IRC log for #fredlug on 20070524

`00:19.06`	`*** join/#fredlug Aaron__ (n=Aaron@pool-72-73-37-194.clppva.east.verizon.net)`
`00:54.40`	`stickster_work`	`plarsen_: Does setsebool -P not work for you?`
`01:00.41`	`plarsen_`	`stickster_work: doesn't look like it`
`01:00.52`	`plarsen_`	`it make no differencde. getsebool returned "true" but it kept refusing access to home directories.`
`01:01.02`	`stickster_work`	`Got audit on?`
`01:01.07`	`plarsen`	`yes`
`01:02.01`	`stickster_work`	`What does audit2allow tell you about the AVC denial?`
`01:02.01`	`plarsen`	`hang on, let me logon`
`01:06.47`	`plarsen`	`May 23 21:06:11 infrastructure setroubleshoot: SELinux is preventing the samba daemon from reading users home directories. For complete SELinux messages. run sealert -l 9e95f311-8008-4162-95e9-390d3e7c9e7d`
`01:07.05`	`stickster_work`	`I wonder if FC4 needs a policy reload`
`01:07.12`	`stickster_work`	`You might need to check the FC4 SELinux FAQ for that`
`01:07.14`	`stickster_work`	`It's been a whlie`
`01:07.14`	`plarsen`	`that's not FC4`
`01:07.17`	`stickster_work`	`*while`
`01:07.20`	`stickster_work`	`Oh?`
`01:07.21`	`plarsen`	`Sorry, I'm always multitasking`
`01:07.24`	`plarsen`	`That's CentOS5`
`01:07.27`	`stickster_work`	`Ah`
`01:07.28`	`plarsen`	`Basically FC6`
`01:07.31`	`stickster_work`	`RHEL5 docs then`
`01:07.48`	`plarsen`	`yep`
`01:08.42`	`plarsen`	`Raw Audit Messages`
`01:08.43`	`plarsen`	`avc: denied { read } for comm="smbd" dev=dm-0 egid=500 euid=500`
`01:08.43`	`plarsen`	`exe="/usr/sbin/smbd" exit=-13 fsgid=500 fsuid=500 gid=0 items=0 name="plarsen"`
`01:08.43`	`plarsen`	`pid=8721 scontext=root:system_r:smbd_t:s0 sgid=0 subj=root:system_r:smbd_t:s0`
`01:08.43`	`plarsen`	`suid=0 tclass=dir tcontext=root:object_r:home_root_t:s0 tty=(none) uid=500`
`01:10.08`	`plarsen`	`what pars do I give "audit2allow" ?`
`01:12.30`	`plarsen`	`allow smbd_t home_root_t:dir { read search };`
`01:12.34`	`plarsen`	`allow smbd_t home_root_t:file getattr;`
`01:12.38`	`plarsen`	`allow smbd_t rpm_script_tmp_t:dir getattr;`
`01:12.42`	`plarsen`	`allow smbd_t rpm_script_tmp_t:file getattr;`
`01:12.46`	`plarsen`	`allow smbd_t samba_share_t:sock_file getattr;`
`01:12.46`	`stickster_work`	`If you bring that to a file, audit2allow -i <file>`
`01:12.50`	`plarsen`	`allow smbd_t tmp_t:file getattr;`
`01:12.54`	`plarsen`	`allow smbd_t tmp_t:sock_file getattr;`
`01:12.58`	`plarsen`	`allow smbd_t xdm_tmp_t:dir getattr;`
`01:12.58`	`plarsen`	`allow smbd_t xdm_tmp_t:file getattr;`
`01:12.59`	`plarsen`	`allow smbd_t xdm_tmp_t:sock_file getattr;`
`01:13.00`	`plarsen`	`allow smbd_t xfs_tmp_t:dir getattr;`
`01:13.00`	`plarsen`	`That's if I just do an audit2allow -i /var/log/audit/audit.log`
`01:13.06`	`stickster_work`	`Yeah, probably too much`
`01:13.07`	`plarsen`	`Didn't know if I needed one of those "analyst" things`
`01:14.44`	`plarsen`	`so does that make any sense to you?`
`01:15.55`	`stickster_work`	`Yeah, but I'm pretty sure that may be grabbing too much`
`01:16.27`	`stickster_work`	`What's your '/usr/sbin/getsebool -a \| grep samba' show?`
