List of selinux issues

Daniel J Walsh dwalsh at redhat.com
Tue Apr 6 11:19:50 UTC 2004


Warren Togami wrote:

> This is my first time running with selinux enforcement enabled and 
> this system has been apt upgraded from FC2test1 to latest rawhide, so 
> please forgive me that some of these will be duplicates and others may 
> be errors.  Please let me know which are not duplicates, and if you 
> want me to bugzilla them.
>
> To be clear, I did the following in order to ensure that my labels are 
> correct during runtime.  I hope this was correct.
>
> setenforce off
> fixfiles relabel
> setenforce 1
>
>
>
> 1) Infinite Loop of these messages when using "/sbin/ifup eth0" as 
> non-root user.  This is allowed when enforcement is disabled.  CTRL-C 
> is able to stop the looping.
>
> Apr  5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc:  
> denied  { setuid } for  pid=2463 exe=/bin/bash capability=7 
> scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t 
> tclass=capability
> Apr  5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc:  
> denied  { setuid } for  pid=2463 exe=/usr/sbin/usernetctl capability=7 
> scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t 
> tclass=capability
>
>
I am not sure how you set this up to work.  I execute /sbin/ifup eth0 
and I get
Users cannot control this device.

If we want to allow this we will need policy to allow it.  Anyone want to 
take a try at it?

> 2) "su -" from my non-root user caused this error.  I was however 
> allowed to work as root.
>
> Apr  5 21:07:42 ibmlaptop su(pam_unix)[12399]: session opened for user 
> root by warren(uid=500)
> Apr  5 21:07:42 ibmlaptop su[12399]: pam_xauth: error creating 
> temporary file `/root/.xauthsDAz4e': Permission denied
> Apr  5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc:  
> denied  { write } for  pid=12399 exe=/bin/su name=root dev=hda2 
> ino=1291809 scontext=user_u:user_r:user_su_t 
> tcontext=root:object_r:staff_home_dir_t tclass=dir
>
>
This should be fixed in latest policy 1.9.2-12

> 3) Then as root, I used "ifup eth0" which succeeded, but with the 
> following in /var/log/messages.
>
> Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:  
> denied  { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 
> ino=1389922 scontext=root:system_r:dhcpc_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:  
> denied  { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 
> ino=1389922 scontext=root:system_r:dhcpc_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> Apr  5 21:07:45 ibmlaptop dhclient: can't create 
> /var/lib/dhcp/dhclient-eth0.leases: Permission denied
> Apr  5 21:07:46 ibmlaptop dhclient: sit0: unknown hardware address 
> type 776
> Apr  5 21:07:48 ibmlaptop dhclient: DHCPDISCOVER on eth0 to 
> 255.255.255.255 port 67 interval 4
> Apr  5 21:07:48 ibmlaptop dhclient: DHCPOFFER from 172.31.16.1
> Apr  5 21:07:48 ibmlaptop dhclient: DHCPREQUEST on eth0 to 
> 255.255.255.255 port 67
> Apr  5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1
> Apr  5 21:07:48 ibmlaptop dhclient: can't create 
> /var/lib/dhcp/dhclient-eth0.leases: Permission denied
> Apr  5 21:07:48 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal 
> in 356918 seconds.
> Apr  5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc:  
> denied  { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 
> ino=1389922 scontext=root:system_r:dhcpc_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
>
Added policy to allow this, but not sure what it is trying to do.  Could 
you try it in non-enforcing mode and grab the avc messages?

>
> 4) GNOME mixer_applet2 is unable to reach the device.  Strangely this 
> began failing in permissive mode too, but it works when selinux is 
> totally disabled and not loaded.
>
> Apr  5 21:07:10 ibmlaptop kernel: audit(1081235230.797:0): avc:  
> denied  { setattr } for  pid=2435 exe=/usr/libexec/mixer_applet2 
> name=registry.xml dev=hda2 ino=1425367 scontext=user_u:user_r:user_t 
> tcontext=system_u:object_r:var_t tclass=file
>
>
This needs more investigation if it fails in permissive mode.

> 5) This is vmware from the VMWare WS 4.5.1 service startup.  The 
> issues are ... complicated, numerous, and scary looking.
>
> Apr  5 21:06:08 ibmlaptop kernel: vmmon: module license 'unspecified' 
> taints kernel.
> Apr  5 21:06:08 ibmlaptop kernel: vmnet: module license 'unspecified' 
> taints kernel.
> Apr  5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc:  
> denied  { search } for  pid=1909 exe=/usr/bin/vmnet-netifup name=net 
> dev= ino=344 scontext=system_u:system_r:vmware_t 
> tcontext=system_u:object_r:sysfs_t tclass=dir
> Apr  5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc:  
> denied  { search } for  pid=1910 exe=/usr/bin/vmnet-netifup name=net 
> dev= ino=344 scontext=system_u:system_r:vmware_t 
> tcontext=system_u:object_r:sysfs_t tclass=dir
> Apr  5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc:  
> denied  { node_bind } for  pid=1931 exe=/usr/bin/vmnet-natd 
> scontext=system_u:system_r:vmware_t 
> tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
> Apr  5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc:  
> denied  { create } for  pid=1931 exe=/usr/bin/vmnet-natd 
> name=vmnat.1931 scontext=system_u:system_r:vmware_t 
> tcontext=system_u:object_r:var_run_t tclass=sock_file
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium 
> DHCP Server 2.0
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 
> 1998, 1999 The Internet Software Consortium.
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd:
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find 
> this software useful.
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit 
> http://www.isc.org/dhcp-contrib.html
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd:
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium 
> DHCP Server 2.0
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 
> 1998, 1999 The Internet Software Consortium.
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
>
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd:
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium 
> DHCP Server 2.0
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 
> 1998, 1999 The Internet Software Consortium.
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd:
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.18.0
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find 
> this software useful.
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address: 
> 173.31.18.254
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit 
> http://www.isc.org/dhcp-contrib.html
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd: Recving on VNet/vmnet1/173.31.18.0
> Apr  5 21:06:09 ibmlaptop vmnet-dhcpd:
> Apr  5 21:06:10 ibmlaptop vmnet-dhcpd: Sending on VNet/vmnet1/173.31.18.0
> Apr  5 21:06:11 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.17.0
> Apr  5 21:06:12 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address: 
> 173.31.17.254
> Apr  5 21:06:12 ibmlaptop vmnet-dhcpd: Recving on VNet/vmnet8/173.31.17.0
> Apr  5 21:06:12 ibmlaptop vmnet-dhcpd: Sending on VNet/vmnet8/173.31.17.0
> Apr  5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc:  
> denied  { create } for  pid=2253 exe=/usr/bin/vmware-nmbd 
> scontext=system_u:system_r:vmware_t 
> tcontext=system_u:system_r:vmware_t tclass=udp_socket
> Apr  5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc:  
> denied  { create } for  pid=2253 exe=/usr/bin/vmware-nmbd 
> scontext=system_u:system_r:vmware_t 
> tcontext=system_u:system_r:vmware_t tclass=udp_socket
> Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.460:0): avc:  
> denied  { read } for  pid=2254 exe=/usr/bin/vmware-smbd name=urandom 
> dev=hda2 ino=1270748 scontext=system_u:system_r:vmware_t 
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.461:0): avc:  
> denied  { read } for  pid=2254 exe=/usr/bin/vmware-smbd name=shadow 
> dev=hda2 ino=1963867 scontext=system_u:system_r:vmware_t 
> tcontext=system_u:object_r:shadow_t tclass=file
> Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc:  
> denied  { setgid } for  pid=2254 exe=/usr/bin/vmware-smbd capability=6 
> scontext=system_u:system_r:vmware_t 
> tcontext=system_u:system_r:vmware_t tclass=capability
> Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc:  
> denied  { setgid } for  pid=2254 exe=/usr/bin/vmware-smbd capability=6 
> scontext=system_u:system_r:vmware_t 
> tcontext=system_u:system_r:vmware_t tclass=capability
> Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.805:0): avc:  
> denied  { setgid } for  pid=2254 exe=/usr/bin/vmware-smbd capability=6 
> scontext=system_u:system_r:vmware_t 
> tcontext=system_u:system_r:vmware_t tclass=capability
> Apr  5 21:06:16 ibmlaptop last message repeated 2 times
> Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc:  
> denied  { read } for  pid=2254 exe=/usr/bin/vmware-smbd name=printcap 
> dev=hda2 ino=1962265 scontext=system_u:system_r:vmware_t 
> tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
> Apr  5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc:  
> denied  { create } for  pid=2254 exe=/usr/bin/vmware-smbd 
> scontext=system_u:system_r:vmware_t 
> tcontext=system_u:system_r:vmware_t tclass=udp_socket
> Apr  5 21:06:17 ibmlaptop kernel: audit(1081235177.041:0): avc:  
> denied  { sys_resource } for  pid=2254 exe=/usr/bin/vmware-smbd 
> capability=24 scontext=system_u:system_r:vmware_t 
> tcontext=system_u:system_r:vmware_t tclass=capability
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
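Every kernel AVC line quoted in this thread has the same shape (audit(secs:serial): avc: denied { perms } for key=value ...), and the reply above asks for exactly that kind of capture from permissive mode. The script below is an added example, not code from this thread and not part of the SELinux tool set: it parses such lines, groups the denials by source type, target type and object class, counts how often each triple fires (the ifup loop in item 1 shows up as a large count) and lists the executables behind each one, then prints audit2allow-style allow statements as candidates for review. The output format is modelled on audit2allow but the script is not that tool. The sample lines are taken from the report above, unwrapped to one line each; the 2.6-era syslog layout (no auditd, three-part contexts) is assumed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Kernel AVC line as it appears in the messages quoted in this thread
# (syslog form, pre-auditd):
#   ... audit(<secs>.<msecs>:<serial>): avc:  denied  { perm ... } for  k=v k=v ...
AVC_RE = re.compile(
    r"audit\(\d+\.\d+:\d+\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; the value may be empty ("dev=" in the vmnet-netifup lines).
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class Avc:
    result: str        # "denied" or "granted"
    perms: frozenset   # permissions inside the braces
    stype: str         # type component of scontext
    ttype: str         # type component of tcontext
    tclass: str        # object class
    fields: dict       # every key=value on the line (pid, exe, name, dev, ino, ...)


def ctx_type(ctx):
    # A context is user:role:type; the type is always the third component
    # (later releases append an MLS field, which this index ignores).
    return ctx.split(":")[2]


def parse_avc(line):
    """Return an Avc for a kernel AVC line, or None for any other syslog line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated or garbled line: do not guess at it
    return Avc(m.group("result"), frozenset(m.group("perms").split()),
               ctx_type(fields["scontext"]), ctx_type(fields["tcontext"]),
               fields["tclass"], fields)


def summarize_denials(lines):
    """Group denials by (source type, target type, class).

    Returns (rules, counts, exes): the permissions denied per triple, how
    many times each triple was hit, and which executables triggered it.
    """
    rules, counts, exes = {}, Counter(), {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc.result != "denied":
            continue
        key = (avc.stype, avc.ttype, avc.tclass)
        rules.setdefault(key, set()).update(avc.perms)
        exes.setdefault(key, set()).add(avc.fields.get("exe", "?"))
        counts[key] += 1
    return rules, counts, exes


def render_candidate_rules(rules):
    """audit2allow-style allow statements, one per triple, for human review.

    A denial only shows that the program attempted the access, not that
    policy should permit it; each line is a candidate, not a decision.
    """
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in rules.items()
    )


# Sample input: AVC and non-AVC lines from the report above, unwrapped.
SAMPLE_LINES = [
    "Apr  5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc:  denied  { setuid } for  pid=2463 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability",
    "Apr  5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc:  denied  { setuid } for  pid=2463 exe=/usr/sbin/usernetctl capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability",
    "Apr  5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc:  denied  { write } for  pid=12399 exe=/bin/su name=root dev=hda2 ino=1291809 scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir",
    "Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:  denied  { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir",
    "Apr  5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc:  denied  { search } for  pid=1909 exe=/usr/bin/vmnet-netifup name=net dev= ino=344 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:sysfs_t tclass=dir",
    "Apr  5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1",
]

if __name__ == "__main__":
    rules, counts, exes = summarize_denials(SAMPLE_LINES)
    for key, n in counts.most_common():
        s, t, c = key
        print(f"{n:4d}x  {s} -> {t}:{c}  {sorted(rules[key])}  via {sorted(exes[key])}")
    print("\n".join(render_candidate_rules(rules)))
```

Run it over a full /var/log/messages capture from permissive mode and the most_common() ordering puts the looping denials first; the exe set next to each triple answers the "not sure what it is trying to do" question for a given rule before anyone decides whether to allow it.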



