Hi,
> There should be a file context equivalence mapping between /var/home and
> /home.
>
>
> matchpathcon /var/home/tob
> /var/home/tob unconfined_u:object_r:user_home_dir_t:s0
> It should definitely not be default_t.
# matchpathcon /var/home/tob
/var/home/tob unconfined_u:object_r
There should be a file context equivalence mapping between /var/home and
/home.
matchpathcon /var/home/tob
/var/home/tob unconfined_u:object_r:user_home_dir_t:s0
It should definitely not be default_t.
On 09/15/2015 10:39 AM, Tobias Florek wrote:
> Hi,
>
> after fixing the ostree-provided fs
Hi,
after fixing the ostree-provided fs labels, there seem to be additional
problems. E.g.:
# ls -Z /var/home/tob -d
unconfined_u:object_r:default_t:s0 /var/home/tob/
which should most likely be unconfined_u:object_r:user_home_dir_t:s0.
That's most likely the cause of many more ssh AVCs
On 09/15/2015 05:09 AM, Stef Walter wrote:
> On 15.09.2015 08:51, Tobias Florek wrote:
Try `ostree fsck`. If that gives you errors, `ostree fsck --delete; touch
/ostree/repo/transaction; atomic host upgrade` should reset things.
>>> Unfortunately that did not work (yet).
>> When an at
On 15.09.2015 08:51, Tobias Florek wrote:
>>> Try `ostree fsck`. If that gives you errors, `ostree fsck --delete; touch
>>> /ostree/repo/transaction; atomic host upgrade` should reset things.
>>
>> Unfortunately that did not work (yet).
>
> When an atomic host upgrade became available today, it
> > Try `ostree fsck`. If that gives you errors, `ostree fsck --delete; touch
> > /ostree/repo/transaction; atomic host upgrade` should reset things.
>
> Unfortunately that did not work (yet).
When an atomic host upgrade became available today, it worked perfectly.
Thank you for showing me the
> It seems likely that you (or some program) *did* relabel this machine.
> fixfiles and restorecon
> will still try to traverse out to the writable /sysroot and can corrupt things
> unfortunately.
>
> Try `ostree fsck`. If that gives you errors, `ostree fsck --delete; touch
> /ostree/repo/tran
On Mon, Sep 14, 2015, at 10:52 AM, Tobias Florek wrote:
>
> which is different from the other atomic hosts, which have
> system_u:object_r:sshd_exec_t:s0 as expected.
>
> > Should be running as sshd_t not kernel_t? Are you doing this into the
> > systemd-nspawn container, or
> > is the sshd_t nat
Hi,
> >> This looks like you have a /etc/resolv.conf from one machine leaking
> >> into another? Are you volume mounting in /etc/resolv.conf into containers?
> > I am not doing so directly. Might that be systemd-nspawn? I have
> > a container running that is invoked with
> >
> > /bin/systemd-
On 09/14/2015 09:11 AM, Tobias Florek wrote:
> Hi,
>
> thanks for looking into it.
>
>
>>> type=AVC msg=audit(1442045142.791:158569): avc: denied { read } for
>>> pid=3358 comm="nslookup" name="resolv.conf" dev="dm-1" ino=95751
>>> scontext=system_u:system_r:svirt_lxc_net_t:s0:c411,c700
Hi,
thanks for looking into it.
> > type=AVC msg=audit(1442045142.791:158569): avc: denied { read } for
> > pid=3358 comm="nslookup" name="resolv.conf" dev="dm-1" ino=95751
> > scontext=system_u:system_r:svirt_lxc_net_t:s0:c411,c700
> > tcontext=system_u:object_r:svirt_sandbox_file_t:s0
On 09/14/2015 03:26 AM, Tobias Florek wrote:
> Hi,
>
> I am getting the following AVCs on _one_ of the atomic hosts. This is on
> a slightly newer installation (a few weeks ago) than the other hosts,
> I don't know of any other difference between them.
>
> The logs are from a with enforcing=0 bec
Hi,
I am getting the following AVCs on _one_ of the atomic hosts. This is on
a slightly newer installation (a few weeks ago) than the other hosts,
I don't know of any other difference between them.
The logs are from a with enforcing=0 because it's a remote machine and
I can't log in without ssh.