<DIV>Hey Steve,The csm at the end of my name stands for Certified Surpreme Master Gemcutter which was issued by the American Society of Gemcutters and not Walmart.I challenge you to try to obtain one!Kent McClanahan csm fedora-selinux-list-request@redhat.com wrote: <BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">Send fedora-selinux-list mailing list submissions to fedora-selinux-list@redhat.com To subscribe or unsubscribe via the World Wide Web, visit http://www.redhat.com/mailman/listinfo/fedora-selinux-list or, via email, send a message with subject or body 'help' to fedora-selinux-list-request@redhat.com You can reach the person managing the list at fedora-selinux-list-owner@redhat.com When replying, please edit your Subject line so it is more specific than "Re: Contents of fedora-selinux-list digest..." Today's Topics: 1. "invalid contex" question (David Hampton) 2. Re: "invalid contex" question (Stephen Smalley) 3. Re: "invalid contex" question (David Hampton) 4. Permissions for new users (Richard Jensen) 5. execmem and targeted policy (Colin Walters) 6. Re: execmem and targeted policy (Stephen Smalley) 7! . Re: NAZI DATA (steve) 8. problems (steve) 9. Newbie to fedora/linux (Stephen Valenti) 10. Re: execmem and targeted policy (dragoran) 11. Re: Newbie to fedora/linux (ne...) ---------------------------------------------------------------------- Message: 1 Date: Thu, 10 Feb 2005 12:32:59 -0500 From: David Hampton <HAMPTON@EMPLOYEES.ORG> Subject: "invalid contex" question To: fedora-selinux-list@redhat.com Message-ID: <1108056779.29383.24.camel@hampton-pc.rainbolthampton.net> Content-Type: text/plain; charset="us-ascii" I'm running an FC3 system with the latest rawhide strict policy. I'm currently trying to tweak the dovecot files for my system and am running into an invalid context error. My changes so far: Index: domains/program/dovecot.te +type dovecot_data_t, file_type, sysadmfile; +create_dir_file(dovecot_t, dovecot_data_t) Index: file_contexts/program/dovecot.fc +/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t; The problem is that after a 'make reload' when I try to relabel the /var/spool/dovecot directory, I get the error message: /etc/selinux/strict/contexts/files/file_contexts: line 999 has invalid context system_u:object_r:dovecot_data_t; Doing a 'make install' in the policy directory gives me this same error. Is there something else I need to do to create this new type? Thanks. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : https://www.redhat.com/archives/fedora-selinux-list/attachments/20050210/adf2d238/attachment.bin ------------------------------ Message: 2 Date: Thu, 10 Feb 2005 12:31:15 -0500 From: Stephen Smalley <SDS@EPOCH.NCSC.MIL> Subject: Re: "invalid contex" question To: "Fedora SELinux support list for users & developers." <FEDORA-SELINUX-LIST@REDHAT.COM> Message-ID: <1108056675.22172.108.camel@moss-spartans.epoch.ncsc.mil> Content-Type: text/plain On Thu, 2005-02-10 at 12:32, David Hampton wrote: > Index: file_contexts/program/dovecot.fc > > +/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t; No semicolon terminators in file contexts files. They are just newline delimited. -- Stephen Smalley <SDS@EPOCH.NCSC.MIL> National Security Agency ------------------------------ Message: 3 Date: Thu, 10 Feb 2005 12:54:42 -0500 From: David Hampton <HAMPTON@EMPLOYEES.ORG> Subject: Re: "invalid contex" question To: "Fedora SELinux support list for users & developers." <FEDORA-SELINUX-LIST@REDHAT.COM> Message-ID: <1108058082.29383.25.camel@hampton-pc.rainbolthampton.net> Content-Type: text/plain; charset="us-ascii" On Thu, 2005-02-10 at 12:31 -0500, Stephen Smalley wrote: > On Thu, 2005-02-10 at 12:32, David Hampton wrote: > > Index: file_contexts/program/dovecot.fc > > > > +/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t; > > No semicolon terminators in file contexts files. They are just newline > delimited. Thanks. (Boy do I feel silly.) David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : https://www.redhat.com/archives/fedora-selinux-list/attachments/20050210/a67e99e3/attachment.bin ------------------------------ Message: 4 Date: Wed, 09 Feb 2005 18:13:33 -0600 From: Richard Jensen <RICHARD@RHJENSEN.COM> Subject: Permissions for new users To: fedora-selinux-list@redhat.com Message-ID: <420AA72D.2010108@rhjensen.com> Content-Type: text/plain; charset=ISO-8859-1 Hi. I'm wondering about the permissions new users get when they are created. Before SELinux I had to add users to 'wheel' to enable them to su to root. I did an adduser and it seems to be unrestricted: [testse@lankhmar ~]$ id -Z user_u:system_r:unconfined_t and the user is able to su to root. Is this normal? How would I keep the user from being able to su? I added: user testse roles { user_r }; to /etc/selinux/targeted/src/policy/users