Re: selinux training

2011-02-01 Thread Dan Horák
Thomas Kern wrote on Tue, 01. 02. 2011 at 23:09 -0500:
> We don't use selinux because none of us understand it nor have the time to
> read up on it in our copious free time. But if there were a class about
> implementing selinux then I might be able to get my company to cut loose
> with some of the training money.
> 
> Does anyone teach selinux implementation? Fundamentals?

Red Hat provides SELinux training, see
https://www.redhat.com/courses/rhs429_red_hat_enterprise_selinux_policy_administration/

The blog of one of the major SELinux engineers, containing a lot of useful
information and tips & tricks, is at http://danwalsh.livejournal.com/

And an official SELinux guide for RHEL 6 is at
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html


Dan

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/


selinux training

2011-02-01 Thread Thomas Kern

We don't use selinux because none of us understand it nor have the time to
read up on it in our copious free time. But if there were a class about
implementing selinux then I might be able to get my company to cut loose
with some of the training money.

Does anyone teach selinux implementation? Fundamentals?

/Tom Kern



Re: LVM, PAVs, and cloning

2011-02-01 Thread David Boyes
On 2/1/11 6:48 PM, "Alan Altmark"  wrote:

>Ah, so these UUIDs are not the builtin UUIDs of the DASD devices?  E.g.
>IBM.3390.274.04E kinds of things.

No, they're created with pvcreate when you prep the minidisks for LVM.
You'd only get the physical UUIDs if you handed the physical disk to LVM
(thus the fullpack -1 setup). 



Re: LVM, PAVs, and cloning

2011-02-01 Thread Marcy Cortes
pvcreate/pvchange sticks them on there.
You can choose your own too or change one.  Might be useful if you've cloned.


Marcy 

-Original Message-
From: Linux on 390 Port [mailto:LINUX-390@vm.marist.edu] On Behalf Of Alan 
Altmark
Sent: Tuesday, February 01, 2011 3:48 PM
To: LINUX-390@vm.marist.edu
Subject: Re: [LINUX-390] LVM, PAVs, and cloning

On Tuesday, 02/01/2011 at 06:35 EST, Mark Post  wrote:
> >>> On 2/1/2011 at 06:07 PM, Alan Altmark wrote:
> > We're making progress!  Thanks, everyone!  If I flash the VG to another
> > set of dasd, do I have to do something to get the new UUIDs recognized?
> > This was my point about recovering a vg onto a different set of disks.
>
> There won't be any new UUIDs, since the process of flashing the DASD volumes
> will copy all the metadata as well.

Ah, so these UUIDs are not the builtin UUIDs of the DASD devices?  E.g.
IBM.3390.274.04E kinds of things.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott



Re: LVM, PAVs, and cloning

2011-02-01 Thread Shane G
You wish 
You'll find them scattered hither and yon - especially with LVM faking
a(nother) block device layer.

And, as you've already discovered, the second U is a lie. Sometimes ...

Shane ...

On Wed, Feb 2nd, 2011 at 10:48 AM, Alan Altmark wrote:

> Ah, so these UUIDs are not the builtin UUIDs of the DASD devices?  E.g.
> IBM.3390.274.04E kinds of things.



Re: LVM, PAVs, and cloning

2011-02-01 Thread Mark Post
>>> On 2/1/2011 at 06:48 PM, Alan Altmark  wrote: 
> Ah, so these UUIDs are not the builtin UUIDs of the DASD devices?  E.g.
> IBM.3390.274.04E kinds of things.

No.  They are LVM-generated strings that look like:
S0Td1s-1Bbh-BGVf-Ryvr-Rltr-ftZS-Smtq0P


Mark Post



Re: LVM, PAVs, and cloning

2011-02-01 Thread Alan Altmark
On Tuesday, 02/01/2011 at 06:35 EST, Mark Post  wrote:
> >>> On 2/1/2011 at 06:07 PM, Alan Altmark wrote:
> > We're making progress!  Thanks, everyone!  If I flash the VG to another
> > set of dasd, do I have to do something to get the new UUIDs recognized?
> > This was my point about recovering a vg onto a different set of disks.
>
> There won't be any new UUIDs, since the process of flashing the DASD volumes
> will copy all the metadata as well.

Ah, so these UUIDs are not the builtin UUIDs of the DASD devices?  E.g.
IBM.3390.274.04E kinds of things.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott



Re: LVM, PAVs, and cloning

2011-02-01 Thread Mark Post
>>> On 2/1/2011 at 06:07 PM, Alan Altmark  wrote: 
> We're making progress!  Thanks, everyone!  If I flash the VG to another
> set of dasd, do I have to do something to get the new UUIDs recognized?
> This was my point about recovering a vg onto a different set of disks.

There won't be any new UUIDs, since the process of flashing the DASD volumes 
will copy all the metadata as well.  This is one reason why I tell people that 
if they want to have a "rescue system" that will mount other guests' minidisks 
that are PVs, you want to:
1. Not have the same UUIDs that you normally get when you clone systems, so 
don't create your rescue system by cloning.
2. Not have the same VG names on your rescue system.
3. If you do use the same VG name, use different LV names.  (But see #2, 
because doing vgextends and then afterwards vgreduces is a bit of a pain when 
you're in emergency mode.)

So, if you clone the system, or restore it from backup to another system, 
you'll want to make sure that /etc/lvm/ and /etc/multipath.conf go along for 
the ride.  But, LVM should reassemble the VG and activate the LVs with no 
problem.

If you did a logical backup, and not a physical volume backup, then everything 
changes because the LVM metadata won't be there.


Mark Post



Re: Hipersockets Not working z/Linux to z/VM & z/OS

2011-02-01 Thread Alan Altmark
On Tuesday, 02/01/2011 at 06:06 EST, Mark Post  wrote:


> What do the US and UH flags mean?  What's the reason for the host route to
> 10.90.3.20?

U = Up (if interface is down, flag not set, route won't be used)
S = Static (i.e. human-induced config somewhere)
H = Host route

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott



Re: LVM, PAVs, and cloning

2011-02-01 Thread Alan Altmark
On Tuesday, 02/01/2011 at 05:11 EST, Mark Post  wrote:

> If you get things set up properly, multipathd will be the only process that cares
> about how many paths to what volumes are available.  Multipathd will be
> responsible for generating the proper device names for LVM to use.  LVM will
> only look at those device names that it is allowed to by the filter specified
> in /etc/lvm/lvm.conf.  If you don't get that filter right, or your storage
> admin creates some devices for you that (for whatever reason) appear to have
> the same device naming convention, LVM will spit out warnings about "duplicate
> UUIDs" found, and it will pick one of them to use.  Of course Murphy dictates
> that is likely to be the non-multipath name.  But, LVM will continue to work.
> All it cares about is that it can find all the physical volumes (PVs) that it
> put its stamp on for any particular volume group (VG).

We're making progress!  Thanks, everyone!  If I flash the VG to another
set of dasd, do I have to do something to get the new UUIDs recognized?
This was my point about recovering a vg onto a different set of disks.

> > I do understand that I cannot change the number of base volumes unless I
> > create a new vg and copy one logical volume to the other.
>
> Why is that?  The normal vgextend stuff should still work just fine if you get
> the multipath configuration done first.  vgreduce should work as well.

Of course, but you have to have all 60 volumes when you start.  THEN you
can add or delete.  I was just trying to let folks know that I wasn't
expecting to get data out of thin air.  (Linux-managed RAID striping
excluded from the discussion.)

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott



Re: Hipersockets Not working z/Linux to z/VM & z/OS

2011-02-01 Thread Mark Post
>>> On 1/31/2011 at 01:49 PM, Kyle Stewart wrote:
> Mark,
> 
> Here is what we have:
> 
> The hsi0 is a real hipersocket
> 
> Linux netstat
> 
> [z034876@UTLZ0002 ~]$ netstat -r
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 10.90.3.0       *               255.255.255.0   U         0 0          0 hsi0
> 10.90.30.0      *               255.255.255.0   U         0 0          0 eth0
> 169.254.0.0     *               255.255.0.0     U         0 0          0 hsi0
> default         10.90.30.1      0.0.0.0         UG        0 0          0 eth0

This looks fine so far.

-snip-
> z/VM netstat gate
> 
> Known IPv4 gateways:
> 
> Subnet Address  Subnet Mask  FirstHopFlgs PktSz Metric Link
> --  ---   - -- --
> Default10.90.1.1   UG   1500  11 OSD2
> Default10.90.1.1   UG   1500  11 OSD0
> 10.90.1.0   255.255.255.0U1500  10 OSD0
> 10.90.1.0   255.255.255.0U1500  10 OSD2
> 10.90.3.0   255.255.255.0US   16384  HIPERLFA
> 10.90.11.0  255.255.255.010.90.1.12  UG   1500  20 OSD2

I don't know what effect the lack of a metric on your 10.90.3.0 route will 
have, but the fact that this is the network you're having problems with makes 
me wonder if it's related.

-snip-
> z/VM netstat home
> 
> netstat home
> VM TCP/IP Netstat Level 610   TCP/IP Server Name: TCPIP
> 
> IPv4 Home address entries:
> 
> Address Subnet Mask  Link  VSWITCH
> --- ---  -----
> 10.90.25.1  255.255.255.0VC1LVIPA  
> 10.90.1.14  255.255.255.0OSD2  
> 10.90.1.13  255.255.255.0OSD0  
> 10.90.3.60  255.255.255.0HIPERLFA  

I note that your z/VM OSAs are not on the same subnet as the VSWITCH your Linux 
systems are on.  While not necessarily a problem, it's something that may have 
an impact on your firewall rules, if you're running any.

> Test z/OS LPAR:
-snip-
>  EZA0611I The following IP addresses correspond to TCP Host Name: ZSJES2
>  EZA0612I 10.90.21.1
> 
>  EZA0614I The following IP addresses are the HOME IP addresses defined in 
> PROFILE.TCPIP:
> 
> EZA0615I 10.90.21.1
>  EZA0615I 10.90.1.19
>  EZA0615I 10.90.1.20
>  EZA0615I 10.90.21.10
>  EZA0615I 10.90.21.90
>  EZA0615I 10.90.3.20
>  EZA0615I 127.0.0.1

Same note here about z/OS being on a different subnet than the VSWITCH.

> EZA0618I All IP addresses for ZSJES2 are in the HOME list!
> EZA0622I Hometest was successful - all Tests Passed!
> 
> 
> NETSTAT ROUTE
> MVS TCP/IP NETSTAT CS V1R11   TCPIP Name: TCPIP   18:41:28
> DestinationGateway FlagsRefcnt Interface
> ------ --- -
> Default10.90.1.1   UGO  05 OSD0
> Default10.90.1.1   UGO  00 OSD2
-snip-
> 10.90.3.0/24   0.0.0.0 US   00 HYPERLFA
> 10.90.3.20/32  0.0.0.0 UH   00 HYPERLFA

What do the US and UH flags mean?  What's the reason for the host route to 
10.90.3.20?

As Alan mentioned, it might be interesting to see what tcpdump running on both 
hsi0 and eth0 shows when packets arrive and leave for the pings from z/VM and 
z/OS.


Mark Post



Re: selinux question

2011-02-01 Thread Malcolm Beattie
Neale Ferguson writes:
> Thanks. I used the chcon command to change the context but am still having 
> problems and seeing this in the audit log:
>
> type=AVC msg=audit(1296596790.809:1547): avc:  denied  { execute } ...

Now it's complaining about execute whereas before it was only
complaining about read. I'm no expert here, but I believe the types
of object are in general different from the types of subjects for
Type Enforcement which is the usual SELinux policy.

If you look in the selinux-policy SRPM (just do a build-prepare with
rpmbuild -bp), you'll find the source for the snmpd policy in
directory serefpolicy-3.7.19/policy/modules/services in files snmp.fc,
snmp.if and snmp.te for, respectively, the contexts for particular
directory names (for use with restorecon), the interfaces and the
underlying types. I'm looking at Fedora 13 but it's probably close.
I see stuff in there for it reading lib files and executing init
scripts and so on but I see nothing for loading dynamic modules.

If you want to solve this properly rather than using a blunt hammer
then you could maybe look at the apache.* policy files in the same
directory and see how the httpd_modules_t type is implemented there
to handle Apache DSOs and use similar type and interface definitions
for snmpd.

--Malcolm

--
Malcolm Beattie
IBM Mainframe Systems and Software Business, Europe
IBM UK
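
The two denials reported in this thread can be read field by field. The following is an added example, not code from any of the posters: it parses the AVC records quoted in the thread and reports the (source type, target type, class, permission) tuple that Type Enforcement found no allow rule for. The `review` heuristics and all function names are assumptions made for this illustration.

```python
import re

# The two AVC records quoted in this thread, rejoined onto single lines.
AVC_BEFORE_CHCON = (
    'type=AVC msg=audit(1296592954.939:1511): avc:  denied  { read } for  pid=14084 '
    'comm="snmpd" name="dynamo.so" dev=dm-3 ino=45864 '
    'scontext=unconfined_u:system_r:snmpd_t:s0 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'
)
AVC_AFTER_CHCON = (
    'type=AVC msg=audit(1296596790.809:1547): avc:  denied  { execute } for  '
    'pid=14580 comm="snmpd" path="/usr/lib64/snmp/dlmod/dynamo.so" dev=dm-3 '
    'ino=45864 scontext=unconfined_u:system_r:snmpd_t:s0 '
    'tcontext=unconfined_u:system_r:snmpd_t:s0 tclass=file'
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file",
                "sock_file", "fifo_file"}


def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    parts = ctx.split(":", 3)
    parts += [""] * (4 - len(parts))
    return dict(zip(("user", "role", "type", "level"), parts))


def parse_avc(line):
    """Return the decision fields of one AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields.get("scontext", "")),
        "target": split_context(fields.get("tcontext", "")),
    }


def missing_rule(rec):
    """The tuple the loaded policy had no allow rule for, in policy syntax.

    This states what was looked up and not found; it is not a suggested fix.
    """
    return "allow %s %s:%s { %s };" % (
        rec["source"]["type"], rec["target"]["type"],
        rec["tclass"], " ".join(rec["perms"]))


def review(rec):
    """Labelling problems visible in the record itself (illustrative heuristics)."""
    findings = []
    if rec["tclass"] not in FILE_CLASSES:
        return findings
    target, source = rec["target"], rec["source"]
    if target["role"] != "object_r":
        findings.append("target role is %s; files are labelled with role object_r"
                        % target["role"])
    if target["type"] == source["type"]:
        findings.append("file carries the process domain type %s; equal source and "
                        "target contexts do not by themselves grant access"
                        % target["type"])
    if target["type"].endswith("_home_t"):
        findings.append("file carries a home-directory type (%s), typical of a file "
                        "moved into place with its old label" % target["type"])
    return findings


if __name__ == "__main__":
    for line in (AVC_BEFORE_CHCON, AVC_AFTER_CHCON):
        rec = parse_avc(line)
        print(rec["comm"], rec["object"], "->", missing_rule(rec))
        for finding in review(rec):
            print("   ", finding)
```
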



Re: LVM, PAVs, and cloning

2011-02-01 Thread Mark Post
>>> On 2/1/2011 at 04:18 PM, Alan Altmark  wrote: 
-snip-
> I have 60 volumes covered by an additional 480 (static) PAVs.  The volume
> group is fixed at 60.   If the stg admin messes with my PAV allocation, I
> want to be sure that the volume group will not be affected, as the number
> of volumes will not change.  Only the number of paths to the volume will
> change.  So if I remove a PAV, I need to change the multipath config.  But
> the logical volume should not be affected by that, right?

If you get things set up properly, multipathd will be the only process that cares 
about how many paths to what volumes are available.  Multipathd will be 
responsible for generating the proper device names for LVM to use.  LVM will 
only look at those device names that it is allowed to by the filter specified 
in /etc/lvm/lvm.conf.  If you don't get that filter right, or your storage 
admin creates some devices for you that (for whatever reason) appear to have 
the same device naming convention, LVM will spit out warnings about "duplicate 
UUIDs" found, and it will pick one of them to use.  Of course Murphy dictates 
that is likely to be the non-multipath name.  But, LVM will continue to work.  
All it cares about is that it can find all the physical volumes (PVs) that it 
put its stamp on for any particular volume group (VG).

> I do understand that I cannot change the number of base volumes unless I
> create a new vg and copy one logical volume to the other.

Why is that?  The normal vgextend stuff should still work just fine if you get 
the multipath configuration done first.  vgreduce should work as well.


Mark Post
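
A check for the "duplicate UUIDs" situation described above, and for the cloned-rescue-system point made elsewhere in this thread, written as an added example that is not from any of the posters. It assumes `blkid`-style input; the device names, UUIDs and filter lists are constructed, and lvm.conf filter matching is approximated with Python's `re`.

```python
import re
from collections import defaultdict

# Constructed sample: blkid-style lines for one guest. Device names and UUIDs
# are made up; dasdb1 and dasdc1 stand for a base volume and its PAV alias,
# /dev/mapper/pavvol0p1 for the multipath device built on top of them, and
# dasdd1 for a PV that has no multipath device at all.
GUEST_BLKID = """\
/dev/dasda1: UUID="1f0c2a9e-5d3b-4c6e-9a41-7b2f8e0d1c55" TYPE="ext3"
/dev/dasdb1: UUID="Cnstr1-aaaa-bbbb-cccc-dddd-eeee-ffff01" TYPE="LVM2_member"
/dev/dasdc1: UUID="Cnstr1-aaaa-bbbb-cccc-dddd-eeee-ffff01" TYPE="LVM2_member"
/dev/mapper/pavvol0p1: UUID="Cnstr1-aaaa-bbbb-cccc-dddd-eeee-ffff01" TYPE="LVM2_member"
/dev/dasdd1: UUID="Cnstr2-aaaa-bbbb-cccc-dddd-eeee-ffff02" TYPE="LVM2_member"
"""
# Constructed sample: the PV a rescue system built by cloning would carry.
RESCUE_BLKID = """\
/dev/dasdb1: UUID="Cnstr1-aaaa-bbbb-cccc-dddd-eeee-ffff01" TYPE="LVM2_member"
"""

# Constructed filter lists in lvm.conf syntax.
LOOSE_FILTER = ["a|.*|"]
TIGHT_FILTER = ["a|^/dev/mapper/|", "r|.*|"]

BLKID_RE = re.compile(r'^(\S+):.*\bUUID="([^"]+)".*\bTYPE="LVM2_member"')


def pv_uuids(blkid_text):
    """Map PV UUID -> device names carrying it, from blkid-style text."""
    found = defaultdict(list)
    for line in blkid_text.splitlines():
        m = BLKID_RE.match(line)
        if m:
            found[m.group(2)].append(m.group(1))
    return dict(found)


def parse_filter(patterns):
    """Turn entries such as 'a|^/dev/mapper/|' into (action, compiled regex)."""
    rules = []
    for p in patterns:
        # First character is the action, second is the delimiter, which must
        # also close the entry.
        if len(p) < 4 or p[0] not in ("a", "r") or p[-1] != p[1]:
            raise ValueError("bad filter entry: %r" % p)
        rules.append((p[0], re.compile(p[2:-1])))
    return rules


def accepted(device, rules):
    """First matching entry decides; a device that matches nothing is accepted."""
    for action, rx in rules:
        if rx.search(device):
            return action == "a"
    return True


def lvm_view(blkid_text, filter_patterns):
    """Return (duplicates, hidden) for the given filter.

    duplicates: PV UUID -> device names, where more than one name passes the
                filter (the "duplicate UUIDs" warning case).
    hidden:     PV UUIDs for which no device name passes the filter at all.
    """
    rules = parse_filter(filter_patterns)
    duplicates, hidden = {}, []
    for uuid, devices in pv_uuids(blkid_text).items():
        visible = [d for d in devices if accepted(d, rules)]
        if len(visible) > 1:
            duplicates[uuid] = visible
        elif not visible:
            hidden.append(uuid)
    return duplicates, sorted(hidden)


def shared_with_rescue(rescue_text, guest_text):
    """PV UUIDs present on both the rescue system and the guest's disks."""
    return sorted(set(pv_uuids(rescue_text)) & set(pv_uuids(guest_text)))


if __name__ == "__main__":
    for name, flt in (("loose", LOOSE_FILTER), ("tight", TIGHT_FILTER)):
        dups, hidden = lvm_view(GUEST_BLKID, flt)
        print(name, "duplicates:", dups, "hidden:", hidden)
    print("shared with rescue system:", shared_with_rescue(RESCUE_BLKID, GUEST_BLKID))
```
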



Re: selinux question

2011-02-01 Thread Neale Ferguson
Thanks. I used the chcon command to change the context but am still having 
problems and seeing this in the audit log:

type=AVC msg=audit(1296596790.809:1547): avc:  denied  { execute } for  
pid=14580 comm="snmpd" path="/usr/lib64/snmp/dlmod/dynamo.so" dev=dm-3 
ino=45864 scontext=unconfined_u:system_r:snmpd_t:s0 
tcontext=unconfined_u:system_r:snmpd_t:s0 tclass=file
type=SYSCALL msg=audit(1296596790.809:1547): arch=8016 syscall=90 
per=40 success=no exit=-13 a0=3b17160 a1=6650 a2=5 a3=802 items=0 
ppid=1 pid=14580 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=183 comm="snmpd" exe="/usr/sbin/snmpd" 
subj=unconfined_u:system_r:snmpd_t:s0 key=(null)

ls -RlZ /usr/lib64/snmp/
/usr/lib64/snmp/:
drwxr-xr-x. root root unconfined_u:system_r:snmpd_t:s0 dlmod

/usr/lib64/snmp/dlmod:
-rwxr-xr-x. root root unconfined_u:system_r:snmpd_t:s0 dynamo.so

I am probably being naïve in believing that if the scontext and tcontext match 
above then permission should be granted. I'll do some more reading but I 
thought I'd report back.

On 2/1/11 4:25 PM, "Dan Horák"  wrote:

you need this
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html
and for the right value of the context I would check other files from
the net-snmp package and/or the selinux policy sources



Re: selinux question

2011-02-01 Thread Dan Horák
Neale Ferguson wrote on Tue, 01. 02. 2011 at 15:02 -0600:
> I am playing with some snmpd stuff and on my Fedora 14 system I have
> the daemon up and running and want it to load a shared object. Without
> selinux it works but with it I get the following messages in the audit
> log file:
> 
> type=AVC msg=audit(1296592954.939:1511): avc: denied { read } for
> pid=14084 comm="snmpd" name="dynamo.so" dev=dm-3 ino=45864
> scontext=unconfined_u:system_r:snmpd_t:s0
> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> type=SYSCALL msg=audit(1296592954.939:1511): arch=8016 syscall=5
> per=40 success=no exit=-13 a0=2ccf290 a1=0 a2=2028a88 a3=0
> items=0 ppid=1 pid=14084 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=183 comm="snmpd"
> exe="/usr/sbin/snmpd" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
> 
> What do I need to do to that file and/or to selinux to set the context
> correctly so that the process can read/load the file?

you need this
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html
and for the right value of the context I would check other files from
the net-snmp package and/or the selinux policy sources


Dan



Re: LVM, PAVs, and cloning

2011-02-01 Thread Alan Altmark
On Tuesday, 02/01/2011 at 10:26 EST, Patrick Spinler wrote:
> On 1/31/11 3:27 PM, Mark Post wrote:
> >
> > If I'm remembering correctly, and z/VM does do all the work with PAV for
> > minidisks, then 3-4 should be completely transparent to Linux.
> >
>
> I thought I recalled reading that z/VM only used PAV's for access from
> multiple guests, that each guest only had a single pending I/O to each
> minidisk. :-(  Hope I'm wrong.

If you have PAVs attached to SYSTEM, then CP will transparently use an
available PAV for a *different* minidisk on the same volume (if there is
an I/O queue, of course) OR when a guest is PAV-aware and has defined a
virtual PAV on the minidisk.

In my case, there is only one minidisk (1-END), so CP can't help me.   The
guest is pre-RHEL 6 with PAV awareness and so requires manual multipath
configuration.

I have 60 volumes covered by an additional 480 (static) PAVs.  The volume
group is fixed at 60.   If the stg admin messes with my PAV allocation, I
want to be sure that the volume group will not be affected, as the number
of volumes will not change.  Only the number of paths to the volume will
change.  So if I remove a PAV, I need to change the multipath config.  But
the logical volume should not be affected by that, right?

I do understand that I cannot change the number of base volumes unless I
create a new vg and copy one logical volume to the other.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott



Re: LVM, PAVs, and cloning

2011-02-01 Thread Marcy Cortes
1. Haven't done that due to other i/o things we got going on, but have the HW 
ready to try it
2. ok
3. On the same server or to a different server?   We clone LVM's all the time 
to new servers.   What do you mean by recover?
4. I would think it would be
5. We do that on bunches of 54s too.

We haven't found any UCB queuing yet.  Most of the things we use LVM with are 
big enough that they have most of the vol all for themselves so I wouldn't 
expect much of any.



Marcy 

-Original Message-
From: Linux on 390 Port [mailto:LINUX-390@vm.marist.edu] On Behalf Of Alan 
Altmark
Sent: Monday, January 31, 2011 1:07 PM
To: LINUX-390@vm.marist.edu
Subject: [LINUX-390] LVM, PAVs, and cloning

My turn to ask a question :-)

I have a bunch of Model 54 disk volumes that contain not-quite-fullpack
n-minus-1-cyl minidisks.  Some have 8 static PAVs, some have only 2.

1.  I  want to exploit virtual PAVs (MINIOPT/DEFINE PAVALIAS), as a lot of
I/O will be done to these volumes (multiple of them per guest).
2.  I want to set up LVM to use those PAVs.
3.  I want to be able to clone or recover the LVM to other volumes
4.  I want LVM to be insensitive to the number of PAVs, it being just a
performance improvement mechanism
5.  These are not-quite-fullpack n-minus-1-cyl minidisks

Are there issues that will inhibit me from reaching my goal?

Regards,
  Alan

z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com



selinux question

2011-02-01 Thread Neale Ferguson
I am playing with some snmpd stuff and on my Fedora 14 system I have the daemon 
up and running and want it to load a shared object. Without selinux it works 
but with it I get the following messages in the audit log file:

type=AVC msg=audit(1296592954.939:1511): avc:  denied  { read } for  pid=14084 
comm="snmpd" name="dynamo.so" dev=dm-3 ino=45864 
scontext=unconfined_u:system_r:snmpd_t:s0 
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1296592954.939:1511): arch=8016 syscall=5 per=40 
success=no exit=-13 a0=2ccf290 a1=0 a2=2028a88 a3=0 items=0 ppid=1 
pid=14084 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=183 comm="snmpd" exe="/usr/sbin/snmpd" 
subj=unconfined_u:system_r:snmpd_t:s0 key=(null)

What do I need to do to that file and/or to selinux to set the context 
correctly so that the process can read/load the file?

Neale



SLES 11 strange behavior network

2011-02-01 Thread Rogério Soares
Guys, I've got another ghost in my environment...


I set up my vswitch to use a port group, and gave grant permission to the
SLES 11 SP1 guest..

All works okay, but if I issue LOGOUT on the machine, the network does not come
back until I make some network request FROM this machine.. this request can be a
ping, for example...
The instant I send a ping, the network wakes up...  Has anybody already seen this
behavior? Any clue?

This behavior does not happen if I issue a simple reboot command :-/

Here are my definitions of the vswitch and port group:


VMLAN MACPREF 026101
MOD PORT GROUP GRPSRV01 JOIN 1D00.P0 1E00.P0
DEFINE VSWITCH VSWSVC01 ETHERNET RDEV 0800.P0 GROUP GRPSRV01

MODIFY VSWITCH VSWSVC01 GRANT DB2P101

On Linux, we are currently using VLAN.



Re: LVM, PAVs, and cloning

2011-02-01 Thread Scott Rohling
PAV can be defined at the minidisk level (any size minidisk) by adding a
MINIOPT PAVALIAS statement after the MDISK statement...
Example:

MDISK 200 3390 2500 50 LX0001 MR
MINIOPT PAVALIAS 1200 2200 3200

The virtual machine will now have a 200,1200,2200,3200 all pointing to the
same physical disk and each of which can have a single pending i/o.

For grins - you can do this with a CMS disk -- but I would not access more
than one of the disks at a time.

(I'm ignoring the Linux end of this thing with device mapper and multipath
support and how it actually makes use of these base and alias addresses -
I'm just talking at the virtual guest level here).

Scott Rohling

On Tue, Feb 1, 2011 at 8:26 AM, Patrick Spinler wrote:

> On 1/31/11 3:27 PM, Mark Post wrote:
> >
> > If I'm remembering correctly, and z/VM does do all the work with PAV for
> > minidisks, then 3-4 should be completely transparent to Linux.
> >
>
> I thought I recalled reading that z/VM only used PAV's for access from
> multiple guests, that each guest only had a single pending I/O to each
> minidisk. :-(  Hope I'm wrong.
>
> -- Pat



Re: LVM, PAVs, and cloning

2011-02-01 Thread Patrick Spinler
On 1/31/11 3:27 PM, Mark Post wrote:
>
> If I'm remembering correctly, and z/VM does do all the work with PAV for 
> minidisks, then 3-4 should be completely transparent to Linux.
>

I thought I recalled reading that z/VM only used PAV's for access from
multiple guests, that each guest only had a single pending I/O to each
minidisk. :-(  Hope I'm wrong.

-- Pat



Re: Hipersockets Not working z/Linux to z/VM & z/OS

2011-02-01 Thread Ursula Braun
Kyle,

please try to add line
ARP=no
to your
/etc/sysconfig/network-scripts/ifcfg-hsi0
configuration file.

Regards, Ursula
