Relabelling issue

by Arthur Dent-6

Hello all,

I got an avc the other day that made me suspect that I might have
labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
reboot"

The avc turned out to be unrelated to this, but I was a little surprised
to see the following errors during the relabelling process:

SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
SELinux:  Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Adding 2096440k swap on /dev/sdb10.  Priority:-1 extents:1 across:2096440k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts


Should I be concerned?

Thanks for any suggestions...

Mark

p.s.

Latest yum log entries:
[root@localhost ~]# cat /var/log/yum.log | grep -i selinux
Aug 08 21:05:15 Updated: selinux-policy-3.6.12-69.fc11.noarch
Aug 08 21:08:51 Updated: selinux-policy-targeted-3.6.12-69.fc11.noarch
Aug 12 13:28:30 Updated: selinux-policy-3.6.12-72.fc11.noarch
Aug 12 13:29:05 Updated: selinux-policy-targeted-3.6.12-72.fc11.noarch
Aug 22 10:31:50 Updated: selinux-policy-3.6.12-78.fc11.noarch
Aug 22 10:32:25 Updated: selinux-policy-targeted-3.6.12-78.fc11.noarch
Aug 29 16:17:14 Updated: selinux-policy-3.6.12-80.fc11.noarch
Aug 29 16:17:48 Updated: selinux-policy-targeted-3.6.12-80.fc11.noarch
Sep 07 18:20:34 Updated: selinux-policy-3.6.12-81.fc11.noarch
Sep 07 18:21:09 Updated: selinux-policy-targeted-3.6.12-81.fc11.noarch
Sep 12 09:31:35 Updated: selinux-policy-3.6.12-82.fc11.noarch
Sep 12 09:32:08 Updated: selinux-policy-targeted-3.6.12-82.fc11.noarch
Oct 01 19:43:02 Updated: selinux-policy-3.6.12-83.fc11.noarch
Oct 01 19:43:35 Updated: selinux-policy-targeted-3.6.12-83.fc11.noarch
Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch




--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: Relabelling issue

by Bruno Wolff III

On Sun, Oct 25, 2009 at 13:01:49 +0000,
  Arthur Dent <misc.lists@...> wrote:
>
> I got an avc the other day that made me suspect that I might have
> labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
> reboot"
>
> Should I be concerned?

Generally it is a good idea to switch to permissive mode for a full relabel.
Otherwise you might not be permitted to make the changes. Normally that
won't be a problem after minor updates, but if things are to the point where
you want to do a full relabel, it's generally simpler to make sure it will
do all of the work needed rather than have to manually deal with the odd
case here and there.

Re: Relabelling issue

by Arthur Dent-6

On Sun, 2009-10-25 at 12:37 -0500, Bruno Wolff III wrote:

> On Sun, Oct 25, 2009 at 13:01:49 +0000,
>   Arthur Dent <misc.lists@...> wrote:
> >
> > I got an avc the other day that made me suspect that I might have
> > labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
> > reboot"
> >
> > Should I be concerned?
>
> Generally it is a good idea to switch to permissive mode for a full relabel.
> Otherwise you might not be permitted to make the changes. Normally that
> won't be a problem after minor updates, but if things are to the point where
> you want to do a full relabel, it's generally simpler to make sure it will
> do all of the work needed rather than have to manually deal with the odd
> case here and there.

Thank you - but I'm not sure I fully understand what you're saying. Do
you mean that if I had first switched to permissive mode, that those
errors would not have occurred?

Surely if a particular context is "not valid" there is nothing a relabel
can do - permissive mode or otherwise? Or have I misunderstood?

My question was really:
a) How have I ended up with all of those invalid contexts? and
b) Given that, as far as I can tell, most things seem to work - should I
be concerned about these error messages?

Thanks

Mark


Re: Relabelling issue

by Bruno Wolff III

On Sun, Oct 25, 2009 at 20:37:40 +0000,
  Arthur Dent <misc.lists@...> wrote:
>
> Thank you - but I'm not sure I fully understand what you're saying. Do
> you mean that if I had first switched to permissive mode, that those
> errors would not have occurred?

Yes.

> Surely if a particular context is "not valid" there is nothing a relabel
> can do - permissive mode or otherwise? Or have I misunderstood?

It's not that the context is valid, but that you may not have permission
to make the changes.

> My question was really:
> a) How have I ended up with all of those invalid contexts? and

It might be just changes in labels from previous versions of the policy.
Normally the changes get made during updates.

> b) Given that, as far as I can tell, most things seem to work - should I
> be concerned about these error messages?

Having things mislabelled can cause problems. You can either do a full
relabel or use restorecon to fix them. Since you seem to know which ones
did not get relabelled you can do a targeted relabelling with restorecon
instead of checking every file on your system.

Re: Relabelling issue

by Daniel J Walsh

On 10/25/2009 09:01 AM, Arthur Dent wrote:

> Hello all,
>
> I got an avc the other day that made me suspect that I might have
> labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
> reboot"
>
> The avc turned out to be unrelated to this, but I was a little surprised
> to see the following errors during the relabelling process:
>
> [...]
>
> Should I be concerned?

This looks like a mismatch of policy and labels on disk.


*_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these.

So relabeling is probably a good idea.

gamin_exec_t has disappeared.

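An added example, not part of the original thread: a shell triage of the "is not valid (left unmapped)" messages that applies the one rename rule stated in the reply above (*_script_exec_t became *_initrc_exec_t) and records the SELinux mode in force when each message was logged. The function names and the sample log are constructed for illustration; the restorecon dry run in the closing comment assumes the stale labels, if any are on disk, sit on init scripts.

```shell
#!/bin/sh
# Added example: triage of "Context ... is not valid (left unmapped)" messages.
# Not code from the thread; function names are hypothetical.

# Constructed sample: a shortened copy of the boot log quoted in the thread,
# with one line duplicated to exercise de-duplication.
SAMPLE_LOG='SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
SELinux:  Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Adding 2096440k swap on /dev/sdb10.  Priority:-1 extents:1 across:2096440k'

# Map an old type to its replacement using the rename rule from the thread
# (X_script_exec_t -> X_initrc_exec_t). Returns non-zero for any other type.
renamed_type() {
    case "$1" in
        ?*_script_exec_t) printf '%s\n' "${1%_script_exec_t}_initrc_exec_t" ;;
        *) return 1 ;;
    esac
}

# Read a kernel/audit log on stdin and print "<mode> <type>" once per distinct
# unmapped type. <mode> comes from the most recent type=1404 (MAC_STATUS)
# record seen before the message, or "unknown" if there was none.
unmapped_types() {
    awk -v mode=unknown '
    /type=1404/ && / enforcing=[01]/ {
        match($0, / enforcing=[01]/)
        mode = (substr($0, RSTART + 11, 1) == "1") ? "enforcing" : "permissive"
        next
    }
    /Context [^ ]+ is not valid \(left unmapped\)/ {
        match($0, /Context [^ ]+/)
        ctx = substr($0, RSTART + 8, RLENGTH - 8)
        split(ctx, f, ":")                 # user:role:type:level
        if (!(f[3] in seen)) { seen[f[3]] = 1; print mode, f[3] }
    }'
}

# One report line per distinct type: mode, old type, and the renamed type if
# the rule applies. Types with no rule need a manual look at the policy.
triage() {
    unmapped_types | while read -r mode old; do
        if new=$(renamed_type "$old"); then
            printf '%s %s -> %s\n' "$mode" "$old" "$new"
        else
            printf '%s %s -> (no rename rule)\n' "$mode" "$old"
        fi
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage

# On a live system (not run here) the input would be `dmesg | triage`.
# A dry run of the targeted relabel suggested earlier in the thread would be:
#   restorecon -n -v -R /etc/rc.d/init.d
# (-n reports what would change without changing any label).
```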

Re: Relabelling issue

by Arthur Dent-6

On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:

> This looks like a mismatch of policy and labels on disk.
>
>
> *_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these.
>
> So relabeling is probably a good idea.
>
> gamin_exec_t has disappeared.

OK - I finally got round to doing another relabel - this time in
permissive mode (I wanted to watch for error messages and couldn't face
the thought of sitting watching little asterisks march across the screen
until today).

Unfortunately I get exactly the same messages during the relabelling
process:
SELinux: initialized (dev sdb6, type ext3), uses xattr
SELinux: initialized (dev sdb11, type vfat), uses genfs_contexts
SELinux: initialized (dev sdb12, type vfat), uses genfs_contexts
fuse init (API version 7.11)
SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
SELinux:  Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
Adding 2096440k swap on /dev/sdb10.  Priority:-1 extents:1 across:2096440k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

So now I'm not sure what to do - just ignore it and wait until I rebuild
with Fedora 12 - or do something now?

Thanks for any advice...

Mark



Re: Relabelling issue

by Daniel J Walsh

On 10/28/2009 05:38 AM, Arthur Dent wrote:

> OK - I finally got round to doing another relabel - this time in
> permissive mode (I wanted to watch for error messages and couldn't face
> the thought of sitting watching little asterisks march across the screen
> until today).
>
> Unfortunately I get exactly the same messages during the relabelling
> process:
> [...]
>
> So now I'm not sure what to do - just ignore it and wait until I rebuild
> with Fedora 12 - or do something now?
>
> Thanks for any advice...
>
> Mark

If you do a load_policy do you see these messages?

What version of policy and which version of the OS are you using?

Tgtd policy

by Matthew Ife-2

Tgtd is an iSCSI target daemon for Linux. It's eventually going to also do
FCoE but currently doesn't.

Here's my policy for it. It needs some cleanup and I've not tested it
with proper fixed disk devices. I assume the kernel actually does most
of the read/write of the devices itself so the block device access I've
given the daemon is minimal.

Any feedback appreciated.

Attachment: tgtd_policy.tar.gz (1K)

Re: Tgtd policy

by Daniel J Walsh

On 10/28/2009 09:28 AM, Matthew Ife wrote:

> Tgtd is an iSCSI target daemon for Linux. It's eventually going to also do
> FCoE but currently doesn't.
>
> Here's my policy for it. It needs some cleanup and I've not tested it
> with proper fixed disk devices. I assume the kernel actually does most
> of the read/write of the devices itself so the block device access I've
> given the daemon is minimal.
>
> Any feedback appreciated.

Better off sending policy to the refpolicy list <refpolicy@...>

Re: Tgtd policy

by Matthew Ife-2

On Wed, 2009-10-28 at 09:43 -0400, Daniel J Walsh wrote:

> Better off sending policy to the refpolicy list

Done

Re: Tgtd policy

by Daniel J Walsh

On 10/28/2009 09:49 AM, Matthew Ife wrote:

> On Wed, 2009-10-28 at 09:43 -0400, Daniel J Walsh wrote:
>> Better off sending policy to the refpolicy list
>
> Done

Here are my fixes for your policy.

##
/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t, s0)

/etc/tgt(/.*)?          gen_context(system_u:object_r:tgtd_etc_t, s0)

/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t, s0)

/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t, s0)

## <summary>Tgtd shared policy module.</summary>

########################################
## <summary>
##      Allowed to read target configuration files
## </summary>
## <desc>
##      <p>
## Read the tgtd conf files
##      </p>
## </desc>
## <param name="source_domain">
##      <summary>
##      Type of domain allowed access
##      </summary>
## </param>
#
interface(`tgtd_read_config_files',`
        gen_require(`
                type tgtd_etc_t;
        ')
        read_files_pattern($1, tgtd_etc_t, tgtd_etc_t)
')

########################################
## <summary>
##      Allowed to write target configuration files
## </summary>
## <desc>
##      <p>
##      Read and write the tgtd conf files
##      </p>
## </desc>
## <param name="source_domain">
##      <summary>
##      Type of domain allowed access
##      </summary>
## </param>
#
interface(`tgtd_rw_config_files',`
        gen_require(`
                type tgtd_etc_t;
        ')
        manage_files_pattern($1, tgtd_etc_t, tgtd_etc_t)
        manage_dirs_pattern($1, tgtd_etc_t, tgtd_etc_t)

        filetrans_pattern($1, tgtd_etc_t, tgtd_etc_t, { dir file} )
')

## <summary>
##      Allowed to read var_lib files
## </summary>
## <desc>
##      <p>
##      Read the tgtd var_lib files
##      </p>
## </desc>
## <param name="source_domain">
##      <summary>
##      Type of domain allowed access
##      </summary>
## </param>
#
interface(`tgtd_read_var_lib_files',`
        gen_require(`
                type tgtd_var_lib_t;
        ')
        files_search_var_lib($1)

        read_files_pattern($1, tgtd_var_lib_t, tgtd_var_lib_t)
')

########################################
## <summary>
##      Allowed to manage tgtd var lib files
## </summary>
## <desc>
##      <p>
##      Read and write the tgtd var lib files
##      </p>
## </desc>
## <param name="source_domain">
##      <summary>
##      Type of domain allowed access
##      </summary>
## </param>
#
interface(`tgtd_manage_var_lib',`
        gen_require(`
                type tgtd_var_lib_t;
        ')

        files_search_var_lib($1)
        manage_files_pattern($1, tgtd_var_lib_t, tgtd_var_lib_t)
        manage_dirs_pattern($1, tgtd_var_lib_t, tgtd_var_lib_t)
        manage_sock_files_pattern($1, tgtd_var_lib_t, tgtd_var_lib_t)
')

########################################
## <summary>
##      Allow domain to connect to tgtd
## </summary>
## <desc>
##      <p>
##      Connect to target daemon
##      </p>
## </desc>
## <param name="source_domain">
##      <summary>
##      Type of domain allowed access
##      </summary>
## </param>
#
interface(`tgtd_stream_connect',`
        gen_require(`
                type tgtd_t, tgtd_var_lib_t;
        ')

        stream_connect_pattern($1, tgtd_var_lib_t, tgtd_var_lib_t, tgtd_t)
')

policy_module(tgtd,1.0.0)

type tgtd_t;
type tgtd_exec_t;
init_daemon_domain(tgtd_t, tgtd_exec_t)

type tgtd_var_lib_t;
files_type(tgtd_var_lib_t)

type tgtd_etc_t;
files_config_file(tgtd_etc_t)

type tgtd_initrc_exec_t;
init_script_file(tgtd_initrc_exec_t)

type tgtd_tmp_t;
files_tmp_file(tgtd_tmp_t)

########################################
#
# tgtd script local policy
#

allow tgtd_t self:capability sys_resource;
allow tgtd_t self:fifo_file { read write };
allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:shm create_shm_perms;
allow tgtd_t self:tcp_socket create_stream_socket_perms;
allow tgtd_t self:udp_socket create_socket_perms;
allow tgtd_t self:unix_dgram_socket create_socket_perms;

manage_dirs_pattern(tgtd_t, tmp_t, tgtd_tmp_t)
manage_files_pattern(tgtd_t, tmp_t, tgtd_tmp_t)
manage_sock_files_pattern(tgtd_t, tmp_t, tgtd_tmp_t)
filetrans_pattern(tgtd_t, tmp_t, tgtd_tmp_t, { dir file sock_file })

kernel_read_fs_sysctls(tgtd_t)

corenet_all_recvfrom_netlabel(tgtd_t)
corenet_all_recvfrom_unlabeled(tgtd_t)
corenet_tcp_bind_generic_node(tgtd_t)
corenet_tcp_bind_iscsi_port(tgtd_t)
corenet_tcp_sendrecv_iscsi_port(tgtd_t)

# Probably need tgtd_tmpfs_t
fs_rw_tmpfs_files(tgtd_t)
fs_associate_tmpfs(tgtd_t)

storage_getattr_fixed_disk_dev(tgtd_t)

logging_send_syslog_msg(tgtd_t)

# Are you sure it needs this or just read?
miscfiles_rw_localization(tgtd_t)

tgtd_read_config_files(tgtd_t)
tgtd_manage_var_lib(tgtd_t)

#This should not be here, probably whatever process is running initrc_t needs its own policy.

require { type initrc_t; }

allow tgtd_t initrc_t:sem rw_shm_perms;


--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: Tgtd policy

by Dominick Grift

On Wed, 2009-10-28 at 13:28 +0000, Matthew Ife wrote:

I attached my version of the policy.

> Tgtd is an iSCSI target daemon for Linux. It's eventually going to also do
> FCoE but currently doesn't.
>
> Here's my policy for it. It needs some cleanup and I've not tested it
> with proper fixed disk devices. I assume the kernel actually does most
> of the read/write of the devices itself so the block device access I've
> given the daemon is minimal.
>
> Any feedback appreciated.

## <summary>Linux Target Framework Daemon.</summary>
## <desc>
##      <p>
## Linux target framework (tgt) aims to simplify various
## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
## and maintenance. Our key goals are the clean integration into
## the scsi-mid layer and implementing a great portion of tgt
## in user space.
##      </p>
## </desc>



policy_module(tgtd, 1.0.0)

########################################
#
# TGTD personal declarations.
#

type tgtd_t;
type tgtd_exec_t;
init_daemon_domain(tgtd_t, tgtd_exec_t)

type tgtd_initrc_exec_t;
init_script_file(tgtd_initrc_exec_t)

type tgtd_tmp_t;
files_tmp_file(tgtd_tmp_t)

type tgtd_tmpfs_t;
files_tmpfs_file(tgtd_tmpfs_t)

type tgtd_var_lib_t;
files_type(tgtd_var_lib_t)

########################################
#
# TGTD personal policy.
#

allow tgtd_t self:capability sys_resource;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
allow tgtd_t self:shm create_shm_perms;
allow tgtd_t self:tcp_socket create_socket_perms;
allow tgtd_t self:udp_socket create_socket_perms;
allow tgtd_t self:unix_dgram_socket create_socket_perms;

manage_dirs_pattern(tgtd_t, tmp_t, tgtd_tmp_t)
manage_files_pattern(tgtd_t, tmp_t, tgtd_tmp_t)
manage_sock_files_pattern(tgtd_t, tmp_t, tgtd_tmp_t)
files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { dir file sock_file })

manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)

manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })

corenet_all_recvfrom_netlabel(tgtd_t)
corenet_all_recvfrom_unlabeled(tgtd_t)

corenet_sendrecv_iscsi_server_packets(tgtd_t)

corenet_tcp_sendrecv_generic_if(tgtd_t)
corenet_tcp_sendrecv_generic_node(tgtd_t)

corenet_tcp_bind_generic_node(tgtd_t)
corenet_tcp_bind_iscsi_port(tgtd_t)

corenet_tcp_sendrecv_iscsi_port(tgtd_t)

files_read_etc_files(tgtd_t)

kernel_read_fs_sysctls(tgtd_t)

logging_send_syslog_msg(tgtd_t)

miscfiles_read_localization(tgtd_t)

storage_getattr_fixed_disk_dev(tgtd_t)


/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t, s0)
/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t, s0)
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t, s0)


Re: Relabelling issue

by Arthur Dent-6

On Wed, 2009-10-28 at 08:50 -0400, Daniel J Walsh wrote:

> On 10/28/2009 05:38 AM, Arthur Dent wrote:
> > On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:
> >> On 10/25/2009 09:01 AM, Arthur Dent wrote:
> >>> Hello all,
> >>>
> >>> I got an avc the other day that made me suspect that I might have
> >>> labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
> >>> reboot"
> >>>
> >>> The avc turned out to be unrelated to this, but I was a little surprised
> >>> to see the following errors during the relabelling process:
> >>>
> >>> SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
> >>> type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
> >>> SELinux:  Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux:  Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
> >>> type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> >>> Adding 2096440k swap on /dev/sdb10.  Priority:-1 extents:1 across:2096440k
> >>> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
> >>>
> >>>
> >>> Should I be concerned?
> >>>
> >>> Thanks for any suggestions...
> >>>
> >>> Mark
> >>>
> >>> p.s.
> >>>
> >>> Latest yum log entries:
> >>> [root@localhost ~]# cat /var/log/yum.log | grep -i selinux
> >>> Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
> >>> Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch
> >>>
> >
> >> This looks like a mismatch of policy and labels on disk.
> >>
> >>
> >> *_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these.
> >>
> >> So relabeling is probably a good idea.
> >>
> >> gamin_exec_t has disappeared.
> >
> > OK - I finally got round to doing another relabel - this time in
> > permissive mode (I wanted to watch for error messages and couldn't face
> > the thought of sitting watching little asterisks march across the screen
> > until today).
> >
> > Unfortunately I get exactly the same messages during the relabelling
> > process:
> > SELinux: initialized (dev sdb6, type ext3), uses xattr
> > SELinux: initialized (dev sdb11, type vfat), uses genfs_contexts
> > SELinux: initialized (dev sdb12, type vfat), uses genfs_contexts
> > fuse init (API version 7.11)
> > SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
> > SELinux:  Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux:  Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
> > Adding 2096440k swap on /dev/sdb10.  Priority:-1 extents:1 across:2096440k
> > SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
> >
> > So now I'm not sure what to do - just ignore it and wait until I rebuild
> > with Fedora 12 - or do something now?
> >
> > Thanks for any advice...
> >
> > Mark
> If you do a load_policy do you see these messages?
>
> What version of policy and which version of the OS are you using?
>
Hi Daniel,

Thanks for helping...

If you look a little further up this thread you will see that I am using
Fedora 11 and...

>Latest yum log entries:
>[root@localhost ~]# cat /var/log/yum.log | grep -i selinux
>Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
>Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch

I have not come across "load_policy" before. I just typed "load_policy"
on the command line (as root) and got no errors and no feedback at all.

From reading the man page for load_policy I presume that this means exit
status 0 - and therefore that all is well with the command?

What next?

Thanks for the help so far...

Mark




Re: Relabelling issue

by Daniel J Walsh

On 10/28/2009 11:14 AM, Arthur Dent wrote:

> I have not come across "load_policy" before. I just typed "load_policy"
> on the command line (as root) and got no errors and no feedback at all.
>
> From reading the man page for load_policy I presume that this means exit
> status 0 - and therefore that all is well with the command?
>
> What next?
I guess now reboot and see if you see these errors.


Re: Relabelling issue

by Arthur Dent-6

On Wed, 2009-10-28 at 13:23 -0400, Daniel J Walsh wrote:
> I guess now reboot and see if you see these errors.
Do you mean just reboot, or touch /.autorelabel; reboot ?




Re: Relabelling issue

by Daniel J Walsh

On 10/28/2009 01:31 PM, Arthur Dent wrote:

> On Wed, 2009-10-28 at 13:23 -0400, Daniel J Walsh wrote:
>> I guess now reboot and see if you see these errors.
>
> Do you mean just reboot, or touch /.autorelabel; reboot ?
Just reboot.


Re: Relabelling issue

by Arthur Dent-6

On Wed, 2009-10-28 at 13:46 -0400, Daniel J Walsh wrote:

> On 10/28/2009 01:31 PM, Arthur Dent wrote:
> > On Wed, 2009-10-28 at 13:23 -0400, Daniel J Walsh wrote:
> >> I guess now reboot and see if you see these errors.
> >
> > Do you mean just reboot, or touch /.autorelabel; reboot ?
> Just reboot.
No errors listed (nothing in dmesg) after a reboot. Do I try a relabel
again now?




Re: Relabelling issue

by Daniel J Walsh

On 10/28/2009 01:54 PM, Arthur Dent wrote:

> On Wed, 2009-10-28 at 13:46 -0400, Daniel J Walsh wrote:
>> On 10/28/2009 01:31 PM, Arthur Dent wrote:
>>> On Wed, 2009-10-28 at 13:23 -0400, Daniel J Walsh wrote:
>>>> I guess now reboot and see if you see these errors.
>>>
>>> Do you mean just reboot, or touch /.autorelabel; reboot ?
>> Just reboot.
>
> No errors listed (nothing in dmesg) after a reboot. Do I try a relabel
> again now?
I think you will be fine.  You could execute

restorecon -R -v /etc/init.d

And see if it reports anything.


Re: Relabelling issue

by Arthur Dent-6

On Wed, 2009-10-28 at 13:57 -0400, Daniel J Walsh wrote:

> I think you will be fine.  You could execute
>
> restorecon -R -v /etc/init.d
>
> And see if it reports anything.

Well that reports nothing...

So I think I'll leave it at that, and just wait until I'm ready to
rebuild with F12 (probably around Xmas time).

I feel reassured now. Thanks for all your help!

Best regards

Mark
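
The diagnosis given in this thread (labels on disk naming types the loaded policy no longer defines, most of them *_script_exec_t types that were renamed to *_initrc_exec_t) can be checked mechanically against saved kernel log text. The script below is an added example, not code from any poster in the thread; its function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify "left unmapped" contexts
# found in kernel log text by the rename described in the thread.

# Constructed sample input, modelled on the log lines quoted in the thread.
sample_log() {
cat <<'EOF'
SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
SELinux:  Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
SELinux:  Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
Adding 2096440k swap on /dev/sdb10.  Priority:-1 extents:1 across:2096440k
EOF
}

# Print the type (third colon-separated field) of every unmapped context
# read from stdin, one per line, de-duplicated in first-seen order.
# The leading ".*" tolerates dmesg timestamps or mail quote prefixes.
unmapped_types() {
    sed -n 's/^.*SELinux: *Context \([^ ]*\) is not valid (left unmapped)\.$/\1/p' |
        awk -F: 'NF >= 3 && !seen[$3]++ { print $3 }'
}

# For each unmapped type print "old new" when it matches the
# *_script_exec_t -> *_initrc_exec_t rename, or "old -" when the thread
# names no replacement (for example a type dropped from the policy).
classify_unmapped() {
    unmapped_types | while IFS= read -r t; do
        case $t in
            *_script_exec_t)
                printf '%s %s\n' "$t" "${t%_script_exec_t}_initrc_exec_t" ;;
            *)
                printf '%s -\n' "$t" ;;
        esac
    done
}

# Count entries in each class: prints "renamed=N dropped=M".
summarize_unmapped() {
    classify_unmapped | awk '
        $2 == "-" { dropped++; next }
                  { renamed++ }
        END { printf "renamed=%d dropped=%d\n", renamed, dropped }'
}

sample_log | classify_unmapped
sample_log | summarize_unmapped
```

On a live system the same functions can read `dmesg` output instead of the sample; entries reported as renamed are the ones a relabel against the current policy rewrites, which is what the `restorecon -R -v /etc/init.d` check confirms.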



