Re: selinux question(s) (/home really = /n/home..)




Right, but I'm on a fully updated F9. I got the F10 libxcb package updated/installed, and all seems to be well. Kinda a bit hack-y to add to my image/kickstart, but if it works, it works, and I'll be rebuilding an F10 version as soon as it's out, I'm sure.

Thanks for the help!

Matt

On Wed, Nov 5, 2008 at 8:44 AM, Daniel J Walsh <dwalsh redhat com> wrote:

Matt Nicholson wrote:
> Output from /var/log/messages as I try to log in as the guest user (xguest):
>
> Nov  4 14:13:15 dhcp-0016533596-c5-74 gconfd (gdm-2932): Exiting
> Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused
> subsystem ns
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): starting
> (version 2.22.0), pid 3121 user 'xguest'
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address
> "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration
> source at position 0
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address
> "xml:readwrite:/home/xguest/.gconf" to a writable configuration source at
> position 1
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address
> "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration
> source at position 2
> Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
> audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148
> comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602
> scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
> tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
> Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit
> RLIMIT_CORE: Permission denied
> Nov  4 14:13:16 dhcp-0016533596-c5-74 acpid: client connected from 3229[0:0]
> Nov  4 14:13:17 dhcp-0016533596-c5-74 kernel: mtrr: base(0xd0000000) is not
> aligned on a size(0x3e80000) boundary
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): starting (version
> 2.22.0), pid 3258 user 'gdm'
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration
> source at position 0
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/etc/gconf/gconf.xml.system" to a read-only configuration
> source at position 1
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/var/lib/gdm/.gconf.mandatory" to a read-only configuration
> source at position 2
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readwrite:/var/lib/gdm/.gconf" to a writable configuration source at
> position 3
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration
> source at position 4
> Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting value
> for `/apps/gnome-screensaver/power_management_delay': Can't overwrite
> existing read-only value: Value for
> `/apps/gnome-screensaver/power_management_delay' set in a read-only source
> at the front of your configuration path
> Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting value
> for `/apps/gnome-screensaver/power_management_delay': Can't overwrite
> existing read-only value: Value for
> `/apps/gnome-screensaver/power_management_delay' set in a read-only source
> at the front of your configuration path
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: polkit.c: Cannot set
> UID on session object.
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: Called SUID
> root and real-time/high-priority scheduling was requested in the
> configuration. However, we lack the necessary priviliges:
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: We are not
> in group 'pulse-rt' and PolicyKit refuse to grant us priviliges. Dropping
> SUID again.
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: For enabling
> real-time scheduling please acquire the appropriate PolicyKit priviliges, or
> become a member of 'pulse-rt', or increase the RLIMIT_NICE/RLIMIT_RTPRIO
> resource limits for this user.
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c:
> setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c:
> setrlimit(RLIMIT_RTPRIO, (9, 9)) failed: Operation not permitted
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: alsa-util.c: Device
> front:0 doesn't support 44100 Hz, changed to 44099 Hz.
>
> Obviously, the things that stick out in there are:
>
> Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
> audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148
> comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602
> scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
> tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
> Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit
> RLIMIT_CORE: Permission denied
>
> and:
>
> Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused
> subsystem ns
>
> More specifically, the sealert says:
>
> SELinux is preventing dbus-daemon (xguest_dbusd_t) "read write" to socket
> (xguest_t).
>
>
>
> On Tue, Nov 4, 2008 at 2:03 PM, Matt Nicholson <sjoeboo sjoeboo com> wrote:
>
>> Yes, all up to date. A new build from my kickstart is finishing updating
>> right now (had to add oddjob/turn it on by default). Once it's done I'll send
>> what info I can.
>>
>> Before, I was getting an selinux alert/error, but I generated and loaded a
>> local policy, which took care of the selinux alert, but still didn't fix
>> xguest (it just bounces back out to GDM).
>>
>> More coming soon. Thanks for all the help!
>>
>>
>>
>> On Tue, Nov 4, 2008 at 1:54 PM, Daniel J Walsh <dwalsh redhat com> wrote:
>>
> Matt Nicholson wrote:
>>>>> Right, that did it (after I started the oddjobd service, that is).
>>>>>
>>>>> Now, the original reason I turned selinux back on was to use
>>>>> xguest....sadly, this isn't working still...
>>>>>
> Why not?  Are you fully up2date?
>
> xguest should be working on F9 and F10 right now.
>
> <SNIP>
>>>
- --
I don't think you have all the packages that are in the final release of
F10.  Since the AVC you are talking about is fixed and the libxcb
package should be there also.

selinux-policy-3.5.13-11.fc10
libxcb-1.1.91-5.fc10
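
An added example, not part of the original messages: the AVC denial quoted in this thread reaches /var/log/messages as a kernel `type=1400` record, and the mail client has wrapped and quote-prefixed it. The code below rejoins such records and pulls out the source type, target type, class and permissions that identify the denial; the function names are assumptions of the example.

```python
import re

# Syslog records open with "Mon DD HH:MM:SS"; other lines are wrapped continuations.
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AVC = re.compile(r"type=1400\s+audit\([\d.]+:(?P<serial>\d+)\):\s+avc:\s+"
                 r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)")

# Excerpt of the log quoted in the message above, still mail-quoted and wrapped.
SAMPLE = """\
> Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
> audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148
> comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602
> scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
> tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
> Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit
> RLIMIT_CORE: Permission denied
>
> and:
"""

def unwrap(text):
    """Strip mail quote markers and rejoin records the mailer wrapped."""
    records, open_rec = [], False
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if STAMP.match(line):
            records.append(line)
            open_rec = True
        elif line and open_rec:
            records[-1] += " " + line
        else:
            open_rec = False  # blank line ends a record; later prose is skipped
    return records

def parse_avc(record):
    """Return the fields that identify an AVC decision, or None for other records."""
    m = AVC.search(record)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"])}
    return {"result": m["result"], "perms": m["perms"].split(), "comm": f.get("comm"),
            "source_type": f["scontext"].split(":")[2],
            "target_type": f["tcontext"].split(":")[2], "tclass": f.get("tclass")}

def denials(text):
    return [a for a in map(parse_avc, unwrap(text)) if a and a["result"] == "denied"]

if __name__ == "__main__":
    for d in denials(SAMPLE):
        print(f'{d["comm"]}: {d["source_type"]} -> {d["target_type"]}:{d["tclass"]} {d["perms"]}')
```

The extracted source type, target type and class are the same values the sealert line in the thread reports, which makes it straightforward to check whether a given denial is the one an updated selinux-policy package addresses.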

