00:19.06 | *** join/#fredlug Aaron__ (n=Aaron@pool-72-73-37-194.clppva.east.verizon.net) |
00:54.40 | stickster_work | plarsen_: Does setsebool -P not work for you? |
01:00.41 | plarsen_ | stickster_work: doesn't look like it |
01:00.52 | plarsen_ | it makes no difference. getsebool returned "true" but it kept refusing access to home directories. |
01:01.02 | stickster_work | Got audit on? |
01:01.07 | plarsen | yes |
01:02.01 | stickster_work | What does audit2allow tell you about the AVC denial? |
01:02.01 | plarsen | hang on, let me logon |
01:06.47 | plarsen | May 23 21:06:11 infrastructure setroubleshoot: SELinux is preventing the samba daemon from reading users home directories. For complete SELinux messages. run sealert -l 9e95f311-8008-4162-95e9-390d3e7c9e7d |
01:07.05 | stickster_work | I wonder if FC4 needs a policy reload |
01:07.12 | stickster_work | You might need to check the FC4 SELinux FAQ for that |
01:07.14 | stickster_work | It's been a whlie |
01:07.14 | plarsen | that's not FC4 |
01:07.17 | stickster_work | *while |
01:07.20 | stickster_work | Oh? |
01:07.21 | plarsen | Sorry, I'm always multitasking |
01:07.24 | plarsen | That's CentOS5 |
01:07.27 | stickster_work | Ah |
01:07.28 | plarsen | Basically FC6 |
01:07.31 | stickster_work | RHEL5 docs then |
01:07.48 | plarsen | yep |
01:08.42 | plarsen | Raw Audit Messages |
01:08.43 | plarsen | avc: denied { read } for comm="smbd" dev=dm-0 egid=500 euid=500 |
01:08.43 | plarsen | exe="/usr/sbin/smbd" exit=-13 fsgid=500 fsuid=500 gid=0 items=0 name="plarsen" |
01:08.43 | plarsen | pid=8721 scontext=root:system_r:smbd_t:s0 sgid=0 subj=root:system_r:smbd_t:s0 |
01:08.43 | plarsen | suid=0 tclass=dir tcontext=root:object_r:home_root_t:s0 tty=(none) uid=500 |
01:10.08 | plarsen | what pars do I give "audit2allow" ? |
01:12.30 | plarsen | allow smbd_t home_root_t:dir { read search }; |
01:12.34 | plarsen | allow smbd_t home_root_t:file getattr; |
01:12.38 | plarsen | allow smbd_t rpm_script_tmp_t:dir getattr; |
01:12.42 | plarsen | allow smbd_t rpm_script_tmp_t:file getattr; |
01:12.46 | plarsen | allow smbd_t samba_share_t:sock_file getattr; |
01:12.46 | stickster_work | If you bring that to a file, audit2allow -i <file> |
01:12.50 | plarsen | allow smbd_t tmp_t:file getattr; |
01:12.54 | plarsen | allow smbd_t tmp_t:sock_file getattr; |
01:12.58 | plarsen | allow smbd_t xdm_tmp_t:dir getattr; |
01:12.58 | plarsen | allow smbd_t xdm_tmp_t:file getattr; |
01:12.59 | plarsen | allow smbd_t xdm_tmp_t:sock_file getattr; |
01:13.00 | plarsen | allow smbd_t xfs_tmp_t:dir getattr; |
01:13.00 | plarsen | That's if I just do an audit2allow -i /var/log/audit/audit.log |
01:13.06 | stickster_work | Yeah, probably too much |
01:13.07 | plarsen | Didn't know if I needed one of those "analyst" things |
01:14.44 | plarsen | so does that make any sense to you? |
01:15.55 | stickster_work | Yeah, but I'm pretty sure that may be grabbing too much |
01:16.27 | stickster_work | What's your '/usr/sbin/getsebool -a | grep samba' show? |
01:17.08 | plarsen | [root@infrastructure ~]# /usr/sbin/getsebool -a | grep samba |
01:17.08 | plarsen | samba_enable_home_dirs --> on |
01:17.08 | plarsen | samba_share_nfs --> off |
01:17.08 | plarsen | use_samba_home_dirs --> off |
01:17.27 | plarsen | Didn't know about the last one |
01:17.30 | plarsen | Is that the issue? |
01:17.40 | plarsen | I think I read that it may be "remote" use ..... |
01:18.53 | plarsen | nope .. didn't help |
01:23.16 | stickster_work | Yeah, you're correct, that's for home directories via Samba |
01:23.51 | plarsen | [root@infrastructure ~]# !481 |
