[Spacewalk-devel] Spacewalk and SELinux: progress status

2008-12-10 Thread Jan Pazdziora

Hello,

I've committed a couple more changes to the SELinux policy modules
I've been working on, and they seem to give reasonable results now.
You are welcome to change Permissive to Enforcing and give Spacewalk
with SELinux a try.

Some quotes from 
https://fedorahosted.org/spacewalk/wiki/Features/SELinuxNotes :

Currently, with spacewalk-selinux-0.4.1-5.el5 and other
current packages built from master, it is possible to

* install Spacewalk
* configure Spacewalk (spacewalk-setup)
* run Spacewalk:
  o use its WebUI
  o restart it via WebUI
  o run rhnpush and satellite-sync
  o register clients to the Spacewalk server
  o use yum and rhn_check on the client, including
    kickstarting them

With the oracle-xe-selinux-10.2-5.el5, it is possible to run
Oracle XE with SELinux targeted in enforcing. However, it is
necessary to run

# /usr/sbin/groupadd -r dba
# /usr/sbin/useradd -r -M -g dba -d /usr/lib/oracle/xe \
    -s /bin/bash oracle

before installing the oracle-xe-univ package to create the
oracle user as system user (with uid < 500).

Both the oracle-xe configure and creating the database user
via the web interface can be done under Enforcing.

You can report problems either to spacewalk-devel@redhat.com or to
bugzilla and you can report successes to spacewalk-devel@redhat.com
or to the SELinuxNotes wiki page, especially if you find out that
with Enforcing, some other functionality not mentioned in the list
above just works fine as well, without any AVC denials in 
/var/log/audit/audit.log.

Yours,

-- 
Jan Pazdziora
Satellite Engineering, Red Hat

___
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel
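Jan asks testers to report functionality that works under Enforcing "without any AVC denials in /var/log/audit/audit.log". The shell script below is an added example, not part of the message or of the Spacewalk project: it counts AVC denials in audit-log lines so a test run can be judged clean, and groups any remaining denials by source context, target context, object class and permission so they can be reported compactly. The audit lines embedded in it are constructed samples, and the httpd_t, var_t and nfs_t labels in them are illustrative, not taken from the Spacewalk policy.

```shell
#!/bin/sh
# Added example (not from the Spacewalk project): triage AVC denials in
# audit.log output after a test run under Enforcing.

# Constructed sample audit.log lines. Two denials share the same
# source/target/class/permission; one differs (a read on an nfs_t file).
SAMPLE_AUDIT='type=AVC msg=audit(1229000000.123:45): avc:  denied  { write } for  pid=4321 comm="httpd" name="rhn" dev=sda2 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1229000000.123:45): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1229000001.456:46): avc:  denied  { read } for  pid=4322 comm="httpd" name="foo.rpm" dev=0:15 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1229000002.789:47): avc:  denied  { write } for  pid=4321 comm="httpd" name="rhn" dev=sda2 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'

# Print the number of AVC denial records read from stdin. grep -c exits
# 1 when the count is 0, so the "|| true" keeps the function's status 0.
count_avc_denials() {
    grep -c 'type=AVC.*avc: *denied' || true
}

# Succeed (exit 0) only when stdin contains no AVC denials at all: the
# "clean run" the wiki page asks testers to confirm.
audit_run_is_clean() {
    [ "$(count_avc_denials)" -eq 0 ]
}

# Summarise denials on stdin as "<count> <scontext> -> <tcontext> <tclass> { <perms> }",
# most frequent first. Each distinct line is one rule the policy lacks
# (or one mislabelled file), which is what a bug report needs to say.
summarize_avc_denials() {
    awk '
        /type=AVC/ && /avc: *denied/ {
            perm = ""; s = ""; t = ""; c = ""
            # The permission set sits between braces: "denied  { write } for"
            if (match($0, /denied  *[{] [^}]* [}]/)) {
                perm = substr($0, RSTART, RLENGTH)
                sub(/^denied  *[{] */, "", perm)
                sub(/ *[}]$/, "", perm)
            }
            # Pick the key=value fields that identify the denial
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") s = kv[2]
                else if (kv[1] == "tcontext") t = kv[2]
                else if (kv[1] == "tclass") c = kv[2]
            }
            key = s " -> " t " " c " { " perm " }"
            n[key]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc_denials
if printf '%s\n' "$SAMPLE_AUDIT" | audit_run_is_clean; then
    echo "clean run: no AVC denials"
else
    echo "not clean: $(printf '%s\n' "$SAMPLE_AUDIT" | count_avc_denials) AVC denials"
fi
```

On a real server feed it the log directly, for example `summarize_avc_denials < /var/log/audit/audit.log`; an empty summary is the clean run the wiki page asks for, and a non-empty one lists exactly the context pairs worth reporting to spacewalk-devel or bugzilla.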


Re: [Spacewalk-devel] Spacewalk and SELinux: progress status

2008-12-10 Thread Mike McCune

Jan Pazdziora wrote:
> Hello,
>
> I've committed a couple more changes to the SELinux policy modules
> I've been working on, and they seem to give reasonable results now.
> You are welcome to change Permissive to Enforcing and give Spacewalk
> with SELinux a try.
>
> Some quotes from
> https://fedorahosted.org/spacewalk/wiki/Features/SELinuxNotes :
>
> Currently, with spacewalk-selinux-0.4.1-5.el5 and other
> current packages built from master, it is possible to
>
> * install Spacewalk
> * configure Spacewalk (spacewalk-setup)
> * run Spacewalk:
>   o use its WebUI
>   o restart it via WebUI
>   o run rhnpush and satellite-sync
>   o register clients to the Spacewalk server
>   o use yum and rhn_check on the client, including
>     kickstarting them
>
> With the oracle-xe-selinux-10.2-5.el5, it is possible to run
> Oracle XE with SELinux targeted in enforcing. However, it is
> necessary to run
>
> # /usr/sbin/groupadd -r dba
> # /usr/sbin/useradd -r -M -g dba -d /usr/lib/oracle/xe \
>     -s /bin/bash oracle
>
> before installing the oracle-xe-univ package to create the
> oracle user as system user (with uid < 500).
>
> Both the oracle-xe configure and creating the database user
> via the web interface can be done under Enforcing.
>
> You can report problems either to spacewalk-devel@redhat.com or to
> bugzilla and you can report successes to spacewalk-devel@redhat.com
> or to the SELinuxNotes wiki page, especially if you find out that
> with Enforcing, some other functionality not mentioned in the list
> above just works fine as well, without any AVC denials in
> /var/log/audit/audit.log.
>
> Yours,



nice work ... will give it a try next time I install spacewalk.

--
Mike McCune
mmccune AT redhat.com
Engineering   | Portland, OR
RHN Satellite | 650.567.9039x79248



Re: [Spacewalk-devel] Spacewalk and SELinux: progress status

2008-12-16 Thread Mike McCune

Mike McCune wrote:
> Jan Pazdziora wrote:
>> Hello,
>>
>> I've committed a couple more changes to the SELinux policy modules
>> I've been working on, and they seem to give reasonable results now.
>> You are welcome to change Permissive to Enforcing and give Spacewalk
>> with SELinux a try.
>>
>> Some quotes from
>> https://fedorahosted.org/spacewalk/wiki/Features/SELinuxNotes :
>>
>> Currently, with spacewalk-selinux-0.4.1-5.el5 and other
>> current packages built from master, it is possible to
>>
>> * install Spacewalk
>> * configure Spacewalk (spacewalk-setup)


So I'm testing the latest spacewalk-setup on a box that already had a 
manually upgraded 0.4 on it and got pages and pages of:


/sbin/restorecon set context /var/satellite/redhat/1/f34/gnumeric-plugins-extras/1.8.2-2.fc9/x86_64/f34dbff4e83106d619f7398c5f1e8561->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/f34/gnumeric-plugins-extras/1.8.2-2.fc9/x86_64/f34dbff4e83106d619f7398c5f1e8561/gnumeric-plugins-extras-1.8.2-2.fc9.x86_64.rpm->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/openser->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/openser/1.3.1-3.fc9->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/openser/1.3.1-3.fc9/x86_64->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/openser/1.3.1-3.fc9/x86_64/469878ca7e03e64e578100b52799a509->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/openser/1.3.1-3.fc9/x86_64/469878ca7e03e64e578100b52799a509/openser-1.3.1-3.fc9.x86_64.rpm->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/gallery2-ajaxian->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/gallery2-ajaxian/2.2.4-3.fc9->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/gallery2-ajaxian/2.2.4-3.fc9/noarch->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/gallery2-ajaxian/2.2.4-3.fc9/noarch/469cc7afec31571ad4070a19679881e9->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/gallery2-ajaxian/2.2.4-3.fc9/noarch/469cc7afec31571ad4070a19679881e9/gallery2-ajaxian-2.2.4-3.fc9.noarch.rpm->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/gnome-applet-sensors->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/gnome-applet-sensors/1.8.2-2.fc9->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/gnome-applet-sensors/1.8.2-2.fc9/x86_64->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/gnome-applet-sensors/1.8.2-2.fc9/x86_64/469e2324986724a19e8fad28b940f2b6->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/gnome-applet-sensors/1.8.2-2.fc9/x86_64/469e2324986724a19e8fad28b940f2b6/gnome-applet-sensors-1.8.2-2.fc9.x86_64.rpm->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/mythes-en->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/mythes-en/3.0-1.fc9->system_u:object_r:var_t:s0 failed:'Operation not supported'
/sbin/restorecon set context /var/satellite/redhat/1/469/mythes-en/3.0-1.fc9/noarch->system_u:object_r:var_t:s0 failed:'Operation not supported'


I don't have selinux on.  Is this expected?  it took almost 10 minutes 
and I eventually just CTRL+C-ed it.


Mike
--
Mike McCune
mmccune AT redhat.com
Engineering   | Portland, OR
RHN Satellite | 650.567.9039x79248



Re: [Spacewalk-devel] Spacewalk and SELinux: progress status

2008-12-16 Thread Jan Pazdziora
On Tue, Dec 16, 2008 at 01:39:02PM -0800, Mike McCune wrote:
> Mike McCune wrote:
>> Jan Pazdziora wrote:
>>> Hello,
>>>
>>> I've committed a couple more changes to the SELinux policy modules
>>> I've been working on, and they seem to give reasonable results now.
>>> You are welcome to change Permissive to Enforcing and give Spacewalk
>>> with SELinux a try.
>>>
>>> Some quotes from  
>>> https://fedorahosted.org/spacewalk/wiki/Features/SELinuxNotes :
>>>
>>> Currently, with spacewalk-selinux-0.4.1-5.el5 and other
>>> current packages built from master, it is possible to
>>>
>>> * install Spacewalk
>>> * configure Spacewalk (spacewalk-setup)
>
> So I'm testing the latest spacewalk-setup on a box that already had a
> manually upgraded 0.4 on it and got pages and pages of:
>
> /sbin/restorecon set context /var/satellite/redhat/1/f34/gnumeric-plugins-extras/1.8.2-2.fc9/x86_64/f34dbff4e83106d619f7398c5f1e8561->system_u:object_r:var_t:s0 failed:'Operation not supported'
> /sbin/restorecon set context /var/satellite/redhat/1/f34/gnumeric-plugins-extras/1.8.2-2.fc9/x86_64/f34dbff4e83106d619f7398c5f1e8561/gnumeric-plugins-extras-1.8.2-2.fc9.x86_64.rpm->system_u:object_r:var_t:s0 failed:'Operation not supported'

By any chance, is the /var/satellite mounted read-only, possibly NFS
mounted?

> I don't have selinux on.  Is this expected?  it took almost 10 minutes  
> and I eventually just CTRL+C-ed it.

Well yes, we run restorecon on /var/satellite to set correct context,
even if you are not in Enforcing. It is not expected to fail though.

-- 
Jan Pazdziora | adelton at #satellite*, #brno
Satellite Engineering, Red Hat



Re: [Spacewalk-devel] Spacewalk and SELinux: progress status

2008-12-16 Thread Michael DeHaan


>> I don't have selinux on.  Is this expected?  it took almost 10 minutes
>> and I eventually just CTRL+C-ed it.
>
> Well yes, we run restorecon on /var/satellite to set correct context,
> even if you are not in Enforcing. It is not expected to fail though.

Also calling restorecon with selinux disabled probably won't work.
Cobbler makes sure it doesn't bother with restorecon in those instances.

Enable in /etc/selinux, touch /.autorelabel, and reboot?

You'd want to strive for 100% clean runs in setroubleshoot.

FYI -- Recently Dan Walsh recommended I /not/ support SELinux on EL 4,
and only do EL 5 since it was more manageable (supports
public_content_t). Seeing this impacts spacewalk, I would suggest
spacewalk take the same position.

--Michael



Re: [Spacewalk-devel] Spacewalk and SELinux: progress status

2008-12-16 Thread Mike McCune

Jan Pazdziora wrote:
> On Tue, Dec 16, 2008 at 01:39:02PM -0800, Mike McCune wrote:
>> Mike McCune wrote:
>>> Jan Pazdziora wrote:
>>>> Hello,
>>>>
>>>> I've committed a couple more changes to the SELinux policy modules
>>>> I've been working on, and they seem to give reasonable results now.
>>>> You are welcome to change Permissive to Enforcing and give Spacewalk
>>>> with SELinux a try.
>>>>
>>>> Some quotes from
>>>> https://fedorahosted.org/spacewalk/wiki/Features/SELinuxNotes :
>>>>
>>>> Currently, with spacewalk-selinux-0.4.1-5.el5 and other
>>>> current packages built from master, it is possible to
>>>>
>>>> * install Spacewalk
>>>> * configure Spacewalk (spacewalk-setup)
>> So I'm testing the latest spacewalk-setup on a box that already had a
>> manually upgraded 0.4 on it and got pages and pages of:
>>
>> /sbin/restorecon set context /var/satellite/redhat/1/f34/gnumeric-plugins-extras/1.8.2-2.fc9/x86_64/f34dbff4e83106d619f7398c5f1e8561->system_u:object_r:var_t:s0 failed:'Operation not supported'
>> /sbin/restorecon set context /var/satellite/redhat/1/f34/gnumeric-plugins-extras/1.8.2-2.fc9/x86_64/f34dbff4e83106d619f7398c5f1e8561/gnumeric-plugins-extras-1.8.2-2.fc9.x86_64.rpm->system_u:object_r:var_t:s0 failed:'Operation not supported'
>
> By any chance, is the /var/satellite mounted read-only, possibly NFS
> mounted?

yes :-)

>> I don't have selinux on.  Is this expected?  it took almost 10 minutes
>> and I eventually just CTRL+C-ed it.
>
> Well yes, we run restorecon on /var/satellite to set correct context,
> even if you are not in Enforcing. It is not expected to fail though.

Ok...



Re: [Spacewalk-devel] Spacewalk and SELinux: progress status

2008-12-17 Thread Michael DeHaan


> Well, we could check sestatus for disabled.

FWIW, a bit easier: /usr/sbin/selinuxenabled returns 0 if enabled.

Just found out about that recently :)





Re: [Spacewalk-devel] Spacewalk and SELinux: progress status

2008-12-17 Thread Jan Pazdziora
On Tue, Dec 16, 2008 at 07:28:17PM -0500, Michael DeHaan wrote:
>
>> Well yes, we run restorecon on /var/satellite to set correct context,
>> even if you are not in Enforcing. It is not expected to fail though.
>   
> Also calling restorecon with selinux disabled probably won't work.

Well, we could check sestatus for disabled. But in this case the
problem was more related to the mount point (/var/satellite) being
NFS.

> Cobbler makes sure it doesn't bother with restorecon in those instances.
>
> Enable in /etc/selinux, touch /.autorelabel, and reboot?
>
> You'd want to strive for 100% clean runs in setroubleshoot.

Right.

> FYI -- Recently Dan Walsh recommended I /not/ support SELinux on EL 4,
> and only do EL 5 since it was more manageable (supports
> public_content_t). Seeing this impacts spacewalk, I would suggest
> spacewalk take the same position.

Yes, I used to be taking the same position.

-- 
Jan Pazdziora
Satellite Engineering, Red Hat



Re: [Spacewalk-devel] Spacewalk and SELinux: progress status

2008-12-17 Thread Dennis Gilmore
On Wednesday 17 December 2008 02:43:49 pm Michael DeHaan wrote:
> > Well, we could check sestatus for disabled.
>
> FWIW, a bit easier: /usr/sbin/selinuxenabled returns 0 if enabled.
>
> Just found out about that recently :)
or /usr/sbin/getenforce will tell you if it's in enforcing, permissive or
disabled

Dennis



Re: [Spacewalk-devel] Spacewalk and SELinux: progress status

2008-12-18 Thread Michael DeHaan

Dennis Gilmore wrote:
> On Wednesday 17 December 2008 02:43:49 pm Michael DeHaan wrote:
>>> Well, we could check sestatus for disabled.
>>
>> FWIW, a bit easier: /usr/sbin/selinuxenabled returns 0 if enabled.
>>
>> Just found out about that recently :)
> or /usr/sbin/getenforce will tell you if it's in enforcing, permissive or
> disabled
>
> Dennis

Yeah what I meant was the software needs to know when to apply context
based on whether it's enabled/disabled, not whether it's enforcing, to
cover use cases of "trying out in permissive, now switch it".





Re: [Spacewalk-devel] Spacewalk and SELinux: progress status

2009-01-08 Thread Jan Pazdziora
On Tue, Dec 16, 2008 at 07:39:37PM -0800, Mike McCune wrote:
> Jan Pazdziora wrote:
>>> So I'm testing the latest spacewalk-setup on a box that already had a
>>> manually upgraded 0.4 on it and got pages and pages of:
>>>
>>> /sbin/restorecon set context /var/satellite/redhat/1/f34/gnumeric-plugins-extras/1.8.2-2.fc9/x86_64/f34dbff4e83106d619f7398c5f1e8561->system_u:object_r:var_t:s0 failed:'Operation not supported'
>>> /sbin/restorecon set context /var/satellite/redhat/1/f34/gnumeric-plugins-extras/1.8.2-2.fc9/x86_64/f34dbff4e83106d619f7398c5f1e8561/gnumeric-plugins-extras-1.8.2-2.fc9.x86_64.rpm->system_u:object_r:var_t:s0 failed:'Operation not supported'
>>
>> By any chance, is the /var/satellite mounted read-only, possibly NFS
>> mounted?
>
> yes :-)

The new spacewalk-setup-0.4.20-1.el5 which is currently being built
will not bother trying to relabel the NFS-mounted directory and it will
set the spacewalk_nfs_mountpoint to true. You can do this yourself as
well if you do not plan to rerun spacewalk-setup.

It needs the new spacewalk-selinux-0.4.1-7.el5 (which is also being
built) which will then allow operations on NFS /var/satellite.

-- 
Jan Pazdziora | adelton at #satellite*, #brno
Satellite Engineering, Red Hat

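Michael's point that setup code should key on whether SELinux is enabled rather than enforcing, and Jan's fix of not relabeling an NFS-mounted /var/satellite, together describe one decision: when is restorecon worth running at all? The shell script below is an added example, not spacewalk-setup's own code. It maps getenforce output to a state word, finds the filesystem type holding a path from /proc/mounts-style input (the longest matching mount point wins, so an NFS /var/satellite beats an ext3 /var), and skips relabeling when SELinux is disabled or the path is on NFS, the combination that produced the "Operation not supported" wall in Mike's log. The getenforce output and the mount table are passed in as strings so the logic runs offline; the function names and the sample mount table are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from spacewalk-setup): decide whether restorecon should
# run on a directory. Skip when SELinux is disabled (enabled/disabled, not
# enforcing/permissive, is the right test) and when the directory is on NFS.

# Map getenforce output ("Enforcing", "Permissive", "Disabled") to a state
# word. The output is passed as $1 so captured text can be fed in; on a real
# box use: selinux_state "$(/usr/sbin/getenforce 2>/dev/null)".
# Empty output (binary missing or failing) is treated as disabled.
selinux_state() {
    case "$1" in
        Enforcing)  echo enforcing ;;
        Permissive) echo permissive ;;
        *)          echo disabled ;;
    esac
}

# Print the filesystem type of the mount holding PATH ($1), reading
# /proc/mounts style lines (device mountpoint fstype ...) from stdin.
# The mount point with the longest matching prefix is the one in effect.
fstype_of_path() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); fstype = $3 }
            }
        }
        END { print fstype }'
}

# Exit 0 when restorecon should run: SELinux is not disabled and the target
# is not on a network filesystem where setting labels is rejected by the
# server (the "Operation not supported" failures in the thread).
should_relabel() {
    state=$1
    fstype=$2
    [ "$state" != disabled ] || return 1
    case "$fstype" in
        nfs|nfs4) return 1 ;;
    esac
    return 0
}

# Constructed /proc/mounts content: /var/satellite is NFS, /var is ext3.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw 0 0
nfsserver:/export/satellite /var/satellite nfs ro,addr=10.0.0.5 0 0'

# What a setup script would do for one directory. $1 is getenforce output,
# $2 the mount table text, $3 the directory; all three are assumed inputs
# so this runs without root or SELinux.
relabel_decision() {
    state=$(selinux_state "$1")
    fstype=$(printf '%s\n' "$2" | fstype_of_path "$3")
    if should_relabel "$state" "$fstype"; then
        echo "relabel $3 (selinux=$state fstype=$fstype)"
    else
        echo "skip $3 (selinux=$state fstype=$fstype)"
    fi
}

# Demonstration on the constructed inputs
relabel_decision Permissive "$SAMPLE_MOUNTS" /var/satellite/redhat/1
relabel_decision Enforcing  "$SAMPLE_MOUNTS" /var/lib/rhn
relabel_decision Disabled   "$SAMPLE_MOUNTS" /var/lib/rhn
```

In a real setup script the constructed inputs become `$(/usr/sbin/getenforce 2>/dev/null)` and the contents of /proc/mounts; `/usr/sbin/selinuxenabled` from the thread answers the same enabled/disabled question through its exit status. Skipping the relabel only avoids the failed restorecon calls: the NFS-backed files still carry the label the NFS mount gives them, so the policy has to permit Spacewalk's domains to use them, which is what Jan's spacewalk_nfs_mountpoint boolean is for.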