Re: selinux question(s) (/home really = /n/home..)
Right, but I'm on a fully updated F9. I got the F10 libxcb package updated/installed, and all seems to be well. Kinda a bit hack-y to add to my image/kickstart, but, if it works, it works, and I'll be rebuilding a F10 version as soon as it's out I'm sure.

Thanks for the help!

Matt

On Wed, Nov 5, 2008 at 8:44 AM, Daniel J Walsh [EMAIL PROTECTED] wrote:
> Matt Nicholson wrote:
>> output from /var/log/messages as I try to login as guest user: (xguest):
selinux question(s) (/home really = /n/home..)
So, I have an environment where we pull user data/auth from ldap/kerberos for a bunch of fedora workstations. I would love to have selinux turned on on these, but right now it just doesn't work with our setup.

See, your users home directories are in a few different places. For the most part, LDAP thinks their home is at /n/home, or /n/data/home. So, I have /home bind mounted to those locations, and, with selinux off, it's all nice and happy.

Another weird thing is that /home is local on these workstations, so when a user sits at a workstation for the first time, an empty homedir must be created. We hope to move to nfs /home soon, but not yet.

Once I turn it on, however, users cannot log in, and the home directories cannot be created. I get selinux messages like:

Summary:

SELinux is preventing sshd (sshd_t) create to ./nichols2 (home_root_t).

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./nichols2,

restorecon -v './nichols2'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:home_root_t:s0
Target Objects                ./nichols2 [ dir ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          Unknown
Host                          dhcp-0016533596-c5-74
Source RPM Packages           openssh-server-5.1p1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-103.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dhcp-0016533596-c5-74
Platform                      Linux dhcp-0016533596-c5-74 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Tue Nov 4 10:49:41 2008
Last Seen                     Tue Nov 4 10:49:41 2008
Local ID                      803e925f-1d6e-4473-9054-dbaf0c0f3abd
Line Numbers

Raw Audit Messages

host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc: denied { create } for pid=4956 comm=sshd name=nichols2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89): arch=4003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4 a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

That's for an ssh login attempt. I get the same for one via GDM. I've tried adding context=system_r:object_r:home_root_t when I bind mount the /home on /n/home etc, and no luck so far. Do I need to relabel /n? What/how should I?

Any help would be awesome.

Thanks,

Matt

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
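Added example, not part of the original thread: a short Python parser for the AVC records quoted in these messages. It pulls out the source type, target type, object class and permissions each denial names and prints the type-enforcement rule the denial corresponds to, in the form audit2allow uses. The two AVC records are copied from the thread; the function names are this example's own.

```python
import re
from collections import defaultdict

# Two AVC records and one unrelated syslog line, copied from the messages in this thread.
SAMPLE_LOG = """\
host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc: denied { create } for pid=4956 comm=sshd name=nichols2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Nov 4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400 audit(1225825996.389:5): avc: denied { read write } for pid=3148 comm=dbus-daemon path=socket:[37602] dev=sockfs ino=37602 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
Nov 4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit RLIMIT_CORE: Permission denied
"""

# Matches both the auditd form (type=AVC msg=audit(...)) and the
# kernel/syslog form (type=1400 audit(...)) seen in the thread.
AVC_RE = re.compile(
    r"audit\((?P<event>[\d.]+:\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    # Split at most three times: the MLS level (s0-s0:c0.c1023) contains ':' itself.
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one log line; return a dict for an AVC denial, else None."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    if not fields.keys() >= {"scontext", "tcontext", "tclass"}:
        return None  # truncated record, nothing reliable to report
    return {
        "event": match.group("event"),          # timestamp:serial of the audit event
        "comm": fields.get("comm"),
        "perms": match.group("perms").split(),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def allow_rules(log_text):
    """Group denials by (source, target, class) and render one rule per group."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        record = parse_avc(line)
        if record is not None:
            key = (record["source_type"], record["target_type"], record["tclass"])
            grouped[key].update(record["perms"])
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ %s }" % " ".join(names)
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The sshd_t rule is what a local policy module would have to grant, which would let the login daemon create directories under the home root; in this thread that denial was instead avoided by switching to pam_oddjob_mkhomedir.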
Re: selinux question(s) (/home really = /n/home..)
Matt Nicholson wrote:
> So, I have an environment where we pull user data/auth from ldap/kerberos for a bunch of fedora workstations. I would love to have selinux turned on on these, but right now it just doesn't work with our setup.
>
> See, your users home directories are in a few different places. For the most part, LDAP thinks their home is at /n/home, or /n/data/home. So, I have /home bind mounted to those locations, and, with selinux off, it's all nice and happy.
>
> Another weird thing is that /home is local on these workstations, so when a user sits at a workstation for the first time, an empty homedir must be created. We hope to move to nfs /home soon, but not yet.

Can you look at using pam_oddjob_mkhomedir rather than pam_mkhomedir

yum install oddjob\*

Should fix the problem.

> Once I turn it on, however, users cannot log in, and the home directories cannot be created. I get selinux messages like:
>
> Summary: SELinux is preventing sshd (sshd_t) create to ./nichols2 (home_root_t).
Re: selinux question(s) (/home really = /n/home..)
Right, that did it (after I started the oddjobd service, that is).

Now, the original reason I turned selinux back on was to use xguest... sadly, this isn't working still...

On Tue, Nov 4, 2008 at 11:21 AM, Daniel J Walsh [EMAIL PROTECTED] wrote:
> Can you look at using pam_oddjob_mkhomedir rather than pam_mkhomedir
>
> yum install oddjob\*
>
> Should fix the problem.
Re: selinux question(s) (/home really = /n/home..)
Yes, all up to date. A new build from my kickstart is finishing updating right now (had to add oddjob/turn it on by default). Once it's done I'll send what info I can. Before I was getting an selinux alert/error, but I generated and loaded a local policy, which took care of the selinux alert, but still didn't fix xguest (it just bounces back out to GDM). More coming soon.

Thanks for all the help!

On Tue, Nov 4, 2008 at 1:54 PM, Daniel J Walsh [EMAIL PROTECTED] wrote:
> Matt Nicholson wrote:
>> Right, that did it (after I started the oddjobd service, that is). Now, the original reason I turned selinux back on was to use xguest... sadly, this isn't working still...
>
> Why not? Are you fully up2date? xguest should be working on F9 and F10 right now.
>
> SNIP
Re: selinux question(s) (/home really = /n/home..)
Matt Nicholson wrote:
> Right, that did it (after I started the oddjobd service, that is). Now, the original reason I turned selinux back on was to use xguest... sadly, this isn't working still...

Why not? Are you fully up2date? xguest should be working on F9 and F10 right now.

SNIP
Re: selinux question(s) (/home really = /n/home..)
output from /var/log/messages as I try to login as guest user: (xguest):

Nov 4 14:13:15 dhcp-0016533596-c5-74 gconfd (gdm-2932): Exiting
Nov 4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused subsystem ns
Nov 4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): starting (version 2.22.0), pid 3121 user 'xguest'
Nov 4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address xml:readonly:/etc/gconf/gconf.xml.mandatory to a read-only configuration source at position 0
Nov 4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address xml:readwrite:/home/xguest/.gconf to a writable configuration source at position 1
Nov 4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address xml:readonly:/etc/gconf/gconf.xml.defaults to a read-only configuration source at position 2
Nov 4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400 audit(1225825996.389:5): avc: denied { read write } for pid=3148 comm=dbus-daemon path=socket:[37602] dev=sockfs ino=37602 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
Nov 4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit RLIMIT_CORE: Permission denied
Nov 4 14:13:16 dhcp-0016533596-c5-74 acpid: client connected from 3229[0:0]
Nov 4 14:13:17 dhcp-0016533596-c5-74 kernel: mtrr: base(0xd000) is not aligned on a size(0x3e8) boundary
Nov 4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): starting (version 2.22.0), pid 3258 user 'gdm'
Nov 4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address xml:readonly:/etc/gconf/gconf.xml.mandatory to a read-only configuration source at position 0
Nov 4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address xml:readonly:/etc/gconf/gconf.xml.system to a read-only configuration source at position 1
Nov 4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address xml:readonly:/var/lib/gdm/.gconf.mandatory to a read-only configuration source at position 2
Nov 4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address xml:readwrite:/var/lib/gdm/.gconf to a writable configuration source at position 3
Nov 4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address xml:readonly:/etc/gconf/gconf.xml.defaults to a read-only configuration source at position 4
Nov 4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting value for `/apps/gnome-screensaver/power_management_delay': Can't overwrite existing read-only value: Value for `/apps/gnome-screensaver/power_management_delay' set in a read-only source at the front of your configuration path
Nov 4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting value for `/apps/gnome-screensaver/power_management_delay': Can't overwrite existing read-only value: Value for `/apps/gnome-screensaver/power_management_delay' set in a read-only source at the front of your configuration path
Nov 4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: polkit.c: Cannot set UID on session object.
Nov 4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: Called SUID root and real-time/high-priority scheduling was requested in the configuration. However, we lack the necessary priviliges:
Nov 4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: We are not in group 'pulse-rt' and PolicyKit refuse to grant us priviliges. Dropping SUID again.
Nov 4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: For enabling real-time scheduling please acquire the appropriate PolicyKit priviliges, or become a member of 'pulse-rt', or increase the RLIMIT_NICE/RLIMIT_RTPRIO resource limits for this user.
Nov 4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
Nov 4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: setrlimit(RLIMIT_RTPRIO, (9, 9)) failed: Operation not permitted
Nov 4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: alsa-util.c: Device front:0 doesn't support 44100 Hz, changed to 44099 Hz.

Obviously, the things that stick out in there are the:

Nov 4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400 audit(1225825996.389:5): avc: denied { read write } for pid=3148 comm=dbus-daemon path=socket:[37602] dev=sockfs ino=37602 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
Nov 4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit RLIMIT_CORE: Permission denied

and:

Nov 4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused subsystem ns

More specifically, the sealert says:

SELinux is preventing dbus-daemon (xguest_dbusd_t) read write to socket (xguest_t).

On Tue, Nov 4, 2008 at 2:03 PM, Matt Nicholson [EMAIL PROTECTED] wrote:
> Yes, all up to date. A new build from my kickstart is finishing updating right now (had to add oddjob/turn it on by default). Once it's done I'll send what info I can. Before I was getting an
Re: selinux question(s) (/home really = /n/home..)
So, after finding a similar sounding bug, I upgraded libxcb to the version from rawhide, and everything is working now... time to go file a bug/comment on one...

On Tue, Nov 4, 2008 at 2:22 PM, Matt Nicholson [EMAIL PROTECTED] wrote:
> output from /var/log/messages as I try to login as guest user: (xguest):