01:23.52 | plarsen | /usr/sbin/getsebool -a | grep samba |
01:23.53 | plarsen | samba_enable_home_dirs --> on |
01:23.53 | plarsen | samba_share_nfs --> off |
01:23.53 | plarsen | use_samba_home_dirs --> on |
01:24.00 | plarsen | That's now ... .and it still doesn't work. |
01:24.46 | plarsen | I even tried to enable "samba_share_nfs" and that didn't work either. |
01:25.08 | stickster_work | plarsen: I don't think that will help this case |
01:25.17 | stickster_work | plarsen: Can you set Samba to not parse through root's home directory? |
01:25.43 | plarsen | nope, me neither .... |
01:25.43 | stickster_work | That seems to be the hangup in the AVC message you posted |
01:25.43 | plarsen | It shouldn't? |
01:25.44 | plarsen | Root's home is /root |
01:25.51 | stickster_work | Ah, wait! |
01:25.59 | plarsen | the share defines /home/%u |
01:26.02 | stickster_work | root_home_t is "something in /home with root ownership" |
01:26.10 | stickster_work | sorry, home_root_t |
01:26.42 | stickster_work | So check /home for things owned by root |
01:26.47 | plarsen | besides /home itself, everything is not owned by root |
01:27.08 | plarsen | [root@infrastructure ~]# ll -a /home |
01:27.20 | plarsen | total 56 |
01:27.24 | stickster_work | check in /home/plarsen |
01:27.24 | plarsen | drwxr-xr-x 7 root root 4096 May 18 22:33 . |
01:27.28 | plarsen | drwxr-xr-x 24 root root 4096 May 23 09:18 .. |
01:27.32 | plarsen | drwxr-xr-x 2 dpkennedy hms 4096 May 18 22:30 dpkennedy |
01:27.36 | plarsen | drwxr-xr-x 2 mperedo hms 4096 May 18 22:33 mperedo |
01:27.48 | plarsen | drwxr-xr-x 2 ngoyal hms 4096 May 18 22:31 ngoyal |
01:27.50 | plarsen | drwxr-xr-x 2 plarsen hms 4096 May 18 22:26 plarsen |
01:27.50 | plarsen | drwxr-xr-x 2 vtandale hms 4096 May 18 22:28 vtandale |
01:28.19 | plarsen | nope ... there's nothing in there but skeleton ... |
01:28.24 | plarsen | 3 dot files |
01:28.28 | plarsen | all owned by the user plarsen |
01:28.34 | stickster_work | hmm |
01:29.26 | plarsen | yeah, exactly |
01:30.06 | stickster_work | find -context '*home_root_t*' |
01:30.22 | plarsen | from what dir? |
01:30.26 | plarsen | <PROTECTED> |
01:30.29 | stickster_work | yup |
01:30.51 | plarsen | all files |
01:31.30 | stickster_work | well, you could search -type d since the AVC denied is on a dir |
01:32.02 | plarsen | [root@infrastructure ~]# find /home//plarsen -context '*home_root_t*' |
01:32.03 | plarsen | /home//plarsen |
01:32.03 | plarsen | /home//plarsen/.bashrc |
01:32.03 | plarsen | /home//plarsen/.bash_profile |
01:32.04 | plarsen | /home//plarsen/.bash_logout |
01:32.14 | stickster_work | those are wrong then |
01:32.23 | plarsen | looks like it .... |
01:32.36 | stickster_work | Those should all be user_home_t |
01:33.05 | plarsen | "restorecon /home" didn't fix it. |
01:33.10 | stickster_work | And your ls -Z /home shows that plarsen is user_home_dir_t, right? |
01:33.27 | plarsen | nope ... |
01:33.30 | plarsen | home_root_t |
01:33.33 | plarsen | all of them. |
01:33.37 | stickster_work | That's all wrong then |
01:33.42 | stickster_work | restorecon -R /home |
01:33.47 | stickster_work | Needs to be recursive |
01:34.06 | plarsen | GRRRR - had I known that it would have been fixed this afternoon;) |
01:34.13 | stickster_work | man restorecon ;-) |
01:34.14 | plarsen | ok, they changed ... let's see if that helped. |
01:34.19 | plarsen | lol - yeah |
01:34.35 | plarsen | WOOOHOOO |
01:34.43 | plarsen | Ok ... where did you see the root_t thing? |
01:34.44 | stickster_work | disco |
01:34.49 | stickster_work | ? |
01:34.52 | stickster_work | Oh, OK: |
