Is SELinux resetting permissions?
Anne Wilson
cannewilson at tiscali.co.uk
Sun Feb 26 15:15:42 UTC 2006
On Sunday 26 February 2006 14:05, Stuart Sears wrote:
> On Sunday 26 February 2006 11:34, Anne Wilson wrote:
> > SELinux is installed but disabled, according to
> > system-config-services,
>
> I hope you mean system-config-securitylevel :)
Oops - yes.
> getenforce (as root) will confirm this for you. It will report
> Disabled, Permissive, or Enforcing.
It reports Disabled.
> only the 3rd of these will cause SELinux to forbid actions on your
> system.
> is this FC3 or FC4 or one of the FC5 test releases?
>
This is FC4.
> > yet I have problems with permissions which
> > appear to get re-set. When I change the permissions attributes of a
> > folder I always get an error dialogue. The perms appear to change,
> > but later I find that they have been re-set. This makes sharing
> > folders difficult if I want to enforce owner/group attributes.
>
> which folders* are these?
> do they belong to you (your current logged-in user)?
On the server box, there is a public directory at top level, /Public and also a
public directory below my home, /home/anne/Anne-Public (different purposes).
> how are you changing their permissions?
In both those cases I was using kdesu konqueror. I've changed perms on quite
a few files and directories, some from konqueror and some from the CLI, that
have been fine, but others give me that error dialogue, and they seem to
revert. I haven't kept a record of which ones stick and which ones don't, so
perhaps I should.
Another thing that I've noticed when changing permissions recursively in my
own directory is that some branches follow through, while others cause the
error and do not get changed.
> are they mountpoints created automatically by udev?
> exactly what do the error messages say?
>
Nothing useful - just 'Error -' and the name of the file/directory.
> > Is this being caused by SELinux or something else?
>
> are you seeing errors in /var/log/audit/audit.log?
I don't think there's anything that relates to this. There are a bunch like

type=USER_CHAUTHTOK msg=audit(1139487880.406:1865302): user pid=5883 uid=0
auid=4294967295 msg='useradd: op=adding user acct=dbus res=failed'

a couple like

type=USER_AUTH msg=audit(1139506523.247:6): user pid=2571 uid=0
auid=4294967295 msg='PAM authentication: user=?
exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
result=Authentication failure)'

and a few cups problems like

type=USER_AUTH msg=audit(1139680324.390:85): user pid=2101 uid=0
auid=4294967295 msg='PAM authentication: user=root
exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Authentication
failure)'

type=USER_AUTH msg=audit(1139680396.628:86): user pid=2101 uid=0
auid=4294967295 msg='PAM authentication: user=root
exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Success)'

> AFAIK SELinux does not change the standard UNIX-style permissions on
> files or directories.
>
I wondered if certain files/directories were protected by default. I also
wondered if I have imported problems when copying files across from my old
Mandriva installation.
My plan was to keep SELinux out of the picture until I was sure everything was
behaving correctly, then introduce it when I could study and control the
effects. This is new to me. I've used a firewall before, shorewall, but
that's all. The software firewall is secondary to the hardware one. I could
also be being influenced by my experiences with Mandriva's msec, where you
had to exclude certain things specifically if you didn't want them to be
controlled ;-)
Anne
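
An added example, not part of the original message: a small Python triage of /var/log/audit/audit.log records like the ones quoted above. It rejoins the mail-wrapped lines and separates SELinux record types (AVC and related) from the PAM and useradd records. The AVC line and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Audit record types produced by SELinux (kernel AVC, userspace AVC, policy events).
SELINUX_TYPES = {"AVC", "USER_AVC", "SELINUX_ERR", "MAC_STATUS",
                 "MAC_POLICY_LOAD", "MAC_CONFIG_CHANGE"}
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")

def rejoin(lines):
    """Merge mail-wrapped continuation lines back into one record each."""
    records = []
    for line in (l.strip() for l in lines):
        if not line:
            continue
        if HEADER.match(line) or not records:
            records.append(line)       # a new record starts here
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def triage(text):
    """Return (Counter of record types, list of SELinux-related records)."""
    counts, selinux = Counter(), []
    for rec in rejoin(text.splitlines()):
        m = HEADER.match(rec)
        if not m:
            continue                   # stray text, not an audit record
        counts[m.group(1)] += 1
        if m.group(1) in SELINUX_TYPES:
            selinux.append(rec)
    return counts, selinux

# Two of the records quoted in the message, wrapped as they appear there.
PAGE_SAMPLE = """\
type=USER_CHAUTHTOK msg=audit(1139487880.406:1865302): user pid=5883 uid=0
auid=4294967295 msg='useradd: op=adding user acct=dbus res=failed'
type=USER_AUTH msg=audit(1139506523.247:6): user pid=2571 uid=0
auid=4294967295 msg='PAM authentication: user=?
exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
result=Authentication failure)'
"""

# Constructed AVC denial for contrast; it does not come from the message.
CONSTRUCTED_AVC = ('type=AVC msg=audit(1139700000.000:99): avc:  denied  '
                   '{ setattr } for  pid=4242 comm="chmod" name="Public" '
                   'scontext=user_u:system_r:unconfined_t '
                   'tcontext=system_u:object_r:default_t tclass=dir\n')

if __name__ == "__main__":
    counts, selinux = triage(PAGE_SAMPLE + CONSTRUCTED_AVC)
    print(dict(counts), "SELinux-related records:", len(selinux))
```
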