You would only need to build and install the selinux bit which doesn't get built normally when building the MonetDB suite.

Check out the Jun2020 branch, then cd into buildtools/selinux. Also dnf install selinux-policy-devel. Then run

    make NAME=targeted -f /usr/share/selinux/devel/Makefile

inside that buildtools/selinux directory. This produces a file monetdb.pp. Install this using

    /sbin/semodule -s targeted -i monetdb.pp

Finally run

    restorecon -R /var/monetdb5 /var/log/monetdb /var/run/monetdb /usr/bin/monetdbd /usr/bin/mserver5 /usr/lib/systemd/system/monetdbd.service

(that's one long line). The latter two commands as root.
I haven't yet tested these changes, nor the instructions. (The instructions come from the MonetDB.spec file which does work.)
On 05/05/2020 15.23, Arjen P. de Vries wrote:
That'd be great!
I was trying to recover the error info from the logs, but not successful yet; it was in between many things I tried, and I did not actually expect this to be the solution, so did not keep notes. But it was complaining about errors on /var/lib/sss/mc/passwd and I think trying to apply the suggested resolution did give errors mentioning a monetdb file, when I tried dnf remove MonetDB-selinux and then my system was back to normal state...
I hesitate to bring it in failed state again using the current packages... but happy to try and compile a new MonetDB.
If I would try whether your fix works, should I just build a MonetDB from current repo to test?
Cheers,
Arjen
On Mon, 4 May 2020 at 17:22, Sjoerd Mullender <sjoerd@monetdb.org> wrote:
I think (hope) I fixed the problem. But I'm afraid this will have to wait for a release (unless you want to build yourself).

On 03/05/2020 18.56, Sjoerd Mullender wrote:
> What error did you get from restorecon?
>
> On 02/05/2020 23.32, Arjen P. de Vries wrote:
>> Hi all,
>>
>> Not really a bug report because I did not manage to figure out the cause.
>>
>> However, after upgrading from FC31 to FC32 I could not login any more,
>> due to SELinux problems. Auto-relabeling did not work, nothing really...
>>
>> ... until I did dnf uninstall MonetDB-selinux.
>>
>> I came to this point because trying to give systemd services the correct
>> labels with restorecon failed with an error referencing a monetdb
>> specific file.
>>
>> I do not have the details unfortunately, but if you get problems, beware
>> that MonetDB SELinux package and systemd may interfere in some way
>> beyond my knowledge of these services.
>>
>> Best regards,
>>
>> Arjen
>>
>> PS: Some output from logs:
>>
>> sudo ausearch -c monetdb -m AVC,SELINUX_ERR
>>
>> [..]
>>
>> ----
>> time->Sat May 2 20:57:01 2020
>> type=AVC msg=audit(1588445821.693:203): avc: denied { open } for
>> pid=1232 comm="monetdbd" path="/etc/resolv.conf" dev="dm-0" ino=3409775
>> scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
>> ----
>> time->Sat May 2 21:12:56 2020
>> type=AVC msg=audit(1588446776.043:1194): avc: denied { execute } for
>> pid=2861 comm="(monetdbd)" name="monetdbd" dev="dm-0" ino=2147256
>> scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
>> trawcon="unconfined_u:object_r:monetdbd_exec_t:s0"
>> ----
>> time->Sat May 2 21:12:56 2020
>> type=AVC msg=audit(1588446776.043:1195): avc: denied {
>> execute_no_trans } for pid=2861 comm="(monetdbd)"
>> path="/usr/bin/monetdbd" dev="dm-0" ino=2147256
>> scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
>> trawcon="unconfined_u:object_r:monetdbd_exec_t:s0"
>> ----
>> time->Sat May 2 21:12:56 2020
>> type=AVC msg=audit(1588446776.044:1196): avc: denied { map } for
>> pid=2861 comm="monetdbd" path="/usr/bin/monetdbd" dev="dm-0"
>> ino=2147256 scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
>> trawcon="unconfined_u:object_r:monetdbd_exec_t:s0"
>> ----
>> time->Sat May 2 21:12:56 2020
>> type=AVC msg=audit(1588446776.714:1197): avc: denied { remove_name }
>> for pid=1232 comm="monetdbd" name="merovingian.pid" dev="tmpfs"
>> ino=34369 scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
>> trawcon="system_u:object_r:monetdbd_var_run_t:s0"
>> ----
>> time->Sat May 2 21:12:56 2020
>> type=AVC msg=audit(1588446776.714:1198): avc: denied { unlink } for
>> pid=1232 comm="monetdbd" name="merovingian.pid" dev="tmpfs" ino=34369
>> scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
>> ----
>> time->Sat May 2 21:12:56 2020
>> type=AVC msg=audit(1588446776.714:1199): avc: denied { write } for
>> pid=1232 comm="monetdbd" name=".merovingian_lock" dev="dm-0"
>> ino=5899443 scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
>> trawcon="system_u:object_r:monetdbd_lock_t:s0"
>> ----
>> time->Sat May 2 21:13:15 2020
>> type=AVC msg=audit(1588446795.214:1209): avc: denied { read } for
>> pid=2925 comm="(monetdbd)" name="passwd" dev="dm-0" ino=524514
>> scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0
>> tclass=file permissive=1
>> ----
>> time->Sat May 2 21:13:15 2020
>> type=AVC msg=audit(1588446795.214:1210): avc: denied { open } for
>> pid=2925 comm="(monetdbd)" path="/var/lib/sss/mc/passwd" dev="dm-0"
>> ino=524514 scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
>> ----
>> time->Sat May 2 21:13:15 2020
>> type=AVC msg=audit(1588446795.214:1211): avc: denied { map } for
>> pid=2925 comm="(monetdbd)" path="/var/lib/sss/mc/passwd" dev="dm-0"
>> ino=524514 scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
>> ----
>> time->Sat May 2 21:14:24 2020
>> type=AVC msg=audit(1588446864.487:1281): avc: denied { read } for
>> pid=3072 comm="(monetdbd)" name="passwd" dev="dm-0" ino=524514
>> scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0
>> tclass=file permissive=1
>> ----
>> time->Sat May 2 21:14:24 2020
>> type=AVC msg=audit(1588446864.487:1282): avc: denied { open } for
>> pid=3072 comm="(monetdbd)" path="/var/lib/sss/mc/passwd" dev="dm-0"
>> ino=524514 scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
>> ----
>> time->Sat May 2 21:14:24 2020
>> type=AVC msg=audit(1588446864.487:1283): avc: denied { map } for
>> pid=3072 comm="(monetdbd)" path="/var/lib/sss/mc/passwd" dev="dm-0"
>> ino=524514 scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
>>
>> --
>> ====================================================================
>> ICIS, office M1.00.05                             Radboud University
>> Mercator 1                                        Faculty of Science
>> Toernooiveld 212                                      arjen@cs.ru.nl
>> NL-6525 EC Nijmegen, The Netherlands             +31-(0)24-365 2354
>> ===================== http://www.informagus.nl/ ====================
>>
>> _______________________________________________
>> users-list mailing list
>> users-list@monetdb.org
>> https://www.monetdb.org/mailman/listinfo/users-list
>>
>
--
Sjoerd Mullender
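Added example, not part of the original thread and not MonetDB project code: a small triage script for AVC records like the ones quoted above. It separates denials whose target carries an on-disk label that the loaded policy does not define (the kernel reports tcontext as unlabeled_t and prints the raw label in trawcon) from denials on validly labelled files. The function names and the two category names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Three records from the ausearch output quoted in the thread, rejoined onto one line each.
SAMPLE = [
    'type=AVC msg=audit(1588446776.043:1194): avc: denied { execute } for pid=2861 '
    'comm="(monetdbd)" name="monetdbd" dev="dm-0" ino=2147256 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 '
    'tclass=file permissive=1 trawcon="unconfined_u:object_r:monetdbd_exec_t:s0"',
    'type=AVC msg=audit(1588446776.714:1199): avc: denied { write } for pid=1232 '
    'comm="monetdbd" name=".merovingian_lock" dev="dm-0" ino=5899443 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 '
    'tclass=file permissive=1 trawcon="system_u:object_r:monetdbd_lock_t:s0"',
    'type=AVC msg=audit(1588446795.214:1210): avc: denied { open } for pid=2925 '
    'comm="(monetdbd)" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=524514 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 '
    'tclass=file permissive=1',
]
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other record types."""
    m = DENIED.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["perms"] = m.group(1).split()
    return rec

def ctx_type(context):
    return context.split(":")[2]  # user:role:type:level

def triage(lines):
    """invalid_label: the on-disk label (trawcon) names a type the loaded policy does not
    define, so the kernel treats the object as unlabeled_t. missing_rule: label is valid."""
    out = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        target = rec.get("path") or rec.get("name") or "?"
        if ctx_type(rec["tcontext"]) == "unlabeled_t" and "trawcon" in rec:
            out["invalid_label"].add((target, ctx_type(rec["trawcon"])))
        else:
            out["missing_rule"].add((target, ctx_type(rec["tcontext"]), ctx_type(rec["scontext"])))
    return out

if __name__ == "__main__":
    for kind, items in sorted(triage(SAMPLE).items()):
        print(kind, sorted(items))
```

Entries under invalid_label are the ones to compare against the installed policy modules (semodule -l) before relabelling with restorecon.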