01:35.04 | stickster_work | 21:08:24 < plarsen> avc: denied { read } for comm="smbd" dev=dm-0 egid=500 euid=500 |
01:35.07 | stickster_work | 21:08:24 < plarsen> exe="/usr/sbin/smbd" exit=-13 fsgid=500 fsuid=500 gid=0 items=0 name="plarsen" |
01:35.11 | stickster_work | 21:08:24 < plarsen> pid=8721 scontext=root:system_r:smbd_t:s0 sgid=0 subj=root:system_r:smbd_t:s0 |
01:35.14 | stickster_work | 21:08:24 < plarsen> suid=0 tclass=dir tcontext=root:object_r:home_root_t:s0 tty=(none) uid=500 |
01:36.02 | plarsen | I wonder if useradd has a bug ..... they were just created today |
01:36.08 | stickster_work | So that says that smbd had a problem reading a dir object named "plarsen" which is a directory, where it hit a context of root:object_r:home_root_t, which is disallowed |
01:36.19 | stickster_work | Did you maybe have selinux disabled when you did the useradds? |
01:36.29 | plarsen | no |
01:36.31 | stickster_work | Hm, no, that would have been no context |
01:36.43 | plarsen | It was quite a while before I realized it was an se error |
01:36.54 | plarsen | I've been staring at the smb message that it was denied access to /home/plarsen |
01:37.21 | stickster_work | It sometimes helps to have SELinux messages for audit get echoed to all terminals if you're not using a desktop |
01:37.53 | plarsen | well, I am - this is actually running in a VM ... I do most of my stuff from terminals. |
01:38.07 | plarsen | I got the stuff into the /var/log/messages now ... so I'll see the messages |
01:38.21 | plarsen | Which is good .... it's the first log file I consult. |
01:38.31 | stickster_work | Yeah, or just tail the audit.log somewhere while you work |
01:38.51 | stickster_work | This is a very good use of D-Bus by the setroubleshoot/sealert stuff -- you can see problems pop up a notification when they happen |
01:39.13 | plarsen | I had a DNS error message that I finally found was due to IPv6 ... it was flooding my logfiles. |
01:39.30 | plarsen | I've seen them; but you only see "but so many" :) |
01:39.46 | plarsen | If multiple stuff happens you still have to load the program. But I'm glad it's getting more automated. |
01:39.50 | stickster_work | So that AVC message tells you the *name* of the object being accessed, the *scontext* (source context), the *tcontext* (target context), and of course other factors |
01:40.05 | plarsen | I actually generated policies today to allow samba to share non /home files. |
01:40.05 | stickster_work | Also *class* (type of object, like "dir", "file", "pipe", etc.) |
01:40.40 | plarsen | and as long as you remember the base policies that SHOULD be in effect, you can look for abnormalities. |
01:41.07 | plarsen | I like the 'sealert' command |
01:41.21 | plarsen | Very nice and detailed output. Even a little hint, although that didn't help me this time. |
01:41.50 | plarsen | Are the bools I've set permanent? |
01:41.55 | plarsen | sebools* |
01:42.06 | stickster_work | Yes, if you used setsebool -P |
01:42.12 | stickster_work | But you can disable them the same way |
01:42.28 | stickster_work | Otherwise they persist until changed during this uptime |
01:42.42 | stickster_work | By you or a policy change |
01:42.47 | plarsen | figured so. I looked for a config file, but didn't find it. |
01:43.14 | stickster_work | Yeah, the policy is in /etc/selinux/targeted/policy/policy.* |
01:43.20 | stickster_work | compiled form, tho' |
01:43.23 | plarsen | So how would I export selinux settings and import them on a different system? |
01:43.36 | plarsen | yeah, binary ;) |
01:44.42 | stickster_work | You may need the tools package for that |
