Hi all,
I think I give up... no way to get my SELinux system working as it should. For the moment, I've just disabled it.
I've tried everything, but nothing... What's strange is that I've these problems only on a machine where I updated from FC1 to FC3. Other machines where I installed FC3 from scratch I've no problems at all.
j3d.
On Tue, 2004-12-14 at 11:59 +0100, Giuseppe Greco wrote:
Hi all,
I think I give up... no way to get my SELinux system working as it should. For the moment, I've just disabled it.
Was your problem only with squid? Did you just turn off the squid Boolean (in system-config-securitylevel or with setsebool)? Or did you have to disable SELinux entirely?
If you can, it is recommended to leave SELinux running and disable it only for the daemon you are having problems with.
I've tried everything, but nothing... What's strange is that I've these problems only on a machine where I updated from FC1 to FC3. Other machines where I installed FC3 from scratch I've no problems at all.
I'm working with an FC1 -> FC3 upgrade (via Anaconda), and although I'm not having SELinux problems, I do have other instabilities. I think that's a fairly big leap to be taking, so it's not surprising that some older, remaining packages are causing me problems. This seems to be a unique situation -- the delta between FC1 and FC3 is much larger than usual.
- Karsten
On Tue, 2004-12-14 at 05:08 -0800, Karsten Wade wrote:
On Tue, 2004-12-14 at 11:59 +0100, Giuseppe Greco wrote:
Hi all,
I think I give up... no way to get my SELinux system working as it should. For the moment, I've just disabled it.
Was your problem only with squid?
No, I've also problems with squirrelmail when trying to send emails with attachments (simple emails without attachments are OK):
audit(1102761151.989:0): avc denied { search } for pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1102761496.288:0): avc denied { getattr } for pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
Did you just turn off the squid Boolean (in system-config-securitylevel or with setsebool)? Or did you have to disable SELinux entirely?
I've disabled SELinux entirely in /etc/selinux/config by setting SELINUX=disabled...
If you can, it is recommended to leave SELinux running and disable it only for the daemon you are having problems with.
Yes, that could be a much better idea...
I've tried everything, but nothing... What's strange is that I've these problems only on a machine where I updated from FC1 to FC3. Other machines where I installed FC3 from scratch I've no problems at all.
I'm working with an FC1 -> FC3 upgrade (via Anaconda), and although I'm not having SELinux problems, I do have other instabilities. I think that's a fairly big leap to be taking, so it's not surprising that some older, remaining packages are causing me problems. This seems to be a unique situation -- the delta between FC1 and FC3 is much larger than usual.
What could be the solution? Back up the configuration and reinstall FC3 from scratch?
Thanks, j3d.
- Karsten
No, I've also problems with squirrelmail when trying to send emails with attachments (simple emails without attachments are OK):
I had a problem like this and the attachment dir (/var/spool/squirrelmail/attach/) had the wrong permissions. I changed the permissions and everything worked as expected with SELinux enabled and enforcing. I think the squirrelmail rpm is not setting the correct permissions on that dir.
Below is a note of the squirrelmail config script:
-------------------------------
Note: There are a few security considerations regarding this directory:
1. It should have the permission 733 (rwx-wx-wx) to make it impossible for a random person with access to the webserver to list files in this directory. Confidential data might be laying around in there. Depending on your user:group assignments, 730 (rwx-wx---) may be possible, and more secure (e.g. root:apache)
2. Since the webserver is not able to list the files in the content is also impossible for the webserver to delete files lying around there for too long.
3. It should probably be another directory than the data directory specified in option 3.
--------------------------------
Maybe this helps,
Marcio
On Wed, Dec 15, 2004 at 10:55:34AM -0200, Márcio da Rós Gomes wrote:
No, I've also problems with squirrelmail when trying to send emails with attachments (simple emails without attachments are OK):
I had a problem like this and the attachment dir (/var/spool/squirrelmail/attach/) had the wrong permissions. I changed the permissions and everything worked as expected with SELinux enabled and enforcing. I think the squirrelmail rpm is not setting the correct permissions on that dir.
The permissions of /var/spool/squirrelmail/attach should be correct out of the box. The policy didn't allow writing to this directory but that was fixed recently, it should be in the current or next update of the FC3 targeted policy package. If not, please file a bug!
Regards,
joe
selinux@lists.fedoraproject.org
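
Added example, not part of any message in this thread: a small Python parser that groups AVC denials such as the two quoted above by source type, target type and object class, giving the summary one would attach when filing the policy bug suggested in the last reply. The function names are hypothetical, the sample lines are the two from the thread, and field values containing spaces are assumed not to occur.

```python
import re
from collections import defaultdict

# The two denials quoted in the thread (FC3-era kernel audit format).
SAMPLE_LOG = """\
audit(1102761151.989:0): avc denied { search } for pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1102761496.288:0): avc denied { getattr } for pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\):\s+avc:?\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)

def _type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or unrelated record
    return {
        "perms": set(m.group("perms").split()),
        "exe": fields.get("exe", "?").strip('"'),
        "object": (fields.get("path") or fields.get("name", "?")).strip('"'),
        "key": (_type(fields["scontext"]), _type(fields["tcontext"]), fields["tclass"]),
    }

def summarize(log_text):
    """Group denials by (source type, target type, class) and merge their details."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "exes": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[d["key"]]
        g["perms"] |= d["perms"]
        g["objects"].add(d["object"])
        g["exes"].add(d["exe"])
    return dict(groups)

def render(groups):
    """One report line per group, e.g. 'httpd_t -> var_spool_t:dir { getattr search } ...'."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }} "
            f"exe={','.join(sorted(g['exes']))} objects={','.join(sorted(g['objects']))}"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE_LOG))))
```
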