`01:17.08`	`plarsen`	`[root@infrastructure ~]# /usr/sbin/getsebool -a \| grep samba`
`01:17.08`	`plarsen`	`samba_enable_home_dirs --> on`
`01:17.08`	`plarsen`	`samba_share_nfs --> off`
`01:17.08`	`plarsen`	`use_samba_home_dirs --> off`
`01:17.27`	`plarsen`	`Didn't know about the last one`
`01:17.30`	`plarsen`	`Is that the issue?`
`01:17.40`	`plarsen`	`I think I read that it may be "remote" use .....`
`01:18.53`	`plarsen`	`nope .. didn'thelp`
`01:23.16`	`stickster_work`	`Yeah, you're correct, that's for home directories via Samba`
`01:23.51`	`plarsen`	`[root@infrastructure ~]# !481`
`01:23.52`	`plarsen`	`/usr/sbin/getsebool -a \| grep samba`
`01:23.53`	`plarsen`	`samba_enable_home_dirs --> on`
`01:23.53`	`plarsen`	`samba_share_nfs --> off`
`01:23.53`	`plarsen`	`use_samba_home_dirs --> on`
`01:24.00`	`plarsen`	`That's now ... .and it still doesn't work.`
`01:24.46`	`plarsen`	`I even tried to enable "samba_share_nfs" and that didn't work either.`
`01:25.08`	`stickster_work`	`plarsen: I don't think that will help this case`
`01:25.17`	`stickster_work`	`plarsen: Can you set Samba to not parse through root's home directory?`
`01:25.43`	`plarsen`	`nope, me neither ....`
`01:25.43`	`stickster_work`	`That seems to be the hangup in the AVC message you posted`
`01:25.43`	`plarsen`	`It shouldn't?`
`01:25.44`	`plarsen`	`Root's home is /root`
`01:25.51`	`stickster_work`	`Ah, wait!`
`01:25.59`	`plarsen`	`the share defines /home/%u`
`01:26.02`	`stickster_work`	`root_home_t is "something in /home with root ownership"`
`01:26.10`	`stickster_work`	`sorry, home_root_t`
`01:26.42`	`stickster_work`	`So check /home for things owned by root`
`01:26.47`	`plarsen`	`besides /home itself, everything is not owned by root`
`01:27.08`	`plarsen`	`[root@infrastructure ~]# ll -a /home`
`01:27.20`	`plarsen`	`total 56`
`01:27.24`	`stickster_work`	`check in /home/plarsen`
`01:27.24`	`plarsen`	`drwxr-xr-x 7 root root 4096 May 18 22:33 .`
`01:27.28`	`plarsen`	`drwxr-xr-x 24 root root 4096 May 23 09:18 ..`
`01:27.32`	`plarsen`	`drwxr-xr-x 2 dpkennedy hms 4096 May 18 22:30 dpkennedy`
`01:27.36`	`plarsen`	`drwxr-xr-x 2 mperedo hms 4096 May 18 22:33 mperedo`
`01:27.48`	`plarsen`	`drwxr-xr-x 2 ngoyal hms 4096 May 18 22:31 ngoyal`
`01:27.50`	`plarsen`	`drwxr-xr-x 2 plarsen hms 4096 May 18 22:26 plarsen`
`01:27.50`	`plarsen`	`drwxr-xr-x 2 vtandale hms 4096 May 18 22:28 vtandale`
`01:28.19`	`plarsen`	`nope ... there's nothin in there but skelton ...`
`01:28.24`	`plarsen`	`3 dot files`
`01:28.28`	`plarsen`	`all owned by the user plarsen`
`01:28.34`	`stickster_work`	`hmm`
`01:29.26`	`plarsen`	`yeah, excatly`
`01:30.06`	`stickster_work`	`find -context 'home_root_t'`
`01:30.22`	`plarsen`	`from what dir?`
`01:30.26`	`plarsen`	`<PROTECTED>`
`01:30.29`	`stickster_work`	`yup`
`01:30.51`	`plarsen`	`all files`
`01:31.30`	`stickster_work`	`well, you could search -type d since the AVC denied is on a dir`
`01:32.02`	`plarsen`	`[root@infrastructure ~]# find /home//plarsen -context 'home_root_t'`
`01:32.03`	`plarsen`	`/home//plarsen`
