On 04/16/2010 01:51 AM, Paul Ward wrote:
I have run the command as follows but I am still getting the permission issues.
Apr 16 11:48:13 sargas snmpd[23987]: /home/work/exports: Permission denied
# restorecon -v /home/work/exports
restorecon reset context /home/work/exports:->system_u:object_r:user_home_t
Without the -R switch only the directory itself will be labeled. I'm pretty sure you want to run restorecon as suggested by dwalsh.
What does 'ausearch -m -ts recent' tell? You can pipe the output to audit2why or audit2allow like:
ausearch -m avc -ts recent | audit2why
ausearch -m avc -ts recent | audit2allow -M mysnmp
The latter will generate a loadable module. There is some documentation at [1] about creating and loading your own modules.
[1] http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/sect-Security-Enh...
ls -lZd /home/work/exports
drwxrwxr-x oracle dba system_u:object_r:user_home_t /home/work/exports
What's next? Do I need to restart something?
On 16 April 2010 11:11, Sandro Janke gui1ty_fedora@penguinpee.nl wrote:
On 04/16/2010 12:33 AM, Paul Ward wrote:
What does 'rpm -qv selinux-policy-targeted' say? What are the settings in /etc/selinux/config?
My server shows the following selinux packages.
selinux-policy-targeted-1.17.30-2.152.el4
selinux-policy-targeted-sources-1.17.30-2.152.el4
I have run:
snmpwalk -v 2c -c public .iso
cd /etc/selinux/targeted/src/policy
audit2allow -d -l -o domains/misc/local.te
make load
Until no more errors were found, this fixed the original errors from selinux, but not the permissions.
Try running restorecon -R -v /home
If I run
restorecon -R -v /home
Would this affect a running production server, or should I do this in a maintenance window?
Well, you can try to run it with the -n switch first to show you what would happen. According to the man page: "It can be run at any time to correct errors..."
On 15 April 2010 19:05, Sandro Janke gui1ty_fedora@penguinpee.nl wrote:
On 04/15/2010 06:49 AM, Paul Ward wrote:
Hi all,
I am sure this comes up a lot but have spent hours trying to find the answers with no success apart from disabling selinux which I don't want to do.
Apr 15 16:48:26 sargas snmpd[23987]: /home/appl: Permission denied
The following filesystems are mounted with same issue.
/dev/sda7 3.9G 427M 3.3G 12% /home/appl
/dev/sda6 4.0G 2.7G 1.2G 71% /home/users
/dev/sda8 3.9G 2.5G 1.2G 68% /home/work
ls -ldZ /home/appl/
drwxr-xr-x root root /home/appl/
This shows that the directory has not been labeled, yet.
/usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Could it be that you don't have any policy package installed?
What does 'rpm -qv selinux-policy-targeted' say? What are the settings in /etc/selinux/config?
What do I need to do to fix this, chcon? If so, what is the full command / context to enter?
Thanks
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I have just run the command with : restorecon -R -v /home/work/exports
I am still getting errors though.
Apr 16 12:24:28 sargas snmpd[23987]: /home/users: Permission denied
Apr 16 12:24:28 sargas snmpd[23987]: /home/work: Permission denied
Apr 16 12:24:28 sargas snmpd[23987]: /home/work/exports: Permission denied
I should add ausearch found nothing.
ausearch -m avc -ts recent
<no matches>
The problem you are seeing is dontaudit rules. snmp is not allowed to read content within the users home dirs. If you want to turn off dontaudit rules you can by executing
semodule -DB
semodule -B
Will turn the rules back on.
Hi Daniel,
Thanks for your reply, looks like that may be what I need. :)
I assume again this won't upset the running of the machine when this is performed?
Also is this change persistent after reboots?
Is there a way for making a new policy to allow the required actions instead of removing the dontaudit altogether?
many thanks
On 04/18/2010 11:11 PM, Paul Ward wrote:
Hi Daniel,
Thanks for your reply, looks like that may be what I need. :)
I assume again this won't upset the running of the machine when this is performed?
Also is this change persistent after reboots?
Is there a way for making a new policy to allow the required actions instead of removing the dontaudit altogether?
many thanks
Yes, you can add the new rules using audit2allow
grep AVC /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
Will add the rules.
semodule -B
Will turn back on the dontaudit rules.
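audit2allow turns every denial it is fed into an allow rule, so it is worth seeing what is in the log before building mypol from it. The following is an added example, not part of the thread: a shell function that summarises AVC denials for one command by source type, target type, class and permission. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Names and log lines are constructed.

# sample_log: constructed audit.log excerpt, standing in for the real
# /var/log/audit/audit.log once the hidden denials are being logged.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1271413693.101:41): avc:  denied  { getattr } for  pid=23987 comm="snmpd" name="appl" dev=sda7 ino=2 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1271413693.102:42): avc:  denied  { getattr } for  pid=23987 comm="snmpd" name="work" dev=sda8 ino=2 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1271413693.103:43): avc:  denied  { read } for  pid=23987 comm="snmpd" name="exports" dev=sda8 ino=12 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1271413700.200:44): avc:  denied  { read write } for  pid=4100 comm="httpd" name="x" dev=sda8 ino=13 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1271413693.103:43): arch=40000003 syscall=5 success=no comm="snmpd"
EOF
}

# summarize_avc COMM: read audit log lines on stdin and print, per distinct
# denial for that command: count source_type target_type class permissions
summarize_avc() {
    awk -v want="$1" '
    # The type is the third field of user:role:type[:level].
    function ctx_type(c,   parts) { split(c, parts, ":"); return parts[3] }
    /avc:/ && /denied/ {
        comm = ""; src = ""; tgt = ""; cls = ""; perms = ""
        # Permissions sit between the braces, e.g. { read write }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "comm") { gsub(/"/, "", val); comm = val }
            else if (key == "scontext") src = ctx_type(val)
            else if (key == "tcontext") tgt = ctx_type(val)
            else if (key == "tclass") cls = val
        }
        if (comm == want) seen[src " " tgt " " cls " " perms]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

sample_log | summarize_avc snmpd
```

On a real host the input would be the output of grep AVC /var/log/audit/audit.log. Denials from other commands, or permissions broader than the daemon needs, are a reason to filter the input before piping it to audit2allow.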