Running targeted/enforcing, latest Rawhide:
Get the following on boot with latest policy (selinux-policy-targeted-1.21.2-6):
Jan 22 12:57:54 localhost kernel: audit(1106427474.075:0): security_compute_sid: invalid context user_u:system_r:crond_t for scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:crond_exec_t tclass=process
Jan 22 12:57:54 localhost gpm[2789]: *** info [mice.c(1766)]:
Jan 22 12:57:54 localhost gpm[2789]: imps2: Auto-detected intellimouse PS/2
Jan 22 12:57:55 localhost kernel: audit(1106427475.435:0): security_compute_sid: invalid context user_u:system_r:crond_t for scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:anacron_exec_t tclass=process
Jan 22 12:57:55 localhost xfs[2826]: ignoring font path element /usr/X11R6/lib/X11/fonts/Speedo (unreadable)
Jan 22 12:57:55 localhost kernel: audit(1106427475.634:0): security_compute_sid: invalid context user_u:system_r:crond_t for scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:crond_exec_t tclass=process
Tom London wrote:
Running targeted/enforcing, latest Rawhide:
Get the following on boot with latest policy (selinux-policy-targeted-1.21.2-6):
Jan 22 12:57:54 localhost kernel: audit(1106427474.075:0): security_compute_sid: invalid context user_u:system_r:crond_t for scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:crond_exec_t tclass=process
Jan 22 12:57:54 localhost gpm[2789]: *** info [mice.c(1766)]:
Jan 22 12:57:54 localhost gpm[2789]: imps2: Auto-detected intellimouse PS/2
Jan 22 12:57:55 localhost kernel: audit(1106427475.435:0): security_compute_sid: invalid context user_u:system_r:crond_t for scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:anacron_exec_t tclass=process
Jan 22 12:57:55 localhost xfs[2826]: ignoring font path element /usr/X11R6/lib/X11/fonts/Speedo (unreadable)
Jan 22 12:57:55 localhost kernel: audit(1106427475.634:0): security_compute_sid: invalid context user_u:system_r:crond_t for scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:crond_exec_t tclass=process
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Can you try a make -C /etc/selinux/targeted/src/policy load
On Mon, 24 Jan 2005 15:02:22 -0500, Daniel J Walsh dwalsh@redhat.com wrote:
Can you try a make -C /etc/selinux/targeted/src/policy load
Sorry, no soap. :-(
Here's a log:
[root@tlondon ~]# cd /etc/selinux/targeted
[root@tlondon targeted]# cd src/policy
[root@tlondon policy]# make -C /etc/selinux/targeted/src/policy load
make: Entering directory `/etc/selinux/targeted/src/policy'
/usr/sbin/load_policy /etc/selinux/targeted/policy/policy.18
touch tmp/load
make: Leaving directory `/etc/selinux/targeted/src/policy'
[root@tlondon ~]# cd /etc/init.d
[root@tlondon init.d]# ./crond status
crond is stopped
[root@tlondon init.d]# ./crond start
Starting crond: /etc/init.d/functions: line 148: /usr/sbin/crond: Permission denied
[FAILED]
[root@tlondon init.d]#
Here's the AVC:
Jan 25 07:38:17 localhost kernel: audit(1106667497.815:0): security_compute_sid: invalid context root:system_r:crond_t for scontext=root:system_r:initrc_t tcontext=system_u:object_r:crond_exec_t tclass=process
tom
Tom London wrote:
On Mon, 24 Jan 2005 15:02:22 -0500, Daniel J Walsh dwalsh@redhat.com wrote:
Can you try a make -C /etc/selinux/targeted/src/policy load
Sorry, no soap. :-(
Here's a log:
[root@tlondon ~]# cd /etc/selinux/targeted
[root@tlondon targeted]# cd src/policy
[root@tlondon policy]# make -C /etc/selinux/targeted/src/policy load
make: Entering directory `/etc/selinux/targeted/src/policy'
/usr/sbin/load_policy /etc/selinux/targeted/policy/policy.18
touch tmp/load
make: Leaving directory `/etc/selinux/targeted/src/policy'
[root@tlondon ~]# cd /etc/init.d
[root@tlondon init.d]# ./crond status
crond is stopped
[root@tlondon init.d]# ./crond start
Starting crond: /etc/init.d/functions: line 148: /usr/sbin/crond: Permission denied
[FAILED]
[root@tlondon init.d]#
Here's the AVC:
Jan 25 07:38:17 localhost kernel: audit(1106667497.815:0): security_compute_sid: invalid context root:system_r:crond_t for scontext=root:system_r:initrc_t tcontext=system_u:object_r:crond_exec_t tclass=process
tom
Ok, you need to change the policy for crond.te
--- crond.te~ 2005-01-21 16:16:11.000000000 -0500 +++ crond.te 2005-01-25 12:04:52.000000000 -0500 @@ -19,5 +19,5 @@ type sysadm_cron_spool_t, file_type, sysadmfile; type crond_log_t, file_type, sysadmfile; type crond_var_run_t, file_type, sysadmfile; -domain_auto_trans(initrc_t, crond_exec_t, crond_t) -domain_auto_trans(initrc_t, anacron_exec_t, crond_t) +domain_auto_trans(initrc_t, crond_exec_t, unconfined_t) +domain_auto_trans(initrc_t, anacron_exec_t, unconfined_t)
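Review bot: Pointing both domain_auto_trans calls at unconfined_t leaves crond with no domain of its own, so audit records and any later rules can no longer single out the cron daemon; the next iteration visible in this thread (a dedicated system_crond_t marked unconfined_domain) keeps that distinction and is the better shape. Whatever target type is chosen, the targeted policy also needs system_r authorized for it (`role system_r types <type>;`), since the kernel rejects the computed context outright rather than logging a denial, which is exactly what the follow-up messages run into.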
I will update policy and throw it out on people.
selinux-policy-targeted-1.21.3-2
On Tue, 25 Jan 2005 12:10:52 -0500, Daniel J Walsh dwalsh@redhat.com wrote:
Ok, you need to change the policy for crond.te
--- crond.te~ 2005-01-21 16:16:11.000000000 -0500 +++ crond.te 2005-01-25 12:04:52.000000000 -0500 @@ -19,5 +19,5 @@ type sysadm_cron_spool_t, file_type, sysadmfile; type crond_log_t, file_type, sysadmfile; type crond_var_run_t, file_type, sysadmfile; -domain_auto_trans(initrc_t, crond_exec_t, crond_t) -domain_auto_trans(initrc_t, anacron_exec_t, crond_t) +domain_auto_trans(initrc_t, crond_exec_t, unconfined_t) +domain_auto_trans(initrc_t, anacron_exec_t, unconfined_t)
I will update policy and throw it out on people.
selinux-policy-targeted-1.21.3-2
I updated to selinux-policy-targeted-1.21.3-3 and I think I'm still seeing this problem:
Jan 26 08:33:18 localhost kernel: audit(1106757198.533:0): security_compute_sid: invalid context user_u:system_r:system_crond_t for scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:crond_exec_t tclass=process
Jan 26 08:33:20 localhost kernel: audit(1106757200.158:0): security_compute_sid: invalid context user_u:system_r:system_crond_t for scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:anacron_exec_t tclass=process
Jan 26 08:33:20 localhost kernel: audit(1106757200.370:0): security_compute_sid: invalid context user_u:system_r:system_crond_t for scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:crond_exec_t tclass=process
Jan 26 08:33:29 localhost fstab-sync[3279]: removed all generated mount points
crond.te says:
type crond_var_run_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, crond_exec_t, system_crond_t)
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
unconfined_domain(system_crond_t)
tom
On Wed, 2005-01-26 at 11:42, Tom London wrote:
Jan 26 08:33:18 localhost kernel: audit(1106757198.533:0): security_compute_sid: invalid context user_u:system_r:system_crond_t for scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:crond_exec_t tclass=process
The error message isn't a permission denial; it is an invalid context, e.g. the role isn't authorized for the type in the targeted policy. Got a 'role system_r types system_crond_t;' anywhere? Likely just a failure to transfer over all of the necessary bits from the strict policy.
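To make the distinction Stephen draws concrete, here is an added example (not code from the thread or from the policy package): the kernel message is security_compute_sid rejecting the computed process context because its role is not authorized for the new type, so no AVC denial is ever logged. The script parses the posted messages and checks each computed role/type pair against a constructed policy fragment; the real kernel check also validates the user/role pair, which this toy does not model.

```python
import re

# Constructed sample input: two of the kernel messages posted in the thread.
AUDIT_LINES = [
    "Jan 26 08:33:18 localhost kernel: audit(1106757198.533:0): security_compute_sid: "
    "invalid context user_u:system_r:system_crond_t for scontext=user_u:system_r:initrc_t "
    "tcontext=system_u:object_r:crond_exec_t tclass=process",
    "Jan 26 08:33:20 localhost kernel: audit(1106757200.158:0): security_compute_sid: "
    "invalid context user_u:system_r:system_crond_t for scontext=user_u:system_r:initrc_t "
    "tcontext=system_u:object_r:anacron_exec_t tclass=process",
]

# Constructed toy policy fragments: the 'targeted' one declares the transition
# but never authorizes system_r for system_crond_t; the 'fixed' one adds that line.
TARGETED_POLICY = """
role system_r types { initrc_t crond_t };
domain_auto_trans(initrc_t, crond_exec_t, system_crond_t)
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
"""
FIXED_POLICY = TARGETED_POLICY + "role system_r types system_crond_t;\n"

LINE_RE = re.compile(r"invalid context (\S+) for scontext=(\S+) tcontext=(\S+) tclass=(\w+)")
ROLE_RE = re.compile(r"^role\s+(\w+)\s+types\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)


def parse_invalid_context(line):
    """Return the computed (rejected) context split into fields, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    new_ctx, scontext, tcontext, tclass = m.groups()
    user, role, typ = new_ctx.split(":")[:3]
    return {"user": user, "role": role, "type": typ,
            "scontext": scontext, "tcontext": tcontext, "tclass": tclass}


def role_types(policy):
    """Map each role to the set of types it is authorized for (role ... types ...;)."""
    allowed = {}
    for role, braced, single in ROLE_RE.findall(policy):
        allowed.setdefault(role, set()).update((braced or single).split())
    return allowed


def missing_role_statements(lines, policy):
    """List the role/type authorizations the policy lacks for each rejected context."""
    allowed = role_types(policy)
    missing = set()
    for line in lines:
        ev = parse_invalid_context(line)
        if ev and ev["type"] not in allowed.get(ev["role"], set()):
            missing.add(f"role {ev['role']} types {ev['type']};")
    return sorted(missing)
```

Running it against the constructed targeted fragment names the single missing statement, and against the fixed fragment it reports nothing, which is the same conclusion Tom reaches by diffing strict against targeted.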
On Wed, 26 Jan 2005 12:08:51 -0500, Stephen Smalley sds@epoch.ncsc.mil wrote:
The error message isn't a permission denial; it is an invalid context, e.g. the role isn't authorized for the type in the targeted policy. Got a 'role system_r types system_crond_t;' anywhere? Likely just a failure to transfer over all of the necessary bits from the strict policy.
Got it. The strict policy has this line, targeted does not.
tom
Tom London wrote:
On Wed, 26 Jan 2005 12:08:51 -0500, Stephen Smalley sds@epoch.ncsc.mil wrote:
The error message isn't a permission denial; it is an invalid context, e.g. the role isn't authorized for the type in the targeted policy. Got a 'role system_r types system_crond_t;' anywhere? Likely just a failure to transfer over all of the necessary bits from the strict policy.
Got it. The strict policy has this line, targeted does not.
tom
Added in selinux-policy-targeted-1.21.3-5
Tom London wrote:
On Wed, 26 Jan 2005 12:08:51 -0500, Stephen Smalley sds@epoch.ncsc.mil wrote:
The error message isn't a permission denial; it is an invalid context, e.g. the role isn't authorized for the type in the targeted policy. Got a 'role system_r types system_crond_t;' anywhere? Likely just a failure to transfer over all of the necessary bits from the strict policy.
Got it. The strict policy has this line, targeted does not.
tom
Added in selinux-policy-targeted-1.21.3-5
Where to get selinux-policy-targeted-1.21.3-5? When I run yum in my fc3 system, it lists only:
Available Packages
selinux-doc.noarch                       1.14.1-1       base
selinux-policy-strict.noarch             1.19.10-2      updates-released
selinux-policy-strict-sources.noarch     1.19.10-2      updates-released
selinux-policy-targeted.noarch           1.17.30-2.73   updates-released
selinux-policy-targeted-sources.noarch   1.17.30-2.73   updates-released
Thanks!
Hongwei Li
Hongwei Li wrote:
Tom London wrote:
On Wed, 26 Jan 2005 12:08:51 -0500, Stephen Smalley sds@epoch.ncsc.mil wrote:
The error message isn't a permission denial; it is an invalid context, e.g. the role isn't authorized for the type in the targeted policy. Got a 'role system_r types system_crond_t;' anywhere? Likely just a failure to transfer over all of the necessary bits from the strict policy.
Got it. The strict policy has this line, targeted does not.
tom
Added in selinux-policy-targeted-1.21.3-5
Where to get selinux-policy-targeted-1.21.3-5? When I run yum in my fc3 system, it lists only:
Available Packages
selinux-doc.noarch                       1.14.1-1       base
selinux-policy-strict.noarch             1.19.10-2      updates-released
selinux-policy-strict-sources.noarch     1.19.10-2      updates-released
selinux-policy-targeted.noarch           1.17.30-2.73   updates-released
selinux-policy-targeted-sources.noarch   1.17.30-2.73   updates-released
Thanks!
Hongwei Li
No, you have the correct policy. 1.21 and later are for rawhide, which will be FC4.
You are up to date on policy so now you need to do the restorecon stuff.
Dan