`01:32.03`	`plarsen`	`/home//plarsen/.bashrc`
`01:32.03`	`plarsen`	`/home//plarsen/.bash_profile`
`01:32.04`	`plarsen`	`/home//plarsen/.bash_logout`
`01:32.14`	`stickster_work`	`those are wrong then`
`01:32.23`	`plarsen`	`looks like it ....`
`01:32.36`	`stickster_work`	`Those should all be user_home_t`
`01:33.05`	`plarsen`	`"restorecon /home" didn't fix it.`
`01:33.10`	`stickster_work`	`And your ls -Z /home shows that plarsen is user_home_dir_t, right?`
`01:33.27`	`plarsen`	`nope ...`
`01:33.30`	`plarsen`	`home_root_t`
`01:33.33`	`plarsen`	`all of them.`
`01:33.37`	`stickster_work`	`That's all wrong then`
`01:33.42`	`stickster_work`	`restorecon -R /home`
`01:33.47`	`stickster_work`	`Needs to be recursive`
`01:34.06`	`plarsen`	`GRRRR - had I know that it would have bene fixed this afternoon;)`
`01:34.13`	`stickster_work`	`man restorecon ;-)`
`01:34.14`	`plarsen`	`ok, they changed ... let's see if that helped.`
`01:34.19`	`plarsen`	`lol - yeah`
`01:34.35`	`plarsen`	`WOOOHOOO`
`01:34.43`	`plarsen`	`Ok ... where did you see the root_t thing?`
`01:34.44`	`stickster_work`	`disco`
`01:34.49`	`stickster_work`	`?`
`01:34.52`	`stickster_work`	`Oh, OK:`
`01:35.04`	`stickster_work`	`21:08:24 < plarsen> avc: denied { read } for comm="smbd" dev=dm-0 egid=500 euid=500`
`01:35.07`	`stickster_work`	`21:08:24 < plarsen> exe="/usr/sbin/smbd" exit=-13 fsgid=500 fsuid=500 gid=0 items=0 name="plarsen"`
`01:35.11`	`stickster_work`	`21:08:24 < plarsen> pid=8721 scontext=root:system_r:smbd_t:s0 sgid=0 subj=root:system_r:smbd_t:s0`
`01:35.14`	`stickster_work`	`21:08:24 < plarsen> suid=0 tclass=dir tcontext=root:object_r:home_root_t:s0 tty=(none) uid=500`
`01:36.02`	`plarsen`	`I wonder if useradd has a bug ..... they were just created today`
`01:36.08`	`stickster_work`	`So that says that smbd had a problem reading a dir object named "plarsen" which is a directory, where it hit a context of root:object_r:home_root_t, which is disallowed`
`01:36.19`	`stickster_work`	`Did you maybe have selinux disabled when you did the useradds?`
`01:36.29`	`plarsen`	`no`
`01:36.31`	`stickster_work`	`Hm, no, that would have been no context`
`01:36.43`	`plarsen`	`It was quite a while before I relized it was an se error`
`01:36.54`	`plarsen`	`I've been staring at the smb message that it was denied access to /home/plarsen`
`01:37.21`	`stickster_work`	`It sometimes helps to have SELinux messages for audit get echoed to all terminals if you're not using a desktop`
`01:37.53`	`plarsen`	`well, I am - this is actually running in aVM ... I do most of my stuff from terminals.`
`01:38.07`	`plarsen`	`I got the stuff into the /var/log/messages now ... so I'll see the messages`
`01:38.21`	`plarsen`	`Which is good .... it's the first log file I consult.`
`01:38.31`	`stickster_work`	`Yeah, or just tail the audit.log somewhere while you work`
`01:38.51`	`stickster_work`	`This is a very good use of D-Bus by the setroubleshoot/sealert stuff -- you can see problems pop up a notification when they happen`
