Hi all,
Not really a bug report because I did not manage to figure out the cause.
However, after upgrading from FC31 to FC32 I could not login any more, due to SELinux problems. Auto-relabeling did not work, nothing really...
... until I did dnf uninstall MonetDB-selinux.
I came to this point because trying to give systemd services the correct labels with restorecon failed with an error referencing a monetdb specific file.
I do not have the details unfortunately, but if you get problems, beware that MonetDB SELinux package and systemd may interfere in some way beyond my knowledge of these services.
Best regards,
Arjen
PS: Some output from logs:
sudo ausearch -c monetdb -m AVC,SELINUX_ERR
[..]
----
time->Sat May 2 20:57:01 2020
type=AVC msg=audit(1588445821.693:203): avc: denied { open } for pid=1232 comm="monetdbd" path="/etc/resolv.conf" dev="dm-0" ino=3409775 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
----
time->Sat May 2 21:12:56 2020
type=AVC msg=audit(1588446776.043:1194): avc: denied { execute } for pid=2861 comm="(monetdbd)" name="monetdbd" dev="dm-0" ino=2147256 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="unconfined_u:object_r:monetdbd_exec_t:s0"
----
time->Sat May 2 21:12:56 2020
type=AVC msg=audit(1588446776.043:1195): avc: denied { execute_no_trans } for pid=2861 comm="(monetdbd)" path="/usr/bin/monetdbd" dev="dm-0" ino=2147256 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="unconfined_u:object_r:monetdbd_exec_t:s0"
----
time->Sat May 2 21:12:56 2020
type=AVC msg=audit(1588446776.044:1196): avc: denied { map } for pid=2861 comm="monetdbd" path="/usr/bin/monetdbd" dev="dm-0" ino=2147256 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="unconfined_u:object_r:monetdbd_exec_t:s0"
----
time->Sat May 2 21:12:56 2020
type=AVC msg=audit(1588446776.714:1197): avc: denied { remove_name } for pid=1232 comm="monetdbd" name="merovingian.pid" dev="tmpfs" ino=34369 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 trawcon="system_u:object_r:monetdbd_var_run_t:s0"
----
time->Sat May 2 21:12:56 2020
type=AVC msg=audit(1588446776.714:1198): avc: denied { unlink } for pid=1232 comm="monetdbd" name="merovingian.pid" dev="tmpfs" ino=34369 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
----
time->Sat May 2 21:12:56 2020
type=AVC msg=audit(1588446776.714:1199): avc: denied { write } for pid=1232 comm="monetdbd" name=".merovingian_lock" dev="dm-0" ino=5899443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="system_u:object_r:monetdbd_lock_t:s0"
----
time->Sat May 2 21:13:15 2020
type=AVC msg=audit(1588446795.214:1209): avc: denied { read } for pid=2925 comm="(monetdbd)" name="passwd" dev="dm-0" ino=524514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Sat May 2 21:13:15 2020
type=AVC msg=audit(1588446795.214:1210): avc: denied { open } for pid=2925 comm="(monetdbd)" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=524514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Sat May 2 21:13:15 2020
type=AVC msg=audit(1588446795.214:1211): avc: denied { map } for pid=2925 comm="(monetdbd)" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=524514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Sat May 2 21:14:24 2020
type=AVC msg=audit(1588446864.487:1281): avc: denied { read } for pid=3072 comm="(monetdbd)" name="passwd" dev="dm-0" ino=524514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Sat May 2 21:14:24 2020
type=AVC msg=audit(1588446864.487:1282): avc: denied { open } for pid=3072 comm="(monetdbd)" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=524514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Sat May 2 21:14:24 2020
type=AVC msg=audit(1588446864.487:1283): avc: denied { map } for pid=3072 comm="(monetdbd)" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=524514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
What error did you get from restorecon?
On 02/05/2020 23.32, Arjen P. de Vries wrote:
> Hi all,
> Not really a bug report because I did not manage to figure out the cause.
> However, after upgrading from FC31 to FC32 I could not login any more, due to SELinux problems. Auto-relabeling did not work, nothing really...
> ... until I did dnf uninstall MonetDB-selinux.
> I came to this point because trying to give systemd services the correct labels with restorecon failed with an error referencing a monetdb specific file.
> I do not have the details unfortunately, but if you get problems, beware that MonetDB SELinux package and systemd may interfere in some way beyond my knowledge of these services.
> Best regards,
> Arjen
I think (hope) I fixed the problem. But I'm afraid this will have to wait for a release (unless you want to build yourself).
On 03/05/2020 18.56, Sjoerd Mullender wrote:
> What error did you get from restorecon?
That'd be great!
I was trying to recover the error info from the logs, but not successful yet; it was in between many things I tried, and I did not actually expect this to be the solution, so did not keep notes. But it was complaining about errors on /var/lib/sss/mc/passwd and I think trying to apply the suggested resolution did give errors mentioning a monetdb file, when I tried dnf remove MonetDB-selinux and then my system was back to normal state...
I hesitate to bring it in failed state again using the current packages... but happy to try and compile a new MonetDB.
If I would try whether your fix works, should I just build a MonetDB from current repo to test?
Cheers,
Arjen
On Mon, 4 May 2020 at 17:22, Sjoerd Mullender <sjoerd@monetdb.org> wrote:
> I think (hope) I fixed the problem. But I'm afraid this will have to wait for a release (unless you want to build yourself).
I forgot that history as user account gives a different history than history as root!
One of these commands pointed me to MonetDB-selinux as the possible source of the problem, do not remember which one and what file it pointed to though.
799 /sbin/restorecon -v /usr/lib/systemd/systemd-journald
800 /sbin/restorecon -v /var/lib/lightdm-data/arjen
801 restorecon -v 'lightdm.log'
802 /sbin/restorecon -v /var/log/lightdm/lightdm.log
804 /sbin/restorecon -v /etc/ld.so.cache
805 /sbin/restorecon -v /etc/ld.so.cache
806 /sbin/restorecon -v /var/lib/sss/mc/passwd
807 /sbin/restorecon -v /bin
808 /sbin/restorecon -v /etc/ld.so.cache
809 /sbin/restorecon -v /etc/.pwd.lock
810 /sbin/restorecon -v /var/lib/sss/mc/group
I think it was one of the two ..../sss/.... commands.
A.
--
ICIS, office M1.00.05    Radboud University
Mercator 1               Faculty of Science
Toernooiveld 212         arjen@cs.ru.nl
NL-6525 EC Nijmegen, The Netherlands    +31-(0)24-365 2354
===================== http://www.informagus.nl/ ====================
You would only need to build and install the selinux bit which doesn't get built normally when building the MonetDB suite.
Check out the Jun2020 branch, then cd into buildtools/selinux. Also dnf install selinux-policy-devel. Then run
make NAME=targeted -f /usr/share/selinux/devel/Makefile
inside that buildtools/selinux directory. This produces a file monetdb.pp. Install this using
/sbin/semodule -s targeted -i monetdb.pp
Finally run
restorecon -R /var/monetdb5 /var/log/monetdb /var/run/monetdb /usr/bin/monetdbd /usr/bin/mserver5 /usr/lib/systemd/system/monetdbd.service
(that's one long line). The latter two commands as root.
I haven't yet tested these changes, nor the instructions. (The instructions come from the MonetDB.spec file which does work.)
On 05/05/2020 15.23, Arjen P. de Vries wrote:
> That'd be great!
> I was trying to recover the error info from the logs, but not successful yet; it was in between many things I tried, and I did not actually expect this to be the solution, so did not keep notes. But it was complaining about errors on /var/lib/sss/mc/passwd and I think trying to apply the suggested resolution did give errors mentioning a monetdb file, when I tried dnf remove MonetDB-selinux and then my system was back to normal state...
> I hesitate to bring it in failed state again using the current packages... but happy to try and compile a new MonetDB.
> If I would try whether your fix works, should I just build a MonetDB from current repo to test?
> Cheers,
> Arjen
On Mon, 4 May 2020 at 17:22, Sjoerd Mullender <sjoerd@monetdb.org mailto:sjoerd@monetdb.org> wrote:
I think (hope) I fixed the problem. But I'm afraid this will have to wait for a release (unless you want to build yourself). On 03/05/2020 18.56, Sjoerd Mullender wrote: > What error did you get from restorecon? > > On 02/05/2020 23.32, Arjen P. de Vries wrote: >> Hi all, >> >> Not really a bug report because I did not manage to figure out the cause. >> >> However, after upgrading from FC31 to FC32 I could not login any more, >> due to SELinux problems. Auto-relabeling did not work, nothing really... >> >> ... until I did dnf uninstall MonetDB-selinux. >> >> I came to this point because trying to give systemd services the correct >> labels with restorecon failed with an error referencing a monetdb >> specific file. >> >> I do not have the details unfortunately, but if you get problems, beware >> that MonetDB SELinux package and systemd may interfere in some way >> beyond my knowledge of these services. >> >> Best regards, >> >> Arjen >> >> PS: Some output from logs: >> >> sudo ausearch -c monetdb -m AVC,SELINUX_ERR >> >> [..] 

--
Sjoerd Mullender
Dear fellow MonetDB users,
The database directory is too large to keep on the root disk, so I have always used a symlink to the dbfarm directory under /var/monetdb.
After updating to FC35, however, this has been causing many SELinux errors that would not be fixed easily.
Not too long ago, I (finally?) learned about so-called *bind mounts* as an alternative to symlinks, and decided to give it a go. Indeed, the SELinux problems were gone after issuing the following sequence of commands.
1. Remove pre-existing symlink:
sudo rm /var/monetdb5/dbfarm
2. Create mount point and bind mount:
sudo mkdir /var/monetdb5/dbfarm
sudo mount --bind /export/data/dbfarm /var/monetdb5/dbfarm
3. Reinstall the SELinux package:
sudo dnf reinstall MonetDB-selinux
If this works fine, you can add this line to /etc/fstab so the bind mount is persistent through reboot:
/export/data/dbfarm /var/monetdb5/dbfarm none bind
Hope this helps others who are updating their Fedora systems with existing databases,
Happy new year to all, and a thank you for this great software to all MonetDB folks,
Cheers,
Arjen
====================================================================
ICIS, office M1.00.05                  Radboud University
Mercator 1                             Faculty of Science
Toernooiveld 212                       arjen@cs.ru.nl
NL-6525 EC Nijmegen, The Netherlands   +31-(0)24-365 2354
===================== http://www.informagus.nl/ ====================
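
A check for the end state of the steps in the message above, added here as an example and not part of that message or of MonetDB: it reports whether the dbfarm path is still a symlink or is now a mount point, and whether the fstab file carries the bind entry. The function names and the sample files written by `write_samples` are assumptions constructed for illustration; the two paths are the ones from the message.

```shell
#!/bin/sh
# Added example: verify the symlink -> bind mount migration of a dbfarm path.

# Print how PATH ($1) is provided: symlink, mountpoint, directory or missing.
# $2 = mountinfo file (default /proc/self/mountinfo), so it can be tested offline.
path_kind() {
    p=$1; mi=${2:-/proc/self/mountinfo}
    if [ -L "$p" ]; then echo symlink; return 0; fi
    # Field 5 of a mountinfo line is the mount point.
    if awk -v p="$p" '$5 == p { found = 1 } END { exit !found }' "$mi"; then
        echo mountpoint; return 0
    fi
    if [ -d "$p" ]; then echo directory; else echo missing; fi
}

# Succeed if the fstab file ($3, default /etc/fstab) has a bind entry SRC -> DST.
fstab_has_bind() {
    awk -v s="$1" -v d="$2" '
        $1 ~ /^#/ { next }                       # comment line
        $1 == s && $2 == d {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "bind") ok = 1
        }
        END { exit !ok }' "${3:-/etc/fstab}"
}

# check_dbfarm SRC DST [MOUNTINFO] [FSTAB]
# Returns 0 = mounted and persistent, 1 = not a mount point, 2 = not in fstab.
check_dbfarm() {
    kind=$(path_kind "$2" "$3")
    if [ "$kind" != mountpoint ]; then
        echo "FAIL: $2 is $kind, not a mount point"; return 1
    fi
    if fstab_has_bind "$1" "$2" "$4"; then
        echo "OK: $2 is mounted and has a bind entry in fstab"
    else
        echo "WARN: $2 is mounted but has no bind entry in fstab"; return 2
    fi
}

# Constructed sample files (not taken from a real host) for an offline run.
write_samples() {
    echo '36 25 253:2 /data/dbfarm /var/monetdb5/dbfarm rw,relatime shared:60 - xfs /dev/mapper/vg-export rw,seclabel' > "$1/mountinfo"
    printf '%s\n' '# constructed' '/export/data/dbfarm /var/monetdb5/dbfarm none bind' > "$1/fstab"
}

# Usage on a live system: check_dbfarm /export/data/dbfarm /var/monetdb5/dbfarm
```

The check covers only how the path is provided and whether the mount persists; the SELinux label on the mount point can be inspected separately with `ls -Zd /var/monetdb5/dbfarm`.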
participants (2)
- Arjen P. de Vries
- Sjoerd Mullender