I am ready for my next test, to try out named on a Cubieboard2.
I want to run named with SELinux and not chroot named, and with the problems I have had so far with SELinux and HTTPD that no one has commented on what to do to fix the problem, I was interested to first check out for any experience with named.
I could always run named chrooted without enabling SELinux. That is how I am running right now with RSEL6 (which does not have SELinux working). But I would rather get back to using SELinux and not chroot, as I had for years on Intel Centos.
I have not seen any posts on updates to the Centos7-armv7 rpms, so I am assuming that there have not been any fixes to my SELinux problems.
So anyone out there running named?
thanks
It seems that the SELinux problem is 'built into' the Cubietruck image.
All I did was put the image on a HD, expand the partitions, boot up (uboot on the mSD card)
in /boot/extlinux/extlinux.conf : change the "enforcing=0" to "enforcing=1"
touch /.autorelabel
reboot
On the console I saw the following messages:
[ 14.709227] SELinux: Class binder not defined in policy.
[ 14.714741] SELinux: the above unknown classes and permissions will be allowed
[ 14.778268] audit: type=1403 audit(14.745:2): policy loaded auid=4294967295 ses=4294967295
[ 14.813736] systemd[1]: Successfully loaded SELinux policy in 785.600ms.
[ 15.294034] systemd[1]: Relabelled /dev and /run in 295.320ms.
In the past, I did the relabeling after the 'yum update'. This seems to show that SELinux is unhappy from the get go. I will continue in permissive mode with loading up my DNS setup without using chroot and see how the setup works. This is my internal DNS that has no external access, so for now I will run a bit open...
On 02/02/2017 10:50 AM, Robert Moskowitz wrote:
I am ready for my next test, to try out named on a Cubieboard2.
I want to run named with SELinux and not chroot named, and with the problems I have had so far with SELinux and HTTPD that no one has commented on what to do to fix the problem, I was interested to first check out for any experience with named.
I could always run named chrooted without enabling SELinux. That is how I am running right now with RSEL6 (which does not have SELinux working). But I would rather get back to using SELinux and not chroot, as I had for years on Intel Centos.
I have not seen any posts on updates to the Centos7-armv7 rpms, so I am assuming that there have not been any fixes to my SELinux problems.
So anyone out there running named?
thanks
Arm-dev mailing list Arm-dev@centos.org https://lists.centos.org/mailman/listinfo/arm-dev
I'm pretty sure I have SELinux enabled on my Chromebook 2 running RSEL7. I don't recall having done anything special, it works by default. I run that on ZoL ZFS root, and it just worked after relabelling the file system (I migrated from zfs-fuse, and fuse confuses SELinux rules because it ends up labelling everything as fuse instead of the appropriate labels for the paths). I cannot imagine CentOS 7 would be any different. You just need to make sure you have policycoreutils, selinux-policy and selinux-policy-targeted installed, and make sure /etc/selinux/config has SELINUXTYPE=targeted set.
On Thu, Feb 2, 2017 at 9:55 PM, Robert Moskowitz rgm@htt-consult.com wrote:
It seems that the SELinux problem is 'built into' the Cubietruck image.
All I did was put the image on a HD, expand the partitions, boot up (uboot on the mSD card)
in /boot/extlinux/extlinux.conf : change the "enforcing=0" to "enforcing=1"
touch /.autorelabel
reboot
On the console I saw the following messages:
[ 14.709227] SELinux: Class binder not defined in policy.
[ 14.714741] SELinux: the above unknown classes and permissions will be allowed
[ 14.778268] audit: type=1403 audit(14.745:2): policy loaded auid=4294967295 ses=4294967295
[ 14.813736] systemd[1]: Successfully loaded SELinux policy in 785.600ms.
[ 15.294034] systemd[1]: Relabelled /dev and /run in 295.320ms.
In the past, I did the relabeling after the 'yum update'. This seems to show that SELinux is unhappy from the get go. I will continue in permissive mode with loading up my DNS setup without using chroot and see how the setup works. This is my internal DNS that has no external access, so for now I will run a bit open...
Gordon,
One would think that, but there is something off with at least the CubieTruck build. I will check that all those rpms are installed (pretty sure they are), but when I set up a web server with personal directories, I got permission errors on listing the files, but no problem displaying individual files. Plus there are all these SELinux warnings I am getting that seem to indicate something is amiss.
I am reaching the point of focusing on Fedora server for now. I had hopes of pushing Centos7-arm in a couple of business venues.
Bob
On 02/03/2017 08:50 AM, Gordan Bobic wrote:
I'm pretty sure I have SELinux enabled on my Chromebook 2 running RSEL7. I don't recall having done anything special, it works by default. I run that on ZoL ZFS root, and it just worked after relabelling the file system (I migrated from zfs-fuse, and fuse confuses SELinux rules because it ends up labelling everything as fuse instead of the appropriate labels for the paths). I cannot imagine CentOS 7 would be any different. You just need to make sure you have policycoreutils, selinux-policy and selinux-policy-targeted installed, and make sure /etc/selinux/config has SELINUXTYPE=targeted set.
Yes, these are all installed. Plus I add policycoreutils-python for semanage to change policies like for changing the ssh port number.
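An added example, not part of any post in this thread: a shell check that reads the two files the thread discusses, /boot/extlinux/extlinux.conf and /etc/selinux/config, and reports the mode the system will come up in, since a kernel `enforcing=` parameter overrides `SELINUX=` from the config file. The function names are this example's own; it assumes kernel parameters sit on `append` lines and, as a simplification, that the last value wins when a parameter is repeated or several boot entries exist.

```sh
#!/bin/sh
# Added example (not from the thread): predict the SELinux boot mode from
# extlinux.conf and /etc/selinux/config. Paths are arguments so the check can
# be pointed at a mounted image as well as the running system.

# Print the value of kernel parameter NAME from the "append" lines of FILE.
# Simplification of this example: the last occurrence wins. Prints nothing
# when the parameter is absent.
kparam() {  # kparam NAME FILE
    awk -v k="$1" '
        tolower($1) == "append" {
            for (i = 2; i <= NF; i++)
                if (index($i, k "=") == 1) v = substr($i, length(k) + 2)
        }
        END { if (v != "") print v }' "$2"
}

# Print the value of KEY= from an /etc/selinux/config style file.
# Commented-out lines do not match; SELINUX= does not match SELINUXTYPE=.
cfgval() {  # cfgval KEY FILE
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Combine both sources: selinux=0 or SELINUX=disabled turns SELinux off,
# otherwise enforcing=0/1 on the kernel command line overrides SELINUX=.
# Output is "disabled" or "<mode>/<policy type>".
boot_mode() {  # boot_mode EXTLINUX_CONF SELINUX_CONFIG
    sel=$(kparam selinux "$1")
    enf=$(kparam enforcing "$1")
    mode=$(cfgval SELINUX "$2")
    ptype=$(cfgval SELINUXTYPE "$2")
    if [ "$sel" = "0" ] || [ "$mode" = "disabled" ]; then
        echo "disabled"
        return
    fi
    case "$enf" in
        0) mode=permissive ;;
        1) mode=enforcing ;;
    esac
    echo "${mode:-unknown}/${ptype:-unset}"
}

# Usage: sh check.sh /boot/extlinux/extlinux.conf /etc/selinux/config
if [ "$#" -eq 2 ]; then
    boot_mode "$1" "$2"
fi
```

A result of `permissive/targeted` on a system whose config file says `SELINUX=enforcing` points at the kernel parameter in extlinux.conf rather than at the policy packages.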