Recently, very occasionally, when updating, I am getting the error: broken pipe, which I am absolutely certain originates from restorecond relabelling files. My problem is threefold:
1. Pacman was updated around the time the problems started.
2. The SELinux packages were updated around the time the problems started.
3. My project du jour is AppArmor profiles for low level I/O daemons like NetworkManager, openvpn, gvfs, udisks2....
Noting #3, my first reaction was that it was the result of one of my new AppArmor profiles. But, for the last couple of weeks, I have put anything that I even remotely suspect of being a possible culprit into complain mode, and repeatedly scanned with aa-logprof. The net result is that my suspicions are now turning towards either Pacman or SELinux. The real complication however, is that, because it happens so rarely, to definitively rule out an AppArmor profile, I would need to eschew using AppArmor, potentially, for a considerable period of time.
I have been doing some Google searches, and there do appear to be issues related to SELinux regarding the error. But, again, there is nothing definitive. Broken pipe errors appear to be fairly common, so what my search results are really saying is that some systems on SELinux platforms have issues with broken pipes.
Finally, it doesn't actually appear to be having any adverse effects. Everything is working as expected, and, when I shut down or reboot, restorecond does its thing and sets the security context for new files which I haven't explicitly set.
As far as SELinux is concerned, I am still on the initial learning curve. So, if anybody knows anything about this and could give me a clue as to what is going on, or how to identify the source of the problem, I would be extremely grateful.
Irvine
Last edited by IrvineHimself (2018-06-07 06:19:00)
And there, it is coming. The coin, the penny, maybe it is coming with you!
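An added example, not part of the original posts: one way to check whether AppArmor (complain-mode `ALLOWED` or enforced `DENIED`) or SELinux logged any audit record involving restorecond or pacman, instead of relying on aa-logprof alone. The log lines, profile paths and file names are constructed for illustration and do not come from the poster's system.

```python
import re
from collections import Counter

# Constructed sample audit records (assumed paths and contexts, not real output).
SAMPLE_LOG = """\
type=AVC msg=audit(1528352340.101:410): apparmor="ALLOWED" operation="open" profile="/usr/lib/gvfs/gvfsd" name="/var/lib/pacman/db.lck" pid=1501 comm="gvfsd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1528352341.220:411): apparmor="DENIED" operation="file_perm" profile="/usr/lib/udisks2/udisksd" name="/run/udisks2/mtab" pid=640 comm="udisksd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1528352342.007:412): avc:  denied  { write } for  pid=812 comm="restorecond" path="pipe:[20511]" dev="pipefs" ino=20511 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1528352343.450:413): apparmor="ALLOWED" operation="signal" profile="/usr/bin/NetworkManager" pid=702 comm="NetworkManager" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted" or key=bare
SELINUX = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

def parse(line):
    """Return a dict for one AppArmor or SELinux AVC record, else None."""
    fields = {k: q or u for k, q, u in FIELD.findall(line)}
    if "apparmor" in fields:                              # AppArmor audit record
        return {"lsm": "apparmor", "verdict": fields["apparmor"],
                "subject": fields.get("profile", "?"),
                "comm": fields.get("comm", "?"),
                "object": fields.get("name", fields.get("peer", "?"))}
    m = SELINUX.search(line)
    if m:                                                 # SELinux AVC record
        return {"lsm": "selinux", "verdict": m.group(1).upper(),
                "subject": fields.get("scontext", "?"),
                "comm": fields.get("comm", "?"),
                "object": fields.get("path", fields.get("name", "?"))}
    return None                                           # unrelated audit record

def involving(log_text, needles=("restorecond", "pacman")):
    """Count records whose subject, comm or object mentions any needle."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and any(n in rec[k] for n in needles
                       for k in ("subject", "comm", "object")):
            hits[(rec["lsm"], rec["verdict"], rec["comm"], rec["object"])] += 1
    return hits

if __name__ == "__main__":
    for key, count in involving(SAMPLE_LOG).items():
        print(count, *key)
```

An empty result for the window around a failed update would argue against the profiles and the policy being involved; any hit names the module, process and object to look at next.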
Yesterday, I did a major update, including two kernels and a whole load of other stuff, from the SELinux environment without any errors being reported by pacman. This tends to point to it being something to do with an AppArmor profile. But, on the other hand, in between dealing with xorg-server problems, for the last week, I have been writing shells to control the mounting and un-mounting of partitions, external hard drives, thumb drives and other SSDs. This also included a systemd unit to auto-unmount a drive if it is showing no recent activity.
Noting that I only use Firejail, along with its generic AppArmor profile for high level applications and, although, since it is a potential attack vector, I confine makepkg, I do not confine pacman in any way. During all the required testing for the above shells; daily system updates, along with all the installing and un-installing necessitated by my investigations of the xorg-server problems, I would have thought I would have seen some indication of any problems with the AppArmor profiles for either:
gvfsd
gvfsd-trash
gvfsd-metadata
gvfs-udisks2-volume-monitor
udisksd
The other AppArmor profiles I am working on are unlikely to be causing problems with restorecond, these are:
wpa_supplicant
NetworkManager
nm-applet
nm-openvpn-service
openvpn
pulseaudio
tumbler-1/tumblerd
xfce4/notifyd/xfce4-notifyd
ffmpeg
ffmpegthumbnailer
ffplay
The upshot of all this is that I have decided that, while they are essentially compatible, having SELinux user space tools in an AppArmor environment is more trouble than it's worth. As a result, I am going to set up a separate SELinux installation to help me get to grips with the intricacies of SELinux.
All the best
Irvine
Last edited by IrvineHimself (2018-06-07 06:27:33)