and did: make load This didn't seem to make any difference. This is on FC3 (2.6.10-1.760_FC3) selinux-policy-targeted-1.17.30-2.75 [root@lankhmar ~]# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config fi! le: enforcing Policy version: 18 Policy from config file:targeted I'm not sure if this is clear, or enough information. I tried searching the archives but didn't find anything. [I may be searching incorrectly]. Thanks, Richard. ------------------------------ Message: 5 Date: Thu, 10 Feb 2005 13:17:58 -0500 From: Colin Walters <WALTERS@REDHAT.COM> Subject: execmem and targeted policy To: fedora-selinux-list@redhat.com Message-ID: <1108059478.6288.7.camel@nexus.verbum.private> Content-Type: text/plain Hi, I noticed that as of a recent rawhide update that Eclipse stopped working: audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process Chatting with Dan, this is apparently because the execmem permission was dropped from unconfined_domain recently. We can't d! o this in targeted policy because it would require us to know about (and specially label) all such programs. We could potentially label /usr/bin/eclipse as unconfined_execmem_t or whatever since we have Eclipse packages in Fedora. However, I am almost positive the Sun JVM requires this permission too, and if we go this route, then every person who untars the Sun JVM and tries to run Java programs will run into this problem. This is against the philosophy of the targeted policy in that it affects programs outside of the targeted daemon set. My worry is that for every person (like me) who tracks down this problem and finds a workaround, there will be 999 others who disable SELinux entirely. And that's bad, because we need it to be enabled by default so we can use it to confine the programs that really need it. (Dan says that textrel_shlib_t has a similar issue) One approach might be to have e.g. bin_t and bin_nonexecmem_t. We label programs that we know work as bin_nonexecmem_t. ------------------------------ Message: 6 Date: Thu, 10 Feb 2005 13:20:28 -0500 From: Stephen Smalley <SDS@EPOCH.NCSC.MIL> Subject: Re: execmem and targeted policy To: "Fedora SELinux support list for users & developers." <FEDORA-SELINUX-LIST@REDHAT.COM> Message-ID: <1108059628.22172.162.camel@moss-spartans.epoch.ncsc.mil> Content-Type: text/plain On Thu, 2005-02-10 at 13:17, Colin Walters wrote: > I noticed that as of a recent rawhide update that Eclipse stopped > working: > > audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process > > Chatting with Dan, this is apparently because the execmem permission was > dropped from unconfined_domain recently. > > We can't do this in targeted policy! because it would require us to know > about (and specially label) all such programs. It is controlled by a boolean. So simply enable the allow_execmem and allow_execmod booleans by default in the targeted policy (via the booleans config file). Or if you absolutely must unconditionally allow it in targeted policy, put the allow rules in the targeted unconfined.te file so that you don't affect the strict policy. But note that the reason for subjecting these permissions to booleans even in the targeted policy was that we were asked to do so by Ulrich (see the earlier discussion on rhselinux-list). -- Stephen Smalley <SDS@EPOCH.NCSC.MIL> National Security Agency ------------------------------ Message: 7 Date: Thu, 10 Feb 2005 17:00:35 -0600 From: steve <W5SET@ALLTEL.NET> Subject: Re: NAZI DATA To: "Fedora SELinux support list for users & developers." <FEDORA-SELINUX-LIST@REDHAT.COM> Message-ID: <200502101700.35460.w5set@alltel.net> Content-Type: text/plain; charset="utf-8" Sure--that info is readily available. Just march into the CIA Headquarters and demand the info you need and site the Freedom of Information ACT. But they will stall you forever, and try to read you another ACT, but I have heard that most of the collaboration is being done on the CLONEHitler project. Or was that the CLOWN HITLER project? OHHHH--my mind is so fuzzy these days--YOU should recognize that symptom right off. But thanks to modern medicine I am so much better these days--maybe you should try some. On a more realistic note, have you heard from ET lately? He hasn't called me in months now. And the csm at the end of your name---Do you work for Wal Mart? CSM there stands for Customer Service Manager. Almost Sincerely, Steve On Thursday February 10 2005 09:48, kent mcclanahan wrote: > Gentlemen,could you please ! inform me how to obtain data on Nazi involvement > with the National Security Agency and The Central Intelligence Agency > including names of the projects?Most Sincerely,Kent McClanahan csm > > > --------------------------------- > Do you Yahoo!? > Meet the all-new My Yahoo! Try it today! ------------------------------ Message: 8 Date: Thu, 