
Re: gconf alert



On Sun, Apr 6, 2008 at 10:37 AM, Valent Turkovic
<valent turkovic gmail com> wrote:
>
> On Sat, Apr 5, 2008 at 9:21 PM, Daniel J Walsh <dwalsh redhat com> wrote:
>  >
>  > -----BEGIN PGP SIGNED MESSAGE-----
>  >  Hash: SHA1
>  >
>  >  Valent Turkovic wrote:
>  >  > On Sat, Mar 29, 2008 at 6:55 PM, Daniel J Walsh <dwalsh redhat com> wrote:
>  >  >> -----BEGIN PGP SIGNED MESSAGE-----
>  >  >>  Hash: SHA1
>  >  >>
>  >  >>  Valent Turkovic wrote:
>  >  >>
>  >  >>> On Thu, Mar 27, 2008 at 6:36 PM, John Dennis <jdennis redhat com> wrote:
>  >  >>  >> Valent Turkovic wrote:
>  >  >>  >>  > I'm creating live cds under rawhide and I have selinux in permissive
>  >  >>  >>  > mode, could that be reason I'm seeing these hundreds of alerts?
>  >  >>  >>
>  >  >>  >>  https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00130.html
>  >  >>  >>
>  >  >>  >>  --
>  >  >>  >>  John Dennis <jdennis redhat com>
>  >  >>  >>
>  >  >>  >
>  >  >>  > Ok, I'm an idiot :) I got so much going on at once (work, moving to
>  >  >>  > new apartment, etc...) that I totally forgot I got this replied
>  >  >>  > already.
>  >  >>  >
>  >  >>  > But I want to keep in permissive and not enforcing mode so is just
>  >  >>  > "load_policy" enough ?
>  >  >>  >
>  >  >>  > Cheers,
>  >  >>  > Valent.
>  >  >>  >
>  >  >>  load_policy and you might need to kill any processes that are running as
>  >  >>  unlabeled_t.  Potentially you could have files that are mislabeled.
>  >  >
>  >  >
>  >  >
>  >  > I made several load_policy and relabels with reboot and I still see
>  >  > these errors!
>  >  > Do you have any idea why?
>  >  >
>  >  > Cheers,
>  >  > Valent
>  >  > .
>  >  >
>  >  >
>  >  Do you have two policy files in /etc/selinux/targeted/policy?
>
>  # ls -al /etc/selinux/targeted/policy
>  total 4056
>  drwxr-xr-x 2 root root    4096 2008-04-03 23:05 .
>  drwxr-xr-x 5 root root    4096 2008-04-03 23:05 ..
>  -rw-r--r-- 1 root root 4128435 2008-04-03 23:05 policy.21
>
>  as you can see I have only one file in policy directory
>
>
>  >  If you do, remove the lower version and then execute load_policy,
>  >  Relabel the file in question and you should not have a problem.   If the
>  >  file is in /tmp you can remove it or set its label to tmp_t.
>
>  I'm going now to move all files from /tmp to another folder and then
>  if reboot succeeds I'll delete those files and see if I still see
>  selinux alerts.
>
>  So you haven't seen this kind of error? Nobody has reported anything similar?
>
>
>
>  Valent.
>
>  --
>  http://kernelreloaded.blog385.com/
>  linux, blog, anime, spirituality, windsurf, wireless
>  registered as user #367004 with the Linux Counter, http://counter.li.org.
>  ICQ: 2125241, Skype: valent.turkovic
>


Even after deleting all files in /tmp folder I still see these two
alerts (in attachment).

I investigated alert about saved_state.tmp file and with locate file
command I found this:
/home/valentt/.gconfd/saved_state

Does that give you any more clues why I'm seeing these alerts? I'm now
in Fedora 8 not in Rawhide but in Rawhide I see same alerts.

Is it possible that livecd-creator does some things and breaks selinux
in some way that you still aren't aware of?

Valent.

-- 
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic
Sažetak:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detaljan opis:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Dopuštanje pristupa:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Dodatni podaci:

Izvorni kontekst              unconfined_u:object_r:unlabeled_t:s0
Ciljani kontekst              system_u:object_r:fs_t:s0
Ciljani objekti               .testing.writeability [ filesystem ]
Source                        gconfd-2
Source Path                   /usr/libexec/gconfd-2
Port                          <Nepoznato>
Host                          valent.oswireless
Source RPM Packages           GConf2-2.20.1-1.fc8
Target RPM Packages           
RPM pravila                   selinux-policy-3.0.8-95.fc8
Selinux je omogućen          True
Vrsta pravila                 targeted
MLS je omogućen              True
Način prisile                Permissive
Naziv dodatka                 filesystem_associate
Naziv računala               valent.oswireless
Platforma                     Linux valent.oswireless 2.6.24.4-64.fc8 #1 SMP Sat
                              Mar 29 09:54:46 EDT 2008 i686 i686
Broj uzbuna                   2
First Seen                    Ned 06 Tra 2008 10:45:05
Last Seen                     Ned 06 Tra 2008 10:45:06
Local ID                      a8146644-9f87-4a21-a503-44839f130435
Brojevi redaka                

Sirova poruke revizije        

host=valent.oswireless type=AVC msg=audit(1207471506.417:34): avc:  denied  { associate } for  pid=3289 comm="gconfd-2" name=".testing.writeability" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=valent.oswireless type=SYSCALL msg=audit(1207471506.417:34): arch=40000003 syscall=5 success=yes exit=35 a0=88c4818 a1=41 a2=1c0 a3=88c4818 items=0 ppid=1 pid=3289 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)


Sažetak:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detaljan opis:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Dopuštanje pristupa:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Dodatni podaci:

Izvorni kontekst              unconfined_u:object_r:unlabeled_t:s0
Ciljani kontekst              system_u:object_r:fs_t:s0
Ciljani objekti               saved_state.tmp [ filesystem ]
Source                        gconfd-2
Source Path                   /usr/libexec/gconfd-2
Port                          <Nepoznato>
Host                          valent.oswireless
Source RPM Packages           GConf2-2.20.1-1.fc8
Target RPM Packages           
RPM pravila                   selinux-policy-3.0.8-95.fc8
Selinux je omogućen          True
Vrsta pravila                 targeted
MLS je omogućen              True
Način prisile                Permissive
Naziv dodatka                 filesystem_associate
Naziv računala               valent.oswireless
Platforma                     Linux valent.oswireless 2.6.24.4-64.fc8 #1 SMP Sat
                              Mar 29 09:54:46 EDT 2008 i686 i686
Broj uzbuna                   1
First Seen                    Ned 06 Tra 2008 10:45:35
Last Seen                     Ned 06 Tra 2008 10:45:35
Local ID                      dc68311c-e8e2-409c-96a1-de04d58f95b3
Brojevi redaka                

Sirova poruke revizije        

host=valent.oswireless type=AVC msg=audit(1207471535.121:37): avc:  denied  { associate } for  pid=3289 comm="gconfd-2" name="saved_state.tmp" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=valent.oswireless type=SYSCALL msg=audit(1207471535.121:37): arch=40000003 syscall=5 success=yes exit=14 a0=88c2440 a1=241 a2=1c0 a3=8663230 items=0 ppid=1 pid=3289 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
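
Added example (not part of the original message, and not setroubleshoot's own code): a Python script that pairs each AVC record with its SYSCALL record by audit event ID and reports `associate` denials whose object type is `unlabeled_t`, run over the two events from the attachment above. The function names and the shortened SYSCALL lines are assumptions of this example.

```python
import re
from collections import defaultdict

# The two events from the alerts above; SYSCALL lines shortened to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1207471506.417:34): avc:  denied  { associate } for  pid=3289 comm="gconfd-2" name=".testing.writeability" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1207471506.417:34): arch=40000003 syscall=5 success=yes a1=41 a2=1c0 pid=3289 exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
type=AVC msg=audit(1207471535.121:37): avc:  denied  { associate } for  pid=3289 comm="gconfd-2" name="saved_state.tmp" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1207471535.121:37): arch=40000003 syscall=5 success=yes a1=241 a2=1c0 pid=3289 exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
"""
EVENT = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")
O_FLAGS = {0x1: "O_WRONLY", 0x40: "O_CREAT", 0x200: "O_TRUNC"}  # Linux i386 values

def parse(text):
    """Group audit records by event ID (timestamp:serial) -> {record type: fields}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rtype, eid = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        p = PERMS.search(line)
        rec["perms"] = p.group(1).split() if p else []
        events[eid][rtype] = rec
    return events

def unlabeled_associations(events):
    """Report associate denials where the new object's type is unlabeled_t."""
    out = []
    for eid, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "associate" not in avc["perms"]:
            continue
        if avc.get("scontext", ":::").split(":")[2] != "unlabeled_t":
            continue
        # On i386 (arch=40000003) syscall 5 is open(): a1 = flags, a2 = mode, both hex.
        is_open = sc.get("arch") == "40000003" and sc.get("syscall") == "5"
        flags = int(sc["a1"], 16) if is_open else 0
        out.append({"event": eid, "name": avc.get("name"), "exe": sc.get("exe"),
                    "subject": sc.get("subj"), "fs_type": avc.get("tcontext", ":::").split(":")[2],
                    "open_flags": [n for b, n in O_FLAGS.items() if flags & b],
                    "mode": oct(int(sc["a2"], 16)) if is_open else None})
    return out

if __name__ == "__main__":
    for f in unlabeled_associations(parse(SAMPLE)):
        print(f)
```

In an `associate` check the AVC `scontext` is the label the new file would receive, while the creating process's context is the `subj` field of the SYSCALL record (`unconfined_t` in both events here).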


