Hi.
I'm seeing lots of these alerts in rawhide. Is this "normal" or is it a gnome or selinux issue or is my system problematic?
Valent.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Sat, Mar 22, 2008 at 12:20 AM, Daniel J Walsh dwalsh@redhat.com wrote:
Well you are logging in as root via XWindows which is not a good idea and we do not plan to fix the policy for this. Since it is such a bad idea, and would break any security we have tried to add to SELinux to eliminate the AVC. You also set up the user to log in via user_t?
I'm not logging in as root to gnome.
Valent.
On Sat, Mar 22, 2008 at 12:14 PM, Daniel J Walsh dwalsh@redhat.com wrote:
Well the AVC says
host=valent.lan type=AVC msg=audit(1206099072.482:443): avc: denied { rename } for pid=13738 comm="gconfd-2" name="saved_state.tmp" dev=sda9 ino=865370 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:admin_home_t:s0 tclass=file
host=valent.lan type=SYSCALL msg=audit(1206099072.482:443): arch=40000003 syscall=38 success=yes exit=0 a0=9f59b20 a1=9f57118 a2=0 a3=5 items=0 ppid=1 pid=13738 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=user_u:user_r:user_t:s0 key=(null)
admin_home_t is the label of /root
So either you have a labeling problem or you have gconfd-2 trying to relabel saved_state.tmp which is labeled the root directory label admin_home_t
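The triage applied to the two audit records above, as an added example that is not part of the original thread: it joins the AVC and SYSCALL records by event ID and reports the fields the reply reasons from. The function names and the wording of the notes are assumptions of this example.

```python
import re

# The two records quoted in the thread; they share one audit event ID.
RECORDS = [
    'host=valent.lan type=AVC msg=audit(1206099072.482:443): avc: denied { rename } for pid=13738 comm="gconfd-2" name="saved_state.tmp" dev=sda9 ino=865370 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:admin_home_t:s0 tclass=file',
    'host=valent.lan type=SYSCALL msg=audit(1206099072.482:443): arch=40000003 syscall=38 success=yes exit=0 a0=9f59b20 a1=9f57118 a2=0 a3=5 items=0 ppid=1 pid=13738 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=user_u:user_r:user_t:s0 key=(null)',
]

EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def correlate(lines):
    """Group audit records by event ID: {event_id: {record_type: fields}}."""
    events = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        avc = AVC_RE.search(line)
        if avc:
            fields['result'] = avc.group(1)
            fields['perms'] = avc.group(2).split()
        events.setdefault(m.group(1), {})[fields.pop('type', 'UNKNOWN')] = fields
    return events

def triage(event):
    """Summarise one event from its AVC record plus the matching SYSCALL record."""
    avc, sc = event.get('AVC', {}), event.get('SYSCALL', {})
    if 'scontext' not in avc or 'tcontext' not in avc:
        return None  # no AVC record in this event
    # Context layout is user:role:type:level; the type is the third field.
    summary = {
        'comm': avc.get('comm'),
        'perms': avc.get('perms', []),
        'source_type': avc['scontext'].split(':')[2],
        'target_type': avc['tcontext'].split(':')[2],
        'notes': [],
    }
    # auid is the login uid; 4294967295 means it was never set.
    if sc.get('uid') == '0' and sc.get('auid') not in (None, '0', '4294967295'):
        summary['notes'].append('runs as uid 0, login uid is ' + sc['auid'])
    if summary['target_type'] == 'admin_home_t':
        summary['notes'].append('target has the /root label admin_home_t')
    if avc.get('result') == 'denied' and sc.get('success') == 'yes':
        summary['notes'].append('denial logged but syscall succeeded (not enforced)')
    return summary

if __name__ == '__main__':
    for event_id, event in correlate(RECORDS).items():
        print(event_id, triage(event))
```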
I relabeled my system 2 times in the last few days and I'm not running gnome as root. I don't know why I'm seeing this alert and that is why I'm sending you this email.
Valent.
I'm seeing it in F8 and also in F9 Beta.
Here are the latest ones from F8.
I'll reboot to F9 beta and send those also.
Valent.
On Sun, 2008-03-23 at 07:34 -0400, Daniel J Walsh wrote:
I believe you have some stuff out in /tmp that is causing this. /tmp is not cleaned up on a relabel.
/me had great trouble with this in the past. Any way /.autorelabel can just blow away /tmp/* altogether? Didn't it do that once upon a time?
-Eric
After a suggestion from Dan in another thread I've changed my rawhide systems to use tmpfs for /tmp and it's working very nicely. I have had no problems with it other than needing to manually define a tmp location for nautilus-burner (I used /opt); the basic tmpfs setup leaves tmp too small for burning big images, but that is the only thing I've needed a huge tmp for so far.
I'm using: tmpfs /tmp tmpfs defaults 0 0
selinux@lists.fedoraproject.org