`01:39.13`	`plarsen`	`I had a DNS error message that I finally found was due to IPv6 ... it was flooding my logfiles.`
`01:39.30`	`plarsen`	`I've seen them; but you only see "but so many" :)`
`01:39.46`	`plarsen`	`If multiple stuff happens you still have to load the program. But I'm glad it's getting more automated.`
`01:39.50`	`stickster_work`	`So that AVC message tells you the name of the object being accessed, the scontext (source context), the tcontext (target context), and of course other factors`
`01:40.05`	`plarsen`	`I actually generated policies today to allow samba to share non /home files.`
`01:40.05`	`stickster_work`	`Also class (type of object, like "dir", "file", "pipe", etc.)`
`01:40.40`	`plarsen`	`and as long as you remember the base policies that SHOULD be in effect, you can look for abnormalities.`
`01:41.07`	`plarsen`	`I like the 'sealert' command`
`01:41.21`	`plarsen`	`Very nice and detailed output. Even a little hint, although that didn't help me this time.`
`01:41.50`	`plarsen`	`Are the bools I've set permanent?`
`01:41.55`	`plarsen`	`sebools*`
`01:42.06`	`stickster_work`	`Yes, if you used setsebool -P`
`01:42.12`	`stickster_work`	`But you can disable them the same way`
`01:42.28`	`stickster_work`	`Otherwise they persist until changed during this uptime`
`01:42.42`	`stickster_work`	`By you or a policy change`
`01:42.47`	`plarsen`	`figured so. I looked for a config file, but didn't find it.`
`01:43.14`	`stickster_work`	`Yeah, the policy is in /etc/selinux/targeted/policy/policy.*`
`01:43.20`	`stickster_work`	`compiled form, tho'`
`01:43.23`	`plarsen`	`So how would I export selinux settings and import them on a different system?`
`01:43.36`	`plarsen`	`yeah, binary ;)`
`01:44.42`	`stickster_work`	`You may need the tools package for that`
`01:44.55`	`stickster_work`	`I think it's selinux-policy-devel`
`01:45.26`	`plarsen`	`good thinking:)`
`01:45.38`	`plarsen`	`GOASH - I love my local yum mirror :)`
`01:45.47`	`stickster_work`	`Yup, life with 'em is good`
`01:46.45`	`stickster_work`	`You may want to check out http://www.gurulabs.com/goodies/YUM_automatic_local_mirror.php for some ideas`
`01:47.01`	`stickster_work`	`Also mirrormanager`
`01:47.37`	`plarsen`	`uhmmm - I did get it working though. A bit of trial and error. However, I didn't make it able to deal with multiple releases ...`
`01:47.54`	`plarsen`	`I'll setup an up2date mirror tomororw - if I get time`
`01:48.06`	`stickster_work`	`I have a mirror at work that serves FC5, FC6, and Rawhide`
`01:48.22`	`stickster_work`	`I just use a homegrown script and rsync to do the heavy lifting nightly`
`01:48.38`	`plarsen`	`right - me too :)`
`01:48.43`	`plarsen`	`well, script and script`
`01:48.46`	`plarsen`	`just a set of commands ;)`
`01:48.59`	`plarsen`	`mainly rsync and the buildrepo`
`01:49.24`	`stickster_work`	`All right, I'm not getting any work done... need to bug out for a bit.`
`01:50.16`	`plarsen`	`:) ok.`
`01:50.29`	`plarsen`	`Thanks for the help here ... maybe one day I'll truely understand SElinux :)`
`02:04.45`	`stickster_work`	`np`
