Craig White wrote:
> On Fri, 2008-07-25 at 20:01 +, Mike wrote:
>
>> Thanks for all your help. By the way I think that generating some traffic
>> on this list concerning SELinux may also help other users think about
>> making things work rather than switching off SELinux as many have done in th
Mike gmail.com> writes:
This is resolved - thank you to Paul Howarth from the SELinux list...
All it needed was
# chcon -t mnt_t /var/spool/mail
Now a happy bunny again...
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
On Fri, Jul 25, 2008 at 9:16 PM, Craig White <[EMAIL PROTECTED]> wrote:
> On Fri, 2008-07-25 at 20:12 -0400, max bianco wrote:
>> On Fri, Jul 25, 2008 at 4:11 PM, Craig White <[EMAIL PROTECTED]> wrote:
>> >
>> > no doubt - and when Paul Howarth was monitoring this list, I would have
>> > agree
On Fri, 2008-07-25 at 20:12 -0400, max bianco wrote:
> On Fri, Jul 25, 2008 at 4:11 PM, Craig White <[EMAIL PROTECTED]> wrote:
> >
> > no doubt - and when Paul Howarth was monitoring this list, I would have
> > agreed with you but my experience is that only nominal selinux skills
> > monitor t
On Fri, Jul 25, 2008 at 4:11 PM, Craig White <[EMAIL PROTECTED]> wrote:
> On Fri, 2008-07-25 at 20:01 +, Mike wrote:
>
>> Thanks for all your help. By the way I think that generating some traffic
>> on this list concerning SELinux may also help other users think about
>> making things work rath
Mike gmail.com> writes:
> I have an fstab entry
> /opt/Local/spool/mail /var/spool/mail ext3 0 0
That was a typo - the line does have the "bind" in it
/opt/Local/spool/mail /var/spool/mail ext3 bind 0 0
max gmail.com> writes:
> File Context problems.
> If you want to move files to directories that the current policy does
> not know about you should use the semanage command to tell the system
> what to label these files.
>
> # semanage fcontext -a -t httpd_sys_script_exec_t '/myweb/cg
On Fri, 2008-07-25 at 20:01 +, Mike wrote:
> Thanks for all your help. By the way I think that generating some traffic
> on this list concerning SELinux may also help other users think about
> making things work rather than switching off SELinux as many have done in the
> past.
no doubt -
Stuart Sears sjsears.com> writes:
> if you insist on putting such things in /opt, just make sure you label
> the directories/files correctly.
>
> to be certain you do, examine the labels on a normal mailspool with ls -Z
>
> here:
>
> ls -Za /var/spool/mail
OK I now have things running sweetly
Stuart Sears wrote:
Todd Denniston wrote:
Stuart
Thanks for the recipe.
you're welcome
if /rootlockeddown/ is on NFS, would the following command do part of
what is needed? (yet more complexity, but then we do have a real world
to live in :)
setsebool -P use_nfs_home_dirs=1
seems that
Todd Denniston wrote:
> Stuart
>
> Thanks for the recipe.
you're welcome
> if /rootlockeddown/ is on NFS, would the following command do part of
> what is needed? (yet more complexity, but then we do have a real world
> to live in :)
> setsebool -P use_nfs_home_dirs=1
seems that it might. It
On Thu, 2008-07-24 at 20:09 +, Mike wrote:
> I ran sealert -b and followed the advice therein -
> I did
> restorecon -R /opt/*
"restorecon" restores default contexts for that location, but you're
using non-default contexts. For non-standard uses you need to set your
own needed contexts (man
Stuart Sears wrote, On 07/24/2008 07:00 PM:
Todd Denniston wrote:
[ edited. Any context errors resulting are all mine :) ]
I can agree with that, but how do you convince SEL that you desire
/rootlockeddown//authorized_keys to be a valid place for sshd
to read? note /rootlockeddown/ is not whe
Mike wrote:
Craig White azapple.com> writes:
No - you really need a better solution because if anything/anyone
relabels, the current policy will trash those settings.
