> shows no problems. This may be OK - because there are no "type=avc" >>>>> messages in the audit.log file. However there are thousands of "type= >>>>> user_avc". Here are the last 20 while in permissive mode: >>>>> >>>>> type=USER_AVC msg=audit(1231052785.984:833): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=AddMatch dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.984:834): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=GetNameOwner dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.985:835): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device >>>>> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.986:836): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 >>>>> scontext=system_u:system_r:init_t:s0 >>>>> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.987:837): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=RemoveMatch dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.987:838): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=AddMatch dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.987:839): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=GetNameOwner dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.988:840): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device >>>>> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.989:841): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 >>>>> scontext=system_u:system_r:init_t:s0 >>>>> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.990:842): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=RemoveMatch dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.990:843): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=AddMatch dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.990:844): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=GetNameOwner dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.991:845): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device >>>>> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.991:846): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 >>>>> scontext=system_u:system_r:init_t:s0 >>>>> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.992:847): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=RemoveMatch dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.992:848): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=AddMatch dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.992:849): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=GetNameOwner dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.992:850): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device >>>>> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.993:851): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 >>>>> scontext=system_u:system_r:init_t:s0 >>>>> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> type=USER_AVC msg=audit(1231052785.994:852): user pid=2489 uid=81 >>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>> member=RemoveMatch dest=org.freedesktop.DBus spid=7820 >>>>> scontext=user_u:system_r:initrc_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>> >>>>> >>>>> If I set the system to Enforcing mode - and log out and log back in - >>>>> the login seems to run very slowly. If I try to run the gui SELinux >>>>> Troubleshooter - the application window doesn't come up - but I see the >>>>> following errors in the boot.log file. >>>>> >>>>> Jan 3 16:55:54 C5 dbus: avc: received setenforce notice (enforcing=1) >>>>> Jan 3 16:56:23 C5 userhelper[24703]: running >>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py' >>>>> with system_u:system_r:unconfined_t context Jan 3 16:56:23 C5 >>>>> userhelper[24703]: running >>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py' >>>>> with root privileges on behalf of 'root' >>>>> Jan 3 16:58:02 C5 gconfd (root-21790): Exiting >>>>> Jan 3 16:58:02 C5 sshd[21044]: pam_unix(sshd:session): session closed >>>>> for user nx >>>>> Jan 3 16:58:02 C5 su: pam_unix(su-l:session): session closed for >>>>> user root >>>>> Jan 3 16:58:23 C5 sshd[24747]: Accepted publickey for nx from >>>>> 192.168.0.2 port 33869 ssh2 >>>>> Jan 3 16:58:23 C5 sshd[24747]: pam_unix(sshd:session): session opened >>>>> for user nx by (uid=0) >>>>> Jan 3 16:58:25 C5 su: pam_unix(su-l:session): session opened for user >>>>> root by (uid=102) >>>>> Jan 3 16:58:28 C5 dovecot: IMAP(tim): Disconnected: Logged out >>>>> Jan 3 16:58:30 C5 gconfd (root-25493): starting (version 2.14.0), pid >>>>> 25493 user 'root' >>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address >>>>> "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only >>>>> configuration source at position 0 >>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address >>>>> "xml:readwrite:/root/.gconf" to a writable configuration source at >>>>> position 1 >>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address >>>>> "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only >>>>> configuration source at position 2 >>>>> Jan 3 16:58:33 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate >>>>> 0 0 >>>>> Not Found >>>>> Jan 3 16:58:33 C5 last message repeated 4 times >>>>> Jan 3 16:58:33 C5 gconfd (root-25493): Resolved address >>>>> "xml:readwrite:/root/.gconf" to a writable configuration source at >>>>> position 0 >>>>> Jan 3 16:59:46 C5 gdm[4045]: pam_unix(gdm:session): session opened for >>>>> user root by (uid=0) >>>>> Jan 3 16:59:59 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate >>>>> 0 0 >>>>> Not Found >>>>> Jan 3 16:59:59 C5 last message repeated 4 times >>>>> Jan 3 17:00:01 C5 crond[25738]: (root) CMD (/var/www/sarg/sarg.cron > >>>>> /dev/null 2>&1) >>>>> Jan 3 17:00:01 C5 crond[25740]: (root) CMD >>>>> (/etc/webmin/webalizer/webalizer.pl /var/log/squid/access.log) >>>>> Jan 3 17:00:01 C5 crond[25742]: (root) CMD >>>>> (/etc/webmin/status/monitor.pl) >>>>> Jan 3 17:00:01 C5 crond[25743]: (root) CMD >>>>> (/etc/webmin/fetchmail/check.pl --mail rchapman\@aardvark\.com\.au >>>>> --errors) >>>>> Jan 3 17:00:01 C5 su: pam_unix(su:session): session opened for user >>>>> richard by (uid=0) >>>>> Jan 3 17:00:04 C5 su: pam_unix(su:session): session opened for user >>>>> postgres by (uid=0) >>>>> Jan 3 17:00:04 C5 su: pam_unix(su:session): session closed for user >>>>> postgres >>>>> Jan 3 17:00:13 C5 su: pam_unix(su:session): session closed for user >>>>> richard >>>>> Jan 3 17:01:01 C5 crond[25911]: (root) CMD (run-parts /etc/cron.hourly) >>>>> Jan 3 17:01:15 C5 userhelper[25928]: running >>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py' >>>>> with system_u:system_r:unconfined_t context Jan 3 17:01:15 C5 >>>>> userhelper[25928]: running >>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py' >>>>> with root privileges on behalf of 'root' >>>>> Jan 3 17:02:18 C5 setroubleshoot: [dbus.ERROR] could not start dbus: >>>>> Did >>>>> not receive a reply. Possible causes include: the remote application >>>>> did >>>>> not send a reply, the message bus security policy blocked the reply, >>>>> the >>>>> reply timeout expired, or the network connection was broken. >>>>> Jan 3 17:03:06 C5 dovecot: imap-login: Login: user=<tim>, method=PLAIN, >>>>> rip=192.168.0.199, lip=192.168.0.201 >>>>> Jan 3 17:03:37 C5 dovecot: IMAP(tim): Disconnected: Logged out >>>>> Jan 3 17:04:14 C5 setroubleshoot: [dbus.ERROR] could not start dbus: >>>>> Did >>>>> not receive a reply. Possible causes include: the remote application >>>>> did >>>>> not send a reply, the message bus security policy blocked the reply, >>>>> the >>>>> reply timeout expired, or the network connection was broken. >>>>> >>>>> I have also tried the comand line sealert application - which runs fine >>>>> - but shows no problems: >>>>> >>>>> [root@C5 <mailto:root@C5> ~]# sealert -a /var/log/audit/audit.log >>>>> 100% donefound 0 alerts in /var/log/audit/audit.log >>>>> [root@C5 <mailto:root@C5> ~]# >>>>> It looks to me as if there is some problem (possibly a policy issue) >>>>> with my dbus connection. and this is preventing the selinux >>>>> troubleshooter operating in enforcing mode - and also probably causing >>>>> some other problems in enforcing mode - though no "type-avc" problems >>>>> show up int eh audit logs. >>>>> >>>>> Can anyone explain to me what "type=user_avc" messages are - and why >>>>> they are not reported by teh gui SELinux troubleshooter or sealert? How >>>>> should I debug the remainig issues in theis system? >>>>> >>>>> All adice appreciated. >>>>> >>>>> Richard. >>>>> >>>>> >>>>> >>>>> -- >>>>> fedora-selinux-list mailing list >>>>> fedora-selinux-list@xxxxxxxxxx >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>>> > Please make sure your labeling is correct. > > touch /.autorelabel; reboot > > Looks like the entire system is running with a signal context which is > causing you your problems. > > You might also want to grab the 5.3 policy, a preview is currently > available on > > http://people.redhat.com/dwalsh/SELinux/RHEL5 >>> >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list@xxxxxxxxxx >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> Upgrade to the 5.3 policy and see if the problem goes away. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkllFbEACgkQrlYvE4MpobPrLgCgv/4rm8ybxO3TfRKjRlXtj9M9 ryIAnRpcVUZgeIGvO2E4g6XYhpb3JUQ3 =QxJn -----END PGP SIGNATURE----- -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
