Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
> Actually, that brings up another point, that I don't know if it's still the case.
>
> When you write a file to a specific place, the SELinux contexts are set for what's usually expected at that file path. e.g. Write a page.html file in your homespace, and it'll get general context that won't be readable by a webserver.
>
> If you copied that file to another place, the copy will be written with the expected contexts for that new place. e.g. If you copied that page.html to your webserver serving path, the copy will get contexts that allow it to be web served.
>
> If you moved a file to another place, the original contexts went with the file. e.g. Your page.html in your homespace with general purpose contexts ends up in your webserver serving path still with general purpose contexts that don't allow it to be served.
>
> That kind of thing caused problems for people who migrated various kinds of data from one point to another, instead of copying it, or creating it in the right place to start with.

Yup. In the video I linked to earlier, I talk about that problem. It's an easy mistake to make. Almost always, the solution is to just restorecon -vR the parent directory and you'll see what it was, and what it was changed to. Then it starts working.

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
On Sun, 2023-12-10 at 17:07 -0600, Thomas Cameron via users wrote:
> The files should inherit either the label of the directory they're
> created in, or if a specific context has been set for a filename, it
> should get that context.
>
> Normally, if something's incorrectly labeled, you can just restorecon -v
> the file to see what it was changed to. In this example, I created an
> index.html in root's home directory and then moved it to /var/www/html.

Actually, that brings up another point, that I don't know if it's still the case.

When you write a file to a specific place, the SELinux contexts are set for what's usually expected at that file path. e.g. Write a page.html file in your homespace, and it'll get general context that won't be readable by a webserver.

If you copied that file to another place, the copy will be written with the expected contexts for that new place. e.g. If you copied that page.html to your webserver serving path, the copy will get contexts that allow it to be web served.

If you moved a file to another place, the original contexts went with the file. e.g. Your page.html in your homespace with general purpose contexts ends up in your webserver serving path still with general purpose contexts that don't allow it to be served.

That kind of thing caused problems for people who migrated various kinds of data from one point to another, instead of copying it, or creating it in the right place to start with.

--
NB: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the list.

The following system info data is generated fresh for each post:
uname -rsvp
Linux 6.2.15-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 11 16:51:53 UTC 2023 x86_64
Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
On 12/9/23 07:36, Michael D. Setzer II via users wrote:
> On 9 Dec 2023 at 18:02, Tim wrote:
>
> Subject: Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
> From: Tim
> To: mi...@guam.net, Community support for Fedora users
> Date sent: Sat, 09 Dec 2023 18:02:43 +1030
>
> Did a dnf reinstall * to see if maybe some things had installed before something else. Then re-enabled selinux and rebooted. Originally got the 50 messages again that seemed to be the same. Unfortunately, the setrouble browser has an option to show the 50 messages summary, but I can do a ctrl-a to highlight them all but ctrl-C does not work to copy them. Deleted them all. They didn't immediately come back.
>
> Did just get 12 pop up, and these are for sshd and mandb? Last one is mandb setattr index.db. SELinux Alert browser doesn't let one copy the top part or the "if you were trying" part? Also doesn't let one copy the list of all info?? Does let one copy this part, but have no clue what FILE_TYPE would be used, or where this index.db file is located?
>
> First 3 are sshd with read, open, getattr, all with inactive.mod. Then 9 with mandb with create, write, ioctl, read, open, rename, unlink, lock, setattr, with 29605, 29605, xscreensaver.1.gz (3 times), 29605, index.db, 29605, index.db.
>
> Did have 2 earlier ones that were with boinc, and talked about missing selinux type boinc_t??
>
> Since I can't copy stuff, here is what would copy for the last one:
>
> You need to change the label on index.db
> # semanage fcontext -a -t FILE_TYPE 'index.db'
> where FILE_TYPE is one of the following: boot_t, cert_t, device_t, dhcpc_state_t, etc_aliases_t, etc_mail_t, etc_runtime_t, faillog_t, fonts_t, getty_lock_t, httpd_lock_t, initrc_state_t, initrc_tmp_t, initrc_var_log_t, initrc_var_run_t, ipsec_mgmt_lock_t, ipsec_var_run_t, iptables_lock_t, krb5_host_rcache_t, krb5kdc_lock_t, lastlog_t, local_login_lock_t, locale_t, lvm_lock_t, mnt_t, net_conf_t, postgresql_db_t, postgresql_lock_t, semanage_read_lock_t, semanage_trans_lock_t, sshd_key_t, sysctl_fs_t, sysctl_t, system_conf_t, system_dbusd_var_lib_t, systemd_passwd_var_run_t, udev_rules_t, udev_var_run_t, user_home_dir_t, user_home_t, var_lib_t, var_lock_t, var_log_t, var_spool_t, wtmp_t, xdm_lock_t.
> Then execute:
> restorecon -v 'index.db'

The files should inherit either the label of the directory they're created in, or if a specific context has been set for a filename, it should get that context.

Normally, if something's incorrectly labeled, you can just restorecon -v the file to see what it was changed to. In this example, I created an index.html in root's home directory and then moved it to /var/www/html. When I restorecon -vR /var/www it shows me what it WAS labeled, and what it was changed to:

[root@haproxy ~]# restorecon -vR /var/www/
Relabeled /var/www/html/index.html from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

So if you're getting errors on mislabeled files, the first bet is to just do a restorecon -v on it, or restorecon -vR on the parent directory.

https://www.youtube.com/watch?v=_WOKRaM-HI4 for a less than 45 minute lesson on the basics of SELinux.

If you're running something which was compiled from source, for instance, it may not understand what SELinux label it's supposed to have, or even just not understand SELinux. You might want to set the app to run unconfined. Description on how to do this is here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes

Hope this is helpful.

Thomas
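
Added example (not part of the original thread, and not Thomas's code): a small parser for the "Relabeled ... from ... to ..." lines that restorecon -v prints, summarising which part of each context changed and which old type each file carried. The old type shows where a file was created before it was moved (admin_home_t for root's home in the output above). The function names are hypothetical, and the second "Relabeled" line in the sample is constructed.

```python
import re
from collections import Counter

# restorecon -v prints one line per file it changes, in the shape shown in the
# message above. Contexts never contain spaces, so matching the final
# " from CTX to CTX" keeps paths that themselves contain " from " intact.
RELABEL_RE = re.compile(r"^Relabeled (?P<path>.+) from (?P<old>\S+) to (?P<new>\S+)$")
FIELDS = ("user", "role", "type", "level")

# First two lines are the output quoted in the thread; the third is constructed.
SAMPLE_OUTPUT = """\
[root@haproxy ~]# restorecon -vR /var/www/
Relabeled /var/www/html/index.html from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/notes from alice.txt from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
"""


def split_context(ctx):
    """Split user:role:type:level; the level may itself contain ':' (s0:c0.c1023)."""
    parts = ctx.split(":", 3)
    parts += [""] * (4 - len(parts))  # a policy without MLS has no level field
    return dict(zip(FIELDS, parts))


def parse_relabels(output):
    """Return one record per 'Relabeled' line; prompts and other text are skipped."""
    records = []
    for line in output.splitlines():
        m = RELABEL_RE.match(line.strip())
        if not m:
            continue
        old, new = split_context(m["old"]), split_context(m["new"])
        records.append({
            "path": m["path"],
            "old": old,
            "new": new,
            "changed": [f for f in FIELDS if old[f] != new[f]],
        })
    return records


def type_transitions(records):
    """Count (old_type, new_type) pairs, i.e. where relabelled files came from."""
    return Counter((r["old"]["type"], r["new"]["type"]) for r in records)


if __name__ == "__main__":
    recs = parse_relabels(SAMPLE_OUTPUT)
    for (old_t, new_t), n in type_transitions(recs).most_common():
        print(f"{n:3d} file(s): {old_t} -> {new_t}")
    for r in recs:
        print(f"{r['path']}: changed {', '.join(r['changed'])}")
```
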
Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
On 9 Dec 2023 at 18:02, Tim wrote:

Subject: Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
From: Tim
To: mi...@guam.net, Community support for Fedora users
Date sent: Sat, 09 Dec 2023 18:02:43 +1030

Did a dnf reinstall * to see if maybe some things had installed before something else. Then re-enabled selinux and rebooted. Originally got the 50 messages again that seemed to be the same. Unfortunately, the setrouble browser has an option to show the 50 messages summary, but I can do a ctrl-a to highlight them all but ctrl-C does not work to copy them. Deleted them all. They didn't immediately come back.

Did just get 12 pop up, and these are for sshd and mandb? Last one is mandb setattr index.db. SELinux Alert browser doesn't let one copy the top part or the "if you were trying" part? Also doesn't let one copy the list of all info?? Does let one copy this part, but have no clue what FILE_TYPE would be used, or where this index.db file is located?

First 3 are sshd with read, open, getattr, all with inactive.mod. Then 9 with mandb with create, write, ioctl, read, open, rename, unlink, lock, setattr, with 29605, 29605, xscreensaver.1.gz (3 times), 29605, index.db, 29605, index.db.

Did have 2 earlier ones that were with boinc, and talked about missing selinux type boinc_t??

Since I can't copy stuff, here is what would copy for the last one:

You need to change the label on index.db
# semanage fcontext -a -t FILE_TYPE 'index.db'
where FILE_TYPE is one of the following: boot_t, cert_t, device_t, dhcpc_state_t, etc_aliases_t, etc_mail_t, etc_runtime_t, faillog_t, fonts_t, getty_lock_t, httpd_lock_t, initrc_state_t, initrc_tmp_t, initrc_var_log_t, initrc_var_run_t, ipsec_mgmt_lock_t, ipsec_var_run_t, iptables_lock_t, krb5_host_rcache_t, krb5kdc_lock_t, lastlog_t, local_login_lock_t, locale_t, lvm_lock_t, mnt_t, net_conf_t, postgresql_db_t, postgresql_lock_t, semanage_read_lock_t, semanage_trans_lock_t, sshd_key_t, sysctl_fs_t, sysctl_t, system_conf_t, system_dbusd_var_lib_t, systemd_passwd_var_run_t, udev_rules_t, udev_var_run_t, user_home_dir_t, user_home_t, var_lib_t, var_lock_t, var_log_t, var_spool_t, wtmp_t, xdm_lock_t.
Then execute:
restorecon -v 'index.db'

Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mi...@guam.net
mailto:msetze...@gmail.com
mailto:msetze...@gmx.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
On Fri, 2023-12-08 at 23:42 +1000, Michael D. Setzer II:
> Problem was a bunch of the selinux errors it was showing talked
> about resetting things but it mentions FILETYPE and then gave a
> ton of options for that value, and I had no clue which one should be
> applied.

Generally, if it's just that the SELinux contexts are missing, restorecon along with the filepath sets them to what they need to be (most contexts are based on file location, your files in home should normally get a certain type of context, a web server's files in the standard location should get a web serving type of context, etc).

If someone's developed a new type of context, it ought to get applied in the same way (automatically when created, or when restorecon is used, based on the filepath). And relabelling does that. After installing some new SELinux rules, the procedure sets a flag to cause relabelling, and that'll get done after the next boot.

Exceptions occur when you want a different type of context in an unusual place. Such as you might be serving web pages from a different file path. You need to create your own rules so files get given the necessary contexts automatically, and you need to set the contexts on any existing files (there).

Alerts about things are (allegedly) faults. Such as right now I have an alert that:

The source process: cups-pk-helper- (with a truncated name, grrr!)
Attempted this access: read
On this sock_file: cups.sock

If I look more into the logs the full name is listed:
comm=cups-pk-helper- exe=/usr/libexec/cups-pk-helper-mechanism

So... Is it supposed to be able to read that file? My guess would be yes, based on the names.

Why isn't it getting it right by itself? Dunno, my guess would be a bug.

Can I fix it? Perhaps. The file could be randomly stuffed due to a crash, or power outage. But if it keeps creating it wrong, perhaps not.

Does it matter? Dunno, printing was working last time I tried it. But printing is always fickle.

--

uname -rsvp
Linux 3.10.0-1160.102.1.el7.x86_64 #1 SMP Tue Oct 17 15:42:21 UTC 2023 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.
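
Added example (not part of the original posts): a triage script for the situation described in the two messages above, where a dozen alerts turn out to be a few processes hitting a few targets, and where the alert shows only a truncated comm. It groups AVC denials by source and target type and takes the full executable path from the SYSCALL record that shares the same audit event id. The log records are constructed in audit.log format; the pids, serial numbers and example_*_t types are made up, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample shaped after the alerts described in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1702100001.101:501): avc:  denied  { read } for  pid=1412 comm="sshd" name="inactive.mod" dev="dm-0" ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_a_t:s0 tclass=file permissive=0
type=AVC msg=audit(1702100001.102:502): avc:  denied  { open } for  pid=1412 comm="sshd" name="inactive.mod" dev="dm-0" ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_a_t:s0 tclass=file permissive=0
type=AVC msg=audit(1702100001.103:503): avc:  denied  { getattr } for  pid=1412 comm="sshd" name="inactive.mod" dev="dm-0" ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_a_t:s0 tclass=file permissive=0
type=AVC msg=audit(1702100002.201:510): avc:  denied  { create } for  pid=29605 comm="mandb" name="29605" scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:example_b_t:s0 tclass=file permissive=0
type=AVC msg=audit(1702100002.202:511): avc:  denied  { unlink } for  pid=29605 comm="mandb" name="index.db" dev="dm-0" ino=2200 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:example_b_t:s0 tclass=file permissive=0
type=AVC msg=audit(1702100002.203:512): avc:  denied  { setattr } for  pid=29605 comm="mandb" name="index.db" dev="dm-0" ino=2200 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:example_b_t:s0 tclass=file permissive=0
type=AVC msg=audit(1702100003.301:520): avc:  denied  { read } for  pid=2100 comm="cups-pk-helper-" name="cups.sock" dev="tmpfs" ino=900 scontext=system_u:system_r:example_helper_t:s0 tcontext=system_u:object_r:example_c_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1702100003.301:520): arch=c000003e syscall=257 success=no exit=-13 pid=2100 comm="cups-pk-helper-" exe="/usr/libexec/cups-pk-helper-mechanism" subj=system_u:system_r:example_helper_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def ctx_type(ctx):
    """Return the type field of user:role:type[:level], or '?' if malformed."""
    parts = (ctx or "").split(":")
    return parts[2] if len(parts) >= 3 else "?"


def triage(log_text):
    """Group denials by (process, source type, target type, object class)."""
    exe_by_event, denials = {}, []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, event, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "SYSCALL" and "exe" in fields:
            exe_by_event[event] = fields["exe"]  # full path; comm is cut short
        elif rtype == "AVC":
            perms = PERMS_RE.search(body)
            if perms:
                denials.append((event, set(perms.group(1).split()), fields))
    # Second pass: the SYSCALL record follows its AVC record in the log.
    groups = defaultdict(lambda: {"alerts": 0, "perms": set(), "names": set()})
    for event, perms, f in denials:
        who = exe_by_event.get(event) or f.get("comm", "?")
        key = (who, ctx_type(f.get("scontext")), ctx_type(f.get("tcontext")),
               f.get("tclass", "?"))
        groups[key]["alerts"] += 1
        groups[key]["perms"] |= perms
        groups[key]["names"].add(f.get("name") or f.get("path") or "?")
    return dict(groups)


if __name__ == "__main__":
    for key, g in sorted(triage(SAMPLE_AUDIT_LOG).items(), key=lambda kv: -kv[1]["alerts"]):
        who, stype, ttype, tclass = key
        print(f"{g['alerts']} alert(s): {who} ({stype}) -> {ttype} [{tclass}] "
              f"perms={sorted(g['perms'])} names={sorted(g['names'])}")
```

Each group that remains is one labelling question to answer (is the target's type what restorecon would set for that path?) rather than one exception per alert.
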
Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
On 8 Dec 2023 at 23:16, Tim via users wrote:

Subject: Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
To: mi...@guam.net, Community support for Fedora users, Samuel Sieb
Date sent: Fri, 08 Dec 2023 23:16:42 +1030
Send reply to: Community support for Fedora users
From: Tim via users
Copies to: Tim

> On Fri, 2023-12-08 at 17:28 +1000, Michael D. Setzer II:
> > Will try turning selinux back on at some point, and see if it comes
> > back or not. Just working fine with the selinux disabled. Wish the
> > messages actually gave more info.
>
> Once you've run with SELinux off, you then have to do a lot of SELinux
> context restorecons to set the contexts of any files that have been
> written to what they need to be, if you turn it back on later.
>
> If you can run with it set to permissive (SELinux is running, but not
> disallowing things), files will get written with the right contexts,
> and you'll have less homework to fix things up.
>
> Moral of the story - if you intend to re-enable SELinux, the sooner you
> do it the less work you have to do.

Problem was a bunch of the selinux errors it was showing talked about resetting things but it mentions FILETYPE and then gave a ton of options for that value, and I had no clue which one should be applied.

I currently have 6 Fedora machines at home, so time isn't an issue. 4 are running Fedora 38 and this notebook and an ancient Lenovo R60 are both running Fedora 39. Strange the Lenovo has had no selinux issue, and is set to enforce and targeted??

Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mi...@guam.net
mailto:msetze...@gmail.com
mailto:msetze...@gmx.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
On Fri, 2023-12-08 at 17:28 +1000, Michael D. Setzer II:
> Will try turning selinux back on at some point, and see if it comes
> back or not. Just working fine with the selinux disabled. Wish the
> messages actually gave more info.

Once you've run with SELinux off, you then have to do a lot of SELinux context restorecons to set the contexts of any files that have been written to what they need to be, if you turn it back on later.

If you can run with it set to permissive (SELinux is running, but not disallowing things), files will get written with the right contexts, and you'll have less homework to fix things up.

Moral of the story - if you intend to re-enable SELinux, the sooner you do it the less work you have to do.

--

uname -rsvp
Linux 3.10.0-1160.102.1.el7.x86_64 #1 SMP Tue Oct 17 15:42:21 UTC 2023 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.
Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
On 7 Dec 2023 at 23:06, Samuel Sieb wrote:

Date sent: Thu, 7 Dec 2023 23:06:08 -0800
Subject: Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
To: users@lists.fedoraproject.org
From: Samuel Sieb
Send reply to: Community support for Fedora users

> On 12/7/23 00:22, Michael D. Setzer II via users wrote:
> > Got frustrated and ended up just disabling the selinux completely.
> > Seems strange that it starts reporting all these issues, and option to
> > fix them are almost all to add selinux exceptions?
>
> I think it will always give you an option to add exceptions, but that's
> not necessarily the only or best option.
>
> Are the errors from Fedora packages or from things you've done?
>
> Do you have examples?

There were 50 of them, and most seemed to be linux files. Only exception was some were about files in my user's BOINC directory for files in einstein directory.

Had enforcing set, so changed it to permissive, but same things after reboot. Then tried changing the targeted to minimal, and again they kept coming back after deleting.

Looked at my other machine with Fedora 39, and it has enforcing and Targeted as status with no issues. It is an ancient Lenovo R60 with 4G ram, but can only see 3G, but selinux doesn't have any issues. Did a dnf update to see if that might have been something, but it continued with no messages after reboot.

Some messages talked about need to do restorecon and did those, but those messages came back saying to do it again.

So, ended up just disabling the selinux completely. Also, noticed that CPU temp seems about 30 degrees lower than with the selinux running, but might have nothing to do with it. Have Boinc running on 8 threads and with the nvidia GPU on the Dell.

Never had issues with selinux with few exceptions. Think I've done two exceptions in past just to see. Most times, deleting and they don't come back.

Will try turning selinux back on at some point, and see if it comes back or not. Just working fine with the selinux disabled. Wish the messages actually gave more info.

Thanks for reply.

Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mi...@guam.net
mailto:msetze...@gmail.com
mailto:msetze...@gmx.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
On 12/7/23 00:22, Michael D. Setzer II via users wrote:
> Got frustrated and ended up just disabling the selinux completely.
> Seems strange that it starts reporting all these issues, and option to
> fix them are almost all to add selinux exceptions?

I think it will always give you an option to add exceptions, but that's not necessarily the only or best option.

Are the errors from Fedora packages or from things you've done?

Do you have examples?
Re: Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
...
>
> Got frustrated and ended up just disabling the selinux completely.
> Seems strange that it starts reporting all these issues, and option to
> fix them are almost all to add selinux exceptions?
>

sudo fixfiles -B onboot

OR

sudo touch /.autorelabel

and reboot
Clean install of Fedora 39 on Dell notebook was working, but recent update not getting 50 selerts??
Did a clean install of Fedora 39 on a Dell Latitude 5580 and was working fine. After a recent update started to have it get like 50 alerts that almost all were to add exceptions. Tried changing it from enforcing to permissive but no change, then changed targeted to minimum and no change. Go thru the alerts and delete all, and they just popped up again and again.

Tried to report, but it would accept my login and password? Ended up disabling selinux to get machine to not have alerts. Tried to login to the Bugzilla with my id on main machine, and it would not accept password. Did the change option, and entered new password that showed as Good, but then it came with message that some system is being used, and Good wasn't good enough. Had to use one of those generated passwords to get it to show strong, and then it changed password??

All my Fedora 38 machines are working fine. Have another machine that I upgraded from 38 to 39, and it seems to have no problems.

Got frustrated and ended up just disabling the selinux completely. Seems strange that it starts reporting all these issues, and option to fix them are almost all to add selinux exceptions?

Thanks.

Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mi...@guam.net
mailto:msetze...@gmail.com
mailto:msetze...@gmx.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/