Dear All,
I'm currently troubleshooting NetworkManager scripts.
I see a difference in machine A:
    drwxr-xr-x 2 root root 4096 apr 24 16:33 .
    drwxr-xr-x 5 root root 4096 jan 9 12:13 ..
    -rwxr-xr-x 1 root root 175 jan 9 12:13 00-netreport
    -rwxr-xr-x 1 root root 335 okt 22 2012 04-iscsi
    -rwxr-xr-x 1 root root 345 jan 9 12:13 05-netfs
    -rwxr-xr-x 1 root root 926 sep 25 2012 10-dhclient
    -rwxr-xr-x 1 root root 301 apr 24 15:58 20-backuplauncher
    -rwxr-xr-x 1 root root 220 jun 22 2012 yum-NetworkManager-dispatcher
and machine B:
    drwxr-xr-x. 2 root root 4096 apr 24 16:34 .
    drwxr-xr-x. 5 root root 4096 apr 23 12:06 ..
    -rwxr-xr-x. 1 root root 175 jan 9 12:13 00-netreport
    -rwxr-xr-x. 1 root root 345 jan 9 12:13 05-netfs
    -rwxr-xr-x. 1 root root 926 sep 25 2012 10-dhclient
    -rwxr-xr-x. 1 root root 326 apr 23 13:42 15-nfslauncher
    -rwxr-xr-x. 1 root root 307 apr 24 16:10 20-backuplauncher
    -rwxr-xr-x. 1 root root 220 jun 22 2012 yum-NetworkManager-dispatcher
the difference being -rwxr-xr-x and -rwxr-xr-x.
so with or without a dot (.)
Does that mean anything?
Thanks for any advice on this.
Greetings, J.
Opensource Software is the future.
On 04/24/2013 04:50 PM, Johan Vermeulen wrote:
> the difference being -rwxr-xr-x and -rwxr-xr-x.
> so with or without a dot (.)
> Does that mean anything?
Yes, the dot is a hint that SELinux attributes are set on those files. Run ls -Z to see them.
-dirk
On 04/24/2013 07:50 AM, Johan Vermeulen wrote:
> the difference being -rwxr-xr-x and -rwxr-xr-x.
> so with or without a dot (.)
> Does that mean anything?
Hi Johan,
From "info coreutils", section 10.1.2 (What information is listed):
Following the file mode bits is a single character that specifies whether an alternate access method such as an access control list applies to the file. When the character following the file mode bits is a space, there is no alternate access method. When it is a printing character, then there is such a method.
GNU `ls' uses a `.' character to indicate a file with an SELinux security context, but no other alternate access method.
A file with any other combination of alternate access methods is marked with a `+' character.
My first guess would be that Machine A has SELinux disabled, but Machine B has (or had at some point) SELinux enabled.
-Greg
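The indicator rule quoted from the coreutils manual above, as an added shell example that is not part of the original thread: it classifies the character after the mode bits for the two listings from the first message and reports the entries whose indicator differs between the hosts. The `+` line is constructed and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# Listings copied from the first message of the thread.
LISTING_A='drwxr-xr-x 2 root root 4096 apr 24 16:33 .
drwxr-xr-x 5 root root 4096 jan 9 12:13 ..
-rwxr-xr-x 1 root root 175 jan 9 12:13 00-netreport
-rwxr-xr-x 1 root root 335 okt 22 2012 04-iscsi
-rwxr-xr-x 1 root root 345 jan 9 12:13 05-netfs
-rwxr-xr-x 1 root root 926 sep 25 2012 10-dhclient
-rwxr-xr-x 1 root root 301 apr 24 15:58 20-backuplauncher
-rwxr-xr-x 1 root root 220 jun 22 2012 yum-NetworkManager-dispatcher'
LISTING_B='drwxr-xr-x. 2 root root 4096 apr 24 16:34 .
drwxr-xr-x. 5 root root 4096 apr 23 12:06 ..
-rwxr-xr-x. 1 root root 175 jan 9 12:13 00-netreport
-rwxr-xr-x. 1 root root 345 jan 9 12:13 05-netfs
-rwxr-xr-x. 1 root root 926 sep 25 2012 10-dhclient
-rwxr-xr-x. 1 root root 326 apr 23 13:42 15-nfslauncher
-rwxr-xr-x. 1 root root 307 apr 24 16:10 20-backuplauncher
-rwxr-xr-x. 1 root root 220 jun 22 2012 yum-NetworkManager-dispatcher'
# Constructed line: a file that carries some other alternate access method.
ACL_LINE='-rw-r--r--+ 1 root root 0 jan 1 00:00 constructed-acl-file'

# classify_acl_flag LINE: print none | selinux | other | not-a-listing
# depending on the character that follows the type and nine mode bits.
classify_acl_flag() {
    mode=${1%% *}                      # first field, e.g. "-rwxr-xr-x."
    case $mode in
        [-bcdlps]?????????)     echo none ;;      # followed by a space
        [-bcdlps]?????????".")  echo selinux ;;   # SELinux context only
        [-bcdlps]?????????"+")  echo other ;;     # any other combination
        *)                      echo not-a-listing ;;
    esac
}

# acl_flags: read `ls -l` lines on stdin, print "<name> <class>" per entry.
# Assumes file names without spaces, as in the listings above.
acl_flags() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "${line##* }" "$(classify_acl_flag "$line")"
    done
}

# flag_drift LISTING_1 LISTING_2: for names present in both listings,
# print "<name> <class in 1> <class in 2>" when the classes differ.
flag_drift() {
    b_flags=$(printf '%s\n' "$2" | acl_flags)
    printf '%s\n' "$1" | acl_flags | while read -r name cls; do
        other=$(printf '%s\n' "$b_flags" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -n "$other" ] && [ "$other" != "$cls" ]; then
            printf '%s %s %s\n' "$name" "$cls" "$other"
        fi
    done
}

# Demo: every entry the two machines share differs only in the indicator.
flag_drift "$LISTING_A" "$LISTING_B"
```

On a live system the same comparison is better made on the labels themselves, which is what the `ls -Z` suggestion in this thread shows.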
On Wed, Apr 24, 2013 at 8:50 AM, Johan Vermeulen jvermeulen@cawdekempen.be wrote:
> the difference being -rwxr-xr-x and -rwxr-xr-x.
> so with or without a dot (.)
> Does that mean anything?
The . means the file has an access list with SELinux. You could try disabling SELinux on machine B and seeing if that fixes the issue.
Yep - you'll want to do a 'ls -lZ' on both dirs and compare the differences...
On Apr 24, 2013 8:32 AM, "Larry Martell" larry.martell@gmail.com wrote:
> The . means the file has an access list with SELinux. You could try disabling SELinux on machine B and seeing if that fixes the issue.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Dear All,
thanks for the responses.
Indeed, on machine A, Selinux is disabled.
    -bash-4.1# selinuxenabled && echo enabled || echo disabled
    disabled
and on machine B, it's enabled.
I will test the script again on B with Selinux disabled.
Greetings, J.
On 24-04-13 18:06, Ian Forde wrote:
> Yep - you'll want to do a 'ls -lZ' on both dirs and compare the differences...
On 04/24/2013 02:57 PM, Johan Vermeulen wrote:
> I will test the script again on B with Selinux disabled.
Disabling SELinux is not going to fix your problem. Since the field is just showing you that you have extended attributes assigned to your files.
Why not just script around it.
    ls -l | sed 's/\. / /g'
Would replace all ". " from your output.
On Wed, Apr 24, 2013 at 03:06:11PM -0400, Daniel J Walsh wrote:
> Why not just script around it.
Because that would be too easy and people absolutely love to shoot themselves in the face by disabling selinux. Because it is, as we all know, ridiculously hard to manage.
Jonn
PS
Did I forget a <sarcasm> tag?
John R. Dennison wrote:
> Because that would be too easy and people absolutely love to shoot themselves in the face by disabling selinux. Because it is, as we all know, ridiculously hard to manage.
Don't get me started. I'm fighting it regularly. For example, SELinux is preventing /usr/bin/perl from getattr access on the file /sys/devices/system/node/node0/meminfo. For complete SELinux messages.
And yes, I did post a few things to the selinux list....
mark
On 24-04-13 22:53, m.roth@5-cent.us wrote:
> And yes, I did post a few things to the selinux list....
Dear All,
thanks again for the reactions.
This is the NetworkManager script I'm trying to use:
-----------------------------------------------------
#!/bin/sh
# NetworkManager dispatcher script: $2 carries the action ("up" or "down").
export LC_ALL=C

# Nothing to do when the interface goes down.
if [ "$2" = "down" ]; then
    exit 0
fi

if [ "$2" = "up" ]; then
    # LAN subnet at work
    NETMASK="192.168.66.128/25"
    # IF is not assigned in this script; if it is empty, the check
    # matches an address in the subnet on any interface.
    if [ -n "`/sbin/ip addr show $IF to $NETMASK`" ]; then
        rsync -azvp /home/james/ 192.168.66.129:/home/jvermeulen
    fi
fi
-----------------------------------------------------
as far as I can test this at the moment, it works without Selinux and doesn't work with Selinux enabled.
I also want Selinux enabled. So I will do some searching on how to make it work with Selinux.
Greetings, J.
> as far as I can test this at the moment, it works without Selinux and doesn't work with Selinux enabled.
> I also want Selinux enabled. So I will do some searching on how to make it work with Selinux.
Although I don't use NetworkManager I suspect it runs in some kind of context such as NetworkManager_t ...
It's unlikely that context will have permission to read/write/traverse/etc home_t (which is the file context for user home directories).
I suspect there is no boolean to allow what you want so if you want selinux enabled you'll need to build a module - look at audit2allow and the various guides surrounding that for how to use it ...
First thing to check will be run in Permissive and then look at `audit2allow -a` to see exactly what process is trying to do what operation ... and then from there you can create the module to allow what you want.
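To show what "exactly what process is trying to do what operation" looks like in the audit log, here is an added shell example, not part of the original thread and not a replacement for audit2allow: it reduces AVC denial records to one `allow` rule per source type, target type and class, so the access a module would grant can be read before anything is built. The log lines are constructed; the target types and the function name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The audit records are constructed:
# pids, inode numbers and the target types are sample values.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1366880000.101:501): avc:  denied  { read } for  pid=4101 comm="rsync" name="james" dev=dm-0 ino=131073 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1366880000.102:502): avc:  denied  { search } for  pid=4101 comm="rsync" name="james" dev=dm-0 ino=131073 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1366880000.102:502): arch=c000003e syscall=2 success=no exit=-13 comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0
type=AVC msg=audit(1366880300.201:640): avc:  denied  { read } for  pid=4188 comm="rsync" name="james" dev=dm-0 ino=131073 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1366880300.202:641): avc:  denied  { getattr } for  pid=4188 comm="rsync" name=".bashrc" dev=dm-0 ino=131090 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_to_rules: read audit records on stdin, print one line per
# (source type, target type, class) with the merged set of denied
# permissions and the command names that triggered them.
avc_to_rules() {
    awk '
    /avc:/ && /denied/ {
        src = tgt = cls = comm = perms = ""; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace)   { perms = perms " " $i; continue }
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            # A context is user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                rule[key] = rule[key] " " p[j]
            }
        if (index(" " who[key] " ", " " comm " ") == 0)
            who[key] = who[key] (who[key] == "" ? "" : " ") comm
    }
    END {
        for (k in rule)
            print "allow " k " {" rule[k] " }; # comm: " who[k]
    }' | LC_ALL=C sort
}

# Demo on the constructed records.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_to_rules
```

On a real host the input would be the audit log rather than the embedded sample, for example `avc_to_rules < /var/log/audit/audit.log`.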
On 4/25/2013 3:57 AM, James Hogarth wrote:
> I suspect there is no boolean to allow what you want so if you want selinux enabled you'll need to build a module - look at audit2allow and the various guides surrounding that for how to use
and you wonder why people give up on selinux. 'sorry, boss.. I'll get that TPC report out just soon as I debug this selinux audit module...'
On 04/25/13 04:54, Johan Vermeulen wrote:
> as far as I can test this at the moment, it works without Selinux and doesn't work with Selinux enabled.
> I also want Selinux enabled. So I will do some searching on how to make it work with Selinux.
Two things: unless this is a laptop, shut down NetworkManager - there is *no* use for it in a wired environment. And edit /etc/sysconfig/network-scripts/ifcfg-eth? so that they say NM_CONTROLLED="no". network works just fine, and doesn't introduce the overhead.
Second, check the selinux contexts - ll -Z, and if setroubleshoot isn't installed, you should do so. Running the sealert messages that show in /var/log/messages will frequently (NOT always) help you fix the context issues.
mark
On 4/25/2013 5:01 AM, mark wrote:
> Two things: unless this is a laptop, shut down NetworkManager - there is *no* use for it in a wired environment.
doesn't it handle DHCP too? or is there an alternate mechanism for that?
On Thu, Apr 25, 2013 at 12:27 PM, John R Pierce pierce@hogranch.com wrote:
>> Two things: unless this is a laptop, shut down NetworkManager - there is *no* use for it in a wired environment.
> doesn't it handle DHCP too? or is there an alternate mechanism for that?
At least in an 'always connected' scenario DHCP should work without NetworkManager. You might need it to notice cable disconnects and reconnection on different networks.
-- Les Mikesell lesmikesell@gmail.com
John R Pierce wrote:
> On 4/25/2013 5:01 AM, mark wrote:
>> Two things: unless this is a laptop, shut down NetworkManager - there is *no* use for it in a wired environment.
> doesn't it handle DHCP too? or is there an alternate mechanism for that?
Dunno if it does, but network certainly does. I would expect dhclient to be installed by default, and so it's merely a matter of making sure that it says BOOTPROTO="dhcp" in /etc/sysconfig/network-scripts/ifcfg-<whatever>
mark
On 25-04-13 19:41, m.roth@5-cent.us wrote:
> Dunno if it does, but network certainly does. I would expect dhclient to be installed by default, and so it's merely a matter of making sure that it says BOOTPROTO="dhcp" in /etc/sysconfig/network-scripts/ifcfg-<whatever>
Dear All,
I finally tested this further ( in the mean time I did NOT disable any selinuxes but worked with cron ) :
#chcon -t bin_t /usr/bin/rsync
works.
chcon : change file SELinux security context
bin_t :
# Using the type statement to declare a type of bin_t, where
# bin_t is used to identify a file as an ordinary program type.
Thanks all of you to help me move on WITH SElinux.
greetings, J.
Johan Vermeulen wrote:
> I finally tested this further ( in the mean time I did NOT disable any selinuxes but worked with cron ) :
> #chcon -t bin_t /usr/bin/rsync
> works.
> chcon : change file SELinux security context
<snip>
Warning: you may have needed to read further: a chcon doesn't last through a reboot. To make that permanent, you need to do:
    semanage fcontext -a -t bin_t /usr/bin/rsync
You can make sure that took effect with
    restorecon -v /usr/bin/rsync
mark
On 05/28/2013 10:06 AM, m.roth@5-cent.us wrote:
> Warning: you may have needed to read further: a chcon doesn't last through a reboot. To make that permanent, you need to do: semanage fcontext -a -t bin_t /usr/bin/rsync
It does last through a reboot but not a relabel. Which is why the semanage fcontext is important.
On 04/25/2013 04:54 AM, Johan Vermeulen wrote:
> rsync -azvp /home/james/ 192.168.66.129:/home/jvermeulen
See if chcon -t bin_t /usr/bin/rsync solves your problem.
I believe that NetworkManager runs its helper scripts as initrc_t, which is an unconfined domain, except that when it executes rsync, it transitions to a confined rsync server domain (rsync_t). Changing the context to bin_t would eliminate the transition and leave rsync running in initrc_t.
On 25-04-13 14:49, Daniel J Walsh wrote:
> See if chcon -t bin_t /usr/bin/rsync solves your problem.
Dear All,
thanks for the advice.
Yes, it concerns a laptop, if not I would indeed turn off NetworkManager.
I am in the process of converting our last older OpenSuse-laptop to CentOs6.4. Now all 26 of our Linux laptops ( 4 sadly run Windows ) will be on CentOs.
I often hear people say they would never run CentOs on laptops, but I think it works great.
Also today I will replace the last of 4 machines of our admin Department to CentOs. ( One will remain on Windows ) .
I just needed to share that with somebody.
Tomorrow I will test the advice that I kindly received here.
Greetings, J.
Johan Vermeulen wrote:
> Yes, it concerns a laptop, if not I would indeed turn off NetworkManager.
Ah! And selinux. Have you encrypted the h/d's?
> I am in the process of converting our last older OpenSuse-laptop to CentOs6.4. Now all 26 of our Linux laptops ( 4 sadly run Windows ) will be on CentOs.
> I often hear people say they would never run CentOs on laptops, but I think it works great.
> Also today I will replace the last of 4 machines of our admin Department to CentOs. ( One will remain on Windows ) .
> I just needed to share that with somebody.
I think we all understand that one, and I think a round of applause is due - congratulations.
mark
On 25-04-13 16:33, m.roth@5-cent.us wrote:
> Ah! And selinux. Have you encrypted the h/d's?
you know, I did argue that with my boss but he was against it. Guess he didn't want to type 2 passwords. So the only encrypted laptop is my own. But my boss was sorry when his got stolen a few months ago.
> I think we all understand that one, and I think a round of applause is due - congratulations.
thank you thank you
On 4/25/2013 8:36 AM, Johan Vermeulen wrote:
>> Ah! And selinux. Have you encrypted the h/d's?
> you know, I did argue that with my boss but he was against it. Guess he didn't want to type 2 passwords. So the only encrypted laptop is my own. But my boss was sorry when his got stolen a few months ago.
a coworker had his encrypted (Windows, using Bitlocker) laptop suffer some HD issue such that it couldn't boot last week. no one in the windows-centric IT support group at his site could figure out how to repair or recover it, so he ended up having to nuke and rebuild and wasn't able to recover any of his files.
security is a 2 edged sword.
On Thu, Apr 25, 2013 at 7:49 AM, Daniel J Walsh dwalsh@redhat.com wrote:
> See if chcon -t bin_t /usr/bin/rsync solves your problem.
> I believe that NetworkManager runs its helper scripts as initrc_t which is an unconfined domains, except that when it executes rsync, it transition to a confined rsync server domain(rsync_t). Changing the context to bin_t would eliminate the transition and leave rsync running in initrc_t.
What's the logic behind rsync having its own context here? If it isn't running as a standalone daemon (and maybe even if it is) shouldn't it have the permissions of whoever starts it?
-- Les Mikesell lesmikesell@gmail.com
Johan Vermeulen wrote:
> I will test the script again on B with Selinux disabled.
ARGH. Unless you move it to permissive, at least, you're in for a world of hurt until you fix all the stuff. If you've got time, touch /.autorelabel and reboot. And wait, for a while.....
mark