00:56.55 | stickster | jsmith: Sorry I ran away earlier |
00:56.57 | jsmith | stickster: Another silly question, when you've got a second |
00:57.06 | *** part/#fredlug jsmith (n=jsmith@72.21.36.138) |
00:57.09 | *** join/#fredlug jsmith (n=jsmith@72.21.36.138) |
00:57.13 | jsmith | Ugh... |
00:57.15 | stickster | heh |
00:57.17 | jsmith | curses his trackpad |
00:57.32 | stickster | So... I'm puzzled still by your first problem. |
00:57.39 | jsmith | I had to run to Scouts and teach a bunch of wild kids how to do first aid |
00:57.50 | jsmith | Me too... but for now I'll just mount the ISO locally instead |
00:58.17 | *** part/#fredlug jsmith (n=jsmith@72.21.36.138) |
00:58.24 | *** join/#fredlug jsmith (n=jsmith@72.21.36.138) |
00:58.26 | jsmith | Ugh, again |
00:58.29 | stickster | o noez! gremlinz iz in ur box |
00:58.41 | jsmith | No, it's something I'm hitting on this trackpad |
00:58.51 | jsmith | My palms hit and somehow close the window |
00:59.06 | stickster | Bummer |
00:59.06 | jsmith | Anyhoo.. I've run into a more perplexing problem |
00:59.26 | jsmith | I'm up against the "SELinux wants the disk images in /var/lib/xen/images" problem |
00:59.51 | jsmith | I've got the disk image there, and I've run restorecon -R -V /var/lib/xen just to make sure everything is labeled correctly |
01:00.00 | jsmith | But SELinux is still denying access |
01:00.58 | stickster | jsmith: Can you pastebin the last dozen lines or so in the audit.log after hitting the images? |
01:01.08 | jsmith | Absolutely! |
01:02.26 | jsmith | http://selinux.pastebin.com/d2fd6b8e1 |
01:04.33 | jsmith | feels as if the fates are out to get him today |
01:11.35 | stickster | It's funny that there's a whole separate subdomain for selinux on pastebin.com. |
01:13.40 | stickster | jsmith: What if you move that image to /var/lib/libvirt/images? |
01:14.08 | jsmith | Trying that now... |
01:14.10 | stickster | (which should relabel it with type virt_image_t |
01:14.13 | stickster | ) |
01:16.35 | jsmith | Well, I had to restorecon it again |
01:16.38 | jsmith | But that appears to have worked |
01:16.43 | jsmith | I guess my docs were out of date |
01:16.50 | jsmith | Ugh... now it can't read my ISO |
01:17.16 | stickster | ? |
01:17.31 | stickster | Oh yeah. |
01:17.35 | jsmith | host=localhost.localdomain type=AVC msg=audit(1210727702.399:75): avc: denied { read } for pid=4082 comm="qemu-kvm" name="Bootcamp.img" dev=dm-0 ino=206435 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:xen_image_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1210727702.399:75): arch=40000003 syscall=5 success=no exit=-13 a0=bfd7f7e0 a1=8000 a2=0 a3=8000 items=0 ppid=2362 pid=4082 auid=4294967295 uid=0 gid=0 euid=0 suid |
01:17.36 | jsmith | =0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null) |
01:18.05 | stickster | Ah. May not have relabeled it. If you do 'ls -Z bootcamp.img' do you see xen_image_t still? |
01:18.07 | jsmith | Oops, that was the old one |
01:18.10 | stickster | ah |
01:18.12 | jsmith | host=localhost.localdomain type=AVC msg=audit(1210727830.494:82): avc: denied { getattr } for pid=4130 comm="qemu-kvm" path="/home/jsmith/Download/CentOS-5.1-i386-bin-DVD.iso" dev=dm-1 ino=272895 scontext=system_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1210727830.494:82): arch=40000003 syscall=195 success=no exit=-13 a0=bff4b9b0 a1=bff49000 a2=9dfff4 a3=a369138 items=0 |
01:18.13 | jsmith | ppid=2362 pid=4130 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null) |
01:18.16 | stickster | yup |
01:18.31 | stickster | You know, I'm sure there's a way to bind mounts or something that would work |
01:18.43 | stickster | I didn't work hard enough at figuring it out. |
01:18.53 | stickster | So I just moved the image to /var/lib/libvirt/images alongside the HDD image. |
01:19.01 | jsmith | I'm not mounting that ISO... I'm just pointing virt-manager at it |
01:19.06 | stickster | s/moved the image/moved the ISO image/ |
01:19.11 | jsmith | Ah... |
01:19.24 | jsmith | At this rate, I'll never get anything installed tonight :-( |
01:19.35 | stickster | I *know* there's a way to solve that easier. I just haven't figured it out yet. |
01:19.57 | stickster | Well, one way would be to create yourself a special policy module for ISOs in your home directory |
01:20.07 | stickster | basically allowing qemu-kvm to read stuff in the user_home_t type. |
01:20.11 | jsmith | Ugh... like I'm smart enough to do that |
01:20.16 | stickster | Let me see, where are the commands for that... |
01:20.21 | jsmith | Shoot... I can't restorecon myself out of a wet paper bag |
01:20.23 | stickster | It's in the SELinux doc stuff |
