List of selinux issues
Daniel J Walsh
dwalsh at redhat.com
Tue Apr 6 11:19:50 UTC 2004
Warren Togami wrote:
> This is my first time running with selinux enforcement enabled and
> this system has been apt upgraded from FC2test1 to latest rawhide, so
> please forgive me that some of these will be duplicates and others may
> be errors. Please let me know which are not duplicates, and if you
> want me to bugzilla them.
>
> To be clear, I did the following in order to ensure that my labels are
> correct during runtime. I hope this was correct.
>
> setenforce off
> fixfiles relabel
> setenforce 1
>
>
>
> 1) Infinite Loop of these messages when using "/sbin/ifup eth0" as
> non-root user. This is allowed when enforcement is disabled. CTRL-C
> is able to stop the looping.
>
> Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc:
> denied { setuid } for pid=2463 exe=/bin/bash capability=7
> scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
> tclass=capability
> Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc:
> denied { setuid } for pid=2463 exe=/usr/sbin/usernetctl capability=7
> scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
> tclass=capability
>
>
I am not sure how you set this up to work. I execute /sbin/ifup eth0
and I get
Users cannot control this device.
If we want to allow this we will need policy to allow it. Anyone want to
take a try at it?
> 2) "su -" from my non-root user caused this error. I was however
> allowed to work as root.
>
> Apr 5 21:07:42 ibmlaptop su(pam_unix)[12399]: session opened for user
> root by warren(uid=500)
> Apr 5 21:07:42 ibmlaptop su[12399]: pam_xauth: error creating
> temporary file `/root/.xauthsDAz4e': Permission denied
> Apr 5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc:
> denied { write } for pid=12399 exe=/bin/su name=root dev=hda2
> ino=1291809 scontext=user_u:user_r:user_su_t
> tcontext=root:object_r:staff_home_dir_t tclass=dir
>
>
This should be fixed in latest policy 1.9.2-12.
> 3) Then as root, I used "ifup eth0" which succeeded, but with the
> following in /var/log/messages.
>
> Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:
> denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
> ino=1389922 scontext=root:system_r:dhcpc_t
> tcontext=system_u:object_r:home_root_t tclass=dir
> Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:
> denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
> ino=1389922 scontext=root:system_r:dhcpc_t
> tcontext=system_u:object_r:home_root_t tclass=dir
> Apr 5 21:07:45 ibmlaptop dhclient: can't create
> /var/lib/dhcp/dhclient-eth0.leases: Permission denied
> Apr 5 21:07:46 ibmlaptop dhclient: sit0: unknown hardware address
> type 776
> Apr 5 21:07:48 ibmlaptop dhclient: DHCPDISCOVER on eth0 to
> 255.255.255.255 port 67 interval 4
> Apr 5 21:07:48 ibmlaptop dhclient: DHCPOFFER from 172.31.16.1
> Apr 5 21:07:48 ibmlaptop dhclient: DHCPREQUEST on eth0 to
> 255.255.255.255 port 67
> Apr 5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1
> Apr 5 21:07:48 ibmlaptop dhclient: can't create
> /var/lib/dhcp/dhclient-eth0.leases: Permission denied
> Apr 5 21:07:48 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal
> in 356918 seconds.
> Apr 5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc:
> denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
> ino=1389922 scontext=root:system_r:dhcpc_t
> tcontext=system_u:object_r:home_root_t tclass=dir
>
Added policy to allow this, but not sure what it is trying to do. Could
you try it in non-enforcing mode and grab the avc messages?
>
> 4) GNOME mixer_applet2 is unable to reach the device. Strangely this
> began failing in permissive mode too, but it works when selinux is
> totally disabled and not loaded.
>
> Apr 5 21:07:10 ibmlaptop kernel: audit(1081235230.797:0): avc:
> denied { setattr } for pid=2435 exe=/usr/libexec/mixer_applet2
> name=registry.xml dev=hda2 ino=1425367 scontext=user_u:user_r:user_t
> tcontext=system_u:object_r:var_t tclass=file
>
>
This needs more investigation if it fails in permissive mode.
> 5) This is vmware from the VMWare WS 4.5.1 service startup. The
> issues are ... complicated, numerous, and scary looking.
>
> Apr 5 21:06:08 ibmlaptop kernel: vmmon: module license 'unspecified'
> taints kernel.
> Apr 5 21:06:08 ibmlaptop kernel: vmnet: module license 'unspecified'
> taints kernel.
> Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc:
> denied { search } for pid=1909 exe=/usr/bin/vmnet-netifup name=net
> dev= ino=344 scontext=system_u:system_r:vmware_t
> tcontext=system_u:object_r:sysfs_t tclass=dir
> Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc:
> denied { search } for pid=1910 exe=/usr/bin/vmnet-netifup name=net
> dev= ino=344 scontext=system_u:system_r:vmware_t
> tcontext=system_u:object_r:sysfs_t tclass=dir
> Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc:
> denied { node_bind } for pid=1931 exe=/usr/bin/vmnet-natd
> scontext=system_u:system_r:vmware_t
> tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
> Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc:
> denied { create } for pid=1931 exe=/usr/bin/vmnet-natd
> name=vmnat.1931 scontext=system_u:system_r:vmware_t
> tcontext=system_u:object_r:var_run_t tclass=sock_file
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium
> DHCP Server 2.0
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997,
> 1998, 1999 The Internet Software Consortium.
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find
> this software useful.
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit
> http://www.isc.org/dhcp-contrib.html
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium
> DHCP Server 2.0
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997,
> 1998, 1999 The Internet Software Consortium.
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
>
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium
> DHCP Server 2.0
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997,
> 1998, 1999 The Internet Software Consortium.
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.18.0
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find
> this software useful.
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address:
> 173.31.18.254
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit
> http://www.isc.org/dhcp-contrib.html
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Recving on VNet/vmnet1/173.31.18.0
> Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
> Apr 5 21:06:10 ibmlaptop vmnet-dhcpd: Sending on VNet/vmnet1/173.31.18.0
> Apr 5 21:06:11 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.17.0
> Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address:
> 173.31.17.254
> Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Recving on VNet/vmnet8/173.31.17.0
> Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Sending on VNet/vmnet8/173.31.17.0
> Apr 5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc:
> denied { create } for pid=2253 exe=/usr/bin/vmware-nmbd
> scontext=system_u:system_r:vmware_t
> tcontext=system_u:system_r:vmware_t tclass=udp_socket
> Apr 5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc:
> denied { create } for pid=2253 exe=/usr/bin/vmware-nmbd
> scontext=system_u:system_r:vmware_t
> tcontext=system_u:system_r:vmware_t tclass=udp_socket
> Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.460:0): avc:
> denied { read } for pid=2254 exe=/usr/bin/vmware-smbd name=urandom
> dev=hda2 ino=1270748 scontext=system_u:system_r:vmware_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.461:0): avc:
> denied { read } for pid=2254 exe=/usr/bin/vmware-smbd name=shadow dev=hda2
> ino=1963867 scontext=system_u:system_r:vmware_t
> tcontext=system_u:object_r:shadow_t tclass=file
> Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc:
> denied { setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
> scontext=system_u:system_r:vmware_t
> tcontext=system_u:system_r:vmware_t tclass=capability
> Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc:
> denied { setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
> scontext=system_u:system_r:vmware_t
> tcontext=system_u:system_r:vmware_t tclass=capability
> Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.805:0): avc:
> denied { setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
> scontext=system_u:system_r:vmware_t
> tcontext=system_u:system_r:vmware_t tclass=capability
> Apr 5 21:06:16 ibmlaptop last message repeated 2 times
> Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc:
> denied { read } for pid=2254 exe=/usr/bin/vmware-smbd name=printcap
> dev=hda2 ino=1962265 scontext=system_u:system_r:vmware_t
> tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
> Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc:
> denied { create } for pid=2254 exe=/usr/bin/vmware-smbd
> scontext=system_u:system_r:vmware_t
> tcontext=system_u:system_r:vmware_t tclass=udp_socket
> Apr 5 21:06:17 ibmlaptop kernel: audit(1081235177.041:0): avc:
> denied { sys_resource } for pid=2254 exe=/usr/bin/vmware-smbd capability=24
> scontext=system_u:system_r:vmware_t
> tcontext=system_u:system_r:vmware_t tclass=capability
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
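The exchange above turns on reading kernel AVC denial lines and deciding which ones deserve policy and which ones ("not sure what it is trying to do", vmware-smbd reading shadow) deserve a closer look first. Below is an added example, not code from either poster or from the SELinux project, that parses the 2004-era `audit(...): avc: denied { perm } for key=value ...` format shown in the thread, groups denials by source type, target type and object class, and prints candidate allow rules the way a person reviewing such a log would draft them. The sample lines are copied from the thread with the mail line-wrapping undone; `REVIEW_TYPES` is an assumption of this example (a list of target types whose denials should be treated as a policy question rather than allowed mechanically), and every function name is invented here.

```python
import re
from collections import defaultdict

# Kernel AVC format seen in the thread:
#   audit(<secs>.<usecs>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; the value may be empty (the thread shows "dev=" for sysfs objects)
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Assumption of this example: target types whose denials a person must review
# instead of converting into allow rules. shadow_t appears in the thread
# (vmware-smbd attempting to read /etc/shadow).
REVIEW_TYPES = {"shadow_t"}

# Constructed sample: lines from the thread, each re-joined onto one line.
SAMPLE_LINES = [
    "Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc: denied { setuid } for pid=2463 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability",
    "Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir",
    "Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir",
    "Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.461:0): avc: denied { read } for pid=2254 exe=/usr/bin/vmware-smbd name=shadow dev=hda2 ino=1963867 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:shadow_t tclass=file",
    "Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc: denied { setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6 scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t tclass=capability",
    "Apr 5 21:07:45 ibmlaptop dhclient: can't create /var/lib/dhcp/dhclient-eth0.leases: Permission denied",
    "Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc: denied { search } for pid=1909 exe=/usr/bin/vmnet-netifup name=net dev= ino=344 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:sysfs_t tclass=dir",
]


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one syslog line; return a dict of fields for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class) -> sorted permission list.

    Repeated denials (dhclient logs the same one three times in the thread)
    collapse into a single entry.
    """
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def suggest_rules(summary, review_types=REVIEW_TYPES):
    """Draft one allow rule per group; flag rules whose target type needs human review."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rule = f"allow {stype} {ttype}:{tclass} {perm_str};"
        rules.append((rule, ttype in review_types))
    return rules


if __name__ == "__main__":
    for rule, needs_review in suggest_rules(summarize(SAMPLE_LINES)):
        print(("REVIEW  " if needs_review else "        ") + rule)
```

Run it as a script to see the drafted rules; the dhclient and vmnet-netifup denials come out as plain candidates, while the vmware-smbd read of `shadow_t` is marked for review, which is the distinction the replies above draw between "added policy to allow this" and "needs more investigation".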