10 Feb 2005 17:25:35 -0600 From: steve <W5SET@ALLTEL.NET> Subject: problems To: "Fedora SELinux support list for users & developers." <FEDORA-SELINUX-LIST@REDHAT.COM> Message-ID: <200502101725.35518.w5set@alltel.net> Content-Type: text/plain; charset="us-ascii" And ya'll think that having problems with such a mundane subject as Fedora Core SELinux is a biggie, Kent obviously has much bigger (problem) fish to fry. About time I had a good laugh reading this email forum, but back to reality and getting my server to run without a! ny help from the Internet "assistants" that stop often to help me by inputing code or something that trys to overfill the buffers or evade detection by my router/firewalls. Ho-Hum. -- .................steve w5set ------------------------------ Message: 9 Date: Fri, 11 Feb 2005 15:28:57 +0800 From: "Stephen Valenti" <KVA64770@BIGPOND.NET.AU> Subject: Newbie to fedora/linux To: <FEDORA-SELINUX-LIST@REDHAT.COM> Message-ID: <001401c5100b$595c6800$0600000a@stephen> Content-Type: text/plain; charset="iso-8859-1" Hi, I was wondering if anybody could help.Im a real newbie at linux and dont know much about it.I installed fedora core 3 with \windows xp sp2.and am currently trying to get my speedtouch adsl 530 modem to work but everytime I try create a folder to install too it tells me "I cant create the folder I dont own the computer" or something like that.I tried to find administration tools within fedo! ra but couldnt what am I doing wrong or do i need to re-install fedora Steve -------------- next part -------------- An HTML attachment was scrubbed... URL: https://www.redhat.com/archives/fedora-selinux-list/attachments/20050211/4bd8a506/attachment.htm ------------------------------ Message: 10 Date: Fri, 11 Feb 2005 12:20:51 +0100 From: dragoran <DRAGORAN@FEUERPOKEMON.DE> Subject: Re: execmem and targeted policy To: "Fedora SELinux support list for users & developers." <FEDORA-SELINUX-LIST@REDHAT.COM> Message-ID: <420C9513.20206@feuerpokemon.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Colin Walters wrote: >Hi, > >I noticed that as of a recent rawhide update that Eclipse stopped >working: > >audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process > >Chatting with Dan, this is apparently because the execmem permission was >dropped from unconfined_domain recently. > >We can't do this in targeted policy because it would require us to know >about (and specially label) all such programs. We could potentially >label /usr/bin/eclipse as unconfined_execmem_t or whatever since we have >Eclipse packages in Fedora. However, I am almost positive the Sun JVM >requires this permission too, and if we go this route, then every person >who untars the Sun JVM and tries to run Java programs will run into this >problem. > >This is against the philosophy of the targeted policy in that it affects >programs outside of the targeted daemon set. My worry is that for every >person (like me) who tracks down this problem and finds a workaround, >there will be 999 others who disable SELinux entirely. And that's bad, >because we n! eed it to be enabled by default so we can use it to confine >the programs that really need it. > >(Dan says that textrel_shlib_t has a similar issue) > >One approach might be to have e.g. bin_t and bin_nonexecmem_t. We label >programs that we know work as bin_nonexecmem_t. > > >-- >fedora-selinux-list mailing list >fedora-selinux-list@redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > mysqld has the same issues even in fc3 when running 2.6.11-rc3 http://www.redhat.com/archives/fedora-selinux-list/2005-February/msg00056.html ------------------------------ Message: 11 Date: Fri, 11 Feb 2005 07:51:58 -0500 From: "ne..." <GUHVIES@GMAIL.COM> Subject: Re: Newbie to fedora/linux To: "Fedora SELinux support list for users &, developers." <FEDORA-SELINUX-LIST@REDHAT.COM> Message-ID: <A227B70C0502110451A67978E@MAIL.GMAIL.COM> Content-Type: text/plain; charset=US-ASCII On Fri, 11 Feb 2005 15:28:57 +0800, Stephen Valenti <KVA64770@BIGPOND.NET.AU>wrote: > > Hi, > I was wondering if anybody could help. Yep. > what am I doing wrong or do i need to re-install fedora Posting to the wrong group. You to join fedora-list and post your problems there. N.Emile... -- Registered Linux User # 125653 (http://counter.li.org) Certified: 75% bastard, 42% of which is tard. http://www.thespark.com/bastardtest Now accepting personal mail for GMail invites. ------------------------------ -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list End of fedora-selinux-list Digest, Vol 12, Issue 11 *************************************************** </BLOCKQUOTE></DIV> <hr size=1>Do you Yahoo!? Yahoo! Search presents - <a href="http://us.rd.yahoo.com/evt=30648/*http://movies.yahoo.com/movies/feature/jibjabinaugural.html">Jib Jab's 'Second Term'</a>