01:20.26 | stickster | Nah, it's actually easy |
01:20.34 | jsmith | I'll just move the ISO |
01:20.35 | stickster | What's silly is there are like five commands you have to run, like a recipe |
01:20.45 | stickster | I wonder why there isn't a helper for it. |
01:20.45 | jsmith | If it's something you don't know off the top of your head, it ain't worth me knowing how |
01:20.59 | stickster | Probably they don't have a helper because this is, you know, *security* :-D |
01:21.10 | stickster | No! If it's easy you're Doing It Wrong |
01:21.25 | stickster | (the security guy's mantra) |
01:30.30 | jsmith | And, with that, we're off to the races. |
01:30.50 | jsmith | Thanks for pulling me through... I was sorely tempted to just say "setenforce 0" and follow the path of least resistance |
01:36.44 | stickster | jsmith: awesome |
01:36.50 | stickster | I had to face this too. |
01:36.58 | jsmith | Ugh... more problems ;-( |
01:37.01 | *** join/#fredlug nmcbride (n=nmcbride@c-76-27-172-185.hsd1.va.comcast.net) |
01:37.18 | stickster | jsmith: do tell |
01:37.21 | jsmith | So I still had a network URL in my kickstart script |
01:37.33 | jsmith | And so anaconda barfed, and I had to restart the VM |
01:37.48 | jsmith | Is there an easy way to tell it "Hey, restart in install off the local media"? |
01:37.55 | jsmith | s/in install/an install/ |
01:37.59 | nmcbride | stickster: if u ever get a free moment I could really use ur help troubleshooting my stupid network problem. It's getting really frustrating. |
01:38.10 | jsmith | Or should I just go all the way through virt-manager again? |
01:38.46 | stickster | jsmith: Hm, I'm not sure. I thought if it can't find the install source it would drop back to a dialog asking you for one. |
01:39.00 | jsmith | Only if it can't find the kickstart script |
01:39.07 | stickster | Oh right. |
01:39.14 | stickster | Yeah, restarting's probably the quickest cure. |
01:39.14 | jsmith | But if it finds the kickstart script, gets the url, and the files aren't there... |
01:39.17 | stickster | nmcbride: what's up? |
01:39.38 | nmcbride | stickster: even on F9, wep / wpa keeps disconnecting after a few minutes... |
01:39.54 | stickster | nmcbride: Hm. |
01:40.07 | stickster | I don't know what to tell you |
01:40.12 | stickster | I'm using F9 here with iwl3945 |
01:40.35 | stickster | I've used WEP and WPA and they work for me. |
01:40.51 | stickster | nmcbride: What's the NIC? |
01:41.00 | nmcbride | intel ipw2200 abg |
01:43.42 | stickster | hrm |
02:24.29 | nmcbride | stickster: what can I do to watch it? If I can find out what it's doing I can fix it. |
02:25.04 | stickster | Hmm, you could reinsert the module with debug=1 |
02:25.10 | stickster | (or more) |
02:25.20 | stickster | It might be debug=255 |
02:25.22 | stickster | no idea. |
02:25.25 | nmcbride | so like |
02:25.40 | nmcbride | modprobe ipw2200 --debug=255? |
02:25.42 | stickster | sudo /sbin/modprobe -r ipw2200 ; sudo /sbin/modprobe ipw2200 debug=255 |
02:25.48 | stickster | no dashes, it's not a command line |
02:25.49 | nmcbride | ah |
02:25.53 | stickster | er, CLI switch |
02:26.07 | stickster | You can find available flags like that with /sbin/modinfo <module_name> |
02:26.14 | nmcbride | oh cool |
02:26.24 | stickster | is beat, hitting the hay. |
02:26.35 | stickster | Up till 1:30am one weeknight a week is my limit. |
02:26.40 | nmcbride | wow... |
02:26.43 | nmcbride | log of wifi crap in dmesg |
02:26.58 | nmcbride | just a short bit |
02:26.59 | nmcbride | wlan0: authenticate with AP 00:11:95:4b:53:9f |
02:26.59 | nmcbride | wlan0: RX authentication from 00:11:95:4b:53:9f (alg=0 transaction=2 status=0) |
02:26.59 | nmcbride | wlan0: authenticated |
02:26.59 | nmcbride | wlan0: associate with AP 00:11:95:4b:53:9f |
02:26.59 | nmcbride | wlan0: RX ReassocResp from 00:11:95:4b:53:9f (capab=0x431 status=0 aid=2) |
02:27.00 | nmcbride | wlan0: associated |
02:27.02 | nmcbride | wlan0: switched to short barker preamble (BSSID=00:11:95:4b:53:9f) |
02:27.04 | nmcbride | wlan0: disassociate(reason=3) |
02:27.15 | nmcbride | oh >< ok |
02:46.34 | *** join/#fredlug nmcbride (n=nmcbride@c-76-27-172-185.hsd1.va.comcast.net) |
02:46.57 | *** part/#fredlug nmcbride (n=nmcbride@c-76-27-172-185.hsd1.va.comcast.net) |
12:45.33 | *** join/#fredlug plarsen (n=plarsen@ip65-46-125-186.z125-46-65.customer.algx.net) |
14:18.32 | *** join/#fredlug bit2man (n=plarsen@ip65-46-125-186.z125-46-65.customer.algx.net) |
17:30.57 | *** join/#fredlug nombyte (n=nmcbride@ip65-46-125-186.z125-46-65.customer.algx.net) |
20:10.17 | nombyte | stickster: sigh |
20:10.27 | nombyte | :D |