SELinux Attack!

Karl Larsen k5di at zianet.com
Sat Oct 13 17:32:11 UTC 2007 

Matthew Saltzman wrote:
> On Sat, 2007-10-13 at 09:42 -0600, Karl Larsen wrote:
>   
>> Matthew Saltzman wrote:
>>     
>>> On Sat, 2007-10-13 at 06:41 -0600, Karl Larsen wrote:
>>>   
>>>       
>>>> Vinayak Mahadevan wrote:
>>>>     
>>>>         
>>>>> On 10/13/07, Karl Larsen <k5di at zianet.com> wrote:
>>>>>   
>>>>>       
>>>>>           
>>>>>>>       
>>>>>>>           
>>>>>>>               
>>>>>>     I have had all those problems in the past years. But this problem
>>>>>> yesterday was in fact caused by SELinux. I say that because different
>>>>>> from your experience when I turned off SELinux all the problems went away.
>>>>>>     
>>>>>>         
>>>>>>             
>>>>> let the machine  run for some days and then let us know your
>>>>> experience with the machine.
>>>>>
>>>>> Vinayak
>>>>>
>>>>>   
>>>>>       
>>>>>           
>>>>     So far so good. But I would like to know why SELinux did this. And 
>>>> what do I need to do to to make SELinux work on this machine? There seem 
>>>> to be others that use it and it works without a problem.
>>>>     
>>>>         
>>> Karl-
>>>
>>> As I recall, you said earlier in the thread that you had disabled
>>> SELinux for a while when you were experimenting with spinning a custom
>>> distribution.  
>>>
>>> SELinux checks the contexts of files (their SELinux security
>>> information) to see if programs are violating their restrictions, but it
>>> also updates the contexts when files are created and updated.  If you
>>> turn SELinux off, file contexts stop getting updated.  When you turn it
>>> back on, the files may suddenly not have contexts that allow their
>>> applications to access them.  You'll see the things going wrong
>>> in /var/log/messages (grep for AVC and look for "denied" messages) or
>>> you'll get that star icon in your notification area when a program.  And
>>> of course, the programs that use incorrectly labeled files will not
>>> work.
>>>
>>> You also said at some point that you followed instructions to relabel
>>> your filesystem and things started to work.  That is exactly the
>>> solution to the problems introduced by turning SELinux off.  So if you
>>> turn SELinux back on and relabel one more time, you should be OK after
>>> that (as long as you leave SELinux on).
>>>
>>> Most people don't see (too many) SELinux problems because most people
>>> don't ever turn it off.  So it maintains itself.
>>>
>>>   
>>>       
>>>>     
>>>>         
>>     Well I did get a whole lot of messages like this, every ten seconds 
>> or so:
>>
>> Oct 11 02:31:08 k5di dbus: Can't send to audit system: USER_AVC avc:  
>> received policyload notice (seqno=2) : exe="/bin/dbus-daemon" 
>> (sauid=500, hostname=?, addr=?, terminal=?)
>>
>> I'm not sure what this means but it seems to mean that /bin/dbus-daemon 
>> has a problem with my hostname ect.
>>
>> I looked at man dbus-daemon and it is a library that any device can 
>> access. It appears it doesn't have what SELinux wants. How do I fix this 
>> I wonder?
>>     
>
> I found a couple of references to that message by googling.  They seem
> to suggest a bug related to dbus.
>
> I have a handful of these in my logs from the last few weeks, but they
> aren't frequent and they seem otherwise harmless.  If you are getting
> lots and lots, that may be an issue, but it may just be an artifact of
> some other problem.
>
> http://www.redhat.com/archives/fedora-selinux-list/2007-June/msg00103.html
>
>   
    Well thanks Matt. The web page tells me that other people have had 
this same problem which is a Bug for dbus. They say it was fixed for FC6 
but it is showing up again in F7.

    I will not turn on SELinux again until I see a update for dbus. It 
appears dbus is used only by SELinux.



-- 

	Karl F. Larsen, AKA K5DI
	Linux User
	#450462   http://counter.li.org.

More information about the fedora-list mailing list