Fedora Security :: SELinux Relabel Every 3 Boot?

Mar 29, 2010

I get a SELinux relabel often even without changing stuff. SELinux troubleshoot doesn't show any error nor are there any messages in /log/messages that give any clue. Where should I look to see whats happening ?

2.6.31.12-174.2.22.fc12.x86_64
selinux-policy-3.6.32-103.fc12

View 2 Replies


ADVERTISEMENT

Fedora Security :: SElinux Fails To Start Filesystem Relabel

Sep 10, 2009

I recently made a custom spin of fedora on 29th August 2009. It initially failed to go past the slash screen but a solution was found here on fedora forum. It included adding the following to kernel line in grub.

enforcing=0

I later checked SElinux and found the option to do a filesystem relabel at next boot was enabled. I rebooted the system without adding the above words "enforcing=o" and it got stuck after the the splash screen (the blue screen with a fedora bubble). I then did some more research on SElinux and filesystem relabelling. There were several comments that said that a notice is given in the event of a filesystem relabel. I went to the konsole and as root I wrote the following commands:

touch /.autorelabel
reboot

I gave my pc 20Hrs 48min and nothing happened. My HDD is 80GB but it only had 7.5GB of data. There were no messages that indicated that the filesystem relabel was in progress or even if it had started. I also tried the following command but failed:

make relabel

I have now had to edit grub.conf and added the words "enforcing=0" as it is the only way the system will go passed the splash screen.

View 13 Replies View Related

Fedora Security :: Moved /var/log To New Disk - Selinux Relabel Now Incorrect

Apr 27, 2011

I've moved my /var/log directory to another disk (/mnt/serverlogs) and created a symlink for the original directory:

Code:

[root@fileserver2 var]# ls -aldZ /var/log
lrwxrwxrwx. root root unconfined_u:object_r:var_t:s0 /var/log -> /data/serverlogs
[root@fileserver2 var]# ls -aldZ /data/serverlogs
drwxr-xr-x. root root system_u:object_r:var_log_t /data/serverlogs

I have SELinux set to permissive and am getting lots of errors because the contexts are incorrect after a filesystem relabel. e.g.

Code:

[root@fileserver2 var]# ls -alZ /data/serverlogs/messages
-rw-------. root root system_u:object_r:default_t:s0 /data/serverlogs/messages

I believe that this file should be var_log_t.How can I restore the correct context to all of the files in /var/log?I've tried running:

Code:

restorecon -vR /var/log/

But this does not change the contexts, I guess because the files are now in the 'incorrect' location. I've looked through the file: /etc/selinux/targeted/contexts/files/file_contexts which I believe contains the original/default settings - maybe I need to alter this file to fix the problem? I've also tried modifying /data/serverlogs using:

Code:

semanage fcontext -a -t var_log_t /data/serverlogs

which fixes the directory itself, but not the contents,

View 8 Replies View Related

General :: Boot Hang In Red Hat 4 V5 After SElinux Relabel

Nov 22, 2010

On boot I get

** Warning -- SELinux relabel is required. ***
*** Disabling security enforcement. ***
*** Relabeling could take a very long time, ***
*** depending on file system size. ***

On the next screen the boot hangs. There is a solution posted here: [URL] it states I booted my VM from a rescue CD ISO, mounted the root directory, and:

# cd /mnt/local
# rm -f .autorelabel

Once this is done you may want to consider upgrading your VM to more -current that has this fixed. I've booted using a knoppix CD, but I don't know how to mount the root directory to try the fix.

View 6 Replies View Related

Fedora Security :: 'restorecon' Does Not Relabel Correctly?

Jul 24, 2009

I have a very curious problem with 'restorecon'.Problem:'restorecon' should relabel the context of the path /maco/glass to system_u:object_r:glass_rw_t:s0, however, it relabels the context tosystem_u:object_r:user_home_dir_t:s0.

The commad that triggers the error:restorecon -F -R -v /maco/glass/Expected result:drwxr-xr-x. 2 system_u:object_r:glass_rw_t:s0 glass glass 4096 2009-07-24 11:32 glassActual result:drwxr-xr-x. 2 system_u:object_r:user_home_dir_t:s0 glass glass 4096 2009-07-24 11:32 glassBackground:I have created a

[code]....

