Program runs from one file system but not the other

SOLVED
tony j. podrasky
Valued Contributor

O/S: Fedora 16

o I have 2 boot disks: /sda and /sdb

o I run on /sda for 6 months, doing monthly backups. At the end of 6 months I:

- boot off of /sdb
- mount /sda
- tar /sda to backup device
- boot /sda
- mkfs /sdb
- mount /sdb
- tar backup of /sda onto /sdb
- edit files like fstab
- boot and run off of /sdb

(I may have missed a step above; I've got the flu and am not fully on-line :-). I've been doing this since 1995 with no problem.)

So I do all that and boot from /sdb.

Now, I log in as me and find that I can no longer do <ping> or <rlogin>:

(I'm going to use fully-qualified pathnames so you can see what's going on.)

tonyp% /bin/ping m2404txp
ping: icmp open socket: Operation not permitted

tonyp% /usr/bin/rlogin m2404txp
rcmd: socket: Permission denied


-- Now look what happens when I do it from /sda --

tonyp% /sda/bin/ping m2404txp
PING m2404txp (15.19.89.12) 56(84) bytes of data.
64 bytes from m2404txp (15.19.89.12): icmp_req=1 ttl=64 time=0.284 ms
64 bytes from m2404txp (15.19.89.12): icmp_req=2 ttl=64 time=0.260 ms
64 bytes from m2404txp (15.19.89.12): icmp_req=3 ttl=64 time=0.257 ms

tonyp% /sda/usr/bin/rlogin m2404txp
Last login: Sat Oct 27 09:19:39 from blacktower
--

I've checked the directory permissions and <diff> the files, and they are the same.

My only guess is that somewhere there is an entry that says "tonyp can run the following utilities on /sda".

Any ideas as to what to look for?

(I'm going to boot from /sda and then mount /sdb and see if I get the opposite results of the rlogin and ping commands.)

regards,

tony.podrasky@gmail.com

REMEMBER: Once you eliminate your #1 problem, #2 gets a promotion.
Matti_Kurkela
Honored Contributor
Solution

Re: Program runs from one file system but not the other

> My only guess is that somewhere there is an entry that says "tonyp can run the following utilities on /sda".

Actually, the utilities *are* running just fine, but the OS rejects some operations that are critical for the proper functioning of those utilities.

In the case of ping, the utility is trying to open a raw socket for the purpose of sending and receiving ICMP ping packets, and the OS is rejecting that. Classically, root access is needed to do that.

In the case of rlogin, the utility needs to use the privileged ports (TCP/UDP port range 0-1023), which are classically reserved for root use only in Unix-like systems.

This is why ping and rlogin are usually setuid root binaries (owned by root and with permissions something like -r?s?-x?-x).

But, as a long-time Linux veteran, you probably have already checked that.

The next possible cause is the new-fangled feature known as SELinux.

It adds a more fine-grained security layer that can restrict even root processes. So the missing entry is not related to user "tonyp"; it's actually more like "program /bin/ping may use raw sockets" and "program /usr/bin/login may use privileged ports".

Fedora 16 is new enough to possibly have SELinux enabled by default. If that's true, your system cloning procedure will need one extra step: restoring the SELinux labels after the tar operation, or alternatively copying the SELinux labels along with the tar operation.

The system can do the relabeling automatically based on the SELinux ruleset stored in /etc/selinux; it just needs to be told that a full relabeling is needed.

The easiest way to do that is to create a file named "/.autorelabel" on the root filesystem that is restored/regenerated with tar. So in your case, the amended last steps of your procedure would have to be:

[...]
- tar backup of /sda onto /sdb
- edit files like fstab
- touch /sdb/.autorelabel
- boot and run off of /sdb

If you don't want to repeat your backup procedure, fixing your current situation without rebooting would be as easy as running "restorecon -v /" as root... but if SELinux is really in effect and all the labels are gone, you may have to use /sda/bin/su or /sda/usr/bin/sudo to get a real omnipotent root session first, as the versions of su and sudo on /sdb may be unable to give you full root powers because, again, the commands are missing their proper SELinux labels.

MK
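The thread's puzzle is that `diff` reported the binaries on /sda and /sdb as identical while one copy worked and the other did not. `diff` compares file content only; the things the kernel actually checks before granting a raw socket or a privileged port (the setuid bit, the owner, the SELinux label, and any file capabilities stored in xattrs) are metadata that a plain tar restore can drop. The script below, added here as an example and not code from either poster, compares exactly that metadata between two copies of a tree so the difference shows up before the next reboot. The `/sda`/`/sdb` usage and the `ping`/`rlogin` names are the thread's; the sample trees built by `demo()` are constructed for illustration, and the file name `clone_check.py` is an assumption.

```python
"""Compare the security metadata that `diff` never looks at between two
copies of a file tree, e.g. the /sda and /sdb system disks in the thread.

Added example for this thread, not code from the original post. The
sample trees built by demo() are constructed here for illustration.
"""
import os
import stat
import sys
import tempfile


def security_metadata(path):
    """Return the per-file attributes the kernel and SELinux enforce:
    mode bits (including setuid/setgid), owner, SELinux label and file
    capabilities. Two binaries can be byte-identical yet differ here."""
    st = os.lstat(path)
    meta = {
        "mode": stat.S_IMODE(st.st_mode),
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "setgid": bool(st.st_mode & stat.S_ISGID),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "selinux": None,   # label string on an SELinux host, else None
        "caps": None,      # raw security.capability xattr (hex), else None
    }
    for key, attr in (("selinux", "security.selinux"),
                      ("caps", "security.capability")):
        try:
            value = os.getxattr(path, attr, follow_symlinks=False)
        except (OSError, AttributeError):
            continue       # xattr absent, SELinux not in use, or non-Linux host
        if key == "selinux":
            meta[key] = value.rstrip(b"\0").decode(errors="replace")
        else:
            meta[key] = value.hex()
    return meta


def compare_trees(src_root, dst_root):
    """Walk src_root and report every (relative path, field, src, dst)
    tuple where the copy under dst_root differs or is missing."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(src_root):
        for name in dirnames + filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            if not os.path.lexists(dst):
                findings.append((rel, "missing", True, False))
                continue
            a, b = security_metadata(src), security_metadata(dst)
            for field in a:
                if a[field] != b[field]:
                    findings.append((rel, field, a[field], b[field]))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def demo():
    """Constructed sample: the original disk has setuid ping and rlogin,
    the restored copy has identical content but ping lost its setuid bit.
    Returns compare_trees() findings for the two trees."""
    root = tempfile.mkdtemp(prefix="clone-check-")
    src, dst = os.path.join(root, "sda"), os.path.join(root, "sdb")
    for base in (src, dst):
        os.makedirs(os.path.join(base, "bin"))
    for name, src_mode, dst_mode in (("ping", 0o4755, 0o755),
                                     ("rlogin", 0o4755, 0o4755)):
        for base, mode in ((src, src_mode), (dst, dst_mode)):
            p = os.path.join(base, "bin", name)
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho fake %s\n" % name)  # same content in both
            os.chmod(p, mode)
    return compare_trees(src, dst)


if __name__ == "__main__":
    # Usage: python3 clone_check.py /sda /sdb   (no arguments runs the demo)
    results = compare_trees(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for rel, field, a, b in results:
        shown = (oct(a), oct(b)) if field == "mode" else (a, b)
        print("%s: %s %r -> %r" % (rel, field, *shown))
```

Run against the mounted disks as `python3 clone_check.py /sda /sdb` from the working side; any `selinux`, `caps` or `setuid` line explains a "Permission denied" that content diffs cannot. When re-doing the clone, GNU tar keeps this metadata only if asked (`--xattrs`, `--selinux`, `--acls` on both the create and the extract side); otherwise the `.autorelabel` step above is what puts the labels back.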
tony j. podrasky
Valued Contributor

Re: Program runs from one file system but not the other

Hello Matti et al;

 

I tried the ideas you supplied and had no success with modifying the selinux environment.

 

I wound up doing a <chmod u+s> on ping and rlogin to fix the problems. Works fine now. I also did that on /sda. Tomorrow I'll do another backup/restore to /sdb and see if things work on /sdb. I expect so.

 

I would rather have gotten the selinux to work correctly, but I admit when I built the Fedora 16 on my new computer, I had so much trouble - because it is NOTHING like Red Hat Enterprise 3.0 - that I wound up butchering the heck out of the O/S.

 

I've been running Linux since 1995 Slackware 1.2 and have never seen such a nightmare as Fedora 16.

 

Anyway, thanx for the help and the fix.

 

regards,

tony.podrasky

REMEMBER: Once you eliminate your #1 problem, #2 gets a promotion.