Personally, I think you should probably mount what is /opt as /home
and that would fix most issues.
It would - but that wou
Todd Denniston wrote:
[ edited. Any context errors resulting are all mine :) ]
I can agree with that, but how do you convince SEL that you desire
/rootlockeddown//authorized_keys to be a valid place for sshd
to read? note /rootlockeddown/ is not where home directories are, it
is where the admi
On Thu, 2008-07-24 at 22:13 +, Mike wrote:
> Craig White azapple.com> writes:
>
> > No - you really need a better solution because if anything/anyone
> > relabels, the current policy will trash those settings.
> >
> > Personally, I think you should probably mount what is /opt as /home and
>
Craig White azapple.com> writes:
> No - you really need a better solution because if anything/anyone
> relabels, the current policy will trash those settings.
>
> Personally, I think you should probably mount what is /opt as /home and
> that would fix most issues.
It would - but that would mean
On Thu, 2008-07-24 at 21:36 +, Mike wrote:
> Craig White azapple.com> writes:
>
> > $ ls -lZ /home/craig/.ssh
> > -rw--- craig craig user_u:object_r:user_home_t
> > client.id_dsa.key
> > -rw--- craig craig user_u:object_r:user_home_t id_dsa
> > -rw-rw-r-- craig craig unconfine
On Thu, 2008-07-24 at 17:35 -0400, Todd Denniston wrote:
> Craig White wrote, On 07/24/2008 04:49 PM:
> > I would doubt that.../opt is not a usual place for users $home
> > directories and thus the policy for files in that tree would not be
> > suitable for the method you are using.
> >
> > Craig
Craig White azapple.com> writes:
> $ ls -lZ /home/craig/.ssh
> -rw--- craig craig user_u:object_r:user_home_t
> client.id_dsa.key
> -rw--- craig craig user_u:object_r:user_home_t id_dsa
> -rw-rw-r-- craig craig unconfined_u:object_r:user_home_t
> id_dsa.keystore
> -rw-r--r-- crai
Craig White wrote, On 07/24/2008 04:49 PM:
On Thu, 2008-07-24 at 20:45 +, Mike wrote:
Mike gmail.com> writes:
http://www.mjmwired.net/linux/2008/06/16/selinux-preventing-ssh-passwordless-login/
The above is on a single line - I had to break the line entering the url
Following the advice
Craig White azapple.com> writes:
> but the issue of policy is that these are not the settings these files
> would get if they were located in /opt.
>
> That's why you need to go to the selinux-list because they might have
> some good ideas
I have posted in selinux-list - will see if someone can
On Thu, 2008-07-24 at 21:11 +, Mike wrote:
> Craig White azapple.com> writes:
>
> > > Hence there seems to be a bug in the SELinux policy on this issue?
> >
> > I would doubt that.../opt is not a usual place for users $home
> > directories and thus the policy for files in that tree woul
Craig White azapple.com> writes:
> > Hence there seems to be a bug in the SELinux policy on this issue?
>
> I would doubt that.../opt is not a usual place for users $home
> directories and thus the policy for files in that tree would not be
> suitable for the method you are using.
You may
On Thu, 2008-07-24 at 20:45 +, Mike wrote:
> Mike gmail.com> writes:
>
> > http://www.mjmwired.net/linux/2008/06/16/
> > selinux-preventing-ssh-passwordless-login/
> >
> > The above is on a single line - I had to break the line entering the url
>
> Following the advice in that link I did
>
Craig White azapple.com> writes:
> you probably want to check with the selinux list
>
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You may well be right...
Mike gmail.com> writes:
> http://www.mjmwired.net/linux/2008/06/16/
> selinux-preventing-ssh-passwordless-login/
>
> The above is on a single line - I had to break the line entering the url
Following the advice in that link I did
touch /.autorelabel;reboot
This reverted the system so that ssh
On Thu, 2008-07-24 at 20:35 +, Mike wrote:
> Craig White azapple.com> writes:
>
> > make life easy on yourself and install setroubleshoot...