View 3 Replies View Related

Fedora Security :: How Long To Relabel After Seedit Reboot

Dec 29, 2010

I wanted to edit the Selinux policies using a GUI and i read that there's seedit. The problem was the selinux-policy-targeted package. It was conflicting every time i wanted seedit. I uninstalled the selinux-policy targeted and was able to install seedit. After that, I did ./seedit-init, after that i just entered reboot. Was there supposed to be a button or anything popping up after the seedit-init?

So it reboots, and during the first reboot, a bunch of words flashed, and i see some words like Green [OK]. It was very quick so i have no idea what it said. It then reboots again and it loads but now after the fedora loading bar and word turns grey, it just stops. Nothing else happens. I can type things in, but just that, nothing else. Ctrl+Alt+Delete restarts it though.

So my problem is, is it still relabeling? Because that's what I'm told seedit is doing; relabeling all the policies. If so, how long does it take?And if it's not relabeling, then did something happen a long the way?I started the seedit around 3ish and it's almost 8 already. I'm currently using Fedora 14 with a 500gb HDD. However, i partitioned 11gig for the fedora, and the rest is for Windows 7. So basically it is a dual-boot.okay, after much waiting, it was an error =/. I just don't know why though. I did a restart, made the kernal disable selinux and went and uninstalled seedit. I reapplid the selinux-policy-target. I did a restart and there it was, telling me it had to relabel.

View 7 Replies View Related

Fedora Security :: Make SELinux Changes Remain After Boot?

May 10, 2011

After I do a recommended SELinux change from an alert:

'grep blender /var/log/audit/audit.log | audit2allow -M mypol'

the next time I boot, I have to add the rule again. How would I make this permanent? Can this only be done with the SELinux Policy Generation Tool? I've tried making bug reports for some SELinux warnings.

View 3 Replies View Related

Fedora Security :: FC11, SELinux, And Initrd No-boot Scenario And Resolution?

Jul 16, 2009

So, I had fun with this one the past week. I had an FC11 system running just fine. Then one day it would not boot - it was hung somewhere inside the init script of the initrd image. CTRL-ALT-DEL would reboot the system. Using grub editor, I could temporarily delete the initrd line and boot into the system OK. But what was going on?

mkinitrd was of no help to me. I even did a yum update, which got a new kernel, which also generated a new initrd - no joy. I extracted the initrd file system and edited the init script. I eventually hit on this tidbit: If I commented out this line:

daemonize --ignore-missing /bin/plymouthd and rebuild the initrd image - the system would finally at least tell me what the problem was: mount failed for selinuxfs on /selinux. No such file or directory.

So, I examine the root (the real root, not the initrd temporary root) - and sure enough, no /selinux. I make one and reboot. The system goes into a "targeted policy relabel" operation, reboots, and I am back in business - even with my original, unmodified, initrd.

I have no idea what happened to my /selinux directory, but I think the initrd "init" script needs to check for this directory's existance, and make it if necessary. Or at least report that it isn't there. In FC11 right now the system just HANGS without this directory being present, without any clue as to what the problem is!

View 1 Replies View Related

Fedora Security :: Wierd SeLinux Security Alerts \ Got:Code:Summary: System May Be Seriously Compromised?

Apr 13, 2011

this is the allert i got:Code:Summary:Your system may be seriously compromised! /usr/sbin/NetworkManager tried to loada kernel module.Detailed Description:SELinux has prevented NetworkManager from loading a kernel module. All confinedprograms that need to load kernel modules should have already had policy writtenfor them. If a compromised application tries to modify the kernel this AVC willbe generated. This is a serious issue.Your system may very well be compromised.Allowing Access:Contact your security administrator and report this issue.Additional Information:

Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]

[code]....

View 5 Replies View Related

Fedora Security :: SELinux Context For Cgi-bin?

Oct 20, 2010

I'm attempting to get MapServer running on my Fedora 13 computer. I was able to install with the package manager, and the executable (mapserv) was originally placed in /usr/sbin. But I need it in /var/www/cgi-bin to work on the webserver. So I copied the file to the right location. Unfortunately, it doesn't have the correct SELinux context. Here's the message from the troubleshooter:

SELinux denied access requested by /var/www/cgi-bin/mapserv. /var/www/cgi-bin/mapserv is mislabeled. /var/www/cgi-bin/mapserv default type is httpd_sys_script_exec_t, but its current type is httpd_sys_script_exec_t. Changing this file back to the default type, may fix your problem.

How's that for circular logic? Does anyone have an idea what the correct SELinux context for a cgi-bin executable might be?