`02:04.54`	`stickster_work`	`It's not as hard as it seems`
`02:05.03`	`stickster_work`	`Trust me, I was in exactly the same bind not too long ago`
`02:05.23`	`stickster_work`	`Dan Walsh has some great information on the Fedora wiki, but much of it has probably been grabbed in the RHEL5 guide`
`14:29.43`	`*** join/#fredlug jsmith (n=jsmith@69-94-196-106.biltmorecomm.com)`
`15:30.21`	`*** join/#fredlug plarsen (n=plarsen@w158.z06400088.was-dc.dsl.cnc.net)`
`18:02.53`	`jsmith`	`stickster_work: Dayumn... since when will yelp read DocBook files?`
`18:04.19`	`jsmith`	`stickster_work: Is there a yelp-tui by chance?`
`18:05.29`	`stickster_work`	`jsmith: Ha, we wish!`
`18:05.44`	`stickster_work`	`No, it uses mozilla for the rendering engine I believe`
`18:06.08`	`stickster_work`	`yeah, gtkembedmoz`
`18:06.22`	`stickster_work`	`I've been using it for this for the better part of a year I think`
`18:06.35`	`stickster_work`	`Faster than validate, build, refresh`
`18:06.38`	`jsmith`	`Figures... does it use an XSLT stylesheet to render the HTML? Or is it hard-coded?`
`18:06.44`	`stickster_work`	`Correct`
`18:06.57`	`stickster_work`	`I mean, the first -- /usr/share/yelp/xslt/`
`18:07.10`	`jsmith`	`Man, that XSLT stylesheet is slick!`
`18:07.13`	`jsmith`	`I like it.`
`18:08.43`	`stickster_work`	`I'm going to try and get some time to hack our FDP XSLT a bit after F7 GA`
`18:09.39`	`jsmith`	`Man, the yelp one didn't work with xsltproc`
`18:09.48`	`jsmith`	`hmmmn.... be right back`
`18:21.32`	`stickster_work`	`jsmith: Yeah, the yelp namespace is probably meaningless outside the yelp program`
`18:22.28`	`jsmith`	`So, is there a good XSLT that looks like what yelp shows that I can use with xsltproc?`
`18:28.46`	`jsmith`	`Yuck... the output of yelp -> cups-pdf -> PDF file is garbled :-(`
`18:32.29`	`stickster_work`	`jsmith: Really?`
`18:32.44`	`stickster_work`	`It's a tiny bit plainer (missing admonition icons) in F7 but very readable`
`18:34.42`	`jsmith`	`Yes sir... you want I should send output you?`
`18:34.50`	`stickster_work`	`sure`
`18:36.10`	`jsmith`	`Re-printing, just to make sure it wasn't a doober`
`18:38.45`	`jsmith`	`On its way to your gmail acct.`
`18:39.44`	`jsmith`	`I'm watching all the Asterisk developers have a gpg key-signing party`
`18:41.00`	`jsmith`	`Hmmmn... also appears that yelp doesn't like sidebars`
`18:41.51`	`stickster_work`	`You're on slow connection, right?`
`18:42.01`	`stickster_work`	`So sending you mine is probably not helpful ;-)`
`18:42.54`	`stickster_work`	`haven't received yours yet`
`19:05.10`	`jsmith`	`No, I'm on a good connection`
`19:05.49`	`jsmith`	`What was the name of that collaborative editor?`
`19:06.45`	`jsmith`	`stickster_work: Did it end up on your spam filter?`
`19:06.52`	`stickster_work`	`No, I have it`
`19:06.56`	`stickster_work`	`Sorry, was away`
`19:07.04`	`stickster_work`	`I just rendered it here and it looks just hunky-dory`
`19:07.08`	`jsmith`	`As was I.... had to read my gpg fingerprint out loud`
`19:07.08`	`stickster_work`	`yelp ch11.xml`
