Re: F10 SElinux issues
On 08/04/2009 11:11 AM, Steve wrote:
> Daniel,
>
> Daniel J Walsh dwa...@redhat.com wrote:
>> On 08/03/2009 10:50 AM, Steve Blackwell wrote:
>>> Ever since I upgraded from F9 to F10 when F9 went EOL I've been having lots of SElinux warnings. Here's one I get at seemingly random times, i.e. not when I log in.
>>>
>>> Aug 3 09:06:50 steve setroubleshoot: SELinux is preventing polkit-read-aut (polkit_auth_t) write to /var/log/gdm/:0-greeter.log (xserver_log_t). For complete SELinux messages, run sealert -l a4a0ec72-1ae8-46af-a27c-441b4a5f1cdb
>>
>> This looks like a redirection of stdout to the log file. You can add this rule using
>>
>> # grep polkit-read-aut /var/log/audit/audit.log | audit2allow -M mypolkit
>> # semodule -i mypolkit.pp
>>
>> I believe this is actually a bug in xdm, in that it should be passing append privs for its log versus write.
>
> I can, and will, try this but it seems to me I have a more fundamental problem. As I said, this is just one of many alerts. They come in bunches every half hour or so. The latest group were all "SElinux is preventing certwatch from", 7 of them. Before that it was system-config-s and polkit, about 25 different ones of those, some with multiple instances. In F9, I would only occasionally get an alert.
>
> Also, if this is really a bug in xdm, can I really be the first one to find it? F10 has been out for 7 or 8 months.
>
>> If a relabel caused you to lose labels, then you need to add the labels via semanage fcontext instead of just executing a chcon. For example, if I had web content under /myweb
>>
>> # semanage fcontext -a -t httpd_sys_content_t '/myweb(/.*)?'
>> # restorecon -R -v /myweb
>>
>> would tell the SELinux system about my alternative labeling.
>
> I don't really have alternative labelling. I just fixed a few of the things that got flagged. I guess a relabel put everything back to the default. IIUC what you are suggesting is to make those changes permanent. Would an rpm update to policy override that?
>
> Thanks,
> Steve

No, that is what permanent means.

RPM asks the SELinux libraries how to label the system. If you tell SELinux that /myweb needs to be labeled httpd_sys_content_t then RPM will honor that. Restorecon, udev, matchpathcon... and any other program that uses libselinux for labeling will also.

Please send me a compressed /var/log/audit/audit.log off list if you would like me to look at why SELinux is complaining on your box.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: F10 SElinux issues
2009/8/3 Steve zep...@cfl.rr.com:
> Frank Murphy frankl...@gmail.com wrote:
>> On 03/08/09 15:50, Steve Blackwell wrote:
>>> Ever since I upgraded from F9 to F10 when F9 went EOL I've been having lots of SElinux warnings. Here's one I get at seemingly random times, i.e. not when I log in.
>>
>> su
>> touch /.autorelabel; reboot
>
> No luck. This actually made things worse because I had corrected some of the problems that had been reported and now those are back.

Maybe try a yum reinstall selinux-policy-targeted?

--
imalone
Re: F10 SElinux issues
On 03/08/09 19:26, Steve wrote:
> Frank Murphy frankl...@gmail.com wrote:
>> On 03/08/09 15:50, Steve Blackwell wrote:
>>> Ever since I upgraded from F9 to F10 when F9 went EOL I've been having lots of SElinux warnings. Here's one I get at seemingly random times, i.e. not when I log in.
>>
>> su
>> touch /.autorelabel; reboot
>
> No luck. This actually made things worse because I had corrected some of the problems that had been reported and now those are back.
>
> Steve

At this stage, I would recommend going to Fedora's selinux-list, as they would give more current/pertinent info.
Re: F10 SElinux issues
On 08/03/2009 10:50 AM, Steve Blackwell wrote:
> Ever since I upgraded from F9 to F10 when F9 went EOL I've been having lots of SElinux warnings. Here's one I get at seemingly random times, i.e. not when I log in.
>
> Aug 3 09:06:50 steve setroubleshoot: SELinux is preventing polkit-read-aut (polkit_auth_t) write to /var/log/gdm/:0-greeter.log (xserver_log_t). For complete SELinux messages, run sealert -l a4a0ec72-1ae8-46af-a27c-441b4a5f1cdb

This looks like a redirection of stdout to the log file. You can add this rule using

# grep polkit-read-aut /var/log/audit/audit.log | audit2allow -M mypolkit
# semodule -i mypolkit.pp

I believe this is actually a bug in xdm, in that it should be passing append privs for its log versus write.

If a relabel caused you to lose labels, then you need to add the labels via semanage fcontext instead of just executing a chcon. For example, if I had web content under /myweb

# semanage fcontext -a -t httpd_sys_content_t '/myweb(/.*)?'
# restorecon -R -v /myweb

would tell the SELinux system about my alternative labeling.

A blog I wrote about similar stuff:
http://danwalsh.livejournal.com/28027.html

> setroubleshoot suggests restorecon -v '/var/log/gdm/:0-greeter.log'
>
> # ls -lZ /var/log/gdm/:0-greeter.log
> -rw-r--r-- gdm gdm system_u:object_r:xserver_log_t:s0 /var/log/gdm/:0-greeter.log
> # restorecon -v /var/log/gdm/:0-greeter.log
> # ls -lZ /var/log/gdm/:0-greeter.log
> -rw-r--r-- gdm gdm system_u:object_r:xserver_log_t:s0 /var/log/gdm/:0-greeter.log
>
> i.e. no change
>
> # tail /var/log/gdm/:0-greeter.log
> Warning: No symbols defined for I228 (keycode 228)
> Warning: No symbols defined for I230 (keycode 230)
> Warning: No symbols defined for I248 (keycode 248)
> Warning: No symbols defined for I249 (keycode 249)
> Warning: No symbols defined for I250 (keycode 250)
> Warning: No symbols defined for I251 (keycode 251)
> Warning: No symbols defined for I252 (keycode 252)
> Warning: No symbols defined for I253 (keycode 253)
> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x1200022 (Login Wind)
> Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
>
> This computer is on a 2 machine home network, the other machine being a Vista laptop and I have them connected via Samba. Is some client trying to login from the laptop?
>
> # rpm -qa | grep selinux
> selinux-policy-3.5.13-67.fc10.noarch
> libselinux-devel-2.0.78-1.fc10.i386
> selinux-policy-targeted-3.5.13-67.fc10.noarch
> libselinux-2.0.78-1.fc10.i386
> libselinux-utils-2.0.78-1.fc10.i386
> libselinux-python-2.0.78-1.fc10.i386
>
> Any suggestions?
>
> Thanks,
> Steve
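Dan's two replies in this thread describe the triage a practitioner does on /var/log/audit/audit.log before reaching for audit2allow: group the AVC records by signature, decide whether the target file is simply mislabelled (restorecon, or semanage fcontext first if the default label is wrong) or whether the policy genuinely lacks a rule, and notice when a narrower permission such as append would do. The script below is an added example, not code from the mailing list and not part of Fedora's SELinux tooling. It parses AVC records in the kernel audit format, collapses them into the same (source type, target type, class, permissions) signature audit2allow uses for one allow rule, and labels each group as relabel or policy. The audit lines and the EXPECTED_TYPES table (standing in for what matchpathcon would report) are constructed for the example; the first two lines mirror the polkit_auth_t -> xserver_log_t denial reported above.

```python
"""Triage SELinux AVC denials from an audit.log the way the thread discusses.

Added example, not code from the mailing list or from the SELinux tools.
The audit lines below are constructed; the first two mirror the
polkit_auth_t -> xserver_log_t denial reported in the thread.
"""
import re

# Constructed sample of /var/log/audit/audit.log content (not a real capture).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1249304810.101:301): avc:  denied  { write } for  pid=2345 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=131209 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
type=SYSCALL msg=audit(1249304810.101:301): arch=40000003 syscall=5 success=no exit=-13 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper"
type=AVC msg=audit(1249306611.222:302): avc:  denied  { write } for  pid=2346 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=131209 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
type=AVC msg=audit(1249308412.333:410): avc:  denied  { read } for  pid=2500 comm="certwatch" name="localhost.crt" dev=dm-0 ino=98765 scontext=system_u:system_r:certwatch_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# What the file_contexts database says each target should carry (the answer
# matchpathcon would give); a constructed table for this example.
EXPECTED_TYPES = {
    "/var/log/gdm/:0-greeter.log": "xserver_log_t",
    "localhost.crt": "cert_t",
}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+?) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type:range -> type (an MLS range may add more colons)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        # The kernel logs path= when it can resolve one, otherwise only name=.
        "target": fields.get("path") or fields.get("name"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Group denials by (source type, target type, class, perms): the same
    signature audit2allow collapses into a single allow rule."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])
        g = groups.setdefault(key, {"count": 0, "comms": set(), "targets": set()})
        g["count"] += 1
        g["comms"].add(rec["comm"])
        g["targets"].add(rec["target"])
    return groups


def triage(key, targets, expected_types):
    """Target carries a label other than its default -> relabel it (restorecon;
    semanage fcontext first if the default itself is wrong). Label already
    correct -> the policy lacks a rule, which is audit2allow territory."""
    stype, ttype, tclass, perms = key
    for path in sorted(targets):
        expected = expected_types.get(path)
        if expected is not None and expected != ttype:
            return ("relabel", "restorecon -v %s   # is %s, should be %s" % (path, ttype, expected))
    return ("policy", "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(perms)))


def advisories(key):
    """Point out where a narrower grant would do: a log opened with O_APPEND
    needs only { append }, not { write }."""
    stype, ttype, tclass, perms = key
    notes = []
    if tclass == "file" and ttype.endswith("_log_t") and "write" in perms:
        notes.append("%s asks for { write } on a log; an O_APPEND open would need only { append }" % stype)
    return notes


def report(log_text, expected_types):
    lines = []
    for key, g in sorted(summarize(log_text).items()):
        kind, action = triage(key, g["targets"], expected_types)
        lines.append("%3d x %s -> %s:%s { %s }  [%s]" % (
            g["count"], key[0], key[1], key[2], " ".join(key[3]), ", ".join(sorted(g["comms"]))))
        lines.append("      %s: %s" % (kind, action))
        for note in advisories(key):
            lines.append("      note: %s" % note)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG, EXPECTED_TYPES))
```

Run against a real audit.log, the relabel groups are the ones restorecon (or a semanage fcontext entry plus restorecon) should clear without any new policy, and only the policy groups belong in a local module built with audit2allow -M; the append note is the check for whether the rule you are about to add is wider than the program actually needs.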
Re: F10 SElinux issues
Daniel,

Daniel J Walsh dwa...@redhat.com wrote:
> On 08/03/2009 10:50 AM, Steve Blackwell wrote:
>> Ever since I upgraded from F9 to F10 when F9 went EOL I've been having lots of SElinux warnings. Here's one I get at seemingly random times, i.e. not when I log in.
>>
>> Aug 3 09:06:50 steve setroubleshoot: SELinux is preventing polkit-read-aut (polkit_auth_t) write to /var/log/gdm/:0-greeter.log (xserver_log_t). For complete SELinux messages, run sealert -l a4a0ec72-1ae8-46af-a27c-441b4a5f1cdb
>
> This looks like a redirection of stdout to the log file. You can add this rule using
>
> # grep polkit-read-aut /var/log/audit/audit.log | audit2allow -M mypolkit
> # semodule -i mypolkit.pp
>
> I believe this is actually a bug in xdm, in that it should be passing append privs for its log versus write.

I can, and will, try this but it seems to me I have a more fundamental problem. As I said, this is just one of many alerts. They come in bunches every half hour or so. The latest group were all "SElinux is preventing certwatch from", 7 of them. Before that it was system-config-s and polkit, about 25 different ones of those, some with multiple instances. In F9, I would only occasionally get an alert.

Also, if this is really a bug in xdm, can I really be the first one to find it? F10 has been out for 7 or 8 months.

> If a relabel caused you to lose labels, then you need to add the labels via semanage fcontext instead of just executing a chcon. For example, if I had web content under /myweb
>
> # semanage fcontext -a -t httpd_sys_content_t '/myweb(/.*)?'
> # restorecon -R -v /myweb
>
> would tell the SELinux system about my alternative labeling.

I don't really have alternative labelling. I just fixed a few of the things that got flagged. I guess a relabel put everything back to the default. IIUC what you are suggesting is to make those changes permanent. Would an rpm update to policy override that?

Thanks,
Steve
F10 SElinux issues
Ever since I upgraded from F9 to F10 when F9 went EOL I've been having lots of SElinux warnings. Here's one I get at seemingly random times, i.e. not when I log in.

Aug 3 09:06:50 steve setroubleshoot: SELinux is preventing polkit-read-aut (polkit_auth_t) write to /var/log/gdm/:0-greeter.log (xserver_log_t). For complete SELinux messages, run sealert -l a4a0ec72-1ae8-46af-a27c-441b4a5f1cdb

setroubleshoot suggests restorecon -v '/var/log/gdm/:0-greeter.log'

# ls -lZ /var/log/gdm/:0-greeter.log
-rw-r--r-- gdm gdm system_u:object_r:xserver_log_t:s0 /var/log/gdm/:0-greeter.log
# restorecon -v /var/log/gdm/:0-greeter.log
# ls -lZ /var/log/gdm/:0-greeter.log
-rw-r--r-- gdm gdm system_u:object_r:xserver_log_t:s0 /var/log/gdm/:0-greeter.log

i.e. no change

# tail /var/log/gdm/:0-greeter.log
Warning: No symbols defined for I228 (keycode 228)
Warning: No symbols defined for I230 (keycode 230)
Warning: No symbols defined for I248 (keycode 248)
Warning: No symbols defined for I249 (keycode 249)
Warning: No symbols defined for I250 (keycode 250)
Warning: No symbols defined for I251 (keycode 251)
Warning: No symbols defined for I252 (keycode 252)
Warning: No symbols defined for I253 (keycode 253)
Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x1200022 (Login Wind)
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.

This computer is on a 2 machine home network, the other machine being a Vista laptop and I have them connected via Samba. Is some client trying to login from the laptop?

# rpm -qa | grep selinux
selinux-policy-3.5.13-67.fc10.noarch
libselinux-devel-2.0.78-1.fc10.i386
selinux-policy-targeted-3.5.13-67.fc10.noarch
libselinux-2.0.78-1.fc10.i386
libselinux-utils-2.0.78-1.fc10.i386
libselinux-python-2.0.78-1.fc10.i386

Any suggestions?

Thanks,
Steve
Re: F10 SElinux issues
On 03/08/09 15:50, Steve Blackwell wrote:
> Ever since I upgraded from F9 to F10 when F9 went EOL I've been having lots of SElinux warnings. Here's one I get at seemingly random times, i.e. not when I log in.

su
touch /.autorelabel; reboot
Re: F10 SElinux issues
Frank Murphy frankl...@gmail.com wrote:
> On 03/08/09 15:50, Steve Blackwell wrote:
>> Ever since I upgraded from F9 to F10 when F9 went EOL I've been having lots of SElinux warnings. Here's one I get at seemingly random times, i.e. not when I log in.
>
> su
> touch /.autorelabel; reboot

No luck. This actually made things worse because I had corrected some of the problems that had been reported and now those are back.

Steve