View 3 Replies View Related

Fedora Security :: Selinux Not Enabled?

Nov 10, 2010

Trying to keep selinux enabled. When I start SeLinux Troubleshooter from the menu, which is inautostart as well, It tells me SELinux not enabled, sealert will not run on nonSELinus systems".How do I get SELinux permanently started then

View 10 Replies View Related

Fedora Security :: How To Enable The SELinux

Jan 17, 2011

My newly installed Fedora-14 (64-bit) has SELinux disabled. I can't find any way to enable it. I tried to set it manually in /etc/selinux/config to enforcing or permissive but nothing happens after reboot. In GUI configuration tool it is set to disabled and grayed out so that there is no way to enable it there. Is there another way to enable SELinux?

View 11 Replies View Related

Fedora Security :: SELinux Not Enforcing?

Apr 30, 2011

I tried to log in to my xguest account and it asked for a password, which it shouldn't, so there's a problem with SELinux.When I type getenforce it says it is disabled, yet when I go to /etc/selinux and look at the config, it is in enforcing mode and not commented out, type is strict.When I go to the SELinux management GUI I can't change the current enforcing mode and it's set to disabled and default to enforcing.

View 2 Replies View Related

Fedora Security :: Prevent Firefox With SELinux?

May 11, 2009

I am new to Fedora 10, and to SELinux too.

I would like to know how can I prevent from users with role user_r to connect to Internet with firefox.

View 2 Replies View Related

Fedora Security :: SELinux Is Blocking Ipod?

Jul 8, 2009

I am running Fedora 11 and every time i plug in my iPod it tells me... SELinux is preventing mkdir (podsleuth_t) "read" security_t ... I have no idea on how to create a policy module to allow access.

View 2 Replies View Related

Fedora Security :: SELinux Really Necessary For Home Desktop?

Jul 11, 2010

I wonder if SELinux really are necessary for a home desktop ?
It only makes my computer use more problematic than it already is.
What can happend if I uninstall it on my Fedora 13 dist ?
Is the hole Internet going to come in to my computer and destroy it ?

If I uninstall SELinux, is the firewall uninstalled also ?

View 14 Replies View Related

Fedora Security :: SELinux Has Broken Bugzilla

Jul 19, 2010

I have recently upgraded from FC12 to FC13, and last week I updated all packages using YUM. The system is running as a VM inside CentOS 5.5 using KVM. SELinux is enforcing, using the targeted policy. Bugzilla is version 3.6.1 and was NOT installed using RPM or YUM.

Bugzilla was working OK on this machine until SELinux was upgraded last week from 3.7.19-28 to 3.7.19-33, and is still broken after testing 3.7.19-37 from the testing repo. With SELinux in enforcing mode, apache returns error 500 when I browse to the main bugzilla page. The apache error log shows this:-

Code:
[Mon Jul 19 13:15:08 2010] [error] [client 192.168.40.1] (13)Permission denied: exec of '/var/www/html/bugzilla/index.cgi' failed
Nothing, and I mean absolutely nothing, is recorded in /var/log/audit/audit.log, /var/log/messages or /var/log/secure.

[Code]....

View 5 Replies View Related

Fedora Security :: SELinux Warning On Rkhunter?

Mar 17, 2011

i get this warning from selinux :

"SELinux is preventing /bin/mailx from append access on the file /var/lib/rkhunter/rkhcronlog.OmRFCZOynG."

I tried to fix it by "# /sbin/restorecon -v /var/lib/rkhunter/rkhcronlog.OmRFCZOynG" as suggested by SELinux but it comes back with another warning, but with a different /rkhcronlog.xxxxxxxxx...

i think its just a way of rkhunter logging issue -. attached here is the actual error message by selinux.

View 6 Replies View Related

Fedora Security :: SELinux Troubleshooter Missing

Jul 20, 2011

I just install Fedora 15 and I see the SELinux Policy Genertation Tool and the SELinux Administration application in the app launcher but I do not see the SELinux Troubleshooter app. I seems to be missing. How do I get it on my system?

View 2 Replies View Related

Fedora Security :: SELinux Policy Changing In 15

Jul 24, 2011

I need to change SELinux policy to permissive and then back to enforced for an installation. I understand that I should be able to do that through the SELinux Administration window accessed through System -> Administration ->SELinux Management. But I do not have any real sysadmin tools available in my Fedora 15 Gnome Gui interface. Am I missing something, or should I use some sort of similar command line tool to do this?

