Daniel J Walsh wrote:
David Timms wrote:
AFAICS, I haven't made any configs to sendmail, yet I've started to get lots of AVC warnings in setroubleshoot, of three particular types:
1:========
Summary
SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files (<Unknown>).
Detailed Description
SELinux has denied /usr/sbin/sendmail.sendmail access to potentially mislabeled file(s) (<Unknown>). This means that SELinux will not allow
A postinstall script has ruined the labeling on your /etc/services file.
# restorecon -v /etc/services will fix
# ls -lZ /etc/services
-rw-r--r-- root root unconfined_u:object_r:rpm_script_tmp_t /etc/services
Yes, you are correct.
# restorecon -v /etc/services
restorecon reset /etc/services context unconfined_u:object_r:rpm_script_tmp_t:s0->system_u:object_r:etc_t:s0
I guess experience rather than reading the troubleshoot message led you to /etc/services ?
If you have any idea which rpm did this, I would like to know.
yum.logs--- I'll try to narrow it down, not sure how. I can't remember now exactly what I was doing around the date that it started occurring.
===
Jan 27 18:17:06 Installed: apr-util - 1.2.10-2.fc8.i386
Jan 27 18:17:10 Installed: subversion - 1.4.4-7.i386
Jan 27 18:21:36 Installed: libxkbfile - 1.0.4-3.fc8.i386
Jan 27 18:21:37 Installed: xorg-x11-xkb-utils - 7.2-3.fc8.i386
Jan 27 18:23:39 Installed: wireshark - 0.99.7-2.fc8.i386
Jan 27 18:25:58 Installed: torcs-data - 1.3.0-2.noarch
Jan 27 18:26:58 Installed: libgnomeui-devel - 2.20.1.1-1.fc8.i386
Jan 27 18:30:28 Installed: libcaca - 0.99-0.3.beta11.fc8.i386
Jan 27 18:30:31 Installed: xine - 0.99.5-1.fc7.i386
Jan 27 18:33:26 Installed: gettext - 0.16.1-12.fc8.i386
Jan 27 18:33:27 Installed: redhat-lsb - 3.1-19.fc8.i386
Jan 27 18:34:23 Installed: bluez-libs - 3.20-1.fc8.i386
Jan 27 18:34:25 Installed: gnokii - 0.6.18-3.fc8.i386
Jan 27 18:37:01 Installed: ffmpeg - 0.4.9-0.8.20070530.fc7.i386
Jan 27 18:42:45 Installed: indent - 2.2.9-16.fc7.i386
Jan 27 18:48:09 Erased: perl-LDAP
Jan 27 18:50:05 Installed: fuse - 2.7.0-8.fc8.i386
Jan 27 18:51:32 Erased: audacity
Jan 27 18:52:00 Installed: compat-wxGTK26 - 2.6.4-0.8.i386
Jan 27 18:52:03 Installed: audacity - 1.3.2-17.fc8.i386
Jan 27 18:53:02 Erased: dvdrip
Jan 27 18:53:04 Erased: subtitleripper
Jan 27 18:53:06 Erased: transcode
Jan 27 18:53:43 Installed: ffmpeg-libpostproc - 0.4.9-0.8.20070530.fc7.i386
Jan 27 18:53:48 Installed: transcode - 1.0.3-1.fc7.i386
Jan 27 18:54:20 Erased: x264-devel
Jan 27 18:54:47 Installed: x264-devel - 0.0.0-0.3.20070529.fc7.i386
Jan 27 18:55:25 Erased: timmsy-servers
Jan 27 18:59:20 Erased: gkrellm
Jan 27 18:59:26 Erased: timmsy-apps
Jan 27 18:59:58 Installed: lm_sensors - 2.10.5-1.fc8.i386
Jan 27 19:00:00 Installed: gkrellm - 2.3.0-4.fc8.i386
Jan 27 19:02:23 Erased: faad2-devel
Jan 27 19:02:55 Installed: setroubleshoot-server - 1.10.7-1.fc8.noarch
Jan 27 19:03:31 Erased: ocsinventory-client
Jan 27 19:05:47 Installed: lincity-ng-data - 1.1.1-2.fc8.i386
Jan 27 19:10:25 Installed: libquicktime - 1.0.0-1.fc7.i386
Jan 27 19:11:45 Installed: tcl - 1:8.4.15-5.fc8.i386
Jan 27 19:11:49 Installed: ppracer - 0.3.1-13.fc8.i386
Jan 27 19:14:09 Erased: perl-AnyEvent
Jan 27 19:14:10 Erased: perl-Event-ExecFlow
Jan 27 19:14:11 Erased: perl-Coro
Jan 27 19:15:04 Erased: perl-Net-Jabber
Jan 27 19:15:06 Erased: perl-SOAP-Lite
Jan 27 20:02:54 Installed: thunderbird-debuginfo - 2.0.0.9-1.fc8.i386
Jan 27 21:30:09 Erased: thunderbird
Jan 27 21:35:35 Installed: thunderbird - 2.0.0.9-1.fc8.i386
Jan 27 22:31:47 Installed: tetex-fonts - 3.0-44.3.fc8.i386
----started here for one of the 3. Yum log was rolled over at this time as well.
Jan 27 22:37:03 Installed: pulseaudio-libs - 0.9.8-5.fc8.i386
Jan 27 22:41:21 Installed: dialog - 1.1-2.20070704.fc8.i386
Jan 27 22:44:43 Installed: fedora-screensaver-theme - 1.0.0-1.fc8.noarch
Jan 27 22:46:53 Installed: SDL - 1.2.13-1.fc8.i386
Jan 27 23:06:07 Erased: libswscale0
Jan 27 23:09:38 Erased: kernel-devel
Jan 27 23:09:43 Erased: timmsy-development
Jan 28 00:04:30 Updated: pulseaudio-core-libs - 0.9.8-5.fc8.i386
Jan 28 00:04:33 Updated: glib-java - 0.2.6-10.fc8.i386
Jan 28 00:04:36 Updated: pulseaudio - 0.9.8-5.fc8.i386
Jan 28 00:04:38 Updated: cairo-java - 1.0.5-8.fc8.i386
Jan 28 00:04:40 Updated: libgtk-java - 2.8.7-5.fc8.i386
Jan 28 00:04:40 Updated: pulseaudio-module-x11 - 0.9.8-5.fc8.i386
Jan 28 00:04:41 Updated: pulseaudio-libs-zeroconf - 0.9.8-5.fc8.i386
Jan 28 00:04:42 Updated: glew - 1.4.0-5.fc8.i386
Jan 28 00:04:43 Updated: libbeagle - 0.2.18-4.fc8.i386
Jan 28 00:05:03 Updated: allegro - 4.2.2-7.fc8.i386
Jan 28 00:05:03 Updated: pulseaudio-libs-glib2 - 0.9.8-5.fc8.i386
Jan 28 00:05:05 Updated: libgconf-java - 2.12.4-9.fc8.i386
Jan 28 00:05:06 Updated: xterm - 231-1.fc8.i386
Jan 28 00:05:07 Updated: pulseaudio-esound-compat - 0.9.8-5.fc8.i386
Jan 28 00:05:50 Installed: kernel - 2.6.23.14-107.fc8.i686
Jan 28 00:05:51 Updated: hwdata - 0.215-1.fc8.noarch
Jan 28 00:05:52 Updated: pulseaudio-module-gconf - 0.9.8-5.fc8.i386
Jan 28 00:05:53 Updated: pulseaudio-utils - 0.9.8-5.fc8.i386
Jan 28 00:05:56 Updated: liberation-fonts - 1.0-1.fc8.noarch
Jan 28 00:06:08 Updated: docbook-style-xsl - 1.73.2-5.fc8.noarch
Jan 28 00:06:08 Updated: python-turbokid - 1.0.4-1.fc8.noarch
Jan 28 00:06:09 Updated: logrotate - 3.7.6-2.2.fc8.i386
Jan 28 00:06:17 Updated: kernel-headers - 2.6.23.14-107.fc8.i386
Jan 28 00:31:15 Installed: kernel-devel - 2.6.23.14-107.fc8.i686
Jan 28 10:13:10 Installed: memtest86+ - 1.70-4.fc8.i386
Jan 30 20:09:14 Updated: bash - 3.2-20.fc8.i386
Jan 30 20:09:18 Updated: libacl - 2.2.39-13.fc8.i386
On Tue, 05 Feb 2008 08:23:43 +1100 David Timms dtimms@iinet.net.au wrote:
Daniel J Walsh wrote:
David Timms wrote:
AFAICS, I haven't made any configs to sendmail, yet I've started to get lots of AVC warnings in setroubleshoot, of three particular types:
1:========
Summary
SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files (<Unknown>).
Detailed Description
SELinux has denied /usr/sbin/sendmail.sendmail access to potentially mislabeled file(s) (<Unknown>). This means that SELinux will not allow
A postinstall script has ruined the labeling on your /etc/services file.
# restorecon -v /etc/services will fix
# ls -lZ /etc/services
-rw-r--r-- root root unconfined_u:object_r:rpm_script_tmp_t /etc/services
Yes, you are correct.
# restorecon -v /etc/services
restorecon reset /etc/services context unconfined_u:object_r:rpm_script_tmp_t:s0->system_u:object_r:etc_t:s0
I guess experience rather than reading the troubleshoot message led you to /etc/services ?
If you have any idea which rpm did this, I would like to know.
yum.logs--- I'll try to narrow it down, not sure how. I can't remember now exactly what I was doing around the date that it started occurring. ===
Might you have installed VMware? Mangling the context of /etc/services to rpm_script_tmp_t is a long-standing bug in the VMware package scripts.
Paul.
Paul Howarth wrote:
Might you have installed VMware?
Correct.
Mangling the context of /etc/services to rpm_script_tmp_t is a long-standing bug in the VMware package scripts.
# ls -lZ /etc/serv*
-rw-r--r-- root root system_u:object_r:etc_t /etc/services
# rpm -Uvh --replacepkgs VMware-server-1.0.4-56528.i386.rpm
Preparing... ########################################### [100%]
1:VMware-server ########################################### [100%]
# ls -lZ /etc/serv*
-rw-r--r-- root root unconfined_u:object_r:rpm_script_tmp_t /etc/services
Searching the vmware forums found the identical cause leading to slightly different selinux symptoms - logging not working, and a comment from myself in there: http://communities.vmware.com/message/856343#856343 referencing: http://www.redhat.com/archives/fedora-list/2007-April/msg00780.html ,794
and another on using vmware-server with F8: http://communities.vmware.com/message/856343#856343 which didn't stop me, but helped others.
Actually, I submitted a vmware "defect report" to this effect.
A secondary question: is there a way in which troubleshoot browser could be improved to point the finger at the correct cause / solution ? Or is the effort best spent in getting vmware to script the install more carefully ?
DaveT. "short memory, must have a, short memory" - midnight oil
David Timms wrote:
Paul Howarth wrote:
Might you have installed VMware?
Correct.
Mangling the context of /etc/services to rpm_script_tmp_t is a long-standing bug in the VMware package scripts.
# ls -lZ /etc/serv*
-rw-r--r-- root root system_u:object_r:etc_t /etc/services
# rpm -Uvh --replacepkgs VMware-server-1.0.4-56528.i386.rpm
Preparing... ########################################### [100%]
1:VMware-server ########################################### [100%]
# ls -lZ /etc/serv*
-rw-r--r-- root root unconfined_u:object_r:rpm_script_tmp_t /etc/services
Searching the vmware forums found the identical cause leading to slightly different selinux symptoms - logging not working, and a comment from myself in there: http://communities.vmware.com/message/856343#856343 referencing: http://www.redhat.com/archives/fedora-list/2007-April/msg00780.html ,794
and another on using vmware-server with F8: http://communities.vmware.com/message/856343#856343 which didn't stop me, but helped others.
Actually, I submitted a vmware "defect report" to this effect.
A secondary question: is there a way in which troubleshoot browser could be improved to point the finger at the correct cause / solution ? Or is the effort best spent in getting vmware to script the install more carefully ?
DaveT. "short memory, must have a, short memory" - midnight oil
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You can also use restorecond to watch this file in the future.
Daniel J Walsh wrote:
David Timms wrote:
Paul Howarth wrote:
Might you have installed VMware?
Correct.
Mangling the context of /etc/services to rpm_script_tmp_t is a long-standing bug in the VMware package scripts.
# ls -lZ /etc/serv*
-rw-r--r-- root root system_u:object_r:etc_t /etc/services
# rpm -Uvh --replacepkgs VMware-server-1.0.4-56528.i386.rpm
Preparing... ########################################### [100%]
1:VMware-server ########################################### [100%]
# ls -lZ /etc/serv*
-rw-r--r-- root root unconfined_u:object_r:rpm_script_tmp_t /etc/services
Searching the vmware forums found the identical cause leading to slightly different selinux symptoms - logging not working, and a comment from myself in there: http://communities.vmware.com/message/856343#856343 referencing: http://www.redhat.com/archives/fedora-list/2007-April/msg00780.html ,794
and another on using vmware-server with F8: http://communities.vmware.com/message/856343#856343 which didn't stop me, but helped others.
Actually, I submitted a vmware "defect report" to this effect.
A secondary question: is there a way in which troubleshoot browser could be improved to point the finger at the correct cause / solution ? Or is the effort best spent in getting vmware to script the install more carefully ?
DaveT. "short memory, must have a, short memory" - midnight oil
You can also use restorecond to watch this file in the future.
Or even better use xen or qemu for free :^)
David Timms wrote:
Daniel J Walsh wrote:
David Timms wrote:
AFAICS, I haven't made any configs to sendmail, yet I've started to get lots of AVC warnings in setroubleshoot, of three particular types:
1:========
Summary
SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files (<Unknown>).
Detailed Description
SELinux has denied /usr/sbin/sendmail.sendmail access to potentially mislabeled file(s) (<Unknown>). This means that SELinux will not allow
A postinstall script has ruined the labeling on your /etc/services file.
# restorecon -v /etc/services will fix
# ls -lZ /etc/services
-rw-r--r-- root root unconfined_u:object_r:rpm_script_tmp_t /etc/services
Yes, you are correct.
# restorecon -v /etc/services
restorecon reset /etc/services context unconfined_u:object_r:rpm_script_tmp_t:s0->system_u:object_r:etc_t:s0
I guess experience rather than reading the troubleshoot message led you to /etc/services ?
Yes, although this is actually a bug in audit/setroubleshoot that is causing the target mislabeled file to be <Unknown>. If the framework had actually specified /etc/services, one of the plugins does a matchpathcon on the file and sees that the file context differs from the default and sets it correctly. Please report this as a bug on setroubleshoot and include the audit messages so we can see why setroubleshoot failed.
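The before/after check run by hand around the VMware install earlier in the thread (ls -lZ, rpm -Uvh, ls -lZ), extended to a whole directory so the package that mangles a label can be identified. This is an added example, not part of the original thread; it assumes GNU find and GNU stat, and the function names and sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Typical use around one package install:
#   snapshot_contexts /etc > before.txt
#   rpm -Uvh <package>.rpm
#   snapshot_contexts /etc > after.txt
#   changed_contexts before.txt after.txt

# Print "<context> <path>" for each regular file directly inside directory $1.
# Assumes GNU find and GNU stat (%C = SELinux security context).
snapshot_contexts() {
    find "$1" -maxdepth 1 -type f -exec stat -c '%C %n' {} + | sort -k2
}

# Compare two snapshots and print "<path> <old> -> <new>" for every file whose
# context changed; a new type of rpm_script_tmp_t (the label seen in this
# thread) is marked so scriptlet damage stands out.
changed_contexts() {
    awk '
        { ctx = $1; path = substr($0, length($1) + 2) }   # path may contain spaces
        NR == FNR { before[path] = ctx; next }            # first file: old labels
        (path in before) && before[path] != ctx {
            split(ctx, f, ":")                            # user:role:type[:level]
            note = (f[3] == "rpm_script_tmp_t") ? " [scriptlet temp label]" : ""
            printf "%s %s -> %s%s\n", path, before[path], ctx, note
        }
    ' "$1" "$2"
}

# Constructed snapshots modelled on the ls -lZ output quoted in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'system_u:object_r:etc_t:s0 /etc/services' \
        'system_u:object_r:etc_t:s0 /etc/protocols' > "$dir/before"
    printf '%s\n' \
        'unconfined_u:object_r:rpm_script_tmp_t:s0 /etc/services' \
        'system_u:object_r:etc_t:s0 /etc/protocols' > "$dir/after"
    changed_contexts "$dir/before" "$dir/after"
    rm -rf "$dir"
}

demo
```

Any path it reports can then be reset with restorecon -v, as shown earlier in the thread.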