trying to understand SELinux message

2009-11-15 Thread Paul Allen Newell

Hello:

I just upgraded two of my systems to latest yum update 
(2.6.30.9-96.fc11.i686.PAE) with the hopes that the CD and DVD issues 
have been resolved (they have, almost, but that's a separate bugzilla 
report).


What I am querying about in this email is a message that I am seeing 
when I log in as root (yes, I know the caveats and try to respect, but I 
always make sure the ability is there if I need it). I log in from the 
start page GUI and there are no problems until, after a couple of 
seconds later, a pop-up from the "star icon in the upper right" says I 
got problems. I open it up and it says:


"SELinux is preventing the gdm-session-wor from using potentially 
mislabeled files (/root)."


Okay, that's nice to know, but I have no idea what it is trying to tell 
me needs to be fixed. I've got a couple files in the home directory but 
nothing looks funny about them (*.txt cut-and-paste of yum 
update/installs and an html of "how-to-install f11 from scratch").


I have edited both /etc/pam.d/gdm and /etc/pam.d/gdm-password per Fedora 
website instructions to allow root access.


Closer inspection says that I first began getting this message on 
20jun09 after a yum update (I did original f11 install at the beginning 
of June). I just hadn't noticed it since I don't often log in as root, 
though I do remember seeing something in the summer and figuring it was 
a glip that would get fixed in future updates.


Any suggestions as to what I should be looking for to get rid of this 
message ... if I do indeed actually need to pay attention to it. If 
there is more info I can provide, please let me know what it is and how 
to get it and I will gladly post such.


Thanks in advance,
Paul


--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: trying to understand SELinux message

2009-11-15 Thread Mr. Teo En Ming (Zhang Enming)
On Mon, Nov 16, 2009 at 1:09 PM, Paul Allen Newell  wrote:
> Hello:
>
> I just upgraded two of my systems to latest yum update
> (2.6.30.9-96.fc11.i686.PAE) with the hopes that the CD and DVD issues have
> been resolved (they have, almost, but thats a separate bugzilla report).
>
> What I am querying about in this email is a message that I am seeing when I
> log in as root (yes, I know the caveats and try to respect, but I always
> make sure the ability is there if I need it). I log in from the start page
> GUI and there are no problems until, after a couple of seconds later, a
> pop-up from the "star icon in the upper right" says I got problems. I open
> it up and it says:
>
> "SELinux is preventing the gdm-session-wor from using potentially mislabeled
> files (/root)."
>
> Okay, that's nice to know, but I have no idea what it is trying to tell me
> needs to be fixed. I've got a couple files in the home directory but nothing
> looks funny about them (*.txt cut-and-paste of yum update/installs and an
> html of "how-to-install f11 from scratch").
>
> I have edited both /etc/pam.d/gdm and /etc/pam.d/gdm-password per Fedora
> website instructions to allow root access.
>
> Closer inspection says that I first began getting this message on 20jun09
> after a yum update (I did original f11 install at the beginning of June). I
> just hadn't noticed it since I don't often log in as root, though I do
> remember seeing something in the summer and figuring it was a glip that
> would get fixed in future updates).
>
> Any suggestions as to what I should be looking for to get rid of this
> message ... if I do indeed actually need to pay attention to it. If there is
> more info I can provide, please let me know what it is and how to get it and
> I will gladly post such.
>
> Thanks in advance,
> Paul
>

You can try to disable SELinux in /etc/selinux/config or in
/boot/grub/grub.conf.

In /etc/selinux/config, change SELinux to DISABLED.

OR

In /boot/grub/grub.conf, add selinux=0 to the kernel line.

E.g. kernel /vmlinuz ro root=/dev/sda2 selinux=0

You shouldn't start X server or login to GNOME as root.


-- 
Mr. Teo En Ming (Zhang Enming) Dip(Mechatronics) BEng(Hons)(Mechanical
Engineering)
Alma Maters:
(1) Singapore Polytechnic
(2) National University of Singapore
My Primary Blog: http://teo-en-ming-aka-zhang-enming.blogspot.com
My Secondary Blog: http://enmingteo.wordpress.com
My Youtube videos: http://www.youtube.com/user/enmingteo
Email: space.time.unive...@gmail.com
Mobile Phone (Starhub Prepaid): +65-8369-2618
Street: Bedok Reservoir Road
Country: Singapore



Re: trying to understand SELinux message

2009-11-15 Thread Paul Allen Newell

Mr. Teo En Ming (Zhang Enming) wrote:
> On Mon, Nov 16, 2009 at 1:09 PM, Paul Allen Newell wrote:
>> Hello:
>>
>> I just upgraded two of my systems to latest yum update
>> (2.6.30.9-96.fc11.i686.PAE) with the hopes that the CD and DVD issues have
>> been resolved (they have, almost, but thats a separate bugzilla report).
>>
>> What I am querying about in this email is a message that I am seeing when I
>> log in as root (yes, I know the caveats and try to respect, but I always
>> make sure the ability is there if I need it). I log in from the start page
>> GUI and there are no problems until, after a couple of seconds later, a
>> pop-up from the "star icon in the upper right" says I got problems. I open
>> it up and it says:
>>
>> "SELinux is preventing the gdm-session-wor from using potentially mislabeled
>> files (/root)."
>>
>> Okay, that's nice to know, but I have no idea what it is trying to tell me
>> needs to be fixed. I've got a couple files in the home directory but nothing
>> looks funny about them (*.txt cut-and-paste of yum update/installs and an
>> html of "how-to-install f11 from scratch").
>>
>> I have edited both /etc/pam.d/gdm and /etc/pam.d/gdm-password per Fedora
>> website instructions to allow root access.
>>
>> Closer inspection says that I first began getting this message on 20jun09
>> after a yum update (I did original f11 install at the beginning of June). I
>> just hadn't noticed it since I don't often log in as root, though I do
>> remember seeing something in the summer and figuring it was a glip that
>> would get fixed in future updates).
>>
>> Any suggestions as to what I should be looking for to get rid of this
>> message ... if I do indeed actually need to pay attention to it. If there is
>> more info I can provide, please let me know what it is and how to get it and
>> I will gladly post such.
>>
>> Thanks in advance,
>> Paul






> You can try to disable SELinux in /etc/selinux/config or in
> /boot/grub/grub.conf.
>
> In /etc/selinux/config, change SELinux to DISABLED.
>
> OR
>
> In /boot/grub/grub.conf, add selinux=0 to the kernel line.
>
> E.g. kernel /vmlinuz ro root=/dev/sda2 selinux=0
>
> You shouldn't start X server or login to GNOME as root.


  
My thanks for the prompt reply. I am not certain why I would want to 
disable SELinux as it clearly is part of the Fedora package and is 
trying to tell me that something isn't right.


Yes, I know I should not start X server or login as root ... and that is 
not my normal work habit. But I would expect that I should still be able 
to do such and not have SELinux bark unless there was something wrong. 
It is the "what is wrong" that I am trying to understand and correct.


Paul



Re: trying to understand SELinux message

2009-11-15 Thread Mr. Teo En Ming (Zhang Enming)
On Mon, Nov 16, 2009 at 1:47 PM, Paul Allen Newell  wrote:
> Mr. Teo En Ming (Zhang Enming) wrote:
>>
>> On Mon, Nov 16, 2009 at 1:09 PM, Paul Allen Newell 
>> wrote:
>>
>>>
>>> Hello:
>>>
>>> I just upgraded two of my systems to latest yum update
>>> (2.6.30.9-96.fc11.i686.PAE) with the hopes that the CD and DVD issues
>>> have
>>> been resolved (they have, almost, but thats a separate bugzilla report).
>>>
>>> What I am querying about in this email is a message that I am seeing when
>>> I
>>> log in as root (yes, I know the caveats and try to respect, but I always
>>> make sure the ability is there if I need it). I log in from the start
>>> page
>>> GUI and there are no problems until, after a couple of seconds later, a
>>> pop-up from the "star icon in the upper right" says I got problems. I
>>> open
>>> it up and it says:
>>>
>>> "SELinux is preventing the gdm-session-wor from using potentially
>>> mislabeled
>>> files (/root)."
>>>
>>> Okay, that's nice to know, but I have no idea what it is trying to tell
>>> me
>>> needs to be fixed. I've got a couple files in the home directory but
>>> nothing
>>> looks funny about them (*.txt cut-and-paste of yum update/installs and an
>>> html of "how-to-install f11 from scratch").
>>>
>>> I have edited both /etc/pam.d/gdm and /etc/pam.d/gdm-password per Fedora
>>> website instructions to allow root access.
>>>
>>> Closer inspection says that I first began getting this message on 20jun09
>>> after a yum update (I did original f11 install at the beginning of June).
>>> I
>>> just hadn't noticed it since I don't often log in as root, though I do
>>> remember seeing something in the summer and figuring it was a glip that
>>> would get fixed in future updates).
>>>
>>> Any suggestions as to what I should be looking for to get rid of this
>>> message ... if I do indeed actually need to pay attention to it. If there
>>> is
>>> more info I can provide, please let me know what it is and how to get it
>>> and
>>> I will gladly post such.
>>>
>>> Thanks in advance,
>>> Paul
>>>
>>
>> You can try to disable SELinux in /etc/selinux/config or in
>> /boot/grub/grub.conf.
>>
>> In /etc/selinux/config, change SELinux to DISABLED.
>>
>> OR
>>
>> In /boot/grub/grub.conf, add selinux=0 to the kernel line.
>>
>> E.g. kernel /vmlinuz ro root=/dev/sda2 selinux=0
>>
>> You shouldn't start X server or login to GNOME as root.
>>
>>
>>
>
> My thanks for the prompt reply. I am not certain why I would want to disable
> SELinux as it clearly is part of the Fedora package and is trying to tell me
> that something isn't right.
>
> Yes, I know I should not start X server or login as root ... and that is not
> my normal work habit. But I would expect that I should still be able to do
> such and not have SELinux bark unless there was something wrong. It is the
> "what is wrong" that I am trying to understand and correct.
>
> Paul
>

Well, for home or personal use systems, you don't really need SELinux.
SELinux is for mission critical servers.

Or unless you work for defense or intelligence agencies, then your
laptop needs to be secured with SELinux and high grade encryption.




Re: trying to understand SELinux message

2009-11-15 Thread Paul Allen Newell

Mr. Teo En Ming (Zhang Enming) wrote:
> On Mon, Nov 16, 2009 at 1:47 PM, Paul Allen Newell wrote:
>> Mr. Teo En Ming (Zhang Enming) wrote:
>>> You can try to disable SELinux in /etc/selinux/config or in
>>> /boot/grub/grub.conf.
>>>
>>> In /etc/selinux/config, change SELinux to DISABLED.
>>>
>>> OR
>>>
>>> In /boot/grub/grub.conf, add selinux=0 to the kernel line.
>>>
>>> E.g. kernel /vmlinuz ro root=/dev/sda2 selinux=0
>>>
>>> You shouldn't start X server or login to GNOME as root.
>>
>> My thanks for the prompt reply. I am not certain why I would want to disable
>> SELinux as it clearly is part of the Fedora package and is trying to tell me
>> that something isn't right.
>>
>> Yes, I know I should not start X server or login as root ... and that is not
>> my normal work habit. But I would expect that I should still be able to do
>> such and not have SELinux bark unless there was something wrong. It is the
>> "what is wrong" that I am trying to understand and correct.
>>
>> Paul





> Well, for home or personal use systems, you don't really need SELinux.
> SELinux is for mission critical servers.
>
> Or unless you work for defense or intelligence agencies, then your
> laptop needs to be secured with SELinux and high grade encryption.

  
I have to deal with NDAs and those organizations don't like to hear "I 
don't use SELinux". Mission critical is not an issue, but doing the 
proper steps to show I am not disabling security is necessary.


Plus, an error is an error and I personally don't like pop-ups telling 
me there is something wrong (smile)


Thanks,
Paul



Re: trying to understand SELinux message

2009-11-15 Thread Mr. Teo En Ming (Zhang Enming)
On Mon, Nov 16, 2009 at 2:01 PM, Paul Allen Newell  wrote:
> Mr. Teo En Ming (Zhang Enming) wrote:
>>
>> On Mon, Nov 16, 2009 at 1:47 PM, Paul Allen Newell 
>> wrote:
>>
>>>
>>> Mr. Teo En Ming (Zhang Enming) wrote:
>>>

>>>> You can try to disable SELinux in /etc/selinux/config or in
>>>> /boot/grub/grub.conf.
>>>>
>>>> In /etc/selinux/config, change SELinux to DISABLED.
>>>>
>>>> OR
>>>>
>>>> In /boot/grub/grub.conf, add selinux=0 to the kernel line.
>>>>
>>>> E.g. kernel /vmlinuz ro root=/dev/sda2 selinux=0
>>>>
>>>> You shouldn't start X server or login to GNOME as root.




>>>
>>> My thanks for the prompt reply. I am not certain why I would want to
>>> disable
>>> SELinux as it clearly is part of the Fedora package and is trying to tell
>>> me
>>> that something isn't right.
>>>
>>> Yes, I know I should not start X server or login as root ... and that is
>>> not
>>> my normal work habit. But I would expect that I should still be able to
>>> do
>>> such and not have SELinux bark unless there was something wrong. It is
>>> the
>>> "what is wrong" that I am trying to understand and correct.
>>>
>>> Paul
>>>
>>
>> Well, for home or personal use systems, you don't really need SELinux.
>> SELinux is for mission critical servers.
>>
>> Or unless you work for defense or intelligence agencies, then your
>> laptop needs to be secured with SELinux and high grade encryption.
>>
>>
>
> I have to deal with NDAs and those organizations don't like to hear "I don't
> use SELinux". Mission critical is not an issue, but doing the proper steps
> to show I am not disabling security is a necessary.
>
> Plus, an error is an error and I personally don't like pop-ups telling me
> there is something wrong (smile)
>
> Thanks,
> Paul
>

Hi Paul,


Summary:

SELinux is preventing the gdm-session-wor from using potentially mislabeled
files (.dmrc).

Detailed Description:

SELinux has denied gdm-session-wor access to potentially mislabeled file(s)
(.dmrc). This means that SELinux will not allow gdm-session-wor to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want gdm-session-wor to access this files, you need to relabel them using
restorecon -v '.dmrc'. You might want to relabel the entire directory using
restorecon -R -v ''.



Link: http://osdir.com/ml/fedora-selinux/2009-02/msg00111.html


You can execute the following command as root to solve your problem.

# restorecon -R -v /root

It should stop the AVC messages from popping up.



Re: trying to understand SELinux message

2009-11-15 Thread Paul Allen Newell

Mr. Teo En Ming (Zhang Enming) wrote:
> On Mon, Nov 16, 2009 at 2:01 PM, Paul Allen Newell wrote:
>
> Hi Paul,
>
> Summary:
>
> SELinux is preventing the gdm-session-wor from using potentially mislabeled
> files (.dmrc).
>
> Detailed Description:
>
> SELinux has denied gdm-session-wor access to potentially mislabeled file(s)
> (.dmrc). This means that SELinux will not allow gdm-session-wor to use these
> files. It is common for users to edit files in their home directory or tmp
> directories and then move (mv) them to system directories. The problem is that
> the files end up with the wrong file context which confined applications are not
> allowed to access.
>
> Allowing Access:
>
> If you want gdm-session-wor to access this files, you need to relabel them using
> restorecon -v '.dmrc'. You might want to relabel the entire directory using
> restorecon -R -v ''.
>
> Link: http://osdir.com/ml/fedora-selinux/2009-02/msg00111.html
>
> You can execute the following command as root to solve your problem.
>
> # restorecon -R -v /root
>
> It should stop the AVC messages from popping up.

  
Thank you very much for finding this. That being said, my head hurts 
after reading it as I am not certain what a large part of it means. But 
I do know that I probably moved at least one file in from my personal 
account and so it kinda makes sense.


Let me re-read after a night's sleep and see if this, plus your link, 
makes more sense then.


That being said, what the "word-of-your-choice" is "gdm-session-wor" ???

Paul



Re: trying to understand SELinux message

2009-11-15 Thread Mr. Teo En Ming (Zhang Enming)
On Mon, Nov 16, 2009 at 2:20 PM, Paul Allen Newell  wrote:
> Mr. Teo En Ming (Zhang Enming) wrote:
>>
>> On Mon, Nov 16, 2009 at 2:01 PM, Paul Allen Newell 
>> wrote:
>>
>>>
>>
>> Hi Paul,
>>
>> 
>> Summary:
>>
>> SELinux is preventing the gdm-session-wor from using potentially
>> mislabeled
>> files (.dmrc).
>>
>> Detailed Description:
>>
>> SELinux has denied gdm-session-wor access to potentially mislabeled
>> file(s)
>> (.dmrc). This means that SELinux will not allow gdm-session-wor to use
>> these
>> files. It is common for users to edit files in their home directory or tmp
>> directories and then move (mv) them to system directories. The problem is
>> that
>> the files end up with the wrong file context which confined applications
>> are not
>> allowed to access.
>>
>> Allowing Access:
>>
>> If you want gdm-session-wor to access this files, you need to relabel them
>> using
>> restorecon -v '.dmrc'. You might want to relabel the entire directory
>> using
>> restorecon -R -v ''.
>>
>> 
>>
>> Link: http://osdir.com/ml/fedora-selinux/2009-02/msg00111.html
>>
>>
>> You can execute the following command as root to solve your problem.
>>
>> # restorecon -R -v /root
>>
>> It should stop the AVC messages from popping up.
>>
>>
>
> Thank you very much for finding this. That being said, my head hurts after
> reading it as I am not certain what a large part of it means. But I do know
> that I probably moved at least one file in from my personal account and so
> it kinda makes sense.
>
> Let me re-read after a night's sleep and see if this, plus your link, makes
> more sense then.
>
> That being said, what the "word-of-your-choice" is "gdm-session-wor" ???
>
> Paul
>

From Wikipedia:

“...given the threat models and capabilities of the adversaries
involved, that's probably appropriate... But that’s not necessarily
appropriate for all users. SELINUX is so horrible to use, that after
wasting a large amount of time enabling it and then watching all of my
applications die a horrible death since they didn't have the
appropriate hand-crafted security policy, caused me to swear off of
it. For me, given my threat model and how much my time is worth, life
is too short for SELinux.” — Theodore Ts’o

:-)



Re: trying to understand SELinux message

2009-11-15 Thread Paul Allen Newell

Mr. Teo En Ming (Zhang Enming) wrote:
> On Mon, Nov 16, 2009 at 2:20 PM, Paul Allen Newell wrote:
>> Mr. Teo En Ming (Zhang Enming) wrote:
>
> From Wikipedia:
>
> “...given the threat models and capabilities of the adversaries
> involved, that's probably appropriate... But that’s not necessarily
> appropriate for all users. SELINUX is so horrible to use, that after
> wasting a large amount of time enabling it and then watching all of my
> applications die a horrible death since they didn't have the
> appropriate hand-crafted security policy, caused me to swear off of
> it. For me, given my threat model and how much my time is worth, life
> is too short for SELinux.” — Theodore Ts’o
>
> :-)

  

Touché



Re: trying to understand SELinux message

2009-11-16 Thread Tim
On Mon, 2009-11-16 at 13:56 +0800, Mr. Teo En Ming (Zhang Enming) wrote:
> Well, for home or personal use systems, you don't really need SELinux.
> SELinux is for mission critical servers.

Until you do something that SELinux would have protected you from...

People do actually do things that need securing, on home computers (do
their banking, etc.).  Just browsing the internet and reading your mail
are the two major points of breakdown in the Windows world, and I'd like
it if that problem doesn't migrate over to Linux, as well.

I can't say that I've had mammoth problems with SELinux.  I've had
occasional glitches, but then the errant program usually gets *fixed* up
quite promptly, so it stops trying to do things that it shouldn't be
doing.  Using very strict SELinux rules on test machines, ones that test
packages before release, could only be a good thing for everybody else.

Of course there are some people who insist that there should be no
restrictions, and that any file should be readable by any person, and
any program able to do whatever it wants.  I tend to think of those
people as clueless, or suspect that they are trying to advocate
something that aids them in hacking other people's computers.

-- 
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: trying to understand SELinux message

2009-11-16 Thread Wolfgang S. Rupprecht

Tim  writes:
> I can't say that I've had mammoth problems with SELinux.  I've had
> occasional glitches, but then the errant program usually gets *fixed* up
> quite promptly, so it stops trying to do things that it shouldn't be
> doing.

I've been running selinux on f12(beta+) and things look pretty good.
The default yum-installed policy is starting to shape up nicely, with
virtually no more noise in my /var/log/messages and
/var/log/audit/audit.log files.  (I only see one daily gripe for
asterisk, but that should be cleaned up in the next policy version.)

-wolfgang
-- 
Wolfgang S. Rupprecht
If the airwaves belong to the public why does the public only get 3
non-overlapping WIFI channels?



Re: trying to understand SELinux message

2009-11-16 Thread Marko Vojinovic
On Monday 16 November 2009 05:22:34 Mr. Teo En Ming (Zhang Enming) wrote:
> You can try to disable SELinux in /etc/selinux/config or in
> /boot/grub/grub.conf.
> 
[snip]
> 
> You shouldn't start X server or login to GNOME as root.

Logging as root in X is certainly a bad idea, mainly for security reasons. 
Disabling SELinux is an equally bad idea, also for those same security 
reasons. Why do you advise for one and against the other? It looks 
inconsistent to me.

The fact that OP broke one rule and logged in a GUI as root made the other 
protection layer yell at him about that. And when he asks what is going on, 
your advice is to shut down that other layer. But given that the OP is 
apparently a newbie and is not aware of good security practices, this is quite 
a Bad Idea, since it opens a door for him to break his system even more.

My advice would be to keep SELinux on, and refrain from using X as root. That 
provides good system security (both from others and yourself). 

Best, :-)
Marko




Re: trying to understand SELinux message

2009-11-16 Thread Marko Vojinovic
On Monday 16 November 2009 05:47:43 Paul Allen Newell wrote:
> I am not certain why I would want to
> disable SELinux as it clearly is part of the Fedora package and is
> trying to tell me that something isn't right.

Good thinking. You definitely do not want to disable SELinux. It is there for 
a good reason, even if one doesn't know the details of what that reason is.
 
> Yes, I know I should not start X server or login as root ... 

So why did you do it then? Disabled root GUI is also the default for a reason, 
just as SELinux. They are multiple protective layers that try to secure your 
system from any malicious activity, including your own.

> and that is
> not my normal work habit. But I would expect that I should still be able
> to do such and not have SELinux bark unless there was something wrong.
> It is the "what is wrong" that I am trying to understand and correct.

What is wrong (technically) is you moving files across directories without 
changing their SELinux context appropriately. At least that appears so based 
on the info you provided.

However...

What is wrong (essentially) is precisely logging in as root in a GUI. This is 
disabled by default in Fedora, and SELinux policy assumes you run the default 
configuration. Once you enabled root GUI and started poking around in it, it 
was just a matter of time before SELinux starts yelling at you doing this or 
that wrong. I cannot tell exactly what SELinux is complaining about until you 
provide some setroubleshoot info, but it is definitely because you logged in a 
GUI as root, played around with things and then did something SELinux doesn't 
like. And it will keep happening over and over unless you stop using root GUI.

If you are more familiar with Windows world, this would be like logging in 
with admin privileges, disabling antivirus software and automatic updates, and 
then asking "why does the system keep alerting me that security might be 
compromised?". Well, you compromised it.

So much for understanding.

As for correcting the error, I can advise the following:

1) Find all files that you have been mv-ing as root, and move them back to 
their original location.
2) Stop using root GUI.
3) Learn that mv keeps SELinux labels, in contrast to cp, which changes them 
appropriately. Understand that this is an intentional feature of mv and cp. The 
file and directory labels are displayed by "ll -Z".
4) Whenever you need root access use "su -" to log in as root, or learn to 
configure and use sudo. Use only your normal user account for GUI.
5) For regular system administration you don't even need to use su and sudo, 
because the system should ask you for the root password whenever you start a 
GUI app that needs elevated privileges.
6) If SELinux keeps complaining more, learn how to use the setroubleshoot utility 
and post the output here on the list. People will help you correct it all, but 
only after you make sure not to produce any more problems by using root GUI.

HTH.

Best, :-)
Marko
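
An added example, not part of any message in this thread: a small Python decoder for the kind of AVC audit records that sit behind the setroubleshoot pop-up, reporting which process, domain, target and label each denial names. It also shows where a name like "gdm-session-wor" comes from: the audit "comm" field is cut to 15 characters, and the SYSCALL record of the same event carries the full executable path. The log lines, the pid/inode numbers and the labels in them are constructed for illustration.

```python
import re

# The kernel keeps a task name in a 16-byte buffer (TASK_COMM_LEN) that
# includes the trailing NUL, so audit "comm" values hold at most 15 characters.
TASK_COMM_LEN = 16

# Constructed sample records in audit.log format (not from the poster's system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1258348140.512:31): avc:  denied  { read } for  pid=1812 comm="gdm-session-wor" name=".dmrc" dev=dm-0 ino=131099 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1258348140.512:31): arch=40000003 syscall=5 success=no exit=-13 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker"
type=AVC msg=audit(1258348141.003:32): avc:  denied  { getattr } for  pid=1812 comm="gdm-session-wor" path="/root" dev=dm-0 ino=131073 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{ ([^}]*)\}')


def split_context(context):
    """Split user:role:type:level; the MLS level may itself contain ':'."""
    user, role, setype, level = context.split(":", 3)
    return {"user": user, "role": role, "type": setype, "level": level}


def parse_records(log_text):
    """Yield (record_type, event_serial, fields) for each audit line."""
    for line in log_text.splitlines():
        header = EVENT_RE.match(line)
        if not header:
            continue  # not an audit record
        rest = line[header.end():]
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        perms = PERMS_RE.search(rest)
        if perms:
            fields["perms"] = perms.group(1).split()
        yield header.group(1), int(header.group(3)), fields


def decode_denials(log_text):
    """Return one dict per AVC denial, joined to its SYSCALL record if present."""
    records = list(parse_records(log_text))
    # Records of one event share the serial number after the timestamp.
    exe_by_event = {serial: f["exe"] for rtype, serial, f in records
                    if rtype == "SYSCALL" and "exe" in f}
    denials = []
    for rtype, serial, f in records:
        if rtype != "AVC":
            continue
        comm = f.get("comm", "")
        denials.append({
            "event": serial,
            "comm": comm,
            # Exactly 15 characters means the real name may be longer.
            "comm_maybe_truncated": len(comm) == TASK_COMM_LEN - 1,
            "exe": exe_by_event.get(serial),
            "perms": f.get("perms", []),
            # "path" is a full path; "name" is only the last path component.
            "target": f.get("path") or f.get("name"),
            "tclass": f.get("tclass"),
            "source_type": split_context(f["scontext"])["type"],
            "target_type": split_context(f["tcontext"])["type"],
        })
    return denials


def describe(denial):
    """One-line human-readable summary of a decoded denial."""
    who = denial["exe"] or denial["comm"]
    return "%s (domain %s) denied { %s } on %s %s labelled %s" % (
        who, denial["source_type"], " ".join(denial["perms"]),
        denial["tclass"], denial["target"], denial["target_type"])


if __name__ == "__main__":
    for d in decode_denials(SAMPLE_AUDIT_LOG):
        print(describe(d))
```

On a live system the same records are written to /var/log/audit/audit.log, the file mentioned elsewhere in this thread.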



Re: trying to understand SELinux message

2009-11-16 Thread Marko Vojinovic
On Monday 16 November 2009 06:27:27 Mr. Teo En Ming (Zhang Enming) wrote:
> From Wikipedia:
> 
> “...given the threat models and capabilities of the adversaries
> involved, that's probably appropriate... But that’s not necessarily
> appropriate for all users. SELINUX is so horrible to use, that after
> wasting a large amount of time enabling it and then watching all of my
> applications die a horrible death since they didn't have the
> appropriate hand-crafted security policy, caused me to swear off of
> it. For me, given my threat model and how much my time is worth, life
> is too short for SELinux.” — Theodore Ts’o

This is utter bullshit. I wonder why nobody edited this out of Wikipedia by 
now...

Yes, in the early days SELinux was rough around the edges here and there, but 
not today. And yes, SELinux does have a learning curve, but by now there are 
plenty of nice GUI tools that help people deal with it without actually having 
to learn the internals, changing the policy manually, etc.

This is FUD, please stop spreading it.

Best, :-)
Marko




Re: trying to understand SELinux message

2009-11-16 Thread Bruno Wolff III
On Mon, Nov 16, 2009 at 13:56:15 +0800,
  "Mr. Teo En Ming (Zhang Enming)"  wrote:
> 
> Well, for home or personal use systems, you don't really need SELinux.
> SELinux is for mission critical servers.

MAC is very useful for home users that run programs that process data
from untrusted sources. This includes web browsers and mail readers.



Re: trying to understand SELinux message

2009-11-16 Thread David
On 11/16/2009 12:56 AM, Mr. Teo En Ming (Zhang Enming) wrote:
> On Mon, Nov 16, 2009 at 1:47 PM, Paul Allen Newell  wrote:
>> Mr. Teo En Ming (Zhang Enming) wrote:
>>
>> My thanks for the prompt reply. I am not certain why I would want to disable
>> SELinux as it clearly is part of the Fedora package and is trying to tell me
>> that something isn't right.
>>
>> Yes, I know I should not start X server or login as root ... and that is not
>> my normal work habit. But I would expect that I should still be able to do
>> such and not have SELinux bark unless there was something wrong. It is the
>> "what is wrong" that I am trying to understand and correct.
>>
>> Paul

> 
> Well, for home or personal use systems, you don't really need SELinux.
> SELinux is for mission critical servers.
> 
> Or unless you work for defense or intelligence agencies, then your
> laptop needs to be secured with SELinux and high grade encryption.


Hmm...

Build a house. Add locks to all the doors and windows so that the
contents of the house can be kept secure. Then disable the locks and
leave the doors and windows wide open.

Makes *perfect* sense.  :-)


-- 


  David


Re: trying to understand SELinux message

2009-11-16 Thread Daniel J Walsh
On 11/16/2009 12:09 AM, Paul Allen Newell wrote:
> Hello:
> 
> I just upgraded two of my systems to latest yum update
> (2.6.30.9-96.fc11.i686.PAE) with the hopes that the CD and DVD issues
> have been resolved (they have, almost, but that's a separate bugzilla
> report).
> 
> What I am querying about in this email is a message that I am seeing
> when I log in as root (yes, I know the caveats and try to respect, but I
> always make sure the ability is there if I need it). I log in from the
> start page GUI and there are no problems until, after a couple of
> seconds later, a pop-up from the "star icon in the upper right" says I
> got problems. I open it up and it says:
> 
> "SELinux is preventing the gdm-session-wor from using potentially
> mislabeled files (/root)."
> 
> Okay, that's nice to know, but I have no idea what it is trying to tell
> me needs to be fixed. I've got a couple files in the home directory but
> nothing looks funny about them (*.txt cut-and-paste of yum
> update/installs and an html of "how-to-install f11 from scratch").
> 
> I have edited both /etc/pam.d/gdm and /etc/pam.d/gdm-password per Fedora
> website instructions to allow root access.
> 
> Closer inspection says that I first began getting this message on
> 20jun09 after a yum update (I did original f11 install at the beginning
> of June). I just hadn't noticed it since I don't often log in as root,
> though I do remember seeing something in the summer and figuring it was
> a glip that would get fixed in future updates).
> 
> Any suggestions as to what I should be looking for to get rid of this
> message ... if I do indeed actually need to pay attention to it. If
> there is more info I can provide, please let me know what it is and how
> to get it and I will gladly post such.
> 
> Thanks in advance,
> Paul
> 
> 
Paul, SELinux policy cannot be written in such a way to allow you to run X 
Windows as root.

The problem is too many applications require rights to write to the homedir and 
we want to treat /root differently than /home.
Allowing a confined application to write to /root would allow it to do evil stuff 
by replacing /root/.bashrc for example.

And the next time an admin logged in the script would run.  

If you require running X as root then you will need to put SELinux into 
permissive mode.  In F12 we are now preventing users from logging in as root 
from GDM because it is so dangerous from a security point of view.

Imagine running firefox as root and what problems it can cause.




Re: trying to understand SELinux message

2009-11-16 Thread Paul Allen Newell

Marko Vojinovic wrote:
> On Monday 16 November 2009 05:47:43 Paul Allen Newell wrote:
>> I am not certain why I would want to
>> disable SELinux as it clearly is part of the Fedora package and is
>> trying to tell me that something isn't right.
>
> Good thinking. You definitely do not want to disable SELinux. It is there for
> a good reason, even if one doesn't know the details of what that reason is.
>
>> Yes, I know I should not start X server or login as root ...
>
> So why did you do it then? Disabled root GUI is also the default for a reason,
> just as SELinux. They are multiple protective layers that try to secure your
> system from any malicious activity, including your own.
>
>> and that is
>> not my normal work habit. But I would expect that I should still be able
>> to do such and not have SELinux bark unless there was something wrong.
>> It is the "what is wrong" that I am trying to understand and correct.
>
> What is wrong (technically) is you moving files across directories without
> changing their SELinux context appropriately. At least that appears so based
> on the info you provided.
>
> However...
>
> What is wrong (essentially) is precisely logging in as root in a GUI. This is
> disabled by default in Fedora, and SELinux policy assumes you run the default
> configuration. Once you enabled root GUI and started poking around in it, it
> was just a matter of time before SELinux starts yelling at you doing this or
> that wrong. I cannot tell exactly what SELinux is complaining about until you
> provide some setroubleshoot info, but it is definitely because you logged in a
> GUI as root, played around with things and then did something SELinux doesn't
> like. And it will keep happening over and over unless you stop using root GUI.
>
> If you are more familiar with Windows world, this would be like logging in
> with admin privileges, disabling antivirus software and automatic updates, and
> then asking "why does the system keep alerting me that security might be
> compromised?". Well, you compromised it.
>
> So much for understanding.
>
> As for correcting the error, I can advise the following:
>
> 1) Find all files that you have been mv-ing as root, and move them back to
> their original location.
> 2) Stop using root GUI.
> 3) Learn that mv keeps SELinux labels in contrast to cp which changes them
> appropriately. Understand that this is an intentional feature of mv and cp. The
> file and directory labels are displayed by "ll -Z".
> 4) Whenever you need root access use "su -" to log in as root, or learn to
> configure and use sudo. Use only your normal user account for GUI.
> 5) For regular system administration you don't even need to use su and sudo,
> because the system should ask you for the root password whenever you start a
> GUI app that needs elevated privileges.
> 6) If SELinux keeps complaining more, learn how to use the setroubleshoot utility
> and post the output here on the list. People will help you correct it all, but
> only after you make sure not to produce any more problems by using root GUI.
>
> HTH.
>
> Best, :-)
> Marko

Marko:

Appreciate the reply.

The information provided about SELinux context is what I was trying to 
understand. I am sufficiently newbie to not really understand what 
SELinux is doing and, given your info and the post about "SELinux is 
preventing the gdm-session-wor from using potentially mislabeled 
files (.dmrc)." make it very obvious what I did to incur the warnings.

I now can backtrack my actions and see what I did wrong. Lesson learned 
regarding SELinux labels.


This upcoming weekend, I will go back and su to root to correct using 
the suggestions you provided.


There is a strong temptation to defend my logging in as root just like a 
child defends an indefensible action. So, to you and everyone who said 
"don't do it", I have no defense. I'm not from a Windows world, I'm 
old-school Unix where the only way some things could be fixed was to su 
to root and it was just easier for big tasks to log in as root. No 
excuse for that now, but old habits die hard. Once again, no defense on 
my part ... I've offered my lame reason just to show it's lame.


Thanks,
Paul




Re: trying to understand SELinux message

2009-11-16 Thread Paul Allen Newell

Daniel J Walsh wrote:
> On 11/16/2009 12:09 AM, Paul Allen Newell wrote:
>
> Paul, SELinux policy cannot be written in such a way to allow you to run X
> Windows as root.
>
> The problem is too many applications require rights to write to the homedir and
> we want to treat /root differently than /home.
> Allowing a confined application to write to /root would allow it to do evil stuff
> by replacing /root/.bashrc for example.
>
> And the next time an admin logged in the script would run.
>
> If you require running X as root then you will need to put SELinux into
> permissive mode.  In F12 we are now preventing users from logging in as root
> from GDM because it is so dangerous from a security point of view.
>
> Imagine running firefox as root and what problems it can cause.

Daniel:

This is a very good explanation of why I should not be logging in and 
running X Windows as root. I obviously needed a few lectures on this 
forum to help beat it in and I am glad I got them.


Paul



Re: trying to understand SELinux message

2009-11-16 Thread Tim
On Mon, 2009-11-16 at 20:21 -0800, Paul Allen Newell wrote:
> I'm old-school Unix where the only way some things could be fixed was
> to su to root and it was just easier for big tasks to log in as root.

As has been pointed out, it's rarely necessary.  There's one area where
a graphical root user is useful, mass file managing where you can't
use wild cards to do the job.  But you don't need to log in graphically
as root to do these things.  Find a decent file manager, not Nautilus,
then just start it off from the command line.

-- 
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: trying to understand SELinux message

2009-11-17 Thread Ian Malone
2009/11/16 Tim :
> On Mon, 2009-11-16 at 13:56 +0800, Mr. Teo En Ming (Zhang Enming) wrote:
>> Well, for home or personal use systems, you don't really need SELinux.
>> SELinux is for mission critical servers.
>
> Until you do something that SELinux would have protected you from...
>
> People do actually do things that need securing, on home computers (do
> their banking, etc.).  Just browsing the internet and reading your mail
> are the two major points of breakdown on the Windows world, and I'd like
> it if that problem doesn't migrate over to Linux, as well.
>

SELinux is not going to protect you from phishing or cross site
scripting attacks.  It's not going to offer much protection for just
browsing the internet.

On the other hand, disabling it is often part of my troubleshooting
process and I've had times (even with F11) when that has been
necessary just to get a working system.  I'll aim to get things
working 'properly' (i.e. with it on) again, but to see disabling
SELinux equated with running as root elsewhere in this thread is a bit
surprising.

-- 
imalone



Re: trying to understand SELinux message

2009-11-17 Thread Marko Vojinovic
On Tuesday 17 November 2009 06:02:05 Tim wrote:
> On Mon, 2009-11-16 at 20:21 -0800, Paul Allen Newell wrote:
> > I'm old-school Unix where the only way some things could be fixed was
> > to su to root and it was just easier for big tasks to log in as root.
> 
> As has been pointed out, it's rarely necessary.  There's one area where
> a graphical root user is useful, mass file managing where you can't
> use wild cards to do the job.  But you don't need to log in graphically
> as root to do these things.  Find a decent file manager, not Nautilus,
> then just start it off from the command line.

I use krusader for file management (two-panel, midnight-commander-like 
style...). It has a "run as root" option somewhere in the menus, if I really 
need root privileges. However, I don't remember when was the last time I 
needed them. :-)

Best, :-)
Marko



Re: trying to understand SELinux message

2009-11-17 Thread Daniel J Walsh
On 11/17/2009 03:05 AM, Ian Malone wrote:
> 2009/11/16 Tim :
>> On Mon, 2009-11-16 at 13:56 +0800, Mr. Teo En Ming (Zhang Enming) wrote:
>>> Well, for home or personal use systems, you don't really need SELinux.
>>> SELinux is for mission critical servers.
>>
>> Until you do something that SELinux would have protected you from...
>>
>> People do actually do things that need securing, on home computers (do
>> their banking, etc.).  Just browsing the internet and reading your mail
>> are the two major points of breakdown on the Windows world, and I'd like
>> it if that problem doesn't migrate over to Linux, as well.
>>
> 
> SELinux is not going to protect you from phishing or cross site
> scripting attacks.  It's not going to offer much protection for just
> browsing the internet.
> 
> On the other hand, disabling it is often part of my troubleshooting
> process and I've had times (even with F11) when that has been
> necessary just to get a working system.  I'll aim to get things
> working 'properly' (i.e. with it on) again, but to see disabling
> SELinux equated with running as root elsewhere in this thread is a bit
> surprising.
> 

I don't want to get embroiled in the debate.  I would like to point out a 
little paper I wrote called "SELinux four things", where I try to describe 
the 4 things that can cause SELinux to complain, and how to remedy them.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

SELinux has many ways that can fairly easily be customized to reach your 
security goals, if you understand what
SELinux is doing.