View 2 Replies View Related

Fedora Security :: SELinux - Update Stopped Printing

Mar 6, 2009

I know very little about SE Linux and I've heard that in some situations it's better to disable it. For a home user, is it important? Does it improve your life ? or does it get in the way ?

Last week some update stopped my printing and I had to install the new hplip from HP because it wasn't in the Fedora repos to correct the problem. I don't know if SELinux had anything to do with it, but today when I disabled SELinux a few minutes later I get a star up on the toolbar and when I clicked on it it mentioned something about hplip. It wouldn't make any sense to me but maybe this has happened to others.

View 9 Replies View Related

Fedora Security :: SElinux Is Blocking My Internet Connection

Mar 15, 2009

SElinux is blocking my internet connection and every time when I connect t the internet (pppoe connection) I ge message.

View 2 Replies View Related

Fedora Security :: How To Create A Totally New SELinux User

Jun 4, 2009

Currently working on the targeted policy, I need a help in doing the following things as quick as possible:

1- How to create a totally new SELinux user (not mapping new linux user to SELinux user) I want a new user with no roles or with a maximum of 1 role. I also need how to compile the new user so I can used it for mapping users. At the time, I've tried creating a new file inside /etc/selinux/targeted/contexts/users similar to the other users inside this directory, but it did not actually seem to appear when using the command semanage to list SELinux users : semanage user -l
2- How to create a totally new SELinux role (empty for now) ? and how to make the relation between this new role and domains or types.
3- How to create new domain, actually following some old instructions I created the .fc and .te files, but not the .if file, which is more complicated than the other 2 file.

View 10 Replies View Related

Fedora Security :: Restricting Xattr Flags With Selinux ?

Jul 12, 2009

I've got a question about chattr command. is it possible to restrict a root access for this command. what i want is something similar to freebsd behaviour aka the kernel secure level. setting a particular security level results in limiting some operations (i.e changing immutable flags on files) by root. well, if someone gained an access to a machine in some way, nothing would stop him changing the file's flags. so the question is if it can be achieved with selinux?

View 2 Replies View Related

Fedora Security :: SELinux Stopping Dial Up Connection?

Aug 6, 2009

well after spending most of the morning getting help with my internet connection hanging when I dial up we discover that SELinux is causing it so when I set it to passive I can connect so how can I get it to allow me to connect while being set to enforcing?

View 5 Replies View Related

Fedora Security :: Install Vmware - Must Disable Selinux ?

Aug 17, 2009

I plan to install vmware but I had some problems...So I looked over the internet and I found that I must disable selinux....is this true? It means that I must have to disable the selinux for ever? And then, will my System be safe?

View 6 Replies View Related

Fedora Security :: SElinux Apache Upload Denied

Jun 22, 2010

I want to be able to created directories and upload files (images mostly) via a php web page. The directory structure is a throwback to windows and I really really don't want to have to change it because there are so many files/links already there.

/cust/cust_name/site/version/web (all html/php files go here)

I want to be able to edit the files with a 3rd party tool (SSH based). These are small orgs, like my church, local community club, sports team, etc., so file ownership needs to sync with the editor, not apache.

[Code].....

View 5 Replies View Related

Fedora :: SELinux Trouble Shooter About A Security Alert?

Jul 30, 2010

I sue Fedora 13. Since a few times ago, every time when I start the computer, it appears a message of SELinux trouble shooter about a security alert. But most of times there are no errors to show.

View 9 Replies View Related

Fedora Security :: Guide To Setup Samba With Selinux?

Nov 11, 2010

I have a removable USB drive formated with NTFS. I enabled all the samba boolians in the SElinux GUI but it still doesn't seem to work. If i put it on permissive it will work. What more is there that i need to do to get my directories to show up on samba with selinux enabled?

View 2 Replies View Related

Fedora Security :: Wrong SELinux Context On /etc/sudoers?

Nov 21, 2010

I'm suspicious that the context of /etc/sudoers is wrong. During the last upgrade to Fedora 14, RPM dropped /etc/sudoers.rpmnew, which had a different context than the real sudoers file. But, when I try to get SELinux to relabel the file (using restorecon or fixfiles), it refuses to make a change.

> ls -lZ /etc/sudoers
-r--r-----. root root unconfined_u:object_r:etc_t:s0 /etc/sudoers
> matchpathcon /etc/sudoers

[code]....

View 5 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved