Gene Heskett wrote:
On Monday 24 April 2006 16:27, Paul Howarth wrote:
[...]
You might find selinux denial messages in /var/log/messages - search
for the string "avc: denied" (note the two spaces after the colon).
You can also check to make sure it's an SELinux problem by doing
"setenforce 0" and see if there's still a problem.
Yeee Gods, the log is drowning in them, and what's more, logrotate isn't
rotating the logs. I thought anacron was supposed to take care of
that?
Anyway, here's the last few minutes of the log:
(unrelated stuff snipped)
Apr 24 18:41:45 diablo kernel: audit(1145918505.112:334): avc:  denied  { execmod } for  pid=4250 comm="java" name="libawt.so" dev=hda5 ino=9561458 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:tmp_t:s0 tclass=file
This Java library is running in the default "unconfined_t", which
doesn't allow "execmod". Java should run in its own domain, which would
then allow this. The reason that no transition has happened is probably
either:
1. Java was installed using a non-SELinux-aware installer (rpm is
SELinux-aware for instance) and hence files didn't have the correct
contexts set, or
2. Java was installed into a non-standard place, which would also result
in the wrong file contexts being set.
You might also try my Java HOWTO:
http://www.city-fan.org/tips/JpackageJava
I'll take a look at that.
As you've found, installing Java using the JPackage RPMs does not result
in these issues.
> But first I've got to get logrotate to rotate
the friggin log, it must be a megabyte or more. No, actually it's
rapidly approaching 4 megs, dating back to when I installed FC5 I
think. 4/16
WTF is this?
[root@diablo etc]# cron.daily/logrotate
error: freshclam:8 unknown user 'clamav'
and it dies instantly. This is getting frustrating. According to that
log I had yum install clamav on the 20th. If clamav needs a user
clamav, why the heck didn't it make one?
The user is created by the preinstall script of the clamav-data package
in Extras. Are you using some other clamav package?
Looking in the firefox plugins dir after installing j2se-1.5.0.6 and
copying the ns7 version of the libjavaplugins.so
to /usr/lib/firefox-version/plugins I see:
[root@diablo plugins]# ls -lZ
-rwxr-xr-x  root root root:object_r:lib_t             libjavaplugin_oji.so
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t libnullplugin.so
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t libunixprintplugin.so
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t nppdf.so
Now, maybe I'm slow this morning, but my reading of the semanage
manpage makes no mention of setting a 'default' that a relabel will
leave alone.
Using semanage you can change policy for file contexts amongst other
things. This affects the contexts applied to files using restorecon
etc.
I've used chcon to set libjavaplugin_oji.so to textrel_shlib_t:
[root@diablo plugins]# ls -lZ
-rwxr-xr-x  root root root:object_r:textrel_shlib_t     libjavaplugin_oji.so
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t libnullplugin.so
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t libunixprintplugin.so
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t nppdf.so
but how do I change it from root: to system_u:? (I'm assuming that
will allow all users as opposed to just root to use it)
The "root" doesn't matter. In targeted policy you only need worry
about the type, not the user.
If you really want to change it though, try:
# chcon system_u:object_r:textrel_shlib_t libjavaplugin_oji.so
And FWIW, This change did not enable java in the firefox plugins
listings.
And how do we make it permanent in the face of another relabel?
Something like this should work:
# semanage fcontext -a -f -- -t textrel_shlib_t \
'/usr/lib(64)?/firefox.*/plugins/.*\.so'
[root@diablo etc]# semanage fcontext -a -f -- -t textrel_shlib_t \
'/usr/lib(64)?/firefox.*/plugins/.*\.so'
-bash: /usr/lib(64)?/firefox.*/plugins/.*\.so: No such file or directory
Looks like a mistyped command. Try it all as one long line:
# semanage fcontext -a -f -- -t textrel_shlib_t '/usr/lib(64)?/firefox.*/plugins/.*\.so'
Paul.
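Since the thread turns on reading the AVC denial lines in /var/log/messages and picking out the source and target *types* (Paul's point that in targeted policy only the type matters), here is an added example, not code from either poster, that parses lines in that format and reports which shared objects were denied execmod while carrying a type other than textrel_shlib_t. The sample log is constructed here for the example: the first line mirrors the denial Gene posted, the others are made up in the same format (the hostname "diablo", the inode numbers and the extra pids are illustrative). It reads a string rather than the live log so it runs offline; point it at /var/log/messages to use it for real.

```python
import re
from collections import Counter

# Constructed sample log in the FC5-era /var/log/messages format quoted in
# the thread. Line 1 mirrors Gene's denial; lines 2 and 4 are made up here.
SAMPLE_LOG = """\
Apr 24 18:41:45 diablo kernel: audit(1145918505.112:334): avc:  denied  { execmod } for  pid=4250 comm="java" name="libawt.so" dev=hda5 ino=9561458 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:tmp_t:s0 tclass=file
Apr 24 18:41:46 diablo kernel: audit(1145918506.002:335): avc:  denied  { execmod } for  pid=4250 comm="java" name="libjvm.so" dev=hda5 ino=9561460 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:tmp_t:s0 tclass=file
Apr 24 18:42:01 diablo crond[4301]: (root) CMD (run-parts /etc/cron.hourly)
Apr 24 18:42:10 diablo kernel: audit(1145918530.500:336): avc:  denied  { execmod } for  pid=4377 comm="firefox-bin" name="libjavaplugin_oji.so" dev=hda5 ino=9561470 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:lib_t:s0 tclass=file
"""

# "avc:  denied  { perm ... } for  key=value ..." ; \s+ tolerates the double
# spaces Paul mentions as well as logs where they were collapsed.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(log_text):
    """Return one dict per AVC denial line; lines without a denial are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        rec['perms'] = m.group('perms').split()
        # A context is user:role:type[:range]; targeted policy keys on the type,
        # so the "root" vs "system_u" user field is irrelevant here.
        rec['stype'] = rec['scontext'].split(':')[2]
        rec['ttype'] = rec['tcontext'].split(':')[2]
        denials.append(rec)
    return denials


def summarize(denials):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for d in denials:
        for perm in d['perms']:
            counts[(d['stype'], d['ttype'], d['tclass'], perm)] += 1
    return counts


def relabel_candidates(denials):
    """Shared objects denied execmod while not labelled textrel_shlib_t.

    These are the files the thread ends up fixing with chcon / semanage fcontext;
    a library sitting in tmp_t is also a hint that it was never installed to a
    properly labelled location in the first place.
    """
    return sorted({d['name'] for d in denials
                   if 'execmod' in d['perms'] and d['tclass'] == 'file'
                   and d['ttype'] != 'textrel_shlib_t'
                   and d['name'].endswith('.so')})


if __name__ == '__main__':
    ds = parse_avc_denials(SAMPLE_LOG)
    for key, n in summarize(ds).most_common():
        print(n, key)
    print('candidates for relabeling:', relabel_candidates(ds))
```

On a real system, run it as `python avc_summary.py < /var/log/messages` after changing the main block to read `sys.stdin`; the summary table is the same grouping audit2allow works from, and the candidate list tells you which files to pass to `chcon -t textrel_shlib_t` (or cover with a `semanage fcontext` rule, so the label survives a relabel) before retrying with `setenforce 0` ruled out.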