> >
> > # rpm -qa|grep setrouble
> > setroubleshoot-plugins-2.0.4-5.fc9.noarch
> > setroubleshoot-server-2.0.8-2.fc9.noarch
> > setroubleshoot-2.0.8-2.
Craig White azapple.com> writes:
> make life easy on yourself and install setroubleshoot...
>
> # rpm -qa|grep setrouble
> setroubleshoot-plugins-2.0.4-5.fc9.noarch
> setroubleshoot-server-2.0.8-2.fc9.noarch
> setroubleshoot-2.0.8-2.fc9.noarch
>
Already installed and running - in this instance
On Thu, 2008-07-24 at 19:51 +, Mike wrote:
> Dave Burns hawaii.edu> writes:
>
> > That's some heavy lifting. The cheat I tend to use is
> >
> > grep sealert /var/log/messages
> >
> > SELinux puts stuff in the log that includes a suggestion to run its
> > utility sealert with appropriate par
Mike gmail.com> writes:
>
> The sealert output is:
>
> host=lapmike2 type=AVC msg=audit(1216928753.73:112): avc: denied { search }
> for pid=5282 comm="sshd" name="Local" dev=sda8 ino=1241537
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:file_t:s0 tclass=dir
Dave Burns hawaii.edu> writes:
> That's some heavy lifting. The cheat I tend to use is
>
> grep sealert /var/log/messages
>
> SELinux puts stuff in the log that includes a suggestion to run its
> utility sealert with appropriate parameters. The output from that
> command usually includes a fair
Mike gmail.com> writes:
> > 1. yum install setroubleshoot
> > 2. service setroubleshoot start
> >
> > 3. then ssh in
> >
> > 4. look in /var/log/messages on your machine for lines containing 'sealert'
> > (or just run sealert -b if you have a graphical desktop)
I changed the context and tried
On Wed, Jul 23, 2008 at 10:00 PM, Mike <[EMAIL PROTECTED]> wrote:
> Do you know of any links to a "getting started understanding SELinux"
> type of guide?
That's some heavy lifting. The cheat I tend to use is
grep sealert /var/log/messages
SELinux puts stuff in the log that includes a suggestion
Stuart Sears sjsears.com> writes:
> how, exactly?
> These are the labels on my system (using ls -Z):
> /home/* system_u:object_r:user_home_dir_t:s0
> /home/USER/* system_u:object_r:user_home_t:s0
> /home system_u:object_r:home_root_t:s0
>
> whereas files in /opt/local seem t
Stuart Sears sjsears.com> writes:
> 6. let us know what the error messages are. We can be of more help that
> way. Everything we do at the moment is little more than educated guesswork.
OK many thanks Stuart - when I get back to the machine this evening I will
get some answers to the questions
Mike wrote:
Tim yahoo.com.au> writes:
I would imagine that the SELinux contexts are wrong. They're applied to
expected filepaths (home space contexts for the usual /home/username/
filepaths), I imagine that they won't get applied across symlinks, as
it'd be too easy for someone to symlink non
Tim yahoo.com.au> writes:
> I would imagine that the SELinux contexts are wrong. They're applied to
> expected filepaths (home space contexts for the usual /home/username/
> filepaths), I imagine that they won't get applied across symlinks, as
> it'd be too easy for someone to symlink non-public
On Wed, 2008-07-23 at 21:36 +, Mike wrote:
> I have just done a clean f9 install on a laptop where the user areas are
> on a separate partition (/opt/Local/home) on the HD.
>
> Having left SELinux on after the install I did my usual post-install
> change of doing as root:
> cd /
> mv home home
I have just done a clean f9 install on a laptop where the user areas are
on a separate partition (/opt/Local/home) on the HD.
Having left SELinux on after the install I did my usual post-install
change of doing as root:
cd /
mv home home.dist
ln -s /opt/Local/home .
Now /home is a symlink to /opt