-   Linux - Security (
-   -   SELinux: Retag errors / unconfined_u multiple avc denial (

mrmnemo 11-25-2009 05:47 PM

SELinux: Retag errors / unconfined_u multiple avc denial
ok details first:
FC11 w/2.6.30
Key services ::
NFS ( For Mac's in the house)
SAMBA ( for win / trying to export NFS to home network as well)
SELinux : Default policy as shipped with FC11
IPTables: Nothing but the basic FC11 generated file using ' firewall [/ INDENT]via the kde gui.

Ok, so here is my problem: I was having issues exporting Samba and NFS shares AFTER allowing both service via the iptables ( checked the actual file for ACCEPT entries)and running >

sudo chcon -t smaba_share_t /media/storage/albums

sudo setsebool -P samba_export_all_ro on

The odd thing was an error generated after running chcon of "opperation not supported" which makes me wonder if fedora has another way of tagging.
I was able get everything up and running eventually; however, I am still getting alot avc denials ( miss tagged files ) after retagging at reboot.

users are being put into unconfined_u by default ( which from what i have reading kinda mitigates the any advantages of running SELinux). I could use some pointers or a point in the right direction on which way to go with user levels in SELinux as well as addressing the TONZ of avc denials after retag.

Thanks for any help. I couls post some examples of the aduit if it would help. I am just getting used to setting up iptables and account permissions and WHAM...SELinux.

mjmwired 11-25-2009 07:13 PM

This maybe totally silly but you have:
chcon -t smaba_share_t

Is that a typo here, or did you use this on your machine?

chrism01 11-25-2009 07:37 PM

And also

• Change file context
• chcon -R -t public_content_t /mydata/html
• Does not persist across a relabel!

• Add new mapping
• semanage fcontext -a -t public_content_t '/mydata/html(/.*)?'

• Apply the policy context to existing files
• restorecon -vvFR /mydata/html

mrmnemo 11-28-2009 03:43 PM


Originally Posted by mjmwired (Post 3769782)
This maybe totally silly but you have:
chcon -t smaba_share_t

Is that a typo here, or did you use this on your machine?

no typo....i screwed up didnt i. either way, i understood about the not carrying across on a retag. I noticed while doing some research that you can edit file tag properties in a way that will duplicate across a retag ( somewhere). I have since canned FEDORA11 and am going back to slack as fedora was really getting on my nerves ( or was it my lack of understanding) Slack just seems more straight forward and the commands seemed to match LPIC exam book better. I do appreciate your showing willingness to help. Maybe i could get you to give me a hand in setting up a fresh install of SELinux on slackware. Would be a learning experiance for me....practice in patience for you- 8)

Also, i noticed your syntax was chcon -R -t vs. chcon -t ( why?)

All times are GMT -5. The time now is 12:45 PM.