Re: selinux question(s) (/home really = /n/home..)

2008-11-05 Thread Daniel J Walsh

Matt Nicholson wrote:
 SNIP

Re: selinux question(s) (/home really = /n/home..)

2008-11-05 Thread Matt Nicholson
Right, but I'm on a fully updated F9. I got the F10 libxcb package
updated/installed, and all seems to be well. Kinda a bit hacky to add to my
image/kickstart, but, if it works, it works, and I'll be rebuilding an F10
version as soon as it's out, I'm sure.

Thanks for the help!

Matt
On Wed, Nov 5, 2008 at 8:44 AM, Daniel J Walsh [EMAIL PROTECTED] wrote:

 Matt Nicholson wrote:
  SNIP

selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Matt Nicholson
So, I have an environment where we pull user data/auth from LDAP/Kerberos
for a bunch of Fedora workstations. I would love to have SELinux turned on
on these, but right now it just doesn't work with our setup.

See, our users' home directories are in a few different places. For the most
part, LDAP thinks their home is at /n/home, or /n/data/home. So, I have /home
bind mounted to those locations, and, with SELinux off, it's all nice and
happy. Another weird thing is that /home is local on these workstations, so
when a user sits at a workstation for the first time, an empty homedir must
be created. We hope to move to NFS /home soon, but not yet.

Once I turn it on, however, users cannot log in, and the home directories
cannot be created. I get SELinux messages like:

Summary:

SELinux is preventing sshd (sshd_t) create to ./nichols2 (home_root_t).

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./nichols2,

restorecon -v './nichols2'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:home_root_t:s0
Target Objects                ./nichols2 [ dir ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          Unknown
Host                          dhcp-0016533596-c5-74
Source RPM Packages           openssh-server-5.1p1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-103.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dhcp-0016533596-c5-74
Platform                      Linux dhcp-0016533596-c5-74 2.6.26.6-79.fc9.i686
                              #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Tue Nov  4 10:49:41 2008
Last Seen                     Tue Nov  4 10:49:41 2008
Local ID                      803e925f-1d6e-4473-9054-dbaf0c0f3abd
Line Numbers

Raw Audit Messages

host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc:  denied  { create } for  pid=4956 comm=sshd name=nichols2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89): arch=4003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4 a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

That's for an ssh login attempt. I get the same for one via GDM. I've tried
adding context=system_r:object_r:home_root_t when I bind mount the /home
on /n/home etc., and no luck so far. Do I need to relabel /n? What/how
should I? Any help would be awesome.

Thanks,

Matt
-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Daniel J Walsh

Matt Nicholson wrote:
 So, I have an environment where we pull user data/auth from LDAP/Kerberos
 for a bunch of Fedora workstations. I would love to have SELinux turned on
 on these, but right now it just doesn't work with our setup.
 
 See, our users' home directories are in a few different places. For the most
 part, LDAP thinks their home is at /n/home, or /n/data/home. So, I have /home
 bind mounted to those locations, and, with SELinux off, it's all nice and
 happy. Another weird thing is that /home is local on these workstations, so
 when a user sits at a workstation for the first time, an empty homedir must
 be created. We hope to move to NFS /home soon, but not yet.
 
Can you look at using pam_oddjob_mkhomedir rather than pam_mkhomedir

yum install oddjob\*

Should fix the problem.

 SNIP

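Dan's suggestion is about which process performs the mkdir, not about relaxing policy. pam_mkhomedir.so creates the directory from inside the process that called PAM, so with sshd the create is checked against sshd_t, which is exactly the denial quoted above. pam_oddjob_mkhomedir.so instead asks the oddjobd service over D-Bus to create the directory, so sshd_t never needs create on home_root_t. As an added example (not code from the thread, from oddjob or from Linux-PAM), the script below parses a Red Hat style pam.d stack, reports session rules that load pam_mkhomedir.so, lists include/substack files that need the same check, and rewrites the module name to pam_oddjob_mkhomedir.so while keeping the file's spacing, control field and arguments. The system-auth text is constructed for the example. The script does not install the oddjob packages or start oddjobd, both of which the thread shows are also needed.

```python
"""Audit a PAM stack for pam_mkhomedir and rewrite it to pam_oddjob_mkhomedir.

Added example, not code from the thread or from oddjob/Linux-PAM. It is a
text transform over the Red Hat style /etc/pam.d/* format (Debian's
@include lines are not handled). It does not install oddjob or start
oddjobd. The sample stack below is constructed for the example.
"""
import os
import re
from typing import List, NamedTuple

# Constructed sample in the style of a Fedora 9 /etc/pam.d/system-auth,
# with the mkhomedir line a site might add for LDAP/Kerberos users.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_mkhomedir.so umask=0077
session     optional      pam_krb5.so
"""

class PamLine(NamedTuple):
    kind: str        # 'rule', 'comment' or 'blank'
    type: str        # auth | account | password | session (rules only)
    control: str     # required | optional | [value=action ...] | include | substack
    module: str      # module path, or the referenced file for include/substack
    args: List[str]  # module arguments, split on whitespace
    raw: str         # the line as found, so rewrites keep the file's spacing

# type, control (one word or a bracketed list that may contain spaces), module, args
_RULE = re.compile(
    r'^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')

def parse_pam(text: str) -> List[PamLine]:
    """Parse pam.d-style text into lines; raises on a rule it cannot read."""
    lines = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            lines.append(PamLine('blank', '', '', '', [], raw))
        elif stripped.startswith('#'):
            lines.append(PamLine('comment', '', '', '', [], raw))
        else:
            m = _RULE.match(stripped)
            if not m:
                raise ValueError('unparseable PAM line: %r' % raw)
            typ, control, module, rest = m.groups()
            lines.append(PamLine('rule', typ, control, module, rest.split(), raw))
    return lines

def find_mkhomedir(lines: List[PamLine]) -> List[PamLine]:
    """Session rules that create home directories inside the login daemon.

    pam_mkhomedir does the create from the process that called PAM (sshd,
    gdm), so SELinux checks it against that daemon's domain: the thread's
    denial is sshd_t create on a home_root_t directory.
    """
    return [l for l in lines
            if l.kind == 'rule' and l.type == 'session'
            and os.path.basename(l.module) == 'pam_mkhomedir.so']

def included_files(lines: List[PamLine]) -> List[str]:
    """Other pam.d files pulled in via include/substack; audit those too."""
    return [l.module for l in lines
            if l.kind == 'rule' and l.control in ('include', 'substack')]

def rewrite_to_oddjob(text: str) -> str:
    """Return the stack with pam_mkhomedir.so replaced by pam_oddjob_mkhomedir.so.

    pam_oddjob_mkhomedir asks oddjobd over D-Bus to create the directory, so
    the create happens in oddjob's helper rather than in sshd_t. Control field
    and arguments are carried over unchanged (assumption: check them against
    pam_oddjob_mkhomedir(8) for the installed version).
    """
    out = []
    for line in parse_pam(text):
        if line.kind == 'rule' and os.path.basename(line.module) == 'pam_mkhomedir.so':
            out.append(line.raw.replace('pam_mkhomedir.so', 'pam_oddjob_mkhomedir.so'))
        else:
            out.append(line.raw)
    return '\n'.join(out) + ('\n' if text.endswith('\n') else '')

if __name__ == '__main__':
    stack = parse_pam(SAMPLE_SYSTEM_AUTH)
    for hit in find_mkhomedir(stack):
        print('found:', hit.raw.strip())
    print(rewrite_to_oddjob(SAMPLE_SYSTEM_AUTH))
```

Run it against /etc/pam.d/system-auth (and anything included_files() reports) before turning SELinux back on; the rewrite is idempotent, so a stack that already uses pam_oddjob_mkhomedir.so comes back unchanged.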


Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Matt Nicholson
Right, that did it (after I started the oddjobd service, that is).

Now, the original reason I turned SELinux back on was to use
xguest... sadly, this isn't working still...

On Tue, Nov 4, 2008 at 11:21 AM, Daniel J Walsh [EMAIL PROTECTED] wrote:

 Matt Nicholson wrote:
  SNIP
 Can you look at using pam_oddjob_mkhomedir rather than pam_mkhomedir

 yum install oddjob\*

 Should fix the problem.

 SNIP


Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Matt Nicholson
Yes, all up to date. A new build from my kickstart is finishing updating
right now (had to add oddjob/turn it on by default). Once it's done I'll send
what info I can.

Before I was getting an SELinux alert/error, but I generated and loaded a
local policy, which took care of the SELinux alert, but still didn't fix
xguest (it just bounces back out to GDM).

More coming soon. Thanks for all the help!


On Tue, Nov 4, 2008 at 1:54 PM, Daniel J Walsh [EMAIL PROTECTED] wrote:

 Matt Nicholson wrote:
  Right, that did it (after i started the oddjobd service, that is).
 
  Now, the original reason I turned SELinux back on was to use
  xguest... sadly, this isn't working still...
 
 Why not?  Are you fully up2date?

 xguest should be working on F9 and F10 right now.

 SNIP

Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Daniel J Walsh
Matt Nicholson wrote:
 Right, that did it (after i started the oddjobd service, that is).
 
 Now, the original reason I turned SELinux back on was to use
 xguest... sadly, this isn't working still...
 
Why not?  Are you fully up2date?

xguest should be working on F9 and F10 right now.

SNIP


Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Matt Nicholson
Output from /var/log/messages as I try to log in as the guest user (xguest):

Nov  4 14:13:15 dhcp-0016533596-c5-74 gconfd (gdm-2932): Exiting
Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused subsystem ns
Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): starting (version 2.22.0), pid 3121 user 'xguest'
Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address xml:readonly:/etc/gconf/gconf.xml.mandatory to a read-only configuration source at position 0
Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address xml:readwrite:/home/xguest/.gconf to a writable configuration source at position 1
Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address xml:readonly:/etc/gconf/gconf.xml.defaults to a read-only configuration source at position 2
Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400 audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148 comm=dbus-daemon path=socket:[37602] dev=sockfs ino=37602 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit RLIMIT_CORE: Permission denied
Nov  4 14:13:16 dhcp-0016533596-c5-74 acpid: client connected from 3229[0:0]
Nov  4 14:13:17 dhcp-0016533596-c5-74 kernel: mtrr: base(0xd000) is not aligned on a size(0x3e8) boundary
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): starting (version 2.22.0), pid 3258 user 'gdm'
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address xml:readonly:/etc/gconf/gconf.xml.mandatory to a read-only configuration source at position 0
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address xml:readonly:/etc/gconf/gconf.xml.system to a read-only configuration source at position 1
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address xml:readonly:/var/lib/gdm/.gconf.mandatory to a read-only configuration source at position 2
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address xml:readwrite:/var/lib/gdm/.gconf to a writable configuration source at position 3
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address xml:readonly:/etc/gconf/gconf.xml.defaults to a read-only configuration source at position 4
Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting value for `/apps/gnome-screensaver/power_management_delay': Can't overwrite existing read-only value: Value for `/apps/gnome-screensaver/power_management_delay' set in a read-only source at the front of your configuration path
Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting value for `/apps/gnome-screensaver/power_management_delay': Can't overwrite existing read-only value: Value for `/apps/gnome-screensaver/power_management_delay' set in a read-only source at the front of your configuration path
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: polkit.c: Cannot set UID on session object.
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: Called SUID root and real-time/high-priority scheduling was requested in the configuration. However, we lack the necessary priviliges:
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: We are not in group 'pulse-rt' and PolicyKit refuse to grant us priviliges. Dropping SUID again.
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: For enabling real-time scheduling please acquire the appropriate PolicyKit priviliges, or become a member of 'pulse-rt', or increase the RLIMIT_NICE/RLIMIT_RTPRIO resource limits for this user.
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: setrlimit(RLIMIT_RTPRIO, (9, 9)) failed: Operation not permitted
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: alsa-util.c: Device front:0 doesn't support 44100 Hz, changed to 44099 Hz.

Obviously, the things that stick out in there are these:

Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400 audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148 comm=dbus-daemon path=socket:[37602] dev=sockfs ino=37602 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit RLIMIT_CORE: Permission denied

and:

Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused subsystem ns

More specifically, the sealert says:

SELinux is preventing dbus-daemon (xguest_dbusd_t) read write to socket
(xguest_t).



On Tue, Nov 4, 2008 at 2:03 PM, Matt Nicholson [EMAIL PROTECTED] wrote:

 SNIP
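The sealert text in the original post offers to "generate a local policy module to allow this access", and Matt reports above that a local policy did silence the xguest alert without making the login work. Before loading such a module it is worth seeing exactly what it would grant. The following is an added example, not code from the thread, from sealert or from audit2allow: it parses AVC records in both the kernel syslog framing seen in this message and the sealert "Raw Audit Messages" framing seen in the original post, pairs each denial with its SYSCALL record by audit serial, renders the allow rule that audit2allow would produce for it, and counts repeats. The sample text is constructed from the records quoted in this thread, joined onto single lines, with the dbus-daemon denial repeated once to show the counting.

```python
"""Parse SELinux AVC denials and render the allow rule a local module would grant.

Added example, not code from the thread, sealert or audit2allow. Input is
record text as it appears in /var/log/messages or in sealert's "Raw Audit
Messages". The sample is constructed from this thread: the sshd denial with
its SYSCALL record, and the xguest dbus-daemon denial repeated twice.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

SAMPLE_LOG = """\
host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc:  denied  { create } for  pid=4956 comm=sshd name=nichols2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89): arch=4003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4 a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400 audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148 comm=dbus-daemon path=socket:[37602] dev=sockfs ino=37602 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400 audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148 comm=dbus-daemon path=socket:[37602] dev=sockfs ino=37602 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit RLIMIT_CORE: Permission denied
"""

# "avc:  denied  { perms } for  key=value ..." in either kernel or auditd framing.
_AVC = re.compile(r'audit\([\d.]+:(?P<serial>\d+)\):\s+avc:\s+denied\s+'
                  r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
_SYSCALL = re.compile(r'type=SYSCALL\s+msg=audit\([\d.]+:(?P<serial>\d+)\):\s+(?P<rest>.*)$')
_KV = re.compile(r'(\w+)=(\S+)')

class Denial(NamedTuple):
    serial: str                 # audit event id; shared with the SYSCALL record
    perms: Tuple[str, ...]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    fields: Dict[str, str]      # every key=value in the AVC record
    syscall: Dict[str, str]     # matching SYSCALL record, empty if none was seen

def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type; the MLS range may itself contain colons."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    return parts[2]

def parse_avc(line: str) -> Optional[Denial]:
    """One AVC record, or None if the line is not a denial."""
    m = _AVC.search(line)
    if not m:
        return None
    fields = dict(_KV.findall(m.group('rest')))
    try:
        return Denial(m.group('serial'), tuple(m.group('perms').split()),
                      fields.get('comm', '?'), fields['scontext'],
                      fields['tcontext'], fields['tclass'], fields, {})
    except KeyError as missing:
        raise ValueError('AVC record lacks %s: %r' % (missing, line))

def parse_log(text: str) -> List[Denial]:
    """All denials in the text, each joined to its SYSCALL record by serial."""
    denials, syscalls = [], {}
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            denials.append(d)
            continue
        s = _SYSCALL.search(line)
        if s:
            syscalls[s.group('serial')] = dict(_KV.findall(s.group('rest')))
    return [d._replace(syscall=syscalls.get(d.serial, {})) for d in denials]

def allow_rule(d: Denial) -> str:
    """The rule audit2allow would emit for this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ %s }' % ' '.join(d.perms)
    return 'allow %s %s:%s %s;' % (context_type(d.scontext),
                                    context_type(d.tcontext), d.tclass, perms)

def summarize(denials: List[Denial]) -> List[Tuple[str, int]]:
    """Distinct rules with occurrence counts, in first-seen order."""
    counts: Dict[str, int] = {}
    for d in denials:
        rule = allow_rule(d)
        counts[rule] = counts.get(rule, 0) + 1
    return list(counts.items())

if __name__ == '__main__':
    found = parse_log(SAMPLE_LOG)
    for rule, n in summarize(found):
        print('%-70s seen %d time(s)' % (rule, n))
    for d in found:
        if d.syscall:
            print('  serial %s: %s exit=%s' % (d.serial, d.syscall.get('exe'),
                                               d.syscall.get('exit')))
```

For the first record the rule reads allow sshd_t home_root_t:dir create;, which lets anything running as sshd_t make directories directly under /home, the access Dan's oddjob suggestion avoids granting. For the second, the rule would have silenced the xguest alert, which is what Matt saw from his local policy; the login itself started working only after the libxcb update he describes later.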

Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Matt Nicholson
So, after finding a similar-sounding bug, I upgraded libxcb to the version
from rawhide, and everything is working now... time to go file a bug/comment
on one...

On Tue, Nov 4, 2008 at 2:22 PM, Matt Nicholson [EMAIL PROTECTED] wrote:


 SNIP