01:44.55 | stickster_work | I think it's selinux-policy-devel |
01:45.26 | plarsen | good thinking:) |
01:45.38 | plarsen | GOASH - I love my local yum mirror :) |
01:45.47 | stickster_work | Yup, life with 'em is good |
01:46.45 | stickster_work | You may want to check out http://www.gurulabs.com/goodies/YUM_automatic_local_mirror.php for some ideas |
01:47.01 | stickster_work | Also mirrormanager |
01:47.37 | plarsen | uhmmm - I did get it working though. A bit of trial and error. However, I didn't make it able to deal with multiple releases ... |
01:47.54 | plarsen | I'll setup an up2date mirror tomorrow - if I get time |
01:48.06 | stickster_work | I have a mirror at work that serves FC5, FC6, and Rawhide |
01:48.22 | stickster_work | I just use a homegrown script and rsync to do the heavy lifting nightly |
01:48.38 | plarsen | right - me too :) |
01:48.43 | plarsen | well, script and script |
01:48.46 | plarsen | just a set of commands ;) |
01:48.59 | plarsen | mainly rsync and the buildrepo |
01:49.24 | stickster_work | All right, I'm not getting any work done... need to bug out for a bit. |
01:50.16 | plarsen | :) ok. |
01:50.29 | plarsen | Thanks for the help here ... maybe one day I'll truly understand SElinux :) |
02:04.45 | stickster_work | np |
02:04.54 | stickster_work | It's not as hard as it seems |
02:05.03 | stickster_work | Trust me, I was in exactly the same bind not too long ago |
02:05.23 | stickster_work | Dan Walsh has some great information on the Fedora wiki, but much of it has probably been grabbed in the RHEL5 guide |
14:29.43 | *** join/#fredlug jsmith (n=jsmith@69-94-196-106.biltmorecomm.com) |
15:30.21 | *** join/#fredlug plarsen (n=plarsen@w158.z06400088.was-dc.dsl.cnc.net) |
18:02.53 | jsmith | stickster_work: Dayumn... since when will yelp read DocBook files? |
18:04.19 | jsmith | stickster_work: Is there a yelp-tui by chance? |
18:05.29 | stickster_work | jsmith: Ha, we wish! |
18:05.44 | stickster_work | No, it uses mozilla for the rendering engine I believe |
18:06.08 | stickster_work | yeah, gtkembedmoz |
18:06.22 | stickster_work | I've been using it for this for the better part of a year I think |
18:06.35 | stickster_work | Faster than validate, build, refresh |
18:06.38 | jsmith | Figures... does it use an XSLT stylesheet to render the HTML? Or is it hard-coded? |
18:06.44 | stickster_work | Correct |
18:06.57 | stickster_work | I mean, the first -- /usr/share/yelp/xslt/ |
18:07.10 | jsmith | Man, that XSLT stylesheet is slick! |
18:07.13 | jsmith | I like it. |
18:08.43 | stickster_work | I'm going to try and get some time to hack our FDP XSLT a bit after F7 GA |
18:09.39 | jsmith | Man, the yelp one didn't work with xsltproc |
18:09.48 | jsmith | hmmmn.... be right back |
18:21.32 | stickster_work | jsmith: Yeah, the yelp namespace is probably meaningless outside the yelp program |
18:22.28 | jsmith | So, is there a good XSLT that looks like what yelp shows that I can use with xsltproc? |
18:28.46 | jsmith | Yuck... the output of yelp -> cups-pdf -> PDF file is garbled :-( |
18:32.29 | stickster_work | jsmith: Really? |
18:32.44 | stickster_work | It's a tiny bit plainer (missing admonition icons) in F7 but very readable |
18:34.42 | jsmith | Yes sir... you want I should send output you? |
18:34.50 | stickster_work | sure |
18:36.10 | jsmith | Re-printing, just to make sure it wasn't a doober |
18:38.45 | jsmith | On its way to your gmail acct. |
18:39.44 | jsmith | I'm watching all the Asterisk developers have a gpg key-signing party |
18:41.00 | jsmith | Hmmmn... also appears that yelp doesn't like sidebars |
18:41.51 | stickster_work | You're on slow connection, right? |
