selinux question(s) (/home really = /n/home..)

Matt Nicholson sjoeboo at sjoeboo.com
Wed Nov 5 15:15:22 UTC 2008


Right, but I'm on a fully updated F9. I got the F10 libxcb package
updated/installed, and all seems to be well. Kinda a bit hack-y to add to my
image/kickstart, but, if it works, it works, and I'll be rebuilding an F10
version as soon as it's out, I'm sure.

Thanks for the help!

Matt
On Wed, Nov 5, 2008 at 8:44 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

> Matt Nicholson wrote:
> > output from /var/log/messages as I try to login as guest user: (xguest):
> >
> > Nov  4 14:13:15 dhcp-0016533596-c5-74 gconfd (gdm-2932): Exiting
> > Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused subsystem ns
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): starting (version 2.22.0), pid 3121 user 'xguest'
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address "xml:readwrite:/home/xguest/.gconf" to a writable configuration source at position 1
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400 audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148 comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit RLIMIT_CORE: Permission denied
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 acpid: client connected from 3229[0:0]
> > Nov  4 14:13:17 dhcp-0016533596-c5-74 kernel: mtrr: base(0xd0000000) is not aligned on a size(0x3e80000) boundary
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): starting (version 2.22.0), pid 3258 user 'gdm'
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address "xml:readonly:/etc/gconf/gconf.xml.system" to a read-only configuration source at position 1
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address "xml:readonly:/var/lib/gdm/.gconf.mandatory" to a read-only configuration source at position 2
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address "xml:readwrite:/var/lib/gdm/.gconf" to a writable configuration source at position 3
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 4
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting value for `/apps/gnome-screensaver/power_management_delay': Can't overwrite existing read-only value: Value for `/apps/gnome-screensaver/power_management_delay' set in a read-only source at the front of your configuration path
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting value for `/apps/gnome-screensaver/power_management_delay': Can't overwrite existing read-only value: Value for `/apps/gnome-screensaver/power_management_delay' set in a read-only source at the front of your configuration path
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: polkit.c: Cannot set UID on session object.
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: Called SUID root and real-time/high-priority scheduling was requested in the configuration. However, we lack the necessary priviliges:
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: We are not in group 'pulse-rt' and PolicyKit refuse to grant us priviliges. Dropping SUID again.
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: For enabling real-time scheduling please acquire the appropriate PolicyKit priviliges, or become a member of 'pulse-rt', or increase the RLIMIT_NICE/RLIMIT_RTPRIO resource limits for this user.
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: setrlimit(RLIMIT_RTPRIO, (9, 9)) failed: Operation not permitted
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: alsa-util.c: Device front:0 doesn't support 44100 Hz, changed to 44099 Hz.
> >
> > Obviously, the things that stick out in there are the:
> >
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400 audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148 comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit RLIMIT_CORE: Permission denied
> >
> > and:
> >
> > Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused subsystem ns
> >
> > More specifically, the sealert says:
> >
> > SELinux is preventing dbus-daemon (xguest_dbusd_t) "read write" to socket
> > (xguest_t).
> >
> >
> >
> > On Tue, Nov 4, 2008 at 2:03 PM, Matt Nicholson <sjoeboo at sjoeboo.com> wrote:
> >
> >> Yes, all up to date. A new build from my kickstart is finishing updating
> >> right now (had to add oddjob/turn it on by default). Once it's done I'll
> >> send what info I can.
> >>
> >> Before, I was getting an selinux alert/error, but I generated and loaded a
> >> local policy, which took care of the selinux alert, but still didn't fix
> >> xguest (it just bounces back out to GDM).
> >>
> >> More coming soon. Thanks for all the help!
> >>
> >>
> >>
> >> On Tue, Nov 4, 2008 at 1:54 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >>
> > Matt Nicholson wrote:
> >>>>> Right, that did it (after I started the oddjobd service, that is).
> >>>>>
> >>>>> Now, the original reason I turned selinux back on was to use
> >>>>> xguest....sadly, this isn't working still...
> >>>>>
> > Why not?  Are you fully up2date?
> >
> > xguest should be working on F9 and F10 right now.
> >
> > <SNIP>
> >>>
> - --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines:
> http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
> >>>
> >>
>
> I don't think you have all the packages that are in the final release of
> F10.  Since the AVC you are talking about is fixed and the libxcb
> package should be there also.
>
> selinux-policy-3.5.13-11.fc10
> libxcb-1.1.91-5.fc10
>
>
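
Added example (not part of the original thread): a small Python parser that pulls AVC denials such as the one quoted above out of syslog text and renders each as an allow rule in the form audit2allow emits, which is the kind of rule the generated local policy mentioned earlier would contain. The sample lines are taken from the post and re-joined after e-mail wrapping; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: three syslog lines from the post, re-joined after e-mail wrapping.
SAMPLE = """\
Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): starting (version 2.22.0), pid 3121 user 'xguest'
Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400 audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148 comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit RLIMIT_CORE: Permission denied
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one log line; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    source = type_of(fields.get("scontext", ""))
    target = type_of(fields.get("tcontext", ""))
    if not (source and target and "tclass" in fields):
        return None  # truncated or malformed record
    return {"comm": fields.get("comm", "?"), "source": source, "target": target,
            "tclass": fields["tclass"], "perms": m.group("perms").split()}

def allow_rules(text):
    """Merge denials per (source, target, class) and render allow rules."""
    merged = defaultdict(set)
    for denial in filter(None, map(parse_avc, text.splitlines())):
        key = (denial["source"], denial["target"], denial["tclass"])
        merged[key].update(denial["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE):
        print(rule)
```

Reading the rule this way shows exactly what a local module would permit (here, dbus-daemon in `xguest_dbusd_t` using a socket owned by `xguest_t`), which is worth checking before loading it rather than taking the updated selinux-policy package named in the reply.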