Re: Docker storage on Fedora 25?

2016-12-28 Thread Daniel J Walsh


On 12/27/2016 10:55 AM, Dave Johansen wrote:
> On Tue, Dec 27, 2016 at 5:16 AM, Daniel J Walsh <mailto:dwa...@redhat.com> wrote:
>
> On 12/26/2016 08:39 PM, Matthew Miller wrote:
> > On Mon, Dec 26, 2016 at 12:37:46PM -0700, Dave Johansen wrote:
> >> http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/
> >> Does the above recommendation still hold true with Fedora 25/Docker 1.12.5?
> >> If so, is the configuration the same?
> > Quick glance, yeah, looks still basically right. You have a new option,
> > overlay2, which is a newer Docker driver for OverlayFS and generally
> > preferred. See
> > https://docs.docker.com/engine/userguide/storagedriver/selectadriver/
>
> F25 now uses docker-storage-setup, so the right way to select the
> driver was a bit different, but these instructions showed how to do it:
> https://access.redhat.com/documentation/en/red-hat-enterprise-linux-atomic-host/7/paged/managing-containers/chapter-1-managing-storage-with-docker-formatted-containers#overlay_graph_driver
>
> > *But*, I'm not sure offhand if SELinux support is complete -- I know it
> > *was being worked on.
> >
> SELinux should work fine on F25.  We are working to change the default
> in F26 to the overlay2 driver.
>
> That's good to hear. Do I need to add the :z or :Z when mounting a
> host directory for SELinux to work? If so, will that cause any
> problems when running on Mac/Windows?
>
If you want to share the volume on an SELinux system then you need :z
and :Z; on a non-SELinux system these options will be ignored.  If you
are using a docker client on Mac/Windows and a docker daemon on an
SELinux system, then these options should work fine.
> Thanks for the help,
> Dave
>
>

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


Re: Docker storage on Fedora 25?

2016-12-27 Thread Daniel J Walsh


On 12/26/2016 08:39 PM, Matthew Miller wrote:
> On Mon, Dec 26, 2016 at 12:37:46PM -0700, Dave Johansen wrote:
>> http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/
>> Does the above recommendation still hold true with Fedora 25/Docker 1.12.5?
>> If so, is the configuration the same?
> Quick glance, yeah, looks still basically right. You have a new option,
> overlay2, which is a newer Docker driver for OverlayFS and generally
> preferred. See
> https://docs.docker.com/engine/userguide/storagedriver/selectadriver/
>
> *But*, I'm not sure offhand if SELinux support is complete -- I know it
> *was being worked on.
>
SELinux should work fine on F25.  We are working to change the default
in F26 to the overlay2 driver.


Re: Apache Authentication with System Accounts?

2016-12-24 Thread Daniel J Walsh


On 12/23/2016 05:38 PM, Aero Maxx D wrote:
>> On 23 Dec 2016, at 21:19, Matthew Miller  wrote:
>>
>> Oh, just to check -- any SELinux AVC logged? From the mod_authnz_pam
>> page, you need to do `sudo setsebool -P allow_httpd_mod_auth_pam 1`.
>>
>> Other than that, anything at all else logged?
> Yeah I've done that still the same as before.
>
> mod_authnz_pam: PAM authentication failed for user <>: 
> Authentication failure
>
> user <>: authentication failure for "/": Password Mismatch.
If you put SELinux in permissive mode does it work?  If not, then it is
most likely NOT an SELinux issue.


Re: SELinux forces Fedora 25 upgrade into a reboot loop

2016-11-28 Thread Daniel J Walsh


On 11/25/2016 01:28 PM, Sam Varshavchik wrote:
> Patrick O'Callaghan writes:
>
>> On Fri, 2016-11-25 at 11:08 -0500, Sam Varshavchik wrote:
>> > Wondering if all upgrades with selinux enabled are broken, or just
>> something 
>> > with this particular laptop. This doesn't look like a system-specific 
>> > failure to me, but if all upgrades with enforcing selinux blow up
>> like this, 
>> > I would've expected a lot of noise in here, by now… More details in
>> bug 
>> > 1398696.
>>
>> My system has been enforcing for at least the last 5 versions (possibly
>> more), and I had no problem with this.
>
> What output do you get from:
>
> ls -alZd /var/lib/dnf/system-upgrade
>
> On the one with the problem I get:
>
> drwxr-xr-x. 2 root root unconfined_u:object_r:user_tmp_t:s0 233472 Nov
> 25 10:31 /var/lib/dnf/system-upgrade
>
user_tmp_t means that it was created by a user process in /tmp or
/var/tmp and then mv'd to /var/lib/dnf.

> Now, another one of my laptops shows:
>
> drwxr-xr-x. 2 root root unconfined_u:object_r:rpm_var_lib_t:s0 221184
> Nov 23 16:09 system-upgrade
>
> However that laptop was already running in permissive mode. Still,
> according to rpm:
>
> file /var/lib/dnf/system-upgrade is not owned by any package
>
> After rmdir-ing and mkdir-ing /var/lib/dnf/system-upgrade its selinux
> context is changed to unconfined_u:object_r:rpm_var_lib_t:s0, so I
> think that's where the problem was. Unclear how the former selinux
> context was what it was.
>
Just running

restorecon -R -v /var/lib/dnf

would have fixed the problem.
>
>


Re: Running docker images crashing F25?

2016-09-17 Thread Daniel J Walsh


On 09/16/2016 11:22 PM, Philip Rhoades wrote:
> People,
>
> I couldn't find a specific docker Fedora list so I am posting here -
> feel free to tell me a more appropriate list . .
>
> I decided to live on the edge and did a bare-metal install of F25
> x86_64 a little while ago - it has been going pretty smoothly but in
> the last few days I have been playing around with docker again
> (specifically: cprogrammer/indimail:fedora-23 ie a qmail server) and I
> have had a few spontaneous reboots - one that locked up at a BIOS
> splash screen.
>
> Is this something I should be helping to debug somehow?  I just did a
> full "dnf update" before the last couple of crashes . .
>
> Thanks,
>
> Phil.
I have no idea why docker would be causing this, seems like a bad kernel
or this is a very evil docker image.  :^)

I run Rawhide and have been having no problems.


FYI: systemd as pid one on an unprivileged container.

2016-09-13 Thread Daniel J Walsh
http://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@lists.fedoraproject.org
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Fedora 23 Server: can't startx

2016-03-30 Thread Daniel J Walsh



On 03/30/2016 12:06 PM, Braden McDaniel wrote:
> I have a fresh, updated install of Fedora 23 Server.  After
> installation, I installed the "Basic Desktop" group.  Now, when I try to
> run startx, it fails with the error:
>
>  xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)
>
> Where should I look to diagnose/resolve this?  Could this be related to
> the fact that my home directories are NFS mounted?  (I have set the
> use_nfs_home_dirs SELinux setting to "on".)

What AVC's are you seeing?

ausearch -m avc -ts recent




Re: PulseAudio

2016-03-28 Thread Daniel J Walsh



On 03/25/2016 12:49 PM, Joe Zeff wrote:
> On 03/25/2016 06:58 AM, Richard Ibbotson wrote:
>> On Friday 25 March 2016 09:41:05 Daniel J Walsh wrote:
>>> What avcs are you seeing
>>>
>>> ausearch -m avc -ts recent
>>
>
> Well, that just about proves that SELinux isn't involved, doesn't it?

Well maybe.  Could you get this error to happen again, and then run the
ausearch command. You could also check to see if it happens with setenforce 0.


Re: PulseAudio

2016-03-25 Thread Daniel J Walsh



On 03/25/2016 09:20 AM, Richard Ibbotson wrote:
> Hi
>
> I know a lot of people don't like PulseAudio but that's what comes
> with Fedora 23. My problem is this. After a dnf update I find that
> selinux has done something it didn't do before. PulseAudio has ceased
> to work properly. I'm looking at a dummy output the sound card is not
> found by PulseAudio in my workstation.
>
> I've tried to set permissions for PulseAudio in selinux. This allowed
> the sound server to start up when I did 'service pulseaudio restart' .
> Then there was some kind of error message about some keys not being
> created. Still no sound.
>
> I've seen this somewhere before but can't find it on the internet with
> a search. Tried the PulseAudio site. Can anyone point me in the right
> direction with this ? Also tried man pulseaudio. Nothing useful there

What avcs are you seeing

ausearch -m avc -ts recent




Re: Discourse - DeviceMapper causing corruption?

2016-03-21 Thread Daniel J Walsh

Do we have bugzillas with these Spectacular failures?

On 03/21/2016 03:03 PM, Philip Rhoades wrote:
> People,
>
> I had a couple of issues to sort out with installing the Docker
> Discourse app and while that was being done people made these comments:
>
> "Devicemapper is non starter, fails spectacularly under load and
> causes corruption. We block setup if we detect devicemapper. You need
> aufs or another better supported docker filesystem."
>
> - which was not true - it did install without resorting to aufs.
>
> also:
>
> "Redhat team get very upset when we mention that it just does not work
> for us, but release after release they say there are no bugs left, and
> each time we keep seeing Discourse users complain about corruption due
> to device mapper."
>
> Any comments?
>
> Thanks,
>
> Phil.




Re: SELinux is preventing rsyslogd from getattr access on the file

2015-10-22 Thread Daniel J Walsh
Looks like it wants you to fix your labels on /var/log

restorecon -R -v /var/log


On 10/22/2015 11:00 AM, Neal Becker wrote:
> Oct 22 10:59:22 nbecker2 setroubleshoot: Plugin Exception restorecon_source
> Oct 22 10:59:22 nbecker2 setroubleshoot: SELinux is preventing rsyslogd from 
> getattr access on the file 
> /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~. For complete SELinux messages. run sealert -l 
> e90ea6c1-782b-49f6-8eee-23d630f05551
> Oct 22 10:59:22 nbecker2 python: SELinux is preventing rsyslogd from getattr 
> access on the file 
> /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~.#012#012*  Plugin restorecon (94.8 confidence) 
> suggests   #012#012If you want to fix the label. 
> #012/var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~ default label should be var_log_t.#012Then you can 
> run restorecon.#012Do#012# /sbin/restorecon -v 
> /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~#012#012*  Plugin catchall_labels (5.21 
> confidence) suggests   ***#012#012If you want to allow 
> rsyslogd to have getattr access on the user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~ file#012Then you need to change the label on 
> /var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~#012Do#012# semanage fcontext -a -t FILE_TYPE 
> '/var/log/journal/fccec5c8cc894bf498ba8ffed7383cd0/user-1000@000522048e0844a5-
> c0bb6e169852fd4d.journal~'#012where FILE_TYPE is one of the following: 
> NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, 
> abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, 
> acct_data_t, admin_crontab_tmp_t, afs_logfile_t, aide_log_t, alsa_tmp_t, 
> amanda_log_t, amanda_tmp_t, antivirus_log_t, antivirus_tmp_t, apcupsd_log_t, 
> apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, 
> asterisk_tmp_t, auditadm_sudo_tmp_t, auth_cache_t, automount_tmp_t, 
> awstats_tmp_t, bacula_log_t, bacula_tmp_t, bin_t, bitlbee_log_t, 
> bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t, 
> bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, 
> boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, calamaris_log_t, 
> callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, 
> ccs_var_log_t, cdcc_tmp_t, cert_t, certmaster_var_log_t, cfengine_log_t, 
> cgred_log_t, checkpc_log_t, chrome_sandbox_tmp_t, chronyd_var_log_t, 
> cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t, 
> cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, 
> cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, 
> cobbler_tmp_t, cobbler_var_log_t, cockpit_tmp_t, collectd_script_tmp_t, 
> colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, 
> condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, conman_tmp_t, 
> consolekit_log_t, couchdb_log_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, 
> cron_log_t, crond_tmp_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, 
> cups_pdf_tmp_t, cupscloudprint_log_t, cupsd_log_t, cupsd_lpd_tmp_t, 
> cupsd_tmp_t, cvs_tmp_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, 
> dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, 
> dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, 
> deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, devicekit_tmp_t, 
> devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_snmp_var_log_t, 
> dirsrv_tmp_t, dirsrv_var_log_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, 
> dkim_milter_tmp_t, dlm_controld_var_log_t, dnsmasq_var_log_t, 
> dnssec_trigger_tmp_t, docker_log_t, docker_tmp_t, dovecot_auth_tmp_t, 
> dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, 
> dspam_log_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_log_t, 
> exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, fail2ban_var_lib_t, faillog_t, 
> fenced_tmp_t, fenced_var_log_t, fetchmail_log_t, file_context_t, 
> fingerd_log_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_tmp_t, 
> foghorn_var_log_t, fonts_cache_t, fonts_t, fsadm_log_t, fsadm_tmp_t, 
> fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, 
> gconf_tmp_t, gear_log_t, geoclue_tmp_t, getty_log_t, getty_tmp_t, 
> gfs_controld_var_log_t, git_script_tmp_t, gkeyringd_tmp_t, glance_log_t, 
> glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, 
> gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, 
> groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, hostname_etc_t, 
> httpd_log_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, 
> icecast_log_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, 
> initrc_tmp_t, initrc_var_log_t, initrc_var_ru
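Several replies in this archive come down to the same first step, "what AVCs are you seeing? ausearch -m avc -ts recent", and the rsyslogd thread above shows why: the denial's target type (here a file under /var/log carrying a tmp-style label) tells you whether the fix is a label repair or a policy change. The script below is an added example, not code from the thread or from the SELinux tools: it parses records shaped like the ones ausearch prints, merges them by source type, target type and class into the audit2allow-style rule they amount to, and flags the mislabel pattern the thread diagnoses (a *_tmp_t type outside /tmp or /var/tmp means the file was created elsewhere and moved, so restorecon is the answer rather than an allow rule). The records, paths and contexts are constructed for the example; EXAMPLE stands in for a journal machine-id directory.

```python
"""Triage of SELinux AVC denials (added example, not from the list thread)."""
import re
from collections import defaultdict

# Constructed sample records shaped like audit AVC lines; not real output.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1445526562.101:207): avc:  denied  { getattr } for  '
    'pid=611 comm="rsyslogd" path="/var/log/journal/EXAMPLE/user-1000.journal~" '
    'dev="dm-1" ino=4321 scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1445526562.102:208): avc:  denied  { read open } for  '
    'pid=611 comm="rsyslogd" path="/var/log/journal/EXAMPLE/user-1000.journal~" '
    'dev="dm-1" ino=4321 scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1445530000.500:300): avc:  denied  { search } for  '
    'pid=2200 comm="httpd" name="run" dev="tmpfs" ino=12 '
    'scontext=system_u:system_r:httpd_prewikka_script_t:s0 '
    'tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # An SELinux context is user:role:type:level; the type is what policy keys on.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    rec['permissive'] = rec.get('permissive') == '1'
    return rec


def summarise(lines):
    """Group denials by (source type, target type, class) and merge their permissions."""
    groups = defaultdict(lambda: {'perms': set(), 'paths': set(), 'permissive': False})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['paths'].add(rec.get('path') or rec.get('name', '?'))
        g['permissive'] = g['permissive'] or rec['permissive']
    return groups


def allow_rule(key, perms):
    """The audit2allow-style rule a group corresponds to: something to read, not to install blindly."""
    stype, ttype, tclass = key
    return 'allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms)))


def labeling_hint(rec):
    """The thread's diagnosis: a tmp-type label outside /tmp or /var/tmp points at a mislabel."""
    path = rec.get('path', '')
    if rec['ttype'].endswith('_tmp_t') and not path.startswith(('/tmp/', '/var/tmp/')):
        return ('%s is labeled %s outside a tmp directory: probably created in /tmp and moved; '
                'compare with matchpathcon and fix with restorecon -v rather than a new allow rule'
                % (path or rec.get('name', '?'), rec['ttype']))
    return None


def report(lines):
    """Human-readable triage of a batch of AVC lines."""
    out = []
    for key, g in sorted(summarise(lines).items()):
        out.append(allow_rule(key, g['perms']))
        out.append('  paths: ' + ', '.join(sorted(g['paths'])))
        out.append('  enforced: ' + ('no (permissive)' if g['permissive'] else 'yes'))
    for line in lines:
        rec = parse_avc(line)
        hint = labeling_hint(rec) if rec else None
        if hint and hint not in out:
            out.append('  hint: ' + hint)
    return out


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_AVCS)))
```

The grouping is deliberately the same shape audit2allow uses, so the output can be compared with what that tool proposes; the hint check runs first in practice, because when the target type is simply wrong for the path, an allow rule would paper over a labeling bug and widen the policy for nothing.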

Re: Copying files without losing selinux context

2015-10-11 Thread Daniel J Walsh


On 10/10/2015 05:07 AM, Suvayu Ali wrote:
> Hi Rejy,
>
> On Sat, Oct 10, 2015 at 12:31:59PM +0530, Rejy M Cyriac wrote:
>> On 10/08/2015 06:35 PM, Suvayu Ali wrote:
>>> Yesterday I installed a new SSD in my laptop.  I moved all my files
>>> (/home, /var, /opt) with rsync and rebooted.  However I see the selinux
>>> filecontexts are wrong, and many services are failing because of that,
>>> e.g. the user crontab doesn't load.
>>>
>>>   # ls -Z /var/spool/cron/user
>>>   unconfined_u:object_r:var_spool_t:s0 /var/spool/cron/user
>>>
>>> I did an autorelabel on boot, I also ran `restorecon -p -r /var',
>>> neither helped.  To get the crontab working, I had to change the context
>>> by hand.
>>>
>>>   # chcon --reference=/old/part/spool/cron/user /var/spool/cron/user
>>>   # ls -Z /var/spool/cron/user 
>>>   unconfined_u:object_r:user_cron_spool_t:s0 /var/spool/cron/user
>>>
>>> I would like to know how I can fix the rest, and what I should have used
>>> to do the copy in the first place.  I guess `cp -c' would work, but then
>>> I wouldn't have the ability to resume the transfer.
>> The following would have retained the SELinux contexts
>>
>> rsync with the --xattrs option
>> tar with the --selinux or --xattrs option
> Thanks a lot!  I'll remember this for the future.  Is there any simple
> way to restore the contexts now, after the fact?  If not, maybe
> something like the command below?
>
>   # cd /old && find . -exec chcon --reference=\{\} /var/\{\} \;
>
> Cheers,
>
If you are moving content around you should reset the default labeling.
In this case you could do something like

# semanage fcontext -a -e /var /old
# restorecon -R -v /old

which would make your labels survive a relabel.



Re: SElinux issue

2015-09-29 Thread Daniel J Walsh
Looks like prelude.te provides the prewikka code.

grep prew *
prelude.fc:/usr/share/prewikka/cgi-bin(/.*)?  gen_context(system_u:object_r:prewikka_script_exec_t,s0)
prelude.te: apache_content_template(prewikka)
prelude.te: apache_content_alias_template(prewikka, prewikka)
prelude.te: can_exec(prewikka_script_t, prewikka_script_exec_t)
prelude.te: files_search_tmp(prewikka_script_t)
prelude.te: kernel_read_sysctl(prewikka_script_t)
prelude.te: kernel_search_network_sysctl(prewikka_script_t)
prelude.te: auth_use_nsswitch(prewikka_script_t)
prelude.te: logging_send_syslog_msg(prewikka_script_t)
prelude.te: apache_search_sys_content(prewikka_script_t)
prelude.te: mysql_stream_connect(prewikka_script_t)
prelude.te: mysql_tcp_connect(prewikka_script_t)
prelude.te: postgresql_stream_connect(prewikka_script_t)
prelude.te: postgresql_tcp_connect(prewikka_script_t)

semodule -l | grep prelude





On 09/25/2015 06:51 PM, Paolo Galtieri wrote:
> Daniel,
>   on the machine on which things work there is a prewikka.pp file, but
> on the one that fails there isn't.  On the system
> that fails I have the following prewikka policy file (prewikkapol.te):
>
> module prewikka 1.0;
>
> require {
> type tmp_t;
> type init_var_run_t;
> type httpd_prewikka_script_t;
> type sysfs_t;
> class dir { read search };
> }
>
> #= httpd_prewikka_script_t ==
>
> allow httpd_prewikka_script_t init_var_run_t:dir search;
> allow httpd_prewikka_script_t sysfs_t:dir read;
> allow httpd_prewikka_script_t tmp_t:dir read;
>
> and the corresponding prewikkapol.pp file.
>
> On the system that works I have the following prewikka policy file
> (prewikka.te):
>
> module prewikka 1.0;
>
> require {
> type tmp_t;
> type init_var_run_t;
> type httpd_prewikka_script_t;
> type sysfs_t;
> class dir { read search };
> }
>
> #= httpd_prewikka_script_t ==
>
> allow httpd_prewikka_script_t init_var_run_t:dir search;
> allow httpd_prewikka_script_t sysfs_t:dir read;
> allow httpd_prewikka_script_t tmp_t:dir read;
>
> and the corresponding prewikka.pp file.  So as far as I know the
> prewikka policy files are present, and neither says
> anything about httpd_prewikka_rw_content_t.
>
> Also if I run
>
> semodule -l
>
> the appropriate policy file is shown.
>
> I tried disabling the module:
>
> sudo semodule -d prewikkapol
> [sudo] password for pgaltieri:
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined (No such file or directory).
> libsepol.context_from_record: could not create context structure
> (Invalid argument).
> libsemanage.validate_handler: invalid context
> system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for
> /usr/share/prewikka/htdocs/generated_images [all files] (Invalid
> argument).
> libsemanage.dbase_llist_iterate: could not iterate over records
> (Invalid argument).
> semodule:  Failed!
>
> I tried to remove the module:
>
> sudo semodule -r prewikkapol
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined (No such file or directory).
> libsepol.context_from_record: could not create context structure
> (Invalid argument).
> libsemanage.validate_handler: invalid context
> system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for
> /usr/share/prewikka/htdocs/generated_images [all files] (Invalid
> argument).
> libsemanage.dbase_llist_iterate: could not iterate over records
> (Invalid argument).
> semodule:  Failed!
>
> It does appear though that setsebool still works despite the errors.
>
> Still confused though why I'm seeing the error.
>
> Thanks for the help,
>
> Paolo
>
>
> On 09/25/2015 12:26 PM, Daniel J Walsh wrote:
>> Looks like you might have a prewikka policy around?
>>
>> locate prewikka.pp
>>
>> Did you build a custom policy module?
>>
>> On 09/25/2015 02:30 PM, Paolo Galtieri wrote:
>>> Folks,
>>>I got an SElinux alert this morning.  The suggestion to correct the
>>> problem was to do:
>>>
>>> setsebool -P unconfined_mozilla_plugin_transition 0
>>>
>>> When I did this I got the following response:
>>>
>>> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
>>> defined
>>> libsepol.context_from_record: could not create context structure
>>> libsepol.context_from_string: could not create context structure
>>> libsepol.se

Re: AVC denial and the suggested actio to take (by the setroubleshoot details) window

2015-09-25 Thread Daniel J Walsh


On 09/25/2015 03:55 PM, jd1008 wrote:
>
>
> On 09/25/2015 01:26 PM, Daniel J Walsh wrote:
>>
>> On 09/25/2015 01:54 PM, jd1008 wrote:
>>>
>>> On 09/25/2015 11:28 AM, Daniel J Walsh wrote:
>>>> mount the directory there directly
>>> You mean mount a partition as /home?
>>> I do not have that.
>>>
>> Anyways where are your homedirs?
> Went ahead and did a bind in /etc/fstab
> and it is working OK.
> I hope next relabel will not miss anything :)
>
Well the problem with just a bind is that the code now exists in two
places, and a full relabel could cause the labels to revert to the
alternate label.

Which is why it is still good to put in the semanage fcontext -a -e /home
/PATH

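Two replies in this archive recommend an equivalence rule, `semanage fcontext -a -e /var /old` in the copying-files thread and `semanage fcontext -a -e /home /PATH` here, and both rest on how the default label of a path is computed: the path is first rewritten through the equivalence rules, then the most specific matching file_contexts rule supplies the label, which is what restorecon compares against and why a bind-mounted or symlinked tree without such a rule can lose its labels on a full relabel. The following is an added example, not code from the thread and not libselinux code: a simplified Python model of that lookup. The rule table is a constructed subset in the style of the Fedora policy (the types are the ones named in these threads), the precedence rule (longest literal prefix wins, a later rule breaks ties) is a simplification of libselinux's ordering, and `/old` and `/srv/homes` are assumed stand-ins for the moved trees. `relabel_plan` reports what `restorecon -n -v` would report over a constructed `ls -Z` listing, comparing only the type field as restorecon does by default.

```python
"""Default-label lookup with file-context and equivalence rules (added example)."""
import re

# Constructed subset of file_contexts: (regex, file-type flag or None, context).
# '-d' applies to directories only, '--' to regular files only, None to anything.
FILE_CONTEXTS = [
    (r'/.*', None, 'system_u:object_r:default_t:s0'),
    (r'/var(/.*)?', None, 'system_u:object_r:var_t:s0'),
    (r'/var/log(/.*)?', None, 'system_u:object_r:var_log_t:s0'),
    (r'/var/lib(/.*)?', None, 'system_u:object_r:var_lib_t:s0'),
    (r'/var/lib/dnf(/.*)?', None, 'system_u:object_r:rpm_var_lib_t:s0'),
    (r'/var/spool(/.*)?', None, 'system_u:object_r:var_spool_t:s0'),
    (r'/var/spool/cron', '-d', 'system_u:object_r:cron_spool_t:s0'),
    (r'/var/spool/cron/[^/]+', '--', 'system_u:object_r:user_cron_spool_t:s0'),
    (r'/home', '-d', 'system_u:object_r:home_root_t:s0'),
    (r'/home/[^/]+', '-d', 'unconfined_u:object_r:user_home_dir_t:s0'),
    (r'/home/[^/]+/.+', None, 'unconfined_u:object_r:user_home_t:s0'),
]

# Equivalence rules as (target, source): the target tree is labeled as if it
# were the source tree. These mirror the thread's semanage commands; the
# target paths are assumed for the example.
EQUIVALENCES = [
    ('/old', '/var'),         # semanage fcontext -a -e /var /old
    ('/srv/homes', '/home'),  # semanage fcontext -a -e /home /srv/homes
]

KIND_FLAG = {'dir': '-d', 'file': '--'}
META = re.compile(r'[.^$?*+|\[\](){}\\]')


def apply_equivalence(path, subs):
    """Rewrite a path under an equivalence target onto the source tree (first rule wins)."""
    for target, source in subs:
        if path == target or path.startswith(target + '/'):
            return source + path[len(target):]
    return path


def prefix_len(regex):
    """Length of the literal prefix before the first regex metacharacter (the rule's specificity)."""
    m = META.search(regex)
    return len(regex) if m is None else m.start()


def default_context(path, kind='file', subs=EQUIVALENCES, specs=FILE_CONTEXTS):
    """The context the policy assigns to path, or None if no rule matches."""
    path = apply_equivalence(path, subs)
    best = None
    for regex, ftype, ctx in specs:
        if ftype is not None and ftype != KIND_FLAG[kind]:
            continue
        if re.fullmatch(regex, path) is None:
            continue
        score = prefix_len(regex)
        if best is None or score >= best[0]:  # >= : on a tie the later rule wins
            best = (score, ctx)
    return None if best is None else best[1]


def selinux_type(context):
    """Type field of a user:role:type:level context."""
    return context.split(':')[2]


# Constructed ls -Z style listing: (path, kind, current context).
SAMPLE_LS_Z = [
    ('/var/lib/dnf/system-upgrade', 'dir', 'unconfined_u:object_r:user_tmp_t:s0'),
    ('/old/spool/cron/user', 'file', 'unconfined_u:object_r:var_spool_t:s0'),
    ('/srv/homes/alice', 'dir', 'unconfined_u:object_r:user_home_dir_t:s0'),
]


def relabel_plan(entries, subs=EQUIVALENCES):
    """Entries whose type differs from the default: (path, current type, default type)."""
    plan = []
    for path, kind, current in entries:
        want = default_context(path, kind, subs)
        if want is not None and selinux_type(current) != selinux_type(want):
            plan.append((path, selinux_type(current), selinux_type(want)))
    return plan


if __name__ == '__main__':
    for path, old, new in relabel_plan(SAMPLE_LS_Z):
        print('%s: %s -> %s' % (path, old, new))
```

Running `relabel_plan` with `subs=[]` shows the failure mode behind the bind-mount discussion: without the equivalence rule, everything under `/old` falls through to the catch-all `/.*` rule and would be relabeled `default_t` on the next full relabel, while with the rule in place the tree keeps the labels it would have had under `/var`.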


Re: AVC denial and the suggested actio to take (by the setroubleshoot details) window

2015-09-25 Thread Daniel J Walsh


On 09/25/2015 01:54 PM, jd1008 wrote:
>
>
> On 09/25/2015 11:28 AM, Daniel J Walsh wrote:
>> mount the directory there directly
> You mean mount a partition as /home?
> I do not have that.
>
Anyways where are your homedirs?


Re: SElinux issue

2015-09-25 Thread Daniel J Walsh
Looks like you might have a prewikka policy around? 

locate prewikka.pp

Did you build a custom policy module?

On 09/25/2015 02:30 PM, Paolo Galtieri wrote:
> Folks,
>   I got an SElinux alert this morning.  The suggestion to correct the
> problem was to do:
>
> setsebool -P unconfined_mozilla_plugin_transition 0
>
> When I did this I got the following response:
>
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
>
> I have 2 systems running F22, I got this response on one of the
> systems, but not the other.  When I was running F19 on the affected
> system (prior to upgrading to F22) I did have the prewikka packages
> installed, but I have since removed them.  However, it appears that
> some remnants of those packages remain.
>
> How do I fix this issue?  I looked in the httpd config files and
> couldn't find any reference.
>
> Any help is appreciated.
>
> Paolo



Re: AVC denial and the suggested actio to take (by the setroubleshoot details) window

2015-09-25 Thread Daniel J Walsh
Why use symlinks versus bind mounts?  Or mount the directory there directly.

On 09/24/2015 07:20 PM, jd1008 wrote:
>
>
> On 09/24/2015 04:54 PM, Rahul Sundaram wrote:
>> Hi
>>
>> On Thu, Sep 24, 2015 at 4:20 PM, jd1008 wrote:
>>
>> But /home is a symlink to /home on  another mount point.
>> Would not selinux be "savvy" enough to follow symlinks???
>>
>>
>> Following symlinks can be a security problem.  It is pretty common
>> for that to be restricted by default
>>
>> Rahul
>>
>>
> Agreed.
> Thanks for the heads up.
>



Re: AVC denial and the suggested actio to take (by the setroubleshoot details) window

2015-09-24 Thread Daniel J Walsh


On 09/24/2015 03:15 PM, jd1008 wrote:
>
>
> On 09/24/2015 12:58 PM, Daniel J Walsh wrote:
>> What AVC are you seeing?
>>
>> On 09/24/2015 01:58 PM, jd1008 wrote:
>>> After getting AVC denial, I touched /.autorelabel and rebooted.
>>> Took about 5 minutes to finish re-labeling.
>>> Then, I started to ge more AVC denials.
>>> I clicked on the denial icon and read the details.
>>>
>>> Could someone please explain the argument in the suggested "solution" :
>>> restorecon -v '#SharedObjects'
>>>
>>> What in tarnation is '#SharedObjects'
>>>
>>> The man page for semanage and for restorcon do not even
>>> make use of such notation.
>>>
>>> So, how is a user going to correctly interpret the meaning
>>> of such an opaque item as '#SharedObjects' ?
>>>
>>> The selinux troubleshoot says: (but does not explain where the
>>> #SharedObjects directory is )
>>>
>>>
>>> If you want to allow plugin-containe to have read access on the
>>> #SharedObjects directory
>>> Then you need to change the label on #SharedObjects
>>> Do
>>> # semanage fcontext -a -t FILE_TYPE '#SharedObjects'
>>> where FILE_TYPE is one of the following: NetworkManager_etc_rw_t,
>>> NetworkManager_etc_t, abrt_etc_t, admin_home_t, aiccu_etc_t,
>>> alsa_etc_rw_t, alsa_home_t, antivirus_conf_t, antivirus_home_t,
>>> asterisk_etc_t, audio_home_t, auth_home_t, bin_t, bitlbee_conf_t,
>>> bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t,
>>> cgconfig_etc_t, cgrules_etc_t, chrome_sandbox_home_t, cluster_conf_t,
>>> cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t,

Re: AVC denial and the suggested action to take (by the setroubleshoot details) window

2015-09-24 Thread Daniel J Walsh
What AVC are you seeing?

On 09/24/2015 01:58 PM, jd1008 wrote:
> After getting AVC denial, I touched /.autorelabel and rebooted.
> Took about 5 minutes to finish re-labeling.
> Then, I started to get more AVC denials.
> I clicked on the denial icon and read the details.
>
> Could someone please explain the argument in the suggested "solution" :
> restorecon -v '#SharedObjects'
>
> What in tarnation is '#SharedObjects'
>
> The man page for semanage and for restorecon do not even
> make use of such notation.
>
> So, how is a user going to correctly interpret the meaning
> of such an opaque item as '#SharedObjects' ?
>
> The selinux troubleshoot says: (but does not explain where the
> #SharedObjects directory is )
>
>
> If you want to allow plugin-containe to have read access on the
> #SharedObjects directory
> Then you need to change the label on #SharedObjects
> Do
> # semanage fcontext -a -t FILE_TYPE '#SharedObjects'
> where FILE_TYPE is one of the following:
> Then execut

Re: doing docker build, "SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.", kills wireless

2015-08-20 Thread Daniel J Walsh
You have a bad label on /etc/resolv.conf.

restorecon -v /etc/resolv.conf

I have no idea how this is getting mislabeled.  Are you doing anything
special with /etc/resolv.conf?

Also turn on the cups_execmem boolean

setsebool -P cups_execmem 1


On 08/19/2015 10:10 AM, Robert P. J. Day wrote:
> On Wed, 19 Aug 2015, Rick Stevens wrote:
>
>> On 08/19/2015 08:41 AM, Robert P. J. Day wrote:
>>> On Wed, 19 Aug 2015, Daniel J Walsh wrote:
>>>
>>>>
>>>> On 08/19/2015 07:36 AM, Robert P. J. Day wrote:
>>>>> On Wed, 19 Aug 2015, Daniel J Walsh wrote:
>>>>>
>>>>>> On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
>>>>>>> On Tue, 18 Aug 2015, Robert P. J. Day wrote:
>>>>>>>
>>>>>>>>   by now, i'm getting *really* good at debugging. was doing a simple
>>>>>>>> docker build (docker-1.8.1) with first few lines of Dockerfile (which
>>>>>>>> worked fine not that long ago):
>>>>>>>>
>>>>>>>>   FROM ubuntu:14.04
>>>>>>>>   MAINTAINER Robert P. J. Day
>>>>>>>>   ENV REFRESHED_AT 2015-08-18
>>>>>>>>
>>>>>>>>   RUN apt-get -y -q update && apt-get -y -q install nginx
>>>>>>>>   ... snip ...
>>>>>>>>
>>>>>>>> and it was *entirely* reproducible that the instant docker started to
>>>>>>>> process that "RUN apt-get" command, the wireless connection on my
>>>>>>>> Fedora 22 laptop was blown away. grabbed this from SELinux:
>>>>>>>>
>>>>>>>> = start =
>>>>>>>>
>>>>>>>> SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the
>>>>>>>> sigchld access on a process.
>>>>>>>> *  Plugin catchall (100. confidence) suggests
>>>>>>>> **
>>>>>>>> If you believe that abrt-hook-ccpp should be allowed sigchld access on
>>>>>>>> processes labeled kernel_t by default.
>>>>>>>> Then you should report this as a bug.
>>>>>>>> You can generate a local policy module to allow this access.
>>>>>>>> Do
>>>>>>>> allow this access for now by executing:
>>>>>>>> # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
>>>>>>>> # semodule -i mypol.pp
>>>>>>>>
>>>>>>>> Additional Information:
>>>>>>>> Source Context                system_u:system_r:NetworkManager_t:s0
>>>>>>>> Target Context                system_u:system_r:kernel_t:s0
>>>>>>>> Target Objects                Unknown [ process ]
>>>>>>>> Source                        abrt-hook-ccpp
>>>>>>>> Source Path                   /usr/libexec/abrt-hook-ccpp
>>>>>>>> Port
>>>>>>>> Host                          localhost.localdomain
>>>>>>>> Source RPM Packages           abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
>>>>>>>> Target RPM Packages
>>>>>>>> Policy RPM                    selinux-policy-3.13.1-128.10.fc22.noarch
>>>>>>>> Selinux Enabled               True
>>>>>>>> Policy Type                   targeted
>>>>>>>> Enforcing Mode                Permissive
>>>>>>>> Host Name                     localhost.localdomain
>>>>>>>> Platform                      Linux localhost.localdomain 4.1.5-200.fc22.x86_64
>>>>>>>>                               #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
>>>>>>>> Alert Count                   1
>>>>>>>> First Seen                    2015-08-18 12:57:36 EDT
>>>>>>>> Last Seen                     2015-08-18 12:57:36 EDT
>>>>>>>> Local ID                      523c8bed-7428-49e7-b301-3a932852b135
>>>>>>>>
>>>>>>>> Raw Audit Messages
>>>>>>>> type=AVC msg=audit(1439917056.327:640): avc:  denied  { sigchld } for
>>>>>>>> pid=4555 comm="abrt-hook-ccpp" scontext=system_u:system_r:NetworkManager_t:s0
>>>>>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
>>>>

Re: doing docker build, "SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.", kills wireless

2015-08-19 Thread Daniel J Walsh


On 08/19/2015 08:03 AM, Robert P. J. Day wrote:
> On Wed, 19 Aug 2015, Daniel J Walsh wrote:
>
>> With SELinux disabled you should not be getting any AVCs.
>>
>> If you turn SELinux back on and do a full relabel, I think the problem
>> will go away.
>>
>> Something is crashing though which is causing the AVC
>   as in, enabled and not just permissive?
>
> rday
>
Either way.
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: doing docker build, "SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.", kills wireless

2015-08-19 Thread Daniel J Walsh


On 08/19/2015 07:36 AM, Robert P. J. Day wrote:
> On Wed, 19 Aug 2015, Daniel J Walsh wrote:
>
>> On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
>>> On Tue, 18 Aug 2015, Robert P. J. Day wrote:
>>>
>>>>   by now, i'm getting *really* good at debugging. was doing a simple
>>>> docker build (docker-1.8.1) with first few lines of Dockerfile (which
>>>> worked fine not that long ago):
>>>>
>>>>   FROM ubuntu:14.04
>>>>   MAINTAINER Robert P. J. Day
>>>>   ENV REFRESHED_AT 2015-08-18
>>>>
>>>>   RUN apt-get -y -q update && apt-get -y -q install nginx
>>>>   ... snip ...
>>>>
>>>> and it was *entirely* reproducible that the instant docker started to
>>>> process that "RUN apt-get" command, the wireless connection on my
>>>> Fedora 22 laptop was blown away. grabbed this from SELinux:
>>>>
>>>> = start =
>>>>
>>>> SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld 
>>>> access on a process.
>>>>
>>>> *  Plugin catchall (100. confidence) suggests   
>>>> **
>>>>
>>>> If you believe that abrt-hook-ccpp should be allowed sigchld access on 
>>>> processes labeled kernel_t by default.
>>>> Then you should report this as a bug.
>>>> You can generate a local policy module to allow this access.
>>>> Do
>>>> allow this access for now by executing:
>>>> # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
>>>> # semodule -i mypol.pp
>>>>
>>>> Additional Information:
>>>> Source Context                system_u:system_r:NetworkManager_t:s0
>>>> Target Context                system_u:system_r:kernel_t:s0
>>>> Target Objects                Unknown [ process ]
>>>> Source                        abrt-hook-ccpp
>>>> Source Path                   /usr/libexec/abrt-hook-ccpp
>>>> Port
>>>> Host                          localhost.localdomain
>>>> Source RPM Packages           abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
>>>> Target RPM Packages
>>>> Policy RPM                    selinux-policy-3.13.1-128.10.fc22.noarch
>>>> Selinux Enabled               True
>>>> Policy Type                   targeted
>>>> Enforcing Mode                Permissive
>>>> Host Name                     localhost.localdomain
>>>> Platform                      Linux localhost.localdomain 4.1.5-200.fc22.x86_64
>>>>                               #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
>>>> Alert Count                   1
>>>> First Seen                    2015-08-18 12:57:36 EDT
>>>> Last Seen                     2015-08-18 12:57:36 EDT
>>>> Local ID                      523c8bed-7428-49e7-b301-3a932852b135
>>>>
>>>> Raw Audit Messages
>>>> type=AVC msg=audit(1439917056.327:640): avc:  denied  { sigchld } for  
>>>> pid=4555 comm="abrt-hook-ccpp" 
>>>> scontext=system_u:system_r:NetworkManager_t:s0 
>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
>>>>
>>>>
>>>> type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 
>>>> success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 
>>>> pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
>>>> fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp 
>>>> exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 
>>>> key=(null)
>>>>
>>>> Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld
>>>>
>>>> = end =
>>>   followup to the above ... i ran the suggested selinux-related
>>> commands, but that had no apparent effect, so i'm still stuck. for
>>> people who know docker, you'll recognize that the error occurred at
>>> the first instruction in the Dockerfile that requires network access,
>>> the "RUN apt-get ..." command (i already have the ubuntu base image on
>>> my system).
>>>
>>>   i grabbed a few hundred lines from "journalctl" and stuck them here:
>>> http://pastebin.com/KzrYMFvC. you can see the very first command there
>>> i

Re: doing docker build, "SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.", kills wireless

2015-08-19 Thread Daniel J Walsh


On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
> On Tue, 18 Aug 2015, Robert P. J. Day wrote:
>
>>   by now, i'm getting *really* good at debugging. was doing a simple
>> docker build (docker-1.8.1) with first few lines of Dockerfile (which
>> worked fine not that long ago):
>>
>>   FROM ubuntu:14.04
>>   MAINTAINER Robert P. J. Day
>>   ENV REFRESHED_AT 2015-08-18
>>
>>   RUN apt-get -y -q update && apt-get -y -q install nginx
>>   ... snip ...
>>
>> and it was *entirely* reproducible that the instant docker started to
>> process that "RUN apt-get" command, the wireless connection on my
>> Fedora 22 laptop was blown away. grabbed this from SELinux:
>>
>> = start =
>>
>> SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld 
>> access on a process.
>>
>> *  Plugin catchall (100. confidence) suggests   
>> **
>>
>> If you believe that abrt-hook-ccpp should be allowed sigchld access on 
>> processes labeled kernel_t by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>> Additional Information:
>> Source Context                system_u:system_r:NetworkManager_t:s0
>> Target Context                system_u:system_r:kernel_t:s0
>> Target Objects                Unknown [ process ]
>> Source                        abrt-hook-ccpp
>> Source Path                   /usr/libexec/abrt-hook-ccpp
>> Port
>> Host                          localhost.localdomain
>> Source RPM Packages           abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.13.1-128.10.fc22.noarch
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Permissive
>> Host Name                     localhost.localdomain
>> Platform                      Linux localhost.localdomain 4.1.5-200.fc22.x86_64
>>                               #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
>> Alert Count                   1
>> First Seen                    2015-08-18 12:57:36 EDT
>> Last Seen                     2015-08-18 12:57:36 EDT
>> Local ID                      523c8bed-7428-49e7-b301-3a932852b135
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1439917056.327:640): avc:  denied  { sigchld } for  
>> pid=4555 comm="abrt-hook-ccpp" 
>> scontext=system_u:system_r:NetworkManager_t:s0 
>> tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
>>
>>
>> type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 
>> success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 
>> pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
>> fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp 
>> exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)
>>
>> Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld
>>
>> = end =
>
>   followup to the above ... i ran the suggested selinux-related
> commands, but that had no apparent effect, so i'm still stuck. for
> people who know docker, you'll recognize that the error occurred at
> the first instruction in the Dockerfile that requires network access,
> the "RUN apt-get ..." command (i already have the ubuntu base image on
> my system).
>
>   i grabbed a few hundred lines from "journalctl" and stuck them here:
> http://pastebin.com/KzrYMFvC. you can see the very first command there
> is the docker invocation:
>
> Aug 19 05:24:35 localhost.localdomain sudo[4190]:   rpjday : TTY=pts/0
> ; PWD=/home/rpjday/docker/TDB/sample ; USER=root ; COMMAND=/bin/docker
> build -t jamtur01/nginx .
>
>   thoughts? is it bugzilla time?
>
> rday
>
Yes, open a bugzilla, although this is a very strange AVC.  It basically
shows abrt-hook-ccpp executing under networkmanager domain and sending
sigchld to kernel_t.

Why would networkmanager execed processes be sending a sigchld to a
kernel process?
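As an added example (not code from the thread, setroubleshoot or audit2allow), here is a small parser for the two raw audit records quoted above: it pulls out the source and target domains, shows the allow rule the suggested `audit2allow -M mypol` step would generate from this AVC, and lines the AVC up against its SYSCALL record. The inputs are the report's own two records, re-joined onto single lines.

```python
"""Parse the AVC and SYSCALL audit records quoted in this thread and derive what
audit2allow would turn them into. Example code added to the thread, not part of
setroubleshoot or audit2allow."""
import re

# Constructed input: the two records from the report above, re-joined onto one
# line each (the archive wrapped them).
AVC_LINE = (
    'type=AVC msg=audit(1439917056.327:640): avc:  denied  { sigchld } for '
    'pid=4555 comm="abrt-hook-ccpp" scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1'
)
SYSCALL_LINE = (
    'type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 '
    'success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 '
    'pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp '
    'exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)'
)

_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\b")


def parse_record(line):
    """Return one audit record as a dict of its key=value fields.

    'event' is the serial inside msg=audit(ts:serial); records belonging to one
    event (here the AVC and its SYSCALL) share it. AVC records additionally get
    'result' and the list of 'perms' that were checked.
    """
    m = _MSG_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: no msg=audit(...) stamp")
    rec = {"timestamp": m.group(1), "event": m.group(2)}
    for key, value in _KV_RE.findall(line):
        rec.setdefault(key, value.strip('"'))
    if rec.get("type") == "AVC":
        a = _AVC_RE.search(line)
        if a is None:
            raise ValueError("malformed AVC record: %s" % line)
        rec["result"] = a.group(1)
        rec["perms"] = a.group(2).split()
    return rec


def context_type(context):
    """user:role:type:level -> type, e.g. NetworkManager_t."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %s" % context)
    return parts[2]


def audit2allow_rule(avc):
    """The allow rule `audit2allow -M mypol` would emit for this AVC."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        context_type(avc["scontext"]), context_type(avc["tcontext"]),
        avc["tclass"], perm_text)


def correlate(avc, syscall):
    """Line the AVC up with its SYSCALL record and summarize who did what.

    subj in the SYSCALL record is the domain of the task that made the syscall;
    scontext in the AVC is the domain the access check was made for. For the
    records above they differ (kernel_t vs NetworkManager_t), one more reason,
    beside the domain crossing Dan questions, to report this rather than load
    the generated module.
    """
    same = avc["event"] == syscall["event"]
    subj_type = context_type(syscall["subj"]) if same and "subj" in syscall else None
    source = context_type(avc["scontext"])
    return {
        "same_event": same,
        "syscall": syscall.get("syscall"),
        "exe": syscall.get("exe"),
        "subj_type": subj_type,
        "source_type": source,
        "target_type": context_type(avc["tcontext"]),
        "subj_matches_scontext": same and subj_type == source,
        # permissive=1 means the access was logged but not blocked
        "enforced": avc.get("permissive") != "1",
    }


if __name__ == "__main__":
    avc = parse_record(AVC_LINE)
    print(audit2allow_rule(avc))
    for key, value in correlate(avc, parse_record(SYSCALL_LINE)).items():
        print("%-22s %s" % (key, value))
```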


Re: current/proposed docker-related packages?

2015-08-17 Thread Daniel J Walsh


On 08/17/2015 08:06 AM, Daniel J Walsh wrote:
>
> On 08/16/2015 05:04 AM, Robert P. J. Day wrote:
>> On Sat, 15 Aug 2015, Kenneth Wolcott wrote:
>>
>>> I have a related question about Fedora docker packages.  There seems
>>> to be a docker-engine at version 1.8.1 and docker at version 1.7.1.
>>> I'd like to have docker AND docker engine at the same version,
>>> preferably at 1.8.1.  I don't mind having to get docker-compose and
>>> docker-machine via the docker website directly, but it would also be
>>> nice to get them via the normal Fedora repositories.  Even though
>>> docker-machine appears to be broken for all Linux distributions that
>>> I've tried when running with a local vm (VirtualBox) rather than a
>>> cloud (AWS).  docker-swarm is still considered beta, so I could see
>>> why that might not be provided via a Fedora repository.
>>   you've summed up my wish list nicely ... i'm just trying to make a
>> list of where to get all the cool stuff in the docker ecosystem,
>> either as an official fedora package or, if not, then from docker.com
>> directly.
>>
>>   as i read it (and i'm willing to be corrected), there will be some
>> package renaming in the near future, either synchronized with when
>> docker 1.8 gets packaged with fedora, or with f23, or maybe both. i
>> found this page of docker-related fedora packages:
>>
>> https://admin.fedoraproject.org/pkgdb/packages/docker*/
>>
>> and i know what *was* docker-io is now docker, and that's going to
>> become docker-engine, is it not? oddly, that list includes
>> docker-compose as being approved in f22, but i don't yet see it in
>> "dnf search", so i can only assume it's coming. same thing with
>> docker-client? docker-machine? etc, etc.
>>
>>   regarding other possible packages, i ran across this page at
>> docker.com, talking about kitematic:
>>
>>   http://docs.docker.com/kitematic/
>>
>> which refers to something called the "docker toolbox", but it looks
>> like all that is windows/mac only:
>>
>>   https://www.docker.com/toolbox
>>
>> and as d walsh(?) mentioned recently, the improved builder "dock" has
>> been renamed to "atomic-reactor". like i said, i'm just trying to keep
>> up.
>>
>> rday
>>
> docker-1.8.1 (docker-engine) should be out soon.  I believe lokesh is
> working on packaging up the other docker content for Fedora.
> I am not a big fan of changing the name of docker to docker-engine at
> this time. (We just changed it from docker-io to docker, and would
> probably have to alias it anyways.)
>
> Lokesh, can you add a provides docker-engine to the docker package?
>
Looks like docker-1.8.1-1.git9281dc3.fc22 is in updates-testing?
docker-1.8.1-1.git3c1d7c8.fc23
<http://koji.fedoraproject.org/koji/buildinfo?buildID=677363> is also
built and I believe moving along.

docker-1.9.0-2.gitf8950e0.fc24
<http://koji.fedoraproject.org/koji/buildinfo?buildID=677354> is in Rawhide.




Re: current/proposed docker-related packages?

2015-08-17 Thread Daniel J Walsh


On 08/16/2015 05:04 AM, Robert P. J. Day wrote:
> On Sat, 15 Aug 2015, Kenneth Wolcott wrote:
>
>> I have a related question about Fedora docker packages.  There seems
>> to be a docker-engine at version 1.8.1 and docker at version 1.7.1.
>> I'd like to have docker AND docker engine at the same version,
>> preferably at 1.8.1.  I don't mind having to get docker-compose and
>> docker-machine via the docker website directly, but it would also be
>> nice to get them via the normal Fedora repositories.  Even though
>> docker-machine appears to be broken for all Linux distributions that
>> I've tried when running with a local vm (VirtualBox) rather than a
>> cloud (AWS).  docker-swarm is still considered beta, so I could see
>> why that might not be provided via a Fedora repository.
>   you've summed up my wish list nicely ... i'm just trying to make a
> list of where to get all the cool stuff in the docker ecosystem,
> either as an official fedora package or, if not, then from docker.com
> directly.
>
>   as i read it (and i'm willing to be corrected), there will be some
> package renaming in the near future, either synchronized with when
> docker 1.8 gets packaged with fedora, or with f23, or maybe both. i
> found this page of docker-related fedora packages:
>
> https://admin.fedoraproject.org/pkgdb/packages/docker*/
>
> and i know what *was* docker-io is now docker, and that's going to
> become docker-engine, is it not? oddly, that list includes
> docker-compose as being approved in f22, but i don't yet see it in
> "dnf search", so i can only assume it's coming. same thing with
> docker-client? docker-machine? etc, etc.
>
>   regarding other possible packages, i ran across this page at
> docker.com, talking about kitematic:
>
>   http://docs.docker.com/kitematic/
>
> which refers to something called the "docker toolbox", but it looks
> like all that is windows/mac only:
>
>   https://www.docker.com/toolbox
>
> and as d walsh(?) mentioned recently, the improved builder "dock" has
> been renamed to "atomic-reactor". like i said, i'm just trying to keep
> up.
>
> rday
>
docker-1.8.1 (docker-engine) should be out soon.  I believe lokesh is
working on packaging up the other docker content for Fedora.
I am not a big fan of changing the name of docker to docker-engine at
this time. (We just changed it from docker-io to docker, and would
probably have to alias it anyways.)

Lokesh, can you add a provides docker-engine to the docker package?



Re: fedora-dockerfiles: "LABEL" lines in cockpit-ws sample file look weird

2015-08-10 Thread Daniel J Walsh
Wow, we removed this command a while ago and I guess forgot to remove
the man page.

atomic info

Will show you the labels.

The latest atomic has added a --display command

atomic install imagename --display

Will show the command that will be executed without executing it.



On 08/10/2015 02:53 PM, Robert P. J. Day wrote:
> On Mon, 10 Aug 2015, Daniel J Walsh wrote:
>
>> Here are a couple of blogs on the atomic command
>>
>> http://developerblog.redhat.com/2015/04/21/introducing-the-atomic-command/
>> http://www.projectatomic.io/blog/2015/04/using-environment-substitution-with-the-atomic-command/
>>
>> The atomic command is available for both Fedora and Fedora Atomic Host.
>   hmm ... didn't take long to run into issues:
>
> $ man atomic-defaults
>
> ATOMIC(1)                       January 2015                       ATOMIC(1)
>
> NAME
>atomic - List default commands
>
> SYNOPSIS
>atomic defaults [-h] IMAGE
>
> DESCRIPTION
>atomic defaults list default commands with which atomic will 
> RUN/INSTALL/REMOVE containers.
> ... snip ...
>
>   ok, then:
>
> $ atomic defaults fedora
> /usr/bin/atomic: invalid choice: 'defaults' (choose from 'info',
> 'install', 'images', 'mount', 'stop', 'run', 'uninstall', 'unmount',
> 'update', 'upload', 'version', 'verify')
> Try 'atomic --help' for more information.
> $
>
>   the list in that error message isn't even complete (it's missing
> "atomic host"), but why does the "atomic" command not accept the
> "defaults" subcommand?
>
> rday
>



Re: fedora-dockerfiles: "LABEL" lines in cockpit-ws sample file look weird

2015-08-10 Thread Daniel J Walsh
Here are a couple of blogs on the atomic command

http://developerblog.redhat.com/2015/04/21/introducing-the-atomic-command/
http://www.projectatomic.io/blog/2015/04/using-environment-substitution-with-the-atomic-command/

The atomic command is available for both Fedora and Fedora Atomic Host.

On 08/10/2015 08:43 AM, Daniel J Walsh wrote:
>
> On 08/10/2015 08:31 AM, Robert P. J. Day wrote:
>> On Mon, 10 Aug 2015, Daniel J Walsh wrote:
>>
>>> On 08/10/2015 05:43 AM, Robert P. J. Day wrote:
>>>>   brief digression from my discussion of docker roadmap and stuff like
>>>> that ... i'm using the sample Dockerfiles from the
>>>> "fedora-dockerfiles" package to demonstrate various Dockerfile
>>>> instructions in an upcoming course, and i ran across this:
>>>>
>>>> cockpit-ws/Dockerfile:LABEL INSTALL /usr/bin/docker run -ti --rm 
>>>> --privileged -v /:/host IMAGE /container/atomic-install
>>>> cockpit-ws/Dockerfile:LABEL UNINSTALL /usr/bin/docker run -ti --rm 
>>>> --privileged -v /:/host IMAGE /cockpit/atomic-uninstall
>>>> cockpit-ws/Dockerfile:LABEL RUN /usr/bin/docker run -d --privileged 
>>>> --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh
>>>>
>>>> i have no idea what those lines mean, they don't even seem valid as
>>>> the documentation suggests the proper form of a Dockerfile LABEL
>>>> instruction requires an "=" sign.
>>>>
>>>>   what does the above mean, if anything?
>>>>
>>>> rday
>>>>
>>> I think the = sign is optional.
>>   ah, "man Dockerfile" doesn't mention that -- bugzilla time?
>>
>>> Although I would prefer it in the form of
>>>
>>> LABEL INSTALL="/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE 
>>> /container/atomic-install"
>>   as would i. by the way, i'm assuming there's nothing magical about
>> the labels INSTALL, UNINSTALL or RUN, right? they're simply being
>> added as metadata to the image as documentation that someone can dig
>> out later with "docker inspect"? beyond that, they have no special
>> power, is that correct?
> The special power is that the "atomic run|install|uninstall" command will
> automatically use them.
>
> atomic install cockpit-ws
>
> Does a
>
> docker pull cockpit-ws
>
> Then docker inspect to get the INSTALL label,
> then it executes the INSTALL label substituting environment variables
> like ${NAME} and ${IMAGE}
>
> Do a man atomic.
>
>>> And with the latest atomic we now support
>>>
>>> LABEL INSTALL="/usr/bin/docker run -ti --rm --privileged -v /:/host 
>>> \${IMAGE} /container/atomic-install"
>>   just to clarify these two uses of IMAGE, the first one will simply
>> keep the literal string "IMAGE", correct? while the second will use
>> escaping so that the label saved will incorporate the literal string
>> "${IMAGE}" -- i'm assuming to show the reader that that is supposed to
>> represent an image name?
>>
>> rday
>>
> No, in either case IMAGE will be substituted with the image specified on the
> atomic install command.
>
>



Re: fedora-dockerfiles: "LABEL" lines in cockpit-ws sample file look weird

2015-08-10 Thread Daniel J Walsh


On 08/10/2015 08:31 AM, Robert P. J. Day wrote:
> On Mon, 10 Aug 2015, Daniel J Walsh wrote:
>
>>
>> On 08/10/2015 05:43 AM, Robert P. J. Day wrote:
>>>   brief digression from my discussion of docker roadmap and stuff like
>>> that ... i'm using the sample Dockerfiles from the
>>> "fedora-dockerfiles" package to demonstrate various Dockerfile
>>> instructions in an upcoming course, and i ran across this:
>>>
>>> cockpit-ws/Dockerfile:LABEL INSTALL /usr/bin/docker run -ti --rm 
>>> --privileged -v /:/host IMAGE /container/atomic-install
>>> cockpit-ws/Dockerfile:LABEL UNINSTALL /usr/bin/docker run -ti --rm 
>>> --privileged -v /:/host IMAGE /cockpit/atomic-uninstall
>>> cockpit-ws/Dockerfile:LABEL RUN /usr/bin/docker run -d --privileged 
>>> --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh
>>>
>>> i have no idea what those lines mean, they don't even seem valid as
>>> the documentation suggests the proper form of a Dockerfile LABEL
>>> instruction requires an "=" sign.
>>>
>>>   what does the above mean, if anything?
>>>
>>> rday
>>>
>> I think the = sign is optional.
>   ah, "man Dockerfile" doesn't mention that -- bugzilla time?
>
>> Although I would prefer it in the form of
>>
>> LABEL INSTALL="/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE 
>> /container/atomic-install"
>   as would i. by the way, i'm assuming there's nothing magical about
> the labels INSTALL, UNINSTALL or RUN, right? they're simply being
> added as metadata to the image as documentation that someone can dig
> out later with "docker inspect"? beyond that, they have no special
> power, is that correct?
The special power is that the "atomic run|install|uninstall" command will
automatically use them.

atomic install cockpit-ws

Does a

docker pull cockpit-ws

Then docker inspect to get the INSTALL label,
then it executes the INSTALL label substituting environment variables
like ${NAME} and ${IMAGE}

Do a man atomic.

>> And with the latest atomic we now support
>>
>> LABEL INSTALL="/usr/bin/docker run -ti --rm --privileged -v /:/host 
>> \${IMAGE} /container/atomic-install"
>   just to clarify these two uses of IMAGE, the first one will simply
> keep the literal string "IMAGE", correct? while the second will use
> escaping so that the label saved will incorporate the literal string
> "${IMAGE}" -- i'm assuming to show the reader that that is supposed to
> represent an image name?
>
> rday
>
No, in either case IMAGE will be substituted with the image specified on the
atomic install command.


-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: fedora-dockerfiles: "LABEL" lines in cockpit-ws sample file look weird

2015-08-10 Thread Daniel J Walsh


On 08/10/2015 05:43 AM, Robert P. J. Day wrote:
>   brief digression from my discussion of docker roadmap and stuff like
> that ... i'm using the sample Dockerfiles from the
> "fedora-dockerfiles" package to demonstrate various Dockerfile
> instructions in an upcoming course, and i ran across this:
>
> cockpit-ws/Dockerfile:LABEL INSTALL /usr/bin/docker run -ti --rm --privileged 
> -v /:/host IMAGE /container/atomic-install
> cockpit-ws/Dockerfile:LABEL UNINSTALL /usr/bin/docker run -ti --rm 
> --privileged -v /:/host IMAGE /cockpit/atomic-uninstall
> cockpit-ws/Dockerfile:LABEL RUN /usr/bin/docker run -d --privileged 
> --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh
>
> i have no idea what those lines mean, they don't even seem valid as
> the documentation suggests the proper form of a Dockerfile LABEL
> instruction requires an "=" sign.
>
>   what does the above mean, if anything?
>
> rday
>
I think the = sign is optional.  Although I would prefer it in the form of

LABEL INSTALL="/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install"

And with the latest atomic we now support

LABEL INSTALL="/usr/bin/docker run -ti --rm --privileged -v /:/host \${IMAGE} /container/atomic-install"




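The two LABEL forms discussed in this thread, and the substitution that `atomic install` performs on them, as an added Python example (this is not code from atomic, fedora-dockerfiles or this thread). It parses both `LABEL KEY value` and `LABEL KEY="value"`, joins backslash continuations, treats `\$` as the Dockerfile escape that keeps `${IMAGE}` literal in the stored label, and then previews what the label would run once the image name is filled in. The substitution rules (both `${IMAGE}` and a bare `IMAGE` argument are replaced, likewise `NAME`) follow what Dan describes above and are an assumption about atomic's exact behaviour; the Dockerfile text, the image name `fedora/cockpit-ws` and the list of flagged options are constructed for the example.

```python
"""Parse Dockerfile LABEL instructions and preview what an atomic-style
install/uninstall/run would execute after substituting the image name.

Added example; not code from atomic, fedora-dockerfiles or this thread.
The substitution rules are an assumption modelled on the thread.
"""
import re
import shlex

# Constructed Dockerfile fragment showing the label styles from the thread:
# the legacy "LABEL KEY value" form, the KEY="value" form with a line
# continuation, and the \${IMAGE} escape that keeps ${IMAGE} literal.
SAMPLE_DOCKERFILE = r'''
FROM fedora
LABEL INSTALL /usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install
LABEL UNINSTALL="/usr/bin/docker run -ti --rm --privileged -v /:/host \
IMAGE /cockpit/atomic-uninstall"
LABEL RUN="/usr/bin/docker run -d --privileged --pid=host -v /:/host \${IMAGE} /container/atomic-run --local-ssh"
LABEL maintainer="nobody@example.com" version="1"
'''


def parse_labels(dockerfile_text):
    r"""Return {key: value} for every LABEL instruction.

    Accepts both "LABEL key value" and "LABEL key=value [key2=value2 ...]".
    Backslash-newline continuations are joined first, and "\$" is reduced
    to "$" the way the Dockerfile escape does, so a label written as
    \${IMAGE} is stored as ${IMAGE} (assumed build-time behaviour)."""
    labels = {}
    joined = re.sub(r"\\\n", "", dockerfile_text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line.upper().startswith("LABEL "):
            continue
        body = line[len("LABEL "):].strip()
        if not body:
            continue
        first = body.split(None, 1)[0]
        if "=" in first:
            # key=value form: shlex removes the quotes and keeps inner spaces
            for token in shlex.split(body):
                key, _, value = token.partition("=")
                labels[key] = value.replace("\\$", "$")
        else:
            # legacy form: the key is the first word, the rest is the value
            key, _, value = body.partition(" ")
            labels[key] = value.strip().replace("\\$", "$")
    return labels


def substitute(command, image, name):
    """Expand the label the way the thread describes atomic doing it:
    ${IMAGE}/${NAME} and the bare IMAGE/NAME arguments are replaced
    (assumption about atomic's exact rules). Returns an argv list."""
    argv = []
    for arg in shlex.split(command):
        arg = arg.replace("${IMAGE}", image).replace("${NAME}", name)
        if arg == "IMAGE":
            arg = image
        elif arg == "NAME":
            arg = name
        argv.append(arg)
    return argv


def host_affecting_options(argv):
    """Flag docker run options in the expanded command that give the
    container broad access to the host (the list is constructed here)."""
    found = []
    for i, arg in enumerate(argv):
        if arg == "--privileged":
            found.append("--privileged")
        elif arg == "--pid=host":
            found.append("--pid=host")
        elif arg == "-v" and i + 1 < len(argv) and argv[i + 1].startswith("/:"):
            found.append("-v " + argv[i + 1])
    return found


def preview(dockerfile_text, image, name):
    """Map each of INSTALL/UNINSTALL/RUN to (argv, flagged options)."""
    labels = parse_labels(dockerfile_text)
    out = {}
    for key in ("INSTALL", "UNINSTALL", "RUN"):
        if key in labels:
            argv = substitute(labels[key], image, name)
            out[key] = (argv, host_affecting_options(argv))
    return out


if __name__ == "__main__":
    # "fedora/cockpit-ws" / "cockpit-ws" are constructed image and container names.
    for key, (argv, flags) in preview(SAMPLE_DOCKERFILE, "fedora/cockpit-ws", "cockpit-ws").items():
        print(key, shlex.join(argv))
        if flags:
            print("   host-affecting:", ", ".join(flags))
```

Previewing the expanded command before running `atomic install` is the useful part for an operator: the labels in the sample ask for `--privileged`, the host PID namespace and a bind mount of `/`, which together amount to root on the host, so an image's INSTALL/RUN labels deserve the same review as any script run with sudo.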


Re: SE alert

2015-07-21 Thread Daniel J Walsh
You can just run

# restorecon -R -v /

From the booted machine.

On 07/20/2015 03:49 PM, jd1008 wrote:
>
>
> On 07/20/2015 01:42 PM, Martin Cigorraga wrote:
>> Hi,
>>
>> ~ getenforce
>> Enforcing
>>
>> Please be aware that setenforce will only change the mode SELinux is
>> running in. For a permanent change, you have to edit the
>> configuration file.
>>
>
> I already stated that /etc/sysconfig/selinux says (and did say when my
> system was in permissive mode):
>
> #
> $ sudo cat /etc/sysconfig/selinux
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=enforcing
> # SELINUXTYPE= can take one of these two values:
> # targeted - Targeted processes are protected,
> # minimum - Modification of targeted policy. Only selected
> processes are protected.
> # mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
> Thus going into permissive mode was not done by me.
> As I also stated, this is a fresh install since mid-day, yesterday,
> with only yum update bringing in new versions of packages.
>
>



Re: which images is "docker pull" supposed to pull by default?

2015-07-20 Thread Daniel J Walsh
Please open a bugzilla with the docker package to fix the man page.

On 07/19/2015 05:05 AM, Robert P. J. Day wrote:
>   more nitpicky pedantry regarding docker on fedora 22 ... if i read
> the man page for "docker-pull" on my f22 system, i see:
>
> "This command pulls down an image or a repository from a registry. If
> there is more than one image for a repository (e.g., fedora) then all
> images for that repository name are pulled down including any tags."
>
>   note the reference to "all images" being pulled down. and the
> example given seems to reinforce the notion that, if you specify
> simply a repository, you'll get all corresponding tagged images:
>
>   docker pull fedora
>   Pulling repository fedora
>   ad57ef8d78d7: Download complete
>   105182bb5e8b: Download complete
>   511136ea3c5a: Download complete
>   73bd853d2ea5: Download complete
>
>   Status: Downloaded newer image for fedora
>
>   docker images
>   REPOSITORY   TAG         IMAGE ID       CREATED       VIRTUAL SIZE
>   fedora       rawhide     ad57ef8d78d7   5 days ago    359.3 MB
>   fedora       20          105182bb5e8b   5 days ago    372.7 MB
>   fedora       heisenbug   105182bb5e8b   5 days ago    372.7 MB
>   fedora       latest      105182bb5e8b   5 days ago    372.7 MB
>
>   *however*, the explanation of the "-a" option seems to disagree with
> that:
>
> OPTIONS
>-a, --all-tags=true|false
>   Download all tagged images in the repository. The default is false.
>
> which suggests that, by default, you *don't* get all tagged images
> unless you specify "-a".
>
>   and a quick test shows that, if i run "docker pull fedora", all i
> appear to get is:
>
> # docker images
> REPOSITORY         TAG      IMAGE ID       CREATED       VIRTUAL SIZE
> docker.io/fedora   latest   ded7cd95e059   7 weeks ago   186.5 MB
> #
>
>   so ... what am i misreading here? the man page seems just a touch
> confusing and contradictory.
>
> rday
>



Re: discrepancy in instructions to install docker on fedora 22

2015-07-17 Thread Daniel J Walsh


On 07/17/2015 12:59 PM, Robert P. J. Day wrote:
> On Fri, 17 Jul 2015, Daniel J Walsh wrote:
>
>>
>> On 07/17/2015 11:55 AM, Robert P. J. Day wrote:
>>> On Fri, 17 Jul 2015, Daniel J Walsh wrote:
>>>
>>>> docker-engine == docker from fedora point of view.
>>>>
>>>> Docker.io is trying to rebrand docker to docker-engine, so it
>>>> can differentiate docker-swarm, docker-registry, docker-engine ...
>>>   ok, so if i wanted to follow that path, would i simply download and
>>> install the docker-engine RPM on my f22 system, rather than the
>>> current docker and docker-selinux packages? would i add a new yum repo
>>> entry for it? just trying to keep up.
>>>
>>> rday
>>>
>> No just install docker package from the fedora repo, which will
>> bring in the updates.
>>
>> I have asked Lokesh Mandevekar to update the docker.spec to provide
>> docker-engine.
>   i did notice that the fedora docker package has a dependency on
> docker-selinux, while that docker-engine package didn't, so i'm
> assuming the repackaging will take care of the selinux component.
>
> rday
>
Yes.  We ship with a series of patches on the docker-engine/docker
package also.


Re: discrepancy in instructions to install docker on fedora 22

2015-07-17 Thread Daniel J Walsh


On 07/17/2015 11:55 AM, Robert P. J. Day wrote:
> On Fri, 17 Jul 2015, Daniel J Walsh wrote:
>
>> docker-engine == docker from fedora point of view.
>>
>> Docker.io is trying to rebrand docker to docker-engine, so it
>> can differentiate docker-swarm, docker-registry, docker-engine ...
>   ok, so if i wanted to follow that path, would i simply download and
> install the docker-engine RPM on my f22 system, rather than the
> current docker and docker-selinux packages? would i add a new yum repo
> entry for it? just trying to keep up.
>
> rday
>
No just install docker package from the fedora repo, which will bring in
the updates.

I have asked Lokesh Mandevekar to update the docker.spec to provide
docker-engine.

You should almost never download a package from the internet that exists
in the distribution.


Re: discrepancy in instructions to install docker on fedora 22

2015-07-17 Thread Daniel J Walsh
docker-engine == docker from fedora point of view.

Docker.io is trying to rebrand docker to docker-engine, so it
can differentiate docker-swarm, docker-registry, docker-engine ...


On 07/17/2015 10:42 AM, Robert P. J. Day wrote:
>   been playing with docker for a few days now, then started reading
> the docs over at docker.com, and here are the fedora installation
> instructions one finds there:
>
> https://docs.docker.com/installation/fedora/
>
> which refer to some RPM named "docker-engine", of which i am unaware.
>
>   all i've installed for a working docker setup is:
>
>   * docker
>   * docker-selinux
>   * fedora-dockerfiles
>
> so ... do i care about this "docker-engine" thingy?
>
> rday
>



Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.

2015-07-01 Thread Daniel J Walsh


On 06/30/2015 07:57 AM, Ed Greshko wrote:
> On 06/30/15 19:31, Daniel J Walsh wrote:
>> On 06/29/2015 01:45 PM, Andras Simon wrote:
>>> [Sorry for the late answer, I was away from this machine.]
>>>
>>> 2015-06-28 1:01 GMT+02:00, Ed Greshko :
>>>> On 06/27/15 21:15, Andras Simon wrote:
>>>>> 2015-06-27 15:11 GMT+02:00, Andras Simon :
>>>>>> Should I be worried about the $subject?
>>>>> And there's also a "SELinux is preventing sh from execute access on
>>>>> the file /usr/sbin/ldconfig" which I've only just noticed. It sounds
>>>>> even scarier.
>>>>>
>>>> Does your output match these?
>>>>
>>>> [egreshko@meimei ~]$ ls -Z /bin/bash
>>>> system_u:object_r:shell_exec_t:s0 /bin/bash
>>>>
>>>> [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
>>>> system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig
>>> Yes, I get the same result.
>>>
>>> Andras
>> Everything seems correct.
>>
>> But the AVC's indicate that firewalld was attempting to run ldconfig...
>>
>> Which I believe should not happen normally.  The transactions at the
>> time of yum/rpm indicate that the transaction or at least the post
>> install sections were being run as firewalld_t.
> Should that be BZ's to against firewalld?
>
Sure we should have this in a bugzilla, but not sure those guys will
figure it out either.


Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.

2015-06-30 Thread Daniel J Walsh


On 06/29/2015 01:45 PM, Andras Simon wrote:
> [Sorry for the late answer, I was away from this machine.]
>
> 2015-06-28 1:01 GMT+02:00, Ed Greshko :
>> On 06/27/15 21:15, Andras Simon wrote:
>>> 2015-06-27 15:11 GMT+02:00, Andras Simon :
>>>> Should I be worried about the $subject?
>>> And there's also a "SELinux is preventing sh from execute access on
>>> the file /usr/sbin/ldconfig" which I've only just noticed. It sounds
>>> even scarier.
>>>
>> Does your output match these?
>>
>> [egreshko@meimei ~]$ ls -Z /bin/bash
>> system_u:object_r:shell_exec_t:s0 /bin/bash
>>
>> [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
>> system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig
> Yes, I get the same result.
>
> Andras
Everything seems correct.

But the AVC's indicate that firewalld was attempting to run ldconfig...

Which I believe should not happen normally.  The transactions at the
time of yum/rpm indicate that the transaction or at least the post
install sections were being run as firewalld_t.


Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.

2015-06-29 Thread Daniel J Walsh


On 06/29/2015 06:13 AM, Ed Greshko wrote:
> On 06/29/15 18:09, Daniel J Walsh wrote:
>> On 06/28/2015 07:53 AM, Suvayu Ali wrote:
>>> On Sun, Jun 28, 2015 at 06:04:38AM -0400, Daniel J Walsh wrote:
>>>> On 06/27/2015 07:01 PM, Ed Greshko wrote:
>>>>> On 06/27/15 21:15, Andras Simon wrote:
>>>>>> 2015-06-27 15:11 GMT+02:00, Andras Simon :
>>>>>>> Should I be worried about the $subject?
>>>>>> And there's also a "SELinux is preventing sh from execute access on
>>>>>> the file /usr/sbin/ldconfig" which I've only just noticed. It sounds
>>>>>> even scarier.
>>>>>>
>>>>> Does your output match these?
>>>>>
>>>>> [egreshko@meimei ~]$ ls -Z /bin/bash
>>>>> system_u:object_r:shell_exec_t:s0 /bin/bash
>>>>>
>>>>> [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
>>>>> system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig
>>>>>
>>>> Do you have the avc's?
>>>>
>>>> ausearch -m avc
>>> I also saw these alerts during a package update.
>>>
>>> time->Thu Jun 25 17:56:49 2015
>>> type=PROCTITLE msg=audit(1435247809.870:4079): 
>>> proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
>>> type=SYSCALL msg=audit(1435247809.870:4079): arch=c03e syscall=59 
>>> success=no exit=-13 a0=7f955d728b00 a1=7f955d728c00 a2=7f955d727c40 
>>> a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
>>> comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:firewalld_t:s0 
>>> key=(null)
>>> type=AVC msg=audit(1435247809.870:4079): avc:  denied  { execute } for  
>>> pid=30357 comm="sh" name="ldconfig" dev="sdb1" ino=450673 
>>> scontext=system_u:system_r:firewalld_t:s0 
>>> tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
>>> 
>>> time->Thu Jun 25 17:56:49 2015
>>> type=PROCTITLE msg=audit(1435247809.870:4080): 
>>> proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
>>> type=SYSCALL msg=audit(1435247809.870:4080): arch=c03e syscall=4 
>>> success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab9b0 a2=7fffc7dab9b0 
>>> a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
>>> comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:firewalld_t:s0 
>>> key=(null)
>>> type=AVC msg=audit(1435247809.870:4080): avc:  denied  { getattr } for  
>>> pid=30357 comm="sh" path="/usr/sbin/ldconfig" dev="sdb1" ino=450673 
>>> scontext=system_u:system_r:firewalld_t:s0 
>>> tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
>>> 
>>> time->Thu Jun 25 17:56:49 2015
>>> type=PROCTITLE msg=audit(1435247809.870:4081): 
>>> proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
>>> type=SYSCALL msg=audit(1435247809.870:4081): arch=c03e syscall=4 
>>> success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab990 a2=7fffc7dab990 
>>> a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
>>> comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:firewalld_t:s0 
>>> key=(null)
>>> type=AVC msg=audit(1435247809.870:4081): avc:  denied  { getattr } for  
>>> pid=30357 comm="sh" path="/usr/sbin/ldconfig" dev="sdb1" ino=450673 
>>> scontext=system_u:system_r:firewalld_t:s0 
>>> tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
>>>
>> This is very strange.  Doing ldconfig during a package update is
>> expected, but why would firewalld be executing it?
>> ps -eZ | grep firewalld
>>
> [root@meimei ~]# ps -eZ | grep firewalld
> system_u:system_r:firewalld_t:s0  781 ?00:00:00 firewalld
>
>
Ok, well, I am stumped; one possible thing would be if firewalld somehow
caused an rpm/yum/dnf transaction to happen.




Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.

2015-06-29 Thread Daniel J Walsh


On 06/28/2015 07:53 AM, Suvayu Ali wrote:
> On Sun, Jun 28, 2015 at 06:04:38AM -0400, Daniel J Walsh wrote:
>>
>> On 06/27/2015 07:01 PM, Ed Greshko wrote:
>>> On 06/27/15 21:15, Andras Simon wrote:
>>>> 2015-06-27 15:11 GMT+02:00, Andras Simon :
>>>>> Should I be worried about the $subject?
>>>> And there's also a "SELinux is preventing sh from execute access on
>>>> the file /usr/sbin/ldconfig" which I've only just noticed. It sounds
>>>> even scarier.
>>>>
>>> Does your output match these?
>>>
>>> [egreshko@meimei ~]$ ls -Z /bin/bash
>>> system_u:object_r:shell_exec_t:s0 /bin/bash
>>>
>>> [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
>>> system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig
>>>
>> Do you have the avc's?
>>
>> ausearch -m avc
> I also saw these alerts during a package update.
>
> time->Thu Jun 25 17:56:49 2015
> type=PROCTITLE msg=audit(1435247809.870:4079): 
> proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
> type=SYSCALL msg=audit(1435247809.870:4079): arch=c03e syscall=59 
> success=no exit=-13 a0=7f955d728b00 a1=7f955d728c00 a2=7f955d727c40 
> a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
> comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=AVC msg=audit(1435247809.870:4079): avc:  denied  { execute } for  
> pid=30357 comm="sh" name="ldconfig" dev="sdb1" ino=450673 
> scontext=system_u:system_r:firewalld_t:s0 
> tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
> 
> time->Thu Jun 25 17:56:49 2015
> type=PROCTITLE msg=audit(1435247809.870:4080): 
> proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
> type=SYSCALL msg=audit(1435247809.870:4080): arch=c03e syscall=4 
> success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab9b0 a2=7fffc7dab9b0 
> a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
> comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=AVC msg=audit(1435247809.870:4080): avc:  denied  { getattr } for  
> pid=30357 comm="sh" path="/usr/sbin/ldconfig" dev="sdb1" ino=450673 
> scontext=system_u:system_r:firewalld_t:s0 
> tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
> 
> time->Thu Jun 25 17:56:49 2015
> type=PROCTITLE msg=audit(1435247809.870:4081): 
> proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
> type=SYSCALL msg=audit(1435247809.870:4081): arch=c03e syscall=4 
> success=no exit=-13 a0=7f955d728b00 a1=7fffc7dab990 a2=7fffc7dab990 
> a3=7fffc7dab900 items=0 ppid=30356 pid=30357 auid=4294967295 uid=0 gid=0 
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
> comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=AVC msg=audit(1435247809.870:4081): avc:  denied  { getattr } for  
> pid=30357 comm="sh" path="/usr/sbin/ldconfig" dev="sdb1" ino=450673 
> scontext=system_u:system_r:firewalld_t:s0 
> tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
>
This is very strange.  Doing ldconfig during a package update is
expected, but why would firewalld be executing it?
ps -eZ | grep firewalld



Re: SELinux is preventing sh from getattr access on the file /usr/sbin/ldconfig.

2015-06-28 Thread Daniel J Walsh


On 06/27/2015 07:01 PM, Ed Greshko wrote:
> On 06/27/15 21:15, Andras Simon wrote:
>> 2015-06-27 15:11 GMT+02:00, Andras Simon :
>>> Should I be worried about the $subject?
>> And there's also a "SELinux is preventing sh from execute access on
>> the file /usr/sbin/ldconfig" which I've only just noticed. It sounds
>> even scarier.
>>
> Does your output match these?
>
> [egreshko@meimei ~]$ ls -Z /bin/bash
> system_u:object_r:shell_exec_t:s0 /bin/bash
>
> [egreshko@meimei ~]$ ls -Z /usr/sbin/ldconfig
> system_u:object_r:ldconfig_exec_t:s0 /usr/sbin/ldconfig
>
Do you have the avc's?

ausearch -m avc
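The `ausearch -m avc` records quoted in this thread (and the mozilla_plugin_t ones in the "swapping" thread further down) can be summarised mechanically rather than read line by line; the following is an added Python example, not from the thread and not the audit or setroubleshoot tooling. It groups denials by source domain, target type, object class and permission, joins each AVC record with the PROCTITLE of the same audit event, and decodes the hex `proctitle=` field (audit hex-encodes the command line when it contains NUL or non-printable bytes, which is why argv entries come out NUL-separated), so the command that was denied is readable: here `sh -c "/sbin/ldconfig -p 2>/dev/null"` run from firewalld_t. The audit excerpt is constructed from the records quoted above, with the SYSCALL lines omitted.

```python
"""Summarise SELinux AVC denials from raw `ausearch -m avc` output.

Added example (not the thread's or any tool's code). Constructed input
modelled on the records quoted in the thread; SYSCALL records omitted.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
time->Thu Jun 25 17:56:49 2015
type=PROCTITLE msg=audit(1435247809.870:4079): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=AVC msg=audit(1435247809.870:4079): avc:  denied  { execute } for  pid=30357 comm="sh" name="ldconfig" dev="sdb1" ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
----
time->Thu Jun 25 17:56:49 2015
type=PROCTITLE msg=audit(1435247809.870:4080): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=AVC msg=audit(1435247809.870:4080): avc:  denied  { getattr } for  pid=30357 comm="sh" path="/usr/sbin/ldconfig" dev="sdb1" ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
----
time->Thu Jun 25 17:56:49 2015
type=PROCTITLE msg=audit(1435247809.870:4081): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=AVC msg=audit(1435247809.870:4081): avc:  denied  { getattr } for  pid=30357 comm="sh" path="/usr/sbin/ldconfig" dev="sdb1" ino=450673 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def decode_proctitle(value):
    """audit writes proctitle as hex when the command line holds NUL or
    non-printable bytes; argv entries are NUL-separated. A plain quoted
    title (no special bytes) is returned as a single entry."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\0")


def _fields(text):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_avcs(audit_text):
    """Return one dict per AVC record, joined with the decoded PROCTITLE
    of the same audit event id (the serial after the timestamp)."""
    proctitles = {}
    avcs = []
    for line in audit_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue                      # time-> and ---- separator lines
        event_id = m.group(2)
        if line.startswith("type=PROCTITLE"):
            proctitles[event_id] = decode_proctitle(_fields(line)["proctitle"])
        elif line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if not a:
                continue
            f = _fields(a.group(3))
            avcs.append({
                "event": event_id,
                "result": a.group(1),
                "perms": a.group(2).split(),
                "scontext": f.get("scontext"),
                "tcontext": f.get("tcontext"),
                "tclass": f.get("tclass"),
                "target": f.get("path") or f.get("name"),
                "comm": f.get("comm"),
                "enforced": f.get("permissive") == "0",   # actually blocked
            })
    for rec in avcs:
        rec["argv"] = proctitles.get(rec["event"])
    return avcs


def summarise(avcs):
    """Count denials per (source domain, target type, class, permission);
    the type is the third field of an SELinux context."""
    counts = defaultdict(int)
    for rec in avcs:
        if rec["result"] != "denied":
            continue
        sdom = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(sdom, ttype, rec["tclass"], perm)] += 1
    return dict(counts)


if __name__ == "__main__":
    records = parse_avcs(SAMPLE_AUDIT)
    for rec in records:
        print(rec["event"], rec["result"], rec["perms"], rec["scontext"], "->",
              rec["tcontext"], rec["tclass"], rec["target"], rec["argv"])
    for key, n in sorted(summarise(records).items()):
        print(n, *key)
```

The grouped view is what makes the oddity in this thread stand out: every denial has firewalld_t as the source domain and ldconfig_exec_t as the target, and the decoded proctitle shows an rpm-scriptlet-style `ldconfig -p` call, which is the evidence behind the "the post install sections were being run as firewalld_t" conclusion above.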


Re: Disabling auditd on Fedora 22

2015-06-23 Thread Daniel J Walsh


On 06/23/2015 12:36 AM, Kevin Wilson wrote:
> Dan,
> Thanks a lot for your reply.
> In fact, I ran
> pm -e selinux-policy-targeted
> rpm -e selinux-policy
> And after reboot I got some message about freeze from systemd, I could
> not login (tried twice), so I reinstalled Linux on this machine.
> The question is: what do you mean by "If you disable SELinux".
>
> Does that mean adding "selinux=0" on command line?
> Or is it enough to set,  in /etc/selinux/config
>
> SELINUX=disabled
>
> (or maybe better is SELINUX=permissive, as Ali suggested ).
> Regards,
> Kevin
Either will work, although I advise against it...  :^)




Re: Disabling auditd on Fedora 22

2015-06-22 Thread Daniel J Walsh


On 06/22/2015 03:44 AM, Suvayu Ali wrote:
> On Mon, Jun 22, 2015 at 08:01:41AM +0300, Kevin Wilson wrote:
>> In /etc/selinux/config
>>
>> I set
>> SELINUX=disabled
>> Which means that I do not use in fact SElinux, so it seems to me.
> It is recommended to keep it permissive instead of disabled.
>
>> So will it be OK to run:
>> rpm -e selinux-policy-targeted
>> rpm -e selinux-policy
> I do not think this is possible.  SELinux support is in the kernel, many
> applications expect the libraries to be there, even though it is disabled
> or set to permissive.
>
> Hope this helps,
>
If you disable SELinux on your system you can remove those two packages;
you will not be able to remove libselinux.


Re: Problem with Python??

2015-06-19 Thread Daniel J Walsh


On 06/18/2015 11:46 AM, jd1008 wrote:
> selinux issues the following
> If you believe /usr/bin/bython2.7 tried to disable selinux
>
> you may be under attack by a hacker, since confined applications
> should never need this access.
> Contact your security administrator and report this issue.
>
> Is anyone else seeing this?
What avc did you see?  This should be some process trying to run
setenforce 0 from a python script.


FYI: Is SELinux good anti-venom?

2015-05-20 Thread Daniel J Walsh
http://danwalsh.livejournal.com/71489.html


Re: SELinux is preventing abrt-dump-journ from read access on the file /usr/lib64/libreport.so.0.

2015-03-22 Thread Daniel J Walsh



On 03/21/2015 02:03 PM, Lawrence E Graves wrote:
> SELinux is preventing abrt-dump-journ from read access on the file
> /usr/lib64/libreport.so.0.
>
> * Plugin restorecon (82.4 confidence) suggests
> 
>
> If you want to fix the label.
> /usr/lib64/libreport.so.0 default label should be lib_t.
> Then you can run restorecon.
> Do
> # /sbin/restorecon -v /usr/lib64/libreport.so.0
>
> * Plugin file (7.05 confidence) suggests
> **
>
> If you think this is caused by a badly mislabeled machine.
> Then you need to fully relabel.
> Do
> touch /.autorelabel; reboot
>
> * Plugin file (7.05 confidence) suggests
> **
>
> If you think this is caused by a badly mislabeled machine.
> Then you need to fully relabel.
> Do
> touch /.autorelabel; reboot
>
> * Plugin catchall_labels (4.59 confidence) suggests
> ***
>
> If you want to allow abrt-dump-journ to have read access on the
> libreport.so.0 file
> Then you need to change the label on /usr/lib64/libreport.so.0
> Do
> # semanage fcontext -a -t FILE_TYPE '/usr/lib64/libreport.so.0'
> where FILE_TYPE is one of the following: NetworkManager_tmp_t,
> abrt_dump_oops_exec_t, abrt_etc_t, abrt_helper_exec_t, abrt_tmp_t,
> abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_lib_t,
> abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_tmp_t,
> amanda_tmp_t, anon_inodefs_t, antivirus_tmp_t, apcupsd_tmp_t,
> apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, auditadm_sudo_tmp_t,
> automount_tmp_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t,
> bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t,
> boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t,
> bugzilla_tmp_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t,
> chrome_sandbox_tmp_t, cinder_api_tmp_t, cinder_backup_tmp_t,
> cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t,
> cluster_tmp_t, cobbler_tmp_t, cockpit_tmp_t, collectd_script_tmp_t,
> colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t,
> condor_startd_tmp_t, conman_tmp_t, couchdb_tmp_t, cpu_online_t,
> crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t,
> cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t,
> dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t,
> dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, debugfs_t,
> deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t,
> dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t,
> dkim_milter_tmp_t, docker_tmp_t, dovecot_auth_tmp_t,
> dovecot_deliver_tmp_t, dovecot_tmp_t, drbd_tmp_t, etc_runtime_t,
> etc_t, exim_tmp_t, fail2ban_tmp_t, fenced_tmp_t, firewalld_tmp_t,
> firewallgui_tmp_t, fonts_cache_t, fonts_t, fsadm_tmp_t,
> fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t,
> gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, git_script_tmp_t,
> gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t,
> gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t,
> gssd_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t,
> inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, ipsec_tmp_t,
> iptables_tmp_t, iscsi_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t,
> kdumpgui_tmp_t, keystone_tmp_t, kismet_tmp_t, kismet_tmpfs_t,
> klogd_tmp_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t,
> l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t,
> livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t,
> logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t,
> lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t,
> mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t,
> mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t,
> mediawiki_tmp_t, mock_tmp_t, mojomojo_tmp_t, mongod_tmp_t,
> mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t,
> mozilla_tmp_t, mozilla_tmpfs_t, mpd_tmp_t, mplayer_tmpfs_t,
> mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_tmp_t,
> nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t,
> nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, netutils_tmp_t,
> neutron_tmp_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t,
> nova_compute_tmp_t, nova_conductor_tmp_t, nova_console_tmp_t,
> nova_direct_tmp_t, nova_network_tmp_t, nova_objectstore_tmp_t,
> nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t,
> ntop_tmp_t, ntpd_tmp_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t,
> nut_upsmon_tmp_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t,
> openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t,
> openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t,
> pam_timestamp_tmp_t, passenger_tmp_t, pcp_tmp_t,
> pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_web_tmp_t,
> pkcs_slotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t,
> podsleuth_tmpfs_t, policykit_tmp_t, portmap_tmp_t,
> postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t,
> postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_p

Re: swapping

2015-02-17 Thread Daniel J Walsh

On 02/17/2015 02:16 AM, Patrick Dupre wrote:
> It is very long.
> Just the end.
>
>
> time->Tue Feb 17 11:15:08 2015
> type=PROCTITLE msg=audit(1424168108.864:452969): 
> proctitle=2F7573722F6C696236342F66697265666F782F706C7567696E2D636F6E7461696E6572002F7573722F6C696236342F6D6F7A696C6C612F706C7567696E732D777261707065642F6E73777261707065725F33325F36342E6C6962666C617368706C617965722E736F002D6772656F6D6E69002F7573722F6C696236342F666972
> type=SYSCALL msg=audit(1424168108.864:452969): arch=c03e syscall=9 
> success=no exit=-13 a0=0 a1=223800 a2=5 a3=802 items=0 ppid=16828 pid=25724 
> auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 
> sgid=1000 fsgid=1000 tty=(none) ses=916 comm="plugin-containe" 
> exe="/usr/lib64/firefox/plugin-container" 
> subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1424168108.864:452969): avc:  denied  { execute } for  
> pid=25724 comm="plugin-containe" 
> path="/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so" 
> dev="dm-0" ino=241943 
> scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
> 
> time->Tue Feb 17 11:15:08 2015
> type=PROCTITLE msg=audit(1424168108.864:452970): 
> proctitle=2F7573722F6C696236342F66697265666F782F706C7567696E2D636F6E7461696E6572002F7573722F6C696236342F6D6F7A696C6C612F706C7567696E732D777261707065642F6E73777261707065725F33325F36342E6C6962666C617368706C617965722E736F002D6772656F6D6E69002F7573722F6C696236342F666972
> type=SYSCALL msg=audit(1424168108.864:452970): arch=c03e syscall=9 
> success=no exit=-13 a0=0 a1=223800 a2=5 a3=802 items=0 ppid=16828 pid=25724 
> auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 
> sgid=1000 fsgid=1000 tty=(none) ses=916 comm="plugin-containe" 
> exe="/usr/lib64/firefox/plugin-container" 
> subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1424168108.864:452970): avc:  denied  { execute } for  
> pid=25724 comm="plugin-containe" 
> path="/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so" 
> dev="dm-0" ino=241943 
> scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
> 
> time->Tue Feb 17 11:15:08 2015
> type=PROCTITLE msg=audit(1424168108.915:452971): 
> proctitle=2F7573722F6C696236342F66697265666F782F706C7567696E2D636F6E7461696E6572002F7573722F6C696236342F6D6F7A696C6C612F706C7567696E732D777261707065642F6E73777261707065725F33325F36342E6C6962666C617368706C617965722E736F002D6772656F6D6E69002F7573722F6C696236342F666972
> type=SYSCALL msg=audit(1424168108.915:452971): arch=c03e syscall=9 
> success=no exit=-13 a0=0 a1=223800 a2=5 a3=802 items=0 ppid=16828 pid=25730 
> auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 
> sgid=1000 fsgid=1000 tty=(none) ses=916 comm="plugin-containe" 
> exe="/usr/lib64/firefox/plugin-container" 
> subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1424168108.915:452971): avc:  denied  { execute } for  
> pid=25730 comm="plugin-containe" 
> path="/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so" 
> dev="dm-0" ino=241943 
> scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
> 
> time->Tue Feb 17 11:15:08 2015
> type=PROCTITLE msg=audit(1424168108.915:452972): 
> proctitle=2F7573722F6C696236342F66697265666F782F706C7567696E2D636F6E7461696E6572002F7573722F6C696236342F6D6F7A696C6C612F706C7567696E732D777261707065642F6E73777261707065725F33325F36342E6C6962666C617368706C617965722E736F002D6772656F6D6E69002F7573722F6C696236342F666972
> type=SYSCALL msg=audit(1424168108.915:452972): arch=c03e syscall=9 
> success=no exit=-13 a0=0 a1=223800 a2=5 a3=802 items=0 ppid=16828 pid=25730 
> auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 
> sgid=1000 fsgid=1000 tty=(none) ses=916 comm="plugin-containe" 
> exe="/usr/lib64/firefox/plugin-container" 
> subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1424168108.915:452972): avc:  denied  { execute } for  
> pid=25730 comm="plugin-containe" 
> path="/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so" 
> dev="dm-0" ino=241943 
> scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
> 
> time->Tue Feb 17 11:15:08 2015
> type=PROCTITLE msg=audit(1424168108.977:452973): 
> proctitle=2F7573722F6C696236342F66697265666F782F706C7567696E2D636F6E7461696E6572002F7573722F6C696236342F6D6F7A696C6C612F706C7567696E732D777261707065642F6E73777261707065725F33325F36342E6C6962666C617368706C617965722E736F002D6772656F6D6E69002F7573722F6C696236342F666972
> type=SYSCA

Re: swapping

2015-02-15 Thread Daniel J Walsh

On 02/12/2015 06:42 AM, Patrick Dupre wrote:
> Hello,
>
> I did both. Unfortunately, sometimes, like today, I have to kill 
> the setroubleshootd process all the time without much success at the end!
>
> Any suggestion?
>
> ===
>  Patrick DUPRÉ | | email: pdu...@gmx.com
>  Laboratoire de Physico-Chimie de l'Atmosphère | |
>  Université du Littoral-Côte d'Opale   | |
>  Tel.  (33)-(0)3 28 23 76 12   | | Fax: 03 28 65 82 44
>  189A, avenue Maurice Schumann | | 59140 Dunkerque, France
> ===
>
>
>> Sent: Friday, January 16, 2015 at 4:24 AM
>> From: "Michael Cronenworth" 
>> To: "Community support for Fedora users" 
>> Subject: Re: swapping
>>
>> On 01/15/2015 04:15 PM, Daniel J Walsh wrote:
>>> Usually if you are in this situation, you have a bad labeling problem.
>>>
>>> touch /.autorelabel; reboot
>>>
>>> Will fix the labels, or you could just do
>>>
>>> restorecon -R /
>> Except that is not the case in this instance.
>> -- 
>> users mailing list
>> users@lists.fedoraproject.org
>> To unsubscribe or change subscription options:
>> https://admin.fedoraproject.org/mailman/listinfo/users
>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
>> Have a question? Ask away: http://ask.fedoraproject.org
>>
Could you attach the current list of AVC's you are receiving?


Re: Removing obsolete selinux setup

2015-01-21 Thread Daniel J Walsh

On 01/18/2015 04:58 PM, Pete Stieber wrote:
> I received an answer that worked on the fedora forums.
>
> 1. Edit the file
> /etc/selinux/targeted/modules/active/file_contexts.local and
> comment/fix the wrong contexts.
>
> In my case this meant changing httpd_mediawiki_rw_content_t to
> mediawiki_rw_content_t.  Then I used
>
> # semanage fcontext -a -t httpd_sys_rw_content_t '/etc/dokuwiki'
> # semanage fcontext -a -t httpd_sys_rw_content_t
> '/etc/dokuwiki/users.auth.php'
> # semanage fcontext -a -t httpd_sys_rw_content_t
> '/etc/dokuwiki/local.php'
> # restorecon -R /etc/dokuwiki
>
> to get the files setup properly.
>
> Seems like the dokuwiki selinux package should be setup to do
> something similar.
>
> Pete
A better label should have been

semanage fcontext -a -t httpd_sys_rw_content_t '/etc/dokuwiki(/.*)?'

This would allow apache processes to write to any file/directory under
/etc/dokuwiki.

I would argue this might be a bad design of dokuwiki; applications
should not be writing their config files.
If these are not config files, they should be in /var/lib/dokuwiki.




Re: swapping

2015-01-21 Thread Daniel J Walsh

On 01/16/2015 03:45 PM, poma wrote:
> On 16.01.2015 20:35, Daniel J Walsh wrote:
>> On 01/16/2015 01:57 PM, poma wrote:
>>> On 16.01.2015 19:47, Daniel J Walsh wrote:
>>>> On 01/16/2015 07:47 AM, Patrick O'Callaghan wrote:
>>>>> On Fri, 2015-01-16 at 08:28 +0100, Heinz Diehl wrote:
>>>>>> On 16.01.2015, Tim wrote: 
>>>>>>
>>>>>>> Of course *you* do not *use* it, it's there as a protective device
>>>>>>> against *things* on your system.
>>>>>> Any recent Linux distribution can be secured without using selinux.
>>>>>> Selinux requires at least basic knowledge and administration. Most of
>>>>>> the people I installed Linux for didn't even know it was there or what
>>>>>> it's good for.
>>>>> You mean like the fuses in your house or the airbag in your car? When
>>>>> Selinux is working you don't know it's there. When it alerts you it
>>>>> means there's something wrong. I agree that the alerts are not always as
>>>>> clear as they might be, but it's a fallacy to suggest that it doesn't
>>>>> provide benefit.
>>>>>
>>>>> poc
>>>>>
>>>> Here is a case of SELinux protecting your house.
>>>>
>>>> http://danwalsh.livejournal.com/71122.html
>>>>
>>> Not to fall to false sense of security, does SElinux need SElinux?
>>>
>>>
>> SELinux is the kernel, so does the kernel need the kernel?
>>
> You've probably wanted to write, SELinux is a Linux(kernel) feature.
> But in some another context, the kernel needs the kernel, and not only.
>
>> But theoretically SELinux/Kernel can protect itself.  We can prevent
>> privileged processes (root) from manipulating the SELinux settings.
>>
> Can SELinux, AppArmor and Grsecurity perform together, to achieve an even 
> greater level of security?
>
>
SELinux and AppArmor cannot, although there was some effort to allow
multiple LSMs.  Check out the discussion on the selinux upstream list.

I have no idea whether Grsecurity and SELinux can run on the same
kernel.  Grsecurity has never been upstreamed.




Re: swapping

2015-01-16 Thread Daniel J Walsh

On 01/16/2015 01:57 PM, poma wrote:
> On 16.01.2015 19:47, Daniel J Walsh wrote:
>> On 01/16/2015 07:47 AM, Patrick O'Callaghan wrote:
>>> On Fri, 2015-01-16 at 08:28 +0100, Heinz Diehl wrote:
>>>> On 16.01.2015, Tim wrote: 
>>>>
>>>>> Of course *you* do not *use* it, it's there as a protective device
>>>>> against *things* on your system.
>>>> Any recent Linux distribution can be secured without using selinux.
>>>> Selinux requires at least basic knowledge and administration. Most of
>>>> the people I installed Linux for didn't even know it was there or what
>>>> it's good for.
>>> You mean like the fuses in your house or the airbag in your car? When
>>> Selinux is working you don't know it's there. When it alerts you it
>>> means there's something wrong. I agree that the alerts are not always as
>>> clear as they might be, but it's a fallacy to suggest that it doesn't
>>> provide benefit.
>>>
>>> poc
>>>
>> Here is a case of SELinux protecting your house.
>>
>> http://danwalsh.livejournal.com/71122.html
>>
> Not to fall to false sense of security, does SElinux need SElinux?
>
>
SELinux is the kernel, so does the kernel need the kernel?

But theoretically SELinux/Kernel can protect itself.  We can prevent
privileged processes (root) from manipulating the SELinux settings.


Re: Removing obsolete selinux setup

2015-01-16 Thread Daniel J Walsh

On 01/16/2015 12:19 PM, Pete Stieber wrote:
> I have a machine that has dokuwiki loaded.  In order to get it to work
> with selinux, I followed some advice that was on:
>
> https://www.dokuwiki.org/install:fedora
>
> to allow apache to edit some files:
>
> semanage fcontext -a -t httpd_mediawiki_rw_content_t '/etc/dokuwiki'
> restorecon -v '/etc/dokuwiki'
> semanage fcontext -a -t httpd_mediawiki_rw_content_t
> '/etc/dokuwiki/users.auth.php'
> restorecon -v '/etc/dokuwiki/users.auth.php'
> semanage fcontext -a -t httpd_mediawiki_rw_content_t
> '/etc/dokuwiki/local.php'
> restorecon -v '/etc/dokuwiki/local.php'
>
> This worked on 19 and 20, but when I upgraded the machine to Fedora 21,
> httpd_mediawiki_rw_content_t no longer exists.  I tried
>
> semanage fcontext -d -t httpd_mediawiki_rw_content_t '/etc/dokuwiki'
>
> but I get complaints about the media wiki context being invalid.
>
> How do I remove these obsolete entries from the selinux database?
>
> Pete
semanage fcontext -d '/etc/dokuwiki/users.auth.php'

Although I am surprised they do not work.


Re: swapping

2015-01-16 Thread Daniel J Walsh

On 01/16/2015 07:47 AM, Patrick O'Callaghan wrote:
> On Fri, 2015-01-16 at 08:28 +0100, Heinz Diehl wrote:
>> On 16.01.2015, Tim wrote: 
>>
>>> Of course *you* do not *use* it, it's there as a protective device
>>> against *things* on your system.
>> Any recent Linux distribution can be secured without using selinux.
>> Selinux requires at least basic knowledge and administration. Most of
>> the people I installed Linux for didn't even know it was there or what
>> it's good for.
> You mean like the fuses in your house or the airbag in your car? When
> Selinux is working you don't know it's there. When it alerts you it
> means there's something wrong. I agree that the alerts are not always as
> clear as they might be, but it's a fallacy to suggest that it doesn't
> provide benefit.
>
> poc
>
Here is a case of SELinux protecting your house.

http://danwalsh.livejournal.com/71122.html


Re: swapping

2015-01-15 Thread Daniel J Walsh
Usually if you are in this situation, you have a bad labeling problem.

touch /.autorelabel; reboot

Will fix the labels, or you could just do

restorecon -R /

On 01/15/2015 08:15 AM, Michael Cronenworth wrote:
> On 01/15/2015 06:06 AM, Patrick Dupre wrote:
>> Very often I reach a situation where I cannot work because fedora
>> is swapping permanently.
>> I attach the top file.
>>
>> I need to restart the machine to have it fix!
>
> I've seen this on my box, too, but only once. Kill the setroubleshoot
> process and it will return to "normal." I've filed a bug.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1175827



Re: "Cannot contact any KDC for realm" since upgrading to Fedora 21

2014-12-17 Thread Daniel J Walsh

On 12/17/2014 10:19 AM, Braden McDaniel wrote:
> On 2014-12-17 09:37, fedora wrote:
>> selinux?
>
> It's set to "permissive" on the F21 (server) box; shouldn't that be
> sufficient? Or do I need to disable it completely to make sure it
> isn't interfering?
>
If it is in permissive then SELinux is not the issue.  Would prefer that
you ran in enforcing mode though.  :^)


Re: selinux relabel at boot

2014-12-17 Thread Daniel J Walsh
I will schedule a relabel and take a look at my box.  SSD relabel is
pretty quick.

On 12/16/2014 06:07 PM, Tom Horsley wrote:
> On Tue, 16 Dec 2014 16:58:41 -0500
> Daniel J Walsh wrote:
>
>> What version of Fedora was this?
> A brand new fedora 21 workstation install.
>
>> restorecon -p -R /
>> 7.4%^C
>>
>> Shows Percent done now.
> I'm not sure the actual percentage makes it through
> systemd though to the messages I was looking at during
> boot (I had rhgb turned off, so I was booting in
> text mode). I'm really not sure though if the percent
> was there and I just didn't notice it.



Re: selinux relabel at boot

2014-12-16 Thread Daniel J Walsh
What version of Fedora was this?

restorecon -p -R /
7.4%^C

Shows Percent done now.

On 12/16/2014 02:03 PM, Tom Horsley wrote:
> On Tue, 16 Dec 2014 13:36:08 -0500
> Daniel J Walsh wrote:
>
>> There should be an indicator on the screen telling you the progress of
>> the relabel.
> I don't remember for sure, but I think there was just a cylon eyeball
> bouncing asterisks, not anything telling me about progress.
>
>> Did this machine have a HUGE number of files on it?  SELinux should take
>> about as much time as a find / on a system.
> It was a copy of a virtual disk image that had the fedora workstation
> ISO installed on it, so how ever many files that is :-). All I did
> was edit a few UUID and msdosNN partition identifiers in grub.cfg
> and fstab, then booted into it via configfile from a functioning grub.



Re: selinux relabel at boot

2014-12-16 Thread Daniel J Walsh

On 12/13/2014 11:42 AM, Marko Vojinovic wrote:
> On Sat, 13 Dec 2014 09:52:35 -0500
> Tom Horsley  wrote:
>> Just a note for someone who might care about this:
>>
>> I foolishly forgot to disable selinux in a system
>> I created by copying all the files from a virtual image.
>>
>> When it booted, it said "I've got to relabel everything,
>> this may take a while."
>>
>> So I figured I'd just wait for it, then a few minutes
>> later a message came up about a watchdog expiring
>> and it rebooted the system.
>>
>> What fun :-). I assume it could have done that all day,
>> but I took advantage of the reboot to disable selinux.
> I'm curious --- after the reboot, selinux should continue
> relabeling remaining files, right? So I assume that after a certain
> numbers of reboots it would eventually finish and continue booting?
>
> Or not?
>
> Though I agree that selinux should somehow inform the watchdog that a
> global relabel is in progress and that it may take more time than
> usual...
>
> Best, :-)
> Marko
>
There should be an indicator on the screen telling you the progress of
the relabel.

Did this machine have a HUGE number of files on it?  SELinux should take
about as much time as a find / on a system.


SELinux and the bash exploit.

2014-09-25 Thread Daniel J Walsh
https://danwalsh.livejournal.com/71122.html


Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Daniel J Walsh

On 09/24/2014 08:27 PM, Chris Adams wrote:
> Once upon a time, jd1008  said:
>> So, is this one of the ways javascripts exec bash to install malware
>> or do other nasty stuff?
> This has nothing to do with Javascript.  It is probably more serious to
> servers, such as web servers, than to desktops.
>
> On a web server, let's say you have some PHP or perl CGI code, and it
> needs to call out to an external program.  Depending on how the code is
> written, the PHP/perl interpreter may run the external program via
> /bin/sh (which is bash on many systems, especially Linux systems).  Now,
> if the web client has set some specific variables that get put into
> environment variables that get passed on to /bin/sh, bash will execute
> the arbitrary shell code as the web server user (e.g. Apache).
>
> At that point, it can get full remote access, which can then often see
> database credentials and such, accessing a lot of potentially secure
> data.  Even on RHEL/CentOS/Fedora systems, SELinux probably won't help
> much (since the web user already has access to read that information).
This is wrong.  SELinux would help in the situation of a confined
application: if an application is running as httpd_sys_script_t or
httpd_t it would only be allowed to do what apache or a cgi script is
allowed to do.

SELinux would block it from reading random parts of the OS.  For example,
if I had a world readable file containing credit card data in my home
directory and I had a faulty bash being run by a cgi script on apache,
SELinux would block the bash/cgi script from reading the world readable
file.

Now if you were running as unconfined_t or running in permissive mode or
disabled, then you would not get the protections.
> On a client system, there are some potential routes to exploiting this
> as well.  For example, I think the DHCP and PPP clients will run
> external scripts to configure things (such as DNS, NTP, etc.), using
> environment variables to pass information, so a malicious server could
> potentially get full root access to a vulnerable client system.  In most
> cases though, I don't think bash or /bin/sh get passed arbitrary remote
> data in environment variables on a client system (e.g. desktop).
>
> I could be missing some things (I'm not entirely familiar with the
> complexity added by modern desktop environments), but I don't think this
> is probably a huge deal for desktop Linux; I think the biggest impact
> would be on web servers with PHP/perl that calls out to external
> programs.
>



Re: SELinux contexts

2014-07-31 Thread Daniel J Walsh

On 07/31/2014 01:52 PM, Paolo Galtieri wrote:
> On 07/31/2014 09:51 AM, Michael Cronenworth wrote:
>> On 07/31/2014 10:54 AM, pgaltieri . wrote:
>>> sudo semanage fcontext -a -t var_log_t 'logs'
>> [snip]
>>
>> You need to pass the full path here.
>>
>> # semanage fcontext -a -t var_log_t /media/NSM/NSM-SENSOR-2/logs
>>
> I tried that and the restorecon and the file type is still file_t
> instead of var_log_t.
>
> Paolo
# semanage fcontext -a -t var_log_t '/media/NSM/NSM-SENSOR-2/logs(/.*)?'
# restorecon -R -v /media/NSM/NSM-SENSOR-2

Should change labels. 



Re: CPU/Memory

2014-07-23 Thread Daniel J Walsh
I would bet you have a mislabeled machine that is generating hundreds of
AVC's.

ausearch -m avc -ts today

If the system is mislabeled, the easiest thing to do would be

touch /.autorelabel; reboot

On 07/22/2014 07:02 PM, Rick Stevens wrote:
> On 07/22/2014 01:23 PM, Patrick Dupre issued this missive:
>> Hello,
>>
>> I have 2 machines running fedora 20, one from 2007 with a dual processor
>> and 3 Go, and a recent one (2013) with a quad processor an 8 Go.
>> But it is a lot more convenient to use the old machine!!!
>> The recent one is always busy, 4 processors running
>> 53.1 55.9 /usr/bin/python -Es /usr/sbin/setroublesootd -f
>>   and the memory becomes full quickly requiring swapping!!
>> 8 Go for the OS and firefox! Something is wrong.
>>
>> Should I kill setroublesootd?
>
> The first thing is to see why you're getting AVC denials from SELinux
> in the first place. setroubleshootd should only fire if it's getting
> denials. Try running "sealert -b" and see if you're getting denials and
> what you can do about them.
>
> --
> - Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
> - AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
> --
> -   To err is human, to moo bovine.  -
> --

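The AVC records quoted in the "swapping" thread above and the `ausearch -m avc -ts today` suggestion here are the raw material for deciding whether a box is mislabeled (relabel it) or hitting a real policy gap (file a bug). The following is an added example, not code from the thread or from the SELinux tools: a small Python parser for `type=AVC` records that counts denials per source type, target type, object class and permission, and lists the paths whose target type is one of the "no real label" types, which is the case that `restorecon` or `touch /.autorelabel` fixes. The sample records are constructed, modelled on the lines quoted earlier (ausearch prints each record on one line; the mail wrapped them); the httpd/file_t record and the set of types treated as "unlabeled" are my assumptions.

```python
import re
from collections import Counter

# Constructed sample audit records, modelled on the AVC lines quoted in the
# "swapping" thread (ausearch emits one record per line; the mail wrapped them).
# The httpd/file_t record is invented to show the "unlabeled file" case.
SAMPLE_AUDIT = """\
----
time->Tue Feb 17 11:15:08 2015
type=AVC msg=audit(1424168108.864:452969): avc:  denied  { execute } for  pid=25724 comm="plugin-containe" path="/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so" dev="dm-0" ino=241943 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
----
time->Tue Feb 17 11:15:08 2015
type=AVC msg=audit(1424168108.915:452971): avc:  denied  { execute } for  pid=25730 comm="plugin-containe" path="/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so" dev="dm-0" ino=241943 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file permissive=0
----
time->Tue Feb 17 11:16:40 2015
type=SYSCALL msg=audit(1424168200.100:452980): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1424168200.100:452980): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/media/NSM/NSM-SENSOR-2/logs/sensor.log" dev="sdb1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=0
"""

# Head of an AVC record: the result, the permission set in braces, then key=value pairs.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are double-quoted (path, comm) or bare (contexts, numbers).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one type=AVC record into a dict, or return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, _, quoted, bare in FIELD_RE.findall(m.group("rest")):
        rec[key] = bare or quoted
    # The type is the third colon-separated field of a context (user:role:type:level).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(audit_text):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


# Target types that mean "this object carries no real label" (assumption: a
# heuristic list, not something the SELinux tools export). Denials against these
# are fixed by relabeling (restorecon / touch /.autorelabel), not by policy changes.
UNLABELED_TYPES = {"file_t", "unlabeled_t", "default_t"}


def likely_mislabeled(audit_text):
    """Return the sorted paths whose denials point at unlabeled objects."""
    paths = set()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["result"] == "denied" and rec["ttype"] in UNLABELED_TYPES:
            paths.add(rec.get("path", "<no path>"))
    return sorted(paths)


if __name__ == "__main__":
    for (stype, ttype, tclass, perm), n in summarize(SAMPLE_AUDIT).most_common():
        print(f"{n:4d}  {stype} -> {ttype} {tclass}:{perm}")
    print("relabel candidates:", likely_mislabeled(SAMPLE_AUDIT))
```

On a real box, pipe `ausearch -m avc -ts today` into the parser instead of the embedded sample; records that are not `type=AVC` (the `SYSCALL`, `PROCTITLE` and `time->` lines) are skipped. A long list of distinct source/target pairs all hitting `file_t` points at a mislabeled filesystem; a single pair repeated hundreds of times, as with the mozilla_plugin_t denials above, is a policy or packaging question for the SELinux maintainers.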


Re: Selinux Packaging [WAS: Wifi connection issues with Intel?]

2014-06-16 Thread Daniel J Walsh

On 06/16/2014 02:15 PM, Richard Shaw wrote:
> On Mon, Jun 16, 2014 at 1:08 PM, Daniel J Walsh wrote:
>
>
> On 06/16/2014 01:35 PM, Richard Shaw wrote:
>> On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh wrote:
>>
>>
>> On 06/12/2014 10:14 AM, Richard Shaw wrote:
>>> On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh wrote:
>>>
>>>> The full unifi software is java with a mongodb database
>>>> backend and works fine. I have a RPM I created, the
>>>> only problem I haven't been able to fix is the selinux
>>>> issues, one for the private mongodb instance, and then
>>>> the ports it binds to. 
>>> Please open a bugzilla for the SELinux issues.
>>>
>>>
>>> Before I open a BZ, here's what I have in my spec file which
>>> from what I understand should be persistent...
>>>
>>> %posttrans
>>> /usr/sbin/semanage fcontext -e /var/lib/mongod
>>> "/var/lib/unifi/logs(/.*)?"
>>> /usr/sbin/semanage fcontext -e /var/lib/mongod
>>> "/var/lib/unifi/data(/.*)?"
>>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>>
>>> Or should this be handled in a policy?
>>>
>>> Thanks,
>>> Richard
>>>
>>>
>> I think your post install should look like.
>>
>> /usr/sbin/semanage fcontext -e /var/log/mongod
>> "/var/lib/unifi/logs"
>> /usr/sbin/semanage fcontext -e /var/lib/mongod
>> "/var/lib/unifi/data"
>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>
>> Don't use the regex. Also I would figure the logs should be
>> labeled mongod_log_t rather than mongod_lib_t.
>>
>>
>> What is the concern with regex?
>
>> It is specific to packaging? Most of the examples I found online
>> used that method... As far as the label, since everything is
>> getting dumped in /var/lib I figured that would be OK. 
>>
>
> Not a concern with regex; it just will not work.  The examples you
> have seen online were not using equivalence.  They were using
> generic labelling.
>
> Equivalence tells SELinux to swap the second part of the path with
> the first.  Your code would only match file paths that began with
> /var/lib/unifi/logs(/.*)?, not /var/lib/unifi/logs/foobar.log
>>
>> If this is a standard location for this code, we should put
>> it into the base package.
>>
>>
>> There is not a standard install location, the install will "work"
>> as long as everything stays in the same relative location (the
>> unifi directory). Since it writes a lot of stuff I figured /var
>> was the best (only?) real option. 
>>
> Yes
>
>> Following the example of a draft wiki I can't find anymore I had
>> modified the scripts to this instead of using %posttrans:
>> %post
>> semanage fcontext -a -t mongod_var_lib_t \
>> "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
>> semanage fcontext -a -t mongod_var_lib_t \
>> "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
>> restorecon -R %{_sharedstatedir}/unifi/logs || :
>> restorecon -R %{_sharedstatedir}/unifi/data || :
>> semanage port -m -t mongod_port_t 27117 || :
>>
>> %postun
>> if [ $1 -eq 0 ] ; then  # final removal
>> semanage fcontext -d -t mongod_var_lib_t \
>> "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
>> semanage fcontext -d -t mongod_var_lib_t \
>> "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
>> fi
>>
>>
> That should work.  You could speed it up by combining both semanage
> fcontext lines into a single transaction. Something like:
>
> semanage -S targeted -i - 2>/dev/null << _EOF || :
> fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/logs(/.*)?"
> fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/data(/.*)?"
> _EOF
>
>
> Ok, just to be clear, I still need to remove the (/.*)? parts? I found
> the packaging draft I referred to:
>
&

Re: Wifi connection issues with Intel?

2014-06-16 Thread Daniel J Walsh

On 06/16/2014 01:35 PM, Richard Shaw wrote:
> On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh wrote:
>
>
> On 06/12/2014 10:14 AM, Richard Shaw wrote:
>> On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh wrote:
>>
>>> The full unifi software is java with a mongodb database
>>> backend and works fine. I have a RPM I created, the only
>>> problem I haven't been able to fix is the selinux issues,
>>> one for the private mongodb instance, and then the ports it
>>> binds to. 
>> Please open a bugzilla for the SELinux issues.
>>
>>
>> Before I open a BZ, here's what I have in my spec file which from
>> what I understand should be persistent...
>>
>> %posttrans
>> /usr/sbin/semanage fcontext -e /var/lib/mongod
>> "/var/lib/unifi/logs(/.*)?"
>> /usr/sbin/semanage fcontext -e /var/lib/mongod
>> "/var/lib/unifi/data(/.*)?"
>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>
>> Or should this be handled in a policy?
>>
>> Thanks,
>> Richard
>>
>>
> I think your post install should look like.
>
> /usr/sbin/semanage fcontext -e /var/log/mongod "/var/lib/unifi/logs"
> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data"
> /usr/sbin/semanage port -m -t mongod_port_t 27117
>
> Don't use the regex. Also I would figure the logs should be
> labeled mongod_log_t rather than mongod_lib_t.
>
>
> What is the concern with regex?

> It is specific to packaging? Most of the examples I found online used
> that method... As far as the label, since everything is getting dumped
> in /var/lib I figured that would be OK. 
>

Not a concern with regex; it just will not work.  The examples you have
seen online were not using equivalence.  They were using generic
labelling.

Equivalence tells SELinux to swap the second part of the path with the
first.  Your code would only match file paths that began with
/var/lib/unifi/logs(/.*)?, not /var/lib/unifi/logs/foobar.log
>
> If this is a standard location for this code, we should put it
> into the base package.
>
>
> There is not a standard install location, the install will "work" as
> long as everything stays in the same relative location (the unifi
> directory). Since it writes a lot of stuff I figured /var was the best
> (only?) real option. 
>
Yes
> Following the example of a draft wiki I can't find anymore I had
> modified the scripts to this instead of using %posttrans:
> %post
> semanage fcontext -a -t mongod_var_lib_t \
> "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
> semanage fcontext -a -t mongod_var_lib_t \
> "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
> restorecon -R %{_sharedstatedir}/unifi/logs || :
> restorecon -R %{_sharedstatedir}/unifi/data || :
> semanage port -m -t mongod_port_t 27117 || :
>
> %postun
> if [ $1 -eq 0 ] ; then  # final removal
> semanage fcontext -d -t mongod_var_lib_t \
> "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
> semanage fcontext -d -t mongod_var_lib_t \
> "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
> fi
>
> Thanks,
> Richard
>
>
That should work.  You could speed it up by combining both semanage
fcontext lines into a single transaction. Something like:

semanage -S targeted -i - << _EOF
fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/logs(/.*)?"
fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/data(/.*)?"
_EOF 2>/dev/null || :

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
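To make the equivalence point above concrete, here is an added example (my own code, not from the thread and not libselinux): a small model of how a path gets its file label, with equivalence prefixes rewritten first and regex rules matched afterwards, later entries overriding earlier ones. The rule and substitution tables are a constructed subset of a targeted policy, not the real file_contexts.

```python
import re
from typing import List, Optional, Tuple

# Added example: a model of label lookup, not libselinux itself.  The tables
# below are a constructed subset of a Fedora targeted policy.

Rule = Tuple[str, str]  # (regex over the whole path, SELinux type)
Sub = Tuple[str, str]   # (equivalent prefix, target prefix), as in subs_dist

# Constructed subset of file_contexts: generic entries first, more specific
# ones later; the last matching entry wins.
BASE_RULES: List[Rule] = [
    ("/.*", "default_t"),
    ("/var(/.*)?", "var_t"),
    ("/var/lib(/.*)?", "var_lib_t"),
    ("/var/log(/.*)?", "var_log_t"),
    ("/var/lib/mongod(/.*)?", "mongod_var_lib_t"),
    ("/var/log/mongod(/.*)?", "mongod_log_t"),
]

# What the original %posttrans produced: the "equivalent path" is the literal
# string '/var/lib/unifi/logs(/.*)?', regex characters included.
BROKEN_SUBS: List[Sub] = [
    ("/var/lib/unifi/logs(/.*)?", "/var/lib/mongod"),
    ("/var/lib/unifi/data(/.*)?", "/var/lib/mongod"),
]

# Equivalence as suggested in the reply: plain prefixes, no regex.
EQUIV_SUBS: List[Sub] = [
    ("/var/lib/unifi/logs", "/var/log/mongod"),
    ("/var/lib/unifi/data", "/var/lib/mongod"),
]

# The later %post instead: ordinary regex rules (-a -t), where a regex is
# the right tool.
REGEX_RULES: List[Rule] = [
    ("/var/lib/unifi/logs(/.*)?", "mongod_var_lib_t"),
    ("/var/lib/unifi/data(/.*)?", "mongod_var_lib_t"),
]


def apply_subs(path: str, subs: List[Sub]) -> str:
    """Rewrite the prefix of the first equivalence that matches the path.

    A prefix matches only on a path-component boundary: it is the whole path
    or is followed by '/'.  It is compared literally, so '(' and '?' in it
    are just characters that no real path starts with.
    """
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path: str, rules: List[Rule], subs: List[Sub]) -> Optional[str]:
    """Type a path would be labelled with: substitute first, then match."""
    rewritten = apply_subs(path, subs)
    label: Optional[str] = None
    for pattern, selinux_type in rules:
        if re.fullmatch(pattern, rewritten):
            label = selinux_type  # later, more specific entries override
    return label


if __name__ == "__main__":
    log_file = "/var/lib/unifi/logs/foobar.log"
    print("regex inside -e :", lookup(log_file, BASE_RULES, BROKEN_SUBS))
    print("plain -e        :", lookup(log_file, BASE_RULES, EQUIV_SUBS))
    print("regex via -a -t :", lookup(log_file, BASE_RULES + REGEX_RULES, []))
```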


Re: Wifi connection issues with Intel?

2014-06-16 Thread Daniel J Walsh

On 06/12/2014 10:14 AM, Richard Shaw wrote:
> On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh wrote:
>
>> The full unifi software is java with a mongodb database backend
>> and works fine. I have a RPM I created, the only problem I
>> haven't been able to fix is the selinux issues, one for the
>> private mongodb instance, and then the ports it binds to. 
> Please open a bugzilla for the SELinux issues.
>
>
> Before I open a BZ, here's what I have in my spec file which from what
> I understand should be persistent...
>
> %posttrans
> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/logs(/.*)?"
> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data(/.*)?"
> /usr/sbin/semanage port -m -t mongod_port_t 27117
>
> Or should this be handled in a policy?
>
> Thanks,
> Richard
>
>
I think your post install should look like.

/usr/sbin/semanage fcontext -e /var/log/mongod "/var/lib/unifi/logs"
/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data"
/usr/sbin/semanage port -m -t mongod_port_t 27117

Don't use the regex. Also I would figure the logs should be labeled
mongod_log_t rather than mongod_lib_t.

If this is a standard location for this code, we should put it into the
base package.




Re: google-chrome + selinux + ecryptfs

2014-06-12 Thread Daniel J Walsh
How is ecryptfs supposed to work?

On 06/12/2014 03:13 PM, Pal, Laszlo wrote:
> node= type=SYSCALL msg=audit(1402610675.802:3612): arch=c03e
> syscall=47 success=yes exit=1 a0=12 a1=7f4cb29bb490 a2=40 a3=2 items=0
> ppid=8 pid=13635 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2
> comm="Chrome_ChildIOT" exe="/opt/google/chrome/chrome"
> subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
> key=(null)
> node=tohuvabohu.balabit type=AVC msg=audit(1402610675.802:3613): avc:
> denied  { write } for  pid=13634 comm="chrome"
> path="/home/.ecryptfs/vlad/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gSom1uZp3eGnWRADC8b67AE--/ECRYPTFS_FNEK_ENCRYPTED.FXbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gTtA3nsOQygKTjpvYs63foAeJEpmcXUfgP6gU.7wmAuY-/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7g5coEDCbOTnV-amR0ZN6y1---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gT3djTOmDHoPUHtuBzF97EU--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7geU1qaFnPHLsuy1RmqbGnBE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7glEd5RSiZ49p5vw44TzFM3E--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gKBDK1Q1GxCxyo3TiIlYCnE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gmuai.t4ZEmP-LatO12SQ.E--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gIB221z5L1BsC-c-sHPGaQ---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gqsU3WtY8FrzmtcENIeC0CE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gt-ZfSVe491Z7eplRchJ3qE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gSHKUZ6b8Mf6vlIo3pRzAj---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gC2jhQP5bAQcJMOMBLlUW1U--"
> dev="dm-2" ino=16123428
> scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file



Re: Wifi connection issues with Intel?

2014-06-12 Thread Daniel J Walsh


On 06/11/2014 01:48 PM, Richard Shaw wrote:
> On Wed, Jun 11, 2014 at 3:31 PM, poma wrote:
>
> There are four "indoor" models, and basic one ain't 5 GHz.
>
>
> Yes, I have the basic one, so it does support "n" but in 2.4GHz only.
>
>
> Besides there is no soft for the linux distros.
>
> The discovery software is java based and does run, but I couldn't get
> it to work.
>
> The full unifi software is java with a mongodb database backend and
> works fine. I have a RPM I created, the only problem I haven't been
> able to fix is the selinux issues, one for the private mongodb
> instance, and then the ports it binds to. 
>
> Richard
>
>
Please open a bugzilla for the SELinux issues.


Re: Problem with selinux and milter-greylist

2014-05-27 Thread Daniel J Walsh

On 05/27/2014 01:35 PM, arag...@dcsnow.com wrote:
> > Looks like the milter-greylist.sock is mislabeled. What directory is it
> > in? Why isn't it in /run?
>
> Well, see, I was following a guide (probably old) that pointed
> Sendmail to /var/milter-greylist so I just changed the greylist.conf
> file instead of changing the sendmail.mc file.
>
> Now that you mentioned that, I switched them and it works fine. 
> However, I'm still a bit confused why I was not able to just add a
> rule to get Selinux to allow the access.  It just seemed confused as
> to what needed done.
>
You could either adjust SELinux or adjust the App.  If the app is doing
the wrong thing, I would prefer to fix the app.
> ---
> Will Y.
>
>



Re: Problem with selinux and milter-greylist

2014-05-27 Thread Daniel J Walsh

On 05/27/2014 12:55 PM, arag...@dcsnow.com wrote:
>
> Hi,
>
> So I'm trying to get milter-greylist working with selinux and I seem to
> have a problem.  It doesn't seem to know what milter-greylist is trying
> to access so I can't add a rule to fix it.  Here is what I see in
> /var/log/message when I try to run systemctl start milter-greylist
>
> May 27 12:47:07 dcsnow setroubleshoot: SELinux is preventing
> /usr/sbin/milter-greylist from remove_name access on the directory .
> For complete SELinux messages. run sealert -l
> f008afda-b837-4a7a-ad4e-80562d4ef31c
> May 27 12:47:07 dcsnow python: SELinux is preventing
> /usr/sbin/milter-greylist from remove_name access on the directory .
>
> *  Plugin catchall_labels (83.8 confidence) suggests  ***
>
> If you want to allow milter-greylist to have remove_name access on the
> directory
> Then you need to change the label on $FIX_TARGET_PATH
> Do
> # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
> where FILE_TYPE is one of the following: greylist_milter_data_t,
> var_run_t.
> Then execute:
> restorecon -v '$FIX_TARGET_PATH'
>
> *  Plugin catchall (17.1 confidence) suggests  **
>
> If you believe that milter-greylist should be allowed remove_name
> access on the directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep milter-greylist /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> In audit.log I see:
>
> type=AVC msg=audit(1401209226.129:1909): avc:  denied  { remove_name }
> for  pid=8467 comm="milter-greylist" name="milter-greylist.sock"
> dev="sda6" ino=652403 scontext=system_u:system_r:greylist_milter_t:s0
> tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
>
> Any ideas on how I go about finding out what needs to happen here?
>
> Thanks in advance for your help.
>
> ---
> Will Y.
>
>
>
Looks like the milter-greylist.sock is mislabeled.  What directory is it
in?  Why isn't it in /run?


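The diagnosis in this thread (a socket under a generic var_t directory, so the file is mislabelled or misplaced) and the ecryptfs_t denial in the google-chrome thread above are the two shapes an AVC comes in. The following is an added example of my own, not code from either thread: it parses raw AVC records and sorts each denial into "check the target's label first" versus "policy lacks a rule". The GENERIC_TYPES and WRITE_PERMS sets are my assumptions, and the sample records are constructed from the ones quoted (the encrypted ecryptfs path is shortened).

```python
import re
from typing import Any, Dict, List, Optional

# Added example (not from the thread): triage raw AVC records from audit.log.

# Assumption: catch-all file types a confined daemon is almost never meant to
# modify; a denied write-like access on one of them usually means the object
# is in the wrong place or was never relabelled.
GENERIC_TYPES = {"var_t", "var_lib_t", "var_log_t", "default_t",
                 "unlabeled_t", "file_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "link",
               "add_name", "remove_name", "setattr"}

# Constructed sample modelled on the records quoted in this thread and the
# ecryptfs thread; a non-AVC record is mixed in to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1401209226.129:1909): avc:  denied  { remove_name } for  pid=8467 comm="milter-greylist" name="milter-greylist.sock" dev="sda6" ino=652403 scontext=system_u:system_r:greylist_milter_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1402610675.802:3613): avc:  denied  { write } for  pid=13634 comm="chrome" path="/home/.ecryptfs/vlad/.Private/ECRYPTFS_FNEK_ENCRYPTED.example" dev="dm-2" ino=16123428 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file
type=SYSCALL msg=audit(1402610675.802:3612): syscall=47 success=yes exit=1 pid=13635 comm="Chrome_ChildIOT"
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx: str) -> str:
    """The third field of user:role:type[:range] is the type."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Parse one AVC record; return None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
        # a file-class record carries either a resolved path or just a name
        "target": fields.get("path") or fields.get("name"),
    }


def parse_audit_log(text: str) -> List[Dict[str, Any]]:
    records = (parse_avc(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def triage(rec: Dict[str, Any]) -> str:
    """'relabel' when a generic target type is being modified, else 'policy'."""
    writes = bool(WRITE_PERMS & set(rec["perms"]))
    if rec["ttype"] in GENERIC_TYPES and writes:
        return "relabel"
    return "policy"


def report(text: str) -> List[str]:
    """One line per AVC record: the first thing to check for that denial."""
    out = []
    for rec in parse_audit_log(text):
        if triage(rec) == "relabel":
            hint = "check the target's label (restorecon -nv) or its location"
        else:
            hint = "policy gap: report it, or build a local module with audit2allow"
        out.append("%d %s: %s -> %s (%s %s) %s: %s" % (
            rec["serial"], rec["comm"], rec["stype"], rec["ttype"],
            rec["tclass"], " ".join(rec["perms"]), rec["target"], hint))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LOG)))
```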


Re: Set SELinux to allow only httpd daemon to use specific tty device

2014-05-06 Thread Daniel J Walsh

On 05/06/2014 12:03 AM, Emmanuel Noobadmin wrote:
> On 5/5/14, Daniel J Walsh  wrote:
>> Simplest would be to just use
>> # grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
>> # semodule -i myhttp.pp
>>
>> This would allow httpd_t processes the ability to use usb_device_t.
>> If you really wanted to tighten it up, you could build a custom policy
>> that put a different label on /dev/usbDataCollector and allow httpd_t
>> access to this device.
>>
>> Something like
>>
>> # cat myhttp.te
>> policy_module(myhttp, 1.0)
>> gen_require(`
>> type httpd_t;
>> ')
>>
>> type httpd_device_t;
>> dev_node(httpd_device_t)
>>
>> allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;
>>
>> # cat myhttp.fc
>> /dev/usbDataCollector	-c	gen_context(system_u:object_r:httpd_device_t,s0)
>>
>> # make -f /usr/share/selinux/devel/Makefile
>> # semodule -i myhttp.pp
>> # restorecon -v /dev/usbDataCollector
> Thanks for the reply, I'll keep this in mind for the next machine.
> Currently, I'm unable to test it out since F20 stopped booting (for no
> reason I could figure out) on the laptop and I had to resort to
> another distribution.
I wrote a blog on this discussion.

https://danwalsh.livejournal.com/69221.html


Re: Set SELinux to allow only httpd daemon to use specific tty device

2014-05-05 Thread Daniel J Walsh

On 05/04/2014 12:22 AM, Emmanuel Noobadmin wrote:
> Using Fedora 20 3.11.10-301.fc20.x86_64 and selinux targeted policy.29
>
> I've a PHP application that sends data to a USB tty device e.g.
> /dev/usbDataCollector
>
> Unfortunately selinux is blocking this action. When set to permissive,
> the alert browser suggests the command: setsebool -P daemons_use_tty 1
>
> The documentation says Allow all daemons the ability to use
> unallocated ttys. This naturally doesn't sound like a good idea
> although admittedly it probably won't hurt in this particular
> installation. However, I thought it would be good to find the
> 'correct' solution to this.
>
> But I am unable to find a more fine grain SELinux control for this,
> Fedora 20 has no documentation and the only vaguely relevant one I
> could find elsewhere is httpd_tty_com which appears unrelated as it is
> about allow httpd to communicate with terminal.
>
> So the question is whether there is any way to do this or is allowing
> all daemons the only option?
Simplest would be to just use
# grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

This would allow httpd_t processes the ability to use usb_device_t. 
If you really wanted to tighten it up, you could build a custom policy
that put a different label on /dev/usbDataCollector and allow httpd_t
access to this device.

Something like

# cat myhttp.te
policy_module(myhttp, 1.0)
gen_require(`
type httpd_t;
')

type httpd_device_t;
dev_node(httpd_device_t)

allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;

# cat myhttp.fc
/dev/usbDataCollector	-c	gen_context(system_u:object_r:httpd_device_t,s0)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myhttp.pp
# restorecon -v /dev/usbDataCollector





Re: cups-pdf

2014-05-05 Thread Daniel J Walsh

On 05/04/2014 06:27 PM, Patrick Dupre wrote:
>
>> - Original Message -
>> From: Steven Stern
>> Sent: 05/05/14 12:03 AM
>> To: Community support for Fedora users
>> Subject: Re: cups-pdf
>>
>> On 05/04/2014 04:57 PM, Patrick Dupre wrote:
>>>
 - Original Message -
 From: Steven Stern
 Sent: 05/04/14 11:53 PM
 To: Community support for Fedora users
 Subject: Re: cups-pdf

 On 05/04/2014 04:48 PM, Patrick Dupre wrote:
>>> When I try to use cups-pdf to generate pdf file, I have no output.
>>> /var/log/cups/cups-pdf_log
>>> shows an error:
>>>
>>> Sun May 4 23:22:44 2014 [ERROR] ghostscript reported an error (256)
>>> Sun May 4 23:22:44 2014 [ERROR] failed to set file mode for PDF file 
>>> (non fatal) (/home/pdupre/Desktop/NICE-OHMS_v2.pdf)
>>>
>>> I did not find the solution on internet!
>>>
>>> Thank for your help.
>>>
>> Is SELinux in enforcing mode?
> Yes, if I switch to permissive then the pdf file is generated.
>
> But on another machine, the file generation is OK even in enforced mode!
> (BOTH fc20).
 Well, there you go! Either you once created an overriding policy or...

>>> How do I do this?
>> sealert should offer to show you how to create a policy to allow it. Do
>> you have the setroubleshootd daemon running?
> Yes, I think so.
> It is running, but it does not report any alert!
>
> Now it works,
> Thank.
>
>> sealert -a /var/log/audit
>>
>> or
>>
>> sudo grep pdf /var/log/audit/audit.log | audit2allow -M mypol
>> sudo semodule -i mypol.pp
>>
>>
>
> ===
>  Patrick DUPRÉ | | email: pdu...@gmx.com
>  Laboratoire de Physico-Chimie de l'Atmosphère | |
>  Université du Littoral-Côte d'Opale   | |
>  Tel.  (33)-(0)3 28 23 76 12   | | Fax: 03 28 65 82 44
>  189A, avenue Maurice Schumann | | 59140 Dunkerque, France
> ===

After cups-pdf is denied, execute

ausearch -m avc -ts recent -i

If this does not generate any AVC's then try with "semodule -DB" then
run the test again.

semodule -DB will disable dontaudit rules.

semodule -B will turn them back on.


Re: Trouble starting webex in F20

2014-05-02 Thread Daniel J Walsh

On 05/02/2014 01:19 PM, Chris Kottaridis wrote:
>
> On 05/02/2014 12:07 PM, Daniel J Walsh wrote:
>>
>> On 05/01/2014 06:26 PM, Chris Kottaridis wrote:
>>>
>>> On 05/01/2014 05:08 PM, Rick Stevens wrote:
>>>> On 05/01/2014 01:40 PM, Andrew Azores issued this missive:
>>>>> On 05/01/2014 04:27 PM, Chris Kottaridis wrote:
>>>>>>
>>>>>> On 05/01/2014 02:11 PM, Deepak Bhole wrote:
>>>>>>> * Chris Kottaridis  [2014-05-01 13:25]:
>>>>>>>> I have an F19 and an F20 host and when I try to start a webex
>>>>>>>> on the
>>>>>>>> F20 host it doesn't work right. It works fine on the F19 machine.
>>>>>>>>
>>>>>>>> The symptom is that when I start the webex in F20 it sends up a
>>>>>>>> message about wanting to run an applet and I tell it yes it's
>>>>>>>> OK to
>>>>>>>> run the applet. That doesn't come up on the F19 host. On the
>>>>>>>> F19 the
>>>>>>>> icedtea icon pops up for a short time and then I get connected. I
>>>>>>>> don't see the icedtea icon pop up in F20.
>>>>>>>>
>>>>>>>> I did notice that icedtea is at 1.5 in F20, but at 1.4 for F19 and
>>>>>>>> there is some policy control added in 1.5. I set the policy to
>>>>>>>> allow
>>>>>>>> all applets to do everything for the time being in the
>>>>>>>> .config/icedtea-web/security/java.policy file which the
>>>>>>>> icedtea-web
>>>>>>>> man page says is the default policy file.
>>>>>>>>
>>>>>>>> Any ideas on what the difference might be between F19 and F20
>>>>>>>> would
>>>>>>>> be appreciated or pointer to a different group that could help.
>>>>>>>>
>>>>>>>> Sorry that I only have rather high level usage info, but so far
>>>>>>>> other then this issue with starting a webex everything seems OK
>>>>>>>> that
>>>>>>>> I have tried so far.
>>>>>>>>
>>>>>>> Hi Chris,
>>>>>>>
>>>>>>> Is it possible for us to reproduce this? If so, what are the steps?
>>>>>> You'd need a webex account.
>>>>>
>>>>> Hmm, there's no way to reproduce it with the test meeting [0] ?
>>>>>
>>>>>>
>>>>>> After some more playing it seems the issue is when I try to share my
>>>>>> desktop it doesn't get shared in F20, but does in F19.
>>>>>
>>>>> So the Webex applet is successfully starting with both, then?
>>>>>
>>>>>>
>>>>>> That is what's so weird is it works like a champ in F19. I assume
>>>>>> there is just something missing, maybe something I need to
>>>>>> install or
>>>>>> some permission or configuration setting. I haven't found
>>>>>> anything in
>>>>>> any log files yet to help point to what the problem might be.
>>>>>>
>>>>>> When I connect to webex to start a session if I click on
>>>>>> Activities I
>>>>>> see a webex icon of a ball that is half green and half blue and the
>>>>>> name is "sun-applet-PluginMain" on the activites list. After I click
>>>>>> on share desktop I see a second icon like that which says Atasjni on
>>>>>> the F19, but still only have the one on F20. So, it seems some
>>>>>> app is
>>>>>> having trouble getting started when I click to share desktop. So,
>>>>>> far
>>>>>> I haven't found any complaint in any log file though.
>>>>>>
>>>>>> Thanks
>>>>>> Chris Kottaridis
>>>>>
>>>>> Do you have any log files at all to share? You can also try launching
>>>>> your browser from terminal (assuming this is starting through a
>>>>> browser
>>>>> at all), and capture the output with a redirect or tee there.
>>>>>
>>>>> Also, just a note that IcedTea-Web 1.5 is available for Fedora 19 as
>>>>&

Re: Trouble starting webex in F20

2014-05-02 Thread Daniel J Walsh

On 05/01/2014 06:26 PM, Chris Kottaridis wrote:
>
> On 05/01/2014 05:08 PM, Rick Stevens wrote:
>> On 05/01/2014 01:40 PM, Andrew Azores issued this missive:
>>> On 05/01/2014 04:27 PM, Chris Kottaridis wrote:

 On 05/01/2014 02:11 PM, Deepak Bhole wrote:
> * Chris Kottaridis  [2014-05-01 13:25]:
>> I have an F19 and an F20 host and when I try to start a webex on the
>> F20 host it doesn't work right. It works fine on the F19 machine.
>>
>> The symptom is that when I start the webex in F20 it sends up a
>> message about wanting to run an applet and I tell it yes it's OK to
>> run the applet. That doesn't come up on the F19 host. On the F19 the
>> icedtea icon pops up for a short time and then I get connected. I
>> don't see the icedtea icon pop up in F20.
>>
>> I did notice that icedtea is at 1.5 in F20, but at 1.4 for F19 and
>> there is some policy control added in 1.5. I set the policy to allow
>> all applets to do everything for the time being in the
>> .config/icedtea-web/security/java.policy file which the icedtea-web
>> man page says is the default policy file.
>>
>> Any ideas on what the difference might be between F19 and F20 would
>> be appreciated or pointer to a different group that could help.
>>
>> Sorry that I only have rather high level usage info, but so far
>> other then this issue with starting a webex everything seems OK that
>> I have tried so far.
>>
> Hi Chris,
>
> Is it possible for us to reproduce this? If so, what are the steps?
 You'd need a webex account.
>>>
>>> Hmm, there's no way to reproduce it with the test meeting [0] ?
>>>

 After some more playing it seems the issue is when I try to share my
 desktop it doesn't get shared in F20, but does in F19.
>>>
>>> So the Webex applet is successfully starting with both, then?
>>>

 That is what's so weird is it works like a champ in F19. I assume
 there is just something missing, maybe something I need to install or
 some permission or configuration setting. I haven't found anything in
 any log files yet to help point to what the problem might be.

 When I connect to webex to start a session if I click on Activities I
 see a webex icon of a ball that is half green and half blue and the
 name is "sun-applet-PluginMain" on the activites list. After I click
 on share desktop I see a second icon like that which says Atasjni on
 the F19, but still only have the one on F20. So, it seems some app is
 having trouble getting started when I click to share desktop. So, far
 I haven't found any complaint in any log file though.

 Thanks
 Chris Kottaridis
>>>
>>> Do you have any log files at all to share? You can also try launching
>>> your browser from terminal (assuming this is starting through a browser
>>> at all), and capture the output with a redirect or tee there.
>>>
>>> Also, just a note that IcedTea-Web 1.5 is available for Fedora 19 as
>>> well. Although if you appear to be having problems after the 1.5
>>> update,
>>> I wouldn't recommend you update to it yet - not until we figure out
>>> what's going on here! With 1.5 on both Fedora 19 (native) and 20 (VM),
>>> Webex works fine, but I haven't tried this 'share desktop'
>>> functionality.
>>>
>>> [0] http://www.webex.com/test-meeting.html
>>
>> Also check to see if there's perhaps a SELinux alert going along with
>> this. There may be changes to selinux configs that block sharing the
>> desktop.
>
> I don't know a lot about selinux, but I used the SELinux management
> tool to just disable SELinux.
>
>
>
> So, I assume SELinux is out of the picture for now.
>
> But, I think it is probably some local configuration issue like that.
>
> Thanks
> Chris Kottaridis
>
>
>
Putting SELinux into permissive mode would have been plenty.  Setting
the machine to disabled will only take effect on the next reboot.

If SELinux is blocking the web browser from sharing desktop you could
turn off one of these booleans, which would probably fix your problem.

unconfined_chrome_sandbox_transition --> on
unconfined_mozilla_plugin_transition --> on
setsebool -P unconfined_chrome_sandbox_transition 0
setsebool -P unconfined_mozilla_plugin_transition 0

You would need to restart the browser.


Re: Two SELinux-related things

2014-04-25 Thread Daniel J Walsh

On 04/24/2014 04:56 PM, Mark Brader wrote:
>> # semanage fcontext -a -e /home /u
>> # restorecon -R -v /u
>>
>> Should fix you up.
> Bingo.  Thanks for your time.
>
> I did wonder if this was the cause of the problem, but (1) it didn't happen
> with the previous Linux configuration I had, and (2) I actually write
> remounting the filesystem as /home before I wrote to you.  But (I now
> realize) I left /u as a symlink to /home instead of changing my actual
> home directory, so that didn't cover it.
>
>
> This still leaves me with two questions.
>
> [1] What about the way the message from SELinux failed to name a
> directory?  That made it impossible for me to see what was actually
> going on.  It seems to me like a bug in the alert reporting.
http://danwalsh.livejournal.com/34903.html?thread=220247
> [2] How do I reach the fedora-devel people you mentioned, to ask them
> my other question?
Just send a question to the Community support for Fedora users list
with information about what you are trying to do, mention SELinux
in the message or CC me, and I will follow the discussion.


Re: fedup 19=>20 hangs: selinux

2014-04-10 Thread Daniel J Walsh
Strange, if selinux-policy-targeted is not installed SELinux is disabled. 
On 04/09/2014 08:31 PM, Sean Darcy wrote:
> On 04/09/2014 06:01 PM, Daniel J Walsh wrote:
>> So this looks like selinux-policy-targeted got removed during the
>> update?
>>
>> On 04/09/2014 04:21 PM, Sean Darcy wrote:
>>> On 04/08/2014 11:54 AM, Daniel J Walsh wrote:
>>>> This usually means there is no /etc/selinux/targeted/policy/policy.*
>>>> file.
>>>>
>>>> If you run semodule -B  Does one get created?
>>>> On 04/08/2014 10:59 AM, Sean Darcy wrote:
>>>>> Trying to upgrade F19 to F20 using fedup. On the upgrade reboot it
>>>>> hangs:
>>>>>
>>>>> 
>>>>> Reached target Initrd Default Target
>>>>> systemd-journald[166]: Received SIGTERM
>>>>> systemd[1]: Failed to initialize SELinux context: no such file or
>>>>> directory
>>>>>
>>>>>
>>>>> selinux is set to permissive. F19 works fine.
>>>>>
>>>>> I suppose I could set selinux=0 , but then none of the contexts would
>>>>> be set. Correct?
>>>>>
>>>>> sean
>>>>>
>>>>>
>>>>
>>>   No. There's no such file:
>>> ls /etc/selinux/targeted
>>> contexts  modules  seusers.rpmnew  seusers.rpmsave
>>>
>>> But:
>>>
>>> semodule -B
>>> libsemanage.semanage_link_sandbox: Could not access sandbox base file
>>> /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
>>> semodule:  Failed!
>>>
>>> sean
>>>
>>
>
> selinux-policy-targeted was never installed.
>
> There a bugzilla entry on this:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1044484
>
> It seems fedup requires selinux-policy-targeted, even if the policy is
> permissive. And better yet, fedup doesn't check to see if it's installed.
>
> So the drill seems to be
>
> 1. install selinux-policy-targeted
>
> 2. reboot to change all the contexts
>
> 3. retry fedup.
>
> It'll fail. I got about 600 dupes. And there's no log, so you won't
> find out what's wrong.
>
> fedup --clean
>
> And try again.
>
> Sigh.
>



Re: fedup 19=>20 hangs: selinux

2014-04-09 Thread Daniel J Walsh
So this looks like selinux-policy-targeted got removed during the update? 

On 04/09/2014 04:21 PM, Sean Darcy wrote:
> On 04/08/2014 11:54 AM, Daniel J Walsh wrote:
>> This usually means there is no /etc/selinux/targeted/policy/policy.*
>> file.
>>
>> If you run semodule -B  Does one get created?
>> On 04/08/2014 10:59 AM, Sean Darcy wrote:
>>> Trying to upgrade F19 to F20 using fedup. On the upgrade reboot it
>>> hangs:
>>>
>>> 
>>> Reached target Initrd Default Target
>>> systemd-journald[166]: Received SIGTERM
>>> systemd[1]: Failed to initialize SELinux context: no such file or
>>> directory
>>>
>>>
>>> selinux is set to permissive. F19 works fine.
>>>
>>> I suppose I could set selinux=0 , but then none of the contexts would
>>> be set. Correct?
>>>
>>> sean
>>>
>>>
>>
>  No. There's no such file:
> ls /etc/selinux/targeted
> contexts  modules  seusers.rpmnew  seusers.rpmsave
>
> But:
>
> semodule -B
> libsemanage.semanage_link_sandbox: Could not access sandbox base file
> /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
> semodule:  Failed!
>
> sean
>



Re: fedup 19=>20 hangs: selinux

2014-04-08 Thread Daniel J Walsh
This usually means there is no /etc/selinux/targeted/policy/policy.* file.

If you run semodule -B  Does one get created?
On 04/08/2014 10:59 AM, Sean Darcy wrote:
> Trying to upgrade F19 to F20 using fedup. On the upgrade reboot it hangs:
>
> 
> Reached target Initrd Default Target
> systemd-journald[166]: Received SIGTERM
> systemd[1]: Failed to initialize SELinux context: no such file or
> directory
>
>
> selinux is set to permissive. F19 works fine.
>
> I suppose I could set selinux=0 , but then none of the contexts would
> be set. Correct?
>
> sean
>
>



Re: new SELinux error

2014-03-28 Thread Daniel J Walsh
ausearch -m avc,user_avc -i

Or just attach the full output of the sealert command. 

The AVC's are at the bottom.


Re: new SELinux error

2014-03-27 Thread Daniel J Walsh
What was the AVC that you got?
On 03/27/2014 04:58 PM, Paul Cartwright wrote:
> I am not sure what to do..
>
> I got this error message:
> # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
> where FILE_TYPE is one of the following: NetworkManager_log_t,
> NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t,
> abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t,
> abrt_var_run_t, acct_data_t, admin_crontab_tmp_t, admin_home_t,
> afs_logfile_t, aide_log_t, alsa_home_t, alsa_tmp_t, amanda_log_t,
> amanda_tmp_t, antivirus_home_t, antivirus_log_t, antivirus_tmp_t,
> apcupsd_log_t, apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t,
> asterisk_log_t, asterisk_tmp_t, audio_home_t, auditadm_sudo_tmp_t,
> auth_cache_t, auth_home_t, automount_tmp_t, awstats_tmp_t, bacula_log_t,
> bin_t, bitlbee_log_t, bitlbee_tmp_t, bluetooth_helper_tmp_t,
> bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t,
> bootloader_tmp_t, cache_home_t, calamaris_log_t, callweaver_log_t,
> canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t,
> cdcc_tmp_t, cert_t, certmaster_var_log_t, cfengine_log_t, cgred_log_t,
> cgroup_t, checkpc_log_t, chrome_sandbox_exec_t, chrome_sandbox_home_t,
> chrome_sandbox_nacl_exec_t, chrome_sandbox_tmp_t,
> chrome_sandbox_tmpfs_t, chronyd_var_log_t, cloud_init_tmp_t,
> cloud_log_t, cluster_tmp_t, cluster_var_log_t, cobbler_tmp_t,
> cobbler_var_log_t, colord_tmp_t, comsat_tmp_t, condor_log_t,
> condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t,
> config_home_t, conman_log_t, consolekit_log_t, couchdb_log_t,
> couchdb_tmp_t, cpu_online_t, crack_tmp_t, cron_log_t, crond_tmp_t,
> crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_log_t,
> cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_home_t, cvs_tmp_t, cyphesis_log_t,
> cyphesis_tmp_t, cyrus_tmp_t, data_home_t, dbadm_sudo_tmp_t,
> dbskkd_tmp_t, dbus_home_t, dcc_client_tmp_t, dcc_dbclean_tmp_t,
> dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t,
> deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t,
> devicekit_tmp_t, devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t,
> dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t,
> dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t,
> dlm_controld_var_log_t, dnsmasq_var_log_t, docker_log_t, docker_tmp_t,
> dosfs_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t,
> dovecot_var_log_t, dspam_log_t, etc_t, evtchnd_var_log_t, exim_log_t,
> exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, faillog_t, fenced_tmp_t,
> fenced_var_log_t, fetchmail_home_t, fetchmail_log_t, fingerd_log_t,
> firewalld_tmp_t, firewalld_var_log_t, firewallgui_tmp_t,
> foghorn_var_log_t, fonts_cache_t, fonts_t, fsadm_log_t, fsadm_tmp_t,
> fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, gconf_home_t,
> gconf_tmp_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t,
> git_user_content_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t,
> glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t,
> glusterd_tmp_t, gnome_home_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t,
> gpg_secret_t, gpm_tmp_t, groupd_var_log_t, gssd_tmp_t, gstreamer_home_t,
> haproxy_var_log_t, home_bin_t, home_cert_t, httpd_bugzilla_tmp_t,
> httpd_collectd_script_tmp_t, httpd_log_t, httpd_mojomojo_tmp_t,
> httpd_munin_script_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t,
> httpd_tmp_t, httpd_user_content_t, httpd_user_htaccess_t,
> httpd_user_ra_content_t, httpd_user_rw_content_t,
> httpd_user_script_exec_t, httpd_w3c_validator_tmp_t, hugetlbfs_t,
> icc_data_home_t, iceauth_home_t, icecast_log_t, inetd_child_tmp_t,
> inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t,
> innd_log_t, ipsec_log_t, ipsec_tmp_t, iptables_tmp_t, irc_home_t,
> irc_tmp_t, irssi_home_t, iscsi_log_t, iscsi_tmp_t, iwhd_log_t,
> jetty_log_t, jockey_var_log_t, kadmind_log_t, kadmind_tmp_t,
> kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_log_t, keystone_tmp_t,
> kismet_home_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t,
> krb5_home_t, krb5_host_rcache_t, krb5kdc_log_t, krb5kdc_tmp_t,
> ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t,
> ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t,
> local_login_home_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t,
> logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t,
> lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_home_rw_t, mail_home_t,
> mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_log_t,
> mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t,
> mandb_cache_t, mandb_home_t, mcelog_log_t, mock_tmp_t, mongod_log_t,
> mongod_tmp_t, motion_log_t, mount_tmp_t, mozilla_home_t,
> mozilla_plugin_tmp_t, mozilla_tmp_t, mpd_home_t, mpd_log_t, mpd_tmp_t,
> mpd_user_data_t, mplayer_home_t, mrtg_log_t, mscan_tmp_t, munin_log_t,
> munin_tmp_t, mysqld_home_t, mysqld_log_t, mysqld_tmp_t,
> mythtv_var_log_t, nagios_eventhandler_plugin_tmp_t, nagios_log_t,
> nagios_openshift_plugin_tmp_t, nagios_system_plugi

Re: after upgrading fedora rawhide this morning, no graphical desktop

2014-03-14 Thread Daniel J Walsh
On 03/13/2014 02:58 PM, Robert P. J. Day wrote:
> On Thu, 13 Mar 2014, Kevin Martin wrote:
> 
>> On 03/13/2014 07:57 AM, Robert P. J. Day wrote:
>>> 
>>> recently, i upgraded my ASUS G74S laptop to fedora rawhide and it was
>>> running nicely. then this morning, i did another "yum update", which
>>> appeared to update well over 200 packages (including a slightly newer
>>> kernel), after which, when i booted, i had no graphical desktop 
>>> anymore, just the little blue and white fedora logo.
>>> 
>>> i can still switch to VC2 and log in at the command line (where i am 
>>> now), so i can certainly check log files, but i don't see anything 
>>> immediately amiss.
>>> 
>>> i rebooted both to the earlier rawhide kernel, and even back to the 
>>> latest fedora 20 official kernel -- same result, the fedora logo in the
>>> middle of the screen on VC1, but the ability to log in on another 
>>> virtual console.
>>> 
>>> has anyone else run into this? i have an nvidia graphics card, and am
>>> running the nouveau driver. i'll keep poking around the log files, and
>>> if you have any suggestions, i'm all ears.
>>> 
>>> rday
>>> 
>> Hmm, sounds similar to what I'm experiencing.  When you go into VC2 what
>> does "lsmod | grep nouveau" show?  I've found that I've been having to
>> manually "modprobe nouveau modeset=1" since doing my update about 4 days
>> ago.  I'm not sure why nouveau won't load and I find that if I don't set
>> the modeset=1 when I do the manual modprobe that I still can't get X.
> 
> h ... it's possible this is not related to rawhide at all, and is due
> to something silly i did earlier this morning. could the following be the
> cause?
> 
> in order to install drupal 8.x on my fedora (rawhide) system, i had to
> disable selinux ("setenforce 0"). i *think* that while selinux was thus
> disabled, i may have done "yum update", which would have of course updated
> those 200+ packages while my system was in permissive mode. once i saw i
> had a new kernel due to the update, i of course rebooted, which rebooted
> with selinux back in enforcing mode, and the problems started. simply
> putting selinux back into permissive mode fixed everything.
> 
> i'm by no means an selinux expert -- is that how i caused my problem?
> 
> rday
> 
What AVC messages are you getting?

ausearch -m avc -ts today




Re: google-chrome not displaying text with selinux enforcing

2014-02-27 Thread Daniel J Walsh
On 02/27/2014 02:38 PM, Ed K. wrote:
> On Thu, 27 Feb 2014, Dale Dellutri wrote:
> 
>>> On 02/27/14 05:50, Dale Dellutri wrote:
>>>> I did this and set selinux back to enforcing.  google-chrome is now
>>>> working as it should.
>>> 
>>> Good to see it is OK now.  FWIW, I have a fully updated F20 system.
>>> I'm using KDE and google chrome and I am not seeing any problems when I
>>> visit your website.
>> 
>> Yes, it's fixed now.  The original problem occurred because I added a
>> directory of private fonts to /usr/share/fonts/, but I did not adjust
>> the selinux context for that directory.  The ausearch suggested by Daniel
>> Walsh discovered the problem.
>> 
>> I really must learn more about the care and feeding of selinux if I'm
>> going to use it.
>> 
> 
> Dale, I've been having the same problem. But with $HOME/.fonts
> 
> What chcon command did you use to permit chrome to read the fonts
> directory?
> 
> ed
Should be allowed.

restorecon -R -v ~/

Should fix any labels.


Re: google-chrome not displaying text with selinux enforcing

2014-02-26 Thread Daniel J Walsh
On 02/26/2014 02:00 PM, Dale Dellutri wrote:
> I've got a Fedora 20 XFCE desktop.  I installed google-chrome. It fails to
> display some text on many web sites if selinux is set to enforcing, but
> shows the text with selinux set to permissive.
> 
> For example, with selinux set to enforcing, my web site: 
> http://www.DaleDellutri.com only shows the icon image in the upper left
> corner, an empty box, and the bluish outer color, but does not show any of
> the text on the page.  If I do # setenforce 0 and re-start google-chrome,
> then the page is displayed properly.
> 
> Firefox shows the page properly no matter how selinux is set.
> 
> With selinux enforcing, when I start google-chrome from the command line,
> it does not provide any error messages, and I don't see any error messages
> from selinux.
> 
> Where are the selinux logs?  I've used # journalctl | grep -i selinux but
> there are no errors or warnings.
> 
> What could cause this problem?
> 
> Do you have any suggestions for debugging?
> 
> -- Dale Dellutri
> 
> 
Are you seeing any AVCs?

ausearch -m avc -ts recent

You can turn off SELinux confinement of chrome sandbox, with

setsebool -P unconfined_chrome_sandbox_transition=0




Re: policycoreutils packaging bug?

2014-02-17 Thread Daniel J Walsh
On 02/17/2014 10:14 AM, Jon Ingason wrote:
> 2014-02-17 15:56, Suvayu Ali wrote:
>> install policycoreutils-sandbox
> I have two machines, both x86_64. One does have
> policycoreutils-sandbox-2.2.5-3.fc20.x86_64 installed while the other
> doesn't.
> 
> I get exactly the same result as you with yum when I try to install
> policycoreutils-sandbox! So there is a bug in the packaging.
> 
> $ sudo yum install policycoreutils-sandbox
> Loaded plugins: langpacks, refresh-packagekit
> Resolving Dependencies
> --> Running transaction check
> ---> Package policycoreutils-sandbox.x86_64 0:2.2.2-3.fc20 will be installed
> --> Processing Dependency: policycoreutils-python = 2.2.2-3.fc20 for package:
> policycoreutils-sandbox-2.2.2-3.fc20.x86_64
> ...
> --> Finished Dependency Resolution
> Error: Package: policycoreutils-sandbox-2.2.2-3.fc20.x86_64 (fedora)
>Requires: policycoreutils-python = 2.2.2-3.fc20
>Installed: policycoreutils-python-2.2.5-3.fc20.x86_64 (@updates)
>policycoreutils-python = 2.2.5-3.fc20
>Available: policycoreutils-python-2.2.2-2.fc20.x86_64 (updates)
>policycoreutils-python = 2.2.2-2.fc20
>Available: policycoreutils-python-2.2.2-3.fc20.x86_64 (fedora)
>policycoreutils-python = 2.2.2-3.fc20
>  You could try using --skip-broken to work around the problem
>  You could try running: rpm -Va --nofiles --nodigest
>
> And $ yum info policycoreutils-sandbox
> Loaded plugins: langpacks, refresh-packagekit
> Available Packages
> Name        : policycoreutils-sandbox
> Arch        : x86_64
> Version     : 2.2.2
> Release     : 3.fc20
> Size        : 163 k
> Repo        : fedora/20/x86_64
> Summary     : SELinux sandbox utilities
> URL         : http://www.selinuxproject.org
> License     : GPLv2
> Description : The policycoreutils-sandbox package contains the scripts to
>             : create graphical sandboxes
> 
Could you try to update policycoreutils first?

yum -y update policycoreutils



Re: logwatch error messages

2014-01-23 Thread Daniel J Walsh
On 01/23/2014 01:54 PM, Robert Moskowitz wrote:
> 
> On 01/23/2014 08:38 AM, Daniel J Walsh wrote:
>> 
>> On 01/22/2014 11:07 PM, Robert Moskowitz wrote:
>>> I am seeing the following errors via "journalctl |grep logwatch":
>>> 
>>> I had performed the following selinux policy:
>>> 
>>> On 01/06/2014 08:14 AM, Daniel J Walsh wrote:
>>>> Create a file mylogwatch.te with the following content.
>>>> 
>>>> policy_module(mylogwatch, 1.0)
>>>> 
>>>> gen_require(`
>>>>     type logwatch_mail_t;
>>>> ')
>>>> 
>>>> mta_filetrans_admin_home_content(logwatch_mail_t)
>>>> 
>>>> Now execute this command to compile the policy and load it into the 
>>>> kernel
>>>> 
>>>> # make -f /usr/share/selinux/devel/Makefile
>>>> # semodule -i mylogwatch.pp
>>>> 
>>>> Now you should be allowed to run logwatch_mail_t in enforcing mode.
>>>> 
>>> What do these messages mean?
>>> 
>>> 
>> They mean that logwatch is not allowed to execute the procmail program.
>> 
>> You could add policy for it.
> 
> Obvious.  hindsight is just great!
> 
>> procmail_domtrans(logwatch_t)
> 
> I am looking at what you gave me before:
> 
> #cat mylogwatch.te
> policy_module(mylogwatch, 1.0)
> 
> gen_require(`
>     type logwatch_mail_t;
> ')
> 
> mta_filetrans_admin_home_content(logwatch_mail_t)
> 
> 
> 
> Would mylogwprocmail.te contain:
> 
> policy_module(mylogwprocmail, 1.0)
> 
> gen_require(`
>     type logwatch_t;
> ')
> 
> procmail_domtrans(logwatch_t)
> 
> 
> 
> ???
> 
> 
Yes basically.
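Added example, not code from the thread and not Fedora's own tooling: a POSIX shell helper that writes a policy module source from a list of interface:type rules, so the two one-rule modules discussed above (mylogwatch with mta_filetrans_admin_home_content, and the proposed mylogwprocmail with procmail_domtrans) can be kept as one module with a single gen_require block, then builds and loads it with the same make and semodule steps the reply gives. It assumes /usr/share/selinux/devel/Makefile exists (the selinux-policy-devel package on Fedora) and that semodule is run as root; the module name and version here are illustrative.

```shell
#!/bin/sh
# Added example (not code from the thread): generate, build and load a local
# SELinux policy module made of reference-policy interface calls.
# Rule syntax: interface:type, e.g. procmail_domtrans:logwatch_t

# gen_te NAME VERSION RULE... : print module source. Every type named in a rule
# is declared once in the gen_require block; each interface call follows.
gen_te() {
    name=$1; ver=$2; shift 2
    printf 'policy_module(%s, %s)\n\n' "$name" "$ver"
    printf 'gen_require(`\n'
    for rule in "$@"; do printf '\ttype %s;\n' "${rule#*:}"; done | sort -u
    printf "')\n\n"
    for rule in "$@"; do printf '%s(%s)\n' "${rule%%:*}" "${rule#*:}"; done
}

# build_and_load NAME : compile NAME.te in the current directory into NAME.pp,
# load it, and confirm it is listed. Needs the policy devel Makefile and root.
build_and_load() {
    mk=/usr/share/selinux/devel/Makefile
    [ -f "$mk" ] || { echo "missing $mk: install selinux-policy-devel" >&2; return 2; }
    make -f "$mk" "$1.pp" && semodule -i "$1.pp" && semodule -l | grep "^$1"
}

# Both fixes from this thread as one module (bump VERSION whenever the rules change).
gen_te mylogwatch 1.1 \
    mta_filetrans_admin_home_content:logwatch_mail_t \
    procmail_domtrans:logwatch_t
# To install, as root in a scratch directory:
#   gen_te mylogwatch 1.1 ... > mylogwatch.te && build_and_load mylogwatch
```

Interface calls such as procmail_domtrans expand to the whole set of allow rules and type transitions the operation needs, which is why the reply names them rather than the single raw allow line audit2allow would emit for one AVC.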


Re: logwatch error messages

2014-01-23 Thread Daniel J Walsh
On 01/22/2014 11:07 PM, Robert Moskowitz wrote:
> I am seeing the following errors via "journalctl |grep logwatch":
> 
> Jan 22 03:37:14 lx120e.htt-consult.com setroubleshoot[11102]: dbus
> avc(node=lx120e.htt-consult.com type=AVC msg=audit(1390390627.456:1007):
> avc: denied  { execute } for pid=11100 comm="logwatch" name="procmail"
> dev="sda3" ino=1187050
> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:procmail_exec_t:s0 tclass=file
> node=lx120e.htt-consult.com type=SYSCALL msg=audit(1390390627.456:1007):
> arch=c000003e syscall=59 success=no exit=-13 a0=d13ad0 a1=d13a50 a2=d137c0
> a3=8 items=0 ppid=11013 pid=11100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 ses=16 tty=(none) comm="logwatch"
> exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> key=(null)
>
> Jan 22 03:37:14 lx120e.htt-consult.com setroubleshoot[11102]:
> AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com
> type=AVC msg=audit(1390390627.456:1007): avc:  denied  { execute } for
> pid=11100 comm="logwatch" name="procmail" dev="sda3" ino=1187050
> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:procmail_exec_t:s0 tclass=file
>
> Jan 22 03:37:14 lx120e.htt-consult.com setroubleshoot[11102]:
> AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com
> type=SYSCALL msg=audit(1390390627.456:1007): arch=c000003e syscall=59
> success=no exit=-13 a0=d13ad0 a1=d13a50 a2=d137c0 a3=8 items=0 ppid=11013
> pid=11100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> ses=16 tty=(none) comm="logwatch" exe="/usr/bin/perl"
> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
>
> Jan 22 03:37:14 lx120e.htt-consult.com setroubleshoot[11102]: analyze_avc()
> avc=scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:procmail_exec_t:s0 access=['execute']
> tclass=file tpath=procmail
> 
> 
> I had performed the following selinux policy:
> 
> On 01/06/2014 08:14 AM, Daniel J Walsh wrote:
>> 
>> Create a file mylogwatch.te with the following content.
>> 
>> policy_module(mylogwatch, 1.0)
>> 
>> gen_require(`
>>     type logwatch_mail_t;
>> ')
>> 
>> mta_filetrans_admin_home_content(logwatch_mail_t)
>> 
>> Now execute this command to compile the policy and load it into the
>> kernel
>> 
>> # make -f /usr/share/selinux/devel/Makefile
>> # semodule -i mylogwatch.pp
>> 
>> Now you should be allowed to run logwatch_mail_t in enforcing mode.
>> 
> 
> What do these messages mean?
> 
> 
They mean that logwatch is not allowed to execute the procmail program.

You could add policy for it.

procmail_domtrans(logwatch_t)



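Added example, not from the thread and not Fedora or Red Hat code: a POSIX shell script that answers "what AVC are you getting?" by reducing raw AVC records to the four fields that decide the fix: source domain, permission, object class and target type. The two sample records are the procmail and mailx denials quoted in this thread, embedded as constructed input so the script runs without an audit log; on a live system pipe the output of ausearch into avc_summarize_all as shown in the last comment.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials to "which domain wanted which
# permission on which object class of which type". Not part of the mailing-list
# thread; the sample records are the two denials quoted in it.
set -f   # never let the shell glob-expand audit field values

SAMPLE_AVCS='type=AVC msg=audit(1390390627.456:1007): avc:  denied  { execute } for pid=11100 comm="logwatch" name="procmail" dev="sda3" ino=1187050 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:procmail_exec_t:s0 tclass=file
type=AVC msg=audit(1388651532.024:734): avc:  denied  { write } for pid=16425 comm="mailx" name="root" dev="dm-0" ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir'

# avc_field RECORD KEY : print the value of KEY=value (surrounding quotes removed),
# return 1 if the key is absent.
avc_field() {
    for tok in $1; do
        case $tok in
            "$2="*) v=${tok#"$2="}; v=${v#\"}; v=${v%\"}; printf '%s\n' "$v"; return 0 ;;
        esac
    done
    return 1
}

# avc_perms RECORD : the permission(s) inside "{ ... }", e.g. "write" or "read write".
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'; }

# avc_type CONTEXT : the type component (third field) of user:role:type:level.
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_summary RECORD : one line "source_type perm tclass target_type (comm=...)".
avc_summary() {
    printf '%s %s %s %s (comm=%s)\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" comm)"
}

# avc_summarize_all : read records on stdin, keep only denials, print unique summaries.
avc_summarize_all() {
    grep 'avc: *denied' | while IFS= read -r rec; do avc_summary "$rec"; done | sort -u
}

printf '%s\n' "$SAMPLE_AVCS" | avc_summarize_all
# Live system: ausearch -m avc,user_avc -ts today | avc_summarize_all
```

The summary line is exactly what a policy author needs: for the first record it reads logwatch_t execute file procmail_exec_t, which maps directly onto the procmail_domtrans(logwatch_t) interface named in the reply.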


Re: update partially fails

2014-01-20 Thread Daniel J Walsh
On 01/18/2014 12:15 PM, antonio montagnani wrote:
> Patrick Dupre wrote the following on 18/01/2014 17:59:
>> Hello,
>> 
>> The last update did not go very well. I got:
>> Failed:
>>   bind.i686 32:9.9.4-8.fc20
>>   bind.i686 32:9.9.4-11.P2.fc20
>>   firefox.i686 0:26.0-3.fc20
>>   firewalld.noarch 0:0.3.9-1.fc20
>>   initscripts.i686 0:9.50-1.fc20
>>   initscripts.i686 0:9.51-1.fc20
>>   nfs-utils.i686 1:1.2.8-6.0.fc20
>>   nfs-utils.i686 1:1.2.9-2.1.fc20
>>   selinux-policy-targeted.noarch 0:3.12.1-116.fc20
>>   selinux-policy-targeted.noarch 0:3.12.1-117.fc20
>>   tcpdump.i686 14:4.5.0-1.20131108gitb07944a.fc20
>>   tcpdump.i686 14:4.5.1-1.fc20
>>   yum.noarch 0:3.4.3-129.fc20
>> 
>> 
>> then rpm -q yum
>> yum-3.4.3-129.fc20.noarch
>> yum-3.4.3-130.fc20.noarch
>> 
>> yum remove yum-3.4.3-129.fc20.noarch
>> Loaded plugins: langpacks, refresh-packagekit
>> Resolving Dependencies
>> --> Running transaction check
>> ---> Package yum.noarch 0:3.4.3-129.fc20 will be erased
>> --> Finished Dependency Resolution
>> 
>> Dependencies Resolved
>> 
>> ================================================================
>>  Package   Arch     Version          Repository   Size
>> ================================================================
>> Removing:
>>  yum       noarch   3.4.3-129.fc20   @updates     5.4 M
>> 
>> Transaction Summary
>> ================================================================
>> Remove  1 Package
>> 
>> Installed size: 5.4 M
>> Is this ok [y/N]: y
>> Downloading packages:
>> Running transaction check
>> Running transaction test
>> Transaction test succeeded
>> Running transaction
>> error: %preun(yum-3.4.3-129.fc20.noarch) scriptlet failed, exit status 127
>> Error in PREUN scriptlet in rpm package yum-3.4.3-129.fc20.noarch
>>   Verifying  : yum-3.4.3-129.fc20.noarch   1/1
>> 
>> Failed: yum.noarch 0:3.4.3-129.fc20
>> 
>> Complete!
>> 
>> ===
>> Patrick DUPRÉ | email: pdu...@gmx.com
>> Laboratoire de Physico-Chimie de l'Atmosphère | Université du Littoral-Côte d'Opale
>> Tel. (33)-(0)3 28 23 76 12 | Fax: 03 28 65 82 44
>> 189A, avenue Maurice Schumann | 59140 Dunkerque, France
>> ===
>>
>
>> 
> it is a common bug since yesterday. Please check in the mail archive about
> failed scripts.
> 
> Anyway the easiest way is to set Selinux to permissive, perform update and
> back to enforcing.
> 
> Hope it can help
> 

There is a big bug in selinux-policy.

You need to install selinux-policy-targeted.noarch 0:3.12.1-117.fc20 in
permissive mode if you ended up with 116 installed

Since you have 117 installed, you can just do

# semodule -B

Which should update the selinux-policy and fix your problem.
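Added example, not from the thread and not Fedora code, covering both this reply and the fedup 19=>20 reply earlier on this page: a POSIX shell script that checks whether the configured policy store actually holds a compiled binary policy (the /etc/selinux/targeted/policy/policy.* file systemd needs at boot) and, when it does not, rebuilds it with semodule -B as both replies suggest. The ROOT argument is an assumption added so the functions can be exercised against a scratch directory tree; pass an empty string for the live system.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the SELinux policy store holds a
# compiled binary policy and rebuild it with "semodule -B" if it does not. A missing
# /etc/selinux/<type>/policy/policy.NN is what leaves systemd unable to load an
# SELinux context at boot, and a half-applied selinux-policy update can leave the
# store in that state. ROOT is a path prefix ("" for the live system).

# store_type ROOT : SELINUXTYPE from ROOT/etc/selinux/config, default "targeted"
store_type() {
    cfg=$1/etc/selinux/config
    t=""
    [ -r "$cfg" ] && t=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$cfg" | tail -n 1)
    printf '%s\n' "${t:-targeted}"
}

# compiled_policy ROOT : print the highest policy.NN version in the store, rc 1 if none
compiled_policy() {
    dir=$1/etc/selinux/$(store_type "$1")/policy
    best=""
    for f in "$dir"/policy.*; do
        [ -f "$f" ] || continue
        v=${f##*.}
        case $v in ''|*[!0-9]*) continue ;; esac   # skip policy.bak and friends
        [ -n "$best" ] && [ "$v" -le "$best" ] && continue
        best=$v
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# ensure_policy ROOT : report the compiled policy, or rebuild the live store from
# the installed modules and re-check. Never rebuilds under a scratch ROOT.
ensure_policy() {
    if v=$(compiled_policy "$1"); then
        echo "compiled policy present: policy.$v ($(store_type "$1"))"
        return 0
    fi
    echo "no compiled policy under $1/etc/selinux/$(store_type "$1")/policy" >&2
    [ -z "$1" ] || return 1
    semodule -B && compiled_policy ""
}

case ${1:-} in
    --check) ensure_policy "" ;;   # as root on the live system: sh policy-check.sh --check
esac
```

Run it with --check before rebooting after a selinux-policy update that reported scriptlet failures; if the rebuild itself fails, reinstalling the selinux-policy-targeted package in permissive mode, as the reply describes, restores the module store that semodule -B compiles from.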


Re: Trying to use mailx for logwatch

2014-01-07 Thread Daniel J Walsh
On 01/07/2014 11:44 AM, Robert Moskowitz wrote:
> getting closer.  I am running a new install.  So a fresh start on this...
> 
> On 01/06/2014 11:14 AM, Daniel J Walsh wrote:
>> 
>> On 01/03/2014 12:25 PM, Robert Moskowitz wrote:
>>> On 01/03/2014 12:03 PM, Daniel J Walsh wrote:
>>>> 
>>>> On 01/03/2014 11:34 AM, Robert Moskowitz wrote:
>>>>> On 01/03/2014 11:21 AM, Daniel J Walsh wrote:
>>>>>> 
>>>>>> On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
>>>>>>> And the mail is failing.  Here is what I have done:
>>>>>>> 
>>>>>>> I determined that in: 
>>>>>>> /usr/share/logwatch/default.conf/logwatch.conf mailer = 
>>>>>>> "/usr/sbin/sendmail -t"
>>>>>>> 
>>>>>>> so in: /etc/logwatch/conf/logwatch.conf mailer =
>>>>>>> "/usr/bin/mailx -t"
>>>>>>> 
>>>>>>> In /etc/aliases I have:
>>>>>>> 
>>>>>>> # Person who should get root's mail root:rgm
>>>>>>> 
>>>>>>> and I ran newaliases
>>>>>>> 
>>>>>>> 'journalctl |grep -i logwatch' shows the following (along with 
>>>>>>> other lines):
>>>>>>> 
>>>>>>> Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: 
>>>>>>> (/etc/cron.daily) starting 0logwatch Jan 02 03:32:12 
>>>>>>> lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily) 
>>>>>>> finished 0logwatch Jan 02 03:32:16 lx120e.htt-consult.com 
>>>>>>> setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com 
>>>>>>> type=AVC msg=audit(1388651532.024:734): avc: denied  { write }
>>>>>>> for pid=16425 comm="mailx" name="root" dev="dm-0" ino=1308161 
>>>>>>> scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
>>>>>>> tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
>>>>>>> node=lx120e.htt-consult.com type=SYSCALL 
>>>>>>> msg=audit(1388651532.024:734): arch=40000003 syscall=5
>>>>>>> success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c
>>>>>>> items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0
>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm="mailx"
>>>>>>> exe="/usr/bin/mailx" 
>>>>>>> subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
>>>>>>> key=(null) Jan 02 03:32:16 lx120e.htt-consult.com
>>>>>>> setroubleshoot[16427]: 
>>>>>>> AuditRecordReceiver.add_record_to_cache(): 
>>>>>>> node=lx120e.htt-consult.com type=AVC
>>>>>>> msg=audit(1388651532.24:734): avc:  denied  { write } for
>>>>>>> pid=16425 comm="mailx" name="root" dev="dm-0" ino=1308161 
>>>>>>> scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
>>>>>>> tcontext=system_u:object_r:admin_home_t:s0 tclass=dir Jan 02 
>>>>>>> 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: 
>>>>>>> AuditRecordReceiver.add_record_to_cache(): 
>>>>>>> node=lx120e.htt-consult.com type=SYSCALL 
>>>>>>> msg=audit(1388651532.24:734): arch=40000003 syscall=5
>>>>>>> success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c
>>>>>>> items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0
>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm="mailx"
>>>>>>> exe="/usr/bin/mailx" 
>>>>>>> subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
>>>>>>> key=(null) Jan 02 03:32:16 lx120e.htt-consult.com
>>>>>>> setroubleshoot[16427]: analyze_avc() 
>>>>>>> avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
>>>>>>> tcontext=system_u:object_r:admin_home_t:s0 access=['write'] 
>>>>>>> tclass=dir tpath=/root
>>>>>>> 
>>>>>>> 

Re: Trying to use mailx for logwatch

2014-01-06 Thread Daniel J Walsh
On 01/03/2014 12:25 PM, Robert Moskowitz wrote:
> 
> On 01/03/2014 12:03 PM, Daniel J Walsh wrote:
>> 
>> On 01/03/2014 11:34 AM, Robert Moskowitz wrote:
>>> On 01/03/2014 11:21 AM, Daniel J Walsh wrote:
>>>> 
>>>> On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
>>>>> And the mail is failing.  Here is what I have done:
>>>>> 
>>>>> I determined that in:
>>>>> /usr/share/logwatch/default.conf/logwatch.conf mailer =
>>>>> "/usr/sbin/sendmail -t"
>>>>> 
>>>>> so in: /etc/logwatch/conf/logwatch.conf mailer = "/usr/bin/mailx
>>>>> -t"
>>>>> 
>>>>> In /etc/aliases I have:
>>>>> 
>>>>> # Person who should get root's mail root:rgm
>>>>> 
>>>>> and I ran newaliases
>>>>> 
>>>>> 'journalctl |grep -i logwatch' shows the following (along with
>>>>> other lines):
>>>>> 
>>>>> Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: 
>>>>> (/etc/cron.daily) starting 0logwatch Jan 02 03:32:12 
>>>>> lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily)
>>>>> finished 0logwatch Jan 02 03:32:16 lx120e.htt-consult.com
>>>>> setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com
>>>>> type=AVC msg=audit(1388651532.024:734): avc: denied  { write } for
>>>>> pid=16425 comm="mailx" name="root" dev="dm-0" ino=1308161 
>>>>> scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
>>>>> tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
>>>>> node=lx120e.htt-consult.com type=SYSCALL 
>>>>> msg=audit(1388651532.024:734): arch=40000003 syscall=5 success=no 
>>>>> exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1
>>>>> pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>>> fsgid=0 ses=15 tty=(none) comm="mailx" exe="/usr/bin/mailx" 
>>>>> subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
>>>>> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: 
>>>>> AuditRecordReceiver.add_record_to_cache():
>>>>> node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734):
>>>>> avc:  denied  { write } for pid=16425 comm="mailx" name="root"
>>>>> dev="dm-0" ino=1308161 
>>>>> scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
>>>>> tcontext=system_u:object_r:admin_home_t:s0 tclass=dir Jan 02
>>>>> 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: 
>>>>> AuditRecordReceiver.add_record_to_cache():
>>>>> node=lx120e.htt-consult.com type=SYSCALL
>>>>> msg=audit(1388651532.24:734): arch=40000003 syscall=5 success=no
>>>>> exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1
>>>>> pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
>>>>> fsgid=0 ses=15 tty=(none) comm="mailx" exe="/usr/bin/mailx" 
>>>>> subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
>>>>> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: 
>>>>> analyze_avc() 
>>>>> avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
>>>>> tcontext=system_u:object_r:admin_home_t:s0 access=['write']
>>>>> tclass=dir tpath=/root
>>>>> 
>>>>> oh, here are the mail files:
>>>>> 
>>>>> # ls -ls /var/spool/mail/
>>>>> total 8
>>>>> 0 -rw-rw----. 1 rgm  mail    0 Jan  2 16:47 rgm
>>>>> 8 -rw-------. 1 root mail 5886 Dec 31 12:27 root
>>>>> 0 -rw-rw----. 1 rpc  mail    0 Dec 25 13:27 rpc
>>>>> 
>>>>> The content in root mail is from when I had postfix installed.  I
>>>>> have since deleted it to work on getting mailx to work instead.
>>>>> 
>>>>> =
>>>>> 
>>>>> 
>>>>> perhaps /var/spool/mail/root needs 660 permissions?
>>>>> 
>>>>> 
>>>> Do you know what mailx is trying to write into the /root directory?
>>> The output of logwatch.  I edited 

Re: GCL get killed everytime I try to execute it

2014-01-06 Thread Daniel J Walsh
On 01/05/2014 09:21 PM, Rex Dieter wrote:
> Isaac Cortés González wrote:
> 
>> Ok here's my problem: I'm trying to learn (Common) Lisp, so I installed
>> GCL to compile or run the scripts that I'm making for practice; but I'm
>> having problems running GCL itself. Each time I try to run it, it gets
>> killed and I get an alert from SELinux. I tried to solve it with one of the
>> solutions it suggests, but it can't find a command named checkmodule.
>> 
>> So if anyone knows how to solve either of the two issues, please let me
>> know.
> 
> Is gcl-selinux installed? If not, does installing it help?
> 
> -- rex
> 
What AVC are you getting?


Re: Trying to use mailx for logwatch

2014-01-03 Thread Daniel J Walsh
On 01/03/2014 11:34 AM, Robert Moskowitz wrote:
> 
> On 01/03/2014 11:21 AM, Daniel J Walsh wrote:
>> 
>> On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
>>> And the mail is failing.  Here is what I have done:
>>> 
>>> I determined that in: /usr/share/logwatch/default.conf/logwatch.conf
>>> mailer = "/usr/sbin/sendmail -t"
>>> 
>>> so in: /etc/logwatch/conf/logwatch.conf mailer = "/usr/bin/mailx -t"
>>> 
>>> In /etc/aliases I have:
>>> 
>>> # Person who should get root's mail root:rgm
>>> 
>>> and I ran newaliases
>>> 
>>> 'journalctl |grep -i logwatch' shows the following (along with other 
>>> lines):
>>> 
>>> Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: (/etc/cron.daily) starting 0logwatch
>>> Jan 02 03:32:12 lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily) finished 0logwatch
>>> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.024:734): avc: denied  { write } for pid=16425 comm="mailx" name="root" dev="dm-0" ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.024:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm="mailx" exe="/usr/bin/mailx" subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
>>> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734): avc:  denied  { write } for pid=16425 comm="mailx" name="root" dev="dm-0" ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
>>> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.24:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm="mailx" exe="/usr/bin/mailx" subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
>>> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: analyze_avc() avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 access=['write'] tclass=dir tpath=/root
>>> 
>>> oh, here are the mail files:
>>> 
>>> # ls -ls /var/spool/mail/
>>> total 8
>>> 0 -rw-rw. 1 rgm  mail0 Jan  2 16:47 rgm
>>> 8 -rw---. 1 root mail 5886 Dec 31 12:27 root
>>> 0 -rw-rw. 1 rpc  mail0 Dec 25 13:27 rpc
>>> 
>>> The content in root mail is from when I had postfix installed.  I have 
>>> since deleted it to work on getting mailx to work instead.
>>> 
>>> =
>>> 
>>> 
>>> perhaps /var/spool/mail/root needs 660 permissions?
>>> 
>>> 
>> Do you know what mailx is trying to write into the /root directory?
> 
> The output of logwatch.  I edited /etc/logwatch/conf/logwatch.conf
> 
> with the line:
> 
> mailer = "/usr/bin/mailx -t"
> 
> To override /usr/share/logwatch/default.conf/logwatch.conf
> 
> mailer = "/usr/sbin/sendmail -t"
> 
> 
Ok, I just added a patch to git to allow logwatch_mail_t to write certain files
to the /root directory.

sesearch -T -s logwatch_mail_t | grep mail_home_rw_t
type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t ".maildir";
type_transition logwatch_mail_t user_home_dir_t : dir mail_home_rw_t ".maildir";
type_transition logwatch_mail_t admin_home_t : file mail_home_rw_t ".esmtp_queue";
type_transition logwatch_mail_t admin_home_t : dir mail_home_rw_t "Maildir";
type_transition logwatch_mail_t user_home_dir_
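The AVC record quoted in this thread, parsed into its fields, as an added example (it is not code from the thread, from Fedora or from setroubleshoot). The sample input is the setroubleshoot journal text above, re-joined onto one line the way journalctl printed it; it carries the same audit event twice (once via dbus, once via add_record_to_cache), so records are keyed on the audit serial rather than the timestamp, which the two paths format differently (.024 vs .24):

```python
"""Parse SELinux AVC denial records out of journal or audit.log text.

Added example for the logwatch/mailx thread; not code from the thread or from
Fedora's tooling. The sample below is constructed from the AVC quoted there.
"""
import re
from dataclasses import dataclass

# Constructed sample: two setroubleshoot journal entries carrying the same
# audit event (serial 734). The second prints the timestamp as .24 instead
# of .024, so the serial, not the timestamp, identifies the event.
SAMPLE_JOURNAL = (
    'Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: dbus '
    'avc(node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.024:734): '
    'avc: denied  { write } for pid=16425 comm="mailx" name="root" dev="dm-0" '
    'ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir '
    'Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: '
    'AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com '
    'type=AVC msg=audit(1388651532.24:734): avc:  denied  { write } for '
    'pid=16425 comm="mailx" name="root" dev="dm-0" ino=1308161 '
    'scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir'
)

# One AVC record: from "type=AVC" up to its tclass= field. DOTALL lets a
# record that a mail client wrapped across lines still match.
_AVC_SPAN_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}(?P<rest>.*?tclass=\w+)',
    re.DOTALL,
)
# key=value pairs; values may be quoted ("mailx") or bare (dm-0, 16425).
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    serial: int
    decision: str
    permissions: tuple
    fields: dict

    def _type_of(self, ctx_key):
        # A context is user:role:type[:range]; the type is the third field.
        return self.fields[ctx_key].split(':')[2]

    @property
    def source_type(self):
        return self._type_of('scontext')

    @property
    def target_type(self):
        return self._type_of('tcontext')

    @property
    def tclass(self):
        return self.fields['tclass']


def parse_avc_records(text):
    """Return one AvcRecord per distinct audit serial found in text."""
    seen = {}
    for m in _AVC_SPAN_RE.finditer(text):
        serial = int(m.group('serial'))
        if serial in seen:
            continue  # same event reported through a second log path
        fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
        seen[serial] = AvcRecord(
            serial=serial,
            decision=m.group('decision'),
            permissions=tuple(m.group('perms').split()),
            fields=fields,
        )
    return list(seen.values())


def summarize(rec):
    """Human-readable one-liner: who was denied what on which label."""
    perms = ' '.join(rec.permissions)
    return (f"{rec.source_type} (comm={rec.fields.get('comm', '?')}) was "
            f"{rec.decision} {{ {perms} }} on {rec.tclass} "
            f"'{rec.fields.get('name', '?')}' labeled {rec.target_type}")


def allow_rule(rec):
    """The blanket allow rule audit2allow would derive from this denial."""
    perms = ' '.join(rec.permissions)
    return f"allow {rec.source_type} {rec.target_type}:{rec.tclass} {{ {perms} }};"


if __name__ == '__main__':
    for rec in parse_avc_records(SAMPLE_JOURNAL):
        print(summarize(rec))
        print(allow_rule(rec))
```

The `allow_rule` output is what a quick `audit2allow` pass would hand back; note that the fix in this thread does not take that route. The `sesearch` output above shows `type_transition` rules instead, so files logwatch_mail_t creates under /root get their own mail_home_rw_t label rather than logwatch_mail_t being granted write access to everything labeled admin_home_t. Reading the denial first, as the parser does, is what tells you which of the two is the right answer.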

Re: Trying to use mailx for logwatch

2014-01-03 Thread Daniel J Walsh

On 01/02/2014 05:29 PM, Robert Moskowitz wrote:
> And the mail is failing.  Here is what I have done:
> 
> I determined that in: /usr/share/logwatch/default.conf/logwatch.conf mailer
> = "/usr/sbin/sendmail -t"
> 
> so in: /etc/logwatch/conf/logwatch.conf mailer = "/usr/bin/mailx -t"
> 
> In /etc/aliases I have:
> 
> # Person who should get root's mail root:rgm
> 
> and I ran newaliases
> 
> 'journalctl |grep -i logwatch' shows the following (along with other
> lines):
> 
> Jan 02 03:32:01 lx120e.htt-consult.com run-parts[16112]: (/etc/cron.daily) starting 0logwatch
> Jan 02 03:32:12 lx120e.htt-consult.com run-parts[16429]: (/etc/cron.daily) finished 0logwatch
> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: dbus avc(node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.024:734): avc: denied  { write } for pid=16425 comm="mailx" name="root" dev="dm-0" ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.024:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm="mailx" exe="/usr/bin/mailx" subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=AVC msg=audit(1388651532.24:734): avc:  denied  { write } for pid=16425 comm="mailx" name="root" dev="dm-0" ino=1308161 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: AuditRecordReceiver.add_record_to_cache(): node=lx120e.htt-consult.com type=SYSCALL msg=audit(1388651532.24:734): arch=4003 syscall=5 success=no exit=-13 a0=9b15128 a1=8441 a2=1b6 a3=809134c items=0 ppid=1 pid=16425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=15 tty=(none) comm="mailx" exe="/usr/bin/mailx" subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
> Jan 02 03:32:16 lx120e.htt-consult.com setroubleshoot[16427]: analyze_avc() avc=scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 access=['write'] tclass=dir tpath=/root
> 
> oh, here are the mail files:
> 
> # ls -ls /var/spool/mail/
> total 8
> 0 -rw-rw. 1 rgm  mail0 Jan  2 16:47 rgm
> 8 -rw---. 1 root mail 5886 Dec 31 12:27 root
> 0 -rw-rw. 1 rpc  mail0 Dec 25 13:27 rpc
> 
> The content in root mail is from when I had postfix installed.  I have
> since deleted it to work on getting mailx to work instead.
> 
> =
> 
> 
> perhaps /var/spool/mail/root needs 660 permissions?
> 
> 
Do you know what mailx is trying to write into the /root directory?


Re: Different actions on different passwords?

2014-01-02 Thread Daniel J Walsh

On 12/30/2013 08:09 PM, Robert Moskowitz wrote:
> 
> On 12/30/2013 08:03 PM, Bill Oliver wrote:
>> On Tue, 31 Dec 2013, Patrick O'Callaghan wrote:
>> 
>>> 
>>> On Mon, Dec 30, 2013 at 11:25 PM, Bill Oliver 
>>> wrote:
>>> 
>>> In linux, is it possible to dictate two different actions upon login 
>>> with different passwords?
>>> 
>>> 
>>> 
>>> Short answer: no.
>>> 
>>> Longer answer: in computing almost anything is possible if you really
>>> want to achieve it. Given that on Unix-style systems, including Linux,
>>> the login program can be changed, you can modify the source to do what
>>> you want. Of course you'll need to have superuser privileges to install
>>> it in place of the system standard. Note that doing this may well open
>>> a can of worms, e.g. you might have to modify the format of the
>>> password file (and hence the library routines that access it), possibly
>>> fiddle with SElinux settings, etc. etc.
>>> 
>>> If the conditions are relaxed slightly you can get a partial solution
>>> using the standard login: write a Shell startup script (.profile or
>>> whatever) that allows the user to discriminate between the two modes,
>>> e.g. by using a timeout, detecting the initial state of the Shift (or 
>>> Control or whatever) key etc., in a way that is hopefully non-obvious
>>> to an observer. Probably not reliable enough for serious use.
>>> 
>>> Conclusion: better look for some other way to cover your tracks, and
>>> note that a forensic investigation can be carried out without having
>>> you log in at all.
>>> 
>>> poc
>>> 
>>> 
> 
You could set up a PAM module that would work with the login shell to do
different things based on the password.



Re: Why did SELinux relable my filesystem?

2014-01-02 Thread Daniel J Walsh

On 12/25/2013 06:25 AM, Steven P. Ulrick wrote:
> Hello, Everyone
> 
> During my most recent re-boot, SELinux relabeled my entire
> filesystem. Which would be fine, except for the fact that I have SELinux
> disabled on my system:
> 
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=disabled
>> # SELINUXTYPE= can take one of these two values:
>> # targeted - Targeted processes are protected,
>> # minimum - Modification of targeted policy. Only selected processes are protected.
>> # mls - Multi Level Security protection.
>> SELINUXTYPE=targeted
> 
> Why did SELinux, which is disabled on my system, spend all that time
> re-labeling my filesystem?
> 
> Steven P. Ulrick
> 
There was a bug in a libselinux update that caused this problem; it should now
be fixed in libselinux-2.2.1-6.fc20.



Re: fedup and selinux

2014-01-02 Thread Daniel J Walsh

I blogged on SELinux blocking stuff in permissive mode.

http://danwalsh.livejournal.com/67855.html

I think fedup putting the machine into permissive mode during the update is
the sane thing to do, and since it should be doing this without services
running, it should be relatively safe.


Re: failed to ..

2014-01-02 Thread Daniel J Walsh

On 12/31/2013 12:20 PM, Chris Murphy wrote:
> 
> On Dec 31, 2013, at 8:57 AM, Daniel J Walsh  wrote:
> 
>> There was a bug in libselinux, which is now fixed, that was causing the
>> problem.
> 
> Right, but I thought that the bug caused the setting in /etc/selinux/config
> being ignored, while selinux=0 and enforcing=0 still worked?
> 
> Chris Murphy
> 
Just back from break, and I believe that is the case. I am just beginning to
dig into the problem.

selinux=0 should cause the kernel to not load SELinux LSM, which should keep
selinux disabled.  I guess the libselinux could still lie to the init and
cause it to attempt a relabel.

Adam Williamson has put out a fixed libselinux-2.2.1-6.fc20, which should fix
the problem.


Re: failed to ..

2013-12-31 Thread Daniel J Walsh

On 12/30/2013 11:11 AM, Chris Murphy wrote:
> 
> On Dec 29, 2013, at 11:37 PM, Ralf Corsepius  wrote:
> 
>> On 12/30/2013 07:01 AM, Chris Murphy wrote:
>>> 
>>> On Dec 28, 2013, at 8:15 PM, Patrick Dupre  wrote:
>>> 
>>>> Hello,
>>>> 
>>>> I tried to set relabel by using system-config-selinux, but nothing
>>>> happens. I have to keep selinux=0 to be able to boot!
>>> 
>>> Try autorelabel=1, and in the future if you have selinux problems you
>>> don't want to troubleshoot use enforcing=0. Disabling selinux is a
>>> hammer and eventually causes more problems.
>> With all due respect, disabling SELinux *must not cause problems*.
> 
> The instant you disable SELinux, labeling is no longer being done at all,
> so any software updates while disabled lack labeling. Upon intentional or
> inadvertent re-enabling of SELinux, there will be problems due to that.
> This is why disabling isn't a good idea, and isn't necessary. Use
> enforcing=0 instead.
> 
> 
>> If it does, somebody is critically broken and needs to be fixed, ASAP.
> 
> Feel free to rebuild your kernel ASAP, and actually disable SELinux at the
> source.
> 
> 
> Chris Murphy
> 
There was a bug in libselinux, which is now fixed, that was causing the problem.


Re: selinux=0

2013-12-31 Thread Daniel J Walsh

On 12/29/2013 10:31 AM, Patrick Dupre wrote:
> 
> Thanks, it works.
> 
>> 
>> On Sun, 29 Dec 2013 14:40:26 +0100, Patrick Dupre wrote:
>> 
>>> Hello,
>>> 
>>> After cloning a distribution fedora 19, I have to set selinux=0 to be
>>> able to boot. How can I do to avoid this option? I tried: fixfiles
>>> relabel system-config-selinux
>>> 
>>> But I never get a relabelling!
>>> 
>>> What should I do?
>> 
>> Have you tried booting with "enforcing=0" instead of "selinux=0" yet? If
>> you disable SELinux completely, you cannot hope that anything will work
>> related to file labelling.
> 
> ===
> Patrick DUPRÉ | email: pdu...@gmx.com
> Laboratoire de Physico-Chimie de l'Atmosphère
> Université du Littoral-Côte d'Opale | Tel. (33)-(0)3 28 23 76 12
> Fax: 03 28 65 82 44
> 189A, avenue Maurice Schumann
> 59140 Dunkerque, France
> ===
> 
What AVCs are you seeing when booting in permissive mode? When you say
SELinux would not work, does that mean it would not boot to the login prompt?
Or that you could not log in after booting?


Re: sharing /boot among multible Linux distros

2013-12-10 Thread Daniel J Walsh

On 12/09/2013 11:17 AM, D. Hugh Redelmeier wrote:
> | From: Daniel J Walsh 
> 
> | On 12/08/2013 01:11 AM, D. Hugh Redelmeier wrote:
> 
> | > <https://bugzilla.redhat.com/show_bug.cgi?id=882568> Fedora could not
> | > mount the Ubuntu partition for examination because it wasn't SELinux
> | > labelled. Of course requiring a Ubuntu partition to be labelled for
> | > Fedora isn't reasonable.
> 
> | Do you have the SELinux AVC messages that were blocking this?
> 
> I don't have anything left but the bug report.
> 
> I did include the output of "ausearch -m avc -ts recent" in that report.
> 
Ok, I missed the bug report. Anyway, it appears it has been fixed since F18.


Re: [GW-C] Re: sharing /boot among multible Linux distros

2013-12-09 Thread Daniel J Walsh

On 12/08/2013 01:11 AM, D. Hugh Redelmeier wrote:
> | From: Joe Zeff 
> 
> | On 11/26/2013 02:00 PM, Javier Perez wrote:
> | > For some reason, Ubuntu does not find out Fedora unless I mount the disk
> | > each time I update ubuntu kernel.
> | 
> | How do you expect Ubuntu to find a kernel on an unmounted partition?
> 
> It is supposed to find it.  There is a bug in Ubuntu 12.04:
> 
> 
> 
> This was reported more than a year ago.
> 
> That bugs.Launchpad notes an upstream fix a year ago, so the bug was marked
> as "Fix Released" almost a year ago.
> 
> But no update to 12.04 has been issued.
> 
> This is an example of why I am less comfortable with Ubuntu.
> 
> 
> I had similar problems with Fedora that were resolved more quickly:
> 
>  Fedora could not mount
> the Ubuntu partition for examination because it wasn't SELinux labelled.
> Of course requiring a Ubuntu partition to be labelled for Fedora isn't
> reasonable.
> 
Do you have the SELinux AVC messages that were blocking this?
>  Not a Fedora bug.
> Fedora could not mount the Ubuntu partition because Ubuntu didn't cleanly
> unmount it.  An fsck was required.
> 



Re: rsync errors (selinux?)

2013-11-25 Thread Daniel J Walsh

On 11/25/2013 02:54 PM, Wolfgang S. Rupprecht wrote:
> 
> Daniel J Walsh  writes:
>> ausearch -m avc -ts recent
> 
> local host (source of rsync):
> 
> [root@arbol audit]# ausearch -m avc -ts recent
> [root@arbol audit]#
> 
> remote host (destination or rsync):
> 
> [root@capsicum audit]# ausearch -m avc -ts recent
> [root@capsicum audit]#
> 
> also a tail -f on /var/log/audit/audit.log on both machines while the 
> errors were spewing on the screen showed no corresponding errors (or other
> output for that matter) in audit.log.
> 
> -wolfgang
> 
Do you have the audit daemon running?

service auditd status

If you run setenforce 0, do the errors stop?


Re: rsync errors (selinux?)

2013-11-25 Thread Daniel J Walsh

On 11/25/2013 07:51 AM, poma wrote:
> On 24.11.2013 19:03, Wolfgang S. Rupprecht wrote:
>> 
>> For several years I've been doing an rsync across-the-lan backup for home
>> directories.  All has worked well until recently (well, since the fedup
>> to f20 last night).  Now backups are failing with an inscrutable rsync
>> error.  While the errors mention selinux, I don't see any errors in
>> either the sending or receiving machines /var/log/secure logfiles.
> ..
>> Any ideas what's up and what I need to do to get this working again?
> 
> You should know better after all these years of use. F20 ain't an official,
> so https://admin.fedoraproject.org/mailman/listinfo/test
> 
> 
> poma
> 
> 
Look in /var/log/audit/audit.log

ausearch -m avc -ts recent

After failure.