18:42.01 | stickster_work | So sending you mine is probably not helpful ;-) |
18:42.54 | stickster_work | haven't received yours yet |
19:05.10 | jsmith | No, I'm on a good connection |
19:05.49 | jsmith | What was the name of that collaborative editor? |
19:06.45 | jsmith | stickster_work: Did it end up on your spam filter? |
19:06.52 | stickster_work | No, I have it |
19:06.56 | stickster_work | Sorry, was away |
19:07.04 | stickster_work | I just rendered it here and it looks just hunky-dory |
19:07.08 | jsmith | As was I.... had to read my gpg fingerprint out loud |
19:07.08 | stickster_work | yelp ch11.xml |
19:07.12 | stickster_work | (Print to PS) |
19:07.22 | jsmith | To PS, or to PDF? |
19:07.31 | stickster_work | ps2pdf -dEmbedAllFonts=true -dPDFSETTINGS=/ebook ch11.ps |
19:07.44 | jsmith | I installed cups-pdf, and printed it to the cups-pdf printer |
19:07.49 | jsmith | Let me try that... |
19:07.50 | stickster_work | Oh, I haven't done that |
19:16.45 | jsmith | Hmmmn... Print to File didn't seem to do anything. |
19:16.52 | jsmith | So I tried to load my whole book in yelp |
19:17.07 | jsmith | Certainly caused my laptop to heat up |
19:20.11 | stickster_work | I'm using Rawhide, so may be differences based on that |
19:20.21 | jsmith | Ah, very well could be |
19:20.26 | jsmith | Did you try with cups-pdf by chance? |
19:20.33 | jsmith | Just curious... I don't mean to waste your time |
19:20.44 | stickster_work | jsmith: Not yet... gimme a sec, trying on home FC6 box |
19:23.35 | jsmith | Oooh... I think I found a bug in Yelp! |
19:25.41 | stickster_work | There's bound to be some :-) |
19:26.36 | jsmith | Well, maybe not... |
19:29.06 | *** join/#fredlug stickster (n=stickste@fedora/stickster) |
19:30.50 | *** join/#fredlug jsmith (n=jsmith@69-94-196-106.biltmorecomm.com) |
19:31.22 | jsmith | Man, I had my laptop working great before the "big crash" |
19:31.35 | jsmith | Now, suspend doesn't work and the wireless flakes out every 15 minutes or so |
19:32.28 | stickster | I remember I had to add some /etc/pm/hooks for suspend in FC6 here |
19:36.59 | jsmith | I don't think I did... but I did mess around with pbbuttonsd and stuff... but I don't think I actually used it. |
19:37.12 | jsmith | Seems like there was some other package for powerbooks that wasn't as invasive as pbbuttonsd |
19:37.18 | jsmith | But I can't remember it |
21:13.20 | *** join/#fredlug jsmith (n=jsmith@69-94-196-204.biltmorecomm.com) |
21:56.04 | *** join/#fredlug stickster_ (n=stickste@fedora/stickster) |
22:01.46 | jsmith | My desktop got really clean when my hard drive crashed |
22:02.06 | stickster_home | heh |
22:02.14 | stickster_home | I've done *that* before, this way is better :-D |
22:02.19 | jsmith | Obviously |
22:02.30 | stickster_home | sorry, didn't mean to laugh at your expense :-( |
22:02.35 | jsmith | No, that's fine |
22:02.52 | stickster_home | "No, no, go on... laugh all you want... I'll be (snif) OK..." |
22:03.20 | jsmith | I chuckled |
22:03.37 | stickster_home | You knew that beagle is being sidelined for F7, right? |
22:03.53 | stickster_home | It'll be there and installable, but its aggressiveness is causing real problems for laptop users |
22:04.17 | stickster_home | Until the developers can start finding better heuristics for deciding when to index, it's not going to default to "on" |
22:05.16 | stickster_home | OK, dinner on the way.... |
22:23.54 | jsmith | Yes, I saw that. |
22:24.23 | jsmith | It's in the manifest, but until it stops eating people's cpus (mine included), it won't get installed except on an upgrade |