Re: Selinux problems

Yes, it seems to have worked, thank you!

James

2009/12/9 Wolfgang S. Rupprecht wolfgang.ruppre...@gmail.com

> James Allsopp jamesaalls...@googlemail.com writes:
>> I keep getting this SELinux issue, This is a new install of Fedora 12, and I just copied all of my home directory back to this machine from an external after install. I've tried running restorecon /home but no change.
> ...
>> You can execute the following command as root to relabel your computer system: touch /.autorelabel; reboot
>
> Did you read the above? Did you do it?
>
> -wolfgang
> --
> Wolfgang S. Rupprecht
> If the airwaves belong to the public why does the public only get 3 non-overlapping WIFI channels?

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: Selinux problems

James Allsopp jamesaalls...@googlemail.com writes:
> Yes, it seems to have worked, thank you!

Good to hear it was something simple like that.

(I'm still breaking selinux permissions all the time here, so I'm becoming very familiar with using relabel or restorecon -rv /. It takes a while to get used to walking around the filesystem delicately.)

-wolfgang
--
Wolfgang S. Rupprecht
If the airwaves belong to the public why does the public only get 3 non-overlapping WIFI channels?

Selinux problems

Hi,
I keep getting this SELinux issue, This is a new install of Fedora 12, and I just copied all of my home directory back to this machine from an external after install. I've tried running restorecon /home but no change.

Any ideas,
James

Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

[gdm-session-wor has a permissive type (xdm_t). This access was not denied.]

SELinux permission checks on files labeled file_t are being denied. file_t is the context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem. No files on an SELinux box should ever be labeled file_t. If you have just added a new disk drive to the system you can relabel it using the restorecon command. Otherwise you should relabel the entire file system.

Allowing Access:

You can execute the following command as root to relabel your computer system: touch /.autorelabel; reboot

Additional Information:

Source Context        system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context        unconfined_u:object_r:file_t:s0
Target Objects        /home/ja [ dir ]
Source                gdm-session-wor
Source Path           /usr/libexec/gdm-session-worker
Port                  Unknown
Host                  Mexican
Source RPM Packages   gdm-2.28.1-24.fc12
Target RPM Packages
Policy RPM            selinux-policy-3.6.32-41.fc12
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           file
Host Name             Mexican
Platform              Linux Mexican 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count           30
First Seen            Sun 22 Nov 2009 11:33:30 AM GMT
Last Seen             Sun 29 Nov 2009 10:42:34 AM GMT
Local ID              3f3896fb-4f17-4b2c-b276-038ede6488fa
Line Numbers

Raw Audit Messages

node=Mexican type=AVC msg=audit(1259491354.745:33799): avc: denied { search } for pid=2090 comm=gdm-session-wor name=ja dev=dm-2 ino=57347 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir

node=Mexican type=SYSCALL msg=audit(1259491354.745:33799): arch=c03e syscall=4 success=yes exit=7301160 a0=7ebff0 a1=7fffbd93d460 a2=7fffbd93d460 a3=1 items=0 ppid=2072 pid=2090 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Re: Selinux problems

2009/12/8 James Allsopp jamesaalls...@googlemail.com:
> Hi,
> I keep getting this SELinux issue, This is a new install of Fedora 12, and I just copied all of my home directory back to this machine from an external after install. I've tried running restorecon /home but no change.

What about the following restorecon flag?

-R -r change files and directories file labels recursively

--
Sam

Re: Selinux problems

James Allsopp jamesaalls...@googlemail.com writes:
> I keep getting this SELinux issue, This is a new install of Fedora 12, and I just copied all of my home directory back to this machine from an external after install. I've tried running restorecon /home but no change.
...
> You can execute the following command as root to relabel your computer system: touch /.autorelabel; reboot

Did you read the above? Did you do it?

-wolfgang
--
Wolfgang S. Rupprecht
If the airwaves belong to the public why does the public only get 3 non-overlapping WIFI channels?

Re: Selinux Problems

Jim wrote:
> Trying to Relabel my Laptop and if I do a touch / autorelabel in permissive mode.

what does 'touch /.autorelabel' do?

note /.a

hth
--
peace out.
tc,hago.
g
.
in a free world without fences, who needs gates.
**
help microsoft stamp out piracy - give linux to a friend today.
**
to mess up a linux box, you need to work at it.
to mess up an ms windows box, you just need to *look* at it.
**
learn linux:
'Rute User's Tutorial and Exposition' http://rute.2038bug.com/index.html
'The Linux Documentation Project' http://www.tldp.org/
'LDP HOWTO-index' http://www.tldp.org/HOWTO/HOWTO-INDEX/index.html
'HowtoForge' http://howtoforge.com/

Re: Selinux Problems

On 10/05/2009 05:27 PM, Paolo Galtieri wrote:
> On Mon, Oct 5, 2009 at 2:13 PM, Daniel J Walsh dwa...@redhat.com wrote:
>> On 10/05/2009 03:22 PM, Paolo Galtieri wrote:
>>> On Mon, Oct 5, 2009 at 11:11 AM, Daniel J Walsh dwa...@redhat.com wrote:
>>>> On 10/05/2009 02:08 PM, Jim wrote:
>>>>> FC11/Kde
>>>>> Trying to print on a Samsung CLX-3175FN. Selinux is playing havoc with printer drivers, these drivers are from Samsung and I'm getting many Selinux Alerts, too many to keep running Restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable Selinux, the printer will print normal.
>>>>> How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?
>>>> Please show me the AVC's you are seeing. Or send me a compressed /var/log/audit/audit.log
>>> I have seen the following SELinux alert:
>>> SELinux is preventing hp (hplip_t) name_bind howl_port_t.
>>> lpstat -t shows
>>> printer HP_Color_LaserJet_2605dn disabled since Thu 01 Oct 2009 09:36:23 AM MST - /usr/lib/cups/backend/hp failed
>>> If I change the URI associated with the printer config from
>>> hp:/net/HP_Color_laserjet_2605dn?zc=hpcolorjet
>>> to
>>> hp:/net/HP_Color_laserjet_2605dn?ip=192.168.10.71
>>> then the alerts go away. The printer is an HP printer and was configured using hp-setup.
>>> Paolo
>> Could you grep for howl_port_t and attach the output
>> grep howl_port_t /var/log/audit/audit.log
> type=AVC msg=audit(1254414474.185:50294): avc: denied { name_bind } for pid=18462 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254414573.360:50295): avc: denied { name_bind } for pid=18499 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254414980.894:50346): avc: denied { name_bind } for pid=18699 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254415674.640:50382): avc: denied { name_bind } for pid=18942 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254415783.474:50425): avc: denied { name_bind } for pid=19012 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254415964.178:50441): avc: denied { name_bind } for pid=19154 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>
> Paolo

I guess the question is why does the hplip want to listen on the Multicast DNS port. If this is supposed to happen, we need to add it to policy.

You can add it for now using audit2allow

# grep hplip_t /var/log/audit/audit.log | audit2allow -M myhplip
# semodule -i myhplip.pp

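The denials in these threads fall into two groups: targets labelled file_t, which the alert text says to fix by relabelling, and the hplip_t name_bind denial, which is a policy question. The Python sketch below is an added example, not part of any message and not audit2allow itself; it sorts AVC records into those two groups and prints the allow rules that a module built from the policy group would carry, so they can be read before semodule -i. The function names, the SYSCALL line and the final sample record (with its example_t type) are constructed for the example.

```python
import re
from collections import defaultdict

# Sample audit records. The first three are copied from messages in this
# thread; the SYSCALL line and the last AVC line are constructed.
SAMPLE_LOG = """\
type=AVC msg=audit(1254414474.185:50294): avc: denied { name_bind } for pid=18462 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254414573.360:50295): avc: denied { name_bind } for pid=18499 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
node=Mexican type=AVC msg=audit(1259491354.745:33799): avc: denied { search } for pid=2090 comm=gdm-session-wor name=ja dev=dm-2 ino=57347 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1259491354.745:33799): arch=c000003e syscall=4 success=yes comm=gdm-session-wor
type=AVC msg=audit(1254416000.000:50500): avc: denied { read write } for pid=19200 comm=hp name=example dev=dm-0 ino=1234 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)"
    r"\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Types that mean "this object has no usable label": fix by relabelling,
# never by writing an allow rule.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return {
        "perms": m["perms"].split(),
        "source": context_type(m["scontext"]),
        "target": context_type(m["tcontext"]),
        "tclass": m["tclass"],
        "fields": fields,
    }


def triage(log_text):
    """Split denials into objects to relabel and candidate policy rules."""
    relabel = set()              # (name, dev, ino) of unlabeled objects
    policy = defaultdict(set)    # (source, target, tclass) -> permissions
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["target"] in UNLABELED_TYPES:
            f = rec["fields"]
            relabel.add((f.get("name", "?"), f.get("dev", "?"), f.get("ino", "?")))
        else:
            key = (rec["source"], rec["target"], rec["tclass"])
            policy[key].update(rec["perms"])
    return relabel, policy


def allow_rules(policy):
    """Render the policy group as type-enforcement allow rules."""
    rules = []
    for (source, target, tclass), perms in sorted(policy.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {text};")
    return rules


if __name__ == "__main__":
    relabel, policy = triage(SAMPLE_LOG)
    for name, dev, ino in sorted(relabel):
        print(f"relabel needed: name={name} dev={dev} ino={ino}")
    # Every remaining denial becomes a rule, wanted or not, so read the
    # list before loading a module built from the same records.
    for rule in allow_rules(policy):
        print(rule)
```

Because the grep in the quoted pipeline selects every record that mentions hplip_t, a module built that way carries a rule for each of them, as the constructed read/write record shows here.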
Re: Selinux Problems

On Tue, 2009-10-06 at 10:56 -0400, Daniel J Walsh wrote:
> I guess the question is why does the hplip want to listen on the Multicast DNS port. If this is supposed to happen, we need to add it to policy.

Please file a bug against HPLIP. The reason it wants to do that is that it is trying to resolve an mDNS name. What it ought to do, of course, is ask avahi to do that.

Tim.
*/

Re: Selinux Problems

On 10/06/2009 10:59 AM, Tim Waugh wrote:
> On Tue, 2009-10-06 at 10:56 -0400, Daniel J Walsh wrote:
>> I guess the question is why does the hplip want to listen on the Multicast DNS port. If this is supposed to happen, we need to add it to policy.
> Please file a bug against HPLIP. The reason it wants to do that is that it is trying to resolve an mDNS name. What it ought to do, of course, is ask avahi to do that.
>
> Tim.
> */

Tim I have a problem with DNS in FC11, FC12 and in a file /etc/dhclient-eth0.conf I have the line;
prepend domain-name-servers 127.0.0.1;
And DNSmasq is enabled.
And in Firefox config I have;
network.dns.disableIPv6

Re: Selinux Problems

On 10/06/2009 10:56 AM, Daniel J Walsh wrote:
> On 10/05/2009 05:27 PM, Paolo Galtieri wrote:
>> On Mon, Oct 5, 2009 at 2:13 PM, Daniel J Walsh dwa...@redhat.com wrote:
>>> On 10/05/2009 03:22 PM, Paolo Galtieri wrote:
>>>> On Mon, Oct 5, 2009 at 11:11 AM, Daniel J Walsh dwa...@redhat.com wrote:
>>>>> On 10/05/2009 02:08 PM, Jim wrote:
>>>>>> FC11/Kde
>>>>>> Trying to print on a Samsung CLX-3175FN. Selinux is playing havoc with printer drivers, these drivers are from Samsung and I'm getting many Selinux Alerts, too many to keep running Restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable Selinux, the printer will print normal.
>>>>>> How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?
>>>>> Please show me the AVC's you are seeing. Or send me a compressed /var/log/audit/audit.log
>>>> I have seen the following SELinux alert:
>>>> SELinux is preventing hp (hplip_t) name_bind howl_port_t.
>>>> lpstat -t shows
>>>> printer HP_Color_LaserJet_2605dn disabled since Thu 01 Oct 2009 09:36:23 AM MST - /usr/lib/cups/backend/hp failed
>>>> If I change the URI associated with the printer config from
>>>> hp:/net/HP_Color_laserjet_2605dn?zc=hpcolorjet
>>>> to
>>>> hp:/net/HP_Color_laserjet_2605dn?ip=192.168.10.71
>>>> then the alerts go away. The printer is an HP printer and was configured using hp-setup.
>>>> Paolo
>>> Could you grep for howl_port_t and attach the output
>>> grep howl_port_t /var/log/audit/audit.log
>> type=AVC msg=audit(1254414474.185:50294): avc: denied { name_bind } for pid=18462 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>> type=AVC msg=audit(1254414573.360:50295): avc: denied { name_bind } for pid=18499 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>> type=AVC msg=audit(1254414980.894:50346): avc: denied { name_bind } for pid=18699 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>> type=AVC msg=audit(1254415674.640:50382): avc: denied { name_bind } for pid=18942 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>> type=AVC msg=audit(1254415783.474:50425): avc: denied { name_bind } for pid=19012 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>> type=AVC msg=audit(1254415964.178:50441): avc: denied { name_bind } for pid=19154 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>>
>> Paolo
> I guess the question is why does the hplip want to listen on the Multicast DNS port. If this is supposed to happen, we need to add it to policy.
>
> You can add it for now using audit2allow
>
> # grep hplip_t /var/log/audit/audit.log | audit2allow -M myhplip
> # semodule -i myhplip.pp

I have a problem with DNS in FC11, FC12 and in a file /etc/dhclient-eth0.conf I have the line;
prepend domain-name-servers 127.0.0.1;
And DNSmasq is enabled.
And in Firefox config I have;
network.dns.disableIPv6

Re: Selinux Problems

On Tue, 2009-10-06 at 11:42 -0400, Jim wrote:
>> Please file a bug against HPLIP. The reason it wants to do that is that it is trying to resolve an mDNS name. What it ought to do, of course, is ask avahi to do that.
> Tim I have a problem with DNS in FC11, FC12 and in a file /etc/dhclient-eth0.conf I have the line;

That's not related to this problem.

Tim.
*/

Re: Selinux Problems

On Tue, Oct 06, 2009 at 06:31:48 +, g gel...@bellsouth.net wrote:
> Jim wrote:
>> Trying to Relabel my Laptop and if I do a touch / autorelabel in permissive mode.
> what does 'touch /.autorelabel' do?
>
> note /.a

/.autorelabel is a magic name that is used during the boot process to determine whether or not a relabel should be done during the boot process. The touch command creates the file if it doesn't exist.

Re: Selinux Problems

Bruno Wolff III wrote:
> On Tue, Oct 06, 2009 at 06:31:48 +, g gel...@bellsouth.net wrote:
>> Jim wrote:
>>> Trying to Relabel my Laptop and if I do a touch / autorelabel in permissive mode.
>> what does 'touch /.autorelabel' do?
>>
>> note /.a
> /.autorelabel is a magic name that is used during the boot process to determine whether or not a relabel should be done during the boot process. The touch command creates the file if it doesn't exist.

of this, i am aware. tho i would call it a *flag*, not a 'magic name'.

be aware that jim shows touch / autorelabel, which is not same as *touch /.autorestore*.

granted. he may have made a typo in his post by not showing '.'. if he left '.' out in his command line, it may be a reason for not triggering selinux to run a relabel during reboot.

from 'man selinux';

+++
FILE LABELING
All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system. Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non selinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.

The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-securitylevel, also has this capability. The restorecon/fixfiles commands are also available for relabeling files.
+++

--
peace out.
tc,hago.
g
.

Selinux Problems

FC11/Kde

Trying to print on a Samsung CLX-3175FN. Selinux is playing havoc with printer drivers, these drivers are from Samsung and I'm getting many Selinux Alerts, too many to keep running Restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable Selinux, the printer will print normal.

How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?

Re: Selinux Problems

On 10/05/2009 02:08 PM, Jim wrote:
> FC11/Kde
> Trying to print on a Samsung CLX-3175FN. Selinux is playing havoc with printer drivers, these drivers are from Samsung and I'm getting many Selinux Alerts, too many to keep running Restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable Selinux, the printer will print normal.
> How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?

Please show me the AVC's you are seeing. Or send me a compressed /var/log/audit/audit.log

Re: Selinux Problems

On Mon, Oct 05, 2009 at 14:08:26 -0400, Jim mickey...@sbcglobal.net wrote:
> FC11/Kde
> Trying to print on a Samsung CLX-3175FN. Selinux is playing havoc with printer drivers, these drivers are from Samsung and I'm getting many Selinux Alerts, too many to keep running Restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable Selinux, the printer will print normal.
> How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?

touch /.autorelabel
and then reboot.

However, restorecon -r will probably be easy enough as I suspect your driver only has put files under a few directories. Since it is unlikely that the relabel would affect the labels of long running processes, you could try restorecon -r / and skip the reboot if you can't limit the possible locations of files installed by the driver.

Also note that if you actually disabled selinux and didn't just switch to permissive, you probably should do a full relabel since files created when selinux is disabled don't get labelled.

Re: Selinux Problems

> On Mon, Oct 05, 2009 at 14:08:26 -0400, Jim mickey...@sbcglobal.net wrote:
>> FC11/Kde
>> Trying to print on a Samsung CLX-3175FN. Selinux is playing havoc with printer drivers, these drivers are from Samsung and I'm getting many Selinux Alerts, too many to keep running Restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable Selinux, the printer will print normal.
>> How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?
> touch /.autorelabel
> and then reboot.

I usually start my fresh fedora install with SEL in permissive to catch all the AVC Denials then after I can run my machine with little to no denials I switch back to enforcing.

> However, restorecon -r will probably be easy enough as I suspect your driver only has put files under a few directories. Since it is unlikely that the relabel would affect the labels of long running processes, you could try restorecon -r / and skip the reboot if you can't limit the possible locations of files installed by the driver.
>
> Also note that if you actually disabled selinux and didn't just switch to permissive, you probably should do a full relabel since files created when selinux is disabled don't get labelled.

If I am not mistaken once you disable SEL it requires a full relabel on turning it back on even if you have not changed anything since you turned it off.

Re: Selinux Problems

On Mon, Oct 5, 2009 at 11:11 AM, Daniel J Walsh dwa...@redhat.com wrote:
> On 10/05/2009 02:08 PM, Jim wrote:
>> FC11/Kde
>> Trying to print on a Samsung CLX-3175FN. Selinux is playing havoc with printer drivers, these drivers are from Samsung and I'm getting many Selinux Alerts, too many to keep running Restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable Selinux, the printer will print normal.
>> How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?
> Please show me the AVC's you are seeing. Or send me a compressed /var/log/audit/audit.log

I have seen the following SELinux alert:

SELinux is preventing hp (hplip_t) name_bind howl_port_t.

lpstat -t shows

printer HP_Color_LaserJet_2605dn disabled since Thu 01 Oct 2009 09:36:23 AM MST - /usr/lib/cups/backend/hp failed

If I change the URI associated with the printer config from

hp:/net/HP_Color_laserjet_2605dn?zc=hpcolorjet

to

hp:/net/HP_Color_laserjet_2605dn?ip=192.168.10.71

then the alerts go away. The printer is an HP printer and was configured using hp-setup.

Paolo

Re: Selinux Problems

On 10/05/2009 03:22 PM, Paolo Galtieri wrote:
> On Mon, Oct 5, 2009 at 11:11 AM, Daniel J Walsh dwa...@redhat.com wrote:
>> On 10/05/2009 02:08 PM, Jim wrote:
>>> FC11/Kde
>>> Trying to print on a Samsung CLX-3175FN. Selinux is playing havoc with printer drivers, these drivers are from Samsung and I'm getting many Selinux Alerts, too many to keep running Restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable Selinux, the printer will print normal.
>>> How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?
>> Please show me the AVC's you are seeing. Or send me a compressed /var/log/audit/audit.log
> I have seen the following SELinux alert:
> SELinux is preventing hp (hplip_t) name_bind howl_port_t.
> lpstat -t shows
> printer HP_Color_LaserJet_2605dn disabled since Thu 01 Oct 2009 09:36:23 AM MST - /usr/lib/cups/backend/hp failed
> If I change the URI associated with the printer config from
> hp:/net/HP_Color_laserjet_2605dn?zc=hpcolorjet
> to
> hp:/net/HP_Color_laserjet_2605dn?ip=192.168.10.71
> then the alerts go away. The printer is an HP printer and was configured using hp-setup.
> Paolo

Could you grep for howl_port_t and attach the output

grep howl_port_t /var/log/audit/audit.log

Re: Selinux Problems

On Mon, Oct 5, 2009 at 2:13 PM, Daniel J Walsh dwa...@redhat.com wrote:
> On 10/05/2009 03:22 PM, Paolo Galtieri wrote:
>> On Mon, Oct 5, 2009 at 11:11 AM, Daniel J Walsh dwa...@redhat.com wrote:
>>> On 10/05/2009 02:08 PM, Jim wrote:
>>>> FC11/Kde
>>>> Trying to print on a Samsung CLX-3175FN. Selinux is playing havoc with printer drivers, these drivers are from Samsung and I'm getting many Selinux Alerts, too many to keep running Restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable Selinux, the printer will print normal.
>>>> How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?
>>> Please show me the AVC's you are seeing. Or send me a compressed /var/log/audit/audit.log
>> I have seen the following SELinux alert:
>> SELinux is preventing hp (hplip_t) name_bind howl_port_t.
>> lpstat -t shows
>> printer HP_Color_LaserJet_2605dn disabled since Thu 01 Oct 2009 09:36:23 AM MST - /usr/lib/cups/backend/hp failed
>> If I change the URI associated with the printer config from
>> hp:/net/HP_Color_laserjet_2605dn?zc=hpcolorjet
>> to
>> hp:/net/HP_Color_laserjet_2605dn?ip=192.168.10.71
>> then the alerts go away. The printer is an HP printer and was configured using hp-setup.
>> Paolo
> Could you grep for howl_port_t and attach the output
> grep howl_port_t /var/log/audit/audit.log

type=AVC msg=audit(1254414474.185:50294): avc: denied { name_bind } for pid=18462 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254414573.360:50295): avc: denied { name_bind } for pid=18499 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254414980.894:50346): avc: denied { name_bind } for pid=18699 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254415674.640:50382): avc: denied { name_bind } for pid=18942 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254415783.474:50425): avc: denied { name_bind } for pid=19012 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254415964.178:50441): avc: denied { name_bind } for pid=19154 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket

Paolo

Re: Selinux Problems

On 10/05/2009 02:11 PM, Daniel J Walsh wrote:
> On 10/05/2009 02:08 PM, Jim wrote:
>> FC11/Kde
>> Trying to print on a Samsung CLX-3175FN. Selinux is playing havoc with printer drivers, these drivers are from Samsung and I'm getting many Selinux Alerts, too many to keep running Restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable Selinux, the printer will print normal.
>> How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?

Trying to Relabel my Laptop and if I do a touch / autorelabel in permissive mode. Reboot and it doesn't do a relabel on boot startup.

If I do a restorecon -r / I get an error;
restorecon: unable to stat file /proc/2086/task/2086/fd/11: No such file or directory
Read error on pipe.

Re: Selinux Problems

On Tue, 2009-10-06 at 01:37 -0400, Jim wrote:
> Trying to Relabel my Laptop and if I do a touch / autorelabel in permissive mode. Reboot and it doesn't do a relabel on boot startup.

You're touching (creating, or changing the timestamp) of the .autorelabel file in the root (signified by the / slash) of the filesystem. It's a (hidden) file that the system will look for at bootup, and then do relabelling if it finds it. So that command should be: touch /.autorelabel

> If I do a restorecon -r / I get an error;
> restorecon: unable to stat file /proc/2086/task/2086/fd/11: No such file or directory
> Read error on pipe.

It mightn't be a good idea to try and restore the entire directory tree, the auto-relabelling probably omits some paths, or some things simply aren't yet set up at the time it does its trick.

--
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.

SELinux problems after F10-F11 upgrade in x86_64 system

Hi all,

there have been a lot (well over 100 during the 1st 12 hours) of dbusd-related SELinux denials after upgrading my x86_64 system from F10 to F11. In F10 and earlier SELinux problems were usually caused by various fail2ban operations but now these denials - probably due to updated fail2ban in F11 - are practically non-existent.

In F10 (and earlier) it was possible to get rid of SELinux denials by compiling and installing a local module derived from either /var/log/messages or /var/log/audit/audit.log, as explained in SELinux FAQ. However, the local module method doesn't seem to be effective in the dbusd case - or I am doing something wrong. Compiling the local module doesn't report any errors but installing it results in:

[r...@mybox ~]# semodule -i local.pp
libsepol.print_missing_requirements: local's global requirements were not met: type/attribute unconfined_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
[r...@mybox ~]#

After running 'touch /.autorelabel; reboot' I got rid of 'File label' denials but the 'dbusd' ones are still there. So what now?

TIA,
Antti