`19:07.12`	`stickster_work`	`(Print to PS)`
`19:07.22`	`jsmith`	`To PS, or to PDF?`
`19:07.31`	`stickster_work`	`ps2pdf -dEmbedAllFonts=true -dPDFSETTINGS=/ebook ch11.ps`
`19:07.44`	`jsmith`	`I installed cups-pdf, and printed it to the cups-pdf printer`
`19:07.49`	`jsmith`	`Let me try that...`
`19:07.50`	`stickster_work`	`Oh, I haven't done that`
`19:16.45`	`jsmith`	`Hmmmn... Print to File didn't seem to do anything.`
`19:16.52`	`jsmith`	`So I tried to load my whole book in yelp`
`19:17.07`	`jsmith`	`Certainly caused my laptop to heat up`
`19:20.11`	`stickster_work`	`I'm using Rawhide, so may be differences based on that`
`19:20.21`	`jsmith`	`Ah, very well could be`
`19:20.26`	`jsmith`	`Did you try with cups-pdf by chance?`
`19:20.33`	`jsmith`	`Just curious... I don't mean to waste your time`
`19:20.44`	`stickster_work`	`jsmith: Not yet... gimme a sec, trying on home FC6 box`
`19:23.35`	`jsmith`	`Oooh... I think I found a bug in Yelp!`
`19:25.41`	`stickster_work`	`There's bound to be some :-)`
`19:26.36`	`jsmith`	`Well, maybe not...`
`19:29.06`	`*** join/#fredlug stickster (n=stickste@fedora/stickster)`
`19:30.50`	`*** join/#fredlug jsmith (n=jsmith@69-94-196-106.biltmorecomm.com)`
`19:31.22`	`jsmith`	`Man, I had my laptop working great before the "big crash"`
`19:31.35`	`jsmith`	`Now, suspend doesn't work and the wirless flakes out every 15 minutes or so`
`19:32.28`	`stickster`	`I remember I had to add some /etc/pm/hooks for suspend in FC6 here`
`19:36.59`	`jsmith`	`I don't think I did... but I did mess around with pbbuttonsd and stuff... but I don't think I actually used it.`
`19:37.12`	`jsmith`	`Seems like there was some other package for powerbooks that wasn't as invasive as pbbuttonsd`
`19:37.18`	`jsmith`	`But I can't remember it`
`21:13.20`	`*** join/#fredlug jsmith (n=jsmith@69-94-196-204.biltmorecomm.com)`
`21:56.04`	`*** join/#fredlug stickster_ (n=stickste@fedora/stickster)`
`22:01.46`	`jsmith`	`My desktop got really clean when my hard drive crashed`
`22:02.06`	`stickster_home`	`heh`
`22:02.14`	`stickster_home`	`I've done that before, this way is better :-D`
`22:02.19`	`jsmith`	`Obviously`
`22:02.30`	`stickster_home`	`sorry, didn't mean to laugh at your expense :-(`
`22:02.35`	`jsmith`	`No, that's fine`
`22:02.52`	`stickster_home`	`"No, no, go on... laugh all you want... I'll be (snif) OK..."`
`22:03.20`	`jsmith`	`I chuckled`
`22:03.37`	`stickster_home`	`You knew that beagle is being sidelined for F7, right?`
`22:03.53`	`stickster_home`	`It'll be there and installable, but its aggressiveness is causing real problems for laptop users`
`22:04.17`	`stickster_home`	`Until the developers can start finding better heuristics for deciding when to index, it's not going to default to "on"`
`22:05.16`	`stickster_home`	`OK, dinner on the way....`
`22:23.54`	`jsmith`	`Yes, I saw that.`
`22:24.23`	`jsmith`	`It's in the manifest, but until it stops eating people's cpus (mine included), it won't get installed except on an upgrade`

Generated by irclog2html.pl Modified by Tim Riker to work with infobot.