From russell at coker.com.au Wed Dec 1 07:20:47 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 1 Dec 2004 18:20:47 +1100
Subject: init labeling question for targeted policy
In-Reply-To: <1101576644.19983.8.camel@nexus.verbum.private>
References: <1101340066.16858.7497.camel@erato.phig.org> <1101560636.30388.1380.camel@erato.phig.org> <1101576644.19983.8.camel@nexus.verbum.private>
Message-ID: <200412011820.50189.russell@coker.com.au>

On Sunday 28 November 2004 04:30, Colin Walters wrote:
> On Sat, 2004-11-27 at 05:03 -0800, Karsten Wade wrote:
> > init is started with the unconfined_t context? Was this behavior that
> > changed between FC2 and FC3, or am I missing something fundamental here?
>
> I think the distinction is just targeted vs. strict policy; FC2 didn't
> have targeted. So basically everything just starts out as unconfined,
> including the kernel, and then transitions happen for a few specific
> domains like httpd_t. For strict policy, I think it's pretty much as
> Russell described it. Does that answer your question?

Incidentally I wrote the article for FC2 and then quickly updated it for FC3.
I probably should have added more material about targeted policy.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
From: selinux at gmail.com (Tom London)
Date: Wed, 1 Dec 2004 07:00:45 -0800
Subject: use can_network_XXX() in inetd.te, ssh.te, rhgb.te, rpcd.te...?
Message-ID: <4c4ba1530412010700112fd5ed@mail.gmail.com>

Running strict/enforcing off of latest Rawhide

Several problems after latest update, mostly like:

Nov 30 20:14:43 fedora kernel: audit(1101874483.584:0): avc: denied { accept } for pid=3656 exe=/usr/sbin/sshd lport=22 scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t tclass=tcp_socket

or

Nov 30 19:17:04 fedora kernel: audit(1101871024.847:0): avc: denied { listen } for pid=2251 exe=/usr/sbin/xinetd lport=113 scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
Nov 30 19:17:04 fedora xinetd[2251]: service auth, accept: Permission denied (errno = 13)

or

Nov 30 19:16:51 fedora kernel: audit(1101871006.547:0): avc: denied { listen } for pid=1959 exe=/sbin/rpc.statd lport=32768 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t tclass=tcp_socket

or

Nov 30 19:42:36 fedora kernel: audit(1101843722.414:0): avc: denied { connect } for pid=1198 exe=/usr/bin/rhgb scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t tclass=tcp_socket
Nov 30 19:42:36 fedora kernel: audit(1101843722.421:0): avc: denied { connect } for pid=1198 exe=/usr/bin/rhgb scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t tclass=tcp_socket

etc.

I added something like 'allow XXX self:tcp_socket {listen accept}' or 'allow XXX self:tcp_socket {connect}' to get the daemons up and running, but shouldn't these guys use the can_network_tcp(), can_network_client(), or can_network_server()?

Are patches needed, or is this in the works?

tom
--
Tom London
From: kwade at redhat.com (Karsten Wade)
Date: Wed, 01 Dec 2004 07:41:15 -0800
Subject: SELinux/httpd integration
In-Reply-To: <200411282010.iASKAY6v002921@mms-r00.iijmio.jp>
References: <1101658996.30388.3981.camel@erato.phig.org> <200411282010.iASKAY6v002921@mms-r00.iijmio.jp>
Message-ID: <1101915674.3646.7756.camel@erato.phig.org>

On Sun, 2004-11-28 at 12:10, Yuichi Nakamura wrote:
> > I can't find this allow rule in 1.17.30-2.34. I've used apol direct and
> > transitive information flow analysis and good ol' grep to no avail.
> I tried apol now, but I could not find the rule, either.
> apol information flow may not support attributes or booleans, but I am not sure.

This turned out to be a mistake in the way I was using apol. First, all the necessary Booleans have to be set (I had missed enabling httpd_enable_cgi). For analyzing policy.conf, the allow rule can be found using Policy Rules > TE Rules, enabling Include Indirect Matches, with the Source Type set to httpd_t and Target Type set to httpd_sys_content_t:

(5597) allow httpd_t httpdcontent : file { create ioctl read getattr lock write setattr append link unlink rename };

That is right at the top of the list. The (5597) is a link directly to the line in policy.conf (in another tab). Doing the same search on the binary policy file will actually expand httpdcontent into httpd_sys_content_t.

I also could have found it by leaving the Booleans alone and disabling "Only search for enabled rules". The information flow analysis (Analysis tab) requires the Booleans to be set, but they also find the rule.

- Karsten
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
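What Karsten's "Include Indirect Matches" checkbox does is resolve attributes: the rule is written against httpdcontent, and httpd_sys_content_t only matches because it carries that attribute. The following is an added example, not apol or setools code and not Fedora policy, that performs the same indirect lookup over a policy.conf-style text. SAMPLE_POLICY is constructed: the first allow rule is the one Karsten quotes, the attribute and type declarations around it are assumptions, and conditional (boolean) blocks are not handled.

```python
"""
Find TE allow rules the way apol's "Include Indirect Matches" does: a rule
written against an attribute applies to every type that carries the
attribute, so a search for httpd_t -> httpd_sys_content_t must also return
rules whose target is the httpdcontent attribute.

Added example for this thread; not apol/setools code and not Fedora policy.
SAMPLE_POLICY is a constructed policy.conf-style fragment: the first allow
rule is the one quoted in the thread, the declarations are assumptions.
Conditional (if/else boolean) blocks are not handled here.
"""
import re

SAMPLE_POLICY = """\
attribute httpdcontent;
attribute domain;
type httpd_t, domain;
type httpd_sys_content_t, httpdcontent;
type httpd_user_content_t, httpdcontent;
type etc_t;
allow httpd_t httpdcontent : file { create ioctl read getattr lock write setattr append link unlink rename };
allow domain etc_t:file { read getattr };
allow httpd_t self:process signal;
"""

# 'type NAME [, attr, attr...];', 'typeattribute NAME attr, attr;', 'allow SRC TGT:CLASS PERMS;'
TYPE_RE = re.compile(r"^[ \t]*type[ \t]+(\w+)[ \t]*(?:,([\w \t,]+))?;", re.M)
TYPEATTR_RE = re.compile(r"^[ \t]*typeattribute[ \t]+(\w+)[ \t]+([\w \t,]+);", re.M)
ALLOW_RE = re.compile(
    r"^[ \t]*allow[ \t]+(\w+)[ \t]+(\w+)[ \t]*:[ \t]*(\w+)[ \t]+(\{[^}]*\}|\w+)[ \t]*;", re.M
)


def load_policy(text):
    """Return (attribute -> set of member types, [(lineno, src, tgt, class, perms)])."""
    members = {}
    for m in TYPE_RE.finditer(text):
        for attr in (m.group(2) or "").replace(",", " ").split():
            members.setdefault(attr, set()).add(m.group(1))
    for m in TYPEATTR_RE.finditer(text):
        for attr in m.group(2).replace(",", " ").split():
            members.setdefault(attr, set()).add(m.group(1))
    rules = []
    for m in ALLOW_RE.finditer(text):
        lineno = text.count("\n", 0, m.start()) + 1  # apol's "(5597)" style line link
        perms = frozenset(m.group(4).strip("{} \t").split())
        rules.append((lineno, m.group(1), m.group(2), m.group(3), perms))
    return members, rules


def find_rules(text, src, tgt, tclass, perm=None, indirect=True):
    """Rules granting src -> tgt:tclass (optionally one specific permission).

    With indirect=True a rule also matches when src or tgt is a member of the
    attribute the rule names; with indirect=False only literal type names
    match, which is why a direct search misses the httpdcontent rule. A
    'self' target matches only when the queried source and target coincide.
    """
    members, rules = load_policy(text)

    def covers(name, wanted):
        return name == wanted or (indirect and wanted in members.get(name, ()))

    hits = []
    for lineno, rsrc, rtgt, rclass, perms in rules:
        if rclass != tclass or (perm is not None and perm not in perms):
            continue
        if not covers(rsrc, src):
            continue
        if rtgt == "self":
            if src != tgt:
                continue
        elif not covers(rtgt, tgt):
            continue
        hits.append((lineno, rsrc, rtgt, rclass, tuple(sorted(perms))))
    return hits


if __name__ == "__main__":
    for hit in find_rules(SAMPLE_POLICY, "httpd_t", "httpd_sys_content_t", "file", "write"):
        print(hit)
```

Run against the sample, the indirect query returns the httpdcontent rule on line 7 while the same query with indirect=False returns nothing, which is exactly the difference Karsten hit. A real policy.conf also wraps many rules in `if (bool) { ... }` blocks; those have to be unwrapped (or the booleans set, as Karsten notes) before a search like this is trustworthy.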
From: selinux at gmail.com (Tom London)
Date: Wed, 1 Dec 2004 07:44:28 -0800
Subject: kernel fails to install
Message-ID: <4c4ba153041201074443475fc7@mail.gmail.com>

Running strict/enforcing off of Rawhide.

Doing yesterday's updates, the kernel failed to install to /boot. That is, no files installed under /boot, but worked OK installing files to /lib/modules.

I did an rpm -e, setenforce 0; rpm -ivh, and got the following:

Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied { read } for pid=3647 exe=/bin/bash name=.bashrc dev=hda2 ino=1196086 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied { getattr } for pid=3647 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=1196086 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.337:0): avc: denied { read } for pid=3649 exe=/usr/bin/id name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.338:0): avc: denied { getattr } for pid=3649 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.501:0): avc: denied { execute } for pid=3647 exe=/bin/bash name=colorls.sh dev=hda2 ino=4474159 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:etc_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { execute } for pid=3662 exe=/bin/bash name=consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { execute_no_trans } for pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { read } for pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file

allow bootloader_t consoletype_exec_t:file { execute execute_no_trans read };
allow bootloader_t etc_t:file execute;
allow bootloader_t selinux_config_t:file { getattr read };
allow bootloader_t staff_home_t:file { getattr read };

--
Tom London
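Both of Tom's reports above follow the same workflow: collect the AVC denials, then turn them into allow rules (audit2allow does this for you). The block below is an added example of that translation, my own code rather than policycoreutils or anything from the list. The sample log lines are copied from the two messages; the parsing, the collapsing of same-type targets to `self`, and the per-program summary are mine.

```python
"""
Turn kernel AVC denial lines into SELinux allow rules, the way audit2allow does.

Added example for the can_network_XXX and kernel-install reports in this
thread; it is not policycoreutils code. SAMPLE_KERNEL and SAMPLE_NET are
copied from the reports, the code is my own.
"""
import re
from collections import defaultdict

SAMPLE_KERNEL = [
    "Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied { read } for pid=3647 exe=/bin/bash name=.bashrc dev=hda2 ino=1196086 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file",
    "Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied { getattr } for pid=3647 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=1196086 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file",
    "Nov 30 19:36:32 fedora kernel: audit(1101872192.337:0): avc: denied { read } for pid=3649 exe=/usr/bin/id name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file",
    "Nov 30 19:36:32 fedora kernel: audit(1101872192.338:0): avc: denied { getattr } for pid=3649 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file",
    "Nov 30 19:36:32 fedora kernel: audit(1101872192.501:0): avc: denied { execute } for pid=3647 exe=/bin/bash name=colorls.sh dev=hda2 ino=4474159 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:etc_t tclass=file",
    "Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { execute } for pid=3662 exe=/bin/bash name=consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file",
    "Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { execute_no_trans } for pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file",
    "Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { read } for pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file",
]

SAMPLE_NET = [
    "Nov 30 20:14:43 fedora kernel: audit(1101874483.584:0): avc: denied { accept } for pid=3656 exe=/usr/sbin/sshd lport=22 scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t tclass=tcp_socket",
    "Nov 30 19:17:04 fedora kernel: audit(1101871024.847:0): avc: denied { listen } for pid=2251 exe=/usr/sbin/xinetd lport=113 scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket",
    "Nov 30 19:17:04 fedora xinetd[2251]: service auth, accept: Permission denied (errno = 13)",
    "Nov 30 19:16:51 fedora kernel: audit(1101871006.547:0): avc: denied { listen } for pid=1959 exe=/sbin/rpc.statd lport=32768 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t tclass=tcp_socket",
    "Nov 30 19:42:36 fedora kernel: audit(1101843722.414:0): avc: denied { connect } for pid=1198 exe=/usr/bin/rhgb scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t tclass=tcp_socket",
    "Nov 30 19:42:36 fedora kernel: audit(1101843722.421:0): avc: denied { connect } for pid=1198 exe=/usr/bin/rhgb scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t tclass=tcp_socket",
]

# 2004-era format: "avc: denied { perm perm } for key=value ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Type field of a user:role:type security context."""
    return context.split(":")[2]


def parse_avc(line):
    """(source_type, target_type, tclass, perms, fields) for one denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group("perms").split())
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return type_of(m.group("scon")), type_of(m.group("tcon")), m.group("tclass"), perms, fields


def generate_rules(lines):
    """One allow rule per (source, target, class), permissions merged and sorted.

    A target type equal to the source type is written as 'self', the form the
    hand-written tcp_socket rules in the thread use. The output is a starting
    point only: a denial seen in permissive mode may be a side effect of an
    earlier one, and the thread's answer for the network denials is the
    can_network_*() macros rather than raw self:tcp_socket rules.
    """
    wanted = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, tclass, perms, _ = parsed
        wanted[(src, "self" if tgt == src else tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(wanted.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules


def denials_by_exe(lines):
    """exe -> sorted ['perm target_type:class'], to see which program tripped which denial."""
    out = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        _, tgt, tclass, perms, fields = parsed
        for perm in perms:
            out[fields.get("exe", "?")].add(f"{perm} {tgt}:{tclass}")
    return {exe: sorted(v) for exe, v in out.items()}


if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE_KERNEL)))
    print("\n".join(generate_rules(SAMPLE_NET)))
```

On the kernel-install lines this reproduces the four rules Tom posted, line for line; on the network lines it yields one `self:tcp_socket` rule per daemon. The per-exe view shows that every bootloader_t denial came from /bin/bash or /usr/bin/id, i.e. from the shell profile being sourced inside the bootloader domain, which is the kind of context audit2allow output alone does not give you.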
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 01 Dec 2004 10:45:43 -0500
Subject: use can_network_XXX() in inetd.te, ssh.te, rhgb.te, rpcd.te...?
In-Reply-To: <4c4ba1530412010700112fd5ed@mail.gmail.com>
References: <4c4ba1530412010700112fd5ed@mail.gmail.com>
Message-ID: <41ADE727.6010205@redhat.com>

Tom London wrote:
> Running strict/enforcing off of latest Rawhide
>
> Several problems after latest update,
> mostly like:
>
> Nov 30 20:14:43 fedora kernel: audit(1101874483.584:0): avc: denied
> { accept } for pid=3656 exe=/usr/sbin/sshd lport=22
> scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t
> tclass=tcp_socket
>
> or
>
> Nov 30 19:17:04 fedora kernel: audit(1101871024.847:0): avc: denied
> { listen } for pid=2251 exe=/usr/sbin/xinetd lport=113
> scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t
> tclass=tcp_socket
> Nov 30 19:17:04 fedora xinetd[2251]: service auth, accept: Permission
> denied (errno = 13)
>
> or
>
> Nov 30 19:16:51 fedora kernel: audit(1101871006.547:0): avc: denied
> { listen } for pid=1959 exe=/sbin/rpc.statd lport=32768
> scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t
> tclass=tcp_socket
>
> or
>
> Nov 30 19:42:36 fedora kernel: audit(1101843722.414:0): avc: denied
> { connect } for pid=1198 exe=/usr/bin/rhgb
> scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
> tclass=tcp_socket
> Nov 30 19:42:36 fedora kernel: audit(1101843722.421:0): avc: denied
> { connect } for pid=1198 exe=/usr/bin/rhgb
> scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
> tclass=tcp_socket
>
> etc.
>
> I added something like 'allow XXX self:tcp_socket {listen accept}'
> or 'allow XXX self:tcp_socket {connect}'
> to get the daemons up and running, but shouldn't
> these guys use the can_network_tcp(), can_network_client(),
> or can_network_server()?
>
> Are patches needed, or is this in the works?
>
> tom
>
Yes, patches are in the works. You can drop them to can_network() to get the full functionality.

I will put up a fixed policy on ftp://people.redhat.com/dwalsh/SELinux/Fedora

Dan
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 01 Dec 2004 11:08:31 -0500
Subject: kernel fails to install
In-Reply-To: <4c4ba153041201074443475fc7@mail.gmail.com>
References: <4c4ba153041201074443475fc7@mail.gmail.com>
Message-ID: <41ADEC7F.1070505@redhat.com>

Tom London wrote:
> Running strict/enforcing off of Rawhide.
>
> Doing yesterday's updates, the kernel failed to
> install to /boot. That is, no files installed
> under /boot, but worked OK installing
> files to /lib/modules.
>
> I did an rpm -e, setenforce 0; rpm -ivh, and got
> the following:
>
> Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied
> { read } for pid=3647 exe=/bin/bash name=.bashrc dev=hda2 ino=1196086
> scontext=root:sysadm_r:bootloader_t
> tcontext=root:object_r:staff_home_t tclass=file
> Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied
> { getattr } for pid=3647 exe=/bin/bash path=/root/.bashrc dev=hda2
> ino=1196086 scontext=root:sysadm_r:bootloader_t
> tcontext=root:object_r:staff_home_t tclass=file
> Nov 30 19:36:32 fedora kernel: audit(1101872192.337:0): avc: denied
> { read } for pid=3649 exe=/usr/bin/id name=config dev=hda2
> ino=4509759 scontext=root:sysadm_r:bootloader_t
> tcontext=system_u:object_r:selinux_config_t tclass=file
> Nov 30 19:36:32 fedora kernel: audit(1101872192.338:0): avc: denied
> { getattr } for pid=3649 exe=/usr/bin/id path=/etc/selinux/config
> dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t
> tcontext=system_u:object_r:selinux_config_t tclass=file
> Nov 30 19:36:32 fedora kernel: audit(1101872192.501:0): avc: denied
> { execute } for pid=3647 exe=/bin/bash name=colorls.sh dev=hda2
> ino=4474159 scontext=root:sysadm_r:bootloader_t
> tcontext=system_u:object_r:etc_t tclass=file
> Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied
> { execute } for pid=3662 exe=/bin/bash name=consoletype dev=hda2
> ino=2310212 scontext=root:sysadm_r:bootloader_t
> tcontext=system_u:object_r:consoletype_exec_t tclass=file
> Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied
> { execute_no_trans } for pid=3662 exe=/bin/bash
> path=/sbin/consoletype dev=hda2 ino=2310212
> scontext=root:sysadm_r:bootloader_t
> tcontext=system_u:object_r:consoletype_exec_t tclass=file
> Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied
> { read } for pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2
> ino=2310212 scontext=root:sysadm_r:bootloader_t
> tcontext=system_u:object_r:consoletype_exec_t tclass=file
>
> allow bootloader_t consoletype_exec_t:file { execute execute_no_trans read };
> allow bootloader_t etc_t:file execute;
> allow bootloader_t selinux_config_t:file { getattr read };
> allow bootloader_t staff_home_t:file { getattr read };
>
Can you try selinux-policy-strict-1.19.8-4 out on my

ftp://people.redhat.com/dwalsh/SELinux/Fedora

I added can_exec_any(bootloader_t) which should allow it to run consoletype. Not sure what the etc_t:file execute is about, the others are just because you are running under permissive mode.

Dan
From: selinux at gmail.com (Tom London)
Date: Wed, 1 Dec 2004 09:12:09 -0800
Subject: kernel fails to install
In-Reply-To: <41ADEC7F.1070505@redhat.com>
References: <4c4ba153041201074443475fc7@mail.gmail.com> <41ADEC7F.1070505@redhat.com>
Message-ID: <4c4ba15304120109123ceb1450@mail.gmail.com>

On Wed, 01 Dec 2004 11:08:31 -0500, Daniel J Walsh wrote:
> Tom London wrote:
> Can you try selinux-policy-strict-1.19.8-4 out on my
>
> ftp://people.redhat.com/dwalsh/SELinux/Fedora
>
> I added can_exec_any(bootloader_t) which should allow it to run
> consoletype. Not sure what the
> etc_t:file execute is about, the others are just because you are running
> under permissive mode.
>
> Dan
>
Dan,

Thanks for the updated policy.

I installed via 'rpm -Uvh' both selinux-policy-strict and selinux-policy-strict-sources, rpm -e'ed the latest kernel install, and redid 'yum update' with strict/enforcing.

Got the following:

Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: kernel 100 % done 1/1
/bin/bash: /root/.bashrc: Permission denied
Installed: kernel.i686 0:2.6.9-1.1008_FC4
Complete!

[The usual output]. No avc's in log, and it looks like files under /boot were successfully installed.

Thanks!

tom
--
Tom London

From: selinux at gmail.com (Tom London)
Date: Wed, 1 Dec 2004 09:14:15 -0800
Subject: use can_network_XXX() in inetd.te, ssh.te, rhgb.te, rpcd.te...?
In-Reply-To: <41ADE727.6010205@redhat.com>
References: <4c4ba1530412010700112fd5ed@mail.gmail.com> <41ADE727.6010205@redhat.com>
Message-ID: <4c4ba15304120109144fcb0471@mail.gmail.com>

Thanks. I can wait for the official patches. My humble fixes are enough for now.

tom

[Needed for privoxy.te too, btw]
From: astephens at ptera.net (Arthur Stephens)
Date: Wed, 1 Dec 2004 11:25:14 -0800
Subject: httpd avc denied problem
References: <001701c4d642$e8bb4870$c600a8c0@tyliteworker> <1101754789.22761.319.camel@serendipity.dogma.lan> <003801c4d647$c3350370$c600a8c0@tyliteworker> <1101756300.22761.321.camel@serendipity.dogma.lan> <006d01c4d655$968db4d0$c600a8c0@tyliteworker> <1101769879.3646.1529.camel@erato.phig.org> <00c201c4d677$11ca2810$c600a8c0@tyliteworker> <1101819830.3646.4548.camel@erato.phig.org> <012901c4d70f$35d1a6f0$c600a8c0@tyliteworker> <41ACC92F.2000102@redhat.com> <013501c4d714$a49e6be0$c600a8c0@tyliteworker> <1101849147.3646.6228.camel@erato.phig.org> <1101852079.3646.6425.camel@erato.phig.org>
Message-ID: <005701c4d7db$7bc5d970$c600a8c0@tyliteworker>

> * Install the policy sources (yum install
> selinux-policy-targeted-sources), and do the following:
>
It said I needed to have public GPG keys installed ????

Sorry, ignorance here. How do I download GPG keys for this?

Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens at ptera.net
509-927-Ptera
From: ad+lists at uni-x.org (Alexander Dalloz)
Date: Wed, 01 Dec 2004 20:45:12 +0100
Subject: httpd avc denied problem
In-Reply-To: <005701c4d7db$7bc5d970$c600a8c0@tyliteworker>
References: <001701c4d642$e8bb4870$c600a8c0@tyliteworker> <1101754789.22761.319.camel@serendipity.dogma.lan> <003801c4d647$c3350370$c600a8c0@tyliteworker> <1101756300.22761.321.camel@serendipity.dogma.lan> <006d01c4d655$968db4d0$c600a8c0@tyliteworker> <1101769879.3646.1529.camel@erato.phig.org> <00c201c4d677$11ca2810$c600a8c0@tyliteworker> <1101819830.3646.4548.camel@erato.phig.org> <012901c4d70f$35d1a6f0$c600a8c0@tyliteworker> <41ACC92F.2000102@redhat.com> <013501c4d714$a49e6be0$c600a8c0@tyliteworker> <1101849147.3646.6228.camel@erato.phig.org> <1101852079.3646.6425.camel@erato.phig.org> <005701c4d7db$7bc5d970$c600a8c0@tyliteworker>
Message-ID: <1101930312.22761.557.camel@serendipity.dogma.lan>

On Wed, 01.12.2004 at 20:25, Arthur Stephens wrote:
> > * Install the policy sources (yum install
> > selinux-policy-targeted-sources), and do the following:
> >
> It said I needed to have public GPG keys installed ????
>
> Sorry, ignorance here. How do I download GPG keys for this?

http://www.fedoranews.org/tchung/yum-gpg

> Arthur Stephens

Alexander

P.S. Not an SELinux topic, but while doing security settings, please still take care with filesystem permissions!

[root at webmail ~]# cd /var/www/spokanewines.com/logs/
[root at webmail logs]# ls -alZ
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..

The chmod 777 for the "[root at webmail ~]# cd /var/www/spokanewines.com" directory is bad.

--
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp
Serendipity 20:42:38 up 11 days, 15:30, load average: 0.19, 0.47, 0.38
From: rj at baucells.net (Rogelio J. Baucells)
Date: Wed, 01 Dec 2004 15:52:24 -0500
Subject: Bind and selinux
Message-ID: <41AE2F08.7010802@baucells.net>

Hi,

I have a server running FC3 + selinux (targeted) and I had some problems with bind and dynamic DNS updates. This is how I fixed it.

The first thing I noticed is that the named server was not able to create the Journal files for the zones I was trying to update

# ls -l /var/named/chroot/var
total 24
drwxr-x--- 4 root named 4096 Dec 1 14:42 named
drwxrwx--- 3 root named 4096 Nov 16 11:50 run
drwxrwx--- 2 named named 4096 Mar 13 2003 tmp

because the user "named" (the one running the daemon) did not have access to create new files inside the named folder. I think this is a problem in the bind-chroot rpm package. I ran the following command to give the user named access to create new files inside the named folder

# chmod 770 /var/named/chroot/var/named
# ls -l /var/named/chroot/var
total 24
drwxrwx--- 4 root named 4096 Dec 1 14:42 named
drwxrwx--- 3 root named 4096 Nov 16 11:50 run
drwxrwx--- 2 named named 4096 Mar 13 2003 tmp

That fixed the problem. Now selinux!!!

When I try to update one of the zones I get the following error in /var/log/messages

----------------------------------------------------------------------
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
Dec 1 14:56:01 server named[22580]: journal file example.com.zone.jnl does not exist, creating it
Dec 1 14:56:01 server named[22580]: example.com.zone.jnl: create: permission denied
Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied { write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': error: journal open failed: unexpected error
----------------------------------------------------------------------

I ran the "Security Level Configuration" tool and enabled "Allow named to overwrite master zone files" and that fixed the problem.

Without the ACL modifications of the folder /var/named/chroot/var/named the setting in the "Security Level Configuration" is useless. I hope this information helps somebody having the same problems...

RJB
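RJB's post shows the two gates a dynamic update has to pass before named can create its .jnl file: the plain Unix mode of the zone file's directory (the chmod 770 step) and the SELinux boolean (the "Allow named to overwrite master zone files" step), and failing either one produces a "create: permission denied". The block below is an added example, my own code and not part of BIND or Fedora, that audits a named.conf for zones with allow-update and reports which gate would stop each one. The named.conf fragment and the directory snapshot are constructed: the modes mirror RJB's `ls -l` before his chmod, and the ddns/ subdirectory owned by named:named is the layout recommended later in this thread. Paths are relative to the chroot, the boolean state is passed in rather than read with getsebool, and the toy parser does not strip named.conf comments.

```python
"""
Audit named.conf for dynamically updated zones whose journal (.jnl) named
cannot create. Two independent gates must pass: the DAC mode of the zone
file's directory for the 'named' user, and the named_write_master_zones
SELinux boolean. The report in this thread hit both in turn.

Added example; not BIND or Fedora code. SAMPLE_NAMED_CONF and SAMPLE_DIRS
are constructed: the modes mirror the thread's 'ls -l' before the chmod,
and ddns/ owned by named:named is the layout suggested later in the thread.
Paths are relative to the chroot. Comments in named.conf are not stripped.
"""
import posixpath
import re
import stat

SAMPLE_NAMED_CONF = """\
options { directory "/var/named"; };
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { key "ddns-key"; };
};
zone "dyn.example.com" IN {
    type master;
    file "ddns/dyn.example.com.db";
    allow-update { key "ddns-key"; };
};
zone "static.example" IN {
    type master;
    file "static.example.zone";
};
"""

# directory -> (owner, group, mode): constructed snapshot of $ROOTDIR/var/named
SAMPLE_DIRS = {
    "/var/named": ("root", "named", 0o750),        # as shipped: drwxr-x--- root named
    "/var/named/ddns": ("named", "named", 0o770),  # the ddns/ layout from the thread
}


def zone_blocks(conf):
    """Yield (zone_name, body), matching braces so a nested allow-update { ... } does not truncate the body."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        start = conf.find("{", m.end())
        if start < 0:
            return
        depth = 0
        for j in range(start, len(conf)):
            if conf[j] == "{":
                depth += 1
            elif conf[j] == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(1), conf[start + 1:j]
                    break


def directory_of(conf, default="/var/named"):
    """The options { directory "..."; } value that relative zone file names resolve against."""
    m = re.search(r'\bdirectory\s+"([^"]+)"\s*;', conf)
    return m.group(1) if m else default


def dynamic_zones(conf):
    """[(zone, file)] for every zone that has an allow-update clause."""
    out = []
    for name, body in zone_blocks(conf):
        if re.search(r"\ballow-update\s*\{", body) is None:
            continue
        f = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        if f:
            out.append((name, f.group(1)))
    return out


def dac_can_write(entry, user, groups):
    """Plain Unix permission check for a directory given as (owner, group, mode)."""
    owner, group, mode = entry
    if owner == user:
        return bool(mode & stat.S_IWUSR)
    if group in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit(conf, dirs, boolean_on=False, user="named", groups=("named",)):
    """[(zone, reason)] for each dynamic zone whose .jnl cannot be created.

    named writes the journal next to the zone file, so it is the zone file's
    directory that must be writable. DAC is checked first because the kernel
    rejects on mode bits before SELinux is consulted, which is the order the
    thread's errors appeared in.
    """
    base = directory_of(conf)
    findings = []
    for zone, zfile in dynamic_zones(conf):
        zdir = posixpath.normpath(posixpath.join(base, posixpath.dirname(zfile)))
        entry = dirs.get(zdir)
        if entry is None:
            findings.append((zone, f"{zdir}: not in snapshot"))
        elif not dac_can_write(entry, user, groups):
            findings.append((zone, f"{zdir}: mode {entry[2]:o} not writable by {user} (DAC)"))
        elif not boolean_on:
            findings.append((zone, "named_write_master_zones is off (SELinux)"))
    return findings


if __name__ == "__main__":
    for zone, reason in audit(SAMPLE_NAMED_CONF, SAMPLE_DIRS):
        print(f"{zone}: {reason}")
```

With the shipped modes and the boolean off, example.com is stopped at the DAC gate and dyn.example.com at the SELinux gate; turning the boolean on clears only the latter, and example.com still needs the chmod RJB applied (or a move into ddns/).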
From: russell at coker.com.au (Russell Coker)
Date: Thu, 2 Dec 2004 16:21:39 +1100
Subject: Bind and selinux
In-Reply-To: <41AE2F08.7010802@baucells.net>
References: <41AE2F08.7010802@baucells.net>
Message-ID: <200412021621.43250.russell@coker.com.au>

On Thursday 02 December 2004 07:52, "Rogelio J. Baucells" wrote:
> # chmod 770 /var/named/chroot/var/named

Please file a bugzilla requesting that the default permissions of the directory be changed to mode 0770.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From: selinux at gmail.com (Tom London)
Date: Wed, 1 Dec 2004 18:58:51 -0800
Subject: firefox and /usr/tmp
Message-ID: <4c4ba15304120118586b75b378@mail.gmail.com>

Running strict/enforcing, latest Rawhide, selinux-policy-strict-1.19.8-4

Starting firefox produces:

Dec 1 18:49:33 fedora kernel: audit(1101955773.849:0): avc: denied { read } for pid=4652 exe=/usr/lib/firefox-1.0/firefox-bin name=tmp dev=hda2 ino=4112455 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:tmp_t tclass=lnk_file

on attempted read of /usr/tmp (link to /var/tmp)

Should there be a
dontaudit user_mozilla_t tmp_t:lnk_file read;

in mozilla_macros.te ?

--
Tom London
From: russell at coker.com.au (Russell Coker)
Date: Thu, 2 Dec 2004 17:29:33 +1100
Subject: firefox and /usr/tmp
In-Reply-To: <4c4ba15304120118586b75b378@mail.gmail.com>
References: <4c4ba15304120118586b75b378@mail.gmail.com>
Message-ID: <200412021729.35448.russell@coker.com.au>

On Thursday 02 December 2004 13:58, Tom London wrote:
> Running strict/enforcing, latest Rawhide,
> selinux-policy-strict-1.19.8-4
>
> Starting firefox produces:
>
> Dec 1 18:49:33 fedora kernel: audit(1101955773.849:0): avc: denied
> { read } for pid=4652 exe=/usr/lib/firefox-1.0/firefox-bin name=tmp
> dev=hda2 ino=4112455 scontext=user_u:user_r:user_mozilla_t
> tcontext=system_u:object_r:tmp_t tclass=lnk_file

"restorecon /usr/tmp" should fix this.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 02 Dec 2004 08:47:07 -0500
Subject: firefox and /usr/tmp
In-Reply-To: <4c4ba15304120118586b75b378@mail.gmail.com>
References: <4c4ba15304120118586b75b378@mail.gmail.com>
Message-ID: <41AF1CDB.1020802@redhat.com>

Tom London wrote:
> Running strict/enforcing, latest Rawhide,
> selinux-policy-strict-1.19.8-4
>
> Starting firefox produces:
>
> Dec 1 18:49:33 fedora kernel: audit(1101955773.849:0): avc: denied
> { read } for pid=4652 exe=/usr/lib/firefox-1.0/firefox-bin name=tmp
> dev=hda2 ino=4112455 scontext=user_u:user_r:user_mozilla_t
> tcontext=system_u:object_r:tmp_t tclass=lnk_file
>
> on attempted read of /usr/tmp (link to /var/tmp)
>
> Should there be a
> dontaudit user_mozilla_t tmp_t:lnk_file read;
>
> in mozilla_macros.te ?
>
No /usr/tmp should no longer be labeled tmp_t but usr_t. Try a restorecon on it.
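The /usr/tmp denial is not a missing rule but a stale label: the policy's file_contexts moved /usr/tmp from tmp_t to usr_t and the symlink on disk still carried the old type, which is why both replies say restorecon rather than dontaudit. Before changing anything it is worth seeing what restorecon would do (`restorecon -nv`). The block below is an added example of that comparison, my own code and not libselinux or policycoreutils; the file_contexts fragment and the inventory of current labels are constructed, with the /usr/tmp entry mirroring Tom's report and Dan's correction. Real file_contexts entries have the form `REGEX [-TYPE] CONTEXT`, where the optional -TYPE (-l symlink, -d directory, -- regular file, and so on) restricts the entry to one object class and the regex must match the whole path; the overlap-resolution rule in this toy is last-match-wins over the file as written, so it relies on the sample being ordered general to specific.

```python
"""
Report files whose on-disk label disagrees with file_contexts, which is what
'restorecon -nv' shows before you run it for real. In this thread /usr/tmp
had kept tmp_t after the policy moved it to usr_t.

Added example; not libselinux or policycoreutils code. The file_contexts
fragment and SAMPLE_INVENTORY are constructed. Overlapping entries are
resolved last-match-wins in file order here; libselinux applies its own
precedence so that the more specific entry wins, which this toy does not
replicate, so keep the sample ordered general to specific.
"""
import re

SAMPLE_FILE_CONTEXTS = """\
/.*                     system_u:object_r:default_t
/tmp(/.*)?              system_u:object_r:tmp_t
/var/tmp(/.*)?          system_u:object_r:tmp_t
/usr(/.*)?              system_u:object_r:usr_t
/usr/tmp            -l  system_u:object_r:usr_t
/etc(/.*)?              system_u:object_r:etc_t
/etc/selinux(/.*)?      system_u:object_r:selinux_config_t
"""

# Constructed (path, object type, current label) triples, as 'ls -lZ' might show them.
SAMPLE_INVENTORY = [
    ("/usr/tmp", "l", "system_u:object_r:tmp_t"),        # the stale symlink label from the thread
    ("/var/tmp", "d", "system_u:object_r:tmp_t"),
    ("/etc/selinux/config", "-", "system_u:object_r:selinux_config_t"),
    ("/usr/bin/id", "-", "system_u:object_r:usr_t"),
]

# file_contexts type modifiers -> the object type letter used in the inventory
FILE_TYPE_FLAGS = {"-b": "b", "-c": "c", "-d": "d", "-p": "p", "-l": "l", "-s": "s", "--": "-"}


def parse_file_contexts(text):
    """[(compiled regex, object type or None, context)] in file order; '#' lines are comments."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        ftype = FILE_TYPE_FLAGS[parts[1]] if len(parts) == 3 else None
        specs.append((re.compile(parts[0]), ftype, parts[-1]))
    return specs


def expected_context(specs, path, ftype):
    """Context file_contexts assigns to path for an object of type ftype, or None if nothing matches."""
    result = None
    for regex, spec_type, context in specs:
        if spec_type is not None and spec_type != ftype:
            continue  # entry restricted to another object class
        if regex.fullmatch(path):
            result = context  # later entries override earlier ones
    return result


def relabel_plan(specs, inventory):
    """[(path, current, expected)] for every object restorecon would relabel."""
    plan = []
    for path, ftype, current in inventory:
        expected = expected_context(specs, path, ftype)
        if expected is not None and expected != current:
            plan.append((path, current, expected))
    return plan


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, current, expected in relabel_plan(specs, SAMPLE_INVENTORY):
        print(f"restorecon would relabel {path} from {current} to {expected}")
```

Against the sample inventory only /usr/tmp is flagged (tmp_t on disk, usr_t expected); /var/tmp keeps tmp_t because its own entry matches, and the -l qualifier means a /usr/tmp directory would still fall back to the general /usr(/.*)? entry.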
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 02 Dec 2004 08:48:47 -0500
Subject: Bind and selinux
In-Reply-To: <41AE2F08.7010802@baucells.net>
References: <41AE2F08.7010802@baucells.net>
Message-ID: <41AF1D3F.50505@redhat.com>

Rogelio J. Baucells wrote:
> Hi,
>
> I have a server running FC3 + selinux (targeted) and I had some
> problems with bind and dynamic DNS updates. This is how I fixed it.
>
> The first thing I noticed is that the named server was not able to
> create the Journal files for the zones I was trying to update
>
> # ls -l /var/named/chroot/var
> total 24
> drwxr-x--- 4 root named 4096 Dec 1 14:42 named
> drwxrwx--- 3 root named 4096 Nov 16 11:50 run
> drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
>
> because the user "named" (the one running the daemon) did not have
> access to create new files inside the named folder. I think this is a
> problem in the bind-chroot rpm package. I ran the following command to
> give the user named access to create new files inside the named folder
>
> # chmod 770 /var/named/chroot/var/named
> # ls -l /var/named/chroot/var
> total 24
> drwxrwx--- 4 root named 4096 Dec 1 14:42 named
> drwxrwx--- 3 root named 4096 Nov 16 11:50 run
> drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
>
> That fixed the problem. Now selinux!!!
>
> When I try to update one of the zones I get the following error in
> /var/log/messages
>
> ----------------------------------------------------------------------
> Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
> zone 'example.com/IN': adding an RR
>
> Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
> zone 'example.com/IN': adding an RR
>
> Dec 1 14:56:01 server named[22580]: journal file example.com.zone.jnl
> does not exist, creating it
>
> Dec 1 14:56:01 server named[22580]: example.com.zone.jnl: create:
> permission denied
>
> Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied {
> write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0
> ino=293768 scontext=root:system_r:named_t
> tcontext=system_u:object_r:named_zone_t tclass=dir
>
> Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
> zone 'example.com/IN': error: journal open failed: unexpected error
> ----------------------------------------------------------------------
>
> I ran the "Security Level Configuration" tool and enabled "Allow named
> to overwrite master zone files" and that fixed the problem.
>
> Without the ACL modifications of the folder
> /var/named/chroot/var/named the setting in the "Security Level
> Configuration" is useless. I hope this information helps somebody
> having the same problems...
>
> RJB
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

I think the preferred setup is to have the jnl files written to the var/named/run directory.

Dan
From: selinux at gmail.com (Tom London)
Date: Thu, 2 Dec 2004 06:54:06 -0800
Subject: firefox and /usr/tmp
In-Reply-To: <41AF1CDB.1020802@redhat.com>
References: <4c4ba15304120118586b75b378@mail.gmail.com> <41AF1CDB.1020802@redhat.com>
Message-ID: <4c4ba153041202065445bbc104@mail.gmail.com>

Yeah, that seems to have fixed it.

thanks

tom

On Thu, 02 Dec 2004 08:47:07 -0500, Daniel J Walsh wrote:
> Tom London wrote:
>
> > Running strict/enforcing, latest Rawhide,
> > selinux-policy-strict-1.19.8-4
> >
> > Starting firefox produces:
> >
> > Dec 1 18:49:33 fedora kernel: audit(1101955773.849:0): avc: denied
> > { read } for pid=4652 exe=/usr/lib/firefox-1.0/firefox-bin name=tmp
> > dev=hda2 ino=4112455 scontext=user_u:user_r:user_mozilla_t
> > tcontext=system_u:object_r:tmp_t tclass=lnk_file
> >
> > on attempted read of /usr/tmp (link to /var/tmp)
> >
> > Should there be a
> > dontaudit user_mozilla_t tmp_t:lnk_file read;
> >
> > in mozilla_macros.te ?
> >
> No /usr/tmp should no longer be labeled tmp_t but usr_t. Try a
> restorecon on it.
>
--
Tom London
From: rj at baucells.net (Rogelio J. Baucells)
Date: Thu, 02 Dec 2004 09:53:26 -0500
Subject: Bind and selinux
In-Reply-To: <41AF1D3F.50505@redhat.com>
References: <41AE2F08.7010802@baucells.net> <41AF1D3F.50505@redhat.com>
Message-ID: <41AF2C66.5070505@baucells.net>

Daniel J Walsh wrote:
> Rogelio J. Baucells wrote:
>
> > Hi,
> >
> > I have a server running FC3 + selinux (targeted) and I had some
> > problems with bind and dynamic DNS updates. This is how I fixed it.
> >
> > The first thing I noticed is that the named server was not able to
> > create the Journal files for the zones I was trying to update
> >
> > # ls -l /var/named/chroot/var
> > total 24
> > drwxr-x--- 4 root named 4096 Dec 1 14:42 named
> > drwxrwx--- 3 root named 4096 Nov 16 11:50 run
> > drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
> >
> > because the user "named" (the one running the daemon) did not have
> > access to create new files inside the named folder. I think this is a
> > problem in the bind-chroot rpm package. I ran the following command to
> > give the user named access to create new files inside the named folder
> >
> > # chmod 770 /var/named/chroot/var/named
> > # ls -l /var/named/chroot/var
> > total 24
> > drwxrwx--- 4 root named 4096 Dec 1 14:42 named
> > drwxrwx--- 3 root named 4096 Nov 16 11:50 run
> > drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
> >
> > That fixed the problem. Now selinux!!!
> >
> > When I try to update one of the zones I get the following error in
> > /var/log/messages
> >
> > ----------------------------------------------------------------------
> > Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
> > zone 'example.com/IN': adding an RR
> >
> > Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
> > zone 'example.com/IN': adding an RR
> >
> > Dec 1 14:56:01 server named[22580]: journal file example.com.zone.jnl
> > does not exist, creating it
> >
> > Dec 1 14:56:01 server named[22580]: example.com.zone.jnl: create:
> > permission denied
> >
> > Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied {
> > write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0
> > ino=293768 scontext=root:system_r:named_t
> > tcontext=system_u:object_r:named_zone_t tclass=dir
> >
> > Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
> > zone 'example.com/IN': error: journal open failed: unexpected error
> > ----------------------------------------------------------------------
> >
> > I ran the "Security Level Configuration" tool and enabled "Allow named
> > to overwrite master zone files" and that fixed the problem.
> >
> > Without the ACL modifications of the folder
> > /var/named/chroot/var/named the setting in the "Security Level
> > Configuration" is useless. I hope this information helps somebody
> > having the same problems...
> >
> > RJB
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> I think the preferred setup is to have the jnl files written to the
> var/named/run directory.
>
> Dan
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Hi,

Is there a setting in the named.conf to do that? I think the default is to store the jnl files in the same location as the zone files.

RJB
From: jvdias at redhat.com (Jason Vas Dias) Date: Thu, 02 Dec 2004 10:08:16 -0500 Subject: Bind and selinux In-Reply-To: <41AF1D3F.50505@redhat.com> References: <41AE2F08.7010802@baucells.net> <41AF1D3F.50505@redhat.com> Message-ID: <1102000095.2625.16.camel@jvdsibm.boston.redhat.com> Hi - Yes, for added security, named must be explicitly enabled to update its master zone files with the 'named_write_master_zones=1' setting in /etc/selinux/targeted/booleans and by granting write access to the 'named' user for the directory in which dynamically updated zone files are stored. Named will always create .jnl files in the same directory as the zone to be updated. One solution would be to put the dynamically updated zones in a 'ddns/' subdirectory of the $ROOTDIR/var/named and make that directory owned by named:named; then for each dynamically updated zone X, set the 'file ' option in named.conf to 'ddns/X.db' . A decision was made not to enable named to write its zone files by default to prevent attackers gaining control of the named process being able to change the zone file contents. On Thu, 2004-12-02 at 08:48, Daniel J Walsh wrote: > Rogelio J. Baucells wrote: > > > Hi, > > > > I have a server running FC3 + selinux (targeted) and I had some > > problems with bind and dynamic DNS updates. This is how I fix it. > > > > The first thing I noticed is that the named server was not able to > > create the Journal files for the zones I was trying to update > > > > # ls -l /var/named/chroot/var > > total 24 > > drwxr-x--- 4 root named 4096 Dec 1 14:42 named > > drwxrwx--- 3 root named 4096 Nov 16 11:50 run > > drwxrwx--- 2 named named 4096 Mar 13 2003 tmp > > > > because the user "named" (the one running the daemon) did not have > > access to create new files inside the named folder. I think this is a > > problem in the bind-chroot rmp package. 
> > I ran the following command to
> > give the user named access to create new files inside the named folder
> >
> > # chmod 770 /var/named/chroot/var/named
> > # ls -l /var/named/chroot/var
> > total 24
> > drwxrwx--- 4 root named 4096 Dec 1 14:42 named
> > drwxrwx--- 3 root named 4096 Nov 16 11:50 run
> > drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
> >
> > That fixed the problem. Now selinux!!!
> >
> > When I try to update one of the zones I get the following error in
> > /var/log/messages
> >
> > ----------------------------------------------------------------------
> > Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
> > Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
> > Dec 1 14:56:01 server named[22580]: journal file example.com.zone.jnl does not exist, creating it
> > Dec 1 14:56:01 server named[22580]: example.com.zone.jnl: create: permission denied
> > Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied { write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
> > Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': error: journal open failed: unexpected error
> > ----------------------------------------------------------------------
> >
> > I ran the "Security Level Configuration" tool and enabled "Allow named
> > to overwrite master zone files" and that fixed the problem.
> >
> > Without the ACL modifications of the folder
> > /var/named/chroot/var/named the setting in the "Security Level
> > Configuration" is useless. I hope this information helps somebody
> > having the same problems...
> >
> > RJB
>
> I think the preferred setup is to have the jnl files written to the
> var/named/run directory.
>
> Dan

From selinux at gmail.com Thu Dec 2 16:52:56 2004
From: selinux at gmail.com (Tom London)
Date: Thu, 2 Dec 2004 08:52:56 -0800
Subject: lpoptions, printing from firefox. mozilla_macros.te?
Message-ID: <4c4ba15304120208526e566dc0@mail.gmail.com>

Running strict/enforcing, latest Rawhide.

Each time I boot, /etc/cups/lpoptions appears to be created with the
'wrong' type: cupsd_etc_t instead of cupsd_rw_etc_t.

Printing from firefox produces the following avc's complaining about
accessing /etc/cups/lpoptions in either case.

Does mozilla_macros.te need:

ifdef(`cups.te', `
allow $1_mozilla_t cupsd_etc_t:dir search;
+allow user_mozilla_t cupsd_rw_etc_t:file read;
')

I'm still working on figuring out why lpoptions is getting the wrong
type.....

tom

Dec 2 07:27:56 fedora kernel: audit(1102001276.342:0): avc: denied { read } for pid=3363 exe=/usr/lib/firefox-1.0/firefox-bin name=lpoptions dev=hda2 ino=4474994 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
Dec 2 07:27:56 fedora kernel: audit(1102001276.695:0): avc: denied { read } for pid=3363 exe=/usr/lib/firefox-1.0/firefox-bin name=lpoptions dev=hda2 ino=4474994 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
Dec 2 07:28:00 fedora kernel: audit(1102001280.378:0): avc: denied { read } for pid=3363 exe=/usr/lib/firefox-1.0/firefox-bin name=lpoptions dev=hda2 ino=4474994 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file

--
Tom London

From selinux at gmail.com Thu Dec 2 16:55:48 2004
From: selinux at gmail.com (Tom London)
Date: Thu, 2 Dec 2004 08:55:48 -0800
Subject: initrc/ptal ...
Message-ID: <4c4ba1530412020855782e8505@mail.gmail.com>

Running strict/enforcing off of latest Rawhide:

initrc runs hpoj which runs /usr/sbin/ptal-init which produces the
following avc's.

[I tried changing the type of /usr/sbin/ptal-init to ptal_exec_t, but
that didn't work ;-( ]

tom

Dec 2 06:45:39 fedora kernel: audit(1101998713.227:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series dev=hda2 ino=38214 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__1 dev=hda2 ino=38215 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__2 dev=hda2 ino=38216 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__3 dev=hda2 ino=38217 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__4 dev=hda2 ino=38218 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__5 dev=hda2 ino=38219 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__6 dev=hda2 ino=38220 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.229:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__7 dev=hda2 ino=38221 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.229:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__8 dev=hda2 ino=38222 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998713.229:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__9 dev=hda2 ino=38223 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file
Dec 2 06:45:39 fedora kernel: audit(1101998739.288:0): avc: denied { rmdir } for pid=1980 exe=/bin/rm name=ptal-mlcd dev=hda2 ino=38157 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=dir

--
Tom London

From astephens at ptera.net Thu Dec 2 18:27:28 2004
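Tom's two reports above both come down to the same triage: read scontext, tcontext, tclass and the denied permission out of each AVC line, collapse the repeats, and then decide whether a rule is missing or a file is mislabelled. The block below is an added example, not code from the thread and not audit2allow: it parses the 2004-era kernel audit(...) AVC format, merges denials into one candidate rule per (source type, target type, class), and writes the target as self where a domain is denied on an object of its own type. The sample lines marked as copied are from this thread (the lpoptions and ptal-init reports above, and the sendmail.postfix report further down); the exampled_t lines and the non-AVC syslog line are constructed.

```python
import re
from collections import defaultdict

SAMPLE_LOG = [
    # Copied from this thread:
    "Dec 2 07:27:56 fedora kernel: audit(1102001276.342:0): avc: denied { read } for pid=3363 exe=/usr/lib/firefox-1.0/firefox-bin name=lpoptions dev=hda2 ino=4474994 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file",
    "Dec 2 06:45:39 fedora kernel: audit(1101998713.227:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series dev=hda2 ino=38214 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file",
    "Dec 2 06:45:39 fedora kernel: audit(1101998713.228:0): avc: denied { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series__1 dev=hda2 ino=38215 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file",
    "Dec 2 06:45:39 fedora kernel: audit(1101998739.288:0): avc: denied { rmdir } for pid=1980 exe=/bin/rm name=ptal-mlcd dev=hda2 ino=38157 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ptal_var_run_t tclass=dir",
    "audit(1101900916.389:0): avc: denied { getattr } for pid=18363 exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file",
    # Constructed (not from the thread): a daemon denied on its own listening
    # socket, which a rule expresses with 'self', and a non-AVC syslog line.
    "Dec 2 09:00:00 fedora kernel: audit(1102010400.001:0): avc: denied { listen } for pid=4242 exe=/usr/sbin/exampled lport=8080 scontext=system_u:system_r:exampled_t tcontext=system_u:system_r:exampled_t tclass=tcp_socket",
    "Dec 2 09:00:00 fedora kernel: audit(1102010400.002:0): avc: denied { accept } for pid=4242 exe=/usr/sbin/exampled lport=8080 scontext=system_u:system_r:exampled_t tcontext=system_u:system_r:exampled_t tclass=tcp_socket",
    "Dec 2 09:00:01 fedora exampled[4242]: listen: Permission denied (errno = 13)",
]

# "avc: denied { perm perm } for key=value key=value ..." as the 2.6 kernel
# of the time printed it through syslog.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Dict for one AVC denial: 'perms' list, every key=value field, and the
    bare source/target types as 'stype'/'ttype'. None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type; only the type matters for a rule.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def suggest_rules(lines):
    """Merge denials into one candidate allow rule per (source type, target
    type, class), with the permission sets unioned. A domain denied on an
    object of its own type gets 'self' as the target."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
        perms[(rec["stype"], target, rec["tclass"])].update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]


def by_exe(lines):
    """Denial count per executable, to see which program is actually hitting
    the policy before any rule is considered."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            counts[rec.get("exe", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
    print(by_exe(SAMPLE_LOG))
```

A rule this produces is a hypothesis, not a fix. Tom's lpoptions file carrying a type he did not expect, and the later sendmail.postfix question (sbin_t on disk versus sendmail_exec_t in postfix.fc), are both labelling problems where the answer is a relabel or a policy update rather than a new allow line; and putting `allow initrc_t ptal_var_run_t:fifo_file { unlink };` into the base policy widens initrc_t for every init script, which is why Tom's attempt to get ptal-init into its own domain via ptal_exec_t is the narrower shape.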
From: astephens at ptera.net (Arthur Stephens)
Date: Thu, 2 Dec 2004 10:27:28 -0800
Subject: httpd avc denied problem
References: <001701c4d642$e8bb4870$c600a8c0@tyliteworker><1101754789.22761.319.camel@serendipity.dogma.lan><003801c4d647$c3350370$c600a8c0@tyliteworker><1101756300.22761.321.camel@serendipity.dogma.lan><006d01c4d655$968db4d0$c600a8c0@tyliteworker><1101769879.3646.1529.camel@erato.phig.org><00c201c4d677$11ca2810$c600a8c0@tyliteworker><1101819830.3646.4548.camel@erato.phig.org><012901c4d70f$35d1a6f0$c600a8c0@tyliteworker><41ACC92F.2000102@redhat.com><013501c4d714$a49e6be0$c600a8c0@tyliteworker><1101849147.3646.6228.camel@erato.phig.org> <1101852079.3646.6425.camel@erato.phig.org>
Message-ID: <00f201c4d89c$94168c60$c600a8c0@tyliteworker>

I installed the policy sources on my fedora core 3. :)
Got to step one
Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts

There is no such file :(
[root at webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
distros.fc misc program types.fc
[root at webmail ~]#

Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens at ptera.net
509-927-Ptera

----- Original Message -----
From: "Karsten Wade"
To: "Fedora SELinux support list for users & developers."
Sent: Tuesday, November 30, 2004 2:01 PM
Subject: Re: httpd avc denied problem

> On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
>
> > chcon -R -t httpd_log_t /var/www/*/logs/*
> > service httpd start
>
> BTW, if this works, you'll want to do something to make the change
> permanent. Otherwise, the next running of restorecon will hose your
> configuration.
>
> Two options jump to mind:
>
> * Move the logs into a path that will receive httpd_log_t, i.e.,
> /var/logs/httpd/
>
> * Install the policy sources (yum install
> selinux-policy-targeted-sources), and do the following:
>
> 1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>
> 2. Add this line:
> /var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
>
> Feel free to correct my regexp, but I think it's right. :)
>
> 3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
> load'. This will build and load the new policy directly into memory.
>
> 4. If you now do restorecon, the /var/www/*/logs directories should get
> the proper context.
>
> Be aware that if you make another change to SELinux, especially using
> system-config-securitylevel, the file /.autorelabel may get created.
> That triggers a relabeling on reboot, and may hose any manual
> customizations not fixed in policy.
>
> - Karsten
> --
> Karsten Wade, RHCE, Tech Writer
> a lemon is just a melon in disguise
> http://people.redhat.com/kwade/
> gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From info at ecorak.de Thu Dec 2 18:34:57 2004
From: info at ecorak.de (Edy Corak)
Date: Thu, 02 Dec 2004 19:34:57 +0100
Subject: sendmail.postfix avc denied problem
In-Reply-To: <41AE2F08.7010802@baucells.net>
References: <41AE2F08.7010802@baucells.net>
Message-ID: <41AF6051.7010907@ecorak.de>

Hello List,

I have a problem sending mail from a php script.

audit(1101900916.389:0): avc: denied { getattr } for pid=18363 exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file

Everything else works very well with SELinux.

System FC3 Postfix, SELinux enforcing, targeted.

Thank you for any help.

--
Edy Corak
E-Mail: info at ecorak.de
Internet: http://www.ecorak.net/
-----

From dwalsh at redhat.com Thu Dec 2 18:36:35 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 02 Dec 2004 13:36:35 -0500
Subject: Bind and selinux
In-Reply-To: <41AF2C66.5070505@baucells.net>
References: <41AE2F08.7010802@baucells.net> <41AF1D3F.50505@redhat.com> <41AF2C66.5070505@baucells.net>
Message-ID: <41AF60B3.8050908@redhat.com>

Rogelio J. Baucells wrote:
> Daniel J Walsh wrote:
>
>> Rogelio J. Baucells wrote:
>>
>>> Hi,
>>>
>>> I have a server running FC3 + selinux (targeted) and I had some
>>> problems with bind and dynamic DNS updates. This is how I fixed it.
>>>
>>> The first thing I noticed is that the named server was not able to
>>> create the Journal files for the zones I was trying to update
>>>
>>> # ls -l /var/named/chroot/var
>>> total 24
>>> drwxr-x--- 4 root named 4096 Dec 1 14:42 named
>>> drwxrwx--- 3 root named 4096 Nov 16 11:50 run
>>> drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
>>>
>>> because the user "named" (the one running the daemon) did not have
>>> access to create new files inside the named folder. I think this is a
>>> problem in the bind-chroot rpm package. I ran the following command
>>> to give the user named access to create new files inside the named
>>> folder
>>>
>>> # chmod 770 /var/named/chroot/var/named
>>> # ls -l /var/named/chroot/var
>>> total 24
>>> drwxrwx--- 4 root named 4096 Dec 1 14:42 named
>>> drwxrwx--- 3 root named 4096 Nov 16 11:50 run
>>> drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
>>>
>>> That fixed the problem. Now selinux!!!
>>>
>>> When I try to update one of the zones I get the following error in
>>> /var/log/messages
>>>
>>> ----------------------------------------------------------------------
>>> Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
>>> Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
>>> Dec 1 14:56:01 server named[22580]: journal file example.com.zone.jnl does not exist, creating it
>>> Dec 1 14:56:01 server named[22580]: example.com.zone.jnl: create: permission denied
>>> Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied { write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
>>> Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': error: journal open failed: unexpected error
>>> ----------------------------------------------------------------------
>>>
>>> I ran the "Security Level Configuration" tool and enabled "Allow
>>> named to overwrite master zone files" and that fixed the problem.
>>>
>>> Without the ACL modifications of the folder
>>> /var/named/chroot/var/named the setting in the "Security Level
>>> Configuration" is useless. I hope this information helps somebody
>>> having the same problems...
>>>
>>> RJB
>>
>> I think the preferred setup is to have the jnl files written to the
>> var/named/run directory.
>>
>> Dan
>
> Hi,
>
> Is there a setting in the named.conf to do that?
> I think the default
> is to store the jnl files in the same location as the zone files.
>
Yes I was wrong, Jason explained to me what is going on, so I believe
you set it up correctly to handle your situation.

> RJB

From dwalsh at redhat.com Thu Dec 2 18:46:55 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 02 Dec 2004 13:46:55 -0500
Subject: httpd avc denied problem
In-Reply-To: <00f201c4d89c$94168c60$c600a8c0@tyliteworker>
References: <001701c4d642$e8bb4870$c600a8c0@tyliteworker><1101754789.22761.319.camel@serendipity.dogma.lan><003801c4d647$c3350370$c600a8c0@tyliteworker><1101756300.22761.321.camel@serendipity.dogma.lan><006d01c4d655$968db4d0$c600a8c0@tyliteworker><1101769879.3646.1529.camel@erato.phig.org><00c201c4d677$11ca2810$c600a8c0@tyliteworker><1101819830.3646.4548.camel@erato.phig.org><012901c4d70f$35d1a6f0$c600a8c0@tyliteworker><41ACC92F.2000102@redhat.com><013501c4d714$a49e6be0$c600a8c0@tyliteworker><1101849147.3646.6228.camel@erato.phig.org> <1101852079.3646.6425.camel@erato.phig.org> <00f201c4d89c$94168c60$c600a8c0@tyliteworker>
Message-ID: <41AF631F.5050107@redhat.com>

Arthur Stephens wrote:

>I installed the policy sources on my fedora core 3. :)
>Got to step one
>Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>
>There is no such file :(
>[root at webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
>distros.fc misc program types.fc
>[root at webmail ~]#
>
Ok create a file in the misc directory called custom.fc, file_context
file is only created via the make file.

echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t" >> misc/custom.fc

Then rebuild policy

make load

Now restorecon

>Arthur Stephens
>Sales Technician
>Ptera Wireless Internet
>astephens at ptera.net
>509-927-Ptera
>
>----- Original Message -----
>From: "Karsten Wade"
>To: "Fedora SELinux support list for users & developers."
>
>Sent: Tuesday, November 30, 2004 2:01 PM
>Subject: Re: httpd avc denied problem
>
>>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
>>
>>> chcon -R -t httpd_log_t /var/www/*/logs/*
>>> service httpd start
>>
>>BTW, if this works, you'll want to do something to make the change
>>permanent. Otherwise, the next running of restorecon will hose your
>>configuration.
>>
>>Two options jump to mind:
>>
>>* Move the logs into a path that will receive httpd_log_t, i.e.,
>>/var/logs/httpd/
>>
>>* Install the policy sources (yum install
>>selinux-policy-targeted-sources), and do the following:
>>
>>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>>
>>2. Add this line:
>>/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
>>
>>Feel free to correct my regexp, but I think it's right. :)
>>
>>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
>>load'. This will build and load the new policy directly into memory.
>>
>>4. If you now do restorecon, the /var/www/*/logs directories should get
>>the proper context.
>>
>>Be aware that if you make another change to SELinux, especially using
>>system-config-securitylevel, the file /.autorelabel may get created.
>>That triggers a relabeling on reboot, and may hose any manual
>>customizations not fixed in policy.
>>
>>- Karsten
>>--
>>Karsten Wade, RHCE, Tech Writer
>>a lemon is just a melon in disguise
>>http://people.redhat.com/kwade/
>>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From dwalsh at redhat.com Thu Dec 2 18:48:01 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 02 Dec 2004 13:48:01 -0500
Subject: sendmail.postfix avc denied problem
In-Reply-To: <41AF6051.7010907@ecorak.de>
References: <41AE2F08.7010802@baucells.net> <41AF6051.7010907@ecorak.de>
Message-ID: <41AF6361.3000101@redhat.com>

Edy Corak wrote:
> Hello List,
>
> I have a problem sending mail from a php script.
>
> audit(1101900916.389:0): avc: denied { getattr } for pid=18363 exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
>
> Everything else works very well with SELinux.
>
> System FC3 Postfix, SELinux enforcing, targeted.
>
> Thank you for any help.
>
Update to the latest policy, should fix this problem.

Dan

From edy at ecorak.de Thu Dec 2 18:32:43 2004
From: edy at ecorak.de (Edy Corak)
Date: Thu, 02 Dec 2004 19:32:43 +0100
Subject: sendmail.postfix avc denied problem
In-Reply-To: <00c201c4d677$11ca2810$c600a8c0@tyliteworker>
References: <001701c4d642$e8bb4870$c600a8c0@tyliteworker><1101754789.22761.319.camel@serendipity.dogma.lan><003801c4d647$c3350370$c600a8c0@tyliteworker><1101756300.22761.321.camel@serendipity.dogma.lan><006d01c4d655$968db4d0$c600a8c0@tyliteworker> <1101769879.3646.1529.camel@erato.phig.org> <00c201c4d677$11ca2810$c600a8c0@tyliteworker>
Message-ID: <41AF5FCB.6050802@ecorak.de>

Hello List,

I have a problem sending mail from a php script.

audit(1101900916.389:0): avc: denied { getattr } for pid=18363 exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file

Everything else works very well with SELinux.

System FC3 Postfix, SELinux enforcing, targeted.

Thank you for any help.

--
Edy Corak
E-Mail: edy at ecorak.de
Internet: http://www.ecorak.net/
-----

From astephens at ptera.net Thu Dec 2 20:04:28 2004
From: astephens at ptera.net (Arthur Stephens)
Date: Thu, 2 Dec 2004 12:04:28 -0800
Subject: httpd avc denied problem
References: <001701c4d642$e8bb4870$c600a8c0@tyliteworker><1101754789.22761.319.camel@serendipity.dogma.lan><003801c4d647$c3350370$c600a8c0@tyliteworker><1101756300.22761.321.camel@serendipity.dogma.lan><006d01c4d655$968db4d0$c600a8c0@tyliteworker><1101769879.3646.1529.camel@erato.phig.org><00c201c4d677$11ca2810$c600a8c0@tyliteworker><1101819830.3646.4548.camel@erato.phig.org><012901c4d70f$35d1a6f0$c600a8c0@tyliteworker><41ACC92F.2000102@redhat.com><013501c4d714$a49e6be0$c600a8c0@tyliteworker><1101849147.3646.6228.camel@erato.phig.org> <1101852079.3646.6425.camel@erato.phig.org><00f201c4d89c$94168c60$c600a8c0@tyliteworker> <41AF631F.5050107@redhat.com>
Message-ID: <011501c4d8aa$2181ef60$c600a8c0@tyliteworker>

Ok that solved that problem but showed up another one.
I have a folder under /var/log/httpd
called /mail
in which I put log messages that come from Squirrel mail
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'

I look at the /var/log/httpd directory and I do see this folder I created is
labeled differently
[root at webmail ~]# ls -Z /var/log/httpd/
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log.1
drwxr-xr-x root root system_u:object_r:httpd_log_t mail
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_request_log

And here is what I have in my custom.fc
/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail system_u:object_r:httpd_log_t

[root at webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root root:object_r:httpd_runtime_t error_log

After running fixfiles relabel
[root at webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log

service httpd start
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'

So am I right in thinking at this point the problem is no longer with
selinux?

Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens at ptera.net
509-927-Ptera

----- Original Message -----
From: "Daniel J Walsh"
To: "Fedora SELinux support list for users & developers."
Sent: Thursday, December 02, 2004 10:46 AM
Subject: Re: httpd avc denied problem

> Arthur Stephens wrote:
>
> >I installed the policy sources on my fedora core 3. :)
> >Got to step one
> >Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
> >
> >There is no such file :(
> >[root at webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
> >distros.fc misc program types.fc
> >[root at webmail ~]#
> >
> Ok create a file in the misc directory called custom.fc, file_context
> file is only created via the make file.
>
> echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t" >> misc/custom.fc
> Then rebuild policy
>
> make load
> Now restorecon
>
> >Arthur Stephens
> >Sales Technician
> >Ptera Wireless Internet
> >astephens at ptera.net
> >509-927-Ptera
> >
> >----- Original Message -----
> >From: "Karsten Wade"
> >To: "Fedora SELinux support list for users & developers."
> >
> >Sent: Tuesday, November 30, 2004 2:01 PM
> >Subject: Re: httpd avc denied problem
> >
> >>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
> >>
> >>> chcon -R -t httpd_log_t /var/www/*/logs/*
> >>> service httpd start
> >>
> >>BTW, if this works, you'll want to do something to make the change
> >>permanent. Otherwise, the next running of restorecon will hose your
> >>configuration.
> >>
> >>Two options jump to mind:
> >>
> >>* Move the logs into a path that will receive httpd_log_t, i.e.,
> >>/var/logs/httpd/
> >>
> >>* Install the policy sources (yum install
> >>selinux-policy-targeted-sources), and do the following:
> >>
> >>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
> >>
> >>2. Add this line:
> >>/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
> >>
> >>Feel free to correct my regexp, but I think it's right. :)
> >>
> >>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
> >>load'. This will build and load the new policy directly into memory.
> >>
> >>4. If you now do restorecon, the /var/www/*/logs directories should get
> >>the proper context.
> >>
> >>Be aware that if you make another change to SELinux, especially using
> >>system-config-securitylevel, the file /.autorelabel may get created.
> >>That triggers a relabeling on reboot, and may hose any manual
> >>customizations not fixed in policy.
> >>
> >>- Karsten
> >>--
> >>Karsten Wade, RHCE, Tech Writer
> >>a lemon is just a melon in disguise
> >>http://people.redhat.com/kwade/
> >>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From dwalsh at redhat.com Thu Dec 2 20:03:04 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 02 Dec 2004 15:03:04 -0500
Subject: httpd avc denied problem
In-Reply-To: <011501c4d8aa$2181ef60$c600a8c0@tyliteworker>
References: <001701c4d642$e8bb4870$c600a8c0@tyliteworker><1101754789.22761.319.camel@serendipity.dogma.lan><003801c4d647$c3350370$c600a8c0@tyliteworker><1101756300.22761.321.camel@serendipity.dogma.lan><006d01c4d655$968db4d0$c600a8c0@tyliteworker><1101769879.3646.1529.camel@erato.phig.org><00c201c4d677$11ca2810$c600a8c0@tyliteworker><1101819830.3646.4548.camel@erato.phig.org><012901c4d70f$35d1a6f0$c600a8c0@tyliteworker><41ACC92F.2000102@redhat.com><013501c4d714$a49e6be0$c600a8c0@tyliteworker><1101849147.3646.6228.camel@erato.phig.org> <1101852079.3646.6425.camel@erato.phig.org><00f201c4d89c$94168c60$c600a8c0@tyliteworker> <41AF631F.5050107@redhat.com> <011501c4d8aa$2181ef60$c600a8c0@tyliteworker>
Message-ID: <41AF74F8.1070400@redhat.com>

Arthur Stephens wrote:

>Ok that solved that problem but showed up another one.
>I have a folder under /var/log/httpd
>called /mail
>in which I put log messages that come from Squirrel mail
>httpd fails with this informative message...
>'Unable to open logs'
>/var/log/messages
>'httpd: httpd startup failed'
>
>I look at the /var/log/httpd directory and I do see this folder I created is
>labeled differently
>[root at webmail ~]# ls -Z /var/log/httpd/
>-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
>-rw-r--r-- root root system_u:object_r:httpd_log_t access_log.1
>-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
>-rw-r--r-- root root system_u:object_r:httpd_log_t error_log.1
>drwxr-xr-x root root system_u:object_r:httpd_log_t mail
>-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_access_log
>-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log
>-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log.1
>-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_request_log
>
>And here is what I have in my custom.fc
>/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
>/var/log/httpd/mail(/.*)? system_u:object_r:httpd_log_t
>/var/log/httpd/mail system_u:object_r:httpd_log_t
>
>[root at webmail ~]# ls -Z /var/log/httpd/mail/
>-rw-r--r-- root root root:object_r:httpd_runtime_t error_log
>
>After running fixfiles relabel
>[root at webmail ~]# ls -Z /var/log/httpd/mail/
>-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
>
>service httpd start
>httpd fails with this informative message...
>'Unable to open logs'
>/var/log/messages
>'httpd: httpd startup failed'
>
>So am I right in thinking at this point the problem is no longer with
>selinux?
>
I have no idea, type

setenforce 0
service httpd start

If this works, then the problem is SELinux, if not then it probably is
not SELinux. setenforce 0 turns off selinux protection. setenforce 1
turns it back on.

>Arthur Stephens
>Sales Technician
>Ptera Wireless Internet
>astephens at ptera.net
>509-927-Ptera
>
>----- Original Message -----
>From: "Daniel J Walsh"
>To: "Fedora SELinux support list for users & developers."
>
>Sent: Thursday, December 02, 2004 10:46 AM
>Subject: Re: httpd avc denied problem
>
>>Arthur Stephens wrote:
>>
>>>I installed the policy sources on my fedora core 3. :)
>>>Got to step one
>>>Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>>>
>>>There is no such file :(
>>>[root at webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
>>>distros.fc misc program types.fc
>>>[root at webmail ~]#
>>>
>>Ok create a file in the misc directory called custom.fc, file_context
>>file is only created via the make file.
>>
>>echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t" >>
>misc/custom.fc
>
>>Then rebuild policy
>>
>>make load
>>Now restorecon
>>
>>>Arthur Stephens
>>>Sales Technician
>>>Ptera Wireless Internet
>>>astephens at ptera.net
>>>509-927-Ptera
>>>
>>>----- Original Message -----
>>>From: "Karsten Wade"
>>>To: "Fedora SELinux support list for users & developers."
>>>
>>>Sent: Tuesday, November 30, 2004 2:01 PM
>>>Subject: Re: httpd avc denied problem
>>>
>>>>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
>>>>
>>>>> chcon -R -t httpd_log_t /var/www/*/logs/*
>>>>> service httpd start
>>>>
>>>>BTW, if this works, you'll want to do something to make the change
>>>>permanent. Otherwise, the next running of restorecon will hose your
>>>>configuration.
>>>>
>>>>Two options jump to mind:
>>>>
>>>>* Move the logs into a path that will receive httpd_log_t, i.e.,
>>>>/var/logs/httpd/
>>>>
>>>>* Install the policy sources (yum install
>>>>selinux-policy-targeted-sources), and do the following:
>>>>
>>>>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>>>>
>>>>2. Add this line:
>>>>/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
>>>>
>>>>Feel free to correct my regexp, but I think it's right. :)
>>>>
>>>>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
>>>>load'. This will build and load the new policy directly into memory.
>>>>
>>>>4. If you now do restorecon, the /var/www/*/logs directories should get
>>>>the proper context.
>>>>
>>>>Be aware that if you make another change to SELinux, especially using
>>>>system-config-securitylevel, the file /.autorelabel may get created.
>>>>That triggers a relabeling on reboot, and may hose any manual
>>>>customizations not fixed in policy.
>>>>
>>>>- Karsten
>>>>--
>>>>Karsten Wade, RHCE, Tech Writer
>>>>a lemon is just a melon in disguise
>>>>http://people.redhat.com/kwade/
>>>>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From steve at szmidt.org Thu Dec 2 21:23:55 2004
From: steve at szmidt.org (steve szmidt)
Date: Thu, 2 Dec 2004 16:23:55 -0500
Subject: sendmail.postfix avc denied problem
In-Reply-To: <41AF6051.7010907@ecorak.de>
References: <41AE2F08.7010802@baucells.net> <41AF6051.7010907@ecorak.de>
Message-ID: <200412021623.55456.steve@szmidt.org>

On Thursday 02 December 2004 01:34 pm, Edy Corak wrote:
> Hello List,
>
> I have a problem sending mail from a php script.
>
> audit(1101900916.389:0): avc: denied { getattr } for pid=18363 exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
>
> Everything else works very well with SELinux.
>
> System FC3 Postfix, SELinux enforcing, targeted.
>
> Thank you for any help.

Hi,

Please don't start a new thread in someone else's thread. I know you
changed the subject line, but that does not remove the old thread, as
that information is stored in the header of the email.

The correct way to save keystrokes is not to change the subject but to
right click on the list name and select New.

Thanks,

--
Steve Szmidt

"They that would give up essential liberty for temporary safety
deserve neither liberty nor safety."
Benjamin Franklin

From info at ecorak.de Thu Dec 2 22:12:19 2004
From: info at ecorak.de (Edy Corak) Date: Thu, 02 Dec 2004 23:12:19 +0100 Subject: sendmail.postfix avc denied problem In-Reply-To: <41AF6361.3000101@redhat.com> References: <41AE2F08.7010802@baucells.net> <41AF6051.7010907@ecorak.de> <41AF6361.3000101@redhat.com> Message-ID: <41AF9343.2060308@ecorak.de> Daniel J Walsh wrote: > Edy Corak wrote: > >> Hello List, >> >> I have a problem sending mail from a PHP script. >> >> audit(1101900916.389:0): avc: denied { getattr } for pid=18363 >> exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 >> scontext=root:system_r:httpd_sys_script_t >> tcontext=system_u:object_r:sbin_t tclass=file >> >> Everything else works very well with SELinux. >> >> System: FC3, Postfix, SELinux enforcing, targeted. >> >> Thank you for any help. >> > Update to the latest policy, should fix this problem. > > Dan > Thank you very much for your prompt answer. I have updated the policy-targeted to 1.17.30-2.39 but it's the same problem, no chance to send mail from the PHP script. audit(1102024220.525:0): avc: denied { getattr } for pid=8178 exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7513871 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file I looked at the policy-targeted-source. Under file_contexts, in postfix.fc, sendmail.postfix is labeled as /usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t and under /usr/sbin it is system_u:object_r:sbin_t sendmail.postfix rpm -q -l postfix | restorecon -R -v -f - changes it to system_u:object_r:sbin_t sendmail.postfix Which of them is correct? Sorry for my bad reply before; next time I start a thread I will right-click New. Thank you very much Edy -- Edy Corak E-Mail: info at ecorak.de Internet: http://www.ecorak.net/ ----- From Valdis.Kletnieks at vt.edu Thu Dec 2 22:36:01 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 02 Dec 2004 17:36:01 -0500 Subject: Not all the world uses... whatever.. In-Reply-To: Your message of "Thu, 02 Dec 2004 16:23:55 EST." <200412021623.55456.steve@szmidt.org> References: <200412021623.55456.steve@szmidt.org> Message-ID: <200412022236.iB2Ma1Ta005882@turing-police.cc.vt.edu> On Thu, 02 Dec 2004 16:23:55 EST, steve szmidt said: > The correct way to save keystrokes is not to change the subject but to right > click on the list name and selecting New. Oddly enough, right-clicking on the list name and selecting New doesn't seem to work in my exmh client.... ;) Apparently, based on the X-Mailers, you sent your message with KMail/1.6.1, while Edy posted with Thunderbird 0.9. Not being a Thunderbird user, I have no way of knowing if your advice to Edy is correct - but it's certainly *incorrect* for at least some readers of this list... From jorton at redhat.com Fri Dec 3 08:03:43 2004 From: jorton at redhat.com (Joe Orton) Date: Fri, 3 Dec 2004 08:03:43 +0000 Subject: labelling issues Message-ID: <20041203080343.GA28886@redhat.com> I've seen a few issues where file labels are getting lost: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140706 http://bugs.php.net/bug.php?id=30952 and another one reported to the httpd users' list. Is there a known cause of these problems? Is it prelink related, possibly? Regards, joe From dwalsh at redhat.com Fri Dec 3 13:40:20 2004
From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 03 Dec 2004 08:40:20 -0500 Subject: sendmail.postfix avc denied problem In-Reply-To: <41AF9343.2060308@ecorak.de> References: <41AE2F08.7010802@baucells.net> <41AF6051.7010907@ecorak.de> <41AF6361.3000101@redhat.com> <41AF9343.2060308@ecorak.de> Message-ID: <41B06CC4.9070406@redhat.com> Edy Corak wrote: > Daniel J Walsh wrote: > >> Edy Corak wrote: >> >>> Hello List, >>> >>> I have a problem sending mail from a PHP script. >>> >>> audit(1101900916.389:0): avc: denied { getattr } for pid=18363 >>> exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 >>> scontext=root:system_r:httpd_sys_script_t >>> tcontext=system_u:object_r:sbin_t tclass=file >>> >>> Everything else works very well with SELinux. >>> >>> System: FC3, Postfix, SELinux enforcing, targeted. >>> >>> Thank you for any help. >>> >> Update to the latest policy, should fix this problem. >> >> Dan >> > Thank you very much for your prompt answer. > > I have updated the policy-targeted to 1.17.30-2.39 but it's the same > problem, no chance to send mail from the PHP script. > > audit(1102024220.525:0): avc: denied { getattr } for pid=8178 > exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7513871 > scontext=root:system_r:httpd_sys_script_t > tcontext=system_u:object_r:sbin_t tclass=file > > I looked at the policy-targeted-source. Under file_contexts, in postfix.fc, > sendmail.postfix is labeled as /usr/sbin/sendmail.postfix -- > system_u:object_r:sendmail_exec_t > > and under /usr/sbin it is system_u:object_r:sbin_t sendmail.postfix > > rpm -q -l postfix | restorecon -R -v -f - changes it to > system_u:object_r:sbin_t sendmail.postfix > > Which of them is correct? > > Sorry for my bad reply before; next time I start a thread I will right-click > New. > > Thank you very much > > Edy > > Ok I see the problem.
It will be fixed in selinux-policy-targeted-1.17.30-2.41. It is already fixed in rawhide (selinux-policy-targeted-1.19.8-1). From sds at epoch.ncsc.mil Fri Dec 3 13:36:41 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Fri, 03 Dec 2004 08:36:41 -0500 Subject: labelling issues In-Reply-To: <20041203080343.GA28886@redhat.com> References: <20041203080343.GA28886@redhat.com> Message-ID: <1102081001.29971.33.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2004-12-03 at 03:03, Joe Orton wrote: > I've seen a few issues where file labels are getting lost: > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140706 > http://bugs.php.net/bug.php?id=30952 > > and another one reported to the httpd users' list. Is there a known > cause of these problems? Is it prelink related, possibly? I've seen prior reports suggesting that it is prelink-related, but no hard evidence. On the other hand, I just checked my FC3 systems (all strict policy) and they don't have any mislabeled shared objects. While they have been getting regular updates via yum and the prelink cron job is present, I see that prelink has been getting denials because of the /etc/ld.so.cache mislabeling problem (problem in rpm, not sure if a fixed rpm has found its way into FC3 or not). So possibly if prelink wasn't encountering those denials on ld.so.cache, it would have gone on to complete its processing and would have left the shared objects with the wrong label. I'll restorecon /etc/ld.so.cache again and see if the problem manifests upon the next prelink run. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Fri Dec 3 13:44:19 2004
From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 03 Dec 2004 08:44:19 -0500 Subject: labelling issues In-Reply-To: <1102081001.29971.33.camel@moss-spartans.epoch.ncsc.mil> References: <20041203080343.GA28886@redhat.com> <1102081001.29971.33.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <41B06DB3.1020909@redhat.com> Stephen Smalley wrote: >On Fri, 2004-12-03 at 03:03, Joe Orton wrote: > > >>I've seen a few issues where file labels are getting lost: >> >>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140706 >>http://bugs.php.net/bug.php?id=30952 >> >>and another one reported to the httpd users' list. Is there a known >>cause of these problems? Is it prelink related, possibly? >> >> > >I've seen prior reports suggesting that it is prelink-related, but no >hard evidence. On the other hand, I just checked my FC3 systems (all >strict policy) and they don't have any mislabeled shared objects. While >they have been getting regular updates via yum and the prelink cron job >is present, I see that prelink has been getting denials because of the >/etc/ld.so.cache mislabeling problem (problem in rpm, not sure if a >fixed rpm has found its way into FC3 or not). So possibly if prelink >wasn't encountering those denials on ld.so.cache, it would have gone on to >complete its processing and would have left the shared objects with the >wrong label. I'll restorecon /etc/ld.so.cache again and see if the >problem manifests upon the next prelink run. > > > The new RPM is in FC3. We have also seen this problem, but have not been able to find the cause. We believe it is either prelink or rpm related. Dan From sds at epoch.ncsc.mil Fri Dec 3 13:42:18 2004
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Fri, 03 Dec 2004 08:42:18 -0500 Subject: labelling issues In-Reply-To: <1102081001.29971.33.camel@moss-spartans.epoch.ncsc.mil> References: <20041203080343.GA28886@redhat.com> <1102081001.29971.33.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1102081338.29971.37.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2004-12-03 at 08:36, Stephen Smalley wrote: > I've seen prior reports suggesting that it is prelink-related, but no > hard evidence. On the other hand, I just checked my FC3 systems (all > strict policy) and they don't have any mislabeled shared objects. While > they have been getting regular updates via yum and the prelink cron job > is present, I see that prelink has been getting denials because of the > /etc/ld.so.cache mislabeling problem (problem in rpm, not sure if a > fixed rpm has found its way into FC3 or not). So possibly if prelink > wasn't encountering those denials on ld.so.cache, it would have gone on to > complete its processing and would have left the shared objects with the > wrong label. I'll restorecon /etc/ld.so.cache again and see if the > problem manifests upon the next prelink run. BTW, ask people who encounter the mislabeled shared objects to check their /var/log/prelink.log for errors, particularly "Could not get security context" or "Could not set security context", as prelink is supposed to log those errors when it cannot get or set the file context. -- Stephen Smalley National Security Agency From info at ecorak.de Fri Dec 3 13:49:38 2004
From: info at ecorak.de (Edy Corak) Date: Fri, 03 Dec 2004 14:49:38 +0100 Subject: sendmail.postfix avc denied problem In-Reply-To: <41B06CC4.9070406@redhat.com> References: <41AE2F08.7010802@baucells.net> <41AF6051.7010907@ecorak.de> <41AF6361.3000101@redhat.com> <41AF9343.2060308@ecorak.de> <41B06CC4.9070406@redhat.com> Message-ID: <41B06EF2.1080905@ecorak.de> Daniel J Walsh wrote: > Edy Corak wrote: > >> Daniel J Walsh wrote: >> >>> Edy Corak wrote: >>> >>>> Hello List, >>>> >>>> I have a problem sending mail from a PHP script. >>>> >>>> audit(1101900916.389:0): avc: denied { getattr } for pid=18363 >>>> exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 >>>> scontext=root:system_r:httpd_sys_script_t >>>> tcontext=system_u:object_r:sbin_t tclass=file >>>> >>>> Everything else works very well with SELinux. >>>> >>>> System: FC3, Postfix, SELinux enforcing, targeted. >>>> >>>> Thank you for any help. >>>> >>> Update to the latest policy, should fix this problem. >>> >>> Dan >>> >> Thank you very much for your prompt answer. >> >> I have updated the policy-targeted to 1.17.30-2.39 but it's the same >> problem, no chance to send mail from the PHP script. >> >> audit(1102024220.525:0): avc: denied { getattr } for pid=8178 >> exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7513871 >> scontext=root:system_r:httpd_sys_script_t >> tcontext=system_u:object_r:sbin_t tclass=file >> >> I looked at the policy-targeted-source. Under file_contexts, in postfix.fc, >> sendmail.postfix is labeled as /usr/sbin/sendmail.postfix -- >> system_u:object_r:sendmail_exec_t >> >> and under /usr/sbin it is system_u:object_r:sbin_t sendmail.postfix >> >> rpm -q -l postfix | restorecon -R -v -f - changes it to >> system_u:object_r:sbin_t sendmail.postfix >> >> Which of them is correct?
>> >> Sorry for my bad reply before; next time I start a thread I will right-click >> New. >> >> Thank you very much >> >> Edy >> >> > Ok I see the problem. It will be fixed in > selinux-policy-targeted-1.17.30-2.41 > It is already fixed in rawhide (selinux-policy-targeted-1.19.8-1) > OK I will wait for the update. Thank you very much for your help. Edy -- Edy Corak E-Mail: info at ecorak.de Internet: http://www.ecorak.net/ ----- From selinux at gmail.com Fri Dec 3 16:34:22 2004 From: selinux at gmail.com (Tom London) Date: Fri, 3 Dec 2004 08:34:22 -0800 Subject: initrc, md0, mapper Message-ID: <4c4ba15304120308345888bb62@mail.gmail.com> Running strict/enforcing, latest rawhide (selinux-policy-strict-1.19.10-1) Booting produces the following AVCs: Dec 3 08:23:45 fedora kernel: audit(1102090997.316:0): avc: denied { create } for pid=1348 exe=/sbin/nash name=md0 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=blk_file Dec 3 08:23:45 fedora kernel: device-mapper: 4.1.0-ioctl (2003-12-10) initialised: dm at uk.sistina.com Dec 3 08:23:45 fedora kernel: audit(1102090997.383:0): avc: denied { create } for pid=1354 exe=/sbin/nash name=mapper scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=dir Does initrc get create perms for this? tom -- Tom London From jorton at redhat.com Fri Dec 3 16:44:12 2004
From: jorton at redhat.com (Joe Orton) Date: Fri, 3 Dec 2004 16:44:12 +0000 Subject: rpm -V selinux-policy-targeted In-Reply-To: References: <20041124144315.GA31199@redhat.com> <41A4A353.2060404@redhat.com> <20041124161443.GA27400@redhat.com> <41A4B96B.1060706@redhat.com> <41A4D929.9060309@redhat.com> Message-ID: <20041203164412.GA7538@redhat.com> Was there any resolution on this issue? The problem still seems to be present in the latest policy-targeted-1.17.30-2.* packages. (Do you want me to file a bug?) Regards, joe From dwalsh at redhat.com Fri Dec 3 16:59:46 2004 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 03 Dec 2004 11:59:46 -0500 Subject: rpm -V selinux-policy-targeted In-Reply-To: <20041203164412.GA7538@redhat.com> References: <20041124144315.GA31199@redhat.com> <41A4A353.2060404@redhat.com> <20041124161443.GA27400@redhat.com> <41A4B96B.1060706@redhat.com> <41A4D929.9060309@redhat.com> <20041203164412.GA7538@redhat.com> Message-ID: <41B09B82.3000403@redhat.com> Joe Orton wrote: >Was there any resolution on this issue? The problem still seems to be >present in the latest policy-targeted-1.17.30-2.* packages. (Do you >want me to file a bug?) > >Regards, > >joe > No, I just moved the fix from the Rawhide policy to the FC3 policy. So this will be fixed in 1.17.30-2.42 From astephens at ptera.net Fri Dec 3 19:34:55 2004
From: astephens at ptera.net (Arthur Stephens) Date: Fri, 3 Dec 2004 11:34:55 -0800 Subject: perl/cgi script problem Message-ID: <011c01c4d96f$2b386550$c600a8c0@tyliteworker> Ok I thought I had this SELinux thing figured out at least a little. Finally got httpd to start up. But now I have perl/cgi script problems. When trying to access my Genesis WebAuthoring System the script works in the /cgi-bin/genesis/ directory, displaying the login screen, but when I go to log in I get this error message. Error: could not write to file '/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens' - Permission denied - Permission denied Plus these on the console Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file Oh I know what this means so I added this to my custom.fc /var/www/.*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t which is what I saw in file_contexts for /var/www/cgi-bin make load fixfiles relabel The log shows it relabeled everything. But now I get...
Dec 3 13:42:38 webmail kernel: audit(1102110158.398:0): avc: denied { search } for pid=1873 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir Dec 3 13:42:47 webmail kernel: audit(1102110167.739:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir Dec 3 13:42:47 webmail kernel: audit(1102110167.740:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir Dec 3 13:42:47 webmail kernel: audit(1102110167.964:0): avc: denied { write } for pid=1874 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file So I ran out of what I know to do, or maybe I messed things up. Arthur Stephens Sales Technician Ptera Wireless Internet astephens at ptera.net 509-927-Ptera From dwalsh at redhat.com Fri Dec 3 19:34:22 2004
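Reading a burst of denials like Arthur's (or the seventy from smartd later on this page) is easier once they are grouped by source type, target type and object class, which is what audit2allow does before proposing rules. The following is an added example for this page, not code from the list or from the Fedora policy tools: a parser for the 2004-era kernel AVC format shown on this page ("audit(...): avc: denied { perms } for key=value ...") and a summariser that unions the denied permissions per (source type, target type, class). The sample input is Arthur's three denials copied from his post, plus one constructed "read" denial on the same file to show merging and one unrelated kernel line to show it is skipped.

```python
"""Parse kernel AVC denial lines and group them the way audit2allow does.
Added example for this page, not code from the list or the policy tools;
the regexes target the 2004-era "audit(...): avc: denied { perms } for
key=value ..." format quoted in the thread."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Sample input: three lines copied from Arthur's post, one constructed extra
# denial (read on the same file) to show permission merging, and one
# unrelated kernel line to show non-AVC input is ignored.
SAMPLE = [
    "Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir",
    "Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir",
    "Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file",
    # constructed, not from the thread:
    "Dec 2 21:04:56 webmail kernel: audit(1102050296.000:0): avc: denied { read } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file",
    "Dec 2 21:05:00 webmail kernel: some unrelated kernel message",
]


def parse_avc(line):
    """Return a dict with 'perms' (list) and every key=value field of a
    denial line, plus 'stype'/'ttype' (the type part of each context).
    Returns None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Policy rules are written against types, so strip user:role: from
    # each context (user:role:type -> type).
    rec["stype"] = rec.get("scontext", "").split(":")[-1]
    rec["ttype"] = rec.get("tcontext", "").split(":")[-1]
    return rec


def summarize(lines):
    """Union the denied permissions per (source type, target type, class)."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec.get("tclass", "?"))
        groups[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def as_allow_rules(summary):
    """Render the summary as the allow rules audit2allow would propose.
    These are a starting point for reading, not something to load blindly."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(perms)} }};"
        for (s, t, c), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE)):
        print(rule)
```

The grouped view separates the two kinds of problem in Arthur's log: the sysctl_t and sysctl_kernel_t searches come from perl probing /proc/sys and are a question for the policy (Dan's reply points to an update), while the write denial names the file's label, and the answer to that is a file context, not an allow rule. That is the caveat with audit2allow output in general: the thread's own resolutions on this page are a relabel (the postfix.fc entry for sendmail.postfix) and a policy update, and a generated allow rule would have papered over both.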
From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 03 Dec 2004 14:34:22 -0500 Subject: perl/cgi script problem In-Reply-To: <011c01c4d96f$2b386550$c600a8c0@tyliteworker> References: <011c01c4d96f$2b386550$c600a8c0@tyliteworker> Message-ID: <41B0BFBE.1050900@redhat.com> Arthur Stephens wrote: > Ok I thought I had this SELinux thing figured out at least a little. > Finally got httpd to start up. > But now I have perl/cgi script problems. > When trying to access my Genesis WebAuthoring System the script works > in the /cgi-bin/genesis/ directory, displaying the login screen, > but when I go to log in I get this error message. > > Error: could not write to file > '/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens' > - Permission denied - Permission denied > > Plus these on the console > Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied > { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc > ino=-268435431 scontext=root:system_r:httpd_sys_script_t > tcontext=system_u:object_r:sysctl_t tclass=dir > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied > { search } for pid=2360 exe=/usr/bin/perl > scontext=root:system_r:httpd_sys_script_t > tcontext=system_u:object_r:sysctl_kernel_t tclass=dir > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied > { search } for pid=2360 exe=/usr/bin/perl name=sys dev=proc > ino=-268435431 scontext=root:system_r:httpd_sys_script_t > tcontext=system_u:object_r:sysctl_t tclass=dir > Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied > { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens > dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t > tcontext=system_u:object_r:httpd_sys_content_t tclass=file > Oh I know what this means so I added this to my custom.fc > /var/www/.*/cgi-bin(/.*)?
system_u:object_r:httpd_sys_script_exec_t > > which is what I saw in file_contexts for /var/www/cgi-bin > > make load > fixfiles relabel > > The log shows it relabeled everything. > But now I get... > > Dec 3 13:42:38 webmail kernel: audit(1102110158.398:0): avc: denied > { search } for pid=1873 exe=/usr/bin/perl name=sys dev=proc > ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t > tcontext=system_u:object_r:sysctl_t tclass=dir > Dec 3 13:42:47 webmail kernel: audit(1102110167.739:0): avc: denied > { search } for pid=1874 exe=/usr/bin/perl > scontext=user_u:system_r:httpd_sys_script_t > tcontext=system_u:object_r:sysctl_kernel_t tclass=dir > Dec 3 13:42:47 webmail kernel: audit(1102110167.740:0): avc: denied > { search } for pid=1874 exe=/usr/bin/perl name=sys dev=proc > ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t > tcontext=system_u:object_r:sysctl_t tclass=dir > Dec 3 13:42:47 webmail kernel: audit(1102110167.964:0): avc: denied > { write } for pid=1874 exe=/usr/bin/perl name=.webauth_tokens > dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t > tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file > So I ran out of what I know to do, or maybe I messed things up. > > > Arthur Stephens > Sales Technician > Ptera Wireless Internet > astephens at ptera.net > 509-927-Ptera > We have placed an update to the SELinux policy that should fix this problem. I am not sure it has made it into Fedora-Updates yet. The latest policy is available at ftp://people.redhat.com/dwalsh/SELinux/FC3 Dan From Valdis.Kletnieks at vt.edu Fri Dec 3 20:12:45 2004
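Two questions on this page come down to how file_contexts entries are matched: Edy asks which of two entries for /usr/sbin/sendmail.postfix is "correct" when restorecon picks sbin_t, and Arthur's second log shows that his custom.fc regex turned a writable data file into httpd_sys_script_exec_t (a type scripts are run from, not written to). The following is an added example for this page, not the list's or the policy's code: a small model of the setfiles/restorecon matching rules as I understand them, namely that each regex is anchored at both ends, a second column such as "--" restricts an entry to one file type, the policy build sorts entries so the most specific (longest literal stem) comes last, and the last matching entry wins. The generic /usr/sbin and /var/www entries and the narrower script_data entry are constructed; only the postfix.fc line Edy quoted and Arthur's custom.fc line come from the thread, and the httpd_sys_script_rw_t type name is assumed from the httpd policy of that era.

```python
"""Model of file_contexts matching (anchored regex, optional file-type
column, most-specific-last ordering, last match wins).  Added example for
this page, not code from the list or from the Fedora policy; the
assumptions are listed in the lead-in and the comments."""
import re

META = set(".^$?*+|[](){}\\")
TYPE_FLAG = {"--": "file", "-d": "dir", "-l": "lnk", "-s": "sock",
             "-p": "fifo", "-b": "blk", "-c": "chr"}

FC_SAMPLE = """
# generic entries (constructed; forms assumed from the FC3 policy)
/usr/sbin(/.*)?               system_u:object_r:sbin_t
/var/www(/.*)?                system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)?        system_u:object_r:httpd_sys_script_exec_t
# postfix.fc entry quoted by Edy
/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t
# Arthur's custom.fc entry
/var/www/.*/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t
"""
WEBAUTH = "/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens"
# Hypothetical narrower entry for the writable script data.  The type name is
# assumed from the httpd policy of that era; check it against your own
# file_contexts before relying on it.
SCRIPT_DATA = ("/var/www/pteraweb/cgi-bin/genesis/script_data(/.*)?", None,
               "system_u:object_r:httpd_sys_script_rw_t")


def parse_fc(text):
    """Turn file_contexts text into (regex, type_flag_or_None, context)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 2:
            entries.append((parts[0], None, parts[1]))
        elif len(parts) == 3 and parts[1] in TYPE_FLAG:
            entries.append((parts[0], parts[1], parts[2]))
        else:
            raise ValueError(f"unparseable file_contexts line: {raw!r}")
    return entries


def stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in META:
            return i
    return len(regex)


def fc_sort(entries):
    """Order entries least specific first, as the policy build does, so that
    a last-match-wins scan picks the most specific one.  The sort is stable,
    so entries of equal specificity keep file order."""
    return sorted(entries, key=lambda e: (stem_len(e[0]),
                                          not any(c in META for c in e[0]),
                                          e[1] is not None))


def matching_entries(entries, path, kind="file"):
    """All entries that apply to path, in order; the last one is the winner."""
    hits = []
    for regex, flag, ctx in fc_sort(entries):
        if flag is not None and TYPE_FLAG[flag] != kind:
            continue  # e.g. a "--" entry never applies to a directory
        if re.fullmatch(regex, path):  # file_contexts regexes are anchored
            hits.append((regex, ctx))
    return hits


def matchpathcon(entries, path, kind="file"):
    """Context restorecon would set on path, or None when nothing matches."""
    hits = matching_entries(entries, path, kind)
    return hits[-1][1] if hits else None


if __name__ == "__main__":
    fc = parse_fc(FC_SAMPLE)
    print(matchpathcon(fc, "/usr/sbin/sendmail.postfix"))
    without_postfix = [e for e in fc if "postfix" not in e[0]]
    print(matchpathcon(without_postfix, "/usr/sbin/sendmail.postfix"))
    print(matchpathcon(fc, WEBAUTH))
    print(matchpathcon(fc + [SCRIPT_DATA], WEBAUTH))
```

With both entries present the postfix.fc one wins for sendmail.postfix, because its literal stem is longer than /usr/sbin; the only way a relabel yields sbin_t is when the compiled file_contexts the installed policy package ships does not contain the postfix entry at all, which is the situation to check for (on the host, matchpathcon(8) reports what the installed policy would assign). For Arthur's path, his /var/www/.*/cgi-bin(/.*)? entry matches everything below any cgi-bin, data files included, and outranks the generic /var/www entry, which is exactly the httpd_sys_script_exec_t label his second write denial reports; a narrower entry for the script_data directory, as in the hypothetical SCRIPT_DATA line, sorts later and takes precedence.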
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Fri, 03 Dec 2004 15:12:45 -0500 Subject: Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail... Message-ID: <200412032012.iB3KCjaT030175@turing-police.cc.vt.edu> Running Fedora Core Rawhide as of the other night, so fairly recent. Using 'strict/permissive' at the moment... So I set up 'smartd' to monitor the hard drive in my laptop - I *know* there's one bad spot of about 10 blocks long on it, and want to be told if it decides to start getting bigger. And sure enough, at boot it tries to e-mail me and tell me there's bad blocks. Unfortunately, it seems to invoke 'sh -c mail' or something like that, so even the ugly hack of adding an exec_auto_trans(sendmail_t) doesn't look like it will help. Any good ideas on how to deal with this one? (And I have *NO* idea why it pops the first 5-6 while trying to find resolv.conf) Is it trying to open port 25 to send the mail, and if there's no sendmail running, it invokes 'sh -c mail'? If so, the solution (or part of it) would simply be to have smartd start after sendmail does..... 
Oddly curious - the failed read for pipe:[9756] - both ends appear to be fsdaemon_t ;) The messages (almost 70 of them): Dec 3 11:07:42 turing-police kernel: audit(1102089972.656:0): avc: denied { search } for pid=17328 exe=/usr/sbin/smartd name=/ dev=tmpfs ino=3131 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir Dec 3 11:07:42 turing-police kernel: audit(1102089972.697:0): avc: denied { write } for pid=17328 exe=/usr/sbin/smartd name=log dev=tmpfs ino=9084 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file Dec 3 11:07:42 turing-police kernel: audit(1102089974.784:0): avc: denied { read } for pid=17328 exe=/usr/sbin/smartd name=resolv.conf dev=dm-5 ino=24648 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:net_conf_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089974.784:0): avc: denied { getattr } for pid=17328 exe=/usr/sbin/smartd path=/etc/resolv.conf dev=dm-5 ino=24648 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:net_conf_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089974.839:0): avc: denied { create } for pid=17328 exe=/usr/sbin/smartd scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=unix_stream_socket Dec 3 11:07:42 turing-police kernel: audit(1102089974.839:0): avc: denied { connect } for pid=17328 exe=/usr/sbin/smartd scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=unix_stream_socket Dec 3 11:07:42 turing-police kernel: audit(1102089974.947:0): avc: denied { search } for pid=8202 exe=/usr/sbin/smartd name=bin dev=dm-5 ino=26670 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=dir Dec 3 11:07:42 turing-police kernel: audit(1102089974.947:0): avc: denied { read } for pid=8202 exe=/usr/sbin/smartd name=sh dev=dm-5 ino=57489 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=lnk_file Dec 3 11:07:42 
turing-police kernel: audit(1102089975.002:0): avc: denied { execute } for pid=8202 exe=/usr/sbin/smartd name=bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.002:0): avc: denied { execute_no_trans } for pid=8202 exe=/usr/sbin/smartd path=/bin/bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.058:0): avc: denied { read } for pid=8202 exe=/usr/sbin/smartd path=/bin/bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.089:0): avc: denied { read } for pid=8202 exe=/bin/bash name=meminfo dev=proc ino=-268435454 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:proc_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.089:0): avc: denied { getattr } for pid=8202 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:proc_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.149:0): avc: denied { search } for pid=8202 exe=/bin/bash name=sbin dev=dm-5 ino=47195 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:sbin_t tclass=dir Dec 3 11:07:42 turing-police kernel: audit(1102089975.149:0): avc: denied { getattr } for pid=8202 exe=/bin/bash path=/bin/bash dev=dm-5 ino=26747 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.213:0): avc: denied { getattr } for pid=17328 exe=/usr/sbin/smartd path=pipe:[9756] dev=pipefs ino=9756 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=fifo_file Dec 3 11:07:42 turing-police kernel: audit(1102089975.213:0): avc: denied { read } for pid=17328 
exe=/usr/sbin/smartd path=pipe:[9756] dev=pipefs ino=9756 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=fifo_file Dec 3 11:07:42 turing-police kernel: audit(1102089975.280:0): avc: denied { getattr } for pid=8202 exe=/bin/bash path=/bin/mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.280:0): avc: denied { execute } for pid=8202 exe=/bin/bash name=mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file Dec 3 11:07:42 turing-police kernel: audit(1102089975.346:0): avc: denied { getattr } for pid=7644 exe=/bin/bash path=/tmp dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:42 turing-police kernel: audit(1102089975.346:0): avc: denied { search } for pid=7644 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:42 turing-police kernel: audit(1102089975.415:0): avc: denied { write } for pid=7644 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089975.449:0): avc: denied { add_name } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089975.449:0): avc: denied { create } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.517:0): avc: denied { write } for pid=7644 exe=/bin/bash path=/tmp/sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.567:0): 
avc: denied { read } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.610:0): avc: denied { remove_name } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir Dec 3 11:07:43 turing-police kernel: audit(1102089975.610:0): avc: denied { unlink } for pid=7644 exe=/bin/bash name=sh-thd-1102109337 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.679:0): avc: denied { execute_no_trans } for pid=7644 exe=/bin/bash path=/bin/mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.679:0): avc: denied { read } for pid=7644 exe=/bin/bash path=/bin/mail dev=dm-5 ino=26730 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.783:0): avc: denied { setgid } for pid=7644 exe=/bin/mail capability=6 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=capability Dec 3 11:07:43 turing-police kernel: audit(1102089975.831:0): avc: denied { ioctl } for pid=7644 exe=/bin/mail path=/tmp/sh-thd-1102109337 (deleted) dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file Dec 3 11:07:43 turing-police kernel: audit(1102089975.866:0): avc: denied { ioctl } for pid=7644 exe=/bin/mail path=pipe:[9756] dev=pipefs ino=9756 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=fifo_file Dec 3 11:07:43 turing-police kernel: audit(1102089975.901:0): avc: denied { getattr } for pid=7644 exe=/bin/mail path=/tmp/Rsx6eaR5 dev=dm-10 ino=6151 
scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089976.007:0): avc: denied { execute } for pid=13925 exe=/bin/mail name=sendmail dev=dm-1 ino=41557 scontext=system_u:system_r:fsdaemon_t tcontext=root:object_r:sbin_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089976.007:0): avc: denied { execute_no_trans } for pid=13925 exe=/bin/mail path=/usr/sbin/sendmail dev=dm-1 ino=41557 scontext=system_u:system_r:fsdaemon_t tcontext=root:object_r:sbin_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089976.091:0): avc: denied { read } for pid=13925 exe=/bin/mail path=/usr/sbin/sendmail dev=dm-1 ino=41557 scontext=system_u:system_r:fsdaemon_t tcontext=root:object_r:sbin_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089976.683:0): avc: denied { create } for pid=13925 exe=/usr/sbin/sendmail scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=tcp_socket
Dec 3 11:07:43 turing-police kernel: audit(1102089976.813:0): avc: denied { search } for pid=13925 exe=/usr/sbin/sendmail name=mail dev=dm-5 ino=43015 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089976.865:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/etc/mail/submit.cf dev=dm-5 ino=43033 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089976.865:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/etc/mail dev=dm-5 ino=43015 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089976.947:0): avc: denied { read } for pid=13925 exe=/usr/sbin/sendmail name=submit.cf dev=dm-5 ino=43033 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_mail_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.097:0): avc: denied { setuid } for pid=13925 exe=/usr/sbin/sendmail capability=7 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=capability
Dec 3 11:07:43 turing-police kernel: audit(1102089977.174:0): avc: denied { search } for pid=13925 exe=/usr/sbin/sendmail name=spool dev=dm-3 ino=34821 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:var_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.218:0): avc: denied { search } for pid=13925 exe=/usr/sbin/sendmail name=clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.218:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.371:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool dev=dm-3 ino=34821 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:var_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.466:0): avc: denied { write } for pid=13925 exe=/usr/sbin/sendmail name=clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.509:0): avc: denied { add_name } for pid=13925 exe=/usr/sbin/sendmail name=dfiB3G6HJS013925 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089977.509:0): avc: denied { create } for pid=13925 exe=/usr/sbin/sendmail name=dfiB3G6HJS013925 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.580:0): avc: denied { getattr } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue/dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.580:0): avc: denied { lock } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue/dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.678:0): avc: denied { write } for pid=13925 exe=/usr/sbin/sendmail path=/var/spool/clientmqueue/dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.771:0): avc: denied { read } for pid=13925 exe=/usr/sbin/sendmail name=dfiB3G6HJS013925 dev=dm-3 ino=55324 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089977.809:0): avc: denied { connect } for pid=13925 exe=/usr/sbin/sendmail scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=tcp_socket
Dec 3 11:07:43 turing-police kernel: audit(1102089977.809:0): avc: denied { tcp_send } for pid=13925 exe=/usr/sbin/sendmail saddr=127.0.0.1 src=51192 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Dec 3 11:07:43 turing-police kernel: audit(1102089977.879:0): avc: denied { tcp_send } for pid=13925 exe=/usr/sbin/sendmail saddr=127.0.0.1 src=51192 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:node_lo_t tclass=node
Dec 3 11:07:43 turing-police kernel: audit(1102089977.879:0): avc: denied { send_msg } for pid=13925 exe=/usr/sbin/sendmail saddr=127.0.0.1 src=51192 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
Dec 3 11:07:43 turing-police kernel: audit(1102089977.948:0): avc: denied { tcp_recv } for pid=3 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=51192 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Dec 3 11:07:43 turing-police kernel: audit(1102089977.948:0): avc: denied { tcp_recv } for pid=3 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=51192 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:node_lo_t tclass=node
Dec 3 11:07:43 turing-police kernel: audit(1102089977.948:0): avc: denied { recv_msg } for pid=3 comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=51192 netif=lo scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
Dec 3 11:07:43 turing-police kernel: audit(1102089978.263:0): avc: denied { remove_name } for pid=13925 exe=/usr/sbin/sendmail name=tfiB3G6HJS013925 dev=dm-3 ino=55327 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089978.263:0): avc: denied { rename } for pid=13925 exe=/usr/sbin/sendmail name=tfiB3G6HJS013925 dev=dm-3 ino=55327 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089978.263:0): avc: denied { unlink } for pid=13925 exe=/usr/sbin/sendmail name=qfiB3G6HJS013925 dev=dm-3 ino=55326 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=file
Dec 3 11:07:43 turing-police kernel: audit(1102089978.366:0): avc: denied { read } for pid=13925 exe=/usr/sbin/sendmail name=clientmqueue dev=dm-3 ino=55307 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089978.595:0): avc: denied { getattr } for pid=10722 exe=/bin/bash path=/tmp dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089978.633:0): avc: denied { search } for pid=10722 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:43 turing-police kernel: audit(1102089978.633:0): avc: denied { write } for pid=10722 exe=/bin/bash name=/ dev=dm-10 ino=2 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:44 turing-police kernel: audit(1102089978.701:0): avc: denied { add_name } for pid=10722 exe=/bin/bash name=sh-thd-1102111169 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:07:44 turing-police kernel: audit(1102089978.701:0): avc: denied { remove_name } for pid=10722 exe=/bin/bash name=sh-thd-1102111169 dev=dm-10 ino=6150 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmp_t tclass=dir
Dec 3 11:36:19 turing-police kernel: audit(1102091779.951:0): avc: denied { search } for pid=16629 exe=/usr/sbin/smartd name=/ dev=tmpfs ino=3131 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Dec 3 11:36:20 turing-police kernel: audit(1102091780.816:0): avc: denied { write } for pid=16629 exe=/usr/sbin/smartd name=log dev=tmpfs ino=9084 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file

From astephens at ptera.net Fri Dec 3 20:20:40 2004
From: astephens at ptera.net (Arthur Stephens)
Date: Fri, 3 Dec 2004 12:20:40 -0800
Subject: perl/cgi script problem
References: <011c01c4d96f$2b386550$c600a8c0@tyliteworker> <41B0BFBE.1050900@redhat.com>
Message-ID: <014801c4d975$8f7ad790$c600a8c0@tyliteworker>

Which file?

----- Original Message -----
From: "Daniel J Walsh"
To: "Fedora SELinux support list for users & developers."
Sent: Friday, December 03, 2004 11:34 AM
Subject: Re: perl/cgi script problem

> Arthur Stephens wrote:
>
> > Ok I thought I had this SELinux thing figured out at least a little.
> > Finally got httpd to startup.
> > But now I have perl/cgi script problems.
> > When trying to access my Genesis WebAuthoring System the script works
> > in the /cgi-bin/genesis/ directory displaying the login screen
> > but when I go to log in I get this error message.
> > **
> > *Error:* could not write to file
> > '/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens'
> > - Permission denied - Permission denied
> >
> > Plus these on the console
> > Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
> > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
> > Oh I know what this means so I added this to my custom.fc
> > /var/www/.*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
> >
> > which is what I saw in file_contexts for /var/www/cgi-bin
> >
> > make load
> > fixfiles relabel
> >
> > The log shows it relabeled everything.
> > But now I get...
> >
> > Dec 3 13:42:38 webmail kernel: audit(1102110158.398:0): avc: denied { search } for pid=1873 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > Dec 3 13:42:47 webmail kernel: audit(1102110167.739:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
> > Dec 3 13:42:47 webmail kernel: audit(1102110167.740:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > Dec 3 13:42:47 webmail kernel: audit(1102110167.964:0): avc: denied { write } for pid=1874 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file
> > So I ran out of what I know to do or maybe I messed things up.
> >
> >
> > Arthur Stephens
> > Sales Technician
> > Ptera Wireless Internet
> > astephens at ptera.net
> > 509-927-Ptera
> >
> >------------------------------------------------------------------------
> >
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list at redhat.com
> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> We have placed an update to the SELinux policy that should fix this problem.
> I am not sure it has made it into Fedora-Updates yet. The latest policy
> is available at
>
> ftp://people.redhat.com/dwalsh/SELinux/FC3
>
> Dan
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From astephens at ptera.net Fri Dec 3 21:15:32 2004
From: astephens at ptera.net (Arthur Stephens)
Date: Fri, 3 Dec 2004 13:15:32 -0800
Subject: perl/cgi script problem
References: <011c01c4d96f$2b386550$c600a8c0@tyliteworker> <41B0BFBE.1050900@redhat.com>
Message-ID: <017301c4d97d$395815f0$c600a8c0@tyliteworker>

[root at webmail ~]# rpm -Uvh selinux-policy-targeted-sources-1.17.30-2.42.noarch.rpm
error: Failed dependencies:
        selinux-policy-targeted = 1.17.30-2.42 is needed by selinux-policy-targeted-sources-1.17.30-2.42.noarch
[root at webmail ~]# rpm -Uvh selinux-policy-targeted-1.17.30-2.42.noarch.rpm
error: Failed dependencies:
        selinux-policy-targeted = 1.17.30-2.34 is needed by (installed) selinux-policy-targeted-sources-1.17.30-2.34.noarch

----- Original Message -----
From: "Daniel J Walsh"
To: "Fedora SELinux support list for users & developers."
Sent: Friday, December 03, 2004 11:34 AM
Subject: Re: perl/cgi script problem

> Arthur Stephens wrote:
>
> > Ok I thought I had this SELinux thing figured out at least a little.
> > Finally got httpd to startup.
> > But now I have perl/cgi script problems.
> > When trying to access my Genesis WebAuthoring System the script works
> > in the /cgi-bin/genesis/ directory displaying the login screen
> > but when I go to log in I get this error message.
> > **
> > *Error:* could not write to file
> > '/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens'
> > - Permission denied - Permission denied
> >
> > Plus these on the console
> > Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
> > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
> > Oh I know what this means so I added this to my custom.fc
> > /var/www/.*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
> >
> > which is what I saw in file_contexts for /var/www/cgi-bin
> >
> > make load
> > fixfiles relabel
> >
> > The log shows it relabeled everything.
> > But now I get...
> >
> > Dec 3 13:42:38 webmail kernel: audit(1102110158.398:0): avc: denied { search } for pid=1873 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > Dec 3 13:42:47 webmail kernel: audit(1102110167.739:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
> > Dec 3 13:42:47 webmail kernel: audit(1102110167.740:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > Dec 3 13:42:47 webmail kernel: audit(1102110167.964:0): avc: denied { write } for pid=1874 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file
> > So I ran out of what I know to do or maybe I messed things up.
> >
> >
> > Arthur Stephens
> > Sales Technician
> > Ptera Wireless Internet
> > astephens at ptera.net
> > 509-927-Ptera
> >
> We have placed an update to the SELinux policy that should fix this problem.
> I am not sure it has made it into Fedora-Updates yet. The latest policy
> is available at
>
> ftp://people.redhat.com/dwalsh/SELinux/FC3
>
> Dan

From astephens at ptera.net Sat Dec 4 00:58:46 2004
From: astephens at ptera.net (Arthur Stephens)
Date: Fri, 3 Dec 2004 16:58:46 -0800
Subject: perl/cgi script problem
References: <011c01c4d96f$2b386550$c600a8c0@tyliteworker><41B0BFBE.1050900@redhat.com> <017301c4d97d$395815f0$c600a8c0@tyliteworker>
Message-ID: <000a01c4d99c$69f2c560$c600a8c0@tyliteworker>

So do I force the upgrade?

----- Original Message -----
From: "Arthur Stephens"
To: "Fedora SELinux support list for users & developers."
Sent: Friday, December 03, 2004 1:15 PM
Subject: Re: perl/cgi script problem

> [root at webmail ~]# rpm -Uvh selinux-policy-targeted-sources-1.17.30-2.42.noarch.rpm
> error: Failed dependencies:
>         selinux-policy-targeted = 1.17.30-2.42 is needed by selinux-policy-targeted-sources-1.17.30-2.42.noarch
> [root at webmail ~]# rpm -Uvh selinux-policy-targeted-1.17.30-2.42.noarch.rpm
> error: Failed dependencies:
>         selinux-policy-targeted = 1.17.30-2.34 is needed by (installed) selinux-policy-targeted-sources-1.17.30-2.34.noarch
>
> ----- Original Message -----
> From: "Daniel J Walsh"
> To: "Fedora SELinux support list for users & developers."
> Sent: Friday, December 03, 2004 11:34 AM
> Subject: Re: perl/cgi script problem
>
> > Arthur Stephens wrote:
> >
> > > Ok I thought I had this SELinux thing figured out at least a little.
> > > Finally got httpd to startup.
> > > But now I have perl/cgi script problems.
> > > When trying to access my Genesis WebAuthoring System the script works
> > > in the /cgi-bin/genesis/ directory displaying the login screen
> > > but when I go to log in I get this error message.
> > > **
> > > *Error:* could not write to file
> > > '/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens'
> > > - Permission denied - Permission denied
> > >
> > > Plus these on the console
> > > Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
> > > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > > Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
> > > Oh I know what this means so I added this to my custom.fc
> > > /var/www/.*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
> > >
> > > which is what I saw in file_contexts for /var/www/cgi-bin
> > >
> > > make load
> > > fixfiles relabel
> > >
> > > The log shows it relabeled everything.
> > > But now I get...
> > >
> > > Dec 3 13:42:38 webmail kernel: audit(1102110158.398:0): avc: denied { search } for pid=1873 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > > Dec 3 13:42:47 webmail kernel: audit(1102110167.739:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
> > > Dec 3 13:42:47 webmail kernel: audit(1102110167.740:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
> > > Dec 3 13:42:47 webmail kernel: audit(1102110167.964:0): avc: denied { write } for pid=1874 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file
> > > So I ran out of what I know to do or maybe I messed things up.
> > >
> > >
> > > Arthur Stephens
> > > Sales Technician
> > > Ptera Wireless Internet
> > > astephens at ptera.net
> > > 509-927-Ptera
> > >
> > We have placed an update to the SELinux policy that should fix this problem.
> > I am not sure it has made it into Fedora-Updates yet. The latest policy
> > is available at
> >
> > ftp://people.redhat.com/dwalsh/SELinux/FC3
> >
> > Dan

From rhally at mindspring.com Sat Dec 4 01:19:12 2004
From: rhally at mindspring.com (Richard Hally)
Date: Fri, 03 Dec 2004 20:19:12 -0500
Subject: perl/cgi script problem
In-Reply-To: <000a01c4d99c$69f2c560$c600a8c0@tyliteworker>
References: <011c01c4d96f$2b386550$c600a8c0@tyliteworker><41B0BFBE.1050900@redhat.com> <017301c4d97d$395815f0$c600a8c0@tyliteworker> <000a01c4d99c$69f2c560$c600a8c0@tyliteworker>
Message-ID: <41B11090.40707@mindspring.com>

Arthur Stephens wrote:

>So do I force the upgrade?
>
>----- Original Message -----
>From: "Arthur Stephens"
>To: "Fedora SELinux support list for users & developers."
>Sent: Friday, December 03, 2004 1:15 PM
>Subject: Re: perl/cgi script problem
>
>>[root at webmail ~]# rpm -Uvh selinux-policy-targeted-sources-1.17.30-2.42.noarch.rpm
>>error: Failed dependencies:
>>        selinux-policy-targeted = 1.17.30-2.42 is needed by selinux-policy-targeted-sources-1.17.30-2.42.noarch
>>[root at webmail ~]# rpm -Uvh selinux-policy-targeted-1.17.30-2.42.noarch.rpm
>>error: Failed dependencies:
>>        selinux-policy-targeted = 1.17.30-2.34 is needed by (installed) selinux-policy-targeted-sources-1.17.30-2.34.noarch
>>
>>
Nope, you update both the selinux-policy-targeted and selinux-policy-targeted-sources at the same time, thus:

rpm -Uvh selinux-policy-targeted-*.rpm

HTH
Richard

From selinux at gmail.com Sat Dec 4 18:48:54 2004
From: selinux at gmail.com (Tom London)
Date: Sat, 4 Dec 2004 10:48:54 -0800
Subject: cups wants to write to /usr/lib/python2.4/.../printconf_tui.pyo, etc
Message-ID: <4c4ba1530412041048671afa35@mail.gmail.com>

Running strict/enforcing, latest Rawhide.

When logging in, cups, running in cupsd_config_t wants to write /usr/lib/python/site-packages/printconf_tui.pyo, and /usr/share/printconf/util/printconf_tui.pyo. Strict and Permissive avc's shown below.

Two things:

1. Didn't these files get moved to /var under an earlier bugzilla?
2. Can we add a 'dontaudit' to cups.te for this:

dontaudit cupsd_config_t lib_t:dir write;
dontaudit cupsd_config_t usr_t:dir write;

tom

Strict avcs:

Dec 4 10:20:41 fedora kernel: audit(1102184441.369:0): avc: denied { write } for pid=2844 exe=/usr/bin/python name=util dev=hda2 ino=4309019 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 4 10:20:41 fedora kernel: audit(1102184441.619:0): avc: denied { write } for pid=2844 exe=/usr/bin/python name=site-packages dev=hda2 ino=4525331 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:lib_t tclass=dir

Permissive avc:

Dec 4 10:35:08 fedora kernel: audit(1102185308.369:0): avc: denied { write } for pid=3591 exe=/usr/bin/python name=util dev=hda2 ino=4309019 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 4 10:35:08 fedora kernel: audit(1102185308.370:0): avc: denied { remove_name } for pid=3591 exe=/usr/bin/python name=printconf_tui.pyo dev=hda2 ino=4309180 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 4 10:35:08 fedora kernel: audit(1102185308.370:0): avc: denied { unlink } for pid=3591 exe=/usr/bin/python name=printconf_tui.pyo dev=hda2 ino=4309180 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:printconf_t tclass=file
Dec 4 10:35:08 fedora kernel: audit(1102185308.606:0): avc: denied { add_name } for pid=3591 exe=/usr/bin/python name=printconf_tui.pyo scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 4 10:35:08 fedora kernel: audit(1102185308.606:0): avc: denied { create } for pid=3591 exe=/usr/bin/python name=printconf_tui.pyo scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=file
Dec 4 10:35:08 fedora kernel: audit(1102185308.606:0): avc: denied { write } for pid=3591 exe=/usr/bin/python path=/usr/share/printconf/util/printconf_tui.pyo dev=hda2 ino=4309025 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=file

--
Tom London

From giuseppe.greco at agamura.com Sat Dec 4 20:47:45 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco)
Date: Sat, 04 Dec 2004 21:47:45 +0100
Subject: Understanding SELinux
Message-ID: <1102193265.6015.22.camel@gonzo.agamura.com>

Hi all,

I've lots of problems related to SELinux on FC3... I get tonnes of messages like

...
audit(1102179993.228:0): avc: denied { append } for pid=2624 exe=/sbin/syslogd name=boot.log dev=md-6 ino=128104 scontex=root:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
syslog: /var/log/boot.log: Permissin denied
...

Same problem with dhcpd, portmap, etc.

I've tried this

[root at murphy etc]# ls -alZ /var/log/boot.log
-rw------- root root /var/log/boot.log

... and then this

[root at murphy etc]# chcon -t var_log_t /var/log/boot.log

but I always get the error message "chcon: can't apply partial context to unlabeled file boot.log"

What I'm trying to understand is why system files like this are not already labeled as they should be, and what I have to do to get my boxes working without complaining...

Thanks for helping a poor novice,
j3d.

--
----------------------------------------
Giuseppe Greco
::agamura::

phone: +41 (0)91 604 67 65
mobile: +41 (0)76 390 60 32
email: giuseppe.greco at agamura.com
web: www.agamura.com
----------------------------------------

From selinux at gmail.com Sun Dec 5 00:34:24 2004
From: selinux at gmail.com (Tom London)
Date: Sat, 4 Dec 2004 16:34:24 -0800
Subject: Understanding SELinux
In-Reply-To: <1102193265.6015.22.camel@gonzo.agamura.com>
References: <1102193265.6015.22.camel@gonzo.agamura.com>
Message-ID: <4c4ba153041204163427b376df@mail.gmail.com>

I'm guessing that your filesystem is not labeled at all.

You can relabel your entire system by doing
    touch /.autorelabel
and then rebooting, or by running
    fixfiles relabel
and then rebooting.

That should get the labeling done on the boot up.

You may want to go get a cup of coffee, it will likely take a while (say, 10-20 minutes).

[The 'chcon' is failing because the SELinux label for /var/log/boot.log looks something like 'system_u:object_r:var_log_t'. You were only providing the last component ...]

tom

--
Tom London

From twaugh at redhat.com Sun Dec 5 10:29:16 2004
From: twaugh at redhat.com (Tim Waugh)
Date: Sun, 5 Dec 2004 10:29:16 +0000
Subject: cups wants to write to /usr/lib/python2.4/.../printconf_tui.pyo, etc
In-Reply-To: <4c4ba1530412041048671afa35@mail.gmail.com>
References: <4c4ba1530412041048671afa35@mail.gmail.com>
Message-ID: <20041205102916.GI14677@redhat.com>

On Sat, Dec 04, 2004 at 10:48:54AM -0800, Tom London wrote:
> Running strict/enforcing, latest Rawhide.
>
> When logging in, cups, running in cupsd_config_t
> wants to write /usr/lib/python/site-packages/printconf_tui.pyo,
> and /usr/share/printconf/util/printconf_tui.pyo.
> Strict and Permissive avc's shown below.

*sigh*

This comes up periodically. I am still waiting for the rpm configuration bit that fixes this to be turned on.

Tim.
*/

From giuseppe.greco at agamura.com Sun Dec 5 10:38:04 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco)
Date: Sun, 05 Dec 2004 11:38:04 +0100
Subject: Understanding SELinux
In-Reply-To: <4c4ba153041204163427b376df@mail.gmail.com>
References: <1102193265.6015.22.camel@gonzo.agamura.com> <4c4ba153041204163427b376df@mail.gmail.com>
Message-ID: <1102243085.6015.39.camel@gonzo.agamura.com>

Thanks Tom,

the situation is now much better... I'm able to start squid, but I still get the following two error messages:

Starting squid: audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir

audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t tclass=dir

It looks like there are problems with directories /boot and /tmp...

What's strange is that I get these error messages on a machine where I just upgraded from FC1 to FC3... I've also another machine on which I installed FC3 from scratch and here I've no problems at all.

j3d.

On Sat, 2004-12-04 at 16:34 -0800, Tom London wrote:
> I'm guessing that your filesystem is not labeled at all.
>
> You can relabel your entire system by doing
>     touch /.autorelabel
> and then rebooting
> or by running
>     fixfiles relabel
> and then rebooting
>
> That should get the labeling done on the boot up.
>
> You may want to go get a cup of coffee, it will
> likely take a while (say, 10-20 minutes).
>
> [The 'chcon' is failing because the SELinux label
> for /var/log/boot.log looks something like:
> 'system_u:object_r:var_log_t'. You were only
> providing the last component ...]
>
> tom
>

--
----------------------------------------
Giuseppe Greco
::agamura::

phone: +41 (0)91 604 67 65
mobile: +41 (0)79 602 99 27
email: giuseppe.greco at agamura.com
web: www.agamura.com
----------------------------------------

From n3npq at nc.rr.com Sun Dec 5 14:35:52 2004
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Sun, 05 Dec 2004 09:35:52 -0500
Subject: cups wants to write to /usr/lib/python2.4/.../printconf_tui.pyo, etc
In-Reply-To: <20041205102916.GI14677@redhat.com>
References: <4c4ba1530412041048671afa35@mail.gmail.com> <20041205102916.GI14677@redhat.com>
Message-ID: <41B31CC8.1070704@nc.rr.com>

Tim Waugh wrote:

>On Sat, Dec 04, 2004 at 10:48:54AM -0800, Tom London wrote:
>
>>Running strict/enforcing, latest Rawhide.
>>
>>When logging in, cups, running in cupsd_config_t
>>wants to write /usr/lib/python/site-packages/printconf_tui.pyo,
>>and /usr/share/printconf/util/printconf_tui.pyo.
>>Strict and Permissive avc's shown below.
>>
>
>*sigh*
>
>This comes up periodically. I am still waiting for the rpm
>configuration bit that fixes this to be turned on.
>
Me too. So I'll add brp-python-bytecompile to the automagic build root policy script collection in the macro %__os_install_post within rpm default configuration in my next rpm-4.3.3-2 build. Which is a bit rude, much like inflicting -debuginfo everywhere was a bit rude, and won't get rpm-4.3.3-2 into beehive build trees, and won't rebuild the packages that need to include *.pyo, but perhaps Godot will come along in a bit.

73 de Jeff

Index: platform.in
===================================================================
RCS file: /cvs/devel/rpm/platform.in,v
retrieving revision 2.17
diff -u -b -B -w -p -r2.17 platform.in
--- platform.in 8 Jan 2003 21:37:01 -0000 2.17
+++ platform.in 5 Dec 2004 14:27:39 -0000
@@ -57,6 +57,7 @@ @RPMCONFIGDIR@/brp-strip \ @RPMCONFIGDIR@/brp-strip-static-archive \ @RPMCONFIGDIR@/brp-strip-comment-note \ + @RPMCONFIGDIR@/brp-python-bytecompile \ %{nil} %__spec_install_post\

From selinux at gmail.com Sun Dec 5 17:57:19 2004
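Review bot: the new `@RPMCONFIGDIR@/brp-python-bytecompile \` entry is added unconditionally to the default %__os_install_post list, so every package built with this rpm configuration will run the byte-compile step; consider gating it behind a macro a spec can override, so packages that cannot ship byte-compiled files can opt out, and add a changelog entry, since the message itself notes the change will not by itself rebuild the packages that need to include *.pyo. Inserting the line before the `%{nil}` terminator keeps the backslash continuation chain intact, but because the diff was produced with -b -B -w the indentation of the new line relative to the brp-strip entries around it cannot be checked from the hunk.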
From: selinux at gmail.com (Tom London) Date: Sun, 5 Dec 2004 09:57:19 -0800 Subject: Understanding SELinux In-Reply-To: <1102243085.6015.39.camel@gonzo.agamura.com> References: <1102193265.6015.22.camel@gonzo.agamura.com> <4c4ba153041204163427b376df@mail.gmail.com> <1102243085.6015.39.camel@gonzo.agamura.com> Message-ID: <4c4ba153041205095747425449@mail.gmail.com> On Sun, 05 Dec 2004 11:38:04 +0100, Giuseppe Greco wrote: > Thanks Tom, > > the situation is now much better... I'm able to start squid, > but I still get the following two error messages: > > Starting squid: audit(1102241826.255.0): avc: denied { getattr } for > pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2 > scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t > tclass=dir > > audit(1102241826.255.0): avc: denied { getattr } for > pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2 > scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t > tclass=dir > > It looks like there are problems with directories /boot and /tmp... > > What's strange is that I get these error messages on a machine where > I just upgraded from FC1 to FC3... I've also another machine on > which I installed FC3 from scratch and here I've no problems at all. 
> I'm running strict/enforcing with latest Rawhide packages (selinux-policy-strict-1.19.10-4) If I change to permissive mode (via 'setenforce 0') and start squid (via '/etc/init.d/squid start') I get the following: Dec 5 09:47:34 fedora kernel: audit(1102268854.527:0): avc: denied { write } for pid=3455 exe=/bin/bash name=squid dev=hda2 ino=4457453 scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t tclass=dir Dec 5 09:47:34 fedora kernel: audit(1102268854.527:0): avc: denied { add_name } for pid=3455 exe=/bin/bash name=squid.out scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t tclass=dir Dec 5 09:47:34 fedora kernel: audit(1102268854.528:0): avc: denied { create } for pid=3455 exe=/bin/bash name=squid.out scontext=root:system_r:initrc_t tcontext=root:object_r:squid_log_t tclass=file Dec 5 09:47:35 fedora squid[3458]: Squid Parent: child process 3460 started With squid successfully running. This indicates that the policy may need some additional rules, like: allow initrc_t squid_log_t:dir { add_name write }; allow initrc_t squid_log_t:file create; But I don't get the messages you get. I'm running squid-2.5.STABLE7-1. Is this the same as you? tom -- Tom London From selinux at gmail.com Sun Dec 5 19:11:33 2004 From: selinux at gmail.com (Tom London) Date: Sun, 5 Dec 2004 11:11:33 -0800 Subject: squid.te Message-ID: <4c4ba1530412051111630c5288@mail.gmail.com> Running strict/enforcing, latest Rawhide squid and initrc need to create/write /var/log/squid/squid.out, etc Suggest adding: allow { squid_t initrc_t } squid_log_t:dir create_dir_perms; allow { squid_t initrc_t } squid_log_t:file create_file_perms; tom -- Tom London From giuseppe.greco at agamura.com Mon Dec 6 06:50:48 2004 
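Tom's two messages above derive allow rules by hand from the initrc_t denials. The following Python is an added example, not code from the thread or from Fedora's tooling: it performs the same aggregation step that audit2allow does, parsing each `avc: denied` line, taking the type field out of scontext and tcontext, and merging the permissions per (source type, target type, object class). The sample input is constructed from the denials quoted above, the function names are the example's own, and the exe field is kept per rule so a reviewer can see that /bin/bash (the init script) rather than squid itself triggered them, which is the question Colin raises later in the thread.

```python
"""Turn AVC denials into candidate allow rules, the way audit2allow does.

Added example, not code from the fedora-selinux-list thread or from
Fedora's tooling.
"""
import re
from collections import defaultdict

# Constructed sample: the initrc_t denials quoted in the thread, plus one
# non-AVC line so the parser has something to skip.
SAMPLE_AUDIT = """\
Dec  5 09:47:34 fedora kernel: audit(1102268854.527:0): avc:  denied  { write } for  pid=3455 exe=/bin/bash name=squid dev=hda2 ino=4457453 scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t tclass=dir
Dec  5 09:47:34 fedora kernel: audit(1102268854.527:0): avc:  denied  { add_name } for  pid=3455 exe=/bin/bash name=squid.out scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t tclass=dir
Dec  5 09:47:34 fedora kernel: audit(1102268854.528:0): avc:  denied  { create } for  pid=3455 exe=/bin/bash name=squid.out scontext=root:system_r:initrc_t tcontext=root:object_r:squid_log_t tclass=file
Dec  5 09:47:35 fedora squid[3458]: Squid Parent: child process 3460 started
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def _type_of(context):
    """user:role:type[:range] -> type."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def parse_avc_denials(text):
    """One record per 'avc: denied' line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("rest")))
        if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
            continue  # no rule can be made without all three; do not guess
        records.append({
            "perms": frozenset(m.group("perms").split()),
            "source": _type_of(fields["scontext"]),
            "target": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "exe": fields.get("exe", "?"),
        })
    return records


def group_denials(text):
    """(source, target, class) -> {'perms': set, 'exes': set}."""
    groups = defaultdict(lambda: {"perms": set(), "exes": set()})
    for rec in parse_avc_denials(text):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["exes"].add(rec["exe"])
    return dict(groups)


def suggest_allow_rules(text):
    """Sorted 'allow src tgt:class perms;' strings, one per group."""
    rules = []
    for (src, tgt, cls), g in sorted(group_denials(text).items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def triggering_exes(text):
    """Which executables produced each group, as a review aid."""
    return {key: sorted(g["exes"]) for key, g in group_denials(text).items()}


if __name__ == "__main__":
    for rule in suggest_allow_rules(SAMPLE_AUDIT):
        print(rule)
    for key, exes in triggering_exes(SAMPLE_AUDIT).items():
        print(f"# {key}: triggered by {', '.join(exes)}")
```

Rules produced this way say what would silence the denial, not whether the access is wanted: here they reproduce Tom's two rules exactly, while the exe column shows the writer is the shell running the init script, which is the basis for the later suggestion in this thread to change the script instead of granting initrc_t write access to squid's log type.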
From: giuseppe.greco at agamura.com (Giuseppe Greco) Date: Mon, 6 Dec 2004 07:50:48 +0100 (CET) Subject: squid.te In-Reply-To: <4c4ba1530412051111630c5288@mail.gmail.com> References: <4c4ba1530412051111630c5288@mail.gmail.com> Message-ID: <2487.217.168.41.20.1102315848.squirrel@mail.agamura.com> Tom, Thanks a lot! I'll be back on Friday, and I'll try then. j3d. > Running strict/enforcing, latest Rawhide > > squid and initrc needs to create/write /var/log/squid/squid.out, etc > > Suggest adding: > allow { squid_t initrc_t } squid_log_t:dir create_dir_perms; > allow { squid_t initrc_t } squid_log_t:file create_file_perms; > > tom > -- > Tom London > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > ---------------------------------------- Giuseppe Greco ::agamura:: phone: +41 (0)91 604 67 65 mobile: +41 (0)79 602 99 27 email: giuseppe.greco at agamura.com web: www.agamura.com ---------------------------------------- From rhallyx at mindspring.com Mon Dec 6 11:13:21 2004 
From: rhallyx at mindspring.com (Richard Hally) Date: Mon, 06 Dec 2004 06:13:21 -0500 Subject: avc denied from /.autorelabel Message-ID: <41B43ED1.7020305@mindspring.com> Included below are the avc denied messages from trying to do an autorelabel while in enforcing mode with the strict policy. There are also messages about line 64 of rc.sysinit: permission denied. Looks like sysinit(initrc_t) is trying to write to /selinux/enforce without being allowed to do so. Thus setfiles cannot read file_contexts. HTH Richard Hally Dec 6 05:53:56 new2 kernel: audit(1102330419.769:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file Dec 6 05:53:56 new2 kernel: audit(1102330419.769:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file Dec 6 05:53:56 new2 kernel: audit(1102330420.005:0): avc: denied { read } for pid=1279 exe=/usr/sbin/setfiles name=file_contexts dev=dm-0 ino=3998097 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_context_t tclass=file Dec 6 05:53:56 new2 kernel: audit(1102330420.026:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file Dec 6 05:53:56 new2 kernel: audit(1102330420.026:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file From astephens at ptera.net Mon Dec 6 18:19:52 2004 
From: astephens at ptera.net (Arthur Stephens) Date: Mon, 6 Dec 2004 10:19:52 -0800 Subject: perl/cgi script problem References: <011c01c4d96f$2b386550$c600a8c0@tyliteworker> <41B0BFBE.1050900@redhat.com> Message-ID: <012a01c4dbc0$2e3426b0$c600a8c0@tyliteworker> Ok so I did this upgrade but there must be something else I need to do because I still have the same errors Arthur Stephens Sales Technician Ptera Wireless Internet astephens at ptera.net 509-927-Ptera ----- Original Message ----- 
From: "Daniel J Walsh" To: "Fedora SELinux support list for users & developers." Sent: Friday, December 03, 2004 11:34 AM Subject: Re: perl/cgi script problem > Arthur Stephens wrote: > > > Ok I thought I had this SELinux thing figured out atleast a little. > > Finally got httpd to startup. > > But now I have perl/cgi script problems. > > When trying to access my Genesis WebAuthoring System the script works > > in the /cgi-bin/genesis/ directory displaying the login screen > > but when I go to log in I get this error message. > > ** > > *Error:* could not write to file > > '/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens' > > - Permission denied - Permission denied > > > > Plus these on the console > > Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied > > { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc > > ino=-268435431 scontext=root:system_r:httpd_sys_script_t > > tcontext=system_u:object_r:sysctl_t tclass=dir > > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied > > { search } for pid=2360 exe=/usr/bin/perl > > scontext=root:system_r:httpd_sys_script_t > > tcontext=system_u:object_r:sysctl_kernel_t tclass=dir > > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied > > { search } for pid=2360 exe=/usr/bin/perl name=sys dev=proc > > ino=-268435431 scontext=root:system_r:httpd_sys_script_t > > tcontext=system_u:object_r:sysctl_t tclass=dir > > Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied > > { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens > > dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t > > tcontext=system_u:object_r:httpd_sys_content_t tclass=file > > Oh I know what this means so I added this to my custom.fc > > /var/www/.*/cgi-bin(/.*)? 
system-u:object_r:httpd_sys_script_exec_t > > > > which is what I saw in file_contexts for /var/www/cgi-bin > > > > make load > > fixfiles relabel > > > > The log shows it relabled everything. > > But now I get... > > > > Dec 3 13:42:38 webmail kernel: audit(1102110158.398:0): avc: denied > > { search } for pid=1873 exe=/usr/bin/perl name=sys dev=proc > > ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t > > tcontext=system_u:object_r:sysctl_t tclass=dir > > Dec 3 13:42:47 webmail kernel: audit(1102110167.739:0): avc: denied > > { search } for pid=1874 exe=/usr/bin/perl > > scontext=user_u:system_r:httpd_sys_script_t > > tcontext=system_u:object_r:sysctl_kernel_t tclass=dir > > Dec 3 13:42:47 webmail kernel: audit(1102110167.740:0): avc: denied > > { search } for pid=1874 exe=/usr/bin/perl name=sys dev=proc > > ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t > > tcontext=system_u:object_r:sysctl_t tclass=dir > > Dec 3 13:42:47 webmail kernel: audit(1102110167.964:0): avc: denied > > { write } for pid=1874 exe=/usr/bin/perl name=.webauth_tokens > > dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t > > tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file > > So I ran out of what I know to do or maybe I messed things up. > > > > > > Arthur Stephens > > Sales Technician > > Ptera Wireless Internet > > astephens at ptera.net > > 509-927-Ptera > > > >------------------------------------------------------------------------ > > > >-- > >fedora-selinux-list mailing list > >fedora-selinux-list at redhat.com > >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > We have placed an update to the SELinux policy that should fix this problem. > I am not sure it has made it into Fedora-Updates yet. 
The latest policy > is available at > > ftp://people.redhat.com/dwalsh/SELinux/FC3 > > Dan > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list From walters at redhat.com Mon Dec 6 18:19:51 2004 From: walters at redhat.com (Colin Walters) Date: Mon, 06 Dec 2004 13:19:51 -0500 Subject: Understanding SELinux In-Reply-To: <4c4ba153041205095747425449@mail.gmail.com> References: <1102193265.6015.22.camel@gonzo.agamura.com> <4c4ba153041204163427b376df@mail.gmail.com> <1102243085.6015.39.camel@gonzo.agamura.com> <4c4ba153041205095747425449@mail.gmail.com> Message-ID: <1102357191.12147.10.camel@nexus.verbum.private> On Sun, 2004-12-05 at 09:57 -0800, Tom London wrote: > Dec 5 09:47:34 fedora kernel: audit(1102268854.527:0): avc: denied > { write } for pid=3455 exe=/bin/bash name=squid dev=hda2 ino=4457453 > scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t > tclass=dir > Dec 5 09:47:34 fedora kernel: audit(1102268854.527:0): avc: denied > { add_name } for pid=3455 exe=/bin/bash name=squid.out > scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t > tclass=dir Is the squid init script messing around with the squid data? It'd be preferable if whatever it was doing was built-in squid functionality, so we don't have to allow initrc_t those privileges. From astephens at ptera.net Mon Dec 6 18:49:13 2004 
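Arthur's custom.fc entry quoted earlier in the perl/cgi thread, `/var/www/.*/cgi-bin(/.*)?`, labels everything beneath cgi-bin, data files included, as httpd_sys_script_exec_t, which is why his second set of denials shows the script's own `.webauth_tokens` file carrying that type and the write being refused. The following Python is an added example, not code from the thread or from libselinux: a simplified matchpathcon that applies the file_contexts rule that the last matching entry wins (the optional file-type field such as `--` or `-d` is not handled). The three table entries are constructed in the spirit of the FC3 apache file contexts with the user field written as system_u, the script name login.cgi is hypothetical, and the extra entry for script_data assumes the policy provides a writable type for script data, written here as httpd_sys_script_rw_t.

```python
"""Simplified file_contexts matching, to see what a spec really labels.

Added example, not code from the thread or from libselinux. Rule modelled:
the last matching entry wins; the optional file-type field ('--', '-d')
is not supported.
"""
import re

# Constructed table, in the spirit of the FC3 apache file contexts plus the
# custom.fc line from the thread (user field written as system_u).
FILE_CONTEXTS = """\
/var/www(/.*)?              system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)?      system_u:object_r:httpd_sys_script_exec_t
/var/www/.*/cgi-bin(/.*)?   system_u:object_r:httpd_sys_script_exec_t
"""

# Hypothetical fix: a later, more specific entry for the data the CGI writes.
# Assumes the policy's httpd_sys_script_rw_t type for script-writable files.
SCRIPT_DATA_ENTRY = (
    "/var/www/.*/cgi-bin/genesis/script_data(/.*)?  "
    "system_u:object_r:httpd_sys_script_rw_t\n"
)

TOKEN_FILE = "/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens"
CGI_SCRIPT = "/var/www/pteraweb/cgi-bin/genesis/login.cgi"  # hypothetical name


def parse_file_contexts(text):
    """Return [(compiled_regex, context)] in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"unsupported file_contexts entry: {raw!r}")
        regex, context = parts
        # setfiles/matchpathcon anchor every regex at both ends.
        specs.append((re.compile("^" + regex + "$"), context))
    return specs


def matchpathcon(specs, path):
    """Context of the last matching entry, or None if nothing matches."""
    result = None
    for regex, context in specs:
        if regex.match(path):
            result = context
    return result


def type_of(context):
    """user:role:type[:range] -> type (None stays None)."""
    return None if context is None else context.split(":")[2]


def label_report(table_text, paths):
    """Map each path to the type the table would assign it."""
    specs = parse_file_contexts(table_text)
    return {p: type_of(matchpathcon(specs, p)) for p in paths}


if __name__ == "__main__":
    for table, title in ((FILE_CONTEXTS, "as posted"),
                         (FILE_CONTEXTS + SCRIPT_DATA_ENTRY, "with script_data entry")):
        print(title)
        for path, t in label_report(table, [CGI_SCRIPT, TOKEN_FILE]).items():
            print(f"  {str(t):28} {path}")
```

With the table as posted both the script and its token file come out as httpd_sys_script_exec_t; with the later, more specific script_data entry appended the script keeps its exec type and the token file gets the writable type, which is the shape of fix a file-context change for this report needs, independent of the policy update Dan pointed to.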
From: astephens at ptera.net (Arthur Stephens) Date: Mon, 6 Dec 2004 10:49:13 -0800 Subject: perl/cgi script problem References: <011c01c4d96f$2b386550$c600a8c0@tyliteworker><41B0BFBE.1050900@redhat.com> <012a01c4dbc0$2e3426b0$c600a8c0@tyliteworker> Message-ID: <015d01c4dbc4$47ad01d0$c600a8c0@tyliteworker> Then I replaced the filecontents with the filecontents.rpmnew and policy.8 with policy.8.rpmnew and now I get these messages... Dec 6 13:19:21 webmail kernel: audit(1102367961.429:0): avc: denied { unlink } for pid=1959 exe=/usr/sbin/httpd name=ssl_mutex.1959 dev=dm-0 ino=229025 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file Dec 6 13:19:22 webmail httpd: httpd startup succeeded Dec 6 13:19:22 webmail kernel: audit(1102367962.716:0): avc: denied { unlink } for pid=1960 exe=/usr/sbin/httpd name=ssl_mutex.1959 dev=dm-0 ino=229025 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file But httpd is not running because service httpd status yields... httpd dead but subsys locked : ( Arthur Stephens Sales Technician Ptera Wireless Internet astephens at ptera.net 509-927-Ptera ----- Original Message ----- From: "Arthur Stephens" To: "Fedora SELinux support list for users & developers." Sent: Monday, December 06, 2004 10:19 AM Subject: Re: perl/cgi script problem > Ok so I did this upgrade but there must be something else I need to do > because I still have the same errors > > Arthur Stephens > Sales Technician > Ptera Wireless Internet > astephens at ptera.net > 509-927-Ptera > > ----- Original Message ----- 
> From: "Daniel J Walsh" > To: "Fedora SELinux support list for users & developers." > > Sent: Friday, December 03, 2004 11:34 AM > Subject: Re: perl/cgi script problem > > > > Arthur Stephens wrote: > > > > > Ok I thought I had this SELinux thing figured out atleast a little. > > > Finally got httpd to startup. > > > But now I have perl/cgi script problems. > > > When trying to access my Genesis WebAuthoring System the script works > > > in the /cgi-bin/genesis/ directory displaying the login screen > > > but when I go to log in I get this error message. > > > ** > > > *Error:* could not write to file > > > '/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens' > > > - Permission denied - Permission denied > > > > > > Plus these on the console > > > Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied > > > { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc > > > ino=-268435431 scontext=root:system_r:httpd_sys_script_t > > > tcontext=system_u:object_r:sysctl_t tclass=dir > > > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied > > > { search } for pid=2360 exe=/usr/bin/perl > > > scontext=root:system_r:httpd_sys_script_t > > > tcontext=system_u:object_r:sysctl_kernel_t tclass=dir > > > Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied > > > { search } for pid=2360 exe=/usr/bin/perl name=sys dev=proc > > > ino=-268435431 scontext=root:system_r:httpd_sys_script_t > > > tcontext=system_u:object_r:sysctl_t tclass=dir > > > Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied > > > { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens > > > dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t > > > tcontext=system_u:object_r:httpd_sys_content_t tclass=file > > > Oh I know what this means so I added this to my custom.fc > > > /var/www/.*/cgi-bin(/.*)? 
system-u:object_r:httpd_sys_script_exec_t > > > > > > which is what I saw in file_contexts for /var/www/cgi-bin > > > > > > make load > > > fixfiles relabel > > > > > > The log shows it relabled everything. > > > But now I get... > > > > > > Dec 3 13:42:38 webmail kernel: audit(1102110158.398:0): avc: denied > > > { search } for pid=1873 exe=/usr/bin/perl name=sys dev=proc > > > ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t > > > tcontext=system_u:object_r:sysctl_t tclass=dir > > > Dec 3 13:42:47 webmail kernel: audit(1102110167.739:0): avc: denied > > > { search } for pid=1874 exe=/usr/bin/perl > > > scontext=user_u:system_r:httpd_sys_script_t > > > tcontext=system_u:object_r:sysctl_kernel_t tclass=dir > > > Dec 3 13:42:47 webmail kernel: audit(1102110167.740:0): avc: denied > > > { search } for pid=1874 exe=/usr/bin/perl name=sys dev=proc > > > ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t > > > tcontext=system_u:object_r:sysctl_t tclass=dir > > > Dec 3 13:42:47 webmail kernel: audit(1102110167.964:0): avc: denied > > > { write } for pid=1874 exe=/usr/bin/perl name=.webauth_tokens > > > dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t > > > tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file > > > So I ran out of what I know to do or maybe I messed things up. > > > > > > > > > Arthur Stephens > > > Sales Technician > > > Ptera Wireless Internet > > > astephens at ptera.net > > > 509-927-Ptera > > > > > >------------------------------------------------------------------------ > > > > > >-- > > >fedora-selinux-list mailing list > > >fedora-selinux-list at redhat.com > > >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > > We have placed an update to the SELinux policy that should fix this > problem. > > I am not sure it has made it into Fedora-Updates yet. 
The latest policy > > is available at > > > > ftp://people.redhat.com/dwalsh/SELinux/FC3 > > > > Dan > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list From jorton at redhat.com Mon Dec 6 19:53:00 2004 From: jorton at redhat.com (Joe Orton) Date: Mon, 6 Dec 2004 19:53:00 +0000 Subject: perl/cgi script problem In-Reply-To: <015d01c4dbc4$47ad01d0$c600a8c0@tyliteworker> References: <012a01c4dbc0$2e3426b0$c600a8c0@tyliteworker> <015d01c4dbc4$47ad01d0$c600a8c0@tyliteworker> Message-ID: <20041206195300.GA12131@redhat.com> On Mon, Dec 06, 2004 at 10:49:13AM -0800, Arthur Stephens wrote: > Then I replaced the filecontents with the filecontents.rpmnew > and policy.8 with policy.8.rpm new > and now I get theses messages... > > Dec 6 13:19:21 webmail kernel: audit(1102367961.429:0): avc: denied { > unlink } for pid=1959 exe=/usr/sbin/httpd name=ssl_mutex.1959 dev=dm-0 > ino=229025 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t > tclass=file > Dec 6 13:19:22 webmail httpd: httpd startup succeeded > Dec 6 13:19:22 webmail kernel: audit(1102367962.716:0): avc: denied { > unlink } for pid=1960 exe=/usr/sbin/httpd name=ssl_mutex.1959 dev=dm-0 > ino=229025 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t > tclass=file This shouldn't happen in the default config - did you regenerate your config files using system-config-httpd or something? Find the "SSLMutex" line in /etc/httpd/conf.d/ssl.conf and replace it with: SSLMutex default and you should be OK. joe From selinux at gmail.com Mon Dec 6 20:24:22 2004 
From: selinux at gmail.com (Tom London) Date: Mon, 6 Dec 2004 12:24:22 -0800 Subject: Understanding SELinux In-Reply-To: <1102357191.12147.10.camel@nexus.verbum.private> References: <1102193265.6015.22.camel@gonzo.agamura.com> <4c4ba153041204163427b376df@mail.gmail.com> <1102243085.6015.39.camel@gonzo.agamura.com> <4c4ba153041205095747425449@mail.gmail.com> <1102357191.12147.10.camel@nexus.verbum.private> Message-ID: <4c4ba1530412061224ea00faf@mail.gmail.com> On Mon, 06 Dec 2004 13:19:51 -0500, Colin Walters wrote: > On Sun, 2004-12-05 at 09:57 -0800, Tom London wrote: > Is the squid init script messing around with the squid data? It'd be > preferable if whatever it was doing was built-in squid functionality, so > we don't have to allow initrc_t those privileges. > I agree, but the files (e.g., /var/log/squid/squid.out) seem created in the script. Here is a line from /etc/init.d/squid: $SQUID -z -F -D >> /var/log/squid/squid.out 2>&1 So the script running as initrc_t is creating the file on the first run, and opening it for output thereafter, no? After that it's written by squid_t. tom -- Tom London From walters at redhat.com Mon Dec 6 21:07:41 2004 
From: walters at redhat.com (Colin Walters) Date: Mon, 06 Dec 2004 16:07:41 -0500 Subject: Understanding SELinux In-Reply-To: <4c4ba1530412061224ea00faf@mail.gmail.com> References: <1102193265.6015.22.camel@gonzo.agamura.com> <4c4ba153041204163427b376df@mail.gmail.com> <1102243085.6015.39.camel@gonzo.agamura.com> <4c4ba153041205095747425449@mail.gmail.com> <1102357191.12147.10.camel@nexus.verbum.private> <4c4ba1530412061224ea00faf@mail.gmail.com> Message-ID: <1102367261.12147.25.camel@nexus.verbum.private> On Mon, 2004-12-06 at 12:24 -0800, Tom London wrote: > On Mon, 06 Dec 2004 13:19:51 -0500, Colin Walters wrote: > > On Sun, 2004-12-05 at 09:57 -0800, Tom London wrote: > > > Is the squid init script messing around with the squid data? It'd be > > preferable if whatever it was doing was built-in squid functionality, so > > we don't have to allow initrc_t those privileges. > > > > I agree, but the files (e.g., /var/log/squid/squid.out) > seem created in the script. > > Here is a line from /etc/init.d/squid: > $SQUID -z -F -D >> /var/log/squid/squid.out 2>&1 > > So the script running as initrc_t is creating the file on the > first run, and opening it for output thereafter, no? > After that it's written by squid_t. Is this just debugging output or something? Or is that actually how squid writes its normal logging information instead of via syslog? From selinux at gmail.com Mon Dec 6 21:19:13 2004 
From: selinux at gmail.com (Tom London) Date: Mon, 6 Dec 2004 13:19:13 -0800 Subject: Understanding SELinux In-Reply-To: <1102367261.12147.25.camel@nexus.verbum.private> References: <1102193265.6015.22.camel@gonzo.agamura.com> <4c4ba153041204163427b376df@mail.gmail.com> <1102243085.6015.39.camel@gonzo.agamura.com> <4c4ba153041205095747425449@mail.gmail.com> <1102357191.12147.10.camel@nexus.verbum.private> <4c4ba1530412061224ea00faf@mail.gmail.com> <1102367261.12147.25.camel@nexus.verbum.private> Message-ID: <4c4ba1530412061319e87ca9b@mail.gmail.com> On Mon, 06 Dec 2004 16:07:41 -0500, Colin Walters wrote: > > Is this just debugging output or something? Or is that actually how > squid writes its normal logging information instead of via syslog? > Colin, I'm not a squid expert, but I suspect that this is there to capture any stdout/stderr from squid. After changing policy as described, starting and stopping squid produces a squid.out file of zero bytes, owned by root and of type squid_log_t. /etc/squid/squid.conf refers to /var/log/squid/access.log, /var/log/squid/cache.log, and /var/log/squid/store.log. These seem to be created properly (aka, owned by squid, type squid_log_t) tom -- Tom London From walters at redhat.com Mon Dec 6 21:37:28 2004 
From: walters at redhat.com (Colin Walters) Date: Mon, 06 Dec 2004 16:37:28 -0500 Subject: Understanding SELinux In-Reply-To: <4c4ba1530412061319e87ca9b@mail.gmail.com> References: <1102193265.6015.22.camel@gonzo.agamura.com> <4c4ba153041204163427b376df@mail.gmail.com> <1102243085.6015.39.camel@gonzo.agamura.com> <4c4ba153041205095747425449@mail.gmail.com> <1102357191.12147.10.camel@nexus.verbum.private> <4c4ba1530412061224ea00faf@mail.gmail.com> <1102367261.12147.25.camel@nexus.verbum.private> <4c4ba1530412061319e87ca9b@mail.gmail.com> Message-ID: <1102369048.12147.29.camel@nexus.verbum.private> On Mon, 2004-12-06 at 13:19 -0800, Tom London wrote: > On Mon, 06 Dec 2004 16:07:41 -0500, Colin Walters wrote: > > > > Is this just debugging output or something? Or is that actually how > > squid writes its normal logging information instead of via syslog? > > > Colin, > > I'm not a squid expert, but I suspect that this is > there to capture any stdout/stderr from squid. I'd suggest just removing that from the init script then; in error cases you probably want the output to the terminal anyways, just like how most other daemons work. (Although right now the policy also denies access to the terminal, long term I hope we'll come up with a good general solution for that problem for all daemons). From astephens at ptera.net Tue Dec 7 01:40:07 2004 
From: astephens at ptera.net (Arthur Stephens) Date: Mon, 6 Dec 2004 17:40:07 -0800 Subject: http startup problem Message-ID: <01ce01c4dbfd$aecbd7e0$c600a8c0@tyliteworker> I do not know if this is a SELinux problem or httpd problem. Upgraded to the latest SELinux and now httpd fails with the following message Dec 6 20:13:03 webmail kernel: audit(1102392783.654:0): avc: denied { unlink } for pid=2005 exe=/usr/sbin/httpd name=ssl_mutex.2005 dev=dm-0 ino=228205 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file Dec 6 20:13:04 webmail httpd: httpd startup succeeded Dec 6 20:13:04 webmail kernel: audit(1102392784.995:0): avc: denied { unlink } for pid=2006 exe=/usr/sbin/httpd name=ssl_mutex.2005 dev=dm-0 ino=228205 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file The httpd error log shows [Mon Dec 06 20:13:04 2004] [error] (17)File exists: Cannot create SSLMutex with file `/etc/httpd/logs/ssl_mutex.2005' Configuration Failed ls -Z of the directory shows the ssl_mutex... is being created incorrectly? -rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log.2 -rw-r--r-- root root root:object_r:httpd_log_t ssl_mutex.2005 -rw-r--r-- root root system_u:object_r:httpd_log_t ssl_request_log I am confused on where to fix this. Arthur Stephens Sales Technician Ptera Wireless Internet astephens at ptera.net 509-927-Ptera From jorton at redhat.com Tue Dec 7 01:58:19 2004 
From: jorton at redhat.com (Joe Orton) Date: Tue, 7 Dec 2004 01:58:19 +0000 Subject: http startup problem In-Reply-To: <01ce01c4dbfd$aecbd7e0$c600a8c0@tyliteworker> References: <01ce01c4dbfd$aecbd7e0$c600a8c0@tyliteworker> Message-ID: <20041207015819.GA19754@redhat.com> On Mon, Dec 06, 2004 at 05:40:07PM -0800, Arthur Stephens wrote: > I do not know if this a SELinux problem or httpd problem. > > Upgraded to the latest SELinux and now httpd fails with the following message > > Dec 6 20:13:03 webmail kernel: audit(1102392783.654:0): avc: denied { > unlink } for pid=2005 exe=/usr/sbin/httpd name=ssl_mutex.2005 dev=dm-0 > ino=228205 scontext=root:system_r:httpd_t > tcontext=root:object_r:httpd_log_t tclass=file Dec 6 20:13:04 webmail > httpd: httpd startup succeeded Dec 6 20:13:04 webmail kernel: > audit(1102392784.995:0): avc: denied { unlink } for pid=2006 > exe=/usr/sbin/httpd name=ssl_mutex.2005 dev=dm-0 ino=228205 > scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t > tclass=file > > The httpd error log shows > [Mon Dec 06 20:13:04 2004] [error] (17)File exists: Cannot create SSLMutex with file `/etc/httpd/logs/ssl_mutex.2005' > Configuration Failed To confirm, you are using the stock Fedora httpd and apr packages? Per my previous mail, this really should only happen if you have configured SSLMutex to something other than default setting of "default" in the Fedora /etc/httpd/conf.d/ssl.conf. Can you double-check that? Regards, joe From russell at coker.com.au Tue Dec 7 05:33:10 2004 
From: russell at coker.com.au (Russell Coker) Date: Tue, 7 Dec 2004 16:33:10 +1100 Subject: avc denied from /.autorelabel In-Reply-To: <41B43ED1.7020305@mindspring.com> References: <41B43ED1.7020305@mindspring.com> Message-ID: <200412071633.13364.russell@coker.com.au> On Monday 06 December 2004 22:13, Richard Hally wrote: > Included below are the avc denied messages from trying to do an > autorelabel while in enforcing mode with the strict policy. > there are also messages about line 64 of rc.sysinit: permission denied. > Looks like sysinit(initrc_t) is trying to write to /selinux/enforce with > out being allowed to do so. can_setenforce(initrc_t) We need to add the above to initrc.te inside the ifdef(`distro_redhat' part. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From dwalsh at redhat.com Tue Dec 7 15:24:54 2004 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 07 Dec 2004 10:24:54 -0500 Subject: Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail... In-Reply-To: <200412032012.iB3KCjaT030175@turing-police.cc.vt.edu> References: <200412032012.iB3KCjaT030175@turing-police.cc.vt.edu> Message-ID: <41B5CB46.4020407@redhat.com> Valdis.Kletnieks at vt.edu wrote: >Running Fedora Core Rawhide as of the other night, so fairly recent. >Using 'strict/permissive' at the moment... > >So I set up 'smartd' to monitor the hard drive in my laptop - I *know* there's >one bad spot of about 10 blocks long on it, and want to be told if it decides >to start getting bigger. And sure enough, at boot it tries to e-mail me and >tell me there's bad blocks. Unfortunately, it seems to invoke 'sh -c mail' or >something like that, so even the ugly hack of adding an >exec_auto_trans(sendmail_t) doesn't look like it will help. Any good ideas on >how to deal with this one? > >(And I have *NO* idea why it pops the first 5-6 while trying to find resolv.conf) > >Is it trying to open port 25 to send the mail, and if there's no sendmail running, >it invokes 'sh -c mail'? If so, the solution (or part of it) would simply be to >have smartd start after sendmail does..... > >Oddly curious - the failed read for pipe:[9756] - both ends appear to be fsdaemon_t ;) > > > Can you try this patch diff fs_daemon.te~ fs_daemon.te 6c6 < daemon_domain(fsdaemon, `, fs_domain') --- > daemon_domain(fsdaemon, `, fs_domain, privmail') 15a16 > can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t } [root at laptop program]# diff -u fs_daemon.te~ fs_daemon.te --- fs_daemon.te~ 2004-12-02 15:06:58.000000000 -0500 +++ fs_daemon.te 2004-12-07 10:18:53.437845410 -0500 @@ -3,7 +3,7 @@ # Author: Russell Coker # X-Debian-Packages: smartmontools -daemon_domain(fsdaemon, `, fs_domain') +daemon_domain(fsdaemon, `, fs_domain, privmail') allow fsdaemon_t self:unix_dgram_socket create_socket_perms; # for config 
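Review bot: adding privmail to the daemon_domain() line is the right mechanism for the report in this thread, since privmail is the attribute the policy uses for domains allowed to hand mail to the mail transport, so fsdaemon_t gets there through the policy's mail transition rather than the inline exec_auto_trans(sendmail_t) hack the reporter considered. The commit message should say, though, that smartd's mail path is `sh -c mail` (per the reporter and the shell_exec_t and bin_t denials quoted below), so this hunk alone does not cover the shell step; that is what the second hunk is for, and the two need to land together or the first one changes nothing visible.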
@@ -13,3 +13,4 @@ allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms; allow fsdaemon_t self:capability { sys_rawio sys_admin }; allow fsdaemon_t etc_runtime_t:file { getattr read }; +can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t } >The messages (almost 70 of them): >Dec 3 11:07:42 turing-police kernel: audit(1102089972.656:0): avc: denied { search } for pid=17328 exe=/usr/sbin/smartd name=/ dev=tmpfs ino=3131 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir >Dec 3 11:07:42 turing-police kernel: audit(1102089972.697:0): avc: denied { write } for pid=17328 exe=/usr/sbin/smartd name=log dev=tmpfs ino=9084 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file >Dec 3 11:07:42 turing-police kernel: audit(1102089974.784:0): avc: denied { read } for pid=17328 exe=/usr/sbin/smartd name=resolv.conf dev=dm-5 ino=24648 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:net_conf_t tclass=file >Dec 3 11:07:42 turing-police kernel: audit(1102089974.784:0): avc: denied { getattr } for pid=17328 exe=/usr/sbin/smartd path=/etc/resolv.conf dev=dm-5 ino=24648 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:net_conf_t tclass=file >Dec 3 11:07:42 turing-police kernel: audit(1102089974.839:0): avc: denied { create } for pid=17328 exe=/usr/sbin/smartd scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=unix_stream_socket >Dec 3 11:07:42 turing-police kernel: audit(1102089974.839:0): avc: denied { connect } for pid=17328 exe=/usr/sbin/smartd scontext=system_u:system_r:fsdaemon_t tcontext=system_u:system_r:fsdaemon_t tclass=unix_stream_socket >Dec 3 11:07:42 turing-police kernel: audit(1102089974.947:0): avc: denied { search } for pid=8202 exe=/usr/sbin/smartd name=bin dev=dm-5 ino=26670 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=dir >Dec 3 11:07:42 turing-police kernel: audit(1102089974.947:0): avc: denied { read 
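Review bot: the added `+can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }` is missing its closing parenthesis (the same line in the plain `diff` output above also ends at `}`), so the m4 macro call is unterminated and the policy will not build as intended; it should read `can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t })`. Also note the breadth: can_exec with bin_t and sbin_t lets fsdaemon_t run anything in /bin and /sbin in its own domain, while the denials quoted below only show /bin/bash and /bin/mail; if the aim is just `sh -c mail`, shell_exec_t plus bin_t already covers it, and sbin_t should be justified in the commit message before it is kept.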
From selinux at gmail.com Tue Dec 7 
15:57:58 2004
From: selinux at gmail.com (Tom London)
Date: Tue, 7 Dec 2004 07:57:58 -0800
Subject: yum/bootloader avcs?
Message-ID: <4c4ba153041207075743d24ae@mail.gmail.com>

Running strict, latest Rawhide.

I happened to do today's updates in permissive mode, and got the following avcs:

Dec 7 07:40:23 fedora kernel: loop: loaded (max 8 devices)
Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied { read } for pid=3863 exe=/bin/bash name=.bashrc dev=hda2 ino=1130588 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied { getattr } for pid=3863 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=1130588 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied { read } for pid=3865 exe=/usr/bin/id name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied { getattr } for pid=3865 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file

The first two of these (ref to /root/.bashrc, I believe) are not new, but I don't remember seeing the others.

tom
--
Tom London

From dwalsh at redhat.com Tue Dec 7 16:30:48 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 07 Dec 2004 11:30:48 -0500
Subject: yum/bootloader avcs?
In-Reply-To: <4c4ba153041207075743d24ae@mail.gmail.com>
References: <4c4ba153041207075743d24ae@mail.gmail.com>
Message-ID: <41B5DAB8.1060208@redhat.com>

Tom London wrote:
>Running strict, latest Rawhide.
>
>I happened to do today's updates in permissive
>mode, and got the following avcs:
>
>Dec 7 07:40:23 fedora kernel: loop: loaded (max 8 devices)
>Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied
>{ read } for pid=3863 exe=/bin/bash name=.bashrc dev=hda2 ino=1130588
>scontext=root:sysadm_r:bootloader_t
>tcontext=root:object_r:staff_home_t tclass=file
>Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied
>{ getattr } for pid=3863 exe=/bin/bash path=/root/.bashrc dev=hda2
>ino=1130588 scontext=root:sysadm_r:bootloader_t
>tcontext=root:object_r:staff_home_t tclass=file
>Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied
>{ read } for pid=3865 exe=/usr/bin/id name=config dev=hda2
>ino=4509759 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied
>{ getattr } for pid=3865 exe=/usr/bin/id path=/etc/selinux/config
>dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>
>The first two of these (ref to /root/.bashrc, I believe) are not new, but
>I don't remember seeing the others.
>
>tom
>
The others are there only because you are running in permissive mode. Basically there is a dontaudit in the policy on searches of /etc/selinux/config, but since you are in permissive mode it allows you to continue and read the selinux files; this would not happen in strict mode. So these are false error messages :^(

From Valdis.Kletnieks at vt.edu Tue Dec 7 16:50:27 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 07 Dec 2004 11:50:27 -0500
Subject: Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail...
In-Reply-To: Your message of "Tue, 07 Dec 2004 10:24:54 EST." <41B5CB46.4020407@redhat.com>
References: <200412032012.iB3KCjaT030175@turing-police.cc.vt.edu> <41B5CB46.4020407@redhat.com>
Message-ID: <200412071650.iB7GoSQs014629@turing-police.cc.vt.edu>

On Tue, 07 Dec 2004 10:24:54 EST, Daniel J Walsh said:

> Can you try this patch

Will let you know after I get a chance to test at a reboot, but at first eyeball it looks close to workable, if not elegant. Probably be tomorrow before I have feedback on this one...

> +can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }

Definitely more sledgehammer than elegance here. :)

I'm wondering if it would make more sense to push a patch upstream to the kernel-utils crew. Reading the smartd manpage in more detail, it looks like feeding it a '-M exec /usr/sbin/sendmail' (or building with that as the default) would let us only have to add sendmail_exec_t rather than all those.

I'll try your patch, and then see where I can get with the 'invoke sendmail directly' route.

I'm not sure what we want to do here - even if we fix the flood of avc's for the default case, the smartmontools documentation has examples of invoking arbitrary shell scripts with -M (which of course means the obvious).

What direction do we want to take here? Where should sites that need to add other 'can_exec' entries be putting them?

From chaky at ciencias.unam.mx Wed Dec 8 00:12:23 2004
From: chaky at ciencias.unam.mx (Chak)
Date: Tue, 07 Dec 2004 18:12:23 -0600
Subject: OpenMosix
Message-ID:

Has someone installed OpenMosix on Fedora Core 3??? I can't!!! Any kind of help will be appreciated.

From fjwiguna at goindo.com Wed Dec 8 16:07:01 2004
From: fjwiguna at goindo.com (Foryanto J. Wiguna)
Date: Wed, 08 Dec 2004 23:07:01 +0700
Subject: Maximum Hard Disk for Fedora Core 3
Message-ID: <41B726A5.1050906@goindo.com>

Hello all,

I just want to know the maximum hard disk for Fedora Core 3.

regards,
-Foryanto-

From cra at WPI.EDU Wed Dec 8 16:40:21 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Wed, 8 Dec 2004 11:40:21 -0500
Subject: Maximum Hard Disk for Fedora Core 3
In-Reply-To: <41B726A5.1050906@goindo.com>
References: <41B726A5.1050906@goindo.com>
Message-ID: <20041208164021.GQ27024@angus.ind.WPI.EDU>

On Wed, Dec 08, 2004 at 11:07:01PM +0700, Foryanto J. Wiguna wrote:
> I just want to know the maximum hard disk for Fedora Core 3.

Please, read the release notes. Also, this isn't the correct list for asking such questions.

http://fedora.redhat.com/docs/release-notes/

From walters at redhat.com Wed Dec 8 17:08:38 2004
From: walters at redhat.com (Colin Walters)
Date: Wed, 08 Dec 2004 12:08:38 -0500
Subject: Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail...
In-Reply-To: <200412071650.iB7GoSQs014629@turing-police.cc.vt.edu>
References: <200412032012.iB3KCjaT030175@turing-police.cc.vt.edu> <41B5CB46.4020407@redhat.com> <200412071650.iB7GoSQs014629@turing-police.cc.vt.edu>
Message-ID: <1102525718.4099.9.camel@nexus.verbum.private>

On Tue, 2004-12-07 at 11:50 -0500, Valdis.Kletnieks at vt.edu wrote:
> On Tue, 07 Dec 2004 10:24:54 EST, Daniel J Walsh said:
>
> > Can you try this patch
>
> Will let you know after I get a chance to test at a reboot, but at first
> eyeball it looks close to workable, if not elegant. Probably be tomorrow
> before I have feedback on this one...
>
> > +can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }
>
> Definitely more sledgehammer than elegance here. :)

Note that in general allowing a domain to exec a shell or random binary isn't really a big deal; the new binary retains the original domain and all of its restrictions.

> I'm wondering if it would make more sense to push a patch upstream to the
> kernel-utils crew. Reading the smartd manpage in more detail, it looks like
> feeding it a '-M exec /usr/sbin/sendmail' (or building with that as the
> default) would let us only have to add sendmail_exec_t rather than all those.

It's always useful to reduce the permissions needed for a particular program, but I don't see this particular instance as a large win. Better to spend the time e.g. helping with refactoring HAL to not need direct block device access in the main process.

> Where should sites that need to add
> other 'can_exec' entries be putting them?

On my personal server which still runs FC2, I put most of my rules in domains/misc/local.te, and then try to redo it as a diff later against the latest FC3 policy where applicable.
When I'm directly doing development of course I edit the original file and send a direct diff, assuming it will be upstreamed.

From markstier at gmail.com Wed Dec 8 08:45:56 2004
From: markstier at gmail.com (Mark Stier)
Date: Wed, 8 Dec 2004 09:45:56 +0100
Subject: Request
Message-ID:

Hello!

Could someone please take the strict policy and set a permissive default for unconfigured processes like in the targeted policy? That would be really great.

Thanks in advance,
Mark
--
Signed PGP public key available on key servers.

From dwalsh at redhat.com Wed Dec 8 17:43:50 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 08 Dec 2004 12:43:50 -0500
Subject: Request
In-Reply-To:
References:
Message-ID: <41B73D56.7050506@redhat.com>

Mark Stier wrote:
>Hello!
>
>Could someone please take the strict policy and set a permissive
>default for unconfigured processes like in the targeted policy? That
>would be really great.
>
>Thanks in advance,
>Mark
>
Install selinux-policy-strict-sources
Run system-config-securitylevel
Modify policy and select Admin
Turn on
Allow rc scripts to run unconfined, including any daemon started by an rc script that does not have a domain transition explicitly defined.
Allow xinetd to run unconfined, including any services it starts that do not have a domain transition explicitly defined.

Now try to restart the daemon that is broken.

Dan

From sds at epoch.ncsc.mil Wed Dec 8 17:49:55 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Wed, 08 Dec 2004 12:49:55 -0500
Subject: Request
In-Reply-To: <41B73D56.7050506@redhat.com>
References: <41B73D56.7050506@redhat.com>
Message-ID: <1102528195.26951.115.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-12-08 at 12:43, Daniel J Walsh wrote:
> Turn on
> Allow rc scripts to run unconfined, including any daemon started by an
> rc script that does not have a domain transition explicitly defined.
> Allow xinetd to run unconfined, including any services it starts that do
> not have a domain transition explicitly defined.
>
> Now try to restart the daemon that is broken.

Alternatively, couldn't he just chcon -t unconfined_exec_t /path/to/daemon and re-start it? Then only that daemon will run unconfined, not the rc script or inetd or any other daemon.

--
Stephen Smalley
National Security Agency

From Valdis.Kletnieks at vt.edu Wed Dec 8 02:03:22 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 07 Dec 2004 21:03:22 -0500
Subject: Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail...
In-Reply-To: Your message of "Tue, 07 Dec 2004 11:50:27 EST." <200412071650.iB7GoSQs014629@turing-police.cc.vt.edu>
References: <200412032012.iB3KCjaT030175@turing-police.cc.vt.edu> <41B5CB46.4020407@redhat.com> <200412071650.iB7GoSQs014629@turing-police.cc.vt.edu>
Message-ID: <200412080203.iB823Mhd023488@turing-police.cc.vt.edu>

On Tue, 07 Dec 2004 11:50:27 EST, Valdis.Kletnieks at vt.edu said:

> I'm wondering if it would make more sense to push a patch upstream to the
> kernel-utils crew. Reading the smartd manpage in more detail, it looks like
> feeding it a '-M exec /usr/sbin/sendmail' (or building with that as the
> default) would let us only have to add sendmail_exec_t rather than all those.

Or that *would* work, if the smartd code didn't use popen() to actually run it, giving us a gratuitous '/bin/sh -c'. Looks like some fairly hefty reworking to make it do the whole pipe()/fork()/exec() thing itself. Blech. ;)

From n3npq at nc.rr.com Wed Dec 8 20:24:12 2004
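The popen() versus pipe()/fork()/exec() difference described in the message above, as an added illustration (editor's example, not smartmontools code): the first function has the shape the thread attributes to smartd's -M exec handling, the second is the direct-exec rewrite that needs no shell. The mailer argv, the constructed message body and /bin/cat as a stand-in mailer are assumptions of this example.

```c
/*
 * Added illustration (not smartd's own code): two ways for a daemon to hand a
 * notification to a mailer, and why they differ under SELinux.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child's exit code from a wait status, or -1 if it did not exit normally. */
static int exit_code(int status)
{
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/*
 * "Before": popen(), which the thread says smartd uses for -M exec.  popen()
 * always runs "/bin/sh -c <cmd>", so even "-M exec /usr/sbin/sendmail" costs
 * the daemon's domain execute rights on the shell (shell_exec_t) plus whatever
 * the shell and its children touch: the flood of AVC denials seen above.
 */
int notify_via_popen(const char *cmd, const char *body)
{
    FILE *p = popen(cmd, "w");
    if (p == NULL)
        return -1;
    fputs(body, p);                 /* body becomes the mailer's stdin */
    int status = pclose(p);         /* wait status of the shell */
    return status == -1 ? -1 : exit_code(status);
}

/*
 * "After": pipe()/fork()/exec() the mailer directly from a fixed argv.  No
 * shell is involved, so the domain only needs execute on the mailer itself
 * (sendmail_exec_t in the thread's example) and the command is never parsed.
 */
int notify_via_exec(const char *const argv[], const char *body)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;

    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                 /* child: stdin <- pipe, then exec */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) == -1)
            _exit(127);
        close(fds[0]);
        execv(argv[0], (char *const *)argv);
        _exit(127);                 /* exec failed: same code sh would give */
    }

    /* Parent.  A mailer that exits without reading stdin would kill us with
       SIGPIPE, so ignore it while writing and treat EPIPE as "stop feeding". */
    close(fds[0]);
    struct sigaction ign, old;
    memset(&ign, 0, sizeof ign);
    ign.sa_handler = SIG_IGN;
    sigemptyset(&ign.sa_mask);
    sigaction(SIGPIPE, &ign, &old);

    size_t left = strlen(body);
    while (left > 0) {
        ssize_t n = write(fds[1], body, left);
        if (n == -1) {
            if (errno == EINTR)
                continue;
            break;                  /* EPIPE or a real error */
        }
        body += n;
        left -= (size_t)n;
    }
    close(fds[1]);
    sigaction(SIGPIPE, &old, NULL);

    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return exit_code(status);
}

int main(void)
{
    /* /bin/cat stands in for the mailer so this runs anywhere: it echoes the
       constructed sample body it is fed on stdin. */
    const char *const cat_argv[] = { "/bin/cat", NULL };
    const char *body = "Subject: smartd test\n\nconstructed sample body\n";
    int rc_shell = notify_via_popen("/bin/cat", body);
    int rc_exec = notify_via_exec(cat_argv, body);
    printf("popen path exit=%d, exec path exit=%d\n", rc_shell, rc_exec);
    return (rc_shell == 0 && rc_exec == 0) ? 0 : 1;
}
```

Run under a confining policy, the exec path produces denials only for the mailer binary, which is exactly what makes a narrow type such as sendmail_exec_t sufficient.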
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Wed, 08 Dec 2004 15:24:12 -0500
Subject: cups wants to write to /usr/lib/python2.4/.../printconf_tui.pyo, etc
In-Reply-To: <20041205102916.GI14677@redhat.com>
References: <4c4ba1530412041048671afa35@mail.gmail.com> <20041205102916.GI14677@redhat.com>
Message-ID: <41B762EC.6030107@nc.rr.com>

Tim Waugh wrote:
>On Sat, Dec 04, 2004 at 10:48:54AM -0800, Tom London wrote:
>
>>Running strict/enforcing, latest Rawhide.
>>
>>When logging in, cups, running in cupsd_config_t
>>wants to write /usr/lib/python/site-packages/printconf_tui.pyo,
>>and /usr/share/printconf/util/printconf_tui.pyo.
>>Strict and Permissive avc's shown below.
>>
>
>*sigh*
>
>This comes up periodically. I am still waiting for the rpm
>configuration bit that fixes this to be turned on.
>
The automagic brp-python-bytecompile policy is turned on by default in rpm-4.3.3-8, which should be in FC4 tomorrow. Beehive (and redhat-rpm-config) is promised as well.

And all python packages are going to need a rebuild to acquire
Requires: python(abi) = 2.4
so perhaps the problem of associating file contexts with lazily compiled/created *.pyc and *.pyo will finally be headed towards resolution without forcing python to link libselinux.

73 de Jeff

From cviniciusm at terra.com.br Wed Dec 8 21:10:13 2004
From: cviniciusm at terra.com.br (Vinicius)
Date: Wed, 08 Dec 2004 19:10:13 -0200
Subject: avc: denied ... syslogd and others.
Message-ID: <1102540214.3770.4.camel@cviniciusm.no-ip.com>

Hello,

How to resolve the problems below, please?

"Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { read } for pid=2005 exe=/sbin/syslogd name=libc-2.3.3.so dev=hda7 ino=752988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { getattr } for pid=2005 exe=/sbin/syslogd path=/lib/tls/libc-2.3.3.so dev=hda7 ino=752988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { execute } for pid=2005 path=/lib/tls/libc-2.3.3.so dev=hda7 ino=752988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.463:0): avc: denied { append } for pid=2006 exe=/sbin/syslogd name=messages dev=hda7 ino=115590 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.463:0): avc: denied { ioctl } for pid=2006 exe=/sbin/syslogd path=/var/log/messages dev=hda7 ino=115590 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { search } for pid=2021 exe=/sbin/portmap name=/ dev=hda7 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { read } for pid=2021 exe=/sbin/portmap name=libnsl-2.3.3.so dev=hda7 ino=753010 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { getattr } for pid=2021 exe=/sbin/portmap
path=/lib/libnsl-2.3.3.so dev=hda7 ino=753010 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { execute } for pid=2021 path=/lib/libnsl-2.3.3.so dev=hda7 ino=753010 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file"

"# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: error (Success)
Policy version: 18
Policy from config file:targeted

Policy booleans:
...
syslogd_disable_trans inactive
..."

TIA, Vinicius.

From cviniciusm at terra.com.br Wed Dec 8 22:15:59 2004
From: cviniciusm at terra.com.br (Vinicius)
Date: Wed, 08 Dec 2004 20:15:59 -0200
Subject: avc: denied ... syslogd and others.
In-Reply-To: <1102540214.3770.4.camel@cviniciusm.no-ip.com>
References: <1102540214.3770.4.camel@cviniciusm.no-ip.com>
Message-ID: <1102544159.3446.3.camel@cviniciusm.no-ip.com>

On Wed, 2004-12-08 at 19:10 -0200, Vinicius wrote:
> Hello,
>
> How to resolve the problems below, please?
>
> "Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc:
> denied { read
> ..."
> TIA, Vinicius.

I did "fixfiles relabel" and the problem was resolved.

From cviniciusm at terra.com.br Wed Dec 8 22:17:29 2004
From: cviniciusm at terra.com.br (Vinicius)
Date: Wed, 08 Dec 2004 20:17:29 -0200
Subject: avc: denied ... syslogd and others.
In-Reply-To: <1102540214.3770.4.camel@cviniciusm.no-ip.com>
References: <1102540214.3770.4.camel@cviniciusm.no-ip.com>
Message-ID: <1102544250.3446.6.camel@cviniciusm.no-ip.com>

On Wed, 2004-12-08 at 19:10 -0200, Vinicius wrote:
> Hello,
>
> How to resolve the problems below, please?
>
> "Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc:
> ..."
>
> TIA, Vinicius.

I did "fixfiles relabel" then the problem was resolved.

From cviniciusm at terra.com.br Wed Dec 8 22:23:58 2004
From: cviniciusm at terra.com.br (Vinicius)
Date: Wed, 08 Dec 2004 20:23:58 -0200
Subject: not relabeling "/dev/:0".
Message-ID: <1102544639.3446.10.camel@cviniciusm.no-ip.com>

Hello,

Is the problem below a SELinux related issue, please? If so, how to resolve this, please?

/var/log/messages:
"...
-:0[3004]: Warning! Could not get current context for /dev/:0, not relabeling.
..."

TIA, Vinicius.

From cviniciusm at terra.com.br Wed Dec 8 22:41:16 2004
From: cviniciusm at terra.com.br (Vinicius)
Date: Wed, 08 Dec 2004 20:41:16 -0200
Subject: avc: denied ... syslogd and others.
In-Reply-To: <1102544250.3446.6.camel@cviniciusm.no-ip.com>
References: <1102540214.3770.4.camel@cviniciusm.no-ip.com> <1102544250.3446.6.camel@cviniciusm.no-ip.com>
Message-ID: <1102545676.3324.2.camel@cviniciusm.no-ip.com>

On Wed, 2004-12-08 at 20:17 -0200, Vinicius wrote:
> On Wed, 2004-12-08 at 19:10 -0200, Vinicius wrote:
> > Hello,
> >
> > How to resolve the problems below, please?
> >
> > "Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc:
> > ..."
> >
> > TIA, Vinicius.
>
> I did "fixfiles relabel" then the problem was resolved.

Excuse me for this duplicate. It's due to a misconfiguration (mine of course).

From walters at redhat.com Wed Dec 8 22:57:31 2004
From: walters at redhat.com (Colin Walters)
Date: Wed, 08 Dec 2004 17:57:31 -0500
Subject: not relabeling "/dev/:0".
In-Reply-To: <1102544639.3446.10.camel@cviniciusm.no-ip.com>
References: <1102544639.3446.10.camel@cviniciusm.no-ip.com>
Message-ID: <1102546651.5324.17.camel@nexus.verbum.private>

On Wed, 2004-12-08 at 20:23 -0200, Vinicius wrote:
> Hello,
>
> Is the problem below a SELinux related issue, please? If so, how to
> resolve this, please?
>
> /var/log/messages:
> "...
> -:0[3004]: Warning! Could not get current context for /dev/:0, not
> relabeling.
> ..."

Yes, it's related to SELinux; I think the warning is from fixfiles. But I have no idea what /dev/:0 would be. My system has no such device.

From nalin at redhat.com Wed Dec 8 23:09:40 2004
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 8 Dec 2004 18:09:40 -0500
Subject: not relabeling "/dev/:0".
In-Reply-To: <1102546651.5324.17.camel@nexus.verbum.private>
References: <1102544639.3446.10.camel@cviniciusm.no-ip.com> <1102546651.5324.17.camel@nexus.verbum.private>
Message-ID: <20041208230940.GC12203@redhat.com>

On Wed, Dec 08, 2004 at 05:57:31PM -0500, Colin Walters wrote:
> On Wed, 2004-12-08 at 20:23 -0200, Vinicius wrote:
> > Is the problem below a SELinux related issue, please? If so, how to
> > resolve this, please?
> >
> > /var/log/messages:
> > "...
> > -:0[3004]: Warning! Could not get current context for /dev/:0, not
> > relabeling.
> > ..."
>
> Yes, it's related to SELinux; I think the warning is from fixfiles. But
> I have no idea what /dev/:0 would be. My system has no such device.

I think some piece of code (pam_selinux maybe?) is assuming that prepending "/dev/" to the value of the PAM_TTY item results in a path which can be relabeled. I think gdm sets it to ":0" on at least some platforms, for example.

Is there a particular command or program being run when this happens, or is it happening when you log in?

Nalin

From mike at flyn.org Wed Dec 8 23:13:02 2004
From: mike at flyn.org (W. Michael Petullo)
Date: Wed, 8 Dec 2004 17:13:02 -0600 (CST)
Subject: Looking for a simple project
Message-ID: <3126.66.151.13.71.1102547582.squirrel@66.151.13.71>

I am looking for a simple project to use as an example of Java GNOME development. Because I am interested in SELinux, I thought that I could write a GNOME application that was SELinux-related. I am looking for an application that would take about one month to write (working on it part-time). Only the GUI needs to be written in Java.

One idea I had was an application that would help parse AVC messages in a system's log files. The program would categorize AVC messages by criteria like scontext and present an expandable list of categories. The categories could be expanded to reveal AVC messages. This might help when debugging a SELinux policy.

So, does anyone have any suggestions? As I mentioned, my goal is really to demonstrate the use of Java GNOME, but I would like to do something useful. I would like to hear if there is anything anyone wants to see.

--
Mike

From jorton at redhat.com Wed Dec 8 23:27:15 2004
From: jorton at redhat.com (Joe Orton)
Date: Wed, 8 Dec 2004 23:27:15 +0000
Subject: labelling issues
In-Reply-To: <1102081338.29971.37.camel@moss-spartans.epoch.ncsc.mil>
References: <20041203080343.GA28886@redhat.com> <1102081001.29971.33.camel@moss-spartans.epoch.ncsc.mil> <1102081338.29971.37.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20041208232715.GA8302@redhat.com>

On Fri, Dec 03, 2004 at 08:42:18AM -0500, Stephen Smalley wrote:
> BTW, ask people who encounter the mislabeled shared objects to check
> their /var/log/prelink.log for errors, particularly "Could not get
> security context" or "Could not set security context", as prelink is
> supposed to log those errors when it cannot get or set the file context.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142319

is that any use?

joe

From sds at epoch.ncsc.mil Thu Dec 9 12:54:20 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 09 Dec 2004 07:54:20 -0500
Subject: Looking for a simple project
In-Reply-To: <3126.66.151.13.71.1102547582.squirrel@66.151.13.71>
References: <3126.66.151.13.71.1102547582.squirrel@66.151.13.71>
Message-ID: <1102596859.32175.7.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-12-08 at 18:13, W. Michael Petullo wrote:
> I am looking for a simple project to use as an example of Java GNOME
> development. Because I am interested in SELinux, I thought that I could
> write a GNOME application that was SELinux-related. I am looking for an
> application that would take about one month to write (working on it
> part-time). Only the GUI needs to be written in Java.
>
> One idea I had was an application that would help parse AVC messages in a
> system's log files. The program would categorize AVC messages by criteria
> like scontext and present an expandable list of categories. The categories
> could be expanded to reveal AVC messages. This might help when debugging
> a SELinux policy.

There is a 'seaudit' tool that is part of the setools-gui package, possibly you could extend it in some way.

> So, does anyone have any suggestions? As I mentioned, my goal is really
> to demonstrate the use of Java GNOME, but I would like to do something
> useful. I would like to hear if there is anything anyone wants to see.

Higher-level tools that make the policy more accessible to typical admins are always welcome. Not sure if any of them fall into the "simple" category. Take a look at setools-gui/setools, slat, and polgen, and think about what you would want if you were administering a SELinux system.

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Thu Dec 9 13:19:36 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 09 Dec 2004 08:19:36 -0500
Subject: labelling issues
In-Reply-To: <20041208232715.GA8302@redhat.com>
References: <20041203080343.GA28886@redhat.com> <1102081001.29971.33.camel@moss-spartans.epoch.ncsc.mil> <1102081338.29971.37.camel@moss-spartans.epoch.ncsc.mil> <20041208232715.GA8302@redhat.com>
Message-ID: <1102598376.32175.22.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-12-08 at 18:27, Joe Orton wrote:
> On Fri, Dec 03, 2004 at 08:42:18AM -0500, Stephen Smalley wrote:
> > BTW, ask people who encounter the mislabeled shared objects to check
> > their /var/log/prelink.log for errors, particularly "Could not get
> > security context" or "Could not set security context", as prelink is
> > supposed to log those errors when it cannot get or set the file context.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142319
>
> is that any use?

The 'ls' output indicates that the libpcre shared object is labeled correctly, so I wonder if he had already relabeled it via fixfiles or restorecon prior to running that ls.

The prelink.log file does include some "Could not get security context" errors (with errno ENODATA), which is interesting, but peculiar that there is no such error for the libpcre shared object, since that is the one that is triggering this denial. The lack of any context on those files is very odd unless he ran with SELinux disabled for a while (in which case the files would indeed end up with no context if they were updated while SELinux was disabled and he failed to relabel when he re-enabled SELinux).

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Thu Dec 9 13:26:34 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 09 Dec 2004 08:26:34 -0500
Subject: labelling issues
In-Reply-To: <1102598376.32175.22.camel@moss-spartans.epoch.ncsc.mil>
References: <20041203080343.GA28886@redhat.com> <1102081001.29971.33.camel@moss-spartans.epoch.ncsc.mil> <1102081338.29971.37.camel@moss-spartans.epoch.ncsc.mil> <20041208232715.GA8302@redhat.com> <1102598376.32175.22.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1102598794.32175.24.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-12-09 at 08:19, Stephen Smalley wrote:
> The 'ls' output indicates that the libpcre shared object is labeled
> correctly, so I wonder if he had already relabeled it via fixfiles or
> restorecon prior to running that ls.
>
> The prelink.log file does include some "Could not get security context"
> errors (with errno ENODATA), which is interesting, but peculiar that
> there is no such error for the libpcre shared object, since that is the
> one that is triggering this denial. The lack of any context on those
> files is very odd unless he ran with SELinux disabled for a while (in
> which case the files would indeed end up with no context if they were
> updated while SELinux was disabled and he failed to relabel when he
> re-enabled SELinux).

Note: I added a comment to the bugzilla entry with this information and also asked the bug reporter several follow-up questions.

--
Stephen Smalley
National Security Agency

From rodrigo.damazio at poli.usp.br Thu Dec 9 13:57:50 2004
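A filesystem-side check for the condition Stephen describes, as an added example that is not code from the thread or from prelink: it asks each file for its security.selinux attribute and reports the ones where the kernel answers ENODATA, which is a file with no label at all. The `getxattr` hook, `shared_objects` and `table_getxattr` are assumed helper names, and the label table used for the offline run is constructed.

```python
"""Report files whose security.selinux xattr is missing (errno ENODATA).

Added example for the prelink.log discussion; not code from the thread or
from prelink. prelink's "Could not get security context" with ENODATA means
the file carries no label at all, which is what happens when files are
written while SELinux is disabled and never relabeled afterwards. The
getxattr argument is an assumed hook so the check can be driven from a
table on hosts without SELinux; on a real host leave it as os.getxattr.
"""
import errno
import os


def label_of(path, getxattr=None):
    """Return the file's context, None if it has no label, else re-raise."""
    if getxattr is None:
        getxattr = os.getxattr  # Linux only
    try:
        raw = getxattr(path, "security.selinux")
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return None  # attribute absent: the file was never labeled
        raise
    return raw.rstrip(b"\0").decode()


def find_unlabeled(paths, getxattr=None):
    """Paths, in order, whose label is absent; other errors are not a verdict."""
    missing = []
    for path in paths:
        try:
            if label_of(path, getxattr) is None:
                missing.append(path)
        except OSError:
            pass  # permission denied, file vanished, etc.: skip, don't report
    return missing


def shared_objects(root):
    """Yield every regular file under root, the way a /lib scan would."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def table_getxattr(table):
    """Constructed stand-in for os.getxattr: labels come from a dict,
    anything not in it answers ENODATA like an unlabeled file would."""
    def getxattr(path, name):
        if name == "security.selinux" and path in table:
            return table[path]
        raise OSError(errno.ENODATA, "No data available", path)
    return getxattr


if __name__ == "__main__":
    # Only meaningful with SELinux enabled (sestatus: "SELinux status: enabled");
    # on a kernel without SELinux every file answers ENODATA.
    for path in find_unlabeled(shared_objects("/lib")):
        print("unlabeled:", path)
```

Files it lists are the ones to hand to restorecon or a fixfiles relabel; the sestatus output earlier in the thread tells you whether the result means anything on the host you run it on.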
From: rodrigo.damazio at poli.usp.br (Rodrigo Damazio)
Date: Thu, 09 Dec 2004 11:57:50 -0200
Subject: A few policy changes I had to make
In-Reply-To: <419606AF.6010800@redhat.com>
References: <4195810A.1080404@poli.usp.br> <419606AF.6010800@redhat.com>
Message-ID: <41B859DE.1040103@poli.usp.br>

I've made the dontaudit changes you suggested and everything seems to still work. However, I'm still having problems with apache - I use too many PHP functions which do various things such as executing external programs, opening sockets, connecting to postgres, etc. that generate avc denied errors. I tried, thus, to remove apache.te from domains/program, just to find out that mailman depended on it - it gives me an error about mailman_cgi_exec_t (which, indeed, is only defined if apache.te is defined, but it appears in the mailman.fc file without an ifdef) - adding an ifdef made it all work perfectly. I wonder if there's a way to use selinux with apache without limiting php functions.

Rodrigo

Daniel J Walsh wrote:
> Rodrigo Damazio wrote:
>
>> Hello. I started playing with SELinux on FC2, and recently moved to FC3,
>> and I must say it's much better now, with the targeted policy. Congrats on this.
>> I still had to change a few things in my policies, though. Following is a
>> collection of the avc errors justifying my changes. I'm not experienced with
>> SElinux yet, so I may be doing something wrong...please let me know if these
>> changes are correct or not. Also, the unlink allow for httpd_t is because, for
>> some reason, when I try to remove a file from within PHP, it uses httpd_t
>> instead of httpd_sys_script_t. I would also like a rule (which I'm not sure how
>> to write) to allow PHP programs to execute external programs, since I have a
>> script which receives an uploaded file, does a lot of processing with it
>> through external programs, and stores it in the database - when I run that, it
>> gives me avc execute errors trying to run bash and the other utilities.
>>
>> Apache:
>> Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied { connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket
>>
>> NTPd:
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied { create } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { bind } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { getattr } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.747:0): avc: denied { write } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied { net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc: denied { nlmsg_read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.752:0): avc: denied { read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
>>
>> DHCPd:
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.314:0): avc: denied { create } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.317:0): avc: denied { bind } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.320:0): avc: denied { getattr } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.323:0): avc: denied { write } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc: denied { net_admin } for pid=10002 exe=/usr/sbin/dhcpd capability=12 scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=capability
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.326:0): avc: denied { nlmsg_read } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.327:0): avc: denied { read } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied { unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file
>>
>> named:
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.797:0): avc: denied { create } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.798:0): avc: denied { bind } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.799:0): avc: denied { getattr } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.803:0): avc: denied { write } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.806:0): avc: denied { nlmsg_read } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.809:0): avc: denied { read } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
>>
>> Thanks,
>> Rodrigo
>>
>> ------------------------------------------------------------------------
>>
>> diff -ru src.orig/policy/domains/program/apache.te src/policy/domains/program/apache.te
>> --- src.orig/policy/domains/program/apache.te 2004-11-01 19:36:22.000000000 -0200
>> +++ src/policy/domains/program/apache.te 2004-11-12 23:54:36.127952796 -0200
>> @@ -285,6 +285,8 @@
>> # Allow httpd to work with postgresql
>> #
>> allow httpd_t tmp_t:sock_file rw_file_perms;
>> +allow httpd_t tmp_t:unix_stream_socket rw_file_perms;
>> +allow httpd_t unconfined_t:unix_stream_socket rw_file_perms;
>> ') dnl targeted policy
>>
>>
> This would allow httpd to talk to any unix_stream_socket (XWindows for
> example.) I am going to try to add postgresql.te (As we have with
> mysql.te) to targeted policy to see if it fixes this
> and does not cause other problems.
>
>>
>> #
>> diff -ru src.orig/policy/domains/program/dhcpd.te src/policy/domains/program/dhcpd.te
>> --- src.orig/policy/domains/program/dhcpd.te 2004-11-01 19:36:22.000000000 -0200
>> +++ src/policy/domains/program/dhcpd.te 2004-11-12 23:38:18.000000000 -0200
>> @@ -33,13 +33,14 @@
>> can_ypbind(dhcpd_t)
>> allow dhcpd_t self:unix_dgram_socket create_socket_perms;
>> allow dhcpd_t self:unix_stream_socket create_socket_perms;
>> +allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
>>
>>
>>
> Added, but have never seen this before.
>
>> allow dhcpd_t var_lib_t:dir search;
>>
>> allow dhcpd_t devtty_t:chr_file { read write };
>>
>> # Use capabilities
>> -allow dhcpd_t dhcpd_t:capability { net_raw net_bind_service };
>> +allow dhcpd_t dhcpd_t:capability { net_raw net_admin net_bind_service };
>>
>>
>>
> net_admin is a strong capability; it allows you to bring up and down
> network interfaces, iptable rules. Do you have any idea what it is
> trying to do that would cause this? Could you try to
> dontaudit it and see what happens.
> dontaudit dhcpd_t self:capability net_admin;
>
>> # Allow access to the dhcpd file types
>> type dhcp_state_t, file_type, sysadmfile;
>> diff -ru src.orig/policy/domains/program/named.te src/policy/domains/program/named.te
>> --- src.orig/policy/domains/program/named.te 2004-11-01 19:36:22.000000000 -0200
>> +++ src/policy/domains/program/named.te 2004-11-12 23:42:38.000000000 -0200
>> @@ -60,6 +60,7 @@
>> # Bind to the named port.
>> allow named_t dns_port_t:udp_socket name_bind;
>> allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
>> +allow named_t self:netlink_route_socket r_netlink_socket_perms;
>>
>>
>>
> Added, but again have not seen this.
>
>> bool named_write_master_zones false;
>>
>> diff -ru src.orig/policy/domains/program/ntpd.te src/policy/domains/program/ntpd.te
>> --- src.orig/policy/domains/program/ntpd.te 2004-11-01 19:36:22.000000000 -0200
>> +++ src/policy/domains/program/ntpd.te 2004-11-12 23:33:18.000000000 -0200
>> @@ -22,7 +22,7 @@
>> # for SSP
>> allow ntpd_t urandom_device_t:chr_file read;
>>
>> -allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
>> +allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock sys_chroot net_admin };
>>
>>
> This should definitely not be allowed. I can't see why ntpd would
> want to modify your network environment.
>
>> allow ntpd_t self:process { setcap setsched };
>> # ntpdate wants sys_nice
>> dontaudit ntpd_t self:capability { fsetid sys_nice };
>> @@ -39,6 +39,7 @@
>> allow ntpd_t ntp_port_t:udp_socket name_bind;
>> allow ntpd_t self:unix_dgram_socket create_socket_perms;
>> allow ntpd_t self:unix_stream_socket create_socket_perms;
>> +allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
>>
>>
>>
> Same as previous comments about netlink_sockets
>
>> # so the start script can change firewall entries
>> allow initrc_t net_conf_t:file { getattr read ioctl };
>> diff -ru src.orig/policy/macros/program/apache_macros.te src/policy/macros/program/apache_macros.te
>> --- src.orig/policy/macros/program/apache_macros.te 2004-11-01 19:36:22.000000000 -0200
>> +++ src/policy/macros/program/apache_macros.te 2004-11-12 23:01:49.000000000 -0200
>> @@ -106,6 +106,7 @@
>> ############################################################################
>>
>> r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
>> create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
>> +allow httpd_t { httpd_$1_script_rw_t }:{ file dir lnk_file } { unlink };
>> ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
>>
>> if (httpd_enable_cgi) && (httpd_unified) {
>>
>>
>>
>>
> The update policy has the following which would cover this case.
>
> r_dir_file(httpd_t, httpd_sys_script_ro_t)
> create_dir_file(httpd_t, httpd_sys_script_rw_t)
> ra_dir_file(httpd_t, httpd_sys_script_ra_t)
>
>> ------------------------------------------------------------------------
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>

From sds at epoch.ncsc.mil Thu Dec 9 13:59:52 2004
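Review bot: in the apache.te hunk (@@ -285,6 +285,8 @@), `rw_file_perms` is the wrong permission set for a `unix_stream_socket` rule: the set it expands to (read, write, getattr and friends) does not contain `connectto`, which is the single permission the quoted Apache denial shows (`avc: denied { connectto } ... tclass=unix_stream_socket`), so the two added lines would not even clear that AVC. The narrowest rule that matches the denial is `allow httpd_t unconfined_t:unix_stream_socket connectto;`, and as Dan notes even that reaches every socket owned by unconfined_t, not only the postgres socket at /tmp/.s.PGSQL.5432, which is why a dedicated postgresql domain is the better fix.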
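Review bot: the dhcpd.te hunk (@@ -33,13 +33,14 @@) correctly leaves the last dhcpd denial alone, and the reason should be stated in the patch description: `denied { unlink } ... name=dhcpd.leases~ ... tcontext=system_u:object_r:file_t` has a target of type file_t, which is what a file ends up with when it was written without a label, so the fix is to relabel that file rather than to allow dhcpd_t unlink on file_t. For the `net_admin` addition in the same hunk, Dan's `dontaudit dhcpd_t self:capability net_admin;` is the right first step: it silences the log line without granting a capability that lets the daemon reconfigure interfaces and firewall rules, and if dhcpd turns out to need it the allow can be added with a comment saying what it is used for.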
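Review bot: the first ntpd.te hunk (@@ -22,7 +22,7 @@) appends `net_admin` to an `allow` line, which grants the capability outright to a daemon that only needs to set the clock; if the denial turns out to be noise from a probe ntpd makes at startup, the right change is a `dontaudit ntpd_t self:capability net_admin;` line beside the existing `dontaudit ntpd_t self:capability { fsetid sys_nice };` in the same file, mirroring what Dan proposed for dhcpd, and if ntpd genuinely fails without it the allow should carry a comment saying which operation needs it.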
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 09 Dec 2004 08:59:52 -0500
Subject: not relabeling "/dev/:0".
In-Reply-To: <20041208230940.GC12203@redhat.com>
References: <1102544639.3446.10.camel@cviniciusm.no-ip.com> <1102546651.5324.17.camel@nexus.verbum.private> <20041208230940.GC12203@redhat.com>
Message-ID: <1102600792.32175.52.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-12-08 at 18:09, Nalin Dahyabhai wrote:
> I think some piece of code (pam_selinux maybe?) is assuming that
> prepending "/dev/" to the value of the PAM_TTY item results in a path
> which can be relabeled. I think gdm sets it to ":0" on at least some
> platforms, for example.
>
> Is there a particular command or program being run when this happens, or
> is it happening when you log in?

Hmm...I thought that the SELinux patch for gdm was upstreamed and that it no longer needed to use pam_selinux (and I seem to recall pam_selinux not working for gdm anyway since the pam_open_session call was made from the wrong process to set up the exec context), but I still see a pam_selinux entry in /etc/pam.d/gdmsetup. Ok, looking at the gdm SRPM, there is definitely SELinux code in daemon/slave.c to get the user's default context and set the exec context, so I don't see why you'd need pam_selinux for it.

--
Stephen Smalley
National Security Agency

From jorton at redhat.com Thu Dec 9 16:14:33 2004
From: jorton at redhat.com (Joe Orton)
Date: Thu, 9 Dec 2004 16:14:33 +0000
Subject: labelling issues
In-Reply-To: <1102598794.32175.24.camel@moss-spartans.epoch.ncsc.mil>
References: <20041203080343.GA28886@redhat.com> <1102081001.29971.33.camel@moss-spartans.epoch.ncsc.mil> <1102081338.29971.37.camel@moss-spartans.epoch.ncsc.mil> <20041208232715.GA8302@redhat.com> <1102598376.32175.22.camel@moss-spartans.epoch.ncsc.mil> <1102598794.32175.24.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20041209161433.GA11218@redhat.com>

On Thu, Dec 09, 2004 at 08:26:34AM -0500, Stephen Smalley wrote:
> On Thu, 2004-12-09 at 08:19, Stephen Smalley wrote:
> > The 'ls' output indicates that the libpcre shared object is labeled
> > correctly, so I wonder if he had already relabeled it via fixfiles or
> > restorecon prior to running that ls.
> >
> > The prelink.log file does include some "Could not get security context"
> > errors (with errno ENODATA), which is interesting, but peculiar that
> > there is no such error for the libpcre shared object, since that is the
> > one that is triggering this denial. The lack of any context on those
> > files is very odd unless he ran with SELinux disabled for a while (in
> > which case the files would indeed end up with no context if they were
> > updated while SELinux was disabled and he failed to relabel when he
> > re-enabled SELinux).
>
> Note: I added a comment to the bugzilla entry with this information and
> also asked the bug reporter several follow-up questions.

Thanks Stephen. If you'd rather I just CC you immediately the next time this is reported, or if you have some new questions I should be asking people, then just let me know.

joe

From dwalsh at redhat.com Thu Dec 9 16:53:26 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 09 Dec 2004 11:53:26 -0500
Subject: avc: denied ... syslogd and others.
In-Reply-To: <1102540214.3770.4.camel@cviniciusm.no-ip.com>
References: <1102540214.3770.4.camel@cviniciusm.no-ip.com>
Message-ID: <41B88306.7090404@redhat.com>

Vinicius wrote:
> Hello,
>
> How to resolve the problems below, please?
>
> "Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { read } for pid=2005 exe=/sbin/syslogd name=libc-2.3.3.so dev=hda7 ino=752988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
> Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { getattr } for pid=2005 exe=/sbin/syslogd path=/lib/tls/libc-2.3.3.so dev=hda7 ino=752988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
> Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { execute } for pid=2005 path=/lib/tls/libc-2.3.3.so dev=hda7 ino=752988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
> Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.463:0): avc: denied { append } for pid=2006 exe=/sbin/syslogd name=messages dev=hda7 ino=115590 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
> Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.463:0): avc: denied { ioctl } for pid=2006 exe=/sbin/syslogd path=/var/log/messages dev=hda7 ino=115590 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
> Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { search } for pid=2021 exe=/sbin/portmap name=/ dev=hda7 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
> Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { read } for pid=2021 exe=/sbin/portmap name=libnsl-2.3.3.so dev=hda7 ino=753010 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
> Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { getattr } for pid=2021 exe=/sbin/portmap path=/lib/libnsl-2.3.3.so dev=hda7 ino=753010 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
> Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { execute } for pid=2021 path=/lib/libnsl-2.3.3.so dev=hda7 ino=753010 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file"
>
> "# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          error (Success)
> Policy version:                 18
> Policy from config file:        targeted
>
> Policy booleans:
> ...
> syslogd_disable_trans           inactive
> ..."
>
> TIA, Vinicius.

Your file system has not been labeled, touch /.autorelabel and reboot.

Dan

From dwalsh at redhat.com Thu Dec 9 17:02:35 2004
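An added example, not code from the list or from seaudit, setools or audit2allow, that does what Mike's proposed AVC categoriser above would do and then applies the two verdicts this thread reaches on a denial: Dan's answer to Vinicius (a tcontext of type file_t means the file system was never labeled, so relabel instead of writing a rule) and his advice to Rodrigo (dontaudit net_admin rather than grant it). It parses the audit line format quoted in these messages; the sample records are constructed from them, and the unlabeled_t type, the line-rejoining heuristic and all function names are assumptions.

```python
"""Group AVC denials and decide: allow rule, dontaudit, or relabel.

Added example, not code from the list or from seaudit/setools/audit2allow.
Parses the audit lines quoted in this thread, groups them the way Mike's
proposed GUI would, and applies the thread's two verdicts: a file_t target
is an unlabeled file (relabel, per Dan's reply to Vinicius), and net_admin
is too strong to grant just because a daemon asked (dontaudit, per Dan's
reply to Rodrigo). unlabeled_t and the rejoin heuristic are assumptions.
"""
import re
from collections import defaultdict

# A syslog record starts "Dec 8 15:36:59 host kernel: ...". The quoted
# records were hard-cut at 80 columns ("sconte" / "xt="), so continuation
# lines are glued back on without a separator (assumption about the cut).
RECORD_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s")
AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD = re.compile(r"(\w+)=(\S+)")

UNLABELED_TYPES = {"file_t", "unlabeled_t"}  # file_t is the one on this page
STRONG_CAPS = {"net_admin"}                  # Dan: "a strong capability"


def join_wrapped(lines):
    """Rejoin records that were wrapped across several lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def parse_avc(record):
    """Return the k=v fields plus a 'perms' set, or None if not an AVC line."""
    m = AVC.search(record)
    if not m:
        return None
    rec = dict(FIELD.findall(m.group("rest")))
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """user:role:type -> type (the contexts on this page have no MLS field)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def group_denials(lines):
    """Map (source type, target type, class) -> union of denied permissions."""
    groups = defaultdict(set)
    for record in join_wrapped(lines):
        rec = parse_avc(record)
        if rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            groups[key] |= rec["perms"]
    return dict(groups)


def rule(kind, stype, target, tclass, perms):
    return f"{kind} {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"


def advise(groups):
    """One line per group: a relabel note, a dontaudit, and/or an allow rule."""
    out = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        if ttype in UNLABELED_TYPES:
            out.append(f"# {stype} -> {ttype}:{tclass} {{ {' '.join(sorted(perms))} }}: "
                       "target is unlabeled, run fixfiles relabel instead of adding a rule")
            continue
        target = "self" if ttype == stype else ttype
        if tclass == "capability":
            strong, perms = perms & STRONG_CAPS, perms - STRONG_CAPS
            if strong:
                out.append(rule("dontaudit", stype, target, tclass, strong))
        if perms:
            out.append(rule("allow", stype, target, tclass, perms))
    return out


# Constructed sample built from records quoted in this thread; the second
# record is split the way the archive shows it, the last line is not an AVC.
SAMPLE_LOG = [
    "Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { read } for pid=2005 exe=/sbin/syslogd name=libc-2.3.3.so dev=hda7 ino=752988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file",
    "Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { geta",
    "ttr } for pid=2005 exe=/sbin/syslogd path=/lib/tls/libc-2.3.3.so dev=hda7 ino=7",
    "52988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file",
    "Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied { connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket",
    "Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied { create } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket",
    "Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { bind } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket",
    "Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied { net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability",
    "Nov 11 19:51:50 fireball ntpd[2293]: synchronized to LOCAL(0), stratum 10",
]

if __name__ == "__main__":
    for line in advise(group_denials(SAMPLE_LOG)):
        print(line)
```

The allow lines it prints are candidates to read, not to paste: as Dan's comments on Rodrigo's patch show, a rule that matches the denial exactly can still be broader than the one socket or file the daemon actually needed.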
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 09 Dec 2004 12:02:35 -0500
Subject: not relabeling "/dev/:0".
In-Reply-To: <1102600792.32175.52.camel@moss-spartans.epoch.ncsc.mil>
References: <1102544639.3446.10.camel@cviniciusm.no-ip.com> <1102546651.5324.17.camel@nexus.verbum.private> <20041208230940.GC12203@redhat.com> <1102600792.32175.52.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <41B8852B.6000704@redhat.com>

Stephen Smalley wrote:
> On Wed, 2004-12-08 at 18:09, Nalin Dahyabhai wrote:
>
> > I think some piece of code (pam_selinux maybe?) is assuming that
> > prepending "/dev/" to the value of the PAM_TTY item results in a path
> > which can be relabeled. I think gdm sets it to ":0" on at least some
> > platforms, for example.
> >
> > Is there a particular command or program being run when this happens, or
> > is it happening when you log in?
>
> Hmm...I thought that the SELinux patch for gdm was upstreamed and that
> it no longer needed to use pam_selinux (and I seem to recall pam_selinux
> not working for gdm anyway since the pam_open_session call was made from
> the wrong process to set up the exec context), but I still see a
> pam_selinux entry in /etc/pam.d/gdmsetup. Ok, looking at the gdm SRPM,
> there is definitely SELinux code in daemon/slave.c to get the user's
> default context and set the exec context, so I don't see why you'd need
> pam_selinux for it.

Ok removing from gdm.

From dwalsh at redhat.com Thu Dec 9 17:09:03 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 09 Dec 2004 12:09:03 -0500
Subject: A few policy changes I had to make
In-Reply-To: <41B859DE.1040103@poli.usp.br>
References: <4195810A.1080404@poli.usp.br> <419606AF.6010800@redhat.com> <41B859DE.1040103@poli.usp.br>
Message-ID: <41B886AF.7070905@redhat.com>

Rodrigo Damazio wrote:
> I've made the dontaudit changes you suggested and everything
> seems to still work. However, I'm still having problems
> with apache - I use too many PHP functions which do various things
> such as executing external programs, opening sockets, connecting to
> postgres, etc. that generate avc denied errors. I tried, thus, to
> remove apache.te from domains/program, just to find out that mailman
> depended on it - it gives me an error about mailman_cgi_exec_t (which,
> indeed, is only defined if apache.te is defined, but it appears in the
> mailman.fc file without an ifdef) - adding an ifdef made it all work
> perfectly. I wonder if there's a way to use selinux with apache
> without limiting php functions.
>
> Rodrigo

Not really, that is what the httpd_unified boolean was for: to make apache work with most common environments. I would like to see the AVC messages you are getting on these though. Apache should be able to communicate with postgres using the latest policy.

Are you running NIS on this machine?

Dan

From astephens at ptera.net Thu Dec 9 20:04:16 2004
From: astephens at ptera.net (Arthur Stephens) Date: Thu, 9 Dec 2004 12:04:16 -0800 Subject: disable selinux for httpd Message-ID: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> Ok, I have given up on getting httpd to work under selinux. I would like it disabled for httpd. I know how to do that temporarily with setsebool, but how does one make that permanent? Maybe when I have some time to spare :) I can come back to it. Arthur Stephens Senior Sales Technician Ptera Wireless Internet astephens at ptera.net 509-927-Ptera From dwalsh at redhat.com Thu Dec 9 20:05:34 2004 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 09 Dec 2004 15:05:34 -0500 Subject: disable selinux for httpd In-Reply-To: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> Message-ID: <41B8B00E.7090400@redhat.com> Arthur Stephens wrote: > Ok, I have given up on getting httpd to work under selinux. I would like it disabled for httpd. I know how to do that temporarily with setsebool, but how does one make that permanent? > Maybe when I have some time to spare :) I can come back to it. > Arthur Stephens Senior Sales Technician Ptera Wireless Internet astephens at ptera.net 509-927-Ptera > -- fedora-selinux-list mailing list fedora-selinux-list at redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list setsebool -P XYZ=0 permanently turns off boolean XYZ. system-config-securitylevel also does this. From ad+lists at uni-x.org Thu Dec 9 20:07:00 2004
From: ad+lists at uni-x.org (Alexander Dalloz) Date: Thu, 09 Dec 2004 21:07:00 +0100 Subject: disable selinux for httpd In-Reply-To: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> Message-ID: <1102622820.20556.329.camel@serendipity.dogma.lan> On Thu, 09.12.2004 at 21:04, Arthur Stephens wrote: > Ok, I have given up on getting httpd to work under selinux. I would like it disabled for httpd. I know how to do that temporarily with setsebool, but how does one make that permanent? > Maybe when I have some time to spare :) I can come back to it. > Arthur Stephens Use the GUI tool system-config-securitylevel. It's on the second tab. Alexander -- Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773 legal statement: http://www.uni-x.org/legal.html Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp Serendipity 21:05:55 up 3 days, 20:28, load average: 0.75, 0.36, 0.29 From astephens at ptera.net Thu Dec 9 20:19:41 2004 From: astephens at ptera.net (Arthur Stephens) Date: Thu, 9 Dec 2004 12:19:41 -0800 Subject: disable selinux for httpd References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> Message-ID: <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> I have no GUI - this is just a server. > setsebool -P XYZ=0 permanently turns off boolean XYZ. I typed setsebool -P httpd_disable_trans=1 Returned usage: setsebool boolean value > system-config-securitylevel also does this. This gives me only one option firewall : ( Arthur Stephens Senior Sales Technician Ptera Wireless Internet astephens at ptera.net 509-927-Ptera ----- Original Message -----
From: "Daniel J Walsh" To: "Fedora SELinux support list for users & developers." Sent: Thursday, December 09, 2004 12:05 PM Subject: Re: disable selinux for httpd > Arthur Stephens wrote: >> Ok, I have given up on getting httpd to work under selinux. I would like it disabled for httpd. I know how to do that temporarily with setsebool, but how does one make that permanent? >> Maybe when I have some time to spare :) I can come back to it. >> Arthur Stephens > setsebool -P XYZ=0 permanently turns off boolean XYZ. > system-config-securitylevel also does this. From astephens at ptera.net Thu Dec 9 20:20:42 2004 From: astephens at ptera.net (Arthur Stephens) Date: Thu, 9 Dec 2004 12:20:42 -0800 Subject: disable selinux for httpd References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <1102622820.20556.329.camel@serendipity.dogma.lan> Message-ID: <03fb01c4de2c$8ea26070$c600a8c0@tyliteworker> No GUI, and system-config-securitylevel gives me only one option: firewall. ----- Original Message ----- From: "Alexander Dalloz" To: "Fedora SELinux support list for users & developers." Sent: Thursday, December 09, 2004 12:07 PM Subject: Re: disable selinux for httpd From jorton at redhat.com Thu Dec 9 20:16:53 2004
From: jorton at redhat.com (Joe Orton) Date: Thu, 9 Dec 2004 20:16:53 +0000 Subject: disable selinux for httpd In-Reply-To: <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> Message-ID: <20041209201653.GA16140@redhat.com> On Thu, Dec 09, 2004 at 12:19:41PM -0800, Arthur Stephens wrote: > I have no GUI - this is just a server. >> setsebool -P XYZ=0 permanently turns off boolean XYZ. > I typed setsebool -P httpd_disable_trans=1 Returned usage: setsebool boolean value setsebool -P httpd_disable_trans 1 is the correct syntax. joe From dwalsh at redhat.com Thu Dec 9 20:40:54 2004 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 09 Dec 2004 15:40:54 -0500 Subject: disable selinux for httpd In-Reply-To: <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> Message-ID: <41B8B856.8070408@redhat.com> Arthur Stephens wrote: > I have no GUI - this is just a server. >> setsebool -P XYZ=0 permanently turns off boolean XYZ. > I typed setsebool -P httpd_disable_trans=1 Returned usage: setsebool boolean value >> system-config-securitylevel also does this. > This gives me only one option firewall This sounds like you are not running SELinux or are on a screwed up machine. What does id -Z return? What does sestatus return? > : ( > Arthur Stephens Senior Sales Technician Ptera Wireless Internet astephens at ptera.net 509-927-Ptera > ----- Original Message -----
> From: "Daniel J Walsh" > To: "Fedora SELinux support list for users & developers." > Sent: Thursday, December 09, 2004 12:05 PM > Subject: Re: disable selinux for httpd >> Arthur Stephens wrote: >>> Ok, I have given up on getting httpd to work under selinux. I would like it disabled for httpd. I know how to do that temporarily with setsebool, but how does one make that permanent? >>> Maybe when I have some time to spare :) I can come back to it. >>> Arthur Stephens >> setsebool -P XYZ=0 permanently turns off boolean XYZ. >> system-config-securitylevel also does this. From dwalsh at redhat.com Thu Dec 9 20:41:58 2004
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 09 Dec 2004 15:41:58 -0500 Subject: disable selinux for httpd In-Reply-To: <20041209201653.GA16140@redhat.com> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> <20041209201653.GA16140@redhat.com> Message-ID: <41B8B896.2020908@redhat.com> Joe Orton wrote: > On Thu, Dec 09, 2004 at 12:19:41PM -0800, Arthur Stephens wrote: >> I have no GUI - this is just a server. >>> setsebool -P XYZ=0 permanently turns off boolean XYZ. >> I typed setsebool -P httpd_disable_trans=1 Returned usage: setsebool boolean value > setsebool -P httpd_disable_trans 1 > is the correct syntax. > joe Either should work with libselinux-1.19.1-8. From astephens at ptera.net Thu Dec 9 21:21:47 2004
From: astephens at ptera.net (Arthur Stephens) Date: Thu, 9 Dec 2004 13:21:47 -0800 Subject: disable selinux for httpd References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> <41B8B856.8070408@redhat.com> Message-ID: <043d01c4de35$1769a910$c600a8c0@tyliteworker> > What does id -Z return? root:system_r:unconfined_t > What does sestatus return? SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Policy version: 18 Policy booleans: allow_ypbind active dhcpd_disable_trans inactive httpd_disable_trans active httpd_enable_cgi active httpd_enable_homedirs active httpd_ssi_exec active httpd_tty_comm inactive httpd_unified active mysqld_disable_trans inactive named_disable_trans inactive named_write_master_zones inactive nscd_disable_trans inactive ntpd_disable_trans inactive portmap_disable_trans inactive postgresql_disable_trans inactive snmpd_disable_trans inactive squid_disable_trans inactive syslogd_disable_trans inactive ypbind_disable_trans inactive ----- Original Message ----- From: "Daniel J Walsh" To: "Fedora SELinux support list for users & developers." Sent: Thursday, December 09, 2004 12:40 PM Subject: Re: disable selinux for httpd > Arthur Stephens wrote: >> I have no GUI - this is just a server. >>> setsebool -P XYZ=0 permanently turns off boolean XYZ. >> I typed setsebool -P httpd_disable_trans=1 Returned usage: setsebool boolean value >>> system-config-securitylevel also does this. >> This gives me only one option firewall > This sounds like you are not running SELinux or are on a screwed up machine. > What does id -Z return? > What does sestatus return? >> : ( >> Arthur Stephens Senior Sales Technician Ptera Wireless Internet astephens at ptera.net 509-927-Ptera >> ----- Original Message -----
>> From: "Daniel J Walsh" >> To: "Fedora SELinux support list for users & developers." >> Sent: Thursday, December 09, 2004 12:05 PM >> Subject: Re: disable selinux for httpd >>> Arthur Stephens wrote: >>>> Ok, I have given up on getting httpd to work under selinux. I would like it disabled for httpd. I know how to do that temporarily with setsebool, but how does one make that permanent? >>>> Maybe when I have some time to spare :) I can come back to it. >>>> Arthur Stephens >>> setsebool -P XYZ=0 permanently turns off boolean XYZ. >>> system-config-securitylevel also does this. From jorton at redhat.com Thu Dec 9 21:24:27 2004
From: jorton at redhat.com (Joe Orton) Date: Thu, 9 Dec 2004 21:24:27 +0000 Subject: disable selinux for httpd In-Reply-To: <41B8B896.2020908@redhat.com> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> <20041209201653.GA16140@redhat.com> <41B8B896.2020908@redhat.com> Message-ID: <20041209212427.GA17348@redhat.com> On Thu, Dec 09, 2004 at 03:41:58PM -0500, Daniel J Walsh wrote: > Joe Orton wrote: > > >On Thu, Dec 09, 2004 at 12:19:41PM -0800, Arthur Stephens wrote: > >>> > >>I typed > >>setsebool -P httpd_disable_trans=1 > >>Returned > >>usage: setsebool boolean value > > > >setsebool -P httpd_disable_trans 1 > > > >is the correct syntax. > > > >joe > > > > > Either should work with libselinux-1.19.1-8. I think Arthur has the original FC3 package for which in fact neither work ;) joe From dmack at leviatron.com Fri Dec 10 01:41:03 2004 
From: dmack at leviatron.com (Dave Mack) Date: Thu, 09 Dec 2004 17:41:03 -0800 Subject: disable selinux for httpd In-Reply-To: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> Message-ID: <41B8FEAF.4040302@leviatron.com> I'm curious about the problem with httpd and selinux. I'm running FC3 and Apache-2.0.52 with Selinux in enforcing mode and at least the basic stuff seems to work. What problems are you seeing? Dave Arthur Stephens wrote: > Ok, I have given up on getting httpd to work under selinux. I would like it disabled for httpd. I know how to do that temporarily with setsebool, but how does one make that permanent? > Maybe when I have some time to spare :) I can come back to it. > Arthur Stephens Senior Sales Technician Ptera Wireless Internet astephens at ptera.net 509-927-Ptera From giuseppe.greco at agamura.com Fri Dec 10 13:23:45 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco) Date: Fri, 10 Dec 2004 14:23:45 +0100 Subject: squid.te In-Reply-To: <4c4ba1530412051111630c5288@mail.gmail.com> References: <4c4ba1530412051111630c5288@mail.gmail.com> Message-ID: <1102685026.3257.2.camel@gonzo.agamura.com> ... sorry for my ignorance, but where are *.te files located? I cannot find them... j3d. On Sun, 2004-12-05 at 11:11 -0800, Tom London wrote: > Running strict/enforcing, latest Rawhide > > squid and initrc needs to create/write /var/log/squid/squid.out, etc > > Suggest adding: > allow { squid_t initrc_t } squid_log_t:dir create_dir_perms; > allow { squid_t initrc_t } squid_log_t:file create_file_perms; > > tom -- ---------------------------------------- Giuseppe Greco ::agamura:: phone: +41 (0)91 604 67 65 mobile: +41 (0)79 602 99 27 email: giuseppe.greco at agamura.com web: www.agamura.com ---------------------------------------- From kwade at redhat.com Fri Dec 10 14:30:08 2004 From: kwade at redhat.com (Karsten Wade) Date: Fri, 10 Dec 2004 06:30:08 -0800 Subject: disable selinux for httpd In-Reply-To: <41B8B856.8070408@redhat.com> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> <41B8B856.8070408@redhat.com> Message-ID: <1102689009.7993.6.camel@erato.phig.org> On Thu, 2004-12-09 at 15:40 -0500, Daniel J Walsh wrote: > Arthur Stephens wrote: > > >I have no GUI - this is just a server. > > > This sounds like you are not running SELinux or are on a screwed up machine. > > What does id -Z return? > > What does sestatus return? system-config-securitylevel-tui does not have the SELinux tab in shipping FC3, right? -- Karsten Wade, RHCE, Sr. Tech Writer a lemon is just a melon in disguise http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41 From kwade at redhat.com Fri Dec 10 14:31:02 2004 
From: kwade at redhat.com (Karsten Wade) Date: Fri, 10 Dec 2004 06:31:02 -0800 Subject: disable selinux for httpd In-Reply-To: <41B8FEAF.4040302@leviatron.com> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8FEAF.4040302@leviatron.com> Message-ID: <1102689063.7993.8.camel@erato.phig.org> On Thu, 2004-12-09 at 17:41 -0800, Dave Mack wrote: > I'm curious about the problem with httpd and selinux. I'm running FC3 and Apache-2.0.52 with Selinux in enforcing mode and at least the basic stuff seems to work. What problems are you seeing? Check the list archives starting 29 November for the full saga. Arthur, sorry it's not working out. :( Better luck in the future, I hope. - Karsten > Dave > Arthur Stephens wrote: >> Ok, I have given up on getting httpd to work under selinux. I would like it disabled for httpd. I know how to do that temporarily with setsebool, but how does one make that permanent? >> Maybe when I have some time to spare :) I can come back to it. >> Arthur Stephens Senior Sales Technician Ptera Wireless Internet astephens at ptera.net 509-927-Ptera -- Karsten Wade, RHCE, Sr. Tech Writer a lemon is just a melon in disguise http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41 From kwade at redhat.com Fri Dec 10 14:40:39 2004
From: kwade at redhat.com (Karsten Wade) Date: Fri, 10 Dec 2004 06:40:39 -0800 Subject: squid.te In-Reply-To: <1102685026.3257.2.camel@gonzo.agamura.com> References: <4c4ba1530412051111630c5288@mail.gmail.com> <1102685026.3257.2.camel@gonzo.agamura.com> Message-ID: <1102689640.7993.11.camel@erato.phig.org> On Fri, 2004-12-10 at 14:23 +0100, Giuseppe Greco wrote: > ... sorry for my ignorance, but where are *.te files located? > I cannot find them... You have to have selinux-policy--sources (the policy source package) installed. Then you can find everything within /etc/selinux//src/policy. In this case, you want /etc/selinux//src/policy/domains/program/squid.te. - Karsten > > j3d. > > On Sun, 2004-12-05 at 11:11 -0800, Tom London wrote: > > Running strict/enforcing, latest Rawhide > > > > squid and initrc needs to create/write /var/log/squid/squid.out, etc > > > > Suggest adding: > > allow { squid_t initrc_t } squid_log_t:dir create_dir_perms; > > allow { squid_t initrc_t } squid_log_t:file create_file_perms; > > > > tom -- Karsten Wade, RHCE, Sr. Tech Writer a lemon is just a melon in disguise http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41 From dwalsh at redhat.com Fri Dec 10 18:29:17 2004 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 10 Dec 2004 13:29:17 -0500 Subject: disable selinux for httpd In-Reply-To: <1102689009.7993.6.camel@erato.phig.org> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> <41B8B856.8070408@redhat.com> <1102689009.7993.6.camel@erato.phig.org> Message-ID: <41B9EAFD.2040209@redhat.com> Karsten Wade wrote: > On Thu, 2004-12-09 at 15:40 -0500, Daniel J Walsh wrote: >> Arthur Stephens wrote: >>> I have no GUI - this is just a server. >> This sounds like you are not running SELinux or are on a screwed up machine. >> What does id -Z return? >> What does sestatus return? > system-config-securitylevel-tui does not have the SELinux tab in shipping FC3, right? Yes, we only support the X-Windows version. From ksnider at flarn.com Fri Dec 10 18:38:55 2004 From: ksnider at flarn.com (Ken Snider) Date: Fri, 10 Dec 2004 13:38:55 -0500 Subject: disable selinux for httpd In-Reply-To: <41B9EAFD.2040209@redhat.com> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> <41B8B856.8070408@redhat.com> <1102689009.7993.6.camel@erato.phig.org> <41B9EAFD.2040209@redhat.com> Message-ID: <41B9ED3F.8010400@flarn.com> Daniel J Walsh wrote: > Yes, we only support the X-Windows version. There *is* a TUI/Command line way to change these settings however.. yes? -- Ken Snider From sds at epoch.ncsc.mil Fri Dec 10 18:42:26 2004
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Fri, 10 Dec 2004 13:42:26 -0500 Subject: disable selinux for httpd In-Reply-To: <41B9ED3F.8010400@flarn.com> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> <41B8B856.8070408@redhat.com> <1102689009.7993.6.camel@erato.phig.org> <41B9EAFD.2040209@redhat.com> <41B9ED3F.8010400@flarn.com> Message-ID: <1102704146.1628.177.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2004-12-10 at 13:38, Ken Snider wrote: > Daniel J Walsh wrote: >> Yes, we only support the X-Windows version. > There *is* a TUI/Command line way to change these settings however.. yes? You can always edit /etc/selinux/config or /etc/selinux/(strict|targeted)/booleans directly. setsebool also has a -P option to update the booleans file as well as change the current setting. Any particular reason that system-config-securitylevel tui doesn't support SELinux settings? Shouldn't be hard, right? -- Stephen Smalley National Security Agency From pnasrat at redhat.com Fri Dec 10 21:00:15 2004
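As an added example (not code from the thread or from libselinux), here is the persistence step Stephen describes, the way `setsebool -P` updates the per-policy booleans file, worked on an in-memory copy of such a file; it also accepts both argument spellings from the earlier exchange (`name=value` and `name value`). Assumed: the booleans file holds one `name=value` line per boolean with value 0 or 1, and the sample file contents are constructed from the booleans Arthur's sestatus listed.

```python
"""Persist an SELinux boolean the way `setsebool -P` does, on a copy of the
per-policy booleans file so the logic can be exercised offline.

Added example, not code from the thread or from libselinux. Assumption: the
booleans file is one `name=value` line per boolean (value 0 or 1), plus
optional comment and blank lines."""
import re

BOOL_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(0|1)\s*$")
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample: some of the booleans Arthur's `sestatus` listed, as a
# booleans file would hold them (httpd_disable_trans still off here).
SAMPLE_BOOLEANS = """\
# SELinux booleans for the targeted policy (constructed sample)
allow_ypbind=1
httpd_disable_trans=0
httpd_enable_cgi=1
httpd_unified=1
"""


def parse_setsebool_args(argv):
    """Return (persistent, name, value) from setsebool-style arguments.

    Accepts `[-P] name=value` and `[-P] name value`; anything else raises the
    'usage: setsebool boolean value' error the thread ran into."""
    args = list(argv)
    persistent = False
    if args and args[0] == "-P":
        persistent = True
        args = args[1:]
    if len(args) == 1 and "=" in args[0]:
        name, value = args[0].split("=", 1)
    elif len(args) == 2:
        name, value = args
    else:
        raise ValueError("usage: setsebool [-P] boolean value")
    if value not in ("0", "1"):
        raise ValueError("boolean value must be 0 or 1, got %r" % value)
    if not NAME_RE.match(name):
        raise ValueError("bad boolean name %r" % name)
    return persistent, name, int(value)


def read_booleans(text):
    """Parse booleans-file text into {name: value}; comments and blanks are skipped."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = BOOL_LINE.match(line)
        if m is None:
            raise ValueError("malformed booleans line: %r" % line)
        result[m.group(1)] = int(m.group(2))
    return result


def set_boolean(text, name, value, known=None):
    """Return new file text with `name=value` set; other lines and comments are kept.

    `known` (optional) is the set of booleans the loaded policy defines;
    refusing an unknown name mirrors setsebool rejecting a boolean the policy
    does not have."""
    if known is not None and name not in known:
        raise KeyError("policy has no boolean named %r" % name)
    lines = text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        m = BOOL_LINE.match(line)
        if m and m.group(1) == name:
            lines[i] = "%s=%d" % (name, value)
            replaced = True
    if not replaced:
        lines.append("%s=%d" % (name, value))
    return "\n".join(lines) + "\n"


def run_setsebool(argv, text, known=None):
    """Parse the arguments and, if -P was given, update the booleans file text.

    Returns (name, value, new_text); without -P the text is returned unchanged,
    which is the 'temporary' behaviour Arthur asked about."""
    persistent, name, value = parse_setsebool_args(argv)
    if persistent:
        text = set_boolean(text, name, value, known)
    return name, value, text
```

Per Stephen's note the file is only half of it: the running setting still has to be changed, which is what the -P flag does in addition to writing the file.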
From: pnasrat at redhat.com (Paul Nasrat) Date: Fri, 10 Dec 2004 16:00:15 -0500 Subject: disable selinux for httpd In-Reply-To: <1102704146.1628.177.camel@moss-spartans.epoch.ncsc.mil> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> <41B8B856.8070408@redhat.com> <1102689009.7993.6.camel@erato.phig.org> <41B9EAFD.2040209@redhat.com> <41B9ED3F.8010400@flarn.com> <1102704146.1628.177.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1102712416.16317.1.camel@anu.eridu> On Fri, 2004-12-10 at 13:42 -0500, Stephen Smalley wrote: > On Fri, 2004-12-10 at 13:38, Ken Snider wrote: >> Daniel J Walsh wrote: >>> Yes, we only support the X-Windows version. >> There *is* a TUI/Command line way to change these settings however.. yes? > You can always edit /etc/selinux/config or /etc/selinux/(strict|targeted)/booleans directly. setsebool also has a -P option to update the booleans file as well as change the current setting. > Any particular reason that system-config-securitylevel tui doesn't support SELinux settings? Shouldn't be hard, right? I imagine it's just a time issue; I think all the selinux stuff is within selinuxPage rather than lokkit.c. We probably should dump lokkit.c and have a python backend, then cli/tui/gui on top, properly. Paul From dwalsh at redhat.com Fri Dec 10 21:36:09 2004
From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 10 Dec 2004 16:36:09 -0500 Subject: disable selinux for httpd In-Reply-To: <1102712416.16317.1.camel@anu.eridu> References: <03c301c4de2a$4347ace0$c600a8c0@tyliteworker> <41B8B00E.7090400@redhat.com> <03e701c4de2c$6a32fbf0$c600a8c0@tyliteworker> <41B8B856.8070408@redhat.com> <1102689009.7993.6.camel@erato.phig.org> <41B9EAFD.2040209@redhat.com> <41B9ED3F.8010400@flarn.com> <1102704146.1628.177.camel@moss-spartans.epoch.ncsc.mil> <1102712416.16317.1.camel@anu.eridu> Message-ID: <41BA16C9.10700@redhat.com> Paul Nasrat wrote: > On Fri, 2004-12-10 at 13:42 -0500, Stephen Smalley wrote: >> On Fri, 2004-12-10 at 13:38, Ken Snider wrote: >>> Daniel J Walsh wrote: >>>> Yes, we only support the X-Windows version. >>> There *is* a TUI/Command line way to change these settings however.. yes? >> You can always edit /etc/selinux/config or /etc/selinux/(strict|targeted)/booleans directly. setsebool also has a -P option to update the booleans file as well as change the current setting. >> Any particular reason that system-config-securitylevel tui doesn't support SELinux settings? Shouldn't be hard, right? > I imagine it's just a time issue; I think all the selinux stuff is within selinuxPage rather than lokkit.c. We probably should dump lokkit.c and have a python backend, then cli/tui/gui on top, properly. Yup, a lot easier to do in python than in "c". > Paul From giuseppe.greco at agamura.com Sat Dec 11 10:44:09 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco) Date: Sat, 11 Dec 2004 11:44:09 +0100 Subject: squid.te In-Reply-To: <1102689640.7993.11.camel@erato.phig.org> References: <4c4ba1530412051111630c5288@mail.gmail.com> <1102685026.3257.2.camel@gonzo.agamura.com> <1102689640.7993.11.camel@erato.phig.org> Message-ID: <1102761849.3257.81.camel@gonzo.agamura.com> Thanks, now I've added the following two lines to /etc/selinux/targeted/src/policy/domains/program/squid.te: allow { squid_t initrc_t } squid_log_t:dir create_dir_perms; allow { squid_t initrc_t } squid_log_t:file create_file_perms; ... but I still get the following error messages when restarting squid: Starting squid: audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t tclass=dir I've also a similar problem with sendmail when accessed via squirrelmail: audit(1102761151.989:0): avc denied { search } for pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir audit(1102761496.288:0): avc denied { getattr } for pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir I don't know how to proceed... j3d. On Fri, 2004-12-10 at 06:40 -0800, Karsten Wade wrote: > On Fri, 2004-12-10 at 14:23 +0100, Giuseppe Greco wrote: >> ... sorry for my ignorance, but where are *.te files located? I cannot find them... > You have to have selinux-policy--sources (the policy source package) installed. Then you can find everything within /etc/selinux//src/policy. In this case, you want /etc/selinux//src/policy/domains/program/squid.te.
> > - Karsten > > > > j3d. > > > > On Sun, 2004-12-05 at 11:11 -0800, Tom London wrote: > > > Running strict/enforcing, latest Rawhide > > > > > > squid and initrc needs to create/write /var/log/squid/squid.out, etc > > > > > > Suggest adding: > > > allow { squid_t initrc_t } squid_log_t:dir create_dir_perms; > > > allow { squid_t initrc_t } squid_log_t:file create_file_perms; > > > > > > tom -- ---------------------------------------- Giuseppe Greco ::agamura:: phone: +41 (0)91 604 67 65 mobile: +41 (0)79 602 99 27 email: giuseppe.greco at agamura.com web: www.agamura.com ---------------------------------------- From dwalsh at redhat.com Mon Dec 13 14:26:35 2004 
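An added example, not code from the thread or from the policy tools: a small parser for the AVC records Giuseppe quoted that merges them into candidate allow rules (something to review against the policy, not to paste into a .te file blindly) and then checks which of the denials his two squid_log_t rules actually cover (none, since the targets are boot_t, tmp_t and var_spool_t). The sample records are constructed from the ones quoted above; the expansions for create_dir_perms and create_file_perms are a simplified assumption, not the real policy macros.

```python
"""Parse the FC3-era AVC denial records quoted in the thread, summarize them
as candidate allow rules, and check which denials a set of hand-written
allow rules actually covers.

Added example, not code from the thread. Sample input is constructed from
the quoted records; MACROS is a simplified, assumed expansion."""
import re
from collections import defaultdict

# Constructed sample: the four denials Giuseppe posted, one record per line.
SAMPLE_AVC = """\
Starting squid: audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir
audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1102761151.989:0): avc denied { search } for pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1102761496.288:0): avc denied { getattr } for pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
"""

# "avc: denied" is the kernel spelling; the httpd records in the thread read
# "avc denied" without the colon, so the colon is optional here.
AVC_RE = re.compile(r"avc:?\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed, simplified expansions of the two macros used in Giuseppe's rules.
MACROS = {
    "create_dir_perms": {"create", "read", "getattr", "lock", "search", "ioctl",
                         "add_name", "remove_name", "write", "link", "unlink",
                         "rename", "rmdir", "reparent"},
    "create_file_perms": {"create", "read", "getattr", "lock", "write", "append",
                          "ioctl", "link", "unlink", "rename"},
}


def type_of(context):
    """user:role:type -> type (the third colon-separated field)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one denial record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    try:
        return {
            "perms": set(m.group("perms").split()),
            "stype": type_of(fields["scontext"]),
            "ttype": type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "exe": fields.get("exe"),
            "path": fields.get("path") or fields.get("name"),
        }
    except KeyError:  # truncated record with no contexts or class to key on
        return None


def summarize(text):
    """Group denials by (source type, target type, class), merging permissions."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def to_allow_rules(summary):
    """Render the summary as candidate allow rules for review, one per key."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(summary.items())]


# allow <type or { types }> <type>:<class> <perm or macro or { perms }>;
RULE_RE = re.compile(r"allow\s+(\{[^}]*\}|\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")


def parse_rule(rule):
    """Parse a simple allow rule into (sources, ttype, tclass, perms)."""
    m = RULE_RE.search(rule)
    if m is None:
        raise ValueError("not a simple allow rule: %r" % rule)
    sources = set(m.group(1).strip("{} ").split())
    perms = set()
    for tok in m.group(4).strip("{} ").split():
        perms |= MACROS.get(tok, {tok})   # macro expands, plain perm stays
    return sources, m.group(2), m.group(3), perms


def uncovered(text, rules):
    """Map (stype, ttype, tclass) -> perms that `rules` still do not allow."""
    parsed = [parse_rule(r) for r in rules]
    left = {}
    for (s, t, c), perms in summarize(text).items():
        allowed = set()
        for sources, tt, tc, rperms in parsed:
            if s in sources and t == tt and c == tc:
                allowed |= rperms
        if perms - allowed:
            left[(s, t, c)] = perms - allowed
    return left
```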
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 13 Dec 2004 09:26:35 -0500 Subject: squid.te In-Reply-To: <1102761849.3257.81.camel@gonzo.agamura.com> References: <4c4ba1530412051111630c5288@mail.gmail.com> <1102685026.3257.2.camel@gonzo.agamura.com> <1102689640.7993.11.camel@erato.phig.org> <1102761849.3257.81.camel@gonzo.agamura.com> Message-ID: <41BDA69B.9040900@redhat.com> Giuseppe Greco wrote: > Thanks, now I've added the following two lines to /etc/selinux/targeted/src/policy/domains/program/squid.te: > allow { squid_t initrc_t } squid_log_t:dir create_dir_perms; > allow { squid_t initrc_t } squid_log_t:file create_file_perms; > ... but I still get the following error messages when restarting squid: > Starting squid: audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir > audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t tclass=dir > I've also a similar problem with sendmail when accessed via squirrelmail: > audit(1102761151.989:0): avc denied { search } for pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir > audit(1102761496.288:0): avc denied { getattr } for pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir > I don't know how to proceed... > j3d. All of these should be covered by the latest policy files. Have you updated your policy files? Dan From giuseppe.greco at agamura.com Mon Dec 13 14:56:20 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco) Date: Mon, 13 Dec 2004 15:56:20 +0100 Subject: squid.te In-Reply-To: <41BDA69B.9040900@redhat.com> References: <4c4ba1530412051111630c5288@mail.gmail.com> <1102685026.3257.2.camel@gonzo.agamura.com> <1102689640.7993.11.camel@erato.phig.org> <1102761849.3257.81.camel@gonzo.agamura.com> <41BDA69B.9040900@redhat.com> Message-ID: <1102949780.3478.1.camel@gonzo.agamura.com> On Mon, 2004-12-13 at 09:26 -0500, Daniel J Walsh wrote: > Giuseppe Greco wrote: >> Thanks, now I've added the following two lines to /etc/selinux/targeted/src/policy/domains/program/squid.te: >> allow { squid_t initrc_t } squid_log_t:dir create_dir_perms; >> allow { squid_t initrc_t } squid_log_t:file create_file_perms; >> ... but I still get the following error messages when restarting squid: >> Starting squid: audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir >> audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t tclass=dir >> I've also a similar problem with sendmail when accessed via squirrelmail: >> audit(1102761151.989:0): avc denied { search } for pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir >> audit(1102761496.288:0): avc denied { getattr } for pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir >> I don't know how to proceed... >> j3d. > All of these should be covered by the latest policy files. Have you updated your policy files? Yes, I'm up2date... j3d.
> Dan From dwalsh at redhat.com Mon Dec 13 14:59:44 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 13 Dec 2004 09:59:44 -0500
Subject: squid.te
In-Reply-To: <1102949780.3478.1.camel@gonzo.agamura.com>
References: <4c4ba1530412051111630c5288@mail.gmail.com> <1102685026.3257.2.camel@gonzo.agamura.com> <1102689640.7993.11.camel@erato.phig.org> <1102761849.3257.81.camel@gonzo.agamura.com> <41BDA69B.9040900@redhat.com> <1102949780.3478.1.camel@gonzo.agamura.com>
Message-ID: <41BDAE60.80005@redhat.com>

Giuseppe Greco wrote:
>On Mon, 2004-12-13 at 09:26 -0500, Daniel J Walsh wrote:
>>Giuseppe Greco wrote:
>>>Thanks,
>>>
>>>now I've added the following two lines
>>>to /etc/selinux/targeted/src/policy/domains/program/squid.te:
>>>
>>>allow { squid_t initrc_t } squid_log_t:dir create_dir_perms;
>>>allow { squid_t initrc_t } squid_log_t:file create_file_perms;
>>>
>>>... but I still get the following error message when restarting
>>>squid:
>>>
>>>Starting squid: audit(1102241826.255.0): avc: denied { getattr } for
>>> pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2
>>> scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t
>>> tclass=dir
>>>
>>>audit(1102241826.255.0): avc: denied { getattr } for
>>> pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2
>>> scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t
>>> tclass=dir
>>>
>>>I've also a similar problem with sendmail when accessed via
>>>squirrelmail:
>>>
>>>audit(1102761151.989:0): avc denied { search } for
>>> pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002
>>> scontext=user_u:system_r:httpd_t
>>> tcontext=system_u:object_r:var_spool_t tclass=dir
>>>
>>>audit(1102761496.288:0): avc denied { getattr } for
>>> pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002
>>> scontext=user_u:system_r:httpd_t
>>> tcontext=system_u:object_r:var_spool_t tclass=dir
>>>
>>>I don't know how to proceed...
>>>j3d.
>>>
>>All of these should be covered by the latest policy files. Have you
>>updated your policy files?
>>
>Yes, I'm up2date...
>j3d.
>
What version of selinux-policy-targeted?

>>Dan
>>

From giuseppe.greco at agamura.com Mon Dec 13 15:12:08 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco)
Date: Mon, 13 Dec 2004 16:12:08 +0100
Subject: squid.te
In-Reply-To: <41BDAE60.80005@redhat.com>
References: <4c4ba1530412051111630c5288@mail.gmail.com> <1102685026.3257.2.camel@gonzo.agamura.com> <1102689640.7993.11.camel@erato.phig.org> <1102761849.3257.81.camel@gonzo.agamura.com> <41BDA69B.9040900@redhat.com> <1102949780.3478.1.camel@gonzo.agamura.com> <41BDAE60.80005@redhat.com>
Message-ID: <1102950728.3478.4.camel@gonzo.agamura.com>

On Mon, 2004-12-13 at 09:59 -0500, Daniel J Walsh wrote:
> Giuseppe Greco wrote:
> >On Mon, 2004-12-13 at 09:26 -0500, Daniel J Walsh wrote:
> >>Giuseppe Greco wrote:
> >>>Thanks,
> >>>
> >>>now I've added the following two lines
> >>>to /etc/selinux/targeted/src/policy/domains/program/squid.te:
> >>>
> >>>allow { squid_t initrc_t } squid_log_t:dir create_dir_perms;
> >>>allow { squid_t initrc_t } squid_log_t:file create_file_perms;
> >>>
> >>>... but I still get the following error message when restarting
> >>>squid:
> >>>
> >>>Starting squid: audit(1102241826.255.0): avc: denied { getattr } for
> >>> pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2
> >>> scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t
> >>> tclass=dir
> >>>
> >>>audit(1102241826.255.0): avc: denied { getattr } for
> >>> pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2
> >>> scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t
> >>> tclass=dir
> >>>
> >>>I've also a similar problem with sendmail when accessed via
> >>>squirrelmail:
> >>>
> >>>audit(1102761151.989:0): avc denied { search } for
> >>> pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002
> >>> scontext=user_u:system_r:httpd_t
> >>> tcontext=system_u:object_r:var_spool_t tclass=dir
> >>>
> >>>audit(1102761496.288:0): avc denied { getattr } for
> >>> pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002
> >>> scontext=user_u:system_r:httpd_t
> >>> tcontext=system_u:object_r:var_spool_t tclass=dir
> >>>
> >>>I don't know how to proceed...
> >>>j3d.
> >>>
> >>All of these should be covered by the latest policy files. Have you
> >>updated your policy files?
> >>
> >Yes, I'm up2date...
> >j3d.
> >
> What version of selinux-policy-targeted?
>
The version is 1.17.30-2.39

j3d.

> >>Dan
> >>

From sds at epoch.ncsc.mil Mon Dec 13 19:08:49 2004
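The squid thread above shows the usual loop: read an AVC denial, add an allow rule, get the next denial. The script below is an added example, written for this page and not code from the thread or from the Fedora policy packages. It parses the denial lines quoted above (copied here as constructed sample input, in the exact forms they were posted, plus one constructed line whose target is unlabeled_t to show the case Stephen Smalley describes in the "labelling issues" reply further down) into audit2allow-style candidate rules, and sorts each one into "candidate", "relabel" or "review", so that the judgement Dan applies by hand (mislabeled object, rule already in the current package, or permission that should not be granted at all) is explicit. All function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: the denials quoted in this thread, in the exact forms posted
# (note "avc: denied" vs "avc denied" and the mis-typed "255.0" serial), plus one
# constructed line whose target carries no label at all.
SAMPLE_AVC = """\
Starting squid: audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir
audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1102761151.989:0): avc denied { search } for pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1102761496.288:0): avc denied { getattr } for pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1103229440.677.0): avc: denied { unlink } for pid=2671 exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
audit(1103300000.000:0): avc: denied { read } for pid=999 exe=/usr/sbin/httpd path=/var/www/html/index.html dev=dm-6 ino=1 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:unlabeled_t tclass=file
"""

# Tolerates both "avc: denied" and "avc denied", and any prefix before "audit(".
AVC_RE = re.compile(r"avc:?\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the parts of one AVC denial needed for a rule, or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # A security context is user:role:type (an MLS range may follow); we want the type.
    source = fields["scontext"].split(":")[2]
    target = fields["tcontext"].split(":")[2]
    return {
        "perms": set(m.group("perms").split()),
        "source": source,
        "target": target,
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name", "?"),
    }


def summarize(lines):
    """Merge denials by (source type, target type, class), as audit2allow does."""
    merged = OrderedDict()
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            key = (d["source"], d["target"], d["tclass"])
            merged.setdefault(key, set()).update(d["perms"])
    return merged


def candidate_rule(source, target, tclass, perms):
    """Render one merged denial as the allow rule that would silence it."""
    return "allow %s %s:%s { %s };" % (source, target, tclass, " ".join(sorted(perms)))


def triage(source, target, tclass, perms):
    """Classify a merged denial before anyone copies its allow rule into policy."""
    if target == "unlabeled_t":
        # The object has no label, typically because it was written while SELinux
        # was disabled; the fix is a relabel, not a rule granting access to unlabeled_t.
        return "relabel"
    if "unlink" in perms and target.endswith("_log_t"):
        # Letting a daemon delete its own log type lets a compromised daemon erase
        # its tracks; fix whatever creates the file in the log dir instead.
        return "review"
    return "candidate"


def report(lines):
    """Return (status, rule) pairs for every distinct denial in the input."""
    return [
        (triage(s, t, c, p), candidate_rule(s, t, c, p))
        for (s, t, c), p in summarize(lines).items()
    ]


if __name__ == "__main__":
    for status, rule in report(SAMPLE_AVC.splitlines()):
        print("%-9s %s" % (status, rule))
```

The two squid lines come out as plain "candidate" rules, and that is exactly the case where Dan's answer is "update the package" rather than "add the rule": a denial alone cannot tell you whether the current selinux-policy-targeted already covers it, so compare every candidate against the installed policy (and its version, as Dan asks) before touching squid.te.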
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 13 Dec 2004 14:08:49 -0500
Subject: labelling issues
In-Reply-To: <20041209161433.GA11218@redhat.com>
References: <20041203080343.GA28886@redhat.com> <1102081001.29971.33.camel@moss-spartans.epoch.ncsc.mil> <1102081338.29971.37.camel@moss-spartans.epoch.ncsc.mil> <20041208232715.GA8302@redhat.com> <1102598376.32175.22.camel@moss-spartans.epoch.ncsc.mil> <1102598794.32175.24.camel@moss-spartans.epoch.ncsc.mil> <20041209161433.GA11218@redhat.com>
Message-ID: <1102964929.27895.32.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-12-09 at 11:14, Joe Orton wrote:
> Thanks Stephen. If you'd rather I just CC you immediately the next time
> this is reported, or if you have some new questions I should be asking
> people, then just let me know.

We should ask people who encounter this behavior if they have ever run
with SELinux disabled and then re-enabled SELinux without running
fixfiles relabel, as the files may become unlabeled while running with
SELinux disabled if they are updated or prelinked during that time.

--
Stephen Smalley
National Security Agency

From giuseppe.greco at agamura.com Tue Dec 14 10:59:04 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco)
Date: Tue, 14 Dec 2004 11:59:04 +0100
Subject: I give up...
Message-ID: <1103021944.3478.17.camel@gonzo.agamura.com>

Hi all,

I think I give up... no way to get my SELinux
system working as it should. For the moment,
I've just disabled it.

I've tried everything, but nothing... What's strange is
that I've these problems only on a machine where I updated
from FC1 to FC3. On other machines where I installed FC3
from scratch I've no problems at all.

j3d.

--
----------------------------------------
Giuseppe Greco
::agamura::

phone: +41 (0)91 604 67 65
mobile: +41 (0)79 602 99 27
email: giuseppe.greco at agamura.com
web: www.agamura.com
----------------------------------------

From kwade at redhat.com Tue Dec 14 13:08:46 2004
From: kwade at redhat.com (Karsten Wade)
Date: Tue, 14 Dec 2004 05:08:46 -0800
Subject: I give up...
In-Reply-To: <1103021944.3478.17.camel@gonzo.agamura.com>
References: <1103021944.3478.17.camel@gonzo.agamura.com>
Message-ID: <1103029727.3695.148.camel@erato.phig.org>

On Tue, 2004-12-14 at 11:59 +0100, Giuseppe Greco wrote:
> Hi all,
>
> I think I give up... no way to get my SELinux
> system working as it should. For the moment,
> I've just disabled it.

Was your problem only with squid?

Did you just turn off the squid Boolean (in system-config-securitylevel
or with setsebool)? Or did you have to disable SELinux entirely?

If you can, it is recommended to leave SELinux running and disable it
only for the daemon you are having problems with.

> I've tried everything, but nothing... What's strange is
> that I've these problems only on a machine where I updated
> from FC1 to FC3. On other machines where I installed FC3
> from scratch I've no problems at all.

I'm working with an FC1 -> FC3 upgrade (via Anaconda), and although I'm
not having SELinux problems, I do have other instabilities. I think
that's a fairly big leap to be taking, so it's not surprising that some
older, remaining packages are causing me problems. This seems to be a
unique situation -- the delta between FC1 and FC3 is much larger than
usual.

- Karsten
--
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From giuseppe.greco at agamura.com Tue Dec 14 13:47:04 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco)
Date: Tue, 14 Dec 2004 14:47:04 +0100
Subject: I give up...
In-Reply-To: <1103029727.3695.148.camel@erato.phig.org>
References: <1103021944.3478.17.camel@gonzo.agamura.com> <1103029727.3695.148.camel@erato.phig.org>
Message-ID: <1103032024.3478.27.camel@gonzo.agamura.com>

On Tue, 2004-12-14 at 05:08 -0800, Karsten Wade wrote:
> On Tue, 2004-12-14 at 11:59 +0100, Giuseppe Greco wrote:
> > Hi all,
> >
> > I think I give up... no way to get my SELinux
> > system working as it should. For the moment,
> > I've just disabled it.
>
> Was your problem only with squid?

No, I've also problems with squirrelmail when trying to send emails
with attachments (simple emails without attachments are OK):

audit(1102761151.989:0): avc denied { search } for pid=1841
 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002
 scontext=user_u:system_r:httpd_t
 tcontext=system_u:object_r:var_spool_t tclass=dir

audit(1102761496.288:0): avc denied { getattr } for pid=1841
 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002
 scontext=user_u:system_r:httpd_t
 tcontext=system_u:object_r:var_spool_t tclass=dir

> Did you just turn off the squid Boolean (in system-config-securitylevel
> or with setsebool)? Or did you have to disable SELinux entirely?

I've disabled SELinux entirely in /etc/selinux/config by setting
SELINUX=disabled...

> If you can, it is recommended to leave SELinux running and disable it
> only for the daemon you are having problems with.

Yes, that could be a much better idea...

> > I've tried everything, but nothing... What's strange is
> > that I've these problems only on a machine where I updated
> > from FC1 to FC3. On other machines where I installed FC3
> > from scratch I've no problems at all.
>
> I'm working with an FC1 -> FC3 upgrade (via Anaconda), and although I'm
> not having SELinux problems, I do have other instabilities. I think
> that's a fairly big leap to be taking, so it's not surprising that some
> older, remaining packages are causing me problems. This seems to be a
> unique situation -- the delta between FC1 and FC3 is much larger than
> usual.

What could be the solution? Backup the configuration and reinstall FC3
from scratch?

Thanks,
j3d.

> - Karsten

--
----------------------------------------
Giuseppe Greco
::agamura::

phone: +41 (0)91 604 67 65
mobile: +41 (0)79 602 99 27
email: giuseppe.greco at agamura.com
web: www.agamura.com
----------------------------------------

From marciorg at inf.ufes.br Wed Dec 15 12:55:34 2004
From: marciorg at inf.ufes.br (Márcio da Rós Gomes)
Date: Wed, 15 Dec 2004 10:55:34 -0200
Subject: I give up...
In-Reply-To: <1103032024.3478.27.camel@gonzo.agamura.com>
References: <1103021944.3478.17.camel@gonzo.agamura.com> <1103029727.3695.148.camel@erato.phig.org> <1103032024.3478.27.camel@gonzo.agamura.com>
Message-ID: <1103115334.41c034468e5c8@www.inf.ufes.br>

> No, I've also problems with squirrelmail when trying to send emails
> with attachments (simple emails without attachments are OK):

I had a problem like this and the attachment dir
(/var/spool/squirrelmail/attach/) had the wrong permissions. I changed the
permissions and everything worked as expected with SElinux enabled and
enforcing. I think the squirrelmail rpm is not setting the correct permissions
on that dir.

Below is a note of the squirrelmail config script:

-------------------------------
Note: There are a few security considerations regarding this directory:

1. It should have the permission 733 (rwx-wx-wx) to make it impossible
   for a random person with access to the webserver to list files in
   this directory. Confidential data might be laying around in there.
   Depending on your user:group assignments, 730 (rwx-wx---) may be
   possible, and more secure (e.g. root:apache)
2. Since the webserver is not able to list the files in the content is
   also impossible for the webserver to delete files lying around there
   for too long.
3. It should probably be another directory than the data directory
   specified in option 3.
--------------------------------

Maybe this helps,

Marcio

From jorton at redhat.com Wed Dec 15 14:15:30 2004
From: jorton at redhat.com (Joe Orton)
Date: Wed, 15 Dec 2004 14:15:30 +0000
Subject: I give up...
In-Reply-To: <1103115334.41c034468e5c8@www.inf.ufes.br>
References: <1103021944.3478.17.camel@gonzo.agamura.com> <1103029727.3695.148.camel@erato.phig.org> <1103032024.3478.27.camel@gonzo.agamura.com> <1103115334.41c034468e5c8@www.inf.ufes.br>
Message-ID: <20041215141530.GA24315@redhat.com>

On Wed, Dec 15, 2004 at 10:55:34AM -0200, Márcio da Rós Gomes wrote:
> > No, I've also problems with squirrelmail when trying to send emails
> > with attachments (simple emails without attachments are OK):
>
> I had a problem like this and the attachment dir
> (/var/spool/squirrelmail/attach/) had the wrong permissions. I changed the
> permissions and everything worked as expected with SElinux enabled and
> enforcing. I think the squirrelmail rpm is not setting the correct permissions
> on that dir.

The permissions of /var/spool/squirrelmail/attach should be correct out
of the box. The policy didn't allow writing to this directory but that
was fixed recently, it should be in the current or next update of the
FC3 targeted policy package. If not, please file a bug!

Regards,

joe

From francoisdufour at hotmail.com Wed Dec 15 18:34:51 2004
From: francoisdufour at hotmail.com (FRANCOIS Dufour)
Date: Wed, 15 Dec 2004 18:34:51 +0000
Subject: sql table under fedora core3
Message-ID:

hi to all !

I've got a JSP application running on Tomcat 4, already installed with
success using the /local folder. I had a couple of problems setting it up
but now it's ok.

My question is: I have my SQL table created under Windows OS. How do I
transfer it (copy it where) so my JSP application can find its table
under Fedora Core 3? The web app only needs MySQL running with its table
loaded in. As far as I've read today it's a Python application that
controls MySQL.

thanks in advance
friendly

francoisdufour at hotmail.com
administrateur
http://entre-nous.qc.tc

From kevymac at yahoo.com Thu Dec 16 03:24:34 2004
From: kevymac at yahoo.com (Kevin McConnell)
Date: Wed, 15 Dec 2004 19:24:34 -0800 (PST)
Subject: sql table under fedora core3
In-Reply-To:
Message-ID: <20041216032434.59156.qmail@web50501.mail.yahoo.com>

--- FRANCOIS Dufour wrote:
> hi to all !

Hello Francois,

> I've got a JSP application running on Tomcat 4, already
> installed with success
> using the /local folder
> I had a couple of problems setting it up but now it's ok
> my question is I have my SQL table created under
> Windows OS
> how do I transfer it (copy it where) so my JSP
> application can find its table
> under Fedora Core 3
> the web app only needs MySQL running with its table
> loaded in
> as far as I've read today it's a Python application that
> controls MySQL

First off, I would just like to remind you, that you
are posting to the fedora selinux list, which none of
the above mentioned applications have anything to do
with. In the future, please direct your questions
regarding mysql, to the mysql mailing list.

That said, the best place for this documentation would
be found here:
http://dev.mysql.com/doc/mysql/en/mysqlimport.html

> thanks in advance
> friendly

You're welcome.

=====
Kevin C. McConnell --RHCE # 805299480800193 since July 2, 1999--
Freedom in software, now freedom in life.
http://www.freestateproject.org/

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From giuseppe.greco at agamura.com Thu Dec 16 18:01:19 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco)
Date: Thu, 16 Dec 2004 19:01:19 +0100
Subject: SELinux... a never ending story!
Message-ID: <1103220079.6588.8.camel@gonzo.agamura.com>

Hi all,

to solve the problems I described in my previous emails,
I've backed up my configuration and reinstalled FC3 from
scratch.

Now I'm not able to run squirrelmail... I always get the
following error message:

audit(1103219472.797:0): avc: denied { read } for pid=25107
 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=96012
 scontext=root:system_r:httpd_t
 tcontext=system_u:object_r:bin_t tclass=lnk_file

Any idea how to help a poor desperate?
j3d.

--
----------------------------------------
Giuseppe Greco
::agamura::

phone: +41 (0)91 604 67 65
mobile: +41 (0)79 602 99 27
email: giuseppe.greco at agamura.com
web: www.agamura.com
----------------------------------------

From dwalsh at redhat.com Thu Dec 16 18:11:05 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 16 Dec 2004 13:11:05 -0500
Subject: SELinux... a never ending story!
In-Reply-To: <1103220079.6588.8.camel@gonzo.agamura.com>
References: <1103220079.6588.8.camel@gonzo.agamura.com>
Message-ID: <41C1CFB9.1060405@redhat.com>

Giuseppe Greco wrote:
>Hi all,
>
>to solve the problems I described in my previous emails,
>I've backed up my configuration and reinstalled FC3 from
>scratch.
>
>Now I'm not able to run squirrelmail... I always get the
>following error message:
>
>audit(1103219472.797:0): avc: denied { read } for pid=25107
> exe=/usr/sbin/httpd name=sh dev=dm-0 ino=96012
> scontext=root:system_r:httpd_t
> tcontext=system_u:object_r:bin_t tclass=lnk_file
>
>Any idea how to help a poor desperate?
>j3d.
>
Update your policy file, via yum update.

From dwalsh at redhat.com Thu Dec 16 18:24:34 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 16 Dec 2004 13:24:34 -0500
Subject: Experimental Version of Dump available.
Message-ID: <41C1D2E2.2060901@redhat.com>

I have added a new version of dump/restore to Rawhide to allow dumping
and restore of Extended Attributes. Any testing you can do with this
code would be appreciated.

Version dump-0.4b37-2

Dan

From giuseppe.greco at agamura.com Thu Dec 16 20:44:41 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco)
Date: Thu, 16 Dec 2004 21:44:41 +0100
Subject: SELinux... a never ending story!
In-Reply-To: <41C1CFB9.1060405@redhat.com>
References: <1103220079.6588.8.camel@gonzo.agamura.com> <41C1CFB9.1060405@redhat.com>
Message-ID: <1103229882.6588.15.camel@gonzo.agamura.com>

On Thu, 2004-12-16 at 13:11 -0500, Daniel J Walsh wrote:
> Giuseppe Greco wrote:
> >Hi all,
> >
> >to solve the problems I described in my previous emails,
> >I've backed up my configuration and reinstalled FC3 from
> >scratch.
> >
> >Now I'm not able to run squirrelmail... I always get the
> >following error message:
> >
> >audit(1103219472.797:0): avc: denied { read } for pid=25107
> > exe=/usr/sbin/httpd name=sh dev=dm-0 ino=96012
> > scontext=root:system_r:httpd_t
> > tcontext=system_u:object_r:bin_t tclass=lnk_file
> >
> >Any idea how to help a poor desperate?
> >j3d.
> >
> Update your policy file, via yum update.

done... and now I get

audit(1103229440.677.0): avc: denied { unlink } for pid=2671
 exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037
 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t
 tclass=file

j3d.

--
----------------------------------------
Giuseppe Greco
::agamura::

phone: +41 (0)91 604 67 65
mobile: +41 (0)79 602 99 27
email: giuseppe.greco at agamura.com
web: www.agamura.com
----------------------------------------

From kwade at redhat.com Fri Dec 17 01:44:02 2004
From: kwade at redhat.com (Karsten Wade)
Date: Thu, 16 Dec 2004 17:44:02 -0800
Subject: dhcp_defined
Message-ID: <1103247843.3695.260.camel@erato.phig.org>

Both dhcpd.fc and dhcpc.fc have an ifdef statement for `dhcp_defined'.
It seems to be related to pump usage in dhcpc.fc.

I can't find where dhcp_defined gets set to true or false. What is this
for and how is it used?

Somehow I feel as if I'm missing something obvious. However, this is
the only *_defined I can find in the policy.

thx - Karsten
--
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From dwalsh at redhat.com Fri Dec 17 03:47:32 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 16 Dec 2004 22:47:32 -0500
Subject: dhcp_defined
In-Reply-To: <1103247843.3695.260.camel@erato.phig.org>
References: <1103247843.3695.260.camel@erato.phig.org>
Message-ID: <41C256D4.5070509@redhat.com>

Karsten Wade wrote:
>Both dhcpd.fc and dhcpc.fc have an ifdef statement for `dhcp_defined'.
>It seems to be related to pump usage in dhcpc.fc.
>
>I can't find where dhcp_defined gets set to true or false. What is this
>for and how is it used?
>
>Somehow I feel as if I'm missing something obvious. However, this is
>the only *_defined I can find in the policy.
>
>thx - Karsten
>
They both define it. This way if one or the other is not included the
dhcpd_state still gets labeled. If they are both included in policy, the
file context would get defined twice and the compiler does not like that.

Dan

From dwalsh at redhat.com Fri Dec 17 03:50:56 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 16 Dec 2004 22:50:56 -0500
Subject: SELinux... a never ending story!
In-Reply-To: <1103229882.6588.15.camel@gonzo.agamura.com>
References: <1103220079.6588.8.camel@gonzo.agamura.com> <41C1CFB9.1060405@redhat.com> <1103229882.6588.15.camel@gonzo.agamura.com>
Message-ID: <41C257A0.2000201@redhat.com>

Giuseppe Greco wrote:
>On Thu, 2004-12-16 at 13:11 -0500, Daniel J Walsh wrote:
>>Giuseppe Greco wrote:
>>>Hi all,
>>>
>>>to solve the problems I described in my previous emails,
>>>I've backed up my configuration and reinstalled FC3 from
>>>scratch.
>>>
>>>Now I'm not able to run squirrelmail... I always get the
>>>following error message:
>>>
>>>audit(1103219472.797:0): avc: denied { read } for pid=25107
>>> exe=/usr/sbin/httpd name=sh dev=dm-0 ino=96012
>>> scontext=root:system_r:httpd_t
>>> tcontext=system_u:object_r:bin_t tclass=lnk_file
>>>
>>>Any idea how to help a poor desperate?
>>>j3d.
>>>
>>Update your policy file, via yum update.
>>
>done... and now I get
>
>audit(1103229440.677.0): avc: denied { unlink } for pid=2671
> exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037
> scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t
> tclass=file
>
>j3d.
>
ugh,

Where is this mutex file being created? In the log dir? The problem
with this is it allows a hacker to unlink all the log files, if I allow
this rule.

From francoisdufour at hotmail.com Fri Dec 17 06:37:44 2004
From: francoisdufour at hotmail.com (FRANCOIS Dufour)
Date: Fri, 17 Dec 2004 06:37:44 +0000
Subject: sql table under fedora core3
In-Reply-To: <20041216032434.59156.qmail@web50501.mail.yahoo.com>
Message-ID:

Thanks Kev for your answer... I'm sorry that you can't answer my
question regarding MySQL. It runs pretty well, one click away.

My question was: if bundled with it, where do I put my table under
your SELinux assembly named Fedora? I just thought that you could tell
me where in that huge tree of yours I should put my table, or do I
have to simply reinstall it (SQL) in a different location, just
because the Red Hat Certified Engineer couldn't tell me where in their
assembly to copy my prebuilt SQL table.

thanks in advance
frank

or is it just a 40gig to format again?

francoisdufour at hotmail.com
administrateur
http://entre-nous.qc.tc
>From: Kevin McConnell
>Reply-To: "Fedora SELinux support list for users & developers."
>To: "Fedora SELinux support list for users & developers."
>Subject: Re: sql table under fedora core3
>Date: Wed, 15 Dec 2004 19:24:34 -0800 (PST)
>
>--- FRANCOIS Dufour wrote:
>
> > hi to all !
>
>Hello Francois,
>
> > I've got a JSP application running on Tomcat 4, already
> > installed with success
> > using the /local folder
> > I had a couple of problems setting it up but now it's ok
> > my question is I have my SQL table created under
> > Windows OS
> > how do I transfer it (copy it where) so my JSP
> > application can find its table
> > under Fedora Core 3
> > the web app only needs MySQL running with its table
> > loaded in
> > as far as I've read today it's a Python application that
> > controls MySQL
>
>First off, I would just like to remind you, that you
>are posting to the fedora selinux list, which none of
>the above mentioned applications have anything to do
>with. In the future, please direct your questions
>regarding mysql, to the mysql mailing list.
>
>That said, the best place for this documentation would
>be found here:
>http://dev.mysql.com/doc/mysql/en/mysqlimport.html
>
> > thanks in advance
> > friendly
>
>You're welcome.
>
>=====
>Kevin C. McConnell --RHCE # 805299480800193 since July 2, 1999-- Certified Engineer>
>Freedom in software, now freedom in life.
>http://www.freestateproject.org/

From jorton at redhat.com Fri Dec 17 09:55:36 2004
From: jorton at redhat.com (Joe Orton)
Date: Fri, 17 Dec 2004 09:55:36 +0000
Subject: SELinux... a never ending story!
In-Reply-To: <41C257A0.2000201@redhat.com>
References: <1103220079.6588.8.camel@gonzo.agamura.com> <41C1CFB9.1060405@redhat.com> <1103229882.6588.15.camel@gonzo.agamura.com> <41C257A0.2000201@redhat.com>
Message-ID: <20041217095536.GA15104@redhat.com>

On Thu, Dec 16, 2004 at 10:50:56PM -0500, Daniel J Walsh wrote:
> Giuseppe Greco wrote:
> >done... and now I get
> >
> >audit(1103229440.677.0): avc: denied { unlink } for pid=2671
> > exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037
> > scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t
> > tclass=file

Giuseppe, can you post your /etc/httpd/conf.d/ssl.conf? This shouldn't
happen in the default mod_ssl configuration.

> ugh,
>
> Where is this mutex file being created? In the log dir? The problem
> with this is it allows a hacker to unlink all the log files, if I
> allow this rule.

mod_ssl (and various other bits of httpd) can be configured to use
various types of semaphore: these will all be SysV semaphores in the
default configuration, but in non-default configurations, can be files
with fcntl locking. So the rule shouldn't be needed by default, I'm
confused why people are seeing this.

joe

From bagica at bitdefender.com Fri Dec 17 11:17:44 2004
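Joe's explanation above, as an added example (my own code, not from httpd, mod_ssl or anyone in this thread): a small checker that reads an ssl.conf fragment, finds the SSLMutex setting and the directories that receive log files, and reports when the mutex is file-backed with its lock file in a log directory, which is the combination behind the unlink denial on httpd_log_t that Dan did not want to allow. The sample fragment is copied from the ssl.conf Giuseppe posts later in the thread; the hardened variant switches it to SSLMutex default, which I am assuming is the stock FC3 value and which, per Joe, selects a SysV semaphore on Linux. Function names are my own.

```python
import posixpath
import re

# Constructed sample: the directives that matter, copied from the ssl.conf posted
# later in this thread. httpd resolves relative paths against ServerRoot, so
# logs/ssl_mutex and logs/ssl_error_log end up in the same directory.
POSTED_SSL_CONF = """\
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:logs/ssl_mutex
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
"""

# Constructed: the same fragment with the mutex moved off the filesystem.
# "default" is assumed to be the stock FC3 setting (a SysV semaphore on Linux);
# "sem" asks for a SysV semaphore explicitly.
HARDENED_SSL_CONF = POSTED_SSL_CONF.replace("SSLMutex file:logs/ssl_mutex", "SSLMutex default")

SSLMUTEX_RE = re.compile(r"^\s*SSLMutex\s+(\S+)", re.IGNORECASE)
LOG_RE = re.compile(r"^\s*(?:ErrorLog|TransferLog|CustomLog)\s+(\S+)", re.IGNORECASE)


def find_settings(conf_text):
    """Return (SSLMutex value or None, set of directories that receive log files)."""
    mutex, log_dirs = None, set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]          # ignore comments
        m = LOG_RE.match(line)
        if m:
            log_dirs.add(posixpath.dirname(m.group(1)))
        m = SSLMUTEX_RE.match(line)
        if m:
            mutex = m.group(1)               # last directive wins, as in httpd
    return mutex, log_dirs


def check_ssl_mutex(conf_text):
    """Return (severity, message) findings about the SSLMutex choice."""
    mutex, log_dirs = find_settings(conf_text)
    if mutex is None:
        return [("info", "no SSLMutex directive; mod_ssl's built-in default applies")]
    if not mutex.lower().startswith("file:"):
        return [("ok", "SSLMutex %s creates no lock file, so httpd never needs unlink on one" % mutex)]
    path = mutex[len("file:"):]
    findings = [("warn", "file-backed mutex %s: httpd creates and unlinks this file, "
                         "so policy would have to allow that" % path)]
    if posixpath.dirname(path) in log_dirs:
        # This is the denial from the thread: the lock file takes the log dir's
        # httpd_log_t label, and unlink on that type covers every log file too.
        findings.append(("warn", "lock file shares a log directory, so it carries the log label; "
                                 "allowing httpd_t unlink there would let a compromised httpd "
                                 "delete its own logs. Use SSLMutex default (or sem), or move "
                                 "the file out of the log directory."))
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_SSL_CONF), ("hardened", HARDENED_SSL_CONF)):
        for severity, message in check_ssl_mutex(conf):
            print("%-8s %-4s %s" % (name, severity, message))
```

Run against the posted fragment it reports two warnings; against the hardened one a single "ok". The point of checking the log directories rather than just the directive is the one Dan makes: the cost of the rule is not the mutex file but everything else that shares its label.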
From: bagica at bitdefender.com (Bogdan Agica)
Date: Fri, 17 Dec 2004 13:17:44 +0200
Subject: Problems with sudo
Message-ID: <1103282264.10336.85.camel@bagica.dsd.ro>

Hi everybody.

First of all, let me introduce myself. My name is Bogdan Agica and I'm
in the Linux team for the BitDefender Antivirus. I'm responsible for
the SELinux integration of BitDefender and I seem to have some issues
with dropping privileges.

The startup scripts rely on sudo in order to drop privileges in a
standard Linux system. I have written the test policy for the postfix
agent, which works fine if the programs are started as root (not via
the startup scripts); however the final policy is supposed to integrate
seamlessly with the product.

In the /etc/init.d script, the programs (5 of them) are started by
commands like:
# sudo -u bitdefender /opt/BitDefender/bin/bdcored start

I have looked at the files domains/program/sudo.te and
macros/program/sudo_macros.te. Unfortunately, the lack of documentation
for the sudo_domain() macro was a problem, so I have some questions:

1. What exactly does the sudo_domain() macro do?
2. Is this the tool that I need? (I have tried to integrate it with the
policy, but it resulted in errors)

I'm using FC3, and the following packages:
# rpm -qa | grep -i selinux
selinux-policy-strict-1.19.10-2
selinux-policy-targeted-sources-1.17.30-2.51
selinux-doc-1.14.1-1
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-2.51
selinux-policy-strict-sources-1.19.10-2

Of course, should anyone want to look at the beta policy that I've
written, I can provide it, and the software itself is available on the
company's ftp site.

TIA,
--
Bogdan Agica
BitDefender Internal Testing Engineer
-------------------------------------
SOFTWIN Data Security Division
-------------------------------------
email: bagica at bitdefender.com
phone: +(4021) 233 18 52; 233 07 80
fax: (+4021) 233.07.63
Bucharest, ROMANIA
http://www.bitdefender.com
http://www.softwin.ro
-------------------------------------
secure your every bit
-------------------------------------

From rhally at mindspring.com Fri Dec 17 12:35:24 2004
From: rhally at mindspring.com (Richard Hally)
Date: Fri, 17 Dec 2004 07:35:24 -0500
Subject: Problems with sudo
In-Reply-To: <1103282264.10336.85.camel@bagica.dsd.ro>
References: <1103282264.10336.85.camel@bagica.dsd.ro>
Message-ID: <41C2D28C.7040208@mindspring.com>

Bogdan Agica wrote:
>
>In the /etc/init.d script, the programs (5 of them) are started by
>commands like:
># sudo -u bitdefender /opt/BitDefender/bin/bdcored start
>
>I have looked at the files domains/program/sudo.te and
>macros/program/sudo_macros.te. Unfortunately, the lack of documentation
>for the sudo_domain() macro was a problem, so I have some questions:
>
>1. What exactly does the sudo_domain() macro do?
>2. Is this the tool that I need? (I have tried to integrate it with the
>policy, but it resulted in errors)
>
There is a program "runuser" in the coreutils package that was designed
and written to be used in place of "su" and possibly "sudo" in this
situation. See "man runuser" and postgresql for an example where it is
used.

HTH
Richard Hally

From giuseppe.greco at agamura.com Fri Dec 17 12:42:13 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco) Date: Fri, 17 Dec 2004 13:42:13 +0100 Subject: SELinux... a never ending story! In-Reply-To: <20041217095536.GA15104@redhat.com> References: <1103220079.6588.8.camel@gonzo.agamura.com> <41C1CFB9.1060405@redhat.com> <1103229882.6588.15.camel@gonzo.agamura.com> <41C257A0.2000201@redhat.com> <20041217095536.GA15104@redhat.com> Message-ID: <1103287333.4057.6.camel@gonzo.agamura.com> Joe, here's may ssl.conf... I hope this helps. j3d. On Fri, 2004-12-17 at 09:55 +0000, Joe Orton wrote: > On Thu, Dec 16, 2004 at 10:50:56PM -0500, Daniel J Walsh wrote: > > Giuseppe Greco wrote: > > >done... and now I get > > > > > >audit(1103229440.677.0): avc: denied { unlink } for pid=2671 > > > exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037 > > > scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t > > > tclass=file > > Giuseppe, can you post your /etc/httpd/conf.d/ssl.conf? This shouldn't > happen in the default mod_ssl configuration. > > > ugh, > > > > Where is this mutex file being created? In the log dir? The probem > > with this is it allows a hacker to unlink all the log files, if I > > allow this rule. > > mod_ssl (and various other bits of httpd) can be configured to use > various types of semaphore: these will all be SysV semaphores in the > default configuration, but in non-default configurations, can be files > with fcntl locking. So the rule shouldn't be needed by default, I'm > confused why people are seeing this. > > joe > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list -- ---------------------------------------- Giuseppe Greco ::agamura:: phone: +41 (0)91 604 67 65 mobile: +41 (0)79 602 99 27 email: giuseppe.greco at agamura.com web: www.agamura.com ---------------------------------------- -------------- next part -------------- # # This is the Apache server configuration file providing SSL support. 
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see
#
# For the moment, see for this info.
# The documents are still being prepared from material donated by the
# modssl project.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

LoadModule ssl_module modules/mod_ssl.so

# Until documentation is completed, please check http://www.modssl.org/
# for additional config examples and module documentation. Directives
# and features of mod_ssl are largely unchanged from the mod_ssl project
# for Apache 1.3.

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen 443

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache dbm:/var/cache/mod_ssl/scache(512000)
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:logs/ssl_mutex

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/usr/share/squirrelmail"
ServerName murphy.agamura.com:443
ServerAdmin webmaster at agamura.com

# Use separate log files:
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
#SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt

# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#

# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client.
# This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

From jorton at redhat.com Fri Dec 17 12:47:26 2004
From: jorton at redhat.com (Joe Orton)
Date: Fri, 17 Dec 2004 12:47:26 +0000
Subject: SELinux... a never ending story!
In-Reply-To: <1103287333.4057.6.camel@gonzo.agamura.com>
References: <1103220079.6588.8.camel@gonzo.agamura.com> <41C1CFB9.1060405@redhat.com> <1103229882.6588.15.camel@gonzo.agamura.com> <41C257A0.2000201@redhat.com> <20041217095536.GA15104@redhat.com> <1103287333.4057.6.camel@gonzo.agamura.com>
Message-ID: <20041217124726.GA18104@redhat.com>

On Fri, Dec 17, 2004 at 01:42:13PM +0100, Giuseppe Greco wrote:
> Joe,
>
> here's my ssl.conf... I hope this helps.

Ah, you have upgraded from an early FC release. Changing "SSLMutex
file:logs/ssl_mutex" to "SSLMutex default" should make this error go away.

joe

From giuseppe.greco at agamura.com Fri Dec 17 12:59:14 2004
From: giuseppe.greco at agamura.com (Giuseppe Greco)
Date: Fri, 17 Dec 2004 13:59:14 +0100
Subject: SELinux... a never ending story!
In-Reply-To: <1103287333.4057.6.camel@gonzo.agamura.com>
References: <1103220079.6588.8.camel@gonzo.agamura.com> <41C1CFB9.1060405@redhat.com> <1103229882.6588.15.camel@gonzo.agamura.com> <41C257A0.2000201@redhat.com> <20041217095536.GA15104@redhat.com> <1103287333.4057.6.camel@gonzo.agamura.com>
Message-ID: <1103288354.4057.20.camel@gonzo.agamura.com>

Joe,

I've modified line 66 in ssl.conf like this:

  SSLMutex default (instead of SSLMutex file:logs/ssl_mutex)

Now I'm able to send emails via squirrelmail, but SELinux is
still complaining:

  audit(1103287307.997:0): avc: denied { search } for pid 7286
  exe=/bin/bash name=httpd dev=dm-0 ino=65076
  scontext=root:system_r:httpd_sys_script_t
  tcontext=system_u:object_r:httpd_config_t tclass=dir

I've installed squirrelmail via yum... and then added the
change-password plugin from its official web site. Of course,
to get the change-password plugin working, I had also to
compile and install poppassd (but I don't think this is the
problem).

j3d.

On Fri, 2004-12-17 at 13:42 +0100, Giuseppe Greco wrote:
> Joe,
>
> here's my ssl.conf... I hope this helps.
> j3d.
>
> On Fri, 2004-12-17 at 09:55 +0000, Joe Orton wrote:
> > On Thu, Dec 16, 2004 at 10:50:56PM -0500, Daniel J Walsh wrote:
> > > Giuseppe Greco wrote:
> > > > done... and now I get
> > > >
> > > > audit(1103229440.677.0): avc: denied { unlink } for pid=2671
> > > > exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037
> > > > scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t
> > > > tclass=file
> >
> > Giuseppe, can you post your /etc/httpd/conf.d/ssl.conf? This shouldn't
> > happen in the default mod_ssl configuration.
> >
> > > ugh,
> > >
> > > Where is this mutex file being created? In the log dir? The problem
> > > with this is it allows a hacker to unlink all the log files, if I
> > > allow this rule.
> >
> > mod_ssl (and various other bits of httpd) can be configured to use
> > various types of semaphore: these will all be SysV semaphores in the
> > default configuration, but in non-default configurations, can be files
> > with fcntl locking. So the rule shouldn't be needed by default, I'm
> > confused why people are seeing this.
> >
> > joe
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

-- 
----------------------------------------
Giuseppe Greco
::agamura::
phone: +41 (0)91 604 67 65
mobile: +41 (0)79 602 99 27
email: giuseppe.greco at agamura.com
web: www.agamura.com
----------------------------------------

From troels at arvin.dk Fri Dec 17 14:14:52 2004
From: troels at arvin.dk (Troels Arvin)
Date: Fri, 17 Dec 2004 15:14:52 +0100
Subject: FC3 PostgreSQL update
Message-ID:

Hello,

I installed the updated PostgreSQL for FC3 today. Before the update, there
were no problems, but now - when I try to start PostgreSQL - it fails, and
I get the following line in my /var/log/messages:

kernel: audit(1103292268.189:0): avc: denied { search } for pid=13607
exe=/usr/bin/postgres name=mnt dev=hda5 ino=179521
scontext=root:system_r:postgresql_t tcontext=system_u:object_r:mnt_t
tclass=dir

Due to a disk-space problem, my /var/lib/pgsql is a symlink to
/mnt/hda1/pgsql

My /mnt/hda1 is unlabeled, and I guess this should be changed, but to
what? - Should my /mnt/hda1 be labeled system_u:object_r:root_t?

How come a PostgreSQL update breaks what used to work?

-- 
Greetings from Troels Arvin, Copenhagen, Denmark

From cra at WPI.EDU Fri Dec 17 14:44:44 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Fri, 17 Dec 2004 09:44:44 -0500
Subject: FC3 PostgreSQL update
In-Reply-To:
References:
Message-ID: <20041217144444.GC24911@angus.ind.WPI.EDU>

On Fri, Dec 17, 2004 at 03:14:52PM +0100, Troels Arvin wrote:
> Due to a disk-space problem, my /var/lib/pgsql is a symlink to
> /mnt/hda1/pgsql

Can you mount hda1 directly on /var/lib/pgsql instead of using a symlink?

From wolfy at zig-zag.net Fri Dec 17 14:29:54 2004
From: wolfy at zig-zag.net (lonely wolf)
Date: Fri, 17 Dec 2004 16:29:54 +0200
Subject: sql table under fedora core3
In-Reply-To:
References:
Message-ID: <41C2ED62.2050700@zig-zag.net>

FRANCOIS Dufour wrote:
> thanks kev for your answer ...
> I'm sorry that you can't answer my question
> regarding mysql; it runs pretty well, one click away.
> My question was, if bundled with it, where do I put my table under
> your SE Linux assembly named Fedora? Just thought that you could tell
> me where in that huge tree of yours I should put my table,
> or do I have to simply reinstall it (sql) in a different location,
> just because the Red Hat Certified Engineer couldn't tell me where in
> their assembly
> to copy my prebuilt sql table
>
> thanks in advance
> frank

Francois, your question should go to the fedora-list list, not to
fedora-selinux.

From troels at arvin.dk Fri Dec 17 14:55:55 2004
From: troels at arvin.dk (Troels Arvin)
Date: Fri, 17 Dec 2004 15:55:55 +0100
Subject: FC3 PostgreSQL update
References: <20041217144444.GC24911@angus.ind.WPI.EDU>
Message-ID:

On Fri, 17 Dec 2004 09:44:44 -0500, Charles R. Anderson wrote:
>> Due to a disk-space problem, my /var/lib/pgsql is a symlink to
>> /mnt/hda1/pgsql
>
> Can you mount hda1 directly on /var/lib/pgsql instead of using a
> symlink?

No, my /mnt/hda1 holds other directories which aren't PostgreSQL related.

-- 
Greetings from Troels Arvin, Copenhagen, Denmark

From selinux at gmail.com Fri Dec 17 16:32:36 2004
From: selinux at gmail.com (Tom London)
Date: Fri, 17 Dec 2004 08:32:36 -0800
Subject: Problem installing kernel-2.6.9-1.1037_FC4, mkinitrd, ...
Message-ID: <4c4ba15304121708324f2339dd@mail.gmail.com>

Running strict/enforcing, latest Rawhide.

installing today's kernel reports:

Installing: kernel 100 % done 1/1
/bin/bash: /root/.bashrc: Permission denied
ln: creating symbolic link `/tmp/initrd.L17712/sbin' to `bin': Permission denied
ln: creating symbolic link `/tmp/initrd.L17712/sbin/modprobe' to `/sbin/nash': No such file or directory
cp: cannot create regular file `/tmp/initrd.L17712/sbin/udev': No such file or directory
ln: creating symbolic link `/tmp/initrd.L17712/sbin/udevstart' to `udev': No such file or directory
ln: creating symbolic link `/tmp/initrd.L17712/sbin/hotplug' to `/sbin/nash': No such file or directory

with the following AVC;

Dec 17 08:25:06 fedora kernel: audit(1103300706.529:0): avc: denied { create } for pid=17723 exe=/bin/ln name=sbin scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:bootloader_tmp_t tclass=lnk_file

This patch seems to fix it.....

tom

--- bootloader.te.old 2004-12-17 08:31:33.195853461 -0800 +++ bootloader.te 2004-12-17 08:27:51.453938491 -0800 @@ -29,7 +29,7 @@ allow bootloader_t { initrc_t privfd }:fd use; tmp_domain(bootloader, `, device_type') -allow bootloader_t bootloader_tmp_t:devfile_class_set create_file_perms; +allow bootloader_t bootloader_tmp_t:{ devfile_class_set lnk_file } create_file_perms; read_locale(bootloader_t)

-- 
Tom London

From bagica at bitdefender.com Fri Dec 17 16:48:02 2004
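Review bot: the only denial shown is `{ create }` on `bootloader_tmp_t:lnk_file`, so `+allow bootloader_t bootloader_tmp_t:{ devfile_class_set lnk_file } create_file_perms;` grants more than the evidence asks for (create_file_perms also carries write, unlink, rename and setattr); that is tolerable because the target is the bootloader's own tmp type, but the commit message should say so rather than "seems to fix it". Note that `devfile_class_set` is only `{ chr_file blk_file }`, so before this hunk the domain could create no symlink at all in its tmp dir, which matches the `ln ... Permission denied` error; the following `cp: ... No such file or directory` lines are a consequence of the missing `sbin` link, not a separate `file` class denial, so no further class needs adding for them. The `/bin/bash: /root/.bashrc: Permission denied` message is not addressed by this hunk and has no AVC attached, so it is either dontaudited or not an SELinux denial and deserves a separate look.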
From: bagica at bitdefender.com (Bogdan Agica)
Date: Fri, 17 Dec 2004 18:48:02 +0200
Subject: Problems with sudo
In-Reply-To: <41C2D28C.7040208@mindspring.com>
References: <1103282264.10336.85.camel@bagica.dsd.ro> <41C2D28C.7040208@mindspring.com>
Message-ID: <1103302082.10336.132.camel@bagica.dsd.ro>

On Fri, 2004-12-17 at 07:35 -0500, Richard Hally wrote:
> There is a program "runuser" in the coreutils package that was designed
> and written to be used in place of "su" and possibly "sudo" in this
> situation. See "man runuser" and postgresql for an example where it is used.

Thanks for the answer. runuser seems to be working ok, and we're probably
going to replace sudo in the forthcoming install scripts. (Actually, from
what I've learnt, it's just su without correct_password() )

When do you think runuser goes mainstream? Because, as far as I have
checked, it's only in FC3 with selinux (not in Debian, and not in Gentoo).

Thanks again for the prompt answer,

-- 
Bogdan Agica
BitDefender Internal Testing Engineer
-------------------------------------
SOFTWIN Data Security Division
-------------------------------------
email: bagica at bitdefender.com
phone: +(4021) 233 18 52; 233 07 80
fax: (+4021) 233.07.63
Bucharest, ROMANIA
http://www.bitdefender.com
http://www.softwin.ro
-------------------------------------
secure your every bit
-------------------------------------

From dwalsh at redhat.com Fri Dec 17 17:48:00 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 17 Dec 2004 12:48:00 -0500
Subject: FC3 PostgreSQL update
In-Reply-To: <20041217144444.GC24911@angus.ind.WPI.EDU>
References: <20041217144444.GC24911@angus.ind.WPI.EDU>
Message-ID: <41C31BD0.7060709@redhat.com>

Charles R. Anderson wrote:

>On Fri, Dec 17, 2004 at 03:14:52PM +0100, Troels Arvin wrote:
>
>>Due to a disk-space problem, my /var/lib/pgsql is a symlink to
>>/mnt/hda1/pgsql
>>
>
>Can you mount hda1 directly on /var/lib/pgsql instead of using a
>symlink?
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

Or mount -o bind it?

From dwalsh at redhat.com Fri Dec 17 21:47:34 2004
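Before adding a rule for denials like the ones in the two threads above (httpd unlinking ssl_mutex under httpd_log_t, httpd_sys_script_t searching httpd_config_t, postgresql_t searching mnt_t, bootloader_t creating a symlink in its tmp dir), it helps to see each denial reduced to the rule it would take, and to flag the ones that deserve a config or mount fix instead. The following is an added example, not code from anyone on the list and not audit2allow; it parses the AVC lines quoted in this digest (plus one constructed self-denial on a made-up example_t domain) and renders FC3-era allow/dontaudit rules. Nothing it prints should be pasted into policy unreviewed: the httpd_log_t unlink is flagged precisely because, as Dan Walsh noted, allowing it would let httpd remove its own logs, and the right fix there was "SSLMutex default".

```python
"""Summarise SELinux AVC denials as the policy rules they would need.

Added example for this thread, not audit2allow and not code posted by
anyone on the list.  Output uses the FC3-era monolithic policy syntax:
    allow SOURCE TARGET:CLASS { perms };
    dontaudit SOURCE TARGET:CLASS { perms };
"""
import re
from collections import defaultdict

# Matches the kernel's "avc: denied { perm ... } for key=value ..." records.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Permissions that let a domain tamper with an existing object; on a *_log_t
# target they are exactly the concern raised about the ssl_mutex unlink.
TAMPER_PERMS = {"unlink", "rename", "write", "setattr", "append"}


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC record.

    Fields without '=' (the 'pid 7286' form seen in one message) are simply
    skipped; only perms, scontext, tcontext and tclass are required.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "exe": fields.get("exe"),
        "name": fields.get("name"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def type_of(context):
    """user:role:type[:mls] -> type, the part policy rules are written on."""
    return context.split(":")[2]


def summarize(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)


def flag_log_tampering(summary):
    """Keys whose rule would let a domain modify or remove log files."""
    return sorted(
        key for key, perms in summary.items()
        if key[1].endswith("_log_t") and perms & TAMPER_PERMS
    )


def to_rules(summary, dontaudit=()):
    """Render candidate rules, sorted for stable output.

    dontaudit: keys (stype, ttype, tclass) whose denials are harmless noise
    and should be silenced rather than allowed.  A target type equal to the
    source type is written as 'self'.
    """
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        verb = "dontaudit" if (stype, ttype, tclass) in dontaudit else "allow"
        target = "self" if ttype == stype else ttype
        rules.append(f"{verb} {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


# Four lines copied from messages in this digest, one constructed
# self-denial (example_t is a made-up domain) and one non-AVC syslog line.
SAMPLE_LOG = [
    "audit(1103229440.677.0): avc: denied { unlink } for pid=2671 exe=/usr/sbin/httpd "
    "name=ssl_mutex.2670 dev=dm-6 ino=192037 scontext=root:system_r:httpd_t "
    "tcontext=root:object_r:httpd_log_t tclass=file",
    "audit(1103287307.997:0): avc: denied { search } for pid 7286 exe=/bin/bash "
    "name=httpd dev=dm-0 ino=65076 scontext=root:system_r:httpd_sys_script_t "
    "tcontext=system_u:object_r:httpd_config_t tclass=dir",
    "kernel: audit(1103292268.189:0): avc: denied { search } for pid=13607 "
    "exe=/usr/bin/postgres name=mnt dev=hda5 ino=179521 "
    "scontext=root:system_r:postgresql_t tcontext=system_u:object_r:mnt_t tclass=dir",
    "Dec 17 08:25:06 fedora kernel: audit(1103300706.529:0): avc: denied { create } "
    "for pid=17723 exe=/bin/ln name=sbin scontext=root:sysadm_r:bootloader_t "
    "tcontext=root:object_r:bootloader_tmp_t tclass=lnk_file",
    "audit(1103300000.000:0): avc: denied { listen accept } for pid=4242 "
    "exe=/usr/sbin/example scontext=system_u:system_r:example_t "
    "tcontext=system_u:system_r:example_t tclass=tcp_socket",
    "Dec 17 08:25:07 fedora kernel: eth0: link up",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for rule in to_rules(summary, dontaudit={("httpd_sys_script_t", "httpd_config_t", "dir")}):
        print(rule)
    for key in flag_log_tampering(summary):
        print("# review before allowing (log tampering):", key)
```

Feed it `grep avc: /var/log/messages` in practice. The dontaudit set is the knob for the case Dan Walsh describes below for the httpd_config_t search: a denial that does no harm and should stop filling the log, as opposed to one the domain really needs.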
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 17 Dec 2004 16:47:34 -0500
Subject: SELinux... a never ending story!
In-Reply-To: <1103288354.4057.20.camel@gonzo.agamura.com>
References: <1103220079.6588.8.camel@gonzo.agamura.com> <41C1CFB9.1060405@redhat.com> <1103229882.6588.15.camel@gonzo.agamura.com> <41C257A0.2000201@redhat.com> <20041217095536.GA15104@redhat.com> <1103287333.4057.6.camel@gonzo.agamura.com> <1103288354.4057.20.camel@gonzo.agamura.com>
Message-ID: <41C353F6.9030709@redhat.com>

Giuseppe Greco wrote:

>Joe,
>
>I've modified line 66 in ssl.conf like this:
>
>  SSLMutex default (instead of SSLMutex file:logs/ssl_mutex)
>
>Now I'm able to send emails via squirrelmail, but SELinux is
>still complaining:
>
>  audit(1103287307.997:0): avc: denied { search } for pid 7286
>  exe=/bin/bash name=httpd dev=dm-0 ino=65076
>  scontext=root:system_r:httpd_sys_script_t
>  tcontext=system_u:object_r:httpd_config_t tclass=dir
>

Ok, we can probably dontaudit this.

>I've installed squirrelmail via yum... and then added the
>change-password plugin from its official web site. Of course,
>to get the change-password plugin working, I had also to
>compile and install poppassd (but I don't think this is the
>problem).
>
>j3d.
>
>On Fri, 2004-12-17 at 13:42 +0100, Giuseppe Greco wrote:
>
>>Joe,
>>
>>here's my ssl.conf... I hope this helps.
>>j3d.
>>
>>On Fri, 2004-12-17 at 09:55 +0000, Joe Orton wrote:
>>
>>>On Thu, Dec 16, 2004 at 10:50:56PM -0500, Daniel J Walsh wrote:
>>>
>>>>Giuseppe Greco wrote:
>>>>
>>>>>done... and now I get
>>>>>
>>>>>audit(1103229440.677.0): avc: denied { unlink } for pid=2671
>>>>>exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037
>>>>>scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t
>>>>>tclass=fi
>>>>>
>>>Giuseppe, can you post your /etc/httpd/conf.d/ssl.conf? This shouldn't
>>>happen in the default mod_ssl configuration.
>>>
>>>>ugh,
>>>>
>>>>Where is this mutex file being created? In the log dir? The problem
>>>>with this is it allows a hacker to unlink all the log files, if I
>>>>allow this rule.
>>>>
>>>mod_ssl (and various other bits of httpd) can be configured to use
>>>various types of semaphore: these will all be SysV semaphores in the
>>>default configuration, but in non-default configurations, can be files
>>>with fcntl locking. So the rule shouldn't be needed by default, I'm
>>>confused why people are seeing this.
>>>
>>>joe
>>>
>>>--
>>>fedora-selinux-list mailing list
>>>fedora-selinux-list at redhat.com
>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>--
>>fedora-selinux-list mailing list
>>fedora-selinux-list at redhat.com
>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>

From phmo at spray.se Fri Dec 17 23:26:05 2004
From: phmo at spray.se (Moller)
Date: Sat, 18 Dec 2004 00:26:05 +0100
Subject: Loadlin
Message-ID: <20041217232802.6F43AAD702@lmcodec01.st1.spray.net>

Hello!

I want to dualboot FedoraCore3 with Win 98.
How do I do it ?

Philip

From jp_espino at hotmail.com Fri Dec 17 23:42:04 2004
From: jp_espino at hotmail.com (Juan Espino)
Date: Fri, 17 Dec 2004 23:42:04 +0000
Subject: SELinux on RH3
Message-ID:

From walters at redhat.com Fri Dec 17 23:55:47 2004
From: walters at redhat.com (Colin Walters)
Date: Fri, 17 Dec 2004 18:55:47 -0500
Subject: SELinux on RH3
In-Reply-To:
References:
Message-ID: <1103327747.12552.158.camel@nexus.verbum.private>

On Fri, 2004-12-17 at 23:42 +0000, Juan Espino wrote:
> Hello everybody,
>
> I'm new in the SELinux world and I want to know if I can install SELinux
> on Red Hat Enterprise 3. Actually I'm using White Box Enterprise and
> I'm really interested if I can run SELinux with this linux
> distribution or if you think maybe change to another distro like
> fedora. I really appreciate your recommendation, thanks.

It would be a lot of work. My suggestion is to just wait for RHEL4. You
can test with Fedora Core 3 in the meantime.

From phmo at spray.se Fri Dec 17 23:56:53 2004
From: phmo at spray.se (Moller)
Date: Sat, 18 Dec 2004 00:56:53 +0100
Subject: Loadlin.
Message-ID: <20041217235850.EB266AB202@lmcodec03.st1.spray.net>

Hello!

I want to dualboot FedoraCore3 with Win 98.
How do I do it ?
Here is a sample of my bootmessage that I get when I boot with loadlin:
..
NET: Registered protocol family 17
md: Autodetecting RAID arrays.
md: autorun ...
md: ...autorun DONE.
EXT2-f2 warning (device hda3):ext2_fill_super: mounting ext3 filesystem as ext2
VFS: Mounted root (ext2 filesystem) readonly
Freeing unused kernel memory: 144k freed
Warning: unable to open an initial console.
SELinux: Disabled at runtime.
SELinux: Unregistering netfilter hooks

From barryyupuilee at sbcglobal.net Sat Dec 18 01:09:29 2004
From: barryyupuilee at sbcglobal.net (Barry Yu)
Date: Fri, 17 Dec 2004 17:09:29 -0800
Subject: Loadlin.
In-Reply-To: <20041217235850.EB266AB202@lmcodec03.st1.spray.net>
References: <20041217235850.EB266AB202@lmcodec03.st1.spray.net>
Message-ID: <41C38349.5020803@sbcglobal.net>

Moller wrote:

>Hello!
>
>I want to dualboot FedoraCore3 with Win 98.
>How do I do it ?
>Here is a sample of my bootmessage that I get when I boot with loadlin:
> ..
>NET: Registered protocol family 17
>md: Autodetecting RAID arrays.
>md: autorun ...
>md: ...autorun DONE.
>EXT2-f2 warning (device hda3):ext2_fill_super: mounting ext3 filesystem as ext2
>VFS: Mounted root (ext2 filesystem) readonly
>Freeing unused kernel memory: 144k freed
>Warning: unable to open an initial console.
>SELinux: Disabled at runtime.
>SELinux: Unregistering netfilter hooks
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

Install w98 first in a f32 partition, and then secondly install the fc3;
the fc3 will auto detect the existing w98. During installation of fc3, at
configuration of the boot loader, just take whatever the default setting;
when finished, the grub will be the boot up manual for you to select which
O/S you want to boot up with (w98 or fc3). Hope I understood your post
correctly.

From alex at darkhonor.com Sat Dec 18 05:04:45 2004
From: alex at darkhonor.com (Alex Ackerman)
Date: Sat, 18 Dec 2004 00:04:45 -0500
Subject: SELinux on RH3
Message-ID:

> bounces at redhat.com] On Behalf Of Colin Walters
> Sent: Friday, December 17, 2004 6:56 PM
> To: fedora-selinux-list at redhat.com
> Subject: Re: SELinux on RH3
>
> On Fri, 2004-12-17 at 23:42 +0000, Juan Espino wrote:
> > Hello everybody,
> >
> > I'm new in the SELinux world and I want to know if I can install SELinux
> > on Red Hat Enterprise 3. Actually I'm using White Box Enterprise and
> > I'm really interested if I can run SELinux with this linux
> > distribution or if you think maybe change to another distro like
> > fedora. I really appreciate your recommendation, thanks.
>
> It would be a lot of work. My suggestion is to just wait for RHEL4. You
> can test with Fedora Core 3 in the meantime.

RHEL 4 Beta 2 is available for download and it uses SELinux. I've heard
(don't quote me) that RHEL 4 will go final Feb/Mar timeframe.

Alex Ackerman

From phmo at spray.se Sat Dec 18 20:07:33 2004
From: phmo at spray.se (Moller)
Date: Sat, 18 Dec 2004 21:07:33 +0100
Subject: Boot Fedora with Loadlin in Win98.
References: <20041217235850.EB266AB202@lmcodec03.st1.spray.net> <41C38349.5020803@sbcglobal.net>
Message-ID: <20041218200929.88D66AB202@lmcodec03.st1.spray.net>

Hi !

Thanks for the answer Barry Yu, but it's my fault that I didn't specify
more clearly what I meant.

I am not using Grub or Lilo as a bootloader because I don't want to mess
up my MBR in Windows98; I like to have win98 as first boot.
I want to use Loadlin to load the Fedora kernel into memory from Win98-DOS.
I have done what I am supposed to do, according to the Loadlin+Win95/98ME
mini-HOWTO (http://www.eskimo.com/~praxis/)
But it doesn't work properly when I boot Fedora from Win98-DOS.
Here is a sample of my bootmessage that I get when I boot with loadlin
from win98 to Fedora:

NET: Registered protocol family 17
md: Autodetecting RAID arrays.
md: autorun ...
md: ...autorun DONE.
EXT2-fs: hda3: Couldn't mount because of unsupported optional features (4).
Kernel panic - not syncing : VFS: Unable to mount root fs on unknown-block (3,3).

Then the system goes into halt and I have to push my RESET button to
reboot my system back to win98.

So, what to do ? I need help .........

Is there anyone out there that starts FedoraCore3 with Loadlin in
Windows98, that can help me to configure my system properly ?

Thanks all.
Philip Moller
Malmo, Sweden

----- Original Message -----
From: "Barry Yu"
To: "Fedora SELinux support list for users &developers."
Sent: Saturday, December 18, 2004 2:09 AM
Subject: Re: Loadlin.

> Moller wrote:
>
> >Hello!
> >
> >I want to dualboot FedoraCore3 with Win 98.
> >How do I do it ?
> >Here is a sample of my bootmessage that I get when I boot with loadlin:
> >
> >NET: Registered protocol family 17
> >md: Autodetecting RAID arrays.
> >md: autorun ...
> >md: ...autorun DONE.
> >EXT2-f2 warning (device hda3):ext2_fill_super: mounting ext3 filesystem as ext2
> >VFS: Mounted root (ext2 filesystem) readonly
> >Freeing unused kernel memory: 144k freed
> >Warning: unable to open an initial console.
> >SELinux: Disabled at runtime.
> >SELinux: Unregistering netfilter hooks
>
> Barry Yu wrote:
> Install w98 first in a f32 partition, and then secondly install the fc3,
> the fc3 will auto detect the existing w98, during installation of fc3
> at configuration of boot loader, just take whatever the default
> setting, when finished, the grub will be the boot up manual for you to
> select which O/S you want to boot up with (w98 or fc3). Hope I
> understood your post correctly.

From rhally at mindspring.com Sun Dec 19 01:44:47 2004
From: rhally at mindspring.com (Richard Hally)
Date: Sat, 18 Dec 2004 20:44:47 -0500
Subject: Boot Fedora with Loadlin in Win98.
In-Reply-To: <20041218200929.88D66AB202@lmcodec03.st1.spray.net>
References: <20041217235850.EB266AB202@lmcodec03.st1.spray.net> <41C38349.5020803@sbcglobal.net> <20041218200929.88D66AB202@lmcodec03.st1.spray.net>
Message-ID: <41C4DD0F.10500@mindspring.com>

Moller wrote:

>Hi !
>
>Thanks for the answer Barry Yu, but it's my fault that I didn't specify more clearly what I meant.
>
>I am not using Grub or Lilo as a bootloader because I don't want to mess up my MBR in Windows98, i like to have win98 as first boot.
>I want to use Loadlin, to load the Fedorakernel into memory from Win98-DOS.
>I have done what I suppose to do, according to the Loadlin+Win95/98ME mini-HOWTO(http://www.eskimo.com/~praxis/)
>But it doesn't work properly when I Boot Fedora from Win98-DOS.
>Here is a sample of my bootmessage that I get when I boot with loadlin from win98 to Fedora :
>
>NET: Registered protocol family 17
>md: Autodetecting RAID arrays.
>md: autorun ...
>md: ...autorun DONE.
>EXT2-fs: hda3: Couldn't mount because of unsupported optional features (4).
>Kernel panic - not syncing : VFS: Unable to mount root fs on unknown-block (3,3).
>
>Then the system go into halt and I have to push my RESET-button to reboot my system back to win98.
>
>
>So, what to do ? I need help .........
>
>Is there anyone out there, that starts FedoraCore3 with Loadlin in Windows98, that can help me to configure my system properly ?
>
>Thanks all.
>Philip Moller
>Malmo, Sweden
>
>----- Original Message -----
>From: "Barry Yu"
>To: "Fedora SELinux support list for users &developers."
>Sent: Saturday, December 18, 2004 2:09 AM
>Subject: Re: Loadlin.
>
>>Moller wrote:
>>
>>>Hello!
>>>
>>>I want to dualboot FedoraCore3 with Win 98.
>>>How do I do it ?
>>>Here is a sample of my bootmessage that I get when I boot with loadlin:
>>>
>>>NET: Registered protocol family 17
>>>md: Autodetecting RAID arrays.
>>>md: autorun ...
>>>md: ...autorun DONE.
>>>EXT2-f2 warning (device hda3):ext2_fill_super: mounting ext3 filesystem as ext2
>>>VFS: Mounted root (ext2 filesystem) readonly
>>>Freeing unused kernel memory: 144k freed
>>>Warning: unable to open an initial console.
>>>SELinux: Disabled at runtime.
>>>SELinux: Unregistering netfilter hooks
>>>
>>Barry Yu wrote:
>>Install w98 first in a f32 partition, and then secondly install the fc3,
>>the fc3 will auto dectect the existing w98, during insatllation of fc3
>>at configuartion of boot loader, just take whatever the default
>>setting, when finished, the grub will be the boot up manual for you to
>>select which O/S you want to boot up with (w98 or fc3). Hope I
>>understood your post correctly.
>>
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

You are on the wrong list for these questions! The SE in this list name
is for Security Enhanced not Swedish!

Security Enhanced Linux: http://www.nsa.gov/selinux/
(Inte Svenska Linuxföreningen)

From jim-cornette at insight.rr.com Sun Dec 19 02:39:48 2004
From: jim-cornette at insight.rr.com (Jim Cornette)
Date: Sat, 18 Dec 2004 21:39:48 -0500
Subject: winbindd avc errors
Message-ID: <41C4E9F4.6020307@insight.rr.com>

I am trying to run some samba related programs and found that the
winbindd program causes some avc errors. I did a
touch /.autorelabel
and noticed that the errors were still present with this daemon. I did
not configure anything for this program. Attached are the avc errors for
today. I disabled the daemon and have no errors now.

Thanks,

Jim

From jvian10 at charter.net Sun Dec 19 06:32:43 2004
From: jvian10 at charter.net (Jeff Vian)
Date: Sun, 19 Dec 2004 00:32:43 -0600
Subject: Boot Fedora with Loadlin in Win98.
In-Reply-To: <20041218200929.88D66AB202@lmcodec03.st1.spray.net>
References: <20041217235850.EB266AB202@lmcodec03.st1.spray.net> <41C38349.5020803@sbcglobal.net> <20041218200929.88D66AB202@lmcodec03.st1.spray.net>
Message-ID: <1103437963.3748.24.camel@goliath.lab.net>

On Sat, 2004-12-18 at 21:07 +0100, Moller wrote:
> Hi !
>
> Thanks for the answer Barry Yu, but it's my fault that I didn't specify more clearly what I meant.
>
> I am not using Grub or Lilo as a bootloader because I don't want to mess up my MBR in Windows98, I like to have win98 as first boot.
> I want to use Loadlin, to load the Fedora kernel into memory from Win98-DOS.
> I have done what I am supposed to do, according to the Loadlin+Win95/98ME mini-HOWTO (http://www.eskimo.com/~praxis/)
> But it doesn't work properly when I boot Fedora from Win98-DOS.
> Here is a sample of my bootmessage that I get when I boot with loadlin from win98 to Fedora :
>
> NET: Registered protocol family 17
> md: Autodetecting RAID arrays.
> md: autorun ...
> md: ...autorun DONE.
> EXT2-fs: hda3: Couldn't mount because of unsupported optional features (4).
> Kernel panic - not syncing : VFS: Unable to mount root fs on unknown-block (3,3).
>
> Then the system goes into halt and I have to push my RESET button to reboot my system back to win98.
>
> So, what to do ? I need help .........
>
> Is there anyone out there that starts FedoraCore3 with Loadlin in Windows98, who can help me to configure my system properly ?
>
> Thanks all.
> Philip Moller
> Malmo, Sweden
>

It seems loadlin may not be compatible with either the ext3 filesystem or
with SELinux. Since FC3 has the filesystems labeled by SELinux, and
anything booting to that must be able to handle the differences, this may
be what you need to investigate.

It is extremely easy to use grub or lilo and dual boot without harming
your win98 system. I use that regularly and have never had a problem. If
you do, a simple boot with a floppy or win98 install CD and using
"fdisk /mbr" will always restore the MBR to that expected by a windows
install.

Using an older tool that very few people actually use is problematic.

From ody at inf.its-sby.edu Sun Dec 19 11:58:14 2004
From: ody at inf.its-sby.edu (joe)
Date: Sun, 19 Dec 2004 18:58:14 +0700 (WIT)
Subject: postgresql error with selinux enabled in FC2
Message-ID: <1025.202.155.107.156.1103457494.squirrel@202.155.84.178>

hi,
I use FC2 with selinux enabled, as root I can't do "/etc/init.d/postgresql start".
Any idea to run postgresql with selinux enabled ?
thx
--
---
joe

From kwade at redhat.com Sun Dec 19 13:42:20 2004
From: kwade at redhat.com (Karsten Wade)
Date: Sun, 19 Dec 2004 05:42:20 -0800
Subject: winbindd avc errors
In-Reply-To: <41C4E9F4.6020307@insight.rr.com>
References: <41C4E9F4.6020307@insight.rr.com>
Message-ID: <1103463740.5565.6.camel@erato.phig.org>

On Sat, 2004-12-18 at 21:39 -0500, Jim Cornette wrote:
> I am trying to run some samba related programs and found that the
> winbindd program causes some avc errors. I did a
> touch /.autorelabel
> and noticed that the errors were still present with this daemon. I did
> not configure anything for this program. Attached are the avc errors for
> today. I disabled the daemon and have no errors now.

Do you have the latest policy? winbind policy was added, and it appears
to allow all the denials you have below. I'm looking at 1.17.30-2.50.
I know there was no winbind in 2.43 (iirc).

- Karsten

> Thanks,
>
> Jim
> plain text document attachment (winbindd.errors)
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.233:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.234:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.235:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.236:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.236:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.237:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.290:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.290:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.291:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.356:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.357:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.357:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.358:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.359:0): avc: denied { create } for pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.455:0): avc: denied { create } for pid=2139 exe=/usr/sbin/winbindd name=netsamlogon_cache.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> Dec 18 14:16:54 cornette-fc3-lt kernel: audit(1103397414.324:0): avc: denied { create } for pid=2139 exe=/usr/sbin/winbindd name=winbindd_cache.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> Dec 18 14:16:54 cornette-fc3-lt kernel: audit(1103397414.324:0): avc: denied { create } for pid=2139 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:55 cornette-fc3-lt kernel: audit(1103397415.218:0): avc: denied { create } for pid=2139 exe=/usr/sbin/winbindd name=winbindd scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:var_run_t tclass=dir
> Dec 18 14:16:55 cornette-fc3-lt kernel: audit(1103397415.218:0): avc: denied { create } for pid=2139 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 14:16:55 cornette-fc3-lt kernel: audit(1103397415.218:0): avc: denied { create } for pid=2139 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:49:07 cornette-fc3-lt dbus: avc: 1 AV entries and 1/512 buckets used, longest chain length 1
> Dec 18 15:54:00 cornette-fc3-lt dbus: avc: 1 AV entries and 1/512 buckets used, longest chain length 1
> Dec 18 15:54:12 cornette-fc3-lt dbus: avc: 1 AV entries and 1/512 buckets used, longest chain length 1
> Dec 18 15:59:09 cornette-fc3-lt kernel: audit(1103403334.306:0): avc: granted { setenforce } for pid=212 exe=/bin/bash scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
> Dec 18 15:59:09 cornette-fc3-lt kernel: audit(1103403523.164:0): avc: granted { setenforce } for pid=212 exe=/bin/bash scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.176:0): avc: denied { create } for pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.177:0): avc: denied { create } for pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.178:0): avc: denied { create } for pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.179:0): avc: denied { create } for pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.179:0): avc: denied { create } for pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.218:0): avc: denied { create } for pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.218:0): avc: denied { create } for pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.219:0): avc: denied { create } for pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.299:0): avc: denied { create } for pid=2190 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.300:0): avc: denied { create } for pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.301:0): avc: denied { create } for pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.412:0): avc: denied { create } for pid=2191 exe=/usr/sbin/winbindd name=netsamlogon_cache.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> Dec 18 15:59:34 cornette-fc3-lt kernel: audit(1103403574.278:0): avc: denied { create } for pid=2191 exe=/usr/sbin/winbindd name=winbindd_cache.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> Dec 18 15:59:34 cornette-fc3-lt kernel: audit(1103403574.278:0): avc: denied { create } for pid=2191 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:35 cornette-fc3-lt kernel: audit(1103403575.585:0): avc: denied { create } for pid=2191 exe=/usr/sbin/winbindd name=winbindd scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:var_run_t tclass=dir
> Dec 18 15:59:35 cornette-fc3-lt kernel: audit(1103403575.585:0): avc: denied { create } for pid=2191 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 15:59:35 cornette-fc3-lt kernel: audit(1103403575.586:0): avc: denied { create } for pid=2191 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> Dec 18 16:11:18 cornette-fc3-lt dbus: avc: 1 AV entries and 1/512 buckets used, longest chain length 1
> Dec 18 16:13:54 cornette-fc3-lt dbus: avc: 0 AV entries and 0/512 buckets used, longest chain length 0
> Dec 18 16:31:46 cornette-fc3-lt dbus: avc: 1 AV entries and 1/512 buckets used, longest chain length 1

--
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From kwade at redhat.com Sun Dec 19 13:44:50 2004
From: kwade at redhat.com (Karsten Wade)
Date: Sun, 19 Dec 2004 05:44:50 -0800
Subject: postgresql error with selinux enabled in FC2
In-Reply-To: <1025.202.155.107.156.1103457494.squirrel@202.155.84.178>
References: <1025.202.155.107.156.1103457494.squirrel@202.155.84.178>
Message-ID: <1103463890.5565.10.camel@erato.phig.org>

On Sun, 2004-12-19 at 18:58 +0700, joe wrote:
> hi,
> I use FC2 with selinux enabled, as root I can't do "/etc/init.d/postgresql
> start".
> Any idea to run postgresql with selinux enabled ?

Other than upgrade to FC3? AIUI, the remaining problems with SELinux in
FC2 aren't very fixable, and the general recommendation is to upgrade.
The reason is the underlying infrastructure was reworked between FC2 and
FC3.

- Karsten

--
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From info at ecorak.de Sun Dec 19 14:17:40 2004
From: info at ecorak.de (Edy Corak)
Date: Sun, 19 Dec 2004 15:17:40 +0100
Subject: php script avc denied
Message-ID: <41C58D84.2000204@ecorak.de>

Hello,

after update to selinux-policy-targeted-1.17.30-2.51 I have a new error
when I try to send a mail from a php script.

audit(1103462618.203:0): avc: denied { execute } for pid=31581 exe=/usr/sbin/httpd name=bash dev=md0 ino=830748 scontext=root:system_r:httpd_t tcontext=system_u:object_r:shell_exec_t tclass=file

I tried fixfiles relabel and restorecon but still the same error.

System FC3, Postfix

How to fix this error?

Thank you for any help.

Edy
--
Edy Corak
E-Mail: info at ecorak.de
Internet: http://www.ecorak.net/
-----

From jim-cornette at insight.rr.com Sun Dec 19 19:36:20 2004
From: jim-cornette at insight.rr.com (Jim Cornette)
Date: Sun, 19 Dec 2004 14:36:20 -0500
Subject: winbindd avc errors
In-Reply-To: <1103463740.5565.6.camel@erato.phig.org>
References: <41C4E9F4.6020307@insight.rr.com> <1103463740.5565.6.camel@erato.phig.org>
Message-ID: <41C5D834.8010304@insight.rr.com>

Karsten Wade wrote:
> On Sat, 2004-12-18 at 21:39 -0500, Jim Cornette wrote:
>
>>I am trying to run some samba related programs and found that the
>>winbindd program causes some avc errors. I did a
>>touch /.autorelabel
>>and noticed that the errors were still present with this daemon. I did
>>not configure anything for this program. Attached are the avc errors for
>>today. I disabled the daemon and have no errors now.
>
> Do you have the latest policy? winbind policy was added, and it appears
> to allow all the denials you have below. I'm looking at 1.17.30-2.50.
> I know there was no winbind in 2.43 (iirc).

These errors are with selinux-policy-targeted-1.17.30-2.51 installed and
the system relabelled. I just started the daemon again and have similar
errors reported. I then setenforced 0 and started then stopped the
service. The startup succeeded and the shutdown service succeeded. When
in the enforcing mode, startup succeeded, but shutdown failed. Excerpt
from the log below.

Jim

Dec 19 14:29:33 cornette-fc3-lt winbindd[3292]: [2004/12/19 14:29:33, 0] lib/util_sock.c:create_pipe_sock(1079)
Dec 19 14:29:33 cornette-fc3-lt winbindd[3292]: bind failed on pipe socket /var/run/winbindd/pipe: Permission denied
Dec 19 14:29:33 cornette-fc3-lt kernel: audit(1103484573.789:0): avc: denied { create } for pid=3292 exe=/usr/sbin/winbindd name=pipe scontext=root:system_r:winbind_t tcontext=root:object_r:var_run_t tclass=sock_file
Dec 19 14:29:39 cornette-fc3-lt winbind: winbindd shutdown failed

> - Karsten

--
Anything worth doing is worth overdoing.

From selinux at gmail.com Sun Dec 19 19:51:23 2004
From: selinux at gmail.com (Tom London)
Date: Sun, 19 Dec 2004 11:51:23 -0800
Subject: multiple spec for '/var/run/dbus(/.*)?'
Message-ID: <4c4ba15304121911513bf14abc@mail.gmail.com>

Running strict/enforcing, latest Rawhide.

Seems to be duplicate specs for /var/run/dbus, one in distros.fc, the
other in dbusd.fc. Produces the following harmless warning:

WARNING: Multiple same specifications for /var/run/dbus(/.*)?.

tom
--
Tom London

From pza at pza.net.au Mon Dec 20 04:08:59 2004
From: pza at pza.net.au (Phil Anderson)
Date: Mon, 20 Dec 2004 15:08:59 +1100
Subject: sending mail with squirrelmail
Message-ID: <20041220040858.GC11163@harry.pza.net.au>

Is anyone else having problems sending mail with squirrelmail? This is
the only remaining problem I have before I'm switching my server to
enforcing mode. The attachment problem was fixed in the latest policy
update.

Unfortunately, squirrelmail fails to send the mail silently... it even
puts a copy in the Sent folder :(

Dec 20 15:00:48 harry kernel: audit(1103515248.224:0): avc: denied { read } for pid=12496 exe=/usr/sbin/sendmail.sendmail name=urandom dev=tmpfs ino=870 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

Any suggestions?

Phil

From yibble at yibble.org Mon Dec 20 09:02:56 2004
From: yibble at yibble.org (Nathan Lee Reynolds (yibble))
Date: Mon, 20 Dec 2004 09:02:56 +0000
Subject: sending mail with squirrelmail
In-Reply-To: <20041220040858.GC11163@harry.pza.net.au>
References: <20041220040858.GC11163@harry.pza.net.au>
Message-ID: <1103533376.32708.0.camel@wibble.yibble.org>

On Mon, 2004-12-20 at 15:08 +1100, Phil Anderson wrote:
> Is anyone else having problems sending mail with squirrelmail? This is
> the only remaining problem I have before I'm switching my server to
> enforcing mode. The attachment problem was fixed in the latest policy
> update.
--snip--

Same problem here, I have yet to find time to investigate :D

From maverickandrea at gmail.com Mon Dec 20 11:53:08 2004
From: maverickandrea at gmail.com (Cigliano Andrea)
Date: Mon, 20 Dec 2004 12:53:08 +0100
Subject: I have a problem with ATI Radeon 9000 Mobility in RH ES 3 installation. Can u help me?
Message-ID: <524c9b2a041220035376e23dc6@mail.gmail.com>

I have a problem with ATI Radeon 9000 Mobility in RH ES 3 installation.
Can u help me?

The RH ES 3 has not recognized the graphic card ATI Radeon 9000 Mobility
in my portable PC (ACER Travelmate). Can u help me?

From pza at pza.net.au Mon Dec 20 12:03:26 2004
From: pza at pza.net.au (Phil Anderson)
Date: Mon, 20 Dec 2004 23:03:26 +1100
Subject: sending mail with squirrelmail
In-Reply-To: <1103533376.32708.0.camel@wibble.yibble.org>
References: <20041220040858.GC11163@harry.pza.net.au> <1103533376.32708.0.camel@wibble.yibble.org>
Message-ID: <41C6BF8E.4040701@pza.net.au>

Nathan Lee Reynolds (yibble) wrote:
> On Mon, 2004-12-20 at 15:08 +1100, Phil Anderson wrote:
>> Is anyone else having problems sending mail with squirrelmail? This is
>> the only remaining problem I have before I'm switching my server to
>> enforcing mode. The attachment problem was fixed in the latest policy
>> update.
>
> Same problem here, I have yet to find time to investigate :D

I think this is a TLS problem - not a squirrelmail problem - take a look at the following. I think sendmail needs access to the random number generator? Or am I off track?

sendmail[4239]: iBJBWAxA004239: Authentication-Warning: xxxx.pza.net.au: apache set sender to xxxx at pza.net.au using -f
sendmail[4239]: iBJBWAxA004239: from=xxxx at pza.net.au, size=1042, class=0, nrcpts=1, msgid=<32 at www.pza.net.au>, relay=apache at localhost
sendmail[4239]: iBJBWAxA004239: STARTTLS=client, error: connect failed=-1, SSL_error=1, timedout=0, errno=0
sendmail[4239]: STARTTLS=client: 4239:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:503:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
sendmail[4239]: STARTTLS=client: 4239:error:05067003:Diffie-Hellman routines:DH_generate_key:BN lib:dh_key.c:153:
sendmail[4239]: STARTTLS=client: 4239:error:14098005:SSL routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:DH lib:s3_clnt.c:1655:
sendmail[4239]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
sendmail[4239]: iBJBWAxA004239: to=xxxx at xxxx, ctladdr=xxxx at pza.net.au (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31042, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
sendmail[4240]: STARTTLS=server, error: accept failed=0, SSL_error=5, timedout=0, errno=0
sendmail[4240]: iBJBWAHc004240: localhost.localdomain [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

kernel: audit(1103515248.224:0): avc: denied { read } for pid=12496 exe=/usr/sbin/sendmail.sendmail name=urandom dev=tmpfs ino=870 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

From yibble at yibble.org Mon Dec 20 12:32:03 2004
From: yibble at yibble.org (Nathan Lee Reynolds (yibble))
Date: Mon, 20 Dec 2004 12:32:03 +0000
Subject: sending mail with squirrelmail
In-Reply-To: <41C6BF8E.4040701@pza.net.au>
References: <20041220040858.GC11163@harry.pza.net.au> <1103533376.32708.0.camel@wibble.yibble.org> <41C6BF8E.4040701@pza.net.au>
Message-ID: <1103545923.1955.4.camel@wibble.yibble.org>

On Mon, 2004-12-20 at 23:03 +1100, Phil Anderson wrote:
--snip--
> I think this is a TLS problem - not a squirrelmail problem - take a look
> at the following. I think sendmail needs access to the random number
> generator? Or am I off track?
--snip--

I have a fairly default installation of SquirrelMail, and in /etc/squirrelmail/config.php, the default setting for TLS usage is:

$use_imap_tls = false;
$use_smtp_tls = false;

So that might not be the problem.

From yibble at yibble.org Mon Dec 20 12:37:19 2004
From: yibble at yibble.org (Nathan Lee Reynolds (yibble))
Date: Mon, 20 Dec 2004 12:37:19 +0000
Subject: sending mail with squirrelmail
In-Reply-To: <1103545923.1955.4.camel@wibble.yibble.org>
References: <20041220040858.GC11163@harry.pza.net.au> <1103533376.32708.0.camel@wibble.yibble.org> <41C6BF8E.4040701@pza.net.au> <1103545923.1955.4.camel@wibble.yibble.org>
Message-ID: <1103546239.1955.8.camel@wibble.yibble.org>

On Mon, 2004-12-20 at 12:32 +0000, Nathan Lee Reynolds (yibble) wrote:
> On Mon, 2004-12-20 at 23:03 +1100, Phil Anderson wrote:
> --snip--
> > I think this is a TLS problem - not a squirrelmail problem - take a look
> > at the following. I think sendmail needs access to the random number
> > generator? Or am I off track?
> --snip--
>
> I have a fairly default installation of SquirrelMail, and
> in /etc/squirrelmail/config.php, the default setting for TLS usage is:
>
> $use_imap_tls = false;
> $use_smtp_tls = false;
>
> So that might not be the problem.

Replying to my own post *tsk* These look very suspicious...

Dec 20 12:33:41 wibble kernel: audit(1103546021.943:0): avc: denied { read append } for pid=2931 exe=/bin/bash path=/var/lib/squirrelmail/prefs/nreynolds.abook dev=dm-0 ino=3046177 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_var_lib_t tclass=file

Dec 20 12:33:42 wibble kernel: audit(1103546022.264:0): avc: denied { search } for pid=2931 exe=/usr/sbin/sendmail.sendmail name=spool dev=dm-0 ino=2109446 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir

Dec 20 12:33:42 wibble kernel: audit(1103546022.264:0): avc: denied { create } for pid=2931 exe=/usr/sbin/sendmail.sendmail scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket

Unfortunately, I'm not au fait with SELinux, so it's off to do some reading for me.

--
"If you suspect someone you know of having nonconformist ideas. Denounce them immediately to a Thought Control Agent, He will know what to do. Do not become an accomplice to these agitators."

From pza at pza.net.au Mon Dec 20 12:39:47 2004
From: pza at pza.net.au (Phil Anderson)
Date: Mon, 20 Dec 2004 23:39:47 +1100
Subject: sending mail with squirrelmail
In-Reply-To: <1103545923.1955.4.camel@wibble.yibble.org>
References: <20041220040858.GC11163@harry.pza.net.au> <1103533376.32708.0.camel@wibble.yibble.org> <41C6BF8E.4040701@pza.net.au> <1103545923.1955.4.camel@wibble.yibble.org>
Message-ID: <41C6C813.1080104@pza.net.au>

Nathan Lee Reynolds (yibble) wrote:
> On Mon, 2004-12-20 at 23:03 +1100, Phil Anderson wrote:
> --snip--
>> I think this is a TLS problem - not a squirrelmail problem - take a look
>> at the following. I think sendmail needs access to the random number
>> generator? Or am I off track?
> --snip--
>
> I have a fairly default installation of SquirrelMail, and
> in /etc/squirrelmail/config.php, the default setting for TLS usage is:
>
> $use_imap_tls = false;
> $use_smtp_tls = false;

I also have use_smtp_tls=false in my config.php but looking at the logs, squirrelmail still starts TLS. Maybe a squirrelmail bug? Maybe the config variable is really force_smtp_tls?

Disabling TLS in my sendmail config fixed the problem for me. Do you get the same behaviour? Do you get the same lines in your /var/log/maillog suggesting a TLS problem?

From guhvies at gmail.com Mon Dec 20 13:19:09 2004
From: guhvies at gmail.com (ne...)
Date: Mon, 20 Dec 2004 08:19:09 -0500
Subject: I have a problem with ATI Radeon 9000 Mobility in RH ES 3 installation. Can u help me?
In-Reply-To: <524c9b2a041220035376e23dc6@mail.gmail.com>
References: <524c9b2a041220035376e23dc6@mail.gmail.com>
Message-ID:

On Mon, 20 Dec 2004 12:53:08 +0100, Cigliano Andrea wrote:
> I have a problem with ATI Radeon 9000 Mobility in RH ES 3
> installation. Can you help me?

Wrong list. Try the taroon list instead.

N.Emile...
--
Registered Linux User # 125653 (http://counter.li.org)
Certified: 75% bastard, 42% of which is tard.
http://www.thespark.com/bastardtest

From dwalsh at redhat.com Mon Dec 20 14:56:39 2004
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 20 Dec 2004 09:56:39 -0500 Subject: sending mail with squirrelmail In-Reply-To: <1103546239.1955.8.camel@wibble.yibble.org> References: <20041220040858.GC11163@harry.pza.net.au> <1103533376.32708.0.camel@wibble.yibble.org> <41C6BF8E.4040701@pza.net.au> <1103545923.1955.4.camel@wibble.yibble.org> <1103546239.1955.8.camel@wibble.yibble.org> Message-ID: <41C6E827.7030702@redhat.com> Nathan Lee Reynolds (yibble) wrote: >On Mon, 2004-12-20 at 12:32 +0000, Nathan Lee Reynolds (yibble) wrote: > > >>On Mon, 2004-12-20 at 23:03 +1100, Phil Anderson wrote: >>--snip-- >> >> >>>I think this is a TLS problem - not a squirrelmail problem - take a look >>>at the following. I think sendmail needs access the random number >>>generator? Or am I off track? >>> >>> >>--snip-- >> >>I have a fairly default installation of SquirrelMail, and >>in /etc/squirrelmail/config.php, the default setting for TLS usage is: >> >>$use_imap_tls = false; >>$use_smtp_tls = false; >> >>So that might not be the problem. >> >> > >Replying to my own post *tsk* These look very suspicious... 
>
> Dec 20 12:33:41 wibble kernel: audit(1103546021.943:0): avc: denied
> { read append } for pid=2931 exe=/bin/bash
> path=/var/lib/squirrelmail/prefs/nreynolds.abook dev=dm-0 ino=3046177
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:object_r:httpd_var_lib_t tclass=file

You should relabel /var/lib/squirrelmail

restorecon -R /var/lib/squirrelmail

> Dec 20 12:33:42 wibble kernel: audit(1103546022.264:0): avc: denied
> { search } for pid=2931 exe=/usr/sbin/sendmail.sendmail name=spool
> dev=dm-0 ino=2109446 scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_spool_t tclass=dir
>
> Dec 20 12:33:42 wibble kernel: audit(1103546022.264:0): avc: denied
> { create } for pid=2931 exe=/usr/sbin/sendmail.sendmail
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket

This is strange because sendmail.sendmail should be running under a different context, system_mail_t.

> Unfortunately, I'm not au fait with SELinux, so it's off to do some
> reading for me.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From Tom.Browder at fwb.srs.com Mon Dec 20 14:57:32 2004
From: Tom.Browder at fwb.srs.com (Browder, Tom)
Date: Mon, 20 Dec 2004 08:57:32 -0600
Subject: FC 3, permissive, strict: Error! Unable to set executable context.
Message-ID:

I just turned on SELinux on my FC 3 box at home (permissive, strict). No problems, and I'm building a large /var/log/messages file as we speak.

However, I did the same thing on a box at work and when I try to login as a normal user I get an error message on the gdm login screen that says:

Error! Unable to set executable context.

And it won't let me login. But I can still login as root OK.

What am I doing wrong?

Thanks.

Tom Browder

From dwalsh at redhat.com Mon Dec 20 14:59:58 2004
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 20 Dec 2004 09:59:58 -0500 Subject: sending mail with squirrelmail In-Reply-To: <41C6BF8E.4040701@pza.net.au> References: <20041220040858.GC11163@harry.pza.net.au> <1103533376.32708.0.camel@wibble.yibble.org> <41C6BF8E.4040701@pza.net.au> Message-ID: <41C6E8EE.2050104@redhat.com> Phil Anderson wrote: > Nathan Lee Reynolds (yibble) wrote: > >> On Mon, 2004-12-20 at 15:08 +1100, Phil Anderson wrote: >> >> >>> Is anyone else having problems sending mail with squirrelmail? This is >>> the only remaining problem I have before I'm switching my server to >>> enforcing mode. The attachment problem was fixed in the latest policy >>> update. >>> >> >> Same problem here, I have yet to find time to investigate :D >> >> > I think this is a TLS problem - not a squirrelmail problem - take a > look at the following. I think sendmail needs access the random > number generator? Or am I off track? > > sendmail[4239]: iBJBWAxA004239: Authentication-Warning: > xxxx.pza.net.au: apache set sender to xxxx at pza.net.au using -f > sendmail[4239]: iBJBWAxA004239: from=xxxx at pza.net.au, size=1042, > class=0, nrcpts=1, msgid=<32 at www.pza.net.au>, relay=apache at localhost > sendmail[4239]: iBJBWAxA004239: STARTTLS=client, error: connect > failed=-1, SSL_error=1, timedout=0, errno=0 > sendmail[4239]: STARTTLS=client: 4239:error:24064064:random number > generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:503:You need to > read the OpenSSL FAQ, http://www.openssl.org/support/faq.html > sendmail[4239]: STARTTLS=client: 4239:error:05067003:Diffie-Hellman > routines:DH_generate_key:BN lib:dh_key.c:153: > sendmail[4239]: STARTTLS=client: 4239:error:14098005:SSL > routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:DH lib:s3_clnt.c:1655: > sendmail[4239]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], > reject=403 4.7.0 TLS handshake. 
> sendmail[4239]: iBJBWAxA004239: to=xxxx at xxxx, ctladdr=xxxx at pza.net.au > (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31042, > relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS > handshake. > sendmail[4240]: STARTTLS=server, error: accept failed=0, SSL_error=5, > timedout=0, errno=0 > sendmail[4240]: iBJBWAHc004240: localhost.localdomain [127.0.0.1] did > not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > > kernel: audit(1103515248.224:0): avc: denied { > read } for pid=12496 exe=/usr/sbin/sendmail.sendmail name=urandom > dev=tmpfs ino=870 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:urandom_device_t tclass=chr_file > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list Adding rule to policy. From dwalsh at redhat.com Mon Dec 20 15:01:11 2004 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 20 Dec 2004 10:01:11 -0500 Subject: FC 3, permissive, strict: Error! Unable to set executable context. In-Reply-To: References: Message-ID: <41C6E937.5010607@redhat.com> Browder, Tom wrote: >I just turned on SELinux on my FC 3 box at home (permissive, strict). >No problems and I'm building large /var/log/message file as we speak. > >However, I did the same thing on a box at work and when I try to login >as a normal user I get an error messge on the gdm login screen that >says: > > Error! Unable to set executable context. > >And it won't let me login. But I can still login as root OK. > >What am I doing wrong? > > > You probably need to relabel. touch /.autorelabel and reboot. >Thanks. > >Tom Browder > >-- >fedora-selinux-list mailing list >fedora-selinux-list at redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > From Tom.Browder at fwb.srs.com Mon Dec 20 15:15:08 2004 
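Dan Walsh's replies above show the two ways an AVC denial gets resolved: a relabel (restorecon on /var/lib/squirrelmail, or a full /.autorelabel) when the object carries the wrong type, and a new allow rule ("Adding rule to policy") when the labels are right but the domain lacks the permission. The following parser is an added example, not code from this list, from Fedora or from audit2allow: it reads the kernel "avc: denied" lines posted in this thread (copied here as constructed sample input), extracts the fields, and makes a first-pass call. A denial whose target type is one of the "nobody labeled this" types (file_t, default_t, unlabeled_t; the set is the author's assumption) is reported as a relabel job, and every other denial is turned into the allow rule of the form audit2allow prints. The rule is only a starting point: the squirrelmail prefs denial above was also a mislabel even though httpd_var_lib_t is a real type, which a parser cannot know, so the output is advice to check, not a patch to apply.

```python
import re
from collections import OrderedDict

# Sample AVC messages copied from the thread above (constructed input for this example).
SAMPLE_LOG = """\
Dec 20 15:00:48 harry kernel: audit(1103515248.224:0): avc: denied { read } for pid=12496 exe=/usr/sbin/sendmail.sendmail name=urandom dev=tmpfs ino=870 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Dec 20 12:33:41 wibble kernel: audit(1103546021.943:0): avc: denied { read append } for pid=2931 exe=/bin/bash path=/var/lib/squirrelmail/prefs/nreynolds.abook dev=dm-0 ino=3046177 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_var_lib_t tclass=file
Dec 20 16:28:32 becks kernel: audit(1103560112.198:0): avc: denied { search } for pid=27331 exe=/usr/sbin/httpd name=/ dev=dm-1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Dec 20 12:33:42 wibble kernel: audit(1103546022.264:0): avc: denied { create } for pid=2931 exe=/usr/sbin/sendmail.sendmail scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Dec 20 12:33:42 wibble xinetd[2251]: service auth, accept: Permission denied (errno = 13)
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Types that mean the object never got a real label (assumption: a relabel, not a rule, fixes these).
UNLABELED_TYPES = {"file_t", "default_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict of fields for one 'avc: denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    if "scontext" not in rec or "tcontext" not in rec or "tclass" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type; only the type matters for the allow rule.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def allow_rule(rec):
    """The allow rule that would silence this denial, in the shape audit2allow prints."""
    target = "self" if rec["scontext"] == rec["tcontext"] else rec["ttype"]
    return "allow %s %s:%s { %s };" % (rec["stype"], target, rec["tclass"], " ".join(rec["perms"]))


def triage(rec):
    """Return ('relabel', advice) when the target has no real label, else ('policy', rule)."""
    if rec["ttype"] in UNLABELED_TYPES:
        where = rec.get("path") or rec.get("name", "?")
        advice = "target %s is %s on dev=%s: relabel that filesystem (restorecon/chcon) before touching policy" % (
            where, rec["ttype"], rec.get("dev", "?"))
        return "relabel", advice
    return "policy", allow_rule(rec) + "  # verify the object is labeled as intended first"


def triage_log(text):
    """Parse every AVC line in text, collapsing repeats of the same denial into one entry."""
    out = OrderedDict()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], tuple(rec["perms"]))
        kind, advice = triage(rec)
        entry = out.setdefault(key, {"kind": kind, "advice": advice, "count": 0, "exe": rec.get("exe", "?")})
        entry["count"] += 1
    return list(out.values())


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print("%-7s x%d %-32s %s" % (e["kind"], e["count"], e["exe"], e["advice"]))
```

Feed it `grep avc: /var/log/messages` on a machine running in permissive mode and the relabel entries tell you which filesystems were never labeled, while the policy entries are the candidate rules to review against the .te file for that domain.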
From: Tom.Browder at fwb.srs.com (Browder, Tom) Date: Mon, 20 Dec 2004 09:15:08 -0600 Subject: FC 3, permissive, strict: Error! Unable to set executable context. Message-ID: > -----Original Message----- > From: fedora-selinux-list-bounces at redhat.com > [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of > Daniel J Walsh > You probably need to relabel. > > touch /.autorelabel and reboot. Dan, my machine is grinding away relabeling. I assume that will take care of the problem. Is that something I will have to do regularly? Thanks. Tom Browder From dwalsh at redhat.com Mon Dec 20 15:20:14 2004 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 20 Dec 2004 10:20:14 -0500 Subject: FC 3, permissive, strict: Error! Unable to set executable context. In-Reply-To: References: Message-ID: <41C6EDAE.70308@redhat.com> Browder, Tom wrote: >>-----Original Message----- >>From: fedora-selinux-list-bounces at redhat.com >>[mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of >>Daniel J Walsh >>You probably need to relabel. >> >>touch /.autorelabel and reboot. >> >> > >Dan, my machine is grinding away relabeling. I assume that will take >care of the problem. > >Is that something I will have to do regularly? > > You shouldn't have to. :^( After finishing relabeling, clear your log file and then if you have a problems post the AVC messages or create a bugzilla. >Thanks. > >Tom Browder > >-- >fedora-selinux-list mailing list >fedora-selinux-list at redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > From selinux at gmail.com Mon Dec 20 15:38:24 2004 
From: selinux at gmail.com (Tom London)
Date: Mon, 20 Dec 2004 07:38:24 -0800
Subject: udev want to unlink/read/create '/dev/.udev.tdb/block@hda@hda1', etc
Message-ID: <4c4ba15304122007387b4335ca@mail.gmail.com>

Running strict/enforcing, latest Rawhide.

The latest udev seems to want to unlink, create, read a horde of device files on boot up, all under /dev/.udev.tdb/. This produces a horde of error messages on the boot console and many avcs. I attach a few here.

This started on Friday's installs, I believe. I noticed a bugzilla for udev describing a problem caused by /dev/.udev.tdb becoming a directory. Is a labeling/policy change also needed?

tom

Dec 18 10:48:06 fedora kernel: audit(1103366847.891:0): avc: denied { unlink } for pid=435 exe=/bin/rm name=block at ram3 dev=tmpfs ino=906 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=file
Dec 18 10:48:06 fedora kernel: audit(1103366847.891:0): avc: denied { unlink } for pid=435 exe=/bin/rm name=block at ram2 dev=tmpfs ino=904 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=file
Dec 18 10:48:06 fedora kernel: audit(1103366847.891:0): avc: denied { unlink } for pid=435 exe=/bin/rm name=block at ram15 dev=tmpfs ino=902 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=file
Dec 18 10:48:06 fedora kernel: audit(1103366847.891:0): avc: denied { unlink } for pid=435 exe=/bin/rm name=block at ram14 dev=tmpfs ino=900 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=file
Dec 18 10:48:13 fedora kernel: audit(1103366861.018:0): avc: denied { read } for pid=1064 exe=/sbin/udev name=class at tty@tty56 dev=tmpfs ino=710 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=file
Dec 18 10:48:13 fedora kernel: audit(1103366861.019:0): avc: denied { read } for pid=1064 exe=/sbin/udev name=class at tty@tty55 dev=tmpfs ino=707 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=file
Dec 18 10:48:13 fedora kernel: audit(1103366861.019:0): avc: denied { read } for pid=1064 exe=/sbin/udev name=class at tty@tty54 dev=tmpfs ino=704 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=file
Dec 18 10:48:13 fedora kernel: audit(1103366861.019:0): avc: denied { read } for pid=1064 exe=/sbin/udev name=class at tty@tty53 dev=tmpfs ino=701 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=file
Dec 18 10:48:13 fedora kernel: audit(1103366861.194:0): avc: denied { create } for pid=1069 exe=/sbin/udev name=class at sound@controlC0 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:sound_device_t tclass=file
Dec 18 10:48:13 fedora kernel: audit(1103366861.482:0): avc: denied { create } for pid=1064 exe=/sbin/udev name=block at fd0 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=file
Dec 18 10:48:13 fedora kernel: audit(1103366861.584:0): avc: denied { create } for pid=1070 exe=/sbin/udev name=class at sound@timer scontext=system_u:system_r:udev_t tcontext=system_u:object_r:sound_device_t tclass=file
Dec 18 10:48:13 fedora kernel: audit(1103366861.827:0): avc: denied { create } for pid=1071 exe=/sbin/udev name=class at sound@pcmC0D1c scontext=system_u:system_r:udev_t tcontext=system_u:object_r:sound_device_t tclass=file
Dec 18 10:48:13 fedora kernel: audit(1103366861.967:0): avc: denied { create } for pid=1072 exe=/sbin/udev name=class at sound@adsp scontext=system_u:system_r:udev_t tcontext=system_u:object_r:sound_device_t tclass=file

--
Tom London

From andy at strugglers.net Mon Dec 20 16:32:11 2004
From: andy at strugglers.net (Andy Smith)
Date: Mon, 20 Dec 2004 16:32:11 +0000
Subject: Why does this get denied?
Message-ID: <20041220163211.GF43390@caffreys.strugglers.net>

Hi,

Firstly apologies if what I'm about to ask is obvious, I'm kind of new to selinux and I'm trying to read the relevant docs but I don't understand something. If what I ask is covered in a document then I'd appreciate a pointer.

Okay so I just installed apache from RPM on fedora core 3 and when I try to start it I get the following:

# service httpd start
Starting httpd: Syntax error on line 266 of /etc/httpd/conf/httpd.conf:
DocumentRoot must be a directory

In /var/log/messages:

Dec 20 16:28:32 becks kernel: audit(1103560112.198:0): avc: denied { search } for pid=27331 exe=/usr/sbin/httpd name=/ dev=dm-1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir

I am using the targeted policy.

Now, the only thing I have changed is, instead of having my document root be /var/www/html I've put it in /data/www. I edited /etc/selinux/targeted/src/policy/file_contexts/program/apache.fc to reflect the fact that my content is in a different place and did do a restorecon to relabel things under /data.

What I don't understand is the reference to /. Why is selinux denying httpd searching /? This is a new install and selinux has been enabled from the start so / should be labelled correctly.

What am I missing?

Thanks,
Andy

From walters at redhat.com Mon Dec 20 16:37:30 2004
From: walters at redhat.com (Colin Walters)
Date: Mon, 20 Dec 2004 11:37:30 -0500
Subject: Why does this get denied?
In-Reply-To: <20041220163211.GF43390@caffreys.strugglers.net>
References: <20041220163211.GF43390@caffreys.strugglers.net>
Message-ID: <1103560650.3135.19.camel@nexus.verbum.private>

On Mon, 2004-12-20 at 16:32 +0000, Andy Smith wrote:
> Now, the only thing I have changed is, instead of having my document
> root be /var/www/html I've put it in /data/www. I edited
> /etc/selinux/targeted/src/policy/file_contexts/program/apache.fc to
> reflect the fact that my content is in a different place and did do
> a restorecon to relabel things under /data.

Did you do a 'make -C /etc/selinux/targeted/src/policy reload' ? Note that restorecon works on /etc/selinux/targeted/contexts/file_contexts which is generated from the .fc files.

Personally whenever I'm doing policy customizations like this, I generally don't touch the .fc files. I just use chcon to relabel things on the filesystem only.

> What I don't understand is the reference to /. Why is selinux
> denying httpd searching /?

Note that the path reference is relative; it looks to me like it's trying to read / from dm-1, which presumably is your /data partition, which has the default label of file_t.

Try this:

chcon -R -h -t httpd_sys_content_t /data

From walters at redhat.com Mon Dec 20 16:42:06 2004
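Colin's answer separates two things that are easy to run together: what the generated /etc/selinux/targeted/contexts/file_contexts says a path should be labeled, and what the inode on disk actually carries. A filesystem nobody has relabeled shows up as file_t whatever the .fc files say, which is why the denial names "/" on dm-1. The matcher below is an added example, not code from this list or from libselinux. It parses a constructed file_contexts fragment (the entries and type names are chosen for illustration, and the /var/run/dbus line is deliberately repeated to reproduce the "Multiple same specifications" warning Tom London reported), then resolves paths the way restorecon would, assuming the last-matching-entry-wins rule of the original matchpathcon and its literal-stem prefilter. Resolving /data shows that only the catch-all /.* entry covers the mount point itself, so a relabel would give the directory above the document root default_t, whereas Colin's chcon -R puts httpd_sys_content_t on the whole tree.

```python
import re

# Constructed file_contexts fragment for this example (not Fedora's real file).
# One entry per line: regex, optional object-type flag, security context.
SAMPLE_FILE_CONTEXTS = """\
# regex                       [type]  context
/.*                                   system_u:object_r:default_t
/var(/.*)?                            system_u:object_r:var_t
/var/www(/.*)?                        system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)?                system_u:object_r:httpd_sys_script_exec_t
/var/run/dbus(/.*)?                   system_u:object_r:system_dbusd_var_run_t
/var/run/dbus(/.*)?                   system_u:object_r:system_dbusd_var_run_t
/data/www(/.*)?                       system_u:object_r:httpd_sys_content_t
/proc(/.*)?                           <<none>>
"""

# Flags: -d directory, -- regular file, -c/-b/-l/-p/-s char, block, symlink, pipe, socket.
SPEC_RE = re.compile(r"^(\S+)(?:\s+(-[-bcdlps]))?\s+(\S+)$")
META = ".^$?*+|[("


def stem_of(regex):
    """Literal directory prefix of a regex: the text before the last '/' that precedes
    the first regex metacharacter. libselinux uses this as a cheap prefilter."""
    cut = len(regex)
    for i, ch in enumerate(regex):
        if ch in META:
            cut = i
            break
    return regex[:regex.rfind("/", 0, cut)] if "/" in regex[:cut] else ""


def parse_file_contexts(text):
    """Return (specs in file order, warnings). A repeated regex+type pair yields the same
    warning the policy build prints; '#' starts a comment (this toy splits on the first one)."""
    specs, seen, warnings = [], {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SPEC_RE.match(line)
        if m is None:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        regex, ftype, context = m.groups()
        if (regex, ftype) in seen:
            warnings.append("WARNING: Multiple same specifications for %s." % regex)
        seen[(regex, ftype)] = lineno
        specs.append({"regex": regex, "pattern": re.compile("^(?:%s)$" % regex),
                      "ftype": ftype, "context": context, "stem": stem_of(regex), "line": lineno})
    return specs, warnings


def matching_specs(specs, path, ftype=None):
    """Every spec that matches path, in file order, so shadowing between entries is visible."""
    hits = []
    for spec in specs:
        if not path.startswith(spec["stem"]):
            continue  # stem prefilter: the literal prefix must match before the regex runs
        if spec["ftype"] and ftype and spec["ftype"] != ftype:
            continue
        if spec["pattern"].match(path):
            hits.append(spec)
    return hits


def lookup(specs, path, ftype=None):
    """Context restorecon would apply: the last matching entry in file order wins (assumed
    here, the rule of the original matchpathcon). None means <<none>> or no entry at all."""
    hits = matching_specs(specs, path, ftype)
    if not hits:
        return None
    ctx = hits[-1]["context"]
    return None if ctx == "<<none>>" else ctx


def demo(paths=("/data", "/data/www/index.html", "/var/www/cgi-bin/test.cgi",
                "/var/run/dbus/system_bus_socket", "/proc/1/maps")):
    """Parse the sample file and resolve a few paths; returns the warnings and the labels."""
    specs, warnings = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    return {"warnings": warnings, "labels": {p: lookup(specs, p) for p in paths}}


if __name__ == "__main__":
    result = demo()
    for w in result["warnings"]:
        print(w)
    for p, ctx in result["labels"].items():
        print("%-35s %s" % (p, ctx))
```

The shadowing is the thing to watch when editing an .fc file: a new entry must come after any more general entry that also matches, or the general one keeps winning, and a regex without a literal stem (such as /.*) is tested against every path.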
From: walters at redhat.com (Colin Walters) Date: Mon, 20 Dec 2004 11:42:06 -0500 Subject: postgresql error with selinux enabled in FC2 In-Reply-To: <1103463890.5565.10.camel@erato.phig.org> References: <1025.202.155.107.156.1103457494.squirrel@202.155.84.178> <1103463890.5565.10.camel@erato.phig.org> Message-ID: <1103560926.3135.22.camel@nexus.verbum.private> On Sun, 2004-12-19 at 05:44 -0800, Karsten Wade wrote: > On Sun, 2004-12-19 at 18:58 +0700, joe wrote: > > hi, > > I use FC2 with selinux enabled, as root I can't do "/etc/init.d/postgresql > > start". > > Any idea to run postgresql with selinux enabled ? > > Other than upgrade to FC3? AIUI, the remaining problems with SELinux in > FC2 aren't very fixable, and the general recommendation is to upgrade. > The reason is the underlying infrastructure was reworked between FC2 and > FC3. In particular in FC2, postgresql has no policy. Also, its init scripts still use 'su'. Definitely the best option is to upgrade to FC3, as postgresql is now in the targeted policy with a number of fixes. From andy at strugglers.net Mon Dec 20 17:02:14 2004 
From: andy at strugglers.net (Andy Smith)
Date: Mon, 20 Dec 2004 17:02:14 +0000
Subject: Why does this get denied?
In-Reply-To: <1103560650.3135.19.camel@nexus.verbum.private>
References: <20041220163211.GF43390@caffreys.strugglers.net> <1103560650.3135.19.camel@nexus.verbum.private>
Message-ID: <20041220170213.GH43390@caffreys.strugglers.net>

On Mon, Dec 20, 2004 at 11:37:30AM -0500, Colin Walters wrote:
> On Mon, 2004-12-20 at 16:32 +0000, Andy Smith wrote:
>
> > Now, the only thing I have changed is, instead of having my document
> > root be /var/www/html I've put it in /data/www. I edited
> > /etc/selinux/targeted/src/policy/file_contexts/program/apache.fc to
> > reflect the fact that my content is in a different place and did do
> > a restorecon to relabel things under /data.
>
> Did you do a 'make -C /etc/selinux/targeted/src/policy reload' ? Note
> that restorecon works on /etc/selinux/targeted/contexts/file_contexts
> which is generated from the .fc files.

I did "make load", that would have been enough, right?

> > What I don't understand is the reference to /. Why is selinux
> > denying httpd searching /?
>
> Note that the path reference is relative; it looks to me like it's
> trying to read / from dm-1, which presumably is your /data partition,
> which has the default label of file_t.
>
> Try this:
>
> chcon -R -h -t httpd_sys_content_t /data

Ah! That makes a lot more sense now, thanks.

From dwalsh at redhat.com Mon Dec 20 20:09:39 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 20 Dec 2004 15:09:39 -0500
Subject: Fedora Targeted List grows on Rawhide.
Message-ID: <41C73183.5040209@redhat.com>

I have added several targets to Targeted Policy as of selinux-policy-targeted-1.19.14-2. I am attempting to add most of the network daemons to targeted.

In order to experiment with this new policy file, you will need to relabel. Or you can just relabel the target you are interested in. The best way to do this is install the policy and then execute

rpm -q -l TARGETRPM | restorecon -R -f -

Current targets

amanda.te
apache.te
cups.te
dhcpd.te
dictd.te
dovecot.te
fingerd.te
ftpd.te
howl.te
i18n_input.te
inetd.te
innd.te
kerberos.te
ktalkd.te
ldconfig.te
lpd.te
mailman.te
modutil.te
mta.te
mysqld.te
named.te
nscd.te
ntpd.te
portmap.te
postgresql.te
privoxy.te
radius.te
radvd.te
rpcd.te
rshd.te
rsync.te
samba.te
slapd.te
snmpd.te
spamd.te
squid.te
stunnel.te
syslogd.te
tftpd.te
winbind.te
ypbind.te
ypserv.te
zebra.te

This is not a commitment for this list in FC4, some could be pulled if they don't work well :*).

The goal of targeted policy is to protect all network daemons and to allow userspace to run with normal privs. You still need strict policy to confine userspace.

From walters at redhat.com Mon Dec 20 20:21:13 2004
From: walters at redhat.com (Colin Walters) Date: Mon, 20 Dec 2004 15:21:13 -0500 Subject: Why does this get denied? In-Reply-To: <20041220170213.GH43390@caffreys.strugglers.net> References: <20041220163211.GF43390@caffreys.strugglers.net> <1103560650.3135.19.camel@nexus.verbum.private> <20041220170213.GH43390@caffreys.strugglers.net> Message-ID: <1103574073.3135.49.camel@nexus.verbum.private> On Mon, 2004-12-20 at 17:02 +0000, Andy Smith wrote: > On Mon, Dec 20, 2004 at 11:37:30AM -0500, Colin Walters wrote: > > On Mon, 2004-12-20 at 16:32 +0000, Andy Smith wrote: > > > > > Now, the only thing I have changed is, instead of having my document > > > root be /var/www/html I've put it in /data/www. I edited > > > /etc/selinux/targeted/src/policy/file_contexts/program/apache.fc to > > > reflect the fact that my content is in a different place and did do > > > a restorecon to relabel things under /data. > > > > Did you do a 'make -C /etc/selinux/targeted/src/policy reload' ? Note > > that restorecon works on /etc/selinux/targeted/contexts/file_contexts > > which is generated from the .fc files. > > I did "make load", that would have been enough, right? >From a glance at the Makefile, I would assume so as the load target indirectly depends on install. Not sure why it didn't work. From Tom.Browder at fwb.srs.com Mon Dec 20 21:11:26 2004 From: Tom.Browder at fwb.srs.com (Browder, Tom) Date: Mon, 20 Dec 2004 15:11:26 -0600 Subject: No Denial Message-ID: I'm using the default strict policy for FC 3 SELinux for testing and learning. I see denial messages when I do 'ls -l /etc/shadow', but nothing when I try to do 'mv /etc/shadow /etc/shadow.save'. Uh, I think I read somewhere that only one of a message type will be seen in some situations, but I can't find it now. How do I ensure that every instance of a specific denial is seen? Thanks. Tom Browder From Tom.Browder at fwb.srs.com Mon Dec 20 21:22:54 2004 
From: Tom.Browder at fwb.srs.com (Browder, Tom)
Date: Mon, 20 Dec 2004 15:22:54 -0600
Subject: No Denial
Message-ID:

Sorry, I found it--in the Unofficial SELinux FAQ.

Tom Browder

From sds at epoch.ncsc.mil Mon Dec 20 21:24:35 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 20 Dec 2004 16:24:35 -0500
Subject: No Denial
In-Reply-To:
References:
Message-ID: <1103577875.6674.127.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2004-12-20 at 16:11, Browder, Tom wrote:
> I'm using the default strict policy for FC 3 SELinux for testing and
> learning.
>
> I see denial messages when I do 'ls -l /etc/shadow', but nothing when I
> try to do 'mv /etc/shadow /etc/shadow.save'.

Unless your process has uid 0, the latter command would be prevented by ordinary Linux DAC and never reaches the SELinux permission checks. Hence, you wouldn't see an audit message for it. The former command would be allowed by Linux DAC and thus reaches the SELinux checks (and audit).

> Uh, I think I read somewhere that only one of a message type will be
> seen in some situations, but I can't find it now.

That only occurs in permissive mode, to avoid flooding the logs. In enforcing mode, it should always audit each occurrence unless a rate limit is being applied.

--
Stephen Smalley
National Security Agency

From Tom.Browder at fwb.srs.com Mon Dec 20 21:32:39 2004
From: Tom.Browder at fwb.srs.com (Browder, Tom) Date: Mon, 20 Dec 2004 15:32:39 -0600 Subject: No Denial Message-ID: (It would be nice to be able to choose to get logging of all instances of denial in permissive mode.) But the denial is the same whether I do 'ls /etc/shadow' or 'mv /etc/shadow /etc/shadow.save'. Is there a way to show the different system calls? I'm sure there is, but I'm just getting started in the nitty-gritty of this stuff and a few hints would be appreciated. Here's my situation: I have a customer who wants to audit specific commands on specific files and directories, i.e., who's doing what to whom and when. Is there an "easy" way to do something like that? Thanks, and I'll try not to bug you any more. Tom Browder From Tom.Browder at fwb.srs.com Mon Dec 20 21:39:58 2004 From: Tom.Browder at fwb.srs.com (Browder, Tom) Date: Mon, 20 Dec 2004 15:39:58 -0600 Subject: No Denial Message-ID: > -----Original Message----- > From: fedora-selinux-list-bounces at redhat.com > [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of > Stephen Smalley > Unless your process has uid 0, then the latter command would > be prevented by ordinary Linux DAC and never reaches the > SELinux permission checks. Hence, you wouldn't see an audit > message for it. The former command would be allowed by Linux > DAC and thus reaches the SELinux checks (and audit). Thanks, Stephen. Actually, I did a 'make load', rotated my logs to clear them out, and then did 'mv /etc/shadow /etc/shadow.save' as a normal user and got a long denial log message (get_attr). Tom Browder From sds at epoch.ncsc.mil Mon Dec 20 21:40:14 2004 
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 20 Dec 2004 16:40:14 -0500
Subject: No Denial
In-Reply-To:
References:
Message-ID: <1103578813.6674.133.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2004-12-20 at 16:32, Browder, Tom wrote:
> But the denial is the same whether I do 'ls /etc/shadow' or 'mv
> /etc/shadow /etc/shadow.save'. Is there a way to show the different
> system calls?

I suspect that you are only getting a getattr denial on the latter for when mv tries to stat the file, but you are never reaching the SELinux permission checks for the rename(2) itself, because Linux DAC will block access unless you are uid 0.

In any event, you can enable system call auditing via the audit=1 kernel boot parameter or via auditctl -e 1.

> Here's my situation: I have a customer who wants to audit specific
> commands on specific files and directories, i.e., who's doing what to
> whom and when.
>
> Is there an "easy" way to do something like that?
>
> Thanks, and I'll try not to bug you any more.

I suspect that you don't actually want SELinux auditing here, as it is just of MAC permission checks, but instead want ordinary system call auditing. There is ongoing work to enhance the existing Linux audit framework and userspace tools toward that end, see the linux-audit mailing list.

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Tue Dec 21 12:11:10 2004
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Mon, 20 Dec 2004 16:41:24 -0500 Subject: No Denial In-Reply-To: References: Message-ID: <1103578883.6674.135.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2004-12-20 at 16:39, Browder, Tom wrote: > Actually, I did a 'make load', rotated my logs to clear them out, and > then did 'mv /etc/shadow /etc/shadow.save' as a normal user and got a > long denial log message (get_attr). Yes, but that is just for the stat(2) attempt (stat => getattr), not for the rename(2) call, which would never reach the SELinux checks unless you first pass the Linux DAC checks. -- Stephen Smalley National Security Agency From Tom.Browder at fwb.srs.com Mon Dec 20 22:08:23 2004 From: Tom.Browder at fwb.srs.com (Browder, Tom) Date: Mon, 20 Dec 2004 16:08:23 -0600 Subject: No Denial Message-ID: > -----Original Message----- > From: fedora-selinux-list-bounces at redhat.com > [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of > Stephen Smalley > I suspect that you don't actually want SELinux auditing here, > as it is just of MAC permission checks, but instead want > ordinary system call auditing. There is ongoing work to > enhance the existing Linux audit framework and userspace > tools toward that end, see the linux-audit mailing list. Thanks, Stephen, I'll check it out. In the meantime, I've turned on enforcement and will see if that at least is a temporary fix. A quick test of major programs I use shows no problems. Tom Browder From Tom.Browder at fwb.srs.com Mon Dec 20 23:24:51 2004 From: Tom.Browder at fwb.srs.com (Browder, Tom) Date: Mon, 20 Dec 2004 17:24:51 -0600 Subject: No Denial Message-ID: > -----Original Message----- 
> From: fedora-selinux-list-bounces at redhat.com > [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of > Stephen Smalley > I suspect that you don't actually want SELinux auditing here, > as it is just of MAC permission checks, but instead want > ordinary system call auditing. There is ongoing work to > enhance the existing Linux audit framework and userspace > tools toward that end, see the linux-audit mailing list. I joined, and took a look. With the audit tools, and audit=1, do I need to keep SELinux turned on? Thanks. Tom Browder From sds at epoch.ncsc.mil Tue Dec 21 12:11:10 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Tue, 21 Dec 2004 07:11:10 -0500 Subject: No Denial In-Reply-To: References: Message-ID: <1103631070.19693.6.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2004-12-20 at 18:24, Browder, Tom wrote: > I joined, and took a look. With the audit tools, and audit=1, do I need > to keep SELinux turned on? Not if all you want is auditing. But note that you'll have to set up audit filters via auditctl to audit what you want, vs. using SELinux policy to enable auditing on particular objects. There is ongoing work to add support for object-based auditing in the audit framework as well, as noted on the linux-audit list. -- Stephen Smalley National Security Agency From Tom.Browder at fwb.srs.com Tue Dec 21 15:17:02 2004 From: Tom.Browder at fwb.srs.com (Browder, Tom) Date: Tue, 21 Dec 2004 09:17:02 -0600 Subject: Snare, SELinux, NISPOM Message-ID: OK, given the current state of things, is anyone satisfying NISPOM auditing requirements on Linux? If so, what are you using for auditing (Linux distribution, add-ons, kernel)? The best I can figure in the short term (right out of the box) is FC 2 and snare 096b with the UT kernel rpms: 2.6.7-1.494.2.2SNARE096b Any better ideas would be appreciated. Thanks. Tom Browder From mkraus at wildtechnology.net Wed Dec 22 00:58:04 2004 
From: mkraus at wildtechnology.net (Michael Kraus) Date: Wed, 22 Dec 2004 11:58:04 +1100 Subject: Using SELinux on samba mounted directories Message-ID: <519693398E70CC488E58B299BD11E87ABEA888@wild-svr1.ho.wildtechnology.net> G'day... Previously under RH9, I had mounted a directory from a windows machine, which was web-served by apache. When I tried to do the same under FC3 I found that apache wasn't recognising the directory, and learnt that this was because of SELinux. I tried to "chcon -R -t httpd_sys_content_t " the directory and found I couldn't. The directory was mounted using smb and an entry in /etc/fstab. Is there a way to edit the /etc/fstab file so that the context is set when the directory is mounted? (I hope this is all making sense, I'm new to all of this.) TIA! Regards, Michael S. E. Kraus B. Info. Tech. (CQU), Dip. Business (Computing) Software Developer Wild Technology Pty Ltd _______________________________ ABN 98 091 470 692 Level 4 Tiara, 306/9 Crystal Street, Waterloo NSW 2017, Australia Telephone 1300-13-9453 | Facsimile 1300-88-9453 http://www.wildtechnology.net The information contained in this email message and any attachments may be confidential information and may also be the subject of client legal - legal professional privilege. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. This email and any attachments are also subject to copyright. No part of them may be reproduced, adapted or transmitted without the written permission of the copyright owner. If you have received this email in error, please immediately advise the sender by return email and delete the message from your system. From pza at pza.net.au Wed Dec 22 01:08:31 2004 
From: pza at pza.net.au (Phil Anderson) Date: Wed, 22 Dec 2004 12:08:31 +1100 Subject: Using SELinux on samba mounted directories In-Reply-To: <519693398E70CC488E58B299BD11E87ABEA888@wild-svr1.ho.wildtechnology.net> References: <519693398E70CC488E58B299BD11E87ABEA888@wild-svr1.ho.wildtechnology.net> Message-ID: <20041222010830.GA1325@harry.pza.net.au> On Wed, Dec 22, 2004 at 11:58:04AM +1100, Michael Kraus wrote: > Is there a way to edit the /etc/fstab file so that the context is set > when the directory is mounted? (I hope this is all making sense, I'm > new to all of this.) Not sure if this solution works with samba - worth a try: http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id3523296 Phil ---- http://www.pza.net.au/ From rich at storix.com Wed Dec 22 01:10:31 2004 From: rich at storix.com (rich turner) Date: Tue, 21 Dec 2004 17:10:31 -0800 Subject: ldconfig hanging Message-ID: <1103677830.28044.14.camel@rich> I am somewhat of a newbie at SELinux, so forgive some of my ignorance. I am using FC3 and have created a filesystem using ramdev. In this filesystem I have put a bunch of files, some executables, and would like to update ld.so.cache in this filesystem by running "ldconfig -r /mnt", where /mnt is the mount point of the ramdev. If I put the running system's /etc/ld.so.cache into /mnt/etc/ld.so.cache then the system hangs when running "ldconfig -r /mnt". However, if I don't include the system's /etc/ld.so.cache in /mnt and then run ldconfig, it succeeds. I believe this has something to do with SELinux because if I boot with "selinux=0" then it doesn't seem to be an issue either way. It also appears /etc/ld.so.cache is being handled in some way by SELinux because there is an entry in /etc/selinux/targeted/contexts/files/file_contexts. I realize the short answer is to not include ld.so.cache in my ramdev, but I would like to know why this is actually happening. Anyone have any suggestions? From mkraus at wildtechnology.net Wed Dec 22 01:23:36 2004 
From: mkraus at wildtechnology.net (Michael Kraus) Date: Wed, 22 Dec 2004 12:23:36 +1100 Subject: Using SELinux on samba mounted directories Message-ID: <519693398E70CC488E58B299BD11E87ABEA889@wild-svr1.ho.wildtechnology.net> G'day... > > Is there a way to edit the /etc/fstab file so that the context is set > > when the directory is mounted? (I hope this is all making > Not sure if this solution works with samba - worth a try: > http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id3523296 Based on that advice, I'm trying: //machine/share /mnt/mymountpoint smb context=root:object_r:httpd_sys_content_t,username=myusername,password=mypass,exec,rw,uid=500,gid=48,fmask=0775 0 0 Unfortunately to no avail. It looks like smbmount ignores the "context=..." part. :( Thanks heaps for your help. Having such a speedy reply is appreciated. Regards, Michael S. E. Kraus Software Developer Wild Technology Pty Ltd From kwade at redhat.com Wed Dec 22 02:34:40 2004 
From: kwade at redhat.com (Karsten Wade) Date: Tue, 21 Dec 2004 18:34:40 -0800 Subject: Using SELinux on samba mounted directories In-Reply-To: <519693398E70CC488E58B299BD11E87ABEA889@wild-svr1.ho.wildtechnology.net> References: <519693398E70CC488E58B299BD11E87ABEA889@wild-svr1.ho.wildtechnology.net> Message-ID: <1103682880.3686.44.camel@erato.phig.org> On Wed, 2004-12-22 at 12:23 +1100, Michael Kraus wrote: > G'day... > > > > Is there a way to edit the /etc/fstab file so that the > > context is set > > > when the directory is mounted? (I hope this is all making > > > Not sure if this solution works with samba - worth a try: > > http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id3523296 > > Based on that advice, I'm trying: > > //machine/share /mnt/mymountpoint smb > context=root:object_r:httpd_sys_content_t,username=myusername,password=m > ypass,exec,rw,uid=500,gid=48,fmask=0775 0 0 > > Unfortunately to no avail. It looks like smbmount ignores the > "context=..." part. :( I don't think the context mounting is working yet for Samba. Would it be a sick idea to smbmount the share, then export it to localhost as an NFS mount, then mount that with an SELinux context? Just looking for stop-gap ideas until the Samba context stuff is working. - Karsten -- Karsten Wade, RHCE, Sr. Tech Writer a lemon is just a melon in disguise http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41 From mkraus at wildtechnology.net Wed Dec 22 05:45:05 2004 
From: mkraus at wildtechnology.net (Michael Kraus) Date: Wed, 22 Dec 2004 16:45:05 +1100 Subject: Using SELinux on samba mounted directories Message-ID: <519693398E70CC488E58B299BD11E87ABEA88C@wild-svr1.ho.wildtechnology.net> > Would it be a sick idea to smbmount the share, then export it > to localhost as an NFS mount, then mount that with an SELinux context? > Just looking for stop-gap ideas until the Samba context stuff > is working. Probably, but it's also probably the kludge that'll work! Thanks Karsten. Regards, Michael S. E. Kraus Software Developer Wild Technology Pty Ltd From dwalsh at redhat.com Wed Dec 22 15:12:49 2004 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 22 Dec 2004 10:12:49 -0500 Subject: Using SELinux on samba mounted directories In-Reply-To: <1103682880.3686.44.camel@erato.phig.org> References: <519693398E70CC488E58B299BD11E87ABEA889@wild-svr1.ho.wildtechnology.net> <1103682880.3686.44.camel@erato.phig.org> Message-ID: <41C98EF1.9020503@redhat.com> Karsten Wade wrote: > On Wed, 2004-12-22 at 12:23 +1100, Michael Kraus wrote: > > G'day... > > > > > Is there a way to edit the /etc/fstab file so that the context is set > > > > when the directory is mounted? (I hope this is all making > > > Not sure if this solution works with samba - worth a try: > > > http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id3523296 > > Based on that advice, I'm trying: > > //machine/share /mnt/mymountpoint smb context=root:object_r:httpd_sys_content_t,username=myusername,password=mypass,exec,rw,uid=500,gid=48,fmask=0775 0 0 > > Unfortunately to no avail. It looks like smbmount ignores the "context=..." part. :( > I don't think the context mounting is working yet for Samba. > Would it be a sick idea to smbmount the share, then export it to localhost as an NFS mount, then mount that with an SELinux context? Just looking for stop-gap ideas until the Samba context stuff is working. > - Karsten What AVC messages are you seeing? From dwalsh at redhat.com Wed Dec 22 15:14:16 2004 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 22 Dec 2004 10:14:16 -0500 Subject: ldconfig hanging In-Reply-To: <1103677830.28044.14.camel@rich> References: <1103677830.28044.14.camel@rich> Message-ID: <41C98F48.9070008@redhat.com> rich turner wrote: >i am somewhat of a newbie at selinux so forgive some of my ignorance. i >am using fc3 and have created a filesystem using ramdev. in this >filesystem i have put a bunch of files, some executables, and would like >to update ld.so.cache in this filesystem by running "ldconfig -r /mnt", >where /mnt is the mount point of the ramdev. > >if i put the running systems /etc/ld.so.cache into /mnt/etc/ld.so.cache >then the system hangs when running "ldconfig -r /mnt". however, if i >dont include the systems /etc/ld.so.cache into /mnt and then run >ldconfig, it succeeds. > >i believe this has something to do with selinux because if i boot with >"selinux=0" then it doesnt seem to be an issue either way. > >it also appears /etc/ld.so.cache is being handled in some way by selinux >because there is an entry in >/etc/selinux/targeted/contexts/files/file_contexts. > >i realize the short answer is to not include ld.so.cache in my ramdev, >but i would like to know why this is actually happening. > >anyone have any suggestions? > > > What is your log file showing? SELinux reports errors in /var/log/messages with AVC prefix. Dan >-- >fedora-selinux-list mailing list >fedora-selinux-list at redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > From cra at WPI.EDU Wed Dec 22 15:20:06 2004 
From: cra at WPI.EDU (Charles R. Anderson) Date: Wed, 22 Dec 2004 10:20:06 -0500 Subject: Using SELinux on samba mounted directories In-Reply-To: <519693398E70CC488E58B299BD11E87ABEA88C@wild-svr1.ho.wildtechnology.net> References: <519693398E70CC488E58B299BD11E87ABEA88C@wild-svr1.ho.wildtechnology.net> Message-ID: <20041222152006.GB27739@angus.ind.WPI.EDU> On Wed, Dec 22, 2004 at 04:45:05PM +1100, Michael Kraus wrote: > > Would it be a sick idea to smbmount the share, then export it > > to localhost as an NFS mount, then mount that with an SELinux context? > > Just looking for stop-gap ideas until the Samba context stuff > > is working. > > Probably, but it's also probably the kludge that'll work! I don't think you can re-export SMB filesystems. From rich at storix.com Wed Dec 22 16:04:11 2004 
From: rich at storix.com (rich turner) Date: Wed, 22 Dec 2004 08:04:11 -0800 Subject: ldconfig hanging In-Reply-To: <41C98F48.9070008@redhat.com> References: <1103677830.28044.14.camel@rich> <41C98F48.9070008@redhat.com> Message-ID: <1103731450.28044.17.camel@rich> i dont really see anything that stands out related to ldconfig or my ramdisk. perhaps you see something differently. [root at redhat ~]# grep avc /var/log/messages Dec 21 15:46:03 redhat kernel: audit(1103672763.346:0): avc: granted { setenforce } for pid=15023 exe=/bin/bash scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security Dec 21 15:51:56 redhat kernel: audit(1103673116.843:0): avc: granted { setenforce } for pid=3416 exe=/bin/bash scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security Dec 21 16:15:28 redhat kernel: audit(1103674528.036:0): avc: granted { setenforce } for pid=5529 exe=/usr/bin/setenforce scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security Dec 21 16:23:45 redhat kernel: audit(1103675025.790:0): avc: granted { setenforce } for pid=5515 exe=/usr/bin/setenforce scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security Dec 21 16:29:12 redhat dbus: avc: 1 AV entries and 1/512 buckets used, longest chain length 1 On Wed, 2004-12-22 at 07:14, Daniel J Walsh wrote: > rich turner wrote: > > >i am somewhat of a newbie at selinux so forgive some of my ignorance. i > >am using fc3 and have created a filesystem using ramdev. in this > >filesystem i have put a bunch of files, some executables, and would like > >to update ld.so.cache in this filesystem by running "ldconfig -r /mnt", > >where /mnt is the mount point of the ramdev. > > > >if i put the running systems /etc/ld.so.cache into /mnt/etc/ld.so.cache > >then the system hangs when running "ldconfig -r /mnt". 
however, if i > >dont include the systems /etc/ld.so.cache into /mnt and then run > >ldconfig, it succeeds. > > > >i believe this has something to do with selinux because if i boot with > >"selinux=0" then it doesnt seem to be an issue either way. > > > >it also appears /etc/ld.so.cache is being handled in some way by selinux > >because there is an entry in > >/etc/selinux/targeted/contexts/files/file_contexts. > > > >i realize the short answer is to not include ld.so.cache in my ramdev, > >but i would like to know why this is actually happening. > > > >anyone have any suggestions? > > > > > > > What is your log file showing? SELinux reports errors in > /var/log/messages with AVC prefix. > > Dan > > >-- > >fedora-selinux-list mailing list > >fedora-selinux-list at redhat.com > >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list From selinux at gmail.com Wed Dec 22 17:39:43 2004 From: selinux at gmail.com (Tom London) Date: Wed, 22 Dec 2004 09:39:43 -0800 Subject: 'allow XXXX udev_tdb_t:dir r_dir_perms' needed... Message-ID: <4c4ba15304122209392e586bb0@mail.gmail.com> Running strict/enforcing, latest Rawhide.... X fails to come up, etc. Looks like allow XXXX udev_tdb_t:dir r_dir_perms; is needed pretty generally, especially for xdm_t, xdm_server_t, ptal_t, pam_console_t, lvm_t, hald_t, gpm_t, cupsd_t. Even user_t seems to want it for configuring esd. Should this be added to macros somewhere? tom -- Tom London From dwalsh at redhat.com Wed Dec 22 17:58:23 2004 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 22 Dec 2004 12:58:23 -0500 Subject: 'allow XXXX udev_tdb_t:dir r_dir_perms' needed... In-Reply-To: <4c4ba15304122209392e586bb0@mail.gmail.com> References: <4c4ba15304122209392e586bb0@mail.gmail.com> Message-ID: <41C9B5BF.50009@redhat.com> Tom London wrote: >Running strict/enforcing, latest Rawhide.... > >X fails to come up, etc. > >Looks like > allow XXXX udev_tdb_t:dir r_dir_perms; >is needed pretty generally, especially >for xdm_t, xdm_server_t, ptal_t, pam_console_t, >lvm_t, hald_t, gpm_t, cupsd_t. Even >user_t seems to want it for configuring esd. > >Should this be added to macros somewhere? > >tom > > Does this solve the problem? diff -u global_macros.te~ global_macros.te --- global_macros.te~ 2004-12-22 11:18:14.000000000 -0500 +++ global_macros.te 2004-12-22 12:56:43.883461279 -0500 @@ -242,7 +242,7 @@ allow $1_t { self proc_t }:dir r_dir_perms; allow $1_t { self proc_t }:lnk_file read; -allow $1_t device_t:dir { getattr search }; +r_dir_file($1_t, device_t) allow $1_t null_device_t:chr_file rw_file_perms; dontaudit $1_t console_device_t:chr_file rw_file_perms; dontaudit $1_t unpriv_userdomain:fd use; From selinux at gmail.com Wed Dec 22 18:48:44 2004 From: selinux at gmail.com (Tom London) Date: Wed, 22 Dec 2004 10:48:44 -0800 Subject: 'allow XXXX udev_tdb_t:dir r_dir_perms' needed... In-Reply-To: <41C9B5BF.50009@redhat.com> References: <4c4ba15304122209392e586bb0@mail.gmail.com> <41C9B5BF.50009@redhat.com> Message-ID: <4c4ba153041222104861f0bde9@mail.gmail.com> On Wed, 22 Dec 2004 12:58:23 -0500, Daniel J Walsh wrote: > Tom London wrote: > > Does this solve the problem? > > diff -u global_macros.te~ global_macros.te > --- global_macros.te~ 2004-12-22 11:18:14.000000000 -0500 > +++ global_macros.te 2004-12-22 12:56:43.883461279 -0500 
> @@ -242,7 +242,7 @@ > allow $1_t { self proc_t }:dir r_dir_perms; > allow $1_t { self proc_t }:lnk_file read; > > -allow $1_t device_t:dir { getattr search }; > +r_dir_file($1_t, device_t) > allow $1_t null_device_t:chr_file rw_file_perms; > dontaudit $1_t console_device_t:chr_file rw_file_perms; > dontaudit $1_t unpriv_userdomain:fd use; > > Dan, I'm at work, so I'll test this later. Since the AVCs had read/getattr denials for udev_tdb_t (not device_t), I would think that we would need a fix like this: > +r_dir_file($1_t, { device_t udev_tdb_t }) Am I missing something obvious? tom -- Tom London From dwalsh at redhat.com Wed Dec 22 18:52:36 2004 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 22 Dec 2004 13:52:36 -0500 Subject: 'allow XXXX udev_tdb_t:dir r_dir_perms' needed... In-Reply-To: <4c4ba153041222104861f0bde9@mail.gmail.com> References: <4c4ba15304122209392e586bb0@mail.gmail.com> <41C9B5BF.50009@redhat.com> <4c4ba153041222104861f0bde9@mail.gmail.com> Message-ID: <41C9C274.2090006@redhat.com> Tom London wrote: >On Wed, 22 Dec 2004 12:58:23 -0500, Daniel J Walsh wrote: > > >>Tom London wrote: >> >>Does this solve the problem? >> >>diff -u global_macros.te~ global_macros.te >>--- global_macros.te~ 2004-12-22 11:18:14.000000000 -0500 >>+++ global_macros.te 2004-12-22 12:56:43.883461279 -0500 
>>@@ -242,7 +242,7 @@ >> allow $1_t { self proc_t }:dir r_dir_perms; >> allow $1_t { self proc_t }:lnk_file read; >> >>-allow $1_t device_t:dir { getattr search }; >>+r_dir_file($1_t, device_t) >> allow $1_t null_device_t:chr_file rw_file_perms; >> dontaudit $1_t console_device_t:chr_file rw_file_perms; >> dontaudit $1_t unpriv_userdomain:fd use; >> >> >> >> > >Dan, > >I'm at work, so I'll test this later. > >Since the AVCs had read/getattr denials >for udev_tdb_t (not device_t), I would think >that we would need a fix like this: > > > >>+r_dir_file($1_t, { device_t udev_tdb_t }) >> >> > >Am I missing something obvious? > >tom > > > > No but I am :^) r_dir_file($1_t, udev_tdb_t) is probably sufficient From sopwith at redhat.com Wed Dec 22 20:12:58 2004 
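Review bot: the global_macros.te hunk above changes the wrong type and widens access more than the reported denials call for. Tom's AVCs were `udev_tdb_t:dir { read getattr }`, but the hunk replaces `-allow $1_t device_t:dir { getattr search };` with `+r_dir_file($1_t, device_t)`, which leaves udev_tdb_t untouched and, for every domain instantiated through this macro, turns a getattr/search grant on device_t directories into read access to device_t directories, files and symlinks. The follow-up suggestion `r_dir_file($1_t, udev_tdb_t)` fixes the type but keeps the same over-grant (file and lnk_file read) for a report that only mentioned dir read/getattr. Keep the device_t line as it was and add a separate, dir-only rule such as `allow $1_t udev_tdb_t:dir { getattr search read };`, and since this macro is expanded into a large number of domains, confirm that the domains actually hitting the denial (xdm_t, lvm_t, pam_console_t, ...) all need it rather than placing it in a narrower macro.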
From: sopwith at redhat.com (Elliot Lee) Date: Wed, 22 Dec 2004 15:12:58 -0500 Subject: Fedora Project Mailing Lists reminder Message-ID: This is a reminder of the mailing lists for the Fedora Project, and the purpose of each list. You can view this information at http://fedora.redhat.com/participate/communicate/ When you're using these mailing lists, please take the time to choose the one that is most appropriate to your post. If you don't know the right mailing list to use for a question or discussion, please contact me. This will help you get the best possible answer for your question, and keep other list subscribers happy! Mailing Lists Mailing lists are email addresses which send email to all users subscribed to the mailing list. Sending an email to a mailing list reaches all users interested in discussing a specific topic and users available to help other users with the topic. The following mailing lists are available. To subscribe, send email to -request at redhat.com (replace with the desired mailing list name such as fedora-list) with the word subscribe in the subject. fedora-announce-list - Announcements of changes and events. To stay aware of news, subscribe to this list. fedora-list - For users of releases. If you want help with a problem installing or using , this is the list for you. fedora-test-list - For testers of test releases. If you would like to discuss experiences using TEST releases, this is the list for you. fedora-devel-list - For developers, developers, developers. If you are interested in helping create releases, this is the list for you. fedora-docs-list - For participants of the docs project fedora-desktop-list - For discussions about desktop issues such as user interfaces, artwork, and usability fedora-config-list - For discussions about the development of configuration tools fedora-tools-list - For discussions about the toolchain (gcc, gdb, etc...) 
within Fedora fedora-patches-list - For submitting patches to Fedora maintainers, and used in line with BugWeek fedora-legacy-announce - For announcements about the Fedora Legacy Project fedora-legacy-list - For discussions about the Fedora Legacy Project fedora-selinux-list - For discussions about the Fedora SELinux Project fedora-marketing-list - For discussions about marketing and expanding the Fedora user base fedora-de-list - For discussions about Fedora in the German language fedora-es-list - For discussions about Fedora in the Spanish language fedora-ja-list - For discussions about Fedora in the Japanese language fedora-i18n-list - For discussions about the internationalization of Fedora Core fedora-trans-list - For discussions about translating the software and documentation associated with the Fedora Project German: fedora-trans-de French: fedora-trans-fr Spanish: fedora-trans-es Italian: fedora-trans-it Brazilian Portuguese: fedora-trans-pt_br Japanese: fedora-trans-ja Korean: fedora-trans-ko Simplified Chinese: fedora-trans-zh_cn Traditional Chinese: fedora-trans-zh_tw From mkraus at wildtechnology.net Wed Dec 22 22:48:33 2004 
From: mkraus at wildtechnology.net (Michael Kraus) Date: Thu, 23 Dec 2004 09:48:33 +1100 Subject: Using SELinux on samba mounted directories Message-ID: <519693398E70CC488E58B299BD11E87ABEA890@wild-svr1.ho.wildtechnology.net> > What AVC messages are you seeing? AVC messages? (Could you elucidate please?) Thanks Regards, Michael S. E. Kraus Software Developer Wild Technology Pty Ltd From kwade at redhat.com Thu Dec 23 00:11:59 2004 
From: kwade at redhat.com (Karsten Wade) Date: Wed, 22 Dec 2004 16:11:59 -0800 Subject: ldconfig hanging In-Reply-To: <1103731450.28044.17.camel@rich> References: <1103677830.28044.14.camel@rich> <41C98F48.9070008@redhat.com> <1103731450.28044.17.camel@rich> Message-ID: <1103760719.4536.27.camel@erato.phig.org> On Wed, 2004-12-22 at 08:04 -0800, rich turner wrote: > i dont really see anything that stands out related to ldconfig or my > ramdisk. perhaps you see something differently. One thing I notice is that your setenforce is in /usr/bin, which is the location set in the libselinux package that shipped with FC3 (iirc). However, this has moved to /usr/sbin since then in updates. Is your system otherwise updated? - Karsten > [root at redhat ~]# grep avc /var/log/messages > Dec 21 15:46:03 redhat kernel: audit(1103672763.346:0): avc: granted { > setenforce } for pid=15023 exe=/bin/bash > scontext=user_u:system_r:unconfined_t > tcontext=system_u:object_r:security_t tclass=security > Dec 21 15:51:56 redhat kernel: audit(1103673116.843:0): avc: granted { > setenforce } for pid=3416 exe=/bin/bash > scontext=root:system_r:unconfined_t > tcontext=system_u:object_r:security_t tclass=security > Dec 21 16:15:28 redhat kernel: audit(1103674528.036:0): avc: granted { > setenforce } for pid=5529 exe=/usr/bin/setenforce > scontext=root:system_r:unconfined_t > tcontext=system_u:object_r:security_t tclass=security > Dec 21 16:23:45 redhat kernel: audit(1103675025.790:0): avc: granted { > setenforce } for pid=5515 exe=/usr/bin/setenforce > scontext=root:system_r:unconfined_t > tcontext=system_u:object_r:security_t tclass=security > Dec 21 16:29:12 redhat dbus: avc: 1 AV entries and 1/512 buckets used, > longest chain length 1 > > > On Wed, 2004-12-22 at 07:14, Daniel J Walsh wrote: > > rich turner wrote: > > > > >i am somewhat of a newbie at selinux so forgive some of my ignorance. i > > >am using fc3 and have created a filesystem using ramdev. 
in this > > >filesystem i have put a bunch of files, some executables, and would like > > >to update ld.so.cache in this filesystem by running "ldconfig -r /mnt", > > >where /mnt is the mount point of the ramdev. > > > > > >if i put the running systems /etc/ld.so.cache into /mnt/etc/ld.so.cache > > >then the system hangs when running "ldconfig -r /mnt". however, if i > > >dont include the systems /etc/ld.so.cache into /mnt and then run > > >ldconfig, it succeeds. > > > > > >i believe this has something to do with selinux because if i boot with > > >"selinux=0" then it doesnt seem to be an issue either way. > > > > > >it also appears /etc/ld.so.cache is being handled in some way by selinux > > >because there is an entry in > > >/etc/selinux/targeted/contexts/files/file_contexts. > > > > > >i realize the short answer is to not include ld.so.cache in my ramdev, > > >but i would like to know why this is actually happening. > > > > > >anyone have any suggestions? > > > > > > > > > > > What is your log file showing? SELinux reports errors in > > /var/log/messages with AVC prefix. > > > > Dan > > > > >-- > > >fedora-selinux-list mailing list > > >fedora-selinux-list at redhat.com > > >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > > > > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Karsten Wade, RHCE, Sr. Tech Writer a lemon is just a melon in disguise http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41 From kwade at redhat.com Thu Dec 23 00:16:57 2004 
From: kwade at redhat.com (Karsten Wade) Date: Wed, 22 Dec 2004 16:16:57 -0800 Subject: Using SELinux on samba mounted directories In-Reply-To: <519693398E70CC488E58B299BD11E87ABEA890@wild-svr1.ho.wildtechnology.net> References: <519693398E70CC488E58B299BD11E87ABEA890@wild-svr1.ho.wildtechnology.net> Message-ID: <1103761017.4536.29.camel@erato.phig.org> On Thu, 2004-12-23 at 09:48 +1100, Michael Kraus wrote: > > What AVC messages are you seeing? > > AVC messages? (Could you elucidate please?) Access vector cache errors in /var/log/messages, e.g.: Dec 22 16:16:02 urania kernel: audit(1103760962.583:0): avc: denied { associate } for pid=2461 exe=/usr/bin/chcon name=foo dev=hdb2 ino=355526 scontext=user_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem - Karsten -- Karsten Wade, RHCE, Sr. Tech Writer a lemon is just a melon in disguise http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41 From selinux at gmail.com Thu Dec 23 04:12:10 2004 
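The AVC record format Karsten describes above, taken apart field by field, as an added example that is not part of the original thread or of any Fedora tool: a small Python parser for the FC3-era `audit(...): avc:` lines in /var/log/messages. It runs over the setenforce and chcon lines posted in this thread, skips the dbus cache-statistics line that also says "avc:" but is not a permission check, and adds one constructed getattr denial standing in for the non-root `mv /etc/shadow` case Stephen explains earlier (the thread describes that denial but does not show it). Grouping the checks by process makes his point visible: only `file:getattr` from mv's stat(2) reaches SELinux, the rename(2) is stopped by Linux DAC first and never appears. The last function performs the mechanical denial-to-`allow`-rule conversion that several posts in this thread do by hand; the function names and the constructed mv line are mine.

```python
import re
from collections import defaultdict

# FC3-era AVC record as the kernel printed it into /var/log/messages (before
# auditd moved these records into /var/log/audit/audit.log). The "for" clause
# is a free-form list of key=value fields, so it is parsed separately.
AVC_RE = re.compile(
    r"audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+"
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Sample input. The first three lines are copied from this thread; the fourth
# is a constructed stand-in for the getattr denial a non-root "mv /etc/shadow"
# produces (pid, inode and timestamp are made up).
SAMPLE_LOG = """\
Dec 21 16:15:28 redhat kernel: audit(1103674528.036:0): avc: granted { setenforce } for pid=5529 exe=/usr/bin/setenforce scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Dec 21 16:29:12 redhat dbus: avc: 1 AV entries and 1/512 buckets used, longest chain length 1
Dec 22 16:16:02 urania kernel: audit(1103760962.583:0): avc: denied { associate } for pid=2461 exe=/usr/bin/chcon name=foo dev=hdb2 ino=355526 scontext=user_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
Dec 20 15:35:10 host kernel: audit(1103578510.112:0): avc: denied { getattr } for pid=4321 exe=/bin/mv path=/etc/shadow dev=hda2 ino=12345 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
"""


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "time": float(m.group("time")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Contexts are user:role:type; policy rules name the type, so keep it.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else parts[-1]
    return rec


def parse_log(text):
    """Parse every AVC record in a chunk of /var/log/messages."""
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def checks_by_process(records):
    """Group the permission checks that reached SELinux by (pid, exe).
    A non-root mv of /etc/shadow shows only file:getattr here: rename(2)
    fails the Linux DAC check first and never reaches the MAC hook."""
    out = defaultdict(set)
    for r in records:
        for perm in r["perms"]:
            key = (r.get("pid"), r.get("exe"))
            out[key].add("%s:%s:%s" % (r["decision"], r.get("tclass"), perm))
    return {k: sorted(v) for k, v in out.items()}


def suggest_allow(rec):
    """The allow rule that would silence this denial (mechanical conversion).
    Whether the rule belongs in policy at all, and in which macro, is a
    separate judgement that this function does not make."""
    if rec["decision"] != "denied":
        raise ValueError("not a denial: %r" % (rec,))
    return "allow %s %s:%s { %s };" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"],
        " ".join(rec["perms"]))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, checks in sorted(checks_by_process(recs).items()):
        print(key, checks)
    for r in recs:
        if r["decision"] == "denied":
            print(suggest_allow(r))
```

`grep avc /var/log/messages | python3 avcparse.py`-style use would need a stdin loop in place of `SAMPLE_LOG`; the parser itself does not change. Note that `suggest_allow` emits exactly the kind of rule the thread above argues about: the right fix is often an existing macro or a dontaudit rather than a per-domain allow, and a denial that only appears in permissive mode still needs the same judgement.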
From: selinux at gmail.com (Tom London)
Date: Wed, 22 Dec 2004 20:12:10 -0800
Subject: 'allow XXXX udev_tdb_t:dir r_dir_perms' needed...
In-Reply-To: <41C9C274.2090006@redhat.com>
References: <4c4ba15304122209392e586bb0@mail.gmail.com> <41C9B5BF.50009@redhat.com> <4c4ba153041222104861f0bde9@mail.gmail.com> <41C9C274.2090006@redhat.com>
Message-ID: <4c4ba15304122220126f50456d@mail.gmail.com>

On Wed, 22 Dec 2004 13:52:36 -0500, Daniel J Walsh wrote:
> No but I am :^) r_dir_file($1_t, udev_tdb_t) is probably sufficient
>

Dan,

Sorry, but that didn't quite work.  Here's what seems to get rhgb and X running again:

global_macros.te:
allow $1_t { self proc_t }:dir r_dir_perms;
allow $1_t { self proc_t }:lnk_file read;
+allow $1_t { device_t udev_tdb_t }:dir { getattr search };
allow $1_t null_device_t:chr_file rw_file_perms;
dontaudit $1_t console_device_t:chr_file rw_file_perms;
dontaudit $1_t unpriv_userdomain:fd use;

udev.te:
allow udev_t etc_t:file ioctl;
ifdef(`xdm.te', `
allow udev_t xdm_var_run_t:file { getattr read };
+allow xdm_xserver_t udev_tdb_t:dir r_dir_perms;
')

However, still get lots of AVCs for udev_tdb_t for lvm_t, pam_console_t, ptal_t, xdm_t, and user_t.

Does it make sense to add it to base_user_domain()? full_user_role()? (they already have access to device_t). daemon_base_domain()?

[I'm sure I'm making this too complicated, but I'm trying to avoid adding an 'allow ... udev_tdb_t:dir' to each separate .te file .....]

tom
-- 
Tom London

From parklee_sel at yahoo.com Thu Dec 23 05:59:09 2004
From: parklee_sel at yahoo.com (Park Lee)
Date: Wed, 22 Dec 2004 21:59:09 -0800 (PST)
Subject: Where is the SID stored in file system and process respectively?
Message-ID: <20041223055909.94522.qmail@web51507.mail.yahoo.com>

Hi,

As we know, in SELinux, when we first access a file, the file system should first send the security context of the file from its extended attribute to the security server. The security server will give a SID back to the file for later use. Since then, every time we access the file, there is no need for the file system to send the security context of the file again; instead, it will send the SID of the file to the security server.

But where is the SID (which is assigned by the security server for the file) stored in the file system? And how is the SID calculated?

As for a process in SELinux, where is the SID (which is also assigned by the security server) stored with the process? Does the security context of the process only exist in the SELinux security server, and does the process only need to deal with the SID that is related to the security context? Will the process itself handle its own security context?

Thank you.

=====
Best Regards,
Park Lee

From russell at coker.com.au Thu Dec 23 10:36:42 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 23 Dec 2004 21:36:42 +1100
Subject: 'allow XXXX udev_tdb_t:dir r_dir_perms' needed...
In-Reply-To: <4c4ba15304122220126f50456d@mail.gmail.com>
References: <4c4ba15304122209392e586bb0@mail.gmail.com> <41C9C274.2090006@redhat.com> <4c4ba15304122220126f50456d@mail.gmail.com>
Message-ID: <200412232136.46185.russell@coker.com.au>

On Thursday 23 December 2004 15:12, Tom London wrote:
> Here's what seems to get rhgb and X running again:
>
> global_macros.te:
> allow $1_t { self proc_t }:dir r_dir_perms;
> allow $1_t { self proc_t }:lnk_file read;
>
> +allow $1_t { device_t udev_tdb_t }:dir { getattr search };

The problem is that the directory should have type device_t not udev_tdb_t.  The recent trend has been to label all directories under /dev as device_t.

-file_type_auto_trans(udev_t, device_t, udev_tdb_t, { file dir })
+file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)

If the above change is made to udev.te and the below change is made to udev.fc then everything will work well.  This is the easiest and simplest change that preserves expected functionality.

-/dev/\.udev\.tdb(/.*)?	system_u:object_r:udev_tdb_t
+/dev/\.udev\.tdb/.*	--	system_u:object_r:udev_tdb_t

I assume that the file names in directory /dev/.udev.tdb don't give anything away - otherwise the directory surely wouldn't have mode 0755...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Thu Dec 23 11:55:22 2004
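To show what the `--` column in the udev.fc change above actually does, here is an added example (not code from the list or from the policy) that evaluates file_contexts entries the way the hand-ordered .fc files of this era were read: entries scanned in file order, the last match wins, and the optional type specifier restricts an entry to one kind of object. The general `/dev(/.*)?` rule and the "last match wins" ordering are assumptions stated in the code.

```python
import re

# file_contexts type specifiers (the optional middle column): "--" regular
# file, "-d" directory, "-c"/"-b" character/block device, "-l" symlink,
# "-p" fifo, "-s" socket.  No specifier means the entry applies to any type.
TYPE_SPECS = {"--": "file", "-d": "dir", "-c": "chr_file", "-b": "blk_file",
              "-l": "lnk_file", "-p": "fifo_file", "-s": "sock_file"}


def parse_fc(text):
    """Parse file_contexts text into (compiled regex, file type or None, context)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, spec, ctx = parts
            if spec not in TYPE_SPECS:
                raise ValueError("unknown type specifier in: " + line)
            ftype = TYPE_SPECS[spec]
        elif len(parts) == 2:
            regex, ctx = parts
            ftype = None
        else:
            raise ValueError("bad file_contexts line: " + line)
        # file_contexts regexes are matched against the whole path
        entries.append((re.compile("^" + regex + "$"), ftype, ctx))
    return entries


def match_context(entries, path, ftype):
    """Context the entries assign to `path` (an object of kind `ftype`), or None.

    Assumption of this example: entries are scanned in file order and the last
    one that matches wins, which is how the .fc files of this era were ordered
    (specific entries placed after the general /dev rule).
    """
    ctx = None
    for regex, spec_type, entry_ctx in entries:
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.match(path):
            ctx = entry_ctx
    return ctx


# Constructed fragments: the general /dev rule is assumed; the udev lines are
# the before/after of the udev.fc change quoted above.
OLD_FC = r"""
/dev(/.*)?                system_u:object_r:device_t
/dev/\.udev\.tdb(/.*)?    system_u:object_r:udev_tdb_t
"""
NEW_FC = r"""
/dev(/.*)?                system_u:object_r:device_t
/dev/\.udev\.tdb/.*   --  system_u:object_r:udev_tdb_t
"""


def compare(path, ftype):
    """Label the same object under the old and the new udev.fc fragment."""
    return (match_context(parse_fc(OLD_FC), path, ftype),
            match_context(parse_fc(NEW_FC), path, ftype))


if __name__ == "__main__":
    # The directory itself: udev_tdb_t before, device_t after (the point of the change).
    print("/dev/.udev.tdb (dir) ->", compare("/dev/.udev.tdb", "dir"))
    # Regular files inside it keep udev_tdb_t either way.
    print("/dev/.udev.tdb/00000001 (file) ->", compare("/dev/.udev.tdb/00000001", "file"))
```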
From: russell at coker.com.au (Russell Coker)
Date: Thu, 23 Dec 2004 22:55:22 +1100
Subject: FC3 PostgreSQL update
Message-ID: <200412232255.26217.russell@coker.com.au>

On Saturday 18 December 2004 01:14, Troels Arvin wrote:
> Due to a disk-space problem, my /var/lib/pgsql is a symlink to
> /mnt/hda1/pgsql

Sym-links interfere with SE Linux labelling.  If you were to run "restorecon -R /var/lib/pgsql/something" then it should work.  But the best thing to do is to just not do that.

This is one of the reasons why I often promote LVM.  LVM allows you to more effectively manage your storage without those sym-link hacks that cause so much trouble with SE Linux (and lots of other things too).  This isn't going to fix your current problem, but may help you next time.  LVM is really good anyway and is something you will benefit from a lot even if you don't use SE Linux.

> How come a PostgreSQL update breaks what used to work?

I don't know how it could have worked previously without PostgreSQL having search access to mnt_t.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From selinux at gmail.com Thu Dec 23 15:11:42 2004
From: selinux at gmail.com (Tom London)
Date: Thu, 23 Dec 2004 07:11:42 -0800
Subject: 'allow XXXX udev_tdb_t:dir r_dir_perms' needed...
In-Reply-To: <200412232136.46185.russell@coker.com.au>
References: <4c4ba15304122209392e586bb0@mail.gmail.com> <41C9C274.2090006@redhat.com> <4c4ba15304122220126f50456d@mail.gmail.com> <200412232136.46185.russell@coker.com.au>
Message-ID: <4c4ba15304122307114dfe08de@mail.gmail.com>

On Thu, 23 Dec 2004 21:36:42 +1100, Russell Coker wrote:
> On Thursday 23 December 2004 15:12, Tom London wrote:
> > Here's what seems to get rhgb and X running again:
> >
> > global_macros.te:
> > allow $1_t { self proc_t }:dir r_dir_perms;
> > allow $1_t { self proc_t }:lnk_file read;
> >
> > +allow $1_t { device_t udev_tdb_t }:dir { getattr search };
>
> The problem is that the directory should have type device_t not udev_tdb_t.
> The recent trend has been to label all directories under /dev as device_t.
>
> -file_type_auto_trans(udev_t, device_t, udev_tdb_t, { file dir })
> +file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
>
> If the above change is made to udev.te and the below change is made to udev.fc
> then everything will work well.  This is the easiest and simplest change that
> preserves expected functionality.
>
> -/dev/\.udev\.tdb(/.*)?	system_u:object_r:udev_tdb_t
> +/dev/\.udev\.tdb/.*	--	system_u:object_r:udev_tdb_t
>
> I assume that the file names in directory /dev/.udev.tdb don't give anything
> away - otherwise the directory surely wouldn't have mode 0755...
>
> --

Russell, Dan,

Yes, this fixes it, even the user_t accesses.

Thanks!

tom
-- 
Tom London

From selinux at gmail.com Thu Dec 23 15:41:45 2004
From: selinux at gmail.com (Tom London)
Date: Thu, 23 Dec 2004 07:41:45 -0800
Subject: ldconfig and var?
Message-ID: <4c4ba15304122307414f069fdf@mail.gmail.com>

Running strict/enforcing, latest Rawhide.

Actually during today's 'yum update':

Running Transaction
Installing: kernel 100 % done 1/39
/bin/bash: /root/.bashrc: Permission denied
Updating: guile 100 % done 2/39
/sbin/ldconfig: relative path `2' used to build cache
error: %post(guile-1.6.4-16.i386) scriptlet failed, exit status 1
Updating: inews 100 % done 3/39

Log shows the following AVC:

Dec 23 07:34:52 fedora kernel: audit(1103816092.011:0): avc: denied { search } for pid=8079 exe=/sbin/ldconfig name=var dev=hda2 ino=4456449 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_t tclass=dir

ldconfig.te has:

ifdef(`distro_suse', `
# because of libraries in /var/lib/samba/bin
allow ldconfig_t { var_t var_lib_t }:dir search;
')

For fedora too?  guile rpm broken?

tom
-- 
Tom London

From parklee_sel at yahoo.com Thu Dec 23 05:59:09 2004
From justin.conover at gmail.com Fri Dec 24 16:24:04 2004
From: justin.conover at gmail.com (Justin Conover)
Date: Fri, 24 Dec 2004 10:24:04 -0600
Subject: system-config-securitylevel error?

I re-enabled SELinux and then did the following:

cd /etc/selinux/targeted/src/policy
make
make relabel
reboot
/sbin/restorecon -v -R
/sbin/fixfiles relabel
reboot to init 3

I didn't see any avc errors so installed the nvidia drivers and then got some errors again.  Had to do with /sbin/ldconfig

And if I go to init 5, gdm loads but users and root get the following error trying to login:

Cannot start the session due to some internal errors.

So I can't get into X

On Fri, 24 Dec 2004 09:41:32 -0600, Justin Conover wrote:
> About 2 days ago I did an update and I was getting so many avc errors
> and had to get some work done so I dropped SELinux for the moment.  I
> simply edited /etc/sysconfig/selinux and changed it to "disabled" but
> when I run "system-config-securitylevel" I get the following error:
>
> # system-config-securitylevel
> Traceback (most recent call last):
>   File "/usr/share/system-config-securitylevel/system-config-securitylevel.py", line 17, in ?
>     app = securitylevel.childWindow()
>   File "/usr/share/system-config-securitylevel/securitylevel.py", line 87, in __init__
>     self.trustedList = checklist.CheckList(1)
> NameError: global name 'checklist' is not defined
>
> My system is the following:
>
> FC3 x86_64 updated to Rawhide.
>
> thx,
>
> btw, I've attached the avc errors out of /var/log/messages.  If I
> decide to turn SELinux back on, what is the best approach as far as
> re-labeling:
>
> /sbin/restorecon -v -R
> /sbin/fixfiles relabel
>
> ?

From parklee_sel at yahoo.com Fri Dec 24 18:30:55 2004
From: parklee_sel at yahoo.com (Park Lee)
Date: Fri, 24 Dec 2004 10:30:55 -0800 (PST)
Subject: About security field in struct sk_buff
Message-ID: <20041224183055.44205.qmail@web51507.mail.yahoo.com>

Hi,

In /usr/src/linux/security/selinux/include/objsec.h, there seems to be no SELinux security data structure for struct sk_buff. Does this mean that SELinux doesn't use the security field (i.e. the unsigned short security) in struct sk_buff at all?

Thank you.

=====
Best Regards,
Park Lee

From selinux at gmail.com Fri Dec 24 20:00:12 2004
From: selinux at gmail.com (Tom London)
Date: Fri, 24 Dec 2004 12:00:12 -0800
Subject: adds for latest policy...cups.te, udev.te?
Message-ID: <4c4ba153041224120017763d5a@mail.gmail.com>

Running strict/enforcing, latest rawhide.

Rebooting after updating to latest policy (selinux-policy-strict-1.19.15-7), noticed the following AVCs:

Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket

and

Dec 24 11:50:52 fedora kernel: audit(1103917852.996:0): avc: denied { connect } for pid=3070 exe=/usr/bin/lpoptions scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket

Adding the following seems to fix it:

allow cupsd_config_t self:tcp_socket connect;

Also:

Dec 24 11:47:51 fedora kernel: IPv6 over IPv4 tunneling driver
Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: audit(1103888840.736:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: audit(1103888840.737:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 3 times
Dec 24 11:47:51 fedora kernel: audit(1103888840.738:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 4 times
Dec 24 11:47:51 fedora kernel: ACPI: Power Button (FF) [PWRF]

The following change seems to fix:

allow udev_t mnt_t:dir search;

to

allow udev_t mnt_t:dir r_dir_perms;

But I'm not sure why pam_console_apply wants to read /mnt.  Should this be a dontaudit?

tom
-- 
Tom London

From russell at coker.com.au Sat Dec 25 01:31:40 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 25 Dec 2004 12:31:40 +1100
Subject: adds for latest policy...cups.te, udev.te?
In-Reply-To: <4c4ba153041224120017763d5a@mail.gmail.com>
References: <4c4ba153041224120017763d5a@mail.gmail.com>
Message-ID: <200412251231.44388.russell@coker.com.au>

On Saturday 25 December 2004 07:00, Tom London wrote:
> Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied
> { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin
> scontext=system_u:system_r:cupsd_config_t
> tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket

can_network_server_tcp(cupsd_config_t)
It looks like we need to change the above to the below:
can_network_tcp(cupsd_config_t)

Also I suggest the change in the attached file net.diff to remove redundancy in the policy.conf file.

> Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied
> { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2
> ino=1114113 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:mnt_t tclass=dir

The attached patch udev.diff (which I sent to the SE Linux mailing list at about the same time as your message was posted) should fix this.

> The following change seems to fix:
> allow udev_t mnt_t:dir search;
> to
> allow udev_t mnt_t:dir r_dir_perms;
> But I'm not sure why pam_console_apply wants
> to read /mnt.  Should this be a dontaudit?

We could have done that.  But I think that pam_console_apply should run in domain pam_console_t when launched by udev.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From selinux at gmail.com Sat Dec 25 01:56:15 2004
From: selinux at gmail.com (Tom London)
Date: Fri, 24 Dec 2004 17:56:15 -0800
Subject: adds for latest policy...cups.te, udev.te?
In-Reply-To: <200412251231.44388.russell@coker.com.au>
References: <4c4ba153041224120017763d5a@mail.gmail.com> <200412251231.44388.russell@coker.com.au>
Message-ID: <4c4ba15304122417561d8310e7@mail.gmail.com>

On Sat, 25 Dec 2004 12:31:40 +1100, Russell Coker wrote:
> On Saturday 25 December 2004 07:00, Tom London wrote:
>
> can_network_server_tcp(cupsd_config_t)
> It looks like we need to change the above to the below:
> can_network_tcp(cupsd_config_t)
>
> Also I suggest the change in the attached file net.diff to remove redundancy
> in the policy.conf file.
>
> The attached patch udev.diff (which I sent to the SE Linux mailing list at
> about the same time as your message was posted) should fix this.
>
> We could have done that.  But I think that pam_console_apply should run in
> domain pam_console_t when launched by udev.
>
> --

Russell,

Thanks.  These work.

tom
-- 
Tom London

From ejprinz at austin.rr.com Sun Dec 26 01:18:41 2004
From: ejprinz at austin.rr.com (Erwin J. Prinz)
Date: Sat, 25 Dec 2004 19:18:41 -0600
Subject: FC3 " avc: denied" issue
Message-ID: <41CE1171.5030404@austin.rr.com>

I have a fully upgraded (as of today) FC3 system on which I always could install the NVIDIA drivers.  But, to get a successful install after the last upgrade (today) (which included selinux-policy-targeted.noarch 1.17.30-2.58) I now have to "setenforce 0" before installing the NVIDIA drivers.  Otherwise, the install fails due to several access denied issues, e.g.:

Dec 25 18:51:34 tiger kernel: audit(1104022294.445:0): avc: denied { write } for pid=3956 exe=/sbin/ldconfig path=/var/log/nvidia-installer.log dev=hda6 ino=517383 scontext=root:system_r:ldconfig_t tcontext=system_u:object_r:var_log_t tclass=file
Dec 25 18:51:34 tiger kernel: audit(1104022294.801:0): avc: denied { read } for pid=3956 exe=/sbin/ldconfig name=libXvMCNVIDIA.so.1.0.6629 dev=hda4 ino=194830 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Dec 25 18:51:35 tiger kernel: audit(1104022295.012:0): avc: denied { getattr } for pid=3956 exe=/sbin/ldconfig path=/usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 dev=hda4 ino=194830 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Dec 25 18:51:38 tiger kernel: audit(1104022298.997:0): avc: denied { getattr } for pid=3956 exe=/sbin/ldconfig path=/usr/lib/libGL.so.1.0.6629 dev=hda4 ino=521611 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file

The initial context of root is "root:system_r:unconfined_t" and I can't change to "root:sysadm_r:sysadm_t".  I did a "fixfiles relabel" and reboot without changing the outcome.

I don't think the issue is with the NVIDIA drivers as they worked on FC3 before, and as "setenforce 0" "fixes" the issue.

I would appreciate pointers to what could be wrong.

Best regards,
Erwin

From russell at coker.com.au Mon Dec 27 10:42:03 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 27 Dec 2004 21:42:03 +1100
Subject: FC3 " avc: denied" issue
In-Reply-To: <41CE1171.5030404@austin.rr.com>
References: <41CE1171.5030404@austin.rr.com>
Message-ID: <200412272142.06733.russell@coker.com.au>

On Sunday 26 December 2004 12:18, "Erwin J. Prinz" wrote:
> Dec 25 18:51:34 tiger kernel: audit(1104022294.445:0): avc: denied {
> write } for pid=3956 exe=/sbin/ldconfig
> path=/var/log/nvidia-installer.log dev=hda6 ino=517383
> scontext=root:system_r:ldconfig_t tcontext=system_u:object_r:var_log_t
> tclass=file

Looks like the command is "ldconfig >> /var/log/nvidia-installer.log", this is no problem, ldconfig generally doesn't give any interesting output.

> Dec 25 18:51:35 tiger kernel: audit(1104022295.012:0): avc: denied {
> getattr } for pid=3956 exe=/sbin/ldconfig
> path=/usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 dev=hda4 ino=194830
> scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file

The file contexts seem OK for that.  I guess that you installed it from a .tar file not an rpm package and didn't use restorecon to fix its label.

> Dec 25 18:51:38 tiger kernel: audit(1104022298.997:0): avc: denied {
> getattr } for pid=3956 exe=/sbin/ldconfig
> path=/usr/lib/libGL.so.1.0.6629 dev=hda4 ino=521611
> scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t
> tclass=file

Report a bug to whoever provided the collection of files that their install script should do the following:
restorecon /usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629
restorecon /usr/lib/libGL.so.1.0.6629

> I don't think the issue is with the NVIDIA drivers as they worked on FC3
> before, and as "setenforce 0" "fixes" the issue.

FC3 has SE Linux enabled by default.  Anything that is designed for FC3 has to be designed to work with SE Linux.  It seems that the NVIDIA driver archive is not designed to do so.  It would be much easier if they just provided a RPM.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From Valdis.Kletnieks at vt.edu Mon Dec 27 11:14:55 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 27 Dec 2004 06:14:55 -0500
Subject: FC3 " avc: denied" issue
In-Reply-To: Your message of "Mon, 27 Dec 2004 21:42:03 +1100." <200412272142.06733.russell@coker.com.au>
References: <41CE1171.5030404@austin.rr.com> <200412272142.06733.russell@coker.com.au>
Message-ID: <200412271114.iBRBEuYW005403@turing-police.cc.vt.edu>

On Mon, 27 Dec 2004 21:42:03 +1100, Russell Coker said:

> Report a bug to whoever provided the collection of files that their install
> script should do the following:
> restorecon /usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629
> restorecon /usr/lib/libGL.so.1.0.6629

also you may need this:

restorecon /dev/nvidia*

(this one is already in the Fedora .fc files, but you may have mislabeled versions until you relabel them...)

> FC3 has SE Linux enabled by default.  Anything that is designed for FC3 has to
> be designed to work with SE Linux.  It seems that the NVIDIA driver archive
> is not designed to do so.  It would be much easier if they just provided a
> RPM.

The problem is that they didn't drink the "All Linux is RedHat RPM-based" kool-aid.  They're additionally hobbled by the fact that they have a userspace component (where the .so's came from) and a kernel module - and if either userspace and module, or module and kernel, get out of sync, things Fail Very Badly.

Currently, they ship *one* release that will work out-of-the-box for literally 134 or so different distro/release/kernel combos.  For *JUST* the Fedora releases, they have:

fedora1boot_2.4.22-1.2115.nptl_i386
fedora1boot_2.4.22-1.2188.nptl_i386
fedora1smp_2.4.22-1.2115.nptl_athlon
fedora1smp_2.4.22-1.2115.nptl_i686
fedora1smp_2.4.22-1.2188.nptl_athlon
fedora1smp_2.4.22-1.2188.nptl_i686
fedora1up_2.4.22-1.2115.nptl_athlon
fedora1up_2.4.22-1.2115.nptl_i586
fedora1up_2.4.22-1.2115.nptl_i686
fedora1up_2.4.22-1.2188.nptl_athlon
fedora1up_2.4.22-1.2188.nptl_i586
fedora1up_2.4.22-1.2188.nptl_i686
fedora2smp_2.6.5-1.358_i586
fedora2smp_2.6.5-1.358_i686
fedora2smp_2.6.8-1.521_i586
fedora2smp_2.6.8-1.521_i686
fedora2up_2.6.5-1.358_i586
fedora2up_2.6.5-1.358_i686
fedora2up_2.6.8-1.521_i586
fedora2up_2.6.8-1.521_i686

There's also RH 7.2->9.0 and RHEL 3.0 and Mandrake 8.1->10 and Suse prebuilts.

Currently, *any* of those users can get *the same package*, run the installer, and things Just Work.  Otherwise, they get the support problem of shipping 134 different RPM's (which is not THAT bad, really), and making sure the people actually download the *RIGHT* one (can you say "help desk nightmare"?)

In fact, once upon a time, they *did* ship RPMs.  And the support issues were why they went to shipping an installer instead...

From russell at coker.com.au Mon Dec 27 12:12:42 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 27 Dec 2004 23:12:42 +1100
Subject: FC3 " avc: denied" issue
In-Reply-To: <200412271114.iBRBEuYW005403@turing-police.cc.vt.edu>
References: <41CE1171.5030404@austin.rr.com> <200412272142.06733.russell@coker.com.au> <200412271114.iBRBEuYW005403@turing-police.cc.vt.edu>
Message-ID: <200412272312.45938.russell@coker.com.au>

On Monday 27 December 2004 22:14, Valdis.Kletnieks at vt.edu wrote:
> > FC3 has SE Linux enabled by default.  Anything that is designed for FC3
> > has to be designed to work with SE Linux.  It seems that the NVIDIA
> > driver archive is not designed to do so.  It would be much easier if they
> > just provided a RPM.
>
> The problem is that they didn't drink the "All Linux is RedHat RPM-based"
> kool-aid.

Do you think that I have drunk such kool-aid?  I was a Debian developer for many years before joining Red Hat.

> They're additionally hobbled by the fact that they have a userspace
> component (where the .so's came from) and a kernel module - and if either
> userspace and module, or module and kernel, get out of sync, things Fail
> Very Badly.

They designed it badly.  Keeping interfaces synchronised isn't that difficult, all the code that gets into the main-line kernel keeps the interfaces the same for long periods of time.  Interface changes have version numbers and applications can (if necessary) support both interfaces.

From what you are telling me the first thing that they need to do is to design an interface between user-space and the kernel code.

> Currently, they ship *one* release that will work out-of-the-box for
> literally 134 or so different distro/release/kernel combos.  For *JUST* the
> Fedora releases, they have:
>
> There's also RH 7.2->9.0 and RHEL 3.0 and Mandrake 8.1->10 and Suse
> prebuilts.

If they are producing multiple packages for each distribution then they must have the builds automated.  It should be quite easy to make an automatic build script that builds RPMs, Debian packages, and any other types of package that seem necessary.

> Currently, *any* of those users can get *the same package*, run the
> installer, and things Just Work.  Otherwise, they get the support problem
> of shipping 134 different RPM's (which is not THAT bad, really), and making
> sure the people actually download the *RIGHT* one (can you say "help desk
> nightmare"?)

If the interface between kernel and user-space doesn't change then all they need to do is have one RPM for the shared objects and a set of RPMs that install .ko's in the correct places for each kernel.  You would just have to make sure that every time you upgrade your kernel you install the matching drivers.  If you didn't install the drivers then the symptom would be a lack of 3D graphics which would be easy to fix.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Mon Dec 27 14:00:15 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 28 Dec 2004 01:00:15 +1100
Subject: initrc, md0, mapper
In-Reply-To: <4c4ba15304120308345888bb62@mail.gmail.com>
References: <4c4ba15304120308345888bb62@mail.gmail.com>
Message-ID: <200412280100.20007.russell@coker.com.au>

On Saturday 04 December 2004 03:34, Tom London wrote:
> Running strict/enforcing, latest rawhide
> (selinux-policy-strict-1.19.10-1)
>
> Booting produces following avc:

It seems that you never got a reply to this one.

> Dec 3 08:23:45 fedora kernel: audit(1102090997.316:0): avc: denied
> { create } for pid=1348 exe=/sbin/nash name=md0
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=blk_file Dec 3 08:23:45
> fedora kernel: device-mapper: 4.1.0-ioctl (2003-12-10) initialised:
> dm at uk.sistina.com

This is something that still needs a good solution.  We don't want initrc_t to be able to do such things in the strict policy, so udev seems to be the best way of doing it.  Maybe getting it added to /sbin/start_udev would be the best solution?  start_udev already creates a bunch of other device nodes that are too inconvenient to do in other ways.

Of course due to the usual shell script issues udev_t isn't safe from initrc_t.  But it's a start at isolating it, we can improve later.

> Dec 3 08:23:45 fedora kernel: audit(1102090997.383:0): avc: denied
> { create } for pid=1354 exe=/sbin/nash name=mapper
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=dir

That one should have been fixed quite some time ago, before your message was posted.  Either you hadn't updated to all the latest packages or there is a corner case we missed.  In either case let me know if it still happens with the latest rawhide.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Mon Dec 27 14:10:31 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 28 Dec 2004 01:10:31 +1100
Subject: initrc/ptal ...
In-Reply-To: <4c4ba1530412020855782e8505@mail.gmail.com>
References: <4c4ba1530412020855782e8505@mail.gmail.com>
Message-ID: <200412280110.34395.russell@coker.com.au>

On Friday 03 December 2004 03:55, Tom London wrote:
> Running strict/enforcing off of latest Rawhide:
>
> initrc runs hpoj which runs /usr/sbin/ptal-init
> which produces the following avc's.
>
> [I tried changing the type of /usr/sbin/ptal-init
> to ptal_exec_t, but that didn't work ;-( ]

How did it not work?

> Dec 2 06:45:39 fedora kernel: audit(1101998713.227:0): avc: denied
> { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series
> dev=hda2 ino=38214 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Mon Dec 27 14:55:37 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 28 Dec 2004 01:55:37 +1100
Subject: Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail...
In-Reply-To: <200412080203.iB823Mhd023488@turing-police.cc.vt.edu>
References: <200412032012.iB3KCjaT030175@turing-police.cc.vt.edu> <200412071650.iB7GoSQs014629@turing-police.cc.vt.edu> <200412080203.iB823Mhd023488@turing-police.cc.vt.edu>
Message-ID: <200412280155.40742.russell@coker.com.au>

On Wednesday 08 December 2004 13:03, Valdis.Kletnieks at vt.edu wrote:
> On Tue, 07 Dec 2004 11:50:27 EST, Valdis.Kletnieks at vt.edu said:
> > I'm wondering if it would make more sense to push a patch upstream to the
> > kernel-utils crew.  Reading the smartd manpage in more detail, it looks
> > like feeding it a '-M exec /usr/sbin/sendmail' (or building with that as
> > the default) would let us only have to add sendmail_exec_t rather than
> > all those.
>
> Or that *would* work, if the smartd code didn't use popen() to actually run
> it, giving us a gratuitous '/bin/sh -c'.  Looks like some fairly hefty
> reworking to make it do the whole pipe()/fork()/exec() thing itself.

In spite of what Colin says I think it would be good to get such a change in smartd.  There are other benefits too.

Imagine that we get a bad sector on the part of disk that contains /bin/bash or one of the many shared objects it uses.  Bummer if this causes smartd not to do anything and this delay in notification causes the administrator to lose other data as the hard disk slowly dies.

Another issue is that hard disk errors are probably more likely than average in times of high disk load.  Anything that you can do to reduce the disk use in performing an operation at such times will give a faster result.  NB Linux tends to give very long delays on file read or process execute if there is a large write queue.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Mon Dec 27 15:15:30 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 28 Dec 2004 02:15:30 +1100
Subject: ldconfig and var?
In-Reply-To: <4c4ba15304122307414f069fdf@mail.gmail.com>
References: <4c4ba15304122307414f069fdf@mail.gmail.com>
Message-ID: <200412280215.33224.russell@coker.com.au>

On Friday 24 December 2004 02:41, Tom London wrote:
> Updating: guile 100 % done 2/39
> /sbin/ldconfig: relative path `2' used to build cache
> error: %post(guile-1.6.4-16.i386) scriptlet failed, exit status 1
> Updating: inews 100 % done 3/39
>
> Log shows the following AVC:
>
> Dec 23 07:34:52 fedora kernel: audit(1103816092.011:0): avc: denied
> { search } for pid=8079 exe=/sbin/ldconfig name=var dev=hda2
> ino=4456449 scontext=root:sysadm_r:ldconfig_t
> tcontext=system_u:object_r:var_t tclass=dir

What is it trying to do under /var?  It seems that the postinst script just calls "ldconfig" with no parameters.  Do you have a reference to /var in /etc/ld.so*?

> For fedora too?  guile rpm broken?

I can't see how guile can be doing anything to cause this.  Unless you have a different version of guile to me (I have 1.6.4-17).

My guess at the moment is that there is something unusual about your system.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From Valdis.Kletnieks at vt.edu Mon Dec 27 15:27:05 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Mon, 27 Dec 2004 10:27:05 -0500 Subject: FC3 " avc: denied" issue In-Reply-To: Your message of "Mon, 27 Dec 2004 23:12:42 +1100." <200412272312.45938.russell@coker.com.au> References: <41CE1171.5030404@austin.rr.com> <200412272142.06733.russell@coker.com.au> <200412271114.iBRBEuYW005403@turing-police.cc.vt.edu> <200412272312.45938.russell@coker.com.au> Message-ID: <200412271527.iBRFR6VP005427@turing-police.cc.vt.edu> On Mon, 27 Dec 2004 23:12:42 +1100, Russell Coker said: > If they are producing multiple packages for each distribution then they must > have the builds automated. It should be quite easy to make an automatic > build script that builds RPMs, Debian packages, and any other types of > package that seem necessary. As I said, that's the easy part. > If the interface between kernel and user-space doesn't change then all they > need to do is have one RPM for the shared objects and a set of RPMs that > install .ko's in the correct places for each kernel. You would just have to > make sure that every time you upgrade your kernel you install the matching > drivers. If you didn't install the drivers then the symptom would be a lack > of 3D graphics which would be easy to fix. The reason why "they" did it the way "they" did, with one installer for everybody, was precisely because all the "you" out there would encounter issues with "install the matching drivers" - what qualifies as "easy to fix" for most readers of this list results in a call to the vendor for Joe Sixpack. (Hell, just the last 48 hours I had a mysterious X.org issue caused by two conflicting NVidia libraries, a crufty one in one directory, a current version in another, and the symptoms depended on what order ldconfig found things in ld.so.conf....)
From russell at coker.com.au Mon Dec 27 15:36:07 2004
From: russell at coker.com.au (Russell Coker) Date: Tue, 28 Dec 2004 02:36:07 +1100 Subject: FC3 " avc: denied" issue In-Reply-To: <200412271527.iBRFR6VP005427@turing-police.cc.vt.edu> References: <41CE1171.5030404@austin.rr.com> <200412272312.45938.russell@coker.com.au> <200412271527.iBRFR6VP005427@turing-police.cc.vt.edu> Message-ID: <200412280236.11361.russell@coker.com.au> On Tuesday 28 December 2004 02:27, Valdis.Kletnieks at vt.edu wrote: > > If the interface between kernel and user-space doesn't change then all > > they need to do is have one RPM for the shared objects and a set of RPMs > > that install .ko's in the correct places for each kernel. You would just > > have to make sure that every time you upgrade your kernel you install the > > matching drivers. If you didn't install the drivers then the symptom > > would be a lack of 3D graphics which would be easy to fix. > > The reason why "they" did it the way "they" did, with one installer for > everybody, was precisely because all the "you" out there would encounter > issues with "install the matching drivers" - what qualifies as "easy to > fix" for most readers of this list results in a call to the vendor for Joe > Sixpack. So what do they do instead? Force a binary-only module to be loaded into a kernel of a version other than the one it was created for? That's a recipe for disaster! I hope that the users of the NVidia drivers don't have any important data on their machines... > (Hell, just the last 48 hours I had a mysterious X.org issue caused by two > conflicting NVidia libraries, a crufty one in one directory, a current > version in another, and the symptoms depended on what order ldconfig found > things in ld.so.conf....) It seems that the NVidia drivers suck in many ways. What's the best option for 3D graphics in Linux nowadays? Not NVidia I guess. 
-- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From Valdis.Kletnieks at vt.edu Mon Dec 27 16:04:45 2004 
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Mon, 27 Dec 2004 11:04:45 -0500 Subject: FC3 " avc: denied" issue In-Reply-To: Your message of "Tue, 28 Dec 2004 02:36:07 +1100." <200412280236.11361.russell@coker.com.au> References: <41CE1171.5030404@austin.rr.com> <200412272312.45938.russell@coker.com.au> <200412271527.iBRFR6VP005427@turing-police.cc.vt.edu> <200412280236.11361.russell@coker.com.au> Message-ID: <200412271604.iBRG4jlw029708@turing-police.cc.vt.edu> On Tue, 28 Dec 2004 02:36:07 +1100, Russell Coker said: > So what do they do instead? Force a binary-only module to be loaded into a > kernel of a version other than the one it was created for? That's a recipe > for disaster! I hope that the users of the NVidia drivers don't have any > important data on their machines... No, what they do is a big binary-only blob, and a little 30K shim for each kernel version (even compiling one from source if it's a kernel it doesn't know but there's a usable source tree to build against). >> (Hell, just the last 48 hours I had a mysterious X.org issue caused by two >> conflicting NVidia libraries, a crufty one in one directory, a current >> version in another, and the symptoms depended on what order ldconfig found >> things in ld.so.conf....) > It seems that the NVidia drivers suck in many ways. No, this one was self-inflicted. :) Merely intended to point out the sort of user screw-ups they need to worry about (what, you don't think some user is going to say 'rpm -Uvh --force' to get the wrong version installed and then call for help? ;) NVidia *is* trying to DTRT thing here - they're hampered by the fact that a lot of their code is licensed from others. 
The most productive thing to do here is to collectively figure out what NVidia's installer needs to do to cooperate with the FC3/4 environment (there are several SELinux gotchas, and it probably needs to leave the right clues for udev - after the latest udev RPM went on my laptop this weekend, my /dev/nvidia* devices didn't show up at next reboot). It looks like the SELinux policy already has all the needed hooks for NVidia, just their installer needs to make sure it nails *all* the right 'restorecon' commands (at least for SELinux issues). From walters at redhat.com Mon Dec 27 16:32:41 2004 From: walters at redhat.com (Colin Walters) Date: Mon, 27 Dec 2004 11:32:41 -0500 Subject: FC3 " avc: denied" issue In-Reply-To: <200412272142.06733.russell@coker.com.au> References: <41CE1171.5030404@austin.rr.com> <200412272142.06733.russell@coker.com.au> Message-ID: <1104165161.3234.7.camel@nexus.verbum.private> On Mon, 2004-12-27 at 21:42 +1100, Russell Coker wrote: > Report a bug to whoever provided the collection of files that their install > script should do the following: > restorecon /usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 > restorecon /usr/lib/libGL.so.1.0.6629 Dan recently worked on a patch for coreutils to make the 'install' command do this internally. I don't think we can ask every ISV to insert restorecon commands at arbitrary points in their code. Saying however that they must use the 'install' command (or RPM) to install software is a much more defensible position, IMO. From Valdis.Kletnieks at vt.edu Mon Dec 27 16:44:10 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Mon, 27 Dec 2004 11:44:10 -0500 Subject: FC3 " avc: denied" issue In-Reply-To: Your message of "Mon, 27 Dec 2004 11:32:41 EST." <1104165161.3234.7.camel@nexus.verbum.private> References: <41CE1171.5030404@austin.rr.com> <200412272142.06733.russell@coker.com.au> <1104165161.3234.7.camel@nexus.verbum.private> Message-ID: <200412271644.iBRGiA1a027240@turing-police.cc.vt.edu> On Mon, 27 Dec 2004 11:32:41 EST, Colin Walters said: > Dan recently worked on a patch for coreutils to make the 'install' > command do this internally. I don't think we can ask every ISV to > insert restorecon commands at arbitrary points in their code. Saying > however that they must use the 'install' command (or RPM) to install > software is a much more defensible position, IMO. Any opinions on how they should integrate their current 'mknod' commands, which currently need a restorecon? Should mknod handle it, or is that part still NVidia's problem? (I suppose it would be OK to push *that* one back at the software - many packages install dozens or even hundreds of regular files, but rarely use mknod (even the NVidia one has some 35 files and only 7 mknod's).) From russell at coker.com.au Mon Dec 27 16:47:26 2004
From: russell at coker.com.au (Russell Coker) Date: Tue, 28 Dec 2004 03:47:26 +1100 Subject: FC3 " avc: denied" issue In-Reply-To: <1104165161.3234.7.camel@nexus.verbum.private> References: <41CE1171.5030404@austin.rr.com> <200412272142.06733.russell@coker.com.au> <1104165161.3234.7.camel@nexus.verbum.private> Message-ID: <200412280347.29269.russell@coker.com.au> On Tuesday 28 December 2004 03:32, Colin Walters wrote: > On Mon, 2004-12-27 at 21:42 +1100, Russell Coker wrote: > > Report a bug to whoever provided the collection of files that their > > install script should do the following: > > restorecon /usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 > > restorecon /usr/lib/libGL.so.1.0.6629 > > Dan recently worked on a patch for coreutils to make the 'install' > command do this internally. I don't think we can ask every ISV to > insert restorecon commands at arbitrary points in their code. Saying > however that they must use the 'install' command (or RPM) to install > software is a much more defensible position, IMO. Valdis just said that they have specific builds for different distributions and different versions of the various distributions. As they already have such a variation, adding another simple thing such as restorecon is not asking a lot (IMHO). Also if they would just use RPMs to deliver their software then many of these issues would get solved for them. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From walters at redhat.com Mon Dec 27 16:59:56 2004 
From: walters at redhat.com (Colin Walters) Date: Mon, 27 Dec 2004 11:59:56 -0500 Subject: FC3 " avc: denied" issue In-Reply-To: <200412271644.iBRGiA1a027240@turing-police.cc.vt.edu> References: <41CE1171.5030404@austin.rr.com> <200412272142.06733.russell@coker.com.au> <1104165161.3234.7.camel@nexus.verbum.private> <200412271644.iBRGiA1a027240@turing-police.cc.vt.edu> Message-ID: <1104166796.3234.23.camel@nexus.verbum.private> On Mon, 2004-12-27 at 11:44 -0500, Valdis.Kletnieks at vt.edu wrote: > On Mon, 27 Dec 2004 11:32:41 EST, Colin Walters said: > > > Dan recently worked on a patch for coreutils to make the 'install' > > command do this internally. I don't think we can ask every ISV to > > insert restorecon commands at arbitrary points in their code. Saying > > however that they must use the 'install' command (or RPM) to install > > software is a much more defensible position, IMO. > > Any opinions on how they should integrate their current 'mknod' commands, > which currently need a restorecon? Should mknod handle it, or is that > part still NVidia's problem? (I suppose it would be OK to push *that* > one back at the sofware - many packages install dozens or even hundreds > of regular files, but rarely use mknod (even the NVidia one has some 35 > files and only 7 mknod's) Yeah; I think anything that calls mknod is a special case, since it is very low-level and inherently Linux-specific. Asking those ISVs to suffix mknod invocations with something like: test -x /sbin/restorecon && /sbin/restorecon /dev/nvidia isn't too onerous. At least until we have some sort of API for these vendors to add device files. (Although it's unclear to me why they need to create device files at all; shouldn't udev be creating it dynamically when their kernel module is inserted?) But the larger issue here of breaking the general './configure;make;make install' is very bad; I hope Dan's patch will fix this. From walters at redhat.com Mon Dec 27 17:14:22 2004 
From: walters at redhat.com (Colin Walters) Date: Mon, 27 Dec 2004 12:14:22 -0500 Subject: FC3 " avc: denied" issue In-Reply-To: <200412280347.29269.russell@coker.com.au> References: <41CE1171.5030404@austin.rr.com> <200412272142.06733.russell@coker.com.au> <1104165161.3234.7.camel@nexus.verbum.private> <200412280347.29269.russell@coker.com.au> Message-ID: <1104167662.3234.36.camel@nexus.verbum.private> On Tue, 2004-12-28 at 03:47 +1100, Russell Coker wrote: > Valdis just said that they have specific builds for different distributions > and different versions of the various distributions. As they already have > such a variation, adding another simple thing such as restorecon is not > asking a lot (IMHO). If you just view this in the specific context of NVidia, sure, we could probably browbeat them into adding a bit more goo to their code. But the larger issue here is keeping 'make install' working for the vast majority of software out there (the ones that don't create device files, etc). I see tons of reports in Bugzilla from people confused as to why this breaks on Fedora, and for good reason. You need to think of our existing software infrastructure, from filesystem paths like "/usr/local/lib" to tools like "install" and "ldconfig" as an API. We've told ISVs (and I'm not just talking about proprietary software here; an ISV could also be software like a Xine tarball) that they can integrate with our system by using 'install' to a few filesystem paths, and running the magic command 'ldconfig'. If we all of a sudden tell them that they have to run some additional magic command, we are breaking that API. And that's wrong, *especially* in this case because the breakage is mostly needless; I think Dan's patch for "install" should cover the vast majority of cases. 
Breaking this API is wrong because not only will it lead to a higher support burden for us (and if you watch Bugzilla, it clearly *has* led to that), it will also lead to people recommending to turn off SELinux. From russell at coker.com.au Mon Dec 27 18:46:06 2004 From: russell at coker.com.au (Russell Coker) Date: Tue, 28 Dec 2004 05:46:06 +1100 Subject: FC3 " avc: denied" issue In-Reply-To: <1104167662.3234.36.camel@nexus.verbum.private> References: <41CE1171.5030404@austin.rr.com> <200412280347.29269.russell@coker.com.au> <1104167662.3234.36.camel@nexus.verbum.private> Message-ID: <200412280546.09625.russell@coker.com.au> On Tuesday 28 December 2004 04:14, Colin Walters wrote: > On Tue, 2004-12-28 at 03:47 +1100, Russell Coker wrote: > > Valdis just said that they have specific builds for different > > distributions and different versions of the various distributions. As > > they already have such a variation, adding another simple thing such as > > restorecon is not asking a lot (IMHO). > > If you just view this in the specific context of NVidia, sure, we could > probably browbeat them into adding a bit more goo to their code. They certainly need to add more "goo". The issue of udev that was mentioned is another thing that they need to fix. > But the larger issue here is keeping 'make install' working for the vast I agree that adding such support to install is a good thing. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From selinux at gmail.com Mon Dec 27 20:51:18 2004
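What "make install do this internally" and "suffix mknod with restorecon" amount to in the thread above, as an added example that is neither Dan's coreutils patch nor libselinux code: a minimal file_contexts matcher plus the xattr write that setfilecon() performs. The table it matches against is constructed for this example; the lib_t, shlib_t and device_t lines follow the shape of the FC3 entries, and the nvidia_device_t type name is an assumption made here, not a type from the policy.

```c
/* Added example, not Dan Walsh's coreutils patch and not libselinux: the
 * core of what restorecon, and an `install` that relabels as it copies,
 * have to do. It parses file_contexts lines of the form
 *     <path regex> [<file type flag>] <security context>
 * and returns the context of the LAST entry whose regex and type flag
 * match (the matchpathcon rule of the time, so a later, more specific
 * entry overrides an earlier catch-all). relabel_path() then applies it
 * through the security.selinux xattr, which is what setfilecon() does. */
#define _GNU_SOURCE
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>

struct spec { regex_t re; mode_t type; char ctx[96]; };

/* Map the optional file-type flag to an S_IF* mode; 0 means "any type". */
static mode_t flag_to_mode(const char *f)
{
    if (!strcmp(f, "--")) return S_IFREG;
    if (!strcmp(f, "-d")) return S_IFDIR;
    if (!strcmp(f, "-c")) return S_IFCHR;
    if (!strcmp(f, "-b")) return S_IFBLK;
    if (!strcmp(f, "-s")) return S_IFSOCK;
    if (!strcmp(f, "-p")) return S_IFIFO;
    if (!strcmp(f, "-l")) return S_IFLNK;
    return 0;
}

/* Parse file_contexts text into specs[]; returns the number loaded. */
int load_specs(const char *text, struct spec *specs, int max)
{
    char *copy = strdup(text), *save = NULL, *line;
    int n = 0;
    for (line = strtok_r(copy, "\n", &save); line && n < max;
         line = strtok_r(NULL, "\n", &save)) {
        char re[200], f1[96], f2[96], anchored[204];
        int k = sscanf(line, "%199s %95s %95s", re, f1, f2);
        if (k < 2 || re[0] == '#') continue;               /* blank or comment */
        struct spec *s = &specs[n];
        s->type = (k == 3) ? flag_to_mode(f1) : 0;
        snprintf(s->ctx, sizeof s->ctx, "%s", k == 3 ? f2 : f1);
        snprintf(anchored, sizeof anchored, "^%s$", re);    /* whole path must match */
        if (regcomp(&s->re, anchored, REG_EXTENDED | REG_NOSUB) == 0) n++;
    }
    free(copy);
    return n;
}

/* Context for `path` whose type is the S_IFMT part of `mode`; NULL when no
 * entry applies or the winning entry says <<none>>. Last match wins. */
const char *match_context(const struct spec *specs, int n, const char *path, mode_t mode)
{
    const char *best = NULL;
    for (int i = 0; i < n; i++) {
        if (specs[i].type && specs[i].type != (mode & S_IFMT)) continue;
        if (regexec(&specs[i].re, path, 0, NULL, 0) == 0) best = specs[i].ctx;
    }
    return (best && strcmp(best, "<<none>>") == 0) ? NULL : best;
}

/* The step a context-aware install, or a mknod wrapper, performs right after
 * creating the object. On a filesystem without SELinux labels lsetxattr
 * fails with ENOTSUP, which a caller may treat the way restorecon does. */
int relabel_path(const struct spec *specs, int n, const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0) return -1;
    const char *ctx = match_context(specs, n, path, st.st_mode);
    if (!ctx) return 0;
    return lsetxattr(path, "security.selinux", ctx, strlen(ctx) + 1, 0);
}

/* Constructed sample in file_contexts syntax (nvidia_device_t is assumed). */
static const char SAMPLE_FC[] =
    "# catch-all entries first, specific entries later\n"
    "/usr/lib(/.*)?                          system_u:object_r:lib_t\n"
    "/usr/lib/.*\\.so(\\.[^/]*)*         --  system_u:object_r:shlib_t\n"
    "/usr/X11R6/lib/.*\\.so(\\.[^/]*)*   --  system_u:object_r:shlib_t\n"
    "/dev/.*                                 system_u:object_r:device_t\n"
    "/dev/nvidia.*                       -c  system_u:object_r:nvidia_device_t\n";

/* Lookup against the sample table, loaded on first use. */
const char *lookup(const char *path, mode_t mode)
{
    static struct spec specs[32];
    static int n = -1;
    if (n < 0) n = load_specs(SAMPLE_FC, specs, 32);
    return match_context(specs, n, path, mode);
}

int main(void)
{
    printf("%s\n", lookup("/usr/lib/libGL.so.1.0.6629", S_IFREG));   /* shlib_t */
    printf("%s\n", lookup("/dev/nvidia0", S_IFCHR));                  /* nvidia_device_t */
    return 0;
}
```

The lookups show the two things a relabel step gets right that a plain copy or mknod does not: the later, more specific entry wins (libGL.so.1.0.6629 becomes shlib_t rather than lib_t), and the file-type flag matters (the same path as a symlink stays lib_t, and /dev/nvidia0 gets the device-specific type only when it really is a character device). A node created by mknod keeps whatever label the kernel assigned at creation until something like relabel_path() runs over it, which is the restorecon step Valdis asks about.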
From: selinux at gmail.com (Tom London) Date: Mon, 27 Dec 2004 12:51:18 -0800 Subject: initrc/ptal ... In-Reply-To: <200412280110.34395.russell@coker.com.au> References: <4c4ba1530412020855782e8505@mail.gmail.com> <200412280110.34395.russell@coker.com.au> Message-ID: <4c4ba15304122712512b8d2da2@mail.gmail.com> On Tue, 28 Dec 2004 01:10:31 +1100, Russell Coker wrote: > On Friday 03 December 2004 03:55, Tom London wrote: > > Running strict/enforcing off of latest Rawhide: > > > > initrc runs hpoj which runs /usr/sbin/ptal-init > > which produces the following avc's. > > > > [I tried changing the type of /usr/sbin/ptal-init > > to ptal_exec_t, but that didn't work ;-( ] > > How did it not work? > > > Dec 2 06:45:39 fedora kernel: audit(1101998713.227:0): avc: denied > > { unlink } for pid=1414 exe=/bin/rm name=mlc_usb_PSC_900_Series > > dev=hda2 ino=38214 scontext=system_u:system_r:initrc_t > > tcontext=system_u:object_r:ptal_var_run_t tclass=fifo_file > > -- > http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages > http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark > http://www.coker.com.au/postal/ Postal SMTP/POP benchmark > http://www.coker.com.au/~russell/ My home page > Russell, If I remember correctly, this caused many more AVCs for other things..... The current policy has this working correctly. tom -- Tom London From selinux at gmail.com Mon Dec 27 20:54:42 2004 
From: selinux at gmail.com (Tom London) Date: Mon, 27 Dec 2004 12:54:42 -0800 Subject: initrc, md0, mapper In-Reply-To: <200412280100.20007.russell@coker.com.au> References: <4c4ba15304120308345888bb62@mail.gmail.com> <200412280100.20007.russell@coker.com.au> Message-ID: <4c4ba1530412271254104b3f01@mail.gmail.com> On Tue, 28 Dec 2004 01:00:15 +1100, Russell Coker wrote: > On Saturday 04 December 2004 03:34, Tom London wrote: > > Booting produces following avc: > > It seems that you never got a reply to this one. > > > Dec 3 08:23:45 fedora kernel: audit(1102090997.316:0): avc: denied > > { create } for pid=1348 exe=/sbin/nash name=md0 > > scontext=system_u:system_r:initrc_t > > tcontext=system_u:object_r:device_t tclass=blk_file Dec 3 08:23:45 > > fedora kernel: device-mapper: 4.1.0-ioctl (2003-12-10) initialised: > > dm at uk.sistina.com > > This is something that still needs a good solution. We don't want initrc_t to > be able to do such things in the strict policy, so udev seems to be the best > way of doing it. Maybe getting it added to /sbin/start_udev would be the > best solution? start_udev already creates a bunch of other device nodes that > are too inconvenient to do in other ways. > > Of course due to the usual shell script issues udev_t isn't safe from > initrc_t. But it's a start at isolating it, we can improve later. > > > Dec 3 08:23:45 fedora kernel: audit(1102090997.383:0): avc: denied > > { create } for pid=1354 exe=/sbin/nash name=mapper > > scontext=system_u:system_r:initrc_t > > tcontext=system_u:object_r:device_t tclass=dir > > That one should have been fixed quite some time ago, before your message was > posted. Either you hadn't updated to all the latest packages or there is a > corner case we missed. In either case let me know if it still happens with > the latest rawhide. > > -- Russell, This one also has been fixed. Don't remember exactly when.... tom -- Tom London From selinux at gmail.com Mon Dec 27 20:57:30 2004 
From: selinux at gmail.com (Tom London) Date: Mon, 27 Dec 2004 12:57:30 -0800 Subject: ldconfig and var? In-Reply-To: <200412280215.33224.russell@coker.com.au> References: <4c4ba15304122307414f069fdf@mail.gmail.com> <200412280215.33224.russell@coker.com.au> Message-ID: <4c4ba1530412271257e2d7d75@mail.gmail.com> On Tue, 28 Dec 2004 02:15:30 +1100, Russell Coker wrote: > On Friday 24 December 2004 02:41, Tom London wrote: > > I can't see how guile can be doing anything to cause this. Unless you have a > different version of guile to me (I have 1.6.4-17). My guess at the moment > is that there is something unusual about your system. > Russell, This seemed to be a problem with the earlier package, guile-1.6.4-16. Got fixed the next day or so with -17, I think.... tom -- Tom London From russell at coker.com.au Tue Dec 28 07:37:43 2004
From: russell at coker.com.au (Russell Coker) Date: Tue, 28 Dec 2004 18:37:43 +1100 Subject: xfs file system w/ selinux? In-Reply-To: <1097351624.17163.4.camel@CirithUngol> References: <1097351624.17163.4.camel@CirithUngol> Message-ID: <200412281837.47169.russell@coker.com.au> On Sunday 10 October 2004 05:53, Andrew Farris wrote: > On Sat, 2004-10-09 at 12:37 -0500, Justin Conover wrote: > > How does Fedora handle the size, does it use 256 or 512 be default? > > If its 256, shouldn't they change this? > > It uses the default 256. I have several filesystems I built with 256 > inode size, but I have had no problems running selinux with it.. > presumably I do have wasted space and performance decreases but it is > not noticeable in normal use. That depends on your situation. I first heard of the issue when someone reported on IRC that they tried installing SE Linux on an XFS system and it used up all their free disk space and made their system virtually unusable as a result. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120622 Above is a bug report I filed requesting that 512 bytes be the default. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From selinux at gmail.com Tue Dec 28 16:21:32 2004 
From: selinux at gmail.com (Tom London) Date: Tue, 28 Dec 2004 08:21:32 -0800 Subject: firefox and timidity... Message-ID: <4c4ba15304122808216824f4bf@mail.gmail.com> Running strict/enforcing, latest Rawhide. If I click on, say, a pdf URL in firefox, I get the following AVC: Dec 28 08:11:05 fedora kernel: audit(1104250265.322:0): avc: denied { getattr } for pid=3067 exe=/usr/lib/firefox-1.0/firefox-bin path=/usr/bin/timidity dev=hda2 ino=427077 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:timidity_exec_t tclass=file implying that user_mozilla needs allow user_mozilla_t timidity_exec_t:file getattr; If I set permissive mode, I get the same (and only) AVC. Since it doesn't seem to affect anything, my inclination would be to dontaudit user_mozilla_t timidity_exec_t:file getattr; Would this break firefox sounds? Something else? tom -- Tom London From O.Museyko at dp.uz.gov.ua Tue Dec 28 19:43:01 2004
From: O.Museyko at dp.uz.gov.ua (Oleg Museyko) Date: Tue, 28 Dec 2004 21:43:01 +0200 Subject: transition problems Message-ID: <15112846892.20041228214301@dp.uz.gov.ua> Hello, Although innd.te is the usual example of policy, I still can't get it to start right from the init script. (Fedora Core 2, policy-sources-1.11.3-3). The problem is near the 'su', IMHO. Namely, when innd runs from the script as su -s /bin/bash - news -c /etc/rc.news it obtains context user_u:user_r:user_t and no domain_auto_trans together with default_contexts tuning could resolve it, until I added the new user: user news roles system_r; After that the context of innd became user_u:system_r:innd_t (not news:system_r:innd_t, as I hoped, but anyway...) Besides, the same problem in another place turned out to be more persistent: a regular cron job running nntpsend leads to the following (permissive mode): avc: denied { transition } for pid=24801 exe=/bin/su path=/bin/bash dev=sda1 ino=895926 scontext=system_u:system_r:system_crond_su_t tcontext=user_u:sysadm_r:sysadm_t tclass=process avc: denied { siginh } for pid=24801 exe=/bin/bash scontext=system_u:system_r:system_crond_su_t tcontext=user_u:sysadm_r:sysadm_t tclass=process (same for 'rlimitinh' and 'noatsecure'). This is caused by su - news -c "unset LANG; unset LC_COLLATE; /usr/lib/news/bin/nntpsend" I've tried to force the domain_auto_trans to initrc_t etc., and also added corresponding records to default_contexts system_r:system_crond_su_t system_r:initrc_t but without any effect! (And no conflicts with other policy rules, as far as I could see). I'm eager to get any help on this, please. Also, I'd like to ask why some file type transitions don't work on sockets. E.g., when winbindd (runs in smbd_t) creates the socket in a directory of samba_var_t type and clients try to use it, the log file is full of deny { connectto } unix_stream_socket with smbd_t in tcontext. At the same time the /path/to/socket/file has the correct samba_var_t type.
The situation doesn't change if I write file_type_auto_trans(smbd_t, samba_var_t, samba_var_t, sock_file) The unix domain socket still has smbd_t, not samba_var_t, when someone tries to 'connectto'. Same situation with some other sockets of different domains. Is it possible to change this behavior, or does a Unix domain socket always have the type of the creating process? -- Best regards, Oleg From sds at epoch.ncsc.mil Tue Dec 28 19:50:25 2004
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Tue, 28 Dec 2004 14:50:25 -0500 Subject: transition problems In-Reply-To: <15112846892.20041228214301@dp.uz.gov.ua> References: <15112846892.20041228214301@dp.uz.gov.ua> Message-ID: <1104263425.21391.133.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2004-12-28 at 14:43, Oleg Museyko wrote: > Although innd.te is the usual example of policy, i still can't > get it start right from the init-script. The example was likely written up pre-Fedora, and having 'su' change the security context (via pam_selinux) was introduced by Fedora. > (Fedora Core 2, > policy-sources-1.11.3-3). > The problem is near the 'su', IMHO. Namely, when innd runs from > script as > > su -s /bin/bash - news -c /etc/rc.news In FC3, this has been addressed by introducing a separate 'runuser' program, I believe. Using su in this manner isn't a good idea even without SELinux in the picture. > This caused by > su - news -c "unset LANG; unset LC_COLLATE; /usr/lib/news/bin/nntpsend" Likewise, using 'su' in this manner considered harmful. > Also, i'd like to ask the reason of why some file type > transitions doesn't work on sockets. E.g., when > winbindd (runs in smbd_t) creates the socket in the > directory of samba_var_t type and clients try to use it, > the log file are full of deny { connectto } unix_stream_socket > with smbd_t in tcontext. At the same time the /path/to/socket/file > has correct samba_var_t type. The situation doesn't > change if i write > file_type_auto_trans(smbd_t, samba_var_t, samba_var_t, sock_file) A Unix domain socket has two separate but related objects: the socket itself and the file by which it is named. They are separate objects with separate permission checks applied. The socket is labeled based on the creating process and the connectto permission check lets you establish a direct relationship between the peers. 
The file is labeled in accordance with the usual file typing rules, and the normal file write check is applied to it. The can_unix_connect() macro is typically used to grant the peer-to-peer permission. -- Stephen Smalley National Security Agency From sds at epoch.ncsc.mil Tue Dec 28 20:11:16 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Tue, 28 Dec 2004 15:11:16 -0500 Subject: transition problems In-Reply-To: <15112846892.20041228214301@dp.uz.gov.ua> References: <15112846892.20041228214301@dp.uz.gov.ua> Message-ID: <1104264676.21391.136.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2004-12-28 at 14:43, Oleg Museyko wrote: > Although innd.te is the usual example of policy, i still can't > get it start right from the init-script. (Fedora Core 2, > policy-sources-1.11.3-3). BTW, upgrading to FC 3 is strongly recommended for SELinux users, both due to improved integration of SELinux in FC 3 and due to compatibility problems that have crept into FC 2 from kernel updates without corresponding policy updates. -- Stephen Smalley National Security Agency From diegows at xtech.com.ar Tue Dec 28 22:07:39 2004 From: diegows at xtech.com.ar (Diego Woitasen) Date: Tue, 28 Dec 2004 19:07:39 -0300 Subject: .te and .fc files for postfix and fedora Message-ID: <1104271660.3049.3.camel@localhost.localdomain> Does somebody have the policy files for postfix? I tried with the Debian ones but they fail in policy compilation. Where can I get these files? Thanks!!! -- Diego Woitasen XTECH From dwalsh at redhat.com Tue Dec 28 23:27:39 2004
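Stephen Smalley's answer above about Unix domain sockets, as an added example that is not part of the thread: a program that shows the socket object and its filesystem entry are two different things, and reads the label of each where SELinux is present. The /tmp path is constructed for the example; nothing here depends on the samba policy, and the smbd_t/samba_var_t names in the comments are just the ones from Oleg's report.

```c
/* Added example (not from the thread): a Unix domain socket is two
 * objects. The socket lives in the kernel and under SELinux carries the
 * creating process's domain (smbd_t for the winbindd socket in the
 * thread); connectto is checked against that label, which is what
 * can_unix_connect(client_t, smbd_t) grants. The path is an ordinary
 * filesystem entry labeled by the file typing rules (samba_var_t), and
 * only the file write check applies to it. Below, the path is removed
 * while the socket and its connection keep working, and each object's
 * label is read where SELinux is present. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/xattr.h>
#include <unistd.h>
#ifndef SO_PEERSEC
#define SO_PEERSEC 31                     /* Linux value; missing from old headers */
#endif

/* Label of the filesystem entry, as `ls -Z` shows it; "" without SELinux. */
static void path_label(const char *path, char *buf, size_t n)
{
    ssize_t r = lgetxattr(path, "security.selinux", buf, n - 1);
    buf[r > 0 ? r : 0] = '\0';
}

/* Label of the socket object as its peer sees it (getpeercon() reads the
 * same SO_PEERSEC option): the creating process's context; "" without SELinux. */
static void socket_label(int connected_fd, char *buf, size_t n)
{
    socklen_t len = (socklen_t)(n - 1);
    if (getsockopt(connected_fd, SOL_SOCKET, SO_PEERSEC, buf, &len) != 0) len = 0;
    buf[len] = '\0';
}

/* Returns 0 when every expectation holds, otherwise the failing step. */
int demo(void)
{
    char path[] = "/tmp/winbindd-demo-XXXXXX";     /* constructed, not samba's path */
    int tmp = mkstemp(path);
    if (tmp < 0) return 1;
    close(tmp);
    unlink(path);                                  /* keep only the unique name */

    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s", path);
    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0 || bind(srv, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(srv, 1) < 0)
        return 2;

    struct stat st;                                /* object 2: a sock_file at the path */
    if (lstat(path, &st) < 0 || !S_ISSOCK(st.st_mode)) return 3;

    int cli = socket(AF_UNIX, SOCK_STREAM, 0);     /* connectto is checked here */
    if (cli < 0 || connect(cli, (struct sockaddr *)&sa, sizeof sa) < 0) return 4;
    int conn = accept(srv, NULL, NULL);
    if (conn < 0) return 5;

    char flab[128], slab[128];
    path_label(path, flab, sizeof flab);
    socket_label(cli, slab, sizeof slab);
    printf("file label:   %s\nsocket label: %s\n",
           *flab ? flab : "(no SELinux)", *slab ? slab : "(no SELinux)");

    unlink(path);                                  /* object 2 gone, object 1 lives on */
    if (lstat(path, &st) == 0) return 6;
    if (write(cli, "ping", 4) != 4) return 7;
    char buf[8] = { 0 };
    if (read(conn, buf, sizeof buf) != 4 || memcmp(buf, "ping", 4) != 0) return 8;

    int late = socket(AF_UNIX, SOCK_STREAM, 0);    /* no path, so no way to find it */
    if (connect(late, (struct sockaddr *)&sa, sizeof sa) == 0 || errno != ENOENT) return 9;

    close(late); close(conn); close(cli); close(srv);
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "ok" : "failed");
    return rc;
}
```

On an SELinux system the two printed labels differ exactly as the reply describes: the file shows the type the file_contexts rules gave the directory entry, the socket shows the domain of the process that created it. The file_type_auto_trans rule in Oleg's question only ever affects the first of these; granting the client domain connectto on the server domain (can_unix_connect) is what fixes the denial.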
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 28 Dec 2004 18:27:39 -0500 Subject: .te and .fc files for postfix and fedora In-Reply-To: <1104271660.3049.3.camel@localhost.localdomain> References: <1104271660.3049.3.camel@localhost.localdomain> Message-ID: <41D1EBEB.4000609@redhat.com> Diego Woitasen wrote: >Somebody have the policy files for postfix? I tried with Debian ones but >fails in policy compilation. > >Where can i get these files? > > >thanks!!! > > > > > selinux-policy-strict-sources has the files. Dan From diegows at xtech.com.ar Wed Dec 29 13:54:57 2004 From: diegows at xtech.com.ar (Diego Woitasen) Date: Wed, 29 Dec 2004 10:54:57 -0300 Subject: .te and .fc files for postfix and fedora In-Reply-To: <41D1EBEB.4000609@redhat.com> References: <1104271660.3049.3.camel@localhost.localdomain> <41D1EBEB.4000609@redhat.com> Message-ID: <1104328497.3049.6.camel@localhost.localdomain> And for example, if I want to add postfix to the targeted policy, should copying the .te and .fc files from strict-sources to targeted-sources work? Or do I need to change anything else? On Tue, 2004-12-28 at 18:27 -0500, Daniel J Walsh wrote: > Diego Woitasen wrote: > > >Somebody have the policy files for postfix? I tried with Debian ones but > >fails in policy compilation. > > > >Where can i get these files? > > > > > >thanks!!! > > > > > > > > > > > selinux-policy-strict-sources has the files. > > Dan > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list From dwalsh at redhat.com Wed Dec 29 15:30:34 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Dec 2004 10:30:34 -0500
Subject: .te and .fc files for postfix and fedora
In-Reply-To: <1104328497.3049.6.camel@localhost.localdomain>
References: <1104271660.3049.3.camel@localhost.localdomain> <41D1EBEB.4000609@redhat.com> <1104328497.3049.6.camel@localhost.localdomain>
Message-ID: <41D2CD9A.8060702@redhat.com>

Diego Woitasen wrote:
> And for example, if I want to add postfix to the targeted policy, should copying
> the .te and .fc files from strict-sources to targeted-sources work? Or do I need
> to change anything else?

Yes. But you will need to relabel the files that are touched by postfix.fc. There might be other problems with other modules that are doing

ifdef(`postfix.te', `...')

or if postfix.te does some things expecting a strict policy environment.

Dan

From diegows at xtech.com.ar Wed Dec 29 16:36:58 2004
From: diegows at xtech.com.ar (Diego Woitasen)
Date: Wed, 29 Dec 2004 13:36:58 -0300
Subject: .te and .fc files for postfix and fedora
In-Reply-To: <41D2CD9A.8060702@redhat.com>
References: <1104271660.3049.3.camel@localhost.localdomain> <41D1EBEB.4000609@redhat.com> <1104328497.3049.6.camel@localhost.localdomain> <41D2CD9A.8060702@redhat.com>
Message-ID: <1104338218.3049.10.camel@localhost.localdomain>

Yeah... I see.

Some macros are not defined in targeted, like can_network_[server|client]. I solved this problem, but now when I do make policy I get this msg:

domains/program/postfix.te:190:ERROR 'unknown type sysadm_mail_t' at token ';' on line 16044:

Any ideas?

On Wed, 2004-12-29 at 10:30 -0500, Daniel J Walsh wrote:
> Yes. But you will need to relabel the files that are touched by
> postfix.fc. There might be other problems with other modules that are doing
> ifdef(`postfix.te', `...')
> or if postfix.te does some things expecting a strict policy environment.
>
> Dan

From dwalsh at redhat.com Wed Dec 29 17:11:39 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Dec 2004 12:11:39 -0500
Subject: .te and .fc files for postfix and fedora
In-Reply-To: <1104338218.3049.10.camel@localhost.localdomain>
References: <1104271660.3049.3.camel@localhost.localdomain> <41D1EBEB.4000609@redhat.com> <1104328497.3049.6.camel@localhost.localdomain> <41D2CD9A.8060702@redhat.com> <1104338218.3049.10.camel@localhost.localdomain>
Message-ID: <41D2E54B.5060400@redhat.com>

Diego Woitasen wrote:
> Some macros are not defined in targeted, like can_network_[server|client].
> I solved this problem, but now when I do make policy I get this msg:
>
> domains/program/postfix.te:190:ERROR 'unknown type sysadm_mail_t' at
> token ';' on line 16044:
>
> Any ideas?

Try sucking in mta.te also.

From diegows at xtech.com.ar Wed Dec 29 17:26:06 2004
From: diegows at xtech.com.ar (Diego Woitasen)
Date: Wed, 29 Dec 2004 14:26:06 -0300
Subject: .te and .fc files for postfix and fedora
In-Reply-To: <41D2E54B.5060400@redhat.com>
References: <1104271660.3049.3.camel@localhost.localdomain> <41D1EBEB.4000609@redhat.com> <1104328497.3049.6.camel@localhost.localdomain> <41D2CD9A.8060702@redhat.com> <1104338218.3049.10.camel@localhost.localdomain> <41D2E54B.5060400@redhat.com>
Message-ID: <1104341166.3049.12.camel@localhost.localdomain>

No, the same message...

On Wed, 2004-12-29 at 12:11 -0500, Daniel J Walsh wrote:
> Try sucking in mta.te also.

From dwalsh at redhat.com Wed Dec 29 17:46:44 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Dec 2004 12:46:44 -0500
Subject: .te and .fc files for postfix and fedora
In-Reply-To: <1104341166.3049.12.camel@localhost.localdomain>
References: <1104271660.3049.3.camel@localhost.localdomain> <41D1EBEB.4000609@redhat.com> <1104328497.3049.6.camel@localhost.localdomain> <41D2CD9A.8060702@redhat.com> <1104338218.3049.10.camel@localhost.localdomain> <41D2E54B.5060400@redhat.com> <1104341166.3049.12.camel@localhost.localdomain>
Message-ID: <41D2ED84.8070202@redhat.com>

Diego Woitasen wrote:
> No, the same message...

Try these two.

Replace unconfined.te with this one and use this postfix.te.

Dan

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: unconfined.te
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: postfix.te
URL:

From diegows at xtech.com.ar Wed Dec 29 19:20:54 2004
From: diegows at xtech.com.ar (Diego Woitasen)
Date: Wed, 29 Dec 2004 16:20:54 -0300
Subject: .te and .fc files for postfix and fedora
In-Reply-To: <41D2ED84.8070202@redhat.com>
References: <1104271660.3049.3.camel@localhost.localdomain> <41D1EBEB.4000609@redhat.com> <1104328497.3049.6.camel@localhost.localdomain> <41D2CD9A.8060702@redhat.com> <1104338218.3049.10.camel@localhost.localdomain> <41D2E54B.5060400@redhat.com> <1104341166.3049.12.camel@localhost.localdomain> <41D2ED84.8070202@redhat.com>
Message-ID: <1104348054.3049.14.camel@localhost.localdomain>

Dan, thanks... these files work very fine.

Regards,
diegows

On Wed, 2004-12-29 at 12:46 -0500, Daniel J Walsh wrote:
> Try these two.
>
> Replace unconfined.te with this one and use this postfix.te.
>
> Dan
> plain text document attachment (unconfined.te)
> #DESC Unconfined - The unconfined domain
>
> # This is the initial domain, and is used for everything that
> # is not explicitly confined. It has no restrictions.
> # It needs to be carefully protected from the confined domains.
>
> type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem;
> role system_r types unconfined_t;
> role user_r types unconfined_t;
> role sysadm_r types unconfined_t;
> unconfined_domain(unconfined_t)
>
> # Define some type aliases to help with compatibility with
> # macros and domains from the "strict" policy.
> typealias bin_t alias su_exec_t;
> typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t };
> type mount_t, domain;
> type initrc_devpts_t, ptyfile;
> define(`admin_tty_type', `{ tty_device_t devpts_t }')
>
> # User home directory type.
> type user_home_t, file_type, sysadmfile;
> type user_home_dir_t, file_type, sysadmfile;
> file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
> file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)
>
> define(`user_typealias', `
> ifelse($1,`user',`',`
> typealias user_home_t alias $1_home_t;
> typealias user_home_dir_t alias $1_home_dir_t;
> ')
> typealias tty_device_t alias $1_tty_device_t;
> typealias devpts_t alias $1_devpts_t;
> ')
> user_typealias(sysadm)
> user_typealias(staff)
> user_typealias(user)
>
> allow unconfined_t unlabeled_t:filesystem *;
> allow unlabeled_t unlabeled_t:filesystem associate;
> bool read_default_t false;
> plain text document attachment (postfix.te)
> #DESC Postfix - Mail server
> #
> # Author: Russell Coker
> # X-Debian-Packages: postfix
> # Depends: mta.te
> #
>
> # Type for files created during execution of postfix.
> type postfix_var_run_t, file_type, sysadmfile, pidfile;
>
> type postfix_etc_t, file_type, sysadmfile;
> typealias postfix_etc_t alias etc_postfix_t;
> type postfix_exec_t, file_type, sysadmfile, exec_type;
> type postfix_public_t, file_type, sysadmfile;
> type postfix_private_t, file_type, sysadmfile;
> type postfix_spool_t, file_type, sysadmfile;
> type postfix_spool_maildrop_t, file_type, sysadmfile;
> type postfix_spool_flush_t, file_type, sysadmfile;
> type postfix_prng_t, file_type, sysadmfile;
> typealias system_mail_t alias sysadm_mail_t;
>
> # postfix needs this for newaliases
> allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
>
> #################################
> #
> # Rules for the postfix_$1_t domain.
> #
> # postfix_$1_exec_t is the type of the postfix_$1 executables.
> #
> define(`postfix_domain', `
> daemon_core_rules(postfix_$1, `$2')
> allow postfix_$1_t self:process setpgid;
> allow postfix_$1_t postfix_master_t:process sigchld;
> allow postfix_master_t postfix_$1_t:process signal;
>
> allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
> allow postfix_$1_t postfix_etc_t:file r_file_perms;
> read_locale(postfix_$1_t)
> allow postfix_$1_t etc_t:file { getattr read };
> allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
> allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
> allow postfix_$1_t self:unix_stream_socket connectto;
>
> allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
> allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
> allow postfix_$1_t shell_exec_t:file rx_file_perms;
> allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
> allow postfix_$1_t postfix_exec_t:file rx_file_perms;
> allow postfix_$1_t devtty_t:chr_file rw_file_perms;
> allow postfix_$1_t etc_runtime_t:file r_file_perms;
> allow postfix_$1_t proc_t:dir r_dir_perms;
> allow postfix_$1_t proc_t:file r_file_perms;
> allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
> allow postfix_$1_t fs_t:filesystem getattr;
> can_exec(postfix_$1_t, postfix_$1_exec_t)
>
> allow postfix_$1_t tmp_t:dir getattr;
>
> file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
>
> allow postfix_$1_t { sysctl_t sysctl_kernel_t }:dir search;
> allow postfix_$1_t sysctl_kernel_t:file { getattr read };
>
> ')dnl end postfix_domain
>
> ifdef(`crond.te',
> `allow system_mail_t crond_t:tcp_socket { read write create };')
>
> postfix_domain(master, `, mail_server_domain')
> rhgb_domain(postfix_master_t)
>
> read_sysctl(postfix_master_t)
>
> ifdef(`direct_sysadm_daemon', `
> dontaudit postfix_master_t admin_tty_type:chr_file { read write };
> ')
>
> domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
> allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
> ifdef(`direct_sysadm_daemon', `
> domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
> allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
> role_transition sysadm_r postfix_master_exec_t system_r;
> domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
> allow system_mail_t sysadm_t:process sigchld;
> allow system_mail_t privfd:fd use;
> ')dnl end direct_sysadm_daemon
>
> allow postfix_master_t privfd:fd use;
> ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
> allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
>
> # postfix does a "find" on startup for some reason - keep it quiet
> dontaudit postfix_master_t selinux_config_t:dir search;
> can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
> ifdef(`distro_redhat', `
> file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
> ', `
> file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
> ')
> allow postfix_master_t sendmail_exec_t:file r_file_perms;
> allow postfix_master_t sbin_t:lnk_file { getattr read };
> ifdef(`pppd.te', `
> domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
> ')
> can_exec(postfix_master_t, { ls_exec_t sbin_t })
> allow postfix_master_t sysctl_kernel_t:dir r_dir_perms;
> allow postfix_master_t sysctl_kernel_t:file r_file_perms;
> allow postfix_master_t self:fifo_file rw_file_perms;
> allow postfix_master_t usr_t:file r_file_perms;
> can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
> # chown is to set the correct ownership of queue dirs
> allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
> allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
> allow postfix_master_t postfix_public_t:sock_file create_file_perms;
> allow postfix_master_t postfix_public_t:dir rw_dir_perms;
> allow postfix_master_t postfix_private_t:dir rw_dir_perms;
> allow postfix_master_t postfix_private_t:sock_file create_file_perms;
> allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
> can_network(postfix_master_t)
> can_ypbind(postfix_master_t)
> allow postfix_master_t smtp_port_t:tcp_socket name_bind;
> allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
> allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
> allow postfix_master_t postfix_prng_t:file getattr;
> allow postfix_master_t privfd:fd use;
> allow postfix_master_t etc_aliases_t:file rw_file_perms;
>
> ifdef(`saslauthd.te',`
> allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
> allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
> can_unix_connect(postfix_smtpd_t,saslauthd_t)
> ')
>
> create_dir_file(postfix_master_t, postfix_spool_flush_t)
> allow postfix_master_t random_device_t:chr_file { read getattr };
> allow postfix_master_t postfix_prng_t:file rw_file_perms;
> # for ls to get the current context
> allow postfix_master_t self:file { getattr read };
> ifdef(`direct_sysadm_daemon', `
> allow postfix_master_t postfix_etc_t:file rw_file_perms;
> allow postfix_master_t devpts_t:dir search;
> ')
>
> # for SSP
> allow postfix_master_t urandom_device_t:chr_file read;
>
> # allow access to deferred queue and allow removing bogus incoming entries
> allow postfix_master_t postfix_spool_t:dir create_dir_perms;
> allow postfix_master_t postfix_spool_t:file create_file_perms;
>
> dontaudit postfix_master_t man_t:dir search;
>
> define(`postfix_server_domain', `
> postfix_domain($1, `$2')
> domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
> allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
> allow postfix_$1_t self:capability { setuid setgid dac_override };
> can_network(postfix_$1_t)
> can_ypbind(postfix_$1_t)
> ')
>
> postfix_server_domain(smtp, `, mail_server_sender')
> allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
> allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
> allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
> allow postfix_smtp_t urandom_device_t:chr_file { getattr read };
> allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
> # if you have two different mail servers on the same host let them talk via
> # SMTP, also if one mail server wants to talk to itself then allow it and let
> # the SMTP protocol sort it out (SE Linux is not to prevent mail server
> # misconfiguration)
> can_tcp_connect(postfix_smtp_t, mail_server_domain)
>
> postfix_server_domain(smtpd)
> allow postfix_smtpd_t urandom_device_t:chr_file { getattr read };
> allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
> allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
> allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
> allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
> # for OpenSSL certificates
> r_dir_file(postfix_smtpd_t,usr_t)
> allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
>
> # for prng_exch
> allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
>
> allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
>
> postfix_server_domain(local, `, mta_delivery_agent')
> ifdef(`procmail.te', `
> domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
> # for a bug in the postfix local program
> dontaudit procmail_t postfix_local_t:tcp_socket { read write };
> dontaudit procmail_t postfix_master_t:fd use;
> ')
> allow postfix_local_t etc_aliases_t:file r_file_perms;
> allow postfix_local_t self:fifo_file rw_file_perms;
> allow postfix_local_t self:process setrlimit;
> allow postfix_local_t postfix_spool_t:file rw_file_perms;
> # for .forward - maybe we need a new type for it?
> allow postfix_local_t postfix_private_t:dir search;
> allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
> allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
> allow postfix_local_t postfix_public_t:dir search;
> allow postfix_local_t postfix_public_t:sock_file write;
> can_exec(postfix_local_t, shell_exec_t)
> ifdef(`arpwatch.te', `
> allow postfix_local_t arpwatch_data_t:dir { search };
> ')
>
> define(`postfix_public_domain',`
> postfix_server_domain($1)
> allow postfix_$1_t postfix_public_t:dir search;
> ')
>
> postfix_public_domain(cleanup)
> create_dir_file(postfix_cleanup_t, postfix_spool_t)
> allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
> allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
> allow postfix_cleanup_t postfix_private_t:dir search;
> allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
> allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
> allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
> allow postfix_cleanup_t self:process setrlimit;
>
> allow user_mail_domain postfix_spool_t:dir r_dir_perms;
> allow user_mail_domain postfix_etc_t:dir r_dir_perms;
> allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
> allow user_mail_domain self:capability dac_override;
>
> define(`postfix_user_domain', `
> postfix_domain($1, `$2')
> domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
> in_user_role(postfix_$1_t)
> role sysadm_r types postfix_$1_t;
> allow postfix_$1_t userdomain:process sigchld;
> allow postfix_$1_t userdomain:fifo_file { write getattr };
> allow postfix_$1_t { userdomain privfd }:fd use;
> allow postfix_$1_t self:capability dac_override;
> ')
>
> postfix_user_domain(postqueue)
> allow postfix_postqueue_t postfix_public_t:dir search;
> allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
> allow postfix_postqueue_t self:udp_socket { create ioctl };
> allow postfix_master_t postfix_postqueue_exec_t:file getattr;
> domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
> allow postfix_postqueue_t initrc_t:process sigchld;
> allow postfix_postqueue_t initrc_t:fd use;
>
> # to write the mailq output, it really should not need read access!
> allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
> ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
>
> # wants to write to /var/spool/postfix/public/showq
> allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
> allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
> # write to /var/spool/postfix/public/qmgr
> allow postfix_postqueue_t postfix_public_t:fifo_file write;
> dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
>
> postfix_user_domain(showq)
> # the following auto_trans is usually in postfix server domain
> domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
> allow postfix_showq_t self:udp_socket { create ioctl };
> r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
> domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
> allow postfix_showq_t self:capability { setuid setgid };
> allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
> allow postfix_showq_t postfix_spool_t:file r_file_perms;
> allow postfix_showq_t self:tcp_socket create_socket_perms;
> allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
> dontaudit postfix_showq_t net_conf_t:file r_file_perms;
>
> postfix_user_domain(postdrop, `, mta_user_agent')
> allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
> allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
> allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
> allow postfix_postdrop_t postfix_public_t:dir search;
> allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
> dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
> dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
> allow postfix_master_t postfix_postdrop_exec_t:file getattr;
> ifdef(`crond.te',
> `allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
> allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
> # usually it does not need a UDP socket
> allow postfix_postdrop_t self:udp_socket create_socket_perms;
> allow postfix_postdrop_t self:capability sys_resource;
>
> postfix_public_domain(pickup)
> allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
> allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
> allow postfix_pickup_t postfix_private_t:dir search;
> allow postfix_pickup_t postfix_private_t:sock_file write;
> allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
> allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
> allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
> allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
> allow postfix_pickup_t self:tcp_socket create_socket_perms;
>
> postfix_public_domain(qmgr)
> allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
> allow postfix_qmgr_t postfix_public_t:sock_file write;
> allow postfix_qmgr_t postfix_private_t:dir search;
> allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
> allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
>
> # for /var/spool/postfix/active
> create_dir_file(postfix_qmgr_t, postfix_spool_t)
>
> postfix_public_domain(bounce)
> type postfix_spool_bounce_t, file_type, sysadmfile;
> create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
> create_dir_file(postfix_bounce_t, postfix_spool_t)
> allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
> allow postfix_master_t postfix_spool_bounce_t:file getattr;
> allow postfix_bounce_t self:capability dac_read_search;
> allow postfix_bounce_t postfix_public_t:sock_file write;
> allow postfix_bounce_t self:tcp_socket create_socket_perms;
>
> r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
>
> postfix_public_domain(pipe)
> allow postfix_pipe_t postfix_spool_t:dir search;
> allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
> allow postfix_pipe_t self:fifo_file { read write };
> allow postfix_pipe_t postfix_private_t:dir search;
> allow postfix_pipe_t postfix_private_t:sock_file write;
> ifdef(`procmail.te', `
> domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
> ')
> ifdef(`sendmail.te', `
> allow sendmail_t postfix_etc_t:dir search;
> ')
>
> # Program for creating database files
> application_domain(postfix_map)
> base_file_read_access(postfix_map_t)
> allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
> tmp_domain(postfix_map)
> create_dir_file(postfix_map_t, postfix_etc_t)
> allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
> dontaudit postfix_map_t proc_t:dir { getattr read search };
> ifdef(`login.te', `
> dontaudit postfix_map_t local_login_t:fd use;
> ')
> allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
> read_locale(postfix_map_t)
> allow postfix_map_t self:capability setgid;
> allow postfix_map_t self:unix_dgram_socket create_socket_perms;
> dontaudit postfix_map_t var_t:dir search;
> can_network(postfix_map_t)
> allow postfix_local_t mail_spool_t:dir { remove_name };
> allow postfix_local_t mail_spool_t:file { unlink };

From cra at WPI.EDU Thu Dec 30 02:42:17 2004
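The "unknown type sysadm_mail_t" error in this thread is what checkpolicy reports when a .te file carried over from the strict policy names a type the targeted policy never declares; the attached files solve it with typealias lines (sysadm_mail_t onto system_mail_t, and the strict-policy domains onto unconfined_t). As an added example, not code from this thread or from the Fedora policy packages, the Python script below does that check before running make policy: it parses a constructed set of .te fragments (modelled on the files quoted above; the fragments, their paths and the explicit type declarations are assumptions for the example), reports every *_t identifier that is used without a type or typealias declaration, and then shows the same check passing once the compatibility typealias is added. It does not expand m4, so types that only exist after macro expansion (daemon_core_rules and friends) must be declared explicitly in the fragments, and lines that use $1-style macro parameters are skipped.

```python
import re

# Constructed, cut-down fragments modelled on the files quoted in this
# thread. Assumption for the example: these three files are the entire
# policy being compiled and every type is declared explicitly (the real
# policy also creates types inside m4 macros such as daemon_core_rules).
TARGETED_SOURCES = {
    "domains/unconfined.te": """
# unconfined.te (fragment)
type unconfined_t, domain, privuser, privrole, privowner, admin;
typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t };
type mount_t, domain;
""",
    "domains/program/mta.te": """
# mta.te (fragment)
type system_mail_t, domain, privlog;
type sendmail_exec_t, file_type, sysadmfile, exec_type;
type etc_aliases_t, file_type, sysadmfile;
""",
    "domains/program/postfix.te": """
# postfix.te (fragment) - still refers to the strict-policy sysadm_mail_t
type postfix_etc_t, file_type, sysadmfile;
type postfix_master_t, domain, privlog;
type postfix_master_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
allow { sysadm_mail_t system_mail_t } postfix_etc_t:dir search;
allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
""",
}

COMMENT = re.compile(r"#.*$", re.MULTILINE)
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*[,;]", re.MULTILINE)
ALIAS_DECL = re.compile(
    r"^\s*typealias\s+(\w+)\s+alias\s+(\{[^}]*\}|\w+)\s*;", re.MULTILINE)
TYPE_REF = re.compile(r"\b([A-Za-z_]\w*_t)\b")


def strip_macro_bodies(text):
    """Drop comments and any line that uses m4 parameters ($1, $2, ...);
    those only become real rules after macro expansion."""
    text = COMMENT.sub("", text)
    return "\n".join(line for line in text.splitlines() if "$" not in line)


def declared_types(sources):
    """All names introduced by 'type' or 'typealias' across the sources."""
    declared = set()
    for text in sources.values():
        text = strip_macro_bodies(text)
        declared.update(TYPE_DECL.findall(text))
        for _base, aliases in ALIAS_DECL.findall(text):
            declared.update(re.findall(r"\w+", aliases))
    return declared


def referenced_types(sources):
    """Map every *_t identifier to the set of files that mention it."""
    refs = {}
    for path, text in sources.items():
        for name in TYPE_REF.findall(strip_macro_bodies(text)):
            refs.setdefault(name, set()).add(path)
    return refs


def undefined_types(sources):
    """Types checkpolicy would reject as 'unknown type', with the files
    that use them, sorted for stable output."""
    declared = declared_types(sources)
    return {
        name: sorted(files)
        for name, files in sorted(referenced_types(sources).items())
        if name not in declared
    }


def with_alias(sources, base="system_mail_t", alias="sysadm_mail_t",
               path="domains/program/postfix.te"):
    """Copy of the sources plus the compatibility typealias that the
    attached postfix.te uses to make the strict-policy name resolve."""
    fixed = dict(sources)
    fixed[path] = sources[path] + f"typealias {base} alias {alias};\n"
    return fixed


if __name__ == "__main__":
    for name, files in undefined_types(TARGETED_SOURCES).items():
        print(f"unknown type {name} referenced in {', '.join(files)}")
    print("after typealias:", undefined_types(with_alias(TARGETED_SOURCES)))
```

Run against the fragments it reports sysadm_mail_t as used by postfix.te and declared nowhere, which is the same condition behind the ERROR line above; after the typealias it reports nothing. The alias approach is the right fix here rather than declaring a fresh sysadm_mail_t, because under targeted policy the strict sysadm domains all collapse onto unconfined_t, and a separate type would silently create a second mail domain with no rules.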
From: cra at WPI.EDU (Charles R. Anderson)
Date: Wed, 29 Dec 2004 21:42:17 -0500
Subject: new kernel, new policy installed as .rpmnew
Message-ID: <20041230024217.GA5001@angus.ind.WPI.EDU>

I just yum updated, and got the latest testing kernel and policy files:

Install: kernel.i686 0:2.6.9-1.715_FC3
Install: kernel-smp.i686 0:2.6.9-1.715_FC3
[...]
Update: selinux-policy-targeted.noarch 0:1.17.30-2.58
Update: selinux-policy-targeted-sources.noarch 0:1.17.30-2.58
[...]
Installing: kernel-smp 100 % done 1/160
warning: /etc/selinux/targeted/contexts/files/file_contexts created as /etc/selinux/targeted/contexts/files/file_contexts.rpmnew
warning: /etc/selinux/targeted/policy/policy.18 created as /etc/selinux/targeted/policy/policy.18.rpmnew
Updating: selinux-policy-targeted 100 % done 2/160

The FAQ says that the policy reloads automatically, and that a manual relabel may be necessary. It doesn't say anything about fixing the filenames that were named .rpmnew. How can the policy automatically reload when the file isn't named correctly?

Since policy is tied to the kernel, what happens when I have more than one kernel installed, and I boot an older one from grub?

From bobk at ocf.berkeley.edu Thu Dec 30 04:27:09 2004
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Wed, 29 Dec 2004 20:27:09 -0800
Subject: SELinux error with yum --installroot
Message-ID: <1104380829.3448.15.camel@chaucer>

When I run:

yum -y --installroot=/testroot groupinstall "Base"

I get all kinds of errors like this:

error: %post(libuser-0.52.5-1.i386) scriptlet failed, exit status 255
error: %post(gnupg-1.2.6-1.i386) scriptlet failed, exit status 255

If I turn selinux off there are no errors. Any ideas why this is happening?

FC3 fully updated.

yum-2.1.12-0.fc3
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-2.58

Bob

--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From mjc at avtechpulse.com Thu Dec 30 15:36:18 2004
From: mjc at avtechpulse.com (Dr. Michael J. Chudobiak)
Date: Thu, 30 Dec 2004 10:36:18 -0500
Subject: postgresql pg_dump won't run
Message-ID: <41D42072.2090304@avtechpulse.com>

Hi,

I've just installed selinux on my FC3 server using the targeted policy, and everything went well except that I can no longer run /usr/bin/pg_dumpall as a root cron job for backing up postgresql databases. I get this sort of log message, even if I run pg_dump/pg_dumpall as the postgres user:

Dec 30 10:17:01 server2 kernel: audit(1104419821.285:0): avc: denied { execute_no_trans } for pid=24740 exe=/bin/bash path=/usr/bin/pg_dump dev=md0 ino=346137 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:postgresql_exec_t tclass=file

For now, I've disabled the postgres protection using system-config-security-level, and it works fine - but postgresql is unprotected of course. Is there a way of running pg_dump and pg_dumpall under selinux, without abandoning or rewriting the targeted policy?

- Mike

From steve at adsi-m4.com Thu Dec 30 16:03:58 2004
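The pg_dump denial above, and the syslog-ng denials in the next message, are the raw material for a policy decision, and the first step is the same in both cases: group the AVC lines by source type, target type and object class, then decide per group whether the domain should be allowed the access or whether the files are simply mislabeled. As an added example, not code from this thread and not the audit2allow tool that ships with policycoreutils (which performs the same grouping), here is a Python script that parses the denial lines posted in this thread (copied in as sample input; the _executable_1_ placeholder is left as it appears in the post), emits one candidate allow rule per group in the same syntax as the .te files above, and flags the groups where a confined daemon writes to a generic type such as usr_t, which usually calls for relabeling rather than a new allow rule. The list of generic types and write-like permissions is an assumption for the example.

```python
import re
from collections import defaultdict

# Denial lines posted in this thread (pg_dump, then syslog-ng), copied as
# sample input. The '_executable_1_' placeholder is as it appears in the post.
SAMPLE_LOG = """\
Dec 30 10:17:01 server2 kernel: audit(1104419821.285:0): avc: denied { execute_no_trans } for pid=24740 exe=/bin/bash path=/usr/bin/pg_dump dev=md0 ino=346137 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:postgresql_exec_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.142:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.150:0): avc: denied { write } for pid=16202 exe=_executable_1_ name=status dev=dm-0 ino=166481 scontext=system_u:system_r:syslogd_t tcontext=user_u:object_r:usr_t tclass=file
Dec 27 10:47:27 gsi10 kernel: audit(1104162447.513:0): avc: denied { sys_admin } for pid=16201 exe=/sbin/syslog-ng capability=21 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=log dev=dm-0 ino=166417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { add_name } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { create } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { chown } for pid=16201 exe=/sbin/syslog-ng capability=0 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fowner } for pid=16201 exe=/sbin/syslog-ng capability=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumption for the example: targets that are broad catch-all labels, and
# the permissions that mean "modify" rather than "look at".
GENERIC_TARGETS = {"usr_t", "var_t", "etc_t", "tmp_t", "bin_t", "file_t",
                   "unlabeled_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "add_name",
               "remove_name", "setattr", "rename"}


def parse_avc(line):
    """Return (source type, target type, class, [perms]) for one AVC
    denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        # A context is user:role:type; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, m.group("perms").split()


def summarise(log_text):
    """Group denials by (source, target, class); perms sorted per group."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            groups[(stype, ttype, tclass)].update(perms)
    return {key: sorted(perms) for key, perms in sorted(groups.items())}


def candidate_rules(groups):
    """One allow rule per group, using 'self' when source == target."""
    rules = []
    for (stype, ttype, tclass), perms in groups.items():
        target = "self" if stype == ttype else ttype
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm};")
    return rules


def relabel_candidates(groups):
    """Groups where a domain modifies objects of a generic type: these are
    better fixed by labeling the files correctly than by an allow rule."""
    return [key for key, perms in groups.items()
            if key[1] in GENERIC_TARGETS and WRITE_PERMS.intersection(perms)]


if __name__ == "__main__":
    groups = summarise(SAMPLE_LOG)
    for rule in candidate_rules(groups):
        print(rule)
    for stype, ttype, tclass in relabel_candidates(groups):
        print(f"# consider relabeling instead: {stype} -> {ttype}:{tclass}")
```

For the pg_dump case the single candidate rule, allow postgresql_t postgresql_exec_t:file execute_no_trans;, is what a policy-side fix looks like. For syslog-ng the usr_t groups are the ones not to paste into a policy: the log directory under /usr is labeled as program data, and giving syslogd_t write access to all of usr_t would let a compromised logger overwrite installed software. The usual fix is to give those files a log type such as var_log_t (a file_contexts entry or chcon, then restorecon) so the existing syslogd_t rules apply unchanged.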
From: steve at adsi-m4.com (Steve Friedman)
Date: Thu, 30 Dec 2004 11:03:58 -0500 (EST)
Subject: syslog-ng non-standard install generating AVC
Message-ID:

I recently installed FC3 on a machine (we had previously been using FC1), so this is my first exposure to selinux. Consequently, we are running the targeted policy in permissive mode.

We use syslog-ng (rather than sysklogd) and have updated the syslog-ng.conf to monitor/log/distribute log events on a number of other ports beyond the standard syslog distribution. Among other things, what we do in syslog-ng includes:

- open non-standard UDP/TCP ports
- open non-standard files
- call non-standard routines

As a complete newbie to selinux, I don't know whether it is easier/simpler/better (or even how) to modify the syslog policy or the attributes of the executables/files/directories that it touches. I would appreciate some advice and guidance.

AVC log events:

Dec 27 04:02:17 gsi10 kernel: audit(1104138137.142:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.145:0): avc: denied { read } for pid=16202 exe=/bin/bash name=mtab dev=dm-0 ino=7146016 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.145:0): avc: denied { getattr } for pid=16202 exe=/bin/bash path=/etc/mtab dev=dm-0 ino=7146016 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.150:0): avc: denied { write } for pid=16202 exe=_executable_1_ name=status dev=dm-0 ino=166481 scontext=system_u:system_r:syslogd_t tcontext=user_u:object_r:usr_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.150:0): avc: denied { getattr } for pid=16202 exe=_executable_1_ path=_file_1_ dev=dm-0 ino=166481 scontext=system_u:system_r:syslogd_t tcontext=user_u:object_r:usr_t tclass=file
Dec 27 10:47:27 gsi10 kernel: audit(1104162447.513:0): avc: denied { sys_admin } for pid=16201 exe=/sbin/syslog-ng capability=21 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=log dev=dm-0 ino=166417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { add_name } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { create } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { setattr } for pid=16201 exe=/sbin/syslog-ng name=e27.log dev=dm-0 ino=166450 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { chown } for pid=16201 exe=/sbin/syslog-ng capability=0 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fowner } for pid=16201 exe=/sbin/syslog-ng capability=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fsetid } for pid=16201 exe=/sbin/syslog-ng capability=4 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { append } for pid=16201 exe=/sbin/syslog-ng path=_file_2_ dev=dm-0 ino=166450 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { write } for pid=16202 exe=_executable_1_ path=_file_3_ dev=dm-0 ino=166444 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { getattr } for pid=16202 exe=_executable_1_ path=_file_4_ dev=dm-0 ino=166472 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { read } for pid=16202 exe=_executable_1_ path=_file_5_ dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { remove_name } for pid=16202 exe=_executable_1_ name=delete_next dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { unlink } for pid=16202 exe=_executable_1_ name=delete_next dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { search } for pid=1633 exe=_executable_1_ name=bin dev=dm-0 ino=1245185 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { read } for pid=1633 exe=_executable_1_ name=sh dev=dm-0 ino=3850242 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { execute } for pid=1633 exe=_executable_1_ name=bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.320:0): avc: denied { execute_no_trans } for pid=1633 exe=_executable_1_ path=/bin/bash
dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file Dec 27 16:16:35 gsi10 kernel: audit(1104182195.320:0): avc: denied { read } for pid=1633 exe=_executable_1_ path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file Dec 27 16:16:35 gsi10 kernel: audit(1104182195.321:0): avc: denied { read } for pid=1633 exe=/bin/bash name=meminfo dev=proc ino=-268435454 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=file Dec 27 16:16:35 gsi10 kernel: audit(1104182195.321:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=file Dec 27 16:16:35 gsi10 kernel: audit(1104182195.322:0): avc: denied { search } for pid=1633 exe=/bin/bash name=sbin dev=dm-0 ino=7356417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sbin_t tclass=dir Dec 27 16:16:35 gsi10 kernel: audit(1104182195.322:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { execute } for pid=1633 exe=/bin/bash name=rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { execute_no_trans } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { read } for 
pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file Steve Friedman From walters at redhat.com Thu Dec 30 17:04:06 2004 
From: walters at redhat.com (Colin Walters) Date: Thu, 30 Dec 2004 12:04:06 -0500 Subject: new kernel, new policy installed as .rpmnew In-Reply-To: <20041230024217.GA5001@angus.ind.WPI.EDU> References: <20041230024217.GA5001@angus.ind.WPI.EDU> Message-ID: <1104426247.4115.4.camel@nexus.verbum.private> On Wed, 2004-12-29 at 21:42 -0500, Charles R. Anderson wrote: > I just yum updated, and got the latest testing kernel and policy > files: > > Install: kernel.i686 0:2.6.9-1.715_FC3 > Install: kernel-smp.i686 0:2.6.9-1.715_FC3 > [...] > Update: selinux-policy-targeted.noarch 0:1.17.30-2.58 > Update: selinux-policy-targeted-sources.noarch 0:1.17.30-2.58 > [...] > Installing: kernel-smp 100 % done 1/160 > warning: /etc/selinux/targeted/contexts/files/file_contexts created as /etc/selinux/targeted/contexts/files/file_contexts.rpmnew > warning: /etc/selinux/targeted/policy/policy.18 created as /etc/selinux/targeted/policy/policy.18.rpmnew > Updating: selinux-policy-targeted 100 % done 2/160 > > The FAQ says that the policy reloads automatically, and that a manual > relabel may be necessary. It doesn't say anything about fixing the > filenames that were named .rpmnew. How can the policy automatically > reload when the file isn't named correctly? This can happen when you have selinux-policy-targeted-sources installed. It's complicated to solve; I think we ended up deciding that if you have -sources installed, it's up to you to do a policy rebuild for new versions. > Since policy is tied to the kernel, what happens when I have more than > one kernel installed, and I boot an older one from grub? If you don't need to customize policy, deinstall the -sources package, and move the .rpmnew files over the non-.rpmnew versions. Then this problem goes away. If you do need to customize policy, then you're probably best off booting in non-enforcing mode after an update to test and ensure that your changes work with the latest package. 
Keeping a custom policy is nontrivial at the moment, and it's something I'd like to fix. From mike at navi.cx Thu Dec 30 20:31:29 2004 From: mike at navi.cx (Mike Hearn) Date: Thu, 30 Dec 2004 20:31:29 +0000 Subject: FC3 " avc: denied" issue References: <41CE1171.5030404@austin.rr.com> <200412272312.45938.russell@coker.com.au> <200412271527.iBRFR6VP005427@turing-police.cc.vt.edu> <200412280236.11361.russell@coker.com.au> Message-ID: On Tue, 28 Dec 2004 02:36:07 +1100, Russell Coker wrote: > It seems that the NVidia drivers suck in many ways. What's the best option > for 3D graphics in Linux nowadays? Not NVidia I guess. nVidia has been the best option for 3D on Linux for a very long time now. Their drivers are high quality and Just Work to a far greater extent than the only real competition, ATI's. They also allow unlimited redistribution of their drivers, so eg I get mine via yum. thanks -mike From mike at navi.cx Thu Dec 30 21:05:25 2004 
From: mike at navi.cx (Mike Hearn) Date: Thu, 30 Dec 2004 21:05:25 +0000 Subject: SELinux and third party installers Message-ID: Hi, I have a couple of questions. The first is that in the FC3 targeted policy, it appears that ldconfig cannot write to user_home_t directories. Why is this? It appears to be a restriction with no purpose, and some programs rely on this to work. In fact I see from the archives that ldconfig not being able to write or search certain directories has come up before. The second question is what impact SELinux will have on third party installers. It seems from the nVidia thread that currently if you copy files onto the system using "cp", this is the wrong way to do it and it will break people's SELinux setups. This surely cannot be correct: that'd break pretty much every third party installer (eg Loki Setup, etc) out there! If this is the case and this rather questionable decision is not reversed, is using "install" the correct way to go about things on *every* SELinux enabled distro, or is that a Fedora custom thing? It's a bit worrying how much Fedora SELinux seems to differ from upstream, is this something that will get better with time? thanks -mike From dhart275 at offramp.com Thu Dec 30 22:26:24 2004 
From: dhart275 at offramp.com (David Hart) Date: Thu, 30 Dec 2004 16:26:24 -0600 Subject: Head-banging targets, please Message-ID: <1104445584.3312.100.camel@Eng-Lab-002> I need help understanding SELinux! I've read just about every on-line SELinux article I can find, and I am getting progressively more confused as I read more. Following along in these articles on a Fedora Core 3 system, reading documents written for Fedora Core 2 Test 3 and before, is confusing. The older the document, the more my installation fails to match the documentation. I need a starting place, some things to look at once I have my Fedora Core 3 installation running. Some simple things, some that work correctly, some that fail and I can learn how to track down and fix. And, the answers to some basic questions: 1) Why does a Fedora Core 3 installation, with SELinux "Active" or "Warn", not install selinux-policy-targeted-sources? I kept pulling my hair out (little that there is) when trying to find: /etc/selinux/targeted/src/policy All the documents referred to this directory, and it was VERY confusing not to find it. This directory should at least be an empty directory after a fresh install. 2) Are the setools and setools-gui packages required to be used on a SELinux enabled system? If so, why are they not installed when SELinux is installed? In particular, I am very confused about how to create new users and new groups. It looks like I need to update our in-house instructions to use seuseradd, seuserdel, etc. instead of useradd and userdel? 3) Where the heck is the SELinux audit file? Try as much as I could, I can't find it. Every document references it, but none I have found actually refer to it by path/filename. 4) I know you guys discuss policy problems all the time, from the viewpoint of their AVC log events, but I'd like to see what one of these AVC log events looks like on my system. 
In particular, I have a Fedora Core 3 Workstation installation running the targeted policy in enforcing mode. I'd appreciate a simple test I could perform that would generate an AVC log entry, some idea on how to look for the log entry, and some idea about how to analyze the log entry. I know, blasphemy. But there are three ways that adults learn: 1. Visual: people who learn by seeing it done. 2. Auditory: people who learn by hearing. 3. Kinesthetic: people who learn by doing (touch and body movement). I'm a #3. 5) Does it make sense to have a Workstation installation with the "strict" policy? Under what circumstances? I am putting instructions together for people in my Lab on how to install and use Fedora Core 3. One of the early lessons I want to document is some simple instructions on how to use SELinux. Then, as other instructions are written for other Lab-oriented tasks, I would integrate SELinux into these instructions. The people in the Lab are responsible for maintaining their various computers, so knowledge about SELinux appears necessary. If I can't understand it and explain it to them, things are going to get messy. Thanks for the help. -- David Hart From mike at navi.cx Thu Dec 30 22:43:03 2004 
From: mike at navi.cx (Mike Hearn) Date: Thu, 30 Dec 2004 22:43:03 +0000 Subject: Head-banging targets, please References: <1104445584.3312.100.camel@Eng-Lab-002> Message-ID: On Thu, 30 Dec 2004 16:26:24 -0600, David Hart wrote: > I need help understanding SELinux! Me too! But I seem to be a bit further along, so I'll see if I can help. > I've read just about every on-line SELinux article I can find, and I am > getting progressively more confused as I read more. Following along in > these articles on a Fedora Core 3 system, reading documents written for > Fedora Core 2 Test 3 and before, is confusing. The older the document, > the more my installation fails to match the documentation. Yes it is unfortunate that the documentation ages so quickly, but this is I think unavoidable. SELinux is still quite a new technology and has a lot of maturing to do. It also doesn't help that Fedora have patched upstream SElinux extensively in the process of actually making it usable, for instance they've made a lot of stuff more automatic. I believe these patches are being folded back in upstream, but the problem with doing it "upside down" like this is that the official docs which most people find first do not correspond to an actual FC3 installation, which is what most people are actually playing with SELinux on. I do not know why these patches weren't developed upstream then pulled down as they became ready. I guess there are good reasons. > And, the answers to some basic questions: > 1) Why does a Fedora Core 3 installation, with SELinux "Active" or > "Warn", not install selinux-policy-targeted-sources? I kept > pulling my hair out (little that there is) when trying to find: > /etc/selinux/targeted/src/policy > All the documents referred to this directory, and it was VERY > confusing not to find it. This directory should at least be an > empty directory after a fresh install. They're quite large and not needed for SELinux to function. 
It's unfortunate that the docs assume it's installed, but it's quite a common mistake (eg instructions that tell you to compile software assuming the dev tools are installed, very common Linux newbie mistake). > 2) Are the setools and setools-gui packages required to be used on a > SELinux enabled system? If so, why are they not installed when > SELinux is installed? In particular, I am very confused about how > to create new users and new groups. It looks like I need to update > our in-house instructions to use seuseradd, seuserdel, etc. instead > of useradd and userdel? I don't think they are required. On Fedora I think the standard commands like su etc were patched to use SELinux automatically, so a standard "useradd" should do the trick. > 3) Where the heck is the SELinux audit file? Try as much as I could, > I can't find it. Every document references it, but none I have > found actually refer to it by path/filename. If you mean where AVCs are logged that'd be /var/log/messages. > 4) I know you guys discuss policy problems all the time, from the > viewpoint of their AVC log events, but I'd like to see what one of > these AVC log events looks like on my system. Here is one from mine: Dec 30 22:40:39 littlegreen kernel: audit(1104446439.698:0): avc: denied { search } for pid=4659 exe=/sbin/ldconfig name=lib dev=hdd2 ino=4244688 scontext=user_u:system_r:ldconfig_t tcontext=user_u:object_r:file_t tclass=dir You can get the same error by creating a directory eg ~/.local/lib, dropping a library in there then running: /sbin/ldconfig -n . which should create some magic symlinks for the linker to use, but with policy as of December 30th 2004 this generates an AVC. > 5) Does it make sense to have a Workstation installation with the > "strict" policy? Under what circumstances? Probably not. Strict seems to be under heavy development still. There seem to be issues with targeted policy still judging by the above test! That ldconfig command should not have failed. 
> I am putting instructions together for people in my Lab on how to > install and use Fedora Core 3. One of the early lessons I want to > document is some simple instructions on how to use SELinux. Then, as > other instructions are written for other Lab-oriented tasks, I would > integrate SELinux into these instructions. The people in the Lab are > responsible for maintaining their various computers, so knowledge about > SELinux appears necessary. If I can't understand it and explain it to > them, things are going to get messy. For now I think it's best to ignore SELinux and assume it'll work in the background, even if sometimes it doesn't for whatever reason. You need to know about SELinux for effective system administration, or will in future, and perhaps also for software development. But regular users should be able to ignore it and just enjoy the benefits. thanks -mike From kwade at redhat.com Fri Dec 31 01:03:40 2004 
From: kwade at redhat.com (Karsten Wade) Date: Thu, 30 Dec 2004 17:03:40 -0800 Subject: Head-banging targets, please In-Reply-To: <1104445584.3312.100.camel@Eng-Lab-002> References: <1104445584.3312.100.camel@Eng-Lab-002> Message-ID: <1104455021.29100.30.camel@erato.phig.org> On Thu, 2004-12-30 at 16:26 -0600, David Hart wrote: > I need help understanding SELinux! > > I've read just about every on-line SELinux article I can find, and I am > getting progressively more confused as I read more. Following along in > these articles on a Fedora Core 3 system, reading documents written for > Fedora Core 2 Test 3 and before, is confusing. The older the document, > the more my installation fails to match the documentation. The Fedora docs project needs writers and content. While the FAQ is (relatively) up-to-date for FC3, we need more HOWTO documentation. If you know any writers who want to tackle SELinux tutorials, send them over to fedora-docs-list, I'll do what I can to get them started. > I need a starting place, some things to look at once I have my Fedora > Core 3 installation running. Some simple things, some that work > correctly, some that fail and I can learn how to track down and fix. > > And, the answers to some basic questions: > 1) Why does a Fedora Core 3 installation, with SELinux "Active" or > "Warn", not install selinux-policy-targeted-sources? I kept > pulling my hair out (little that there is) when trying to find: > /etc/selinux/targeted/src/policy > All the documents referred to this directory, and it was VERY > confusing not to find it. This directory should at least be > an empty directory after a fresh install. In the first "Tip" near the top of http://fedora.redhat.com/docs/selinux-faq-fc3/ is a link to a pre-filled "bugzilla template". Use that to fill out a bug, severity: Feature. I'll then include this question in the FAQ. 
To answer you, there are several reasons for the policy source not being installed by default: * As with the rest of Fedora Core, SELinux needs to be able to run with just a binary policy present and no source installed. This is why they are separate packages. * Updating the policy does different things depending on if you have the source installed. If you have only the binary policy, i.e., the default supported environment, you only have to update the binary policy at /etc/selinux/targeted/policy/policy.version. If you have the policy source installed, it may be because you are customizing the policy, and rpm needs to be careful not to clobber your changes. Others can contribute further reasons. > 2) Are the setools and setools-gui packages required to be used on a > SELinux enabled system? If so, why are they not installed when > SELinux is installed? In particular, I am very confused about how > to create new users and new groups. It looks like I need to update > our in-house instructions to use seuseradd, seuserdel, etc. instead > of useradd and userdel? You do not, unless you plan on customizing policy to divide users to be controlled by SELinux. SELinux maintains its own set of users, e.g., all untrusted users are part of user_u. Under the targeted policy, aiui the user is generally not controlled. > 3) Where the heck is the SELinux audit file? Try as much as I could, > I can't find it. Every document references it, but none I have > found actually refer to it by path/filename. aiui, this is just /var/log/messages. Flask is a framework, and the documentation tends to be vague about particulars like where you choose to put audit logs. SELinux, the implementation of Flask, generally uses /var/log/messages, but I'm sure even that could be different if you wanted. > 4) I know you guys discuss policy problems all the time, from the > viewpoint of their AVC log events, but I'd like to see what one of > these AVC log events looks like on my system. 
In particular, I > have a Fedora Core 3 Workstation installation running the targeted > policy in enforcing mode. I'd appreciate a simple test I could > perform that would generate an AVC log entry, some idea on how to > look for the log entry, and some idea about how to analyze the log > entry. This should work with a default targeted policy: 1. In one terminal, 'su - root' and 'tail -f /var/log/messages' 2. In another term, as a normal user, type 'chcon -t unlabeled_t /etc/httpd/conf/httpd.conf' -- this is trying to change the file context of httpd.conf, specifically the type attribute. You should get an error such as: [auser at urania ~]$ chcon -t unlabeled_t /etc/httpd/conf/httpd.conf chcon: failed to change context of /etc/httpd/conf/httpd.conf to system_u:object_r:unlabeled_t: Operation not permitted 3. You'll notice that no error is generated in /var/log/messages. This is because normal UNIX security has intercepted the command; normal user permissions has blocked the user from writing to the file attributes. SELinux is not reached, so no AVC error is generated. 4. In the second term, 'su - root' and 'chcon -t unlabeled_t /etc/httpd/conf/httpd.conf'. You should get an error such as: [root at urania policy]# chcon -t unlabeled_t /etc/httpd/conf/httpd.conf chcon: failed to change context of /etc/httpd/conf/httpd.conf to system_u:object_r:unlabeled_t: Permission denied Note the permission denied -- UNIX ownership said it was OK to change this file, but SELinux rules said no. 5. Look in the log and you will see this denial message: Dec 30 15:01:40 urania kernel: audit(1104447700.246:0): avc: denied { associate } for pid=26444 exe=/usr/bin/chcon name=httpd.conf dev=dm-0 ino=1018443 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem * The action denied is an "associate", i.e., trying to associate a new file attribute with the target file. 
* The process is exe=/usr/bin/chcon * The file acted upon (object) is name=httpd.conf at ino=1018443 (sometimes it's useful to have the inode). * The source context scontext=system_u:object_r:unlabeled_t is trying to be associated with a target context tcontext=system_u:object_r:fs_t. fs_t is the default type for conventional file systems. AIUI, the policy does not allow a user to change the type of a file on the file system to unlabeled_t. The denial is happening at the file system level before getting to the file itself. [This is where someone with more understanding of the policy specifics steps in with the final detail ;-) ] The reason I picked httpd.conf is that it is a file that the user is denied UNIX permissions, but root should be able to manipulate. > I know, blasphemy. But there are three ways that adults > learn: > 1. Visual: people who learn by seeing it done. > 2. Auditory: people who learn by hearing. > 3. Kinesthetic: people who learn by doing (touch and body > movement). > I'm a #3. In a freeform, off-topic discussion, I'd posit more than three. :) > 5) Does it make sense to have a Workstation installation with the > "strict" policy? Under what circumstances? I can think of usage scenarios. 1. Kiosks 2. Library Web browser machines 3. Specific lab usages The first two seem reasonable right now, based on my understanding of the policy for Mozilla et al. In fact, strict policy will likely just work for a machine dedicated to Web browsing, email, and light office productivity. YMMV. :) The third would require a tight requirement spec and work to customize the policy, I'd reckon. > I am putting instructions together for people in my Lab on how to > install and use Fedora Core 3. One of the early lessons I want to > document is some simple instructions on how to use SELinux. Then, as > other instructions are written for other Lab-oriented tasks, I would > integrate SELinux into these instructions. 
The people in the Lab are > responsible for maintaining their various computers, so knowledge about > SELinux appears necessary. If I can't understand it and explain it to > them, things are going to get messy. There is not much they should bump up against. Said as a user of FC3 with SELinux. If you want to have them serve content from ~/public_html, you may need to educate them on using 'chcon' to fix the labels on files they put in there. If you want to have them execute their own Web scripts, you can likely configure it so that it mainly works from their standpoint. - Karsten -- Karsten Wade, RHCE, Sr. Tech Writer a lemon is just a melon in disguise http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41 From dwalsh at redhat.com Fri Dec 31 03:43:54 2004 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 30 Dec 2004 22:43:54 -0500 Subject: syslog-ng non-standard install generating AVC In-Reply-To: References: Message-ID: <41D4CAFA.2040601@redhat.com> You could add these lines to syslog.te can_exec(syslog_t, { bin_t shell_exec_t } ) allow syslogd_t etc_runtime_t:file { getattr read }; allow syslogd_t proc_kmsg_t:file write; allow syslogd_t proc_t:file { getattr read }; allow syslogd_t sbin_t:dir search; allow syslogd_t self:capability { chown fowner fsetid sys_admin }; There is some directory in /usr that needs to be relabeled syslogd_var_run_t to eliminate the following allow syslogd_t usr_t:dir { add_name remove_name write }; allow syslogd_t usr_t:file { append create getattr read setattr unlink write }; From dwalsh at redhat.com Fri Dec 31 03:52:02 2004 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 30 Dec 2004 22:52:02 -0500 Subject: SELinux and third party installers In-Reply-To: References: Message-ID: <41D4CCE2.4030200@redhat.com> Mike Hearn wrote: >Hi, > >I have a couple of questions. The first is that in the FC3 targeted >policy, it appears that ldconfig cannot write to user_home_t directories. >Why is this? It appears to be a restriction with no purpose, and some >programs rely on this to work. In fact I see from the archives that >ldconfig not being able to write or search certain directories has come up >before. > >The second question is what impact SELinux will have on third party >installers. It seems from the nVidia thread that currently if you copy >files onto the system using "cp", this is the wrong way to do it and it >will break people's SELinux setups. This surely cannot be correct: that'd >break pretty much every third party installer (eg Loki Setup, >etc) out there! > > > Yes install and rpm are the only options right now. Not sure how dpkg works on debian. Your other option is to use cp and then run restorecon. The problem is similar to DAC, in that you have to specify the file context associated with the file, the same way you need to specify file permission for Discretionary Access Control. In most cases the default behavior is that the file picks up the protection of the directory that you are copying into. Or the context of the file you are replacing. The problem is that sometimes files like shared libraries need a different file context (shlib_t) than the directory they are being copied to (lib_t). RPM and now install have the smarts to handle this. mv and cp do not. And it is arguable that they shouldn't. Imagine using cp/mv to copy a sensitive piece of data. If they changed the context without you knowing they could allow the sensitive data to be exposed. 
>If this is the case and this rather questionable decision is not reversed, >is using "install" the correct way to go about things on *every* SELinux >enabled distro, or is that a Fedora custom thing? It's a bit worrying how >much Fedora SELinux seems to differ from upstream, is this something that >will get better with time? > > What do you base this on? Fedora is where most of the SELinux development has been going on. >thanks -mike > >-- >fedora-selinux-list mailing list >fedora-selinux-list at redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > From dwalsh at redhat.com Fri Dec 31 03:59:55 2004 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 30 Dec 2004 22:59:55 -0500 Subject: postgresql pg_dump won't run In-Reply-To: <41D42072.2090304@avtechpulse.com> References: <41D42072.2090304@avtechpulse.com> Message-ID: <41D4CEBB.7070600@redhat.com> Dr. Michael J. Chudobiak wrote: > Hi, > > I've just installed selinux on my FC3 server using the targeted > policy, and everything went well except that I can no longer run > /usr/bin/pg_dumpall as a root cron job for backing up postgresql > databases. I get this sort of log message, even if I run > pg_dump/pg_dumpall as the postgres user: > > > Dec 30 10:17:01 server2 kernel: audit(1104419821.285:0): avc: denied > { execute_no_trans } for pid=24740 exe=/bin/bash > path=/usr/bin/pg_dump dev=md0 ino=346137 > scontext=user_u:system_r:postgresql_t > tcontext=system_u:object_r:postgresql_exec_t tclass=file > > > For now, I've disabled the postgres protection using > system-config-security-level, and it works fine - but postgresql is > unprotected of course. > > Is there a way of running pg_dump and pg_dumpall under selinux, > without abandoning or rewriting the targeted policy? > > > - Mike > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list Grab selinux-policy-targeted-1.17.30-2.62 off of ftp://people.redhat.com/dwalsh/SELinux/FC3 From uproot at sbcglobal.net Fri Dec 31 04:25:40 2004 
From: uproot at sbcglobal.net (Vincent) Date: Thu, 30 Dec 2004 20:25:40 -0800 Subject: Head-banging targets, please In-Reply-To: <1104445584.3312.100.camel@Eng-Lab-002> References: <1104445584.3312.100.camel@Eng-Lab-002> Message-ID: <1104467140.8264.9.camel@turtle.localdomain> On Thu, 2004-12-30 at 16:26 -0600, David Hart wrote: > I need help understanding SELinux! > > I've read just about every on-line SELinux article I can find, and I am > getting progressively more confused as I read more. Following along in > these articles on a Fedora Core 3 system, reading documents written for > Fedora Core 2 Test 3 and before, is confusing. The older the document, > the more my installation fails to match the documentation. > > I need a starting place, some things to look at once I have my Fedora > Core 3 installation running. Some simple things, some that work > correctly, some that fail and I can learn how to track down and fix. Have you read "NSA's Open Source Security Enhanced Linux" By O'reilly? http://www.oreilly.com/catalog/selinux/ I have the E-book and you can find it on google with little trouble. Someone was supposed to get it for me for Christmas, but lo and behold.. socks! From mike at navi.cx Fri Dec 31 13:42:48 2004 
From: mike at navi.cx (Mike Hearn)
Date: Fri, 31 Dec 2004 13:42:48 +0000
Subject: SELinux and third party installers
References: <41D4CCE2.4030200@redhat.com>
Message-ID:

On Thu, 30 Dec 2004 22:52:02 -0500, Daniel J Walsh wrote:
> The problem is that sometimes files like shared libraries need a different
> file context (shlib_t)
> than the directory they are being copied to (lib_t). RPM and now
> install have the smarts to handle this. mv and cp do not.

I see. What happens if you create a file in a lib_t directory using the
standard POSIX APIs? I looked at the Loki setup sources and it doesn't use
"cp" directly of course, it just opens files and copies them using a
read/write loop.

What happens if a library is put in a directory that isn't lib_t, and the
DSO is not marked as shlib_t? Does the linker refuse to link it? Or is it
just that ldconfig cannot read them? I have a game here where it uses
libraries marked as file_t, and it seems to work when using
LD_LIBRARY_PATH, which makes me happier :) Most third party programs do
not rely on the linker cache anyway, so I suppose this is a good thing.

> What do you base this on? Fedora is where most of the SELinux
> development has been going on.

Yes, I mean it's hard to find out how Fedora differs from Debian or Gentoo
SELinux-wise. If I use "install" does this only work on Fedora? Or is this
something that will eventually be merged into other distributions too?
What about the pam_selinux module, is that used elsewhere, or on other
distros must I remember to use the SELinux su equivalent as well? (I
forgot its name ...)

thanks
-mike

From kwade at redhat.com Fri Dec 31 18:50:09 2004
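The point behind Dan's "mv and cp do not" and Mike's POSIX-API question is where a new file's type comes from. Absent a type_transition rule, the kernel labels a newly created inode with its parent directory's type; it never reads file_contexts. Tools such as rpm, an SELinux-aware install(1), or restorecon get shlib_t onto a library under a lib_t directory by doing a matchpathcon-style lookup against file_contexts and setting the label explicitly. The script below is an added example, not code from this thread, from libselinux or from coreutils: it models both paths, then runs a restorecon -n style comparison over a constructed install tree. The file_contexts entries are constructed to resemble the FC3 targeted policy's, not copied from it; the installer paths and the hypothetical game are made up for the example.

```python
"""Where a new file's type comes from: kernel default versus file_contexts.

Added example; not code from this thread, from libselinux or from
coreutils. A file written with plain open()/write() (cp, mv, the Loki
installer's read/write loop) is labelled by the kernel with its parent
directory's type, since the kernel never reads file_contexts (a
type_transition rule could change that and is ignored here). A tool doing
a matchpathcon(3)-style lookup (rpm, SELinux-aware install(1), restorecon)
sets the type from the last file_contexts entry whose regex matches the
whole path. The entries below are constructed to resemble the FC3
targeted file_contexts, not copied from it.
"""
import re

# Constructed file_contexts fragment: regex, optional file-type flag, context.
# The regex must match the whole path; "--" limits an entry to regular files.
FILE_CONTEXTS = r"""
/.*                                            system_u:object_r:default_t
/usr/lib(64)?(/.*)?                            system_u:object_r:lib_t
/usr/lib(64)?(/.*)?/lib[^/]*\.so(\.[^/]*)*  --  system_u:object_r:shlib_t
"""

FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink"}


def parse_file_contexts(text):
    """[(compiled regex, flag or None, context)] in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, context = parts
        elif len(parts) == 2:
            (regex, context), flag = parts, None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append((re.compile(regex), flag, context))
    return specs


def matchpathcon(path, kind, specs):
    """Type a matchpathcon-style lookup gives `path` (kind: file/dir/symlink).

    Entries are tried from the bottom of the file up, so the last matching
    entry wins; that is what lets the shlib_t line override lib_t.
    """
    for regex, flag, context in reversed(specs):
        if flag is not None and FTYPE_FLAGS[flag] != kind:
            continue
        if regex.fullmatch(path):
            return context.split(":")[2]
    return None


def create_by_copy(parent_type, paths):
    """Types after open()/write() under a directory of parent_type."""
    return {p: parent_type for p in paths}


def create_by_install(paths, specs):
    """Types after an SELinux-aware install(1), which labels per lookup."""
    return {p: matchpathcon(p, "file", specs) for p in paths}


def restorecon_dry_run(labels, specs):
    """Like restorecon -n: (path, current, wanted) where the types differ."""
    mismatches = []
    for path, current in sorted(labels.items()):
        wanted = matchpathcon(path, "file", specs)
        if wanted != current:
            mismatches.append((path, current, wanted))
    return mismatches


# Constructed scenario: a game installer creates /usr/lib/game with mkdir()
# under /usr/lib (lib_t) and then copies two files into it.
GAME_FILES = ["/usr/lib/game/libgame.so.1", "/usr/lib/game/data.pak"]


def demo():
    specs = parse_file_contexts(FILE_CONTEXTS)
    copied = create_by_copy("lib_t", GAME_FILES)      # what cp/mv/Loki leave behind
    installed = create_by_install(GAME_FILES, specs)  # what install/rpm leave behind
    return restorecon_dry_run(copied, specs), restorecon_dry_run(installed, specs)


if __name__ == "__main__":
    after_copy, after_install = demo()
    print("copy   :", after_copy)
    print("install:", after_install)
```

Run stand-alone it reports that the copied library sits at lib_t where the lookup wants shlib_t, while the data file is fine either way, and that an install-style labelling leaves nothing for restorecon to fix. The same comparison is what `restorecon -nv` does on a real tree, so that is the check to run after any third-party installer that copies files with its own read/write loop.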
From: kwade at redhat.com (Karsten Wade)
Date: Fri, 31 Dec 2004 10:50:09 -0800
Subject: syslog-ng non-standard install generating AVC
In-Reply-To: <41D4CAFA.2040601@redhat.com>
References: <41D4CAFA.2040601@redhat.com>
Message-ID: <1104519010.29100.50.camel@erato.phig.org>

On Thu, 2004-12-30 at 22:43 -0500, Daniel J Walsh wrote:
> You could add these lines to syslog.te

Will it work to add them to local.te?

> can_exec(syslog_t, { bin_t shell_exec_t } )
> allow syslogd_t etc_runtime_t:file { getattr read };
> allow syslogd_t proc_kmsg_t:file write;
> allow syslogd_t proc_t:file { getattr read };
> allow syslogd_t sbin_t:dir search;
> allow syslogd_t self:capability { chown fowner fsetid sys_admin };

I see these and a few more from using audit2allow. How did you decide
which to use? Does can_exec() replace some of the rules? These ones, at
least:

allow syslogd_t bin_t:file { execute execute_no_trans getattr read };
allow syslogd_t shell_exec_t:file { execute execute_no_trans getattr read };

> There is some directory in /usr that needs to be relabeled
> syslogd_var_run_t to eliminate the following
>
> allow syslogd_t usr_t:dir { add_name remove_name write };
> allow syslogd_t usr_t:file { append create getattr read setattr unlink
> write };

In other words, relabel the directory in /usr so that these rules are not
needed?

thx - Karsten

-- 
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
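Both the pg_dump report earlier in this digest and Karsten's audit2allow question come down to the same mechanical step: turn "avc: denied { perms } ... scontext=... tcontext=... tclass=..." lines into allow rules, then notice which of those rules a policy macro already covers. The script below is an added example, not the list's code and not the real audit2allow: it parses the 2.6-era syslog AVC format quoted in this thread, merges denials per (source type, target type, class), and folds file rules into can_exec() when they ask for execute_no_trans and nothing outside the macro's expansion, which yields the `can_exec(syslogd_t, { bin_t shell_exec_t })` form Dan's reply uses. The expansion assumed for can_exec($1, $2), { read getattr lock ioctl execute execute_no_trans }, is rx_file_perms plus execute_no_trans as in the 2004 example policy macros; check macros/global_macros.te in your own tree. The first sample line is the pg_dump denial quoted above; the syslogd_t lines and the crond line are constructed.

```python
"""audit2allow-style aggregation of AVC denials, with can_exec() folding.

Added example; not the thread's code and not the real audit2allow. The
can_exec() expansion below is an assumption about the 2004 example
policy's rx_file_perms plus execute_no_trans; verify against your tree.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
CAN_EXEC_PERMS = frozenset({"read", "getattr", "lock", "ioctl", "execute", "execute_no_trans"})


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_avc(line):
    """(stype, ttype, tclass, perms) for a denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("kv")))
    if not all(k in kv for k in ("scontext", "tcontext", "tclass")):
        return None
    return type_of(kv["scontext"]), type_of(kv["tcontext"]), kv["tclass"], set(m.group("perms").split())


def aggregate(lines):
    """Merge denials into {(stype, ttype, tclass): perms}, as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def _set(items):
    """Policy-language set syntax: one item bare, several inside braces."""
    items = list(items)
    return items[0] if len(items) == 1 else "{ " + " ".join(items) + " }"


def render(rules):
    """Policy lines. A file rule that needs execute_no_trans and asks for
    nothing outside can_exec()'s expansion folds into one can_exec() per
    source type; everything else stays a plain allow rule."""
    can_exec = defaultdict(list)
    plain = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if tclass == "file" and "execute_no_trans" in perms and perms <= CAN_EXEC_PERMS:
            can_exec[stype].append(ttype)
            continue
        target = "self" if ttype == stype else ttype
        plain.append(f"allow {stype} {target}:{tclass} {_set(sorted(perms))};")
    return [f"can_exec({s}, {_set(t)})" for s, t in sorted(can_exec.items())] + plain


def _avc(perms, scontext, tcontext, tclass):
    """Constructed denial line in the same kernel format (not from the thread)."""
    return (f"kernel: audit(1104519001.000:0): avc: denied {{ {perms} }} for pid=901 "
            f"exe=/usr/sbin/syslog-ng scontext={scontext} tcontext={tcontext} tclass={tclass}")


SAMPLE_AVCS = [
    # Quoted from the pg_dump report in this thread.
    "Dec 30 10:17:01 server2 kernel: audit(1104419821.285:0): avc: denied "
    "{ execute_no_trans } for pid=24740 exe=/bin/bash path=/usr/bin/pg_dump "
    "dev=md0 ino=346137 scontext=user_u:system_r:postgresql_t "
    "tcontext=system_u:object_r:postgresql_exec_t tclass=file",
    # Constructed syslogd_t lines that reproduce the rules audit2allow gave Karsten.
    _avc("read", "system_u:system_r:syslogd_t", "system_u:object_r:bin_t", "file"),
    _avc("execute", "system_u:system_r:syslogd_t", "system_u:object_r:bin_t", "file"),
    _avc("execute_no_trans getattr", "system_u:system_r:syslogd_t", "system_u:object_r:bin_t", "file"),
    _avc("execute execute_no_trans getattr read", "system_u:system_r:syslogd_t",
         "system_u:object_r:shell_exec_t", "file"),
    _avc("search", "system_u:system_r:syslogd_t", "system_u:object_r:sbin_t", "dir"),
    _avc("write add_name", "system_u:system_r:syslogd_t", "system_u:object_r:usr_t", "dir"),
    _avc("sys_admin", "system_u:system_r:syslogd_t", "system_u:system_r:syslogd_t", "capability"),
    # A constructed non-AVC log line, which parse_avc() must ignore.
    "Dec 30 10:17:01 server2 crond[24739]: (root) CMD (/usr/bin/pg_dumpall)",
]


def audit2allow(lines=SAMPLE_AVCS):
    return render(aggregate(lines))


if __name__ == "__main__":
    print("\n".join(audit2allow()))
```

Two things the thread itself makes clear and the script cannot: the output is a record of what was denied, not a recommendation. For pg_dump the mechanical result is a can_exec(postgresql_t, postgresql_exec_t), but Dan's answer was an updated selinux-policy-targeted package rather than a local rule; for syslog-ng the usr_t rules point at a directory that should be relabeled syslogd_var_run_t, after which those denials go away without any new allow line. Folding into can_exec() also grants lock and ioctl that the denials never asked for, which is the usual trade-off of using the macro.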
