From russell at coker.com.au Fri Oct 1 14:58:36 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 2 Oct 2004 00:58:36 +1000
Subject: "Stateless Linux" project
In-Reply-To: <1095100955.5481.14.camel@localhost.localdomain>
References: <1095100955.5481.14.camel@localhost.localdomain>
Message-ID: <200410020058.36502.russell@coker.com.au>

On Tue, 14 Sep 2004 04:42, Havoc Pennington wrote:
> Red Hat engineering is starting a new project we're calling
> "stateless Linux" for lack of a better name - some components of this

One thing that needs to be done early on is to extend rsync to support
copying XATTRs so it can set the SE Linux context on the files.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From selinux at gmail.com Sat Oct 2 21:28:30 2004
From: selinux at gmail.com (Tom London)
Date: Sat, 2 Oct 2004 14:28:30 -0700
Subject: mDNSResponder running in user_t
Message-ID: <4c4ba15304100214281727097a@mail.gmail.com>

Running strict/enforcing, off of latest Rawhide.

'ps agxZ' yields:
system_u:system_r:rpcd_t     2419 ?  Ss   0:00 rpc.statd
system_u:system_r:rpcd_t     2447 ?  Ss   0:00 rpc.idmapd
user_u:user_r:user_t         2551 ?  Ssl  0:00 mDNSResponder
system_u:system_r:fsdaemon_t 2563 ?  S    0:00 /usr/sbin/smartd

Should mDNSResponder be running as user_u:user_r:user_t?
daemon_base_domain() generates a
domain_auto_trans(initrc_t, howl_exec_t, howl_t)

So, should it be running in howl_t?

It gets started from /etc/rc.d/init.d/mDNSResponder:
    su -s /bin/bash - nobody -c mDNSResponder $OTHER_MDNSRD_OPTS > /dev/null

That right?
	tom
--
Tom London

From himainu-ynakam at miomio.jp Sat Oct 2 21:49:56 2004
From: himainu-ynakam at miomio.jp (Yuichi Nakamura)
Date: Sat, 02 Oct 2004 17:49:56 -0400
Subject: user_t daemons(Re: mDNSResponder running in user_t)
In-Reply-To: <4c4ba15304100214281727097a@mail.gmail.com>
References: <4c4ba15304100214281727097a@mail.gmail.com>
Message-ID: <200410022150.i92LoCpt020920@mms-r00.iijmio.jp>

I found iiim(htt_server) is also running as "user_t".
Daemon programs started using su run as "user_t".

A transition like
initrc_t(initrc script)->su_exec_t->initrc_su_t(su)->user_t(daemon)
is happening.

I think the su command or initscripts or daemon should be fixed.

Tom London wrote:
> Running strict/enforcing, off of latest Rawhide.
>
> 'ps agxZ' yields:
> system_u:system_r:rpcd_t     2419 ?  Ss   0:00 rpc.statd
> system_u:system_r:rpcd_t     2447 ?  Ss   0:00 rpc.idmapd
> user_u:user_r:user_t         2551 ?  Ssl  0:00 mDNSResponder
> system_u:system_r:fsdaemon_t 2563 ?  S    0:00 /usr/sbin/smartd
>
> Should mDNSResponder be running as user_u:user_r:user_t?
> daemon_base_domain() generates a
> domain_auto_trans(initrc_t, howl_exec_t, howl_t)
>
> So, should it be running in howl_t?
>
> It gets started from /etc/rc.d/init.d/mDNSResponder:
>     su -s /bin/bash - nobody -c mDNSResponder $OTHER_MDNSRD_OPTS > /dev/null
>
> That right?
> 	tom
> --
> Tom London
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
  http://www.selinux.gr.jp/
Hitachi Software
  http://www.selinux.hitachi-sk.co.jp/en
The George Washington University

From walters at verbum.org Sat Oct 2 22:16:14 2004
From: walters at verbum.org (Colin Walters)
Date: Sat, 02 Oct 2004 18:16:14 -0400
Subject: SELinux talk
Message-ID: <1096755374.4420.5.camel@nexus.verbum.private>

Thanks everyone who attended the SELinux talk at Ohio LinuxFest, there
seemed to be a lot of interest from people afterwards about it.
I've put the slides up here:
http://web.verbum.org/selinux/linuxfest/img0.html

Since we ran out of time and couldn't get to any questions, feel free to
ask them here, on one of the mailing lists above.

Thanks again, hopefully see you next year!

From rhally at mindspring.com Sat Oct 2 22:19:34 2004
From: rhally at mindspring.com (Richard Hally)
Date: Sat, 02 Oct 2004 18:19:34 -0400
Subject: mDNSResponder running in user_t
In-Reply-To: <4c4ba15304100214281727097a@mail.gmail.com>
References: <4c4ba15304100214281727097a@mail.gmail.com>
Message-ID: <415F2976.4000104@mindspring.com>

Tom London wrote:
> Running strict/enforcing, off of latest Rawhide.
>
> 'ps agxZ' yields:
> system_u:system_r:rpcd_t     2419 ?  Ss   0:00 rpc.statd
> system_u:system_r:rpcd_t     2447 ?  Ss   0:00 rpc.idmapd
> user_u:user_r:user_t         2551 ?  Ssl  0:00 mDNSResponder
> system_u:system_r:fsdaemon_t 2563 ?  S    0:00 /usr/sbin/smartd
>
> Should mDNSResponder be running as user_u:user_r:user_t?
> daemon_base_domain() generates a
> domain_auto_trans(initrc_t, howl_exec_t, howl_t)
>
> So, should it be running in howl_t?
>
> It gets started from /etc/rc.d/init.d/mDNSResponder:
>     su -s /bin/bash - nobody -c mDNSResponder $OTHER_MDNSRD_OPTS > /dev/null
>
> That right?
> 	tom

Dan Walsh has come up with a new program called "runuser" (in the latest
coreutils) that is intended to replace "su" in these situations (e.g. init
scripts). Try replacing "su" with "runuser" in the script and see what
happens.

HTH
Richard Hally

From rhally at mindspring.com Sat Oct 2 22:23:21 2004
From: rhally at mindspring.com (Richard Hally)
Date: Sat, 02 Oct 2004 18:23:21 -0400
Subject: user_t daemons(Re: mDNSResponder running in user_t)
In-Reply-To: <200410022150.i92LoCpt020920@mms-r00.iijmio.jp>
References: <4c4ba15304100214281727097a@mail.gmail.com> <200410022150.i92LoCpt020920@mms-r00.iijmio.jp>
Message-ID: <415F2A59.7030906@mindspring.com>

Yuichi Nakamura wrote:
> I found iiim(htt_server) is also running as "user_t".
> Daemon programs started using su run as "user_t".
>
> A transition like
> initrc_t(initrc script)->su_exec_t->initrc_su_t(su)->user_t(daemon)
> is happening.
>
> I think the su command or initscripts or daemon should be fixed.
>
> Tom London wrote:
> > Running strict/enforcing, off of latest Rawhide.
> >
> > 'ps agxZ' yields:
> > system_u:system_r:rpcd_t     2419 ?  Ss   0:00 rpc.statd
> > system_u:system_r:rpcd_t     2447 ?  Ss   0:00 rpc.idmapd
> > user_u:user_r:user_t         2551 ?  Ssl  0:00 mDNSResponder
> > system_u:system_r:fsdaemon_t 2563 ?  S    0:00 /usr/sbin/smartd
> >
> > Should mDNSResponder be running as user_u:user_r:user_t?
> > daemon_base_domain() generates a
> > domain_auto_trans(initrc_t, howl_exec_t, howl_t)
> >
> > So, should it be running in howl_t?
> >
> > It gets started from /etc/rc.d/init.d/mDNSResponder:
> >     su -s /bin/bash - nobody -c mDNSResponder $OTHER_MDNSRD_OPTS > /dev/null
> >
> > That right?
> > 	tom
> > --
> > Tom London
>
> ---
> Yuichi Nakamura
> Japan SELinux Users Group(JSELUG)
>   http://www.selinux.gr.jp/
> Hitachi Software
>   http://www.selinux.hitachi-sk.co.jp/en
> The George Washington University

Dan Walsh has come up with a new program called "runuser" (in the latest
coreutils) that is intended to replace "su" in these situations (e.g. init
scripts). Try replacing "su" with "runuser" in the script and see what
happens.
HTH
Richard Hally

From selinux at gmail.com Sat Oct 2 22:33:56 2004
From: selinux at gmail.com (Tom London)
Date: Sat, 2 Oct 2004 15:33:56 -0700
Subject: mDNSResponder running in user_t
In-Reply-To: <415F2976.4000104@mindspring.com>
References: <4c4ba15304100214281727097a@mail.gmail.com> <415F2976.4000104@mindspring.com>
Message-ID: <4c4ba15304100215335e8f92e3@mail.gmail.com>

Yup. That seems to fix it. mDNSResponder now transitions to howl_t.

I'll file a bugzilla against howl:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134456

thanks,
	tom

On Sat, 02 Oct 2004 18:19:34 -0400, Richard Hally wrote:
>
> Tom London wrote:
> > Running strict/enforcing, off of latest Rawhide.
> >
> > 'ps agxZ' yields:
> > system_u:system_r:rpcd_t     2419 ?  Ss   0:00 rpc.statd
> > system_u:system_r:rpcd_t     2447 ?  Ss   0:00 rpc.idmapd
> > user_u:user_r:user_t         2551 ?  Ssl  0:00 mDNSResponder
> > system_u:system_r:fsdaemon_t 2563 ?  S    0:00 /usr/sbin/smartd
> >
> > Should mDNSResponder be running as user_u:user_r:user_t?
> > daemon_base_domain() generates a
> > domain_auto_trans(initrc_t, howl_exec_t, howl_t)
> >
> > So, should it be running in howl_t?
> >
> > It gets started from /etc/rc.d/init.d/mDNSResponder:
> >     su -s /bin/bash - nobody -c mDNSResponder $OTHER_MDNSRD_OPTS > /dev/null
> >
> > That right?
> > 	tom
>
> Dan Walsh has come up with a new program called "runuser" (in the
> latest coreutils) that is intended to replace "su" in these situations
> (e.g. init scripts). Try replacing "su" with "runuser" in the script
> and see what happens.
> HTH
> Richard Hally
>

--
Tom London

From himainu-ynakam at miomio.jp Sun Oct 3 00:21:21 2004
From: himainu-ynakam at miomio.jp (Yuichi Nakamura)
Date: Sat, 02 Oct 2004 20:21:21 -0400
Subject: user_t daemons(Re: mDNSResponder running in user_t)
In-Reply-To: <415F2A59.7030906@mindspring.com>
References: <415F2A59.7030906@mindspring.com>
Message-ID: <200410030021.i930LaGr029720@mms-r01.iijmio.jp>

Richard Hally wrote:
> Dan Walsh has come up with a new program called "runuser" (in the
> latest coreutils) that is intended to replace "su" in these situations
> (e.g. init scripts). Try replacing "su" with "runuser" in the script
> and see what happens.

iiimf worked by runuser. Thank you!
I replaced su with runuser in /etc/init.d/functions.

---
Yuichi Nakamura

From russell at coker.com.au Sun Oct 3 20:09:12 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 4 Oct 2004 06:09:12 +1000
Subject: cups and printconf
Message-ID: <200410040609.12188.russell@coker.com.au>

A python script launched by cups (running in domain cupsd_t) wants to write to
the /usr/share/printconf/util/ directory during the boot process.

Does anyone know what this is about? Naturally we don't want a domain that
listens to network connections to be able to write to usr_t...

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From selinux at gmail.com Sun Oct 3 20:44:04 2004
From: selinux at gmail.com (Tom London)
Date: Sun, 3 Oct 2004 13:44:04 -0700
Subject: cups and printconf
In-Reply-To: <200410040609.12188.russell@coker.com.au>
References: <200410040609.12188.russell@coker.com.au>
Message-ID: <4c4ba1530410031344483c9ed5@mail.gmail.com>

I think I filed a bugzilla about this a while ago....
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129025

Is this the same thing?
If so, looks like python is trying to write 'compiled/optimized'
.pyc/.pyo files in /usr/share/printconf/util/

According to bugzilla, it was being fixed.....

	tom

On Mon, 4 Oct 2004 06:09:12 +1000, Russell Coker wrote:
> A python script launched by cups (running in domain cupsd_t) wants to write to
> the /usr/share/printconf/util/ directory during the boot process.
>
> Does anyone know what this is about? Naturally we don't want a domain that
> listens to network connections to be able to write to usr_t...
>
> --
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page

--
Tom London

From russell at coker.com.au Sun Oct 3 20:57:05 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 4 Oct 2004 06:57:05 +1000
Subject: cups and printconf
In-Reply-To: <4c4ba1530410031344483c9ed5@mail.gmail.com>
References: <200410040609.12188.russell@coker.com.au> <4c4ba1530410031344483c9ed5@mail.gmail.com>
Message-ID: <200410040657.05097.russell@coker.com.au>

On Mon, 4 Oct 2004 06:44, Tom London wrote:
> I think I filed a bugzilla about this a while ago....
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129025
>
> Is this the same thing? If so, looks like python is trying to
> write 'compiled/optimized' .pyc/.pyo files in
> /usr/share/printconf/util/

That sounds likely. I'll wait until that bugzilla is closed then.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From twaugh at redhat.com Mon Oct 4 09:20:10 2004
From: twaugh at redhat.com (Tim Waugh)
Date: Mon, 4 Oct 2004 10:20:10 +0100
Subject: cups and printconf
In-Reply-To: <200410040657.05097.russell@coker.com.au>
References: <200410040609.12188.russell@coker.com.au> <4c4ba1530410031344483c9ed5@mail.gmail.com> <200410040657.05097.russell@coker.com.au>
Message-ID: <20041004092010.GZ21098@redhat.com>

On Mon, Oct 04, 2004 at 06:57:05AM +1000, Russell Coker wrote:
> > Is this the same thing? If so, looks like python is trying to
> > write 'compiled/optimized' .pyc/.pyo files in
> > /usr/share/printconf/util/
>
> That sounds likely. I'll wait until that bugzilla is closed then.

Still waiting for the build system to flip the configuration bit
needed for this.

Isn't dontaudit a good option for this if it doesn't get fixed before
release?

Tim.
*/

From sds at epoch.ncsc.mil Mon Oct 4 13:32:31 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 04 Oct 2004 09:32:31 -0400
Subject: checkinstall on Fc3T2
In-Reply-To: <9cde8bff0409260825130739c4@mail.gmail.com>
References: <9cde8bff0409260825130739c4@mail.gmail.com>
Message-ID: <1096896751.32008.1.camel@moss-spartans.epoch.ncsc.mil>

On Sun, 2004-09-26 at 11:25, aq wrote:
> I am compiling openbox-3.2 from source code (yes, FC3T2 is test
> edition, so nobody makes packages for it). I run "./configure", then
> "make". But when I run checkinstall to make a rpm package of openbox,
> I got various errors (for ex, "Segmentation fault mkdir data 2 & > /dev/null).
> I guess the problem is that the "checkinstall" has
> insufficient privilege.
>
> What should I do to fix this problem?

Bug in checkinstall.
See http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=114067.

--
Stephen Smalley
National Security Agency

From johnp at redhat.com Sun Oct 3 20:21:18 2004
From: johnp at redhat.com (John (J5) Palmieri)
Date: Sun, 03 Oct 2004 16:21:18 -0400
Subject: cups and printconf
In-Reply-To: <200410040609.12188.russell@coker.com.au>
References: <200410040609.12188.russell@coker.com.au>
Message-ID: <1096834878.18248.1.camel@localhost.localdomain>

On Sun, 2004-10-03 at 16:09, Russell Coker wrote:
> A python script launched by cups (running in domain cupsd_t) wants to write to
> the /usr/share/printconf/util/ directory during the boot process.
>
> Does anyone know what this is about? Naturally we don't want a domain that
> listens to network connections to be able to write to usr_t...

Most likely this happens after hal is launched, it discovers printers
and configures them using printconf-tui.

--
J5

From Valdis.Kletnieks at vt.edu Tue Oct 5 01:49:00 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 04 Oct 2004 21:49:00 -0400
Subject: (no subject)
Message-ID: <200410050149.i951n1uH010040@turing-police.cc.vt.edu>

(Not sure if this is a fedora-selinux or upstream issue, posting to both lists)

OK, I see where in recent Fedora-devel RPM's the screensaver is deprecated
(as per comments in domains/misc/screensaver.te). All the same, we probably
want the following line in file_contexts to make these binaries be 'bin_t'
instead of 'lib_t'...

/usr/X11R6/lib/xscreensaver/.*   --   system_u:object_r:bin_t
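As an added illustration, not part of the message above or of the SELinux tools, here is a small Python model of how file_contexts entries are matched: each regex is anchored to the whole path, the optional middle field restricts the entry to one file type (`--` for regular files), and when several entries match, the last one in the file wins. The general `/usr/X11R6/lib(/.*)?` lib_t entry is a constructed sample standing in for the real policy line, so the block can show what the xscreensaver binaries get before and after the proposed entry is added.

```python
import re

# File-type codes allowed in the optional middle field of a file_contexts
# entry: regular file, directory, symlink, char dev, block dev, socket, fifo.
# An entry without that field applies to every file type.
FILE_TYPE_CODES = ("--", "-d", "-l", "-c", "-b", "-s", "-p")


def parse_file_contexts(text):
    """Parse 'regex [type] context' lines into (compiled regex, type, context)."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # comments and blank lines are ignored
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in FILE_TYPE_CODES:
            regex, ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
            ftype = None
        else:
            raise ValueError("line %d: malformed file_contexts entry: %r" % (lineno, raw))
        # The regex has to match the whole path, so anchor it at both ends.
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


def match_context(specs, path, kind):
    """Return the context an entry assigns to path (a file of type `kind`).

    Entries are searched from the end of the file so that the last matching
    entry wins; that is why specific entries are listed after general ones.
    A context of <<none>> means the file is deliberately left unlabeled.
    Returns None when no entry matches.
    """
    for regex, ftype, context in reversed(specs):
        if ftype is not None and ftype != kind:
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    return None


# Constructed sample, not the real Fedora file_contexts: a general entry
# labeling everything under /usr/X11R6/lib as lib_t, then the entry
# proposed in the message above for the xscreensaver hacks.
GENERAL_ENTRY = "/usr/X11R6/lib(/.*)?                   system_u:object_r:lib_t\n"
PROPOSED_ENTRY = "/usr/X11R6/lib/xscreensaver/.*    --   system_u:object_r:bin_t\n"

BEFORE_SPECS = parse_file_contexts(GENERAL_ENTRY)
AFTER_SPECS = parse_file_contexts(GENERAL_ENTRY + PROPOSED_ENTRY)


def context_before(path, kind="--"):
    """Label a path gets with only the general lib_t entry present."""
    return match_context(BEFORE_SPECS, path, kind)


def context_after(path, kind="--"):
    """Label a path gets once the proposed bin_t entry is appended."""
    return match_context(AFTER_SPECS, path, kind)


if __name__ == "__main__":
    for path, kind in (("/usr/X11R6/lib/xscreensaver/popsquares", "--"),
                       ("/usr/X11R6/lib/xscreensaver/config", "-d"),
                       ("/usr/X11R6/lib/libX11.so.6", "--"),
                       ("/usr/bin/xterm", "--")):
        print("%-40s %s  before=%s  after=%s"
              % (path, kind, context_before(path, kind), context_after(path, kind)))
```

Only regular files under the xscreensaver directory change label; a subdirectory there, and everything else under /usr/X11R6/lib, keeps lib_t because the `--` field excludes it from the new entry.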
From jmorris at redhat.com Tue Oct 5 03:07:10 2004
From: jmorris at redhat.com (James Morris)
Date: Mon, 4 Oct 2004 23:07:10 -0400 (EDT)
Subject: Filesystem Labeling article online
Message-ID:

I thought it might be useful to mention that an article I've had published
in Linux Journal on Filesystem Labeling is online at:

http://www.linuxjournal.com/article.php?sid=7426

- James
--
James Morris

From sds at epoch.ncsc.mil Wed Oct 6 17:27:59 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Wed, 06 Oct 2004 13:27:59 -0400
Subject: ReiserFS
In-Reply-To: <200409300512.44632.russell@coker.com.au>
References: <200409300512.44632.russell@coker.com.au>
Message-ID: <1097083678.11370.39.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-09-29 at 15:12, Russell Coker wrote:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134111
>
> We are having some discussions of ReiserFS in the Red Hat bugzilla.
>
> fs_use_xattr reiserfs system_u:object_r:fs_t;
>
> It seems to me that the easiest solution is to remove the above line from
> fs_use and add the following to genfs_contexts:
>
> genfscon reiserfs / system_u:object_r:nfs_t
>
> The reason for this hack is that we already have the policy for home
> directories on NFS. ReiserFS will never work for a root FS and isn't worth
> any more effort than this hack.

This seems reasonable, at least until someone chooses to pursue the
necessary patches to the reiserfs xattr support to allow proper
interaction with SELinux.
--
Stephen Smalley
National Security Agency

From don.patterson at tresys.com Wed Oct 6 20:51:44 2004
From: don.patterson at tresys.com (Don Patterson)
Date: Wed, 6 Oct 2004 16:51:44 -0400
Subject: Updated release of setools-1.4.1
Message-ID: <20041006205145.EVIJ1068.mm-ismta3.bizmailsrvcs.net@ICEMAN>

An updated release of setools-1.4.1 is now available from our website at
http://www.tresys.com/selinux/selinux_policy_tools.html. This is a minor
bug fix release to address a problem with rules not being rendered in apol
and a few other small bugs that were brought to our attention.

Thank you.

Don Patterson
Tresys Technology
http://www.tresys.com

From russell at coker.com.au Thu Oct 7 06:34:07 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 7 Oct 2004 16:34:07 +1000
Subject: cups and printconf
In-Reply-To: <20041004092010.GZ21098@redhat.com>
References: <200410040609.12188.russell@coker.com.au> <200410040657.05097.russell@coker.com.au> <20041004092010.GZ21098@redhat.com>
Message-ID: <200410071634.07558.russell@coker.com.au>

On Mon, 4 Oct 2004 19:20, Tim Waugh wrote:
> On Mon, Oct 04, 2004 at 06:57:05AM +1000, Russell Coker wrote:
> > > Is this the same thing? If so, looks like python is trying to
> > > write 'compiled/optimized' .pyc/.pyo files in
> > > /usr/share/printconf/util/
> >
> > That sounds likely. I'll wait until that bugzilla is closed then.
>
> Still waiting for the build system to flip the configuration bit
> needed for this.
>
> Isn't dontaudit a good option for this if it doesn't get fixed before
> release?

I don't think that we want to put in dontaudit rules for bugs that impact
the operation of the system. Also the process for removing rules is rather
painful so I prefer that they don't get included in the first place if they
don't make sense.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From twaugh at redhat.com Thu Oct 7 08:30:59 2004
From: twaugh at redhat.com (Tim Waugh)
Date: Thu, 7 Oct 2004 09:30:59 +0100
Subject: cups and printconf
In-Reply-To: <200410071634.07558.russell@coker.com.au>
References: <200410040609.12188.russell@coker.com.au> <200410040657.05097.russell@coker.com.au> <20041004092010.GZ21098@redhat.com> <200410071634.07558.russell@coker.com.au>
Message-ID: <20041007083059.GN21098@redhat.com>

On Thu, Oct 07, 2004 at 04:34:07PM +1000, Russell Coker wrote:
> I don't think that we want to put in dontaudit rules for bugs that
> impact the operation of the system. Also the process for removing
> rules is rather painful so I prefer that they don't get included in
> the first place if they don't make sense.

Bugs? "Impact the operation of the system"? I doubt you could time the
speed difference for the average use of system-config-printer -- lost in
the noise of loading foomatic.

Anyway, let's just turn on the build system configuration bit for
writing out these files and be done with it. I'm bored of asking for
this.

Tim.
*/
From selinux at gmail.com Fri Oct 8 16:08:53 2004
From: selinux at gmail.com (Tom London)
Date: Fri, 8 Oct 2004 09:08:53 -0700
Subject: prelink and yum conflict
Message-ID: <4c4ba1530410080908a02a768@mail.gmail.com>

If prelink is running from cron when you do a 'yum install' of a package
that wants to do a ldconfig, you get the following avc

Oct 8 08:31:39 fedora kernel: audit(1097249499.123:0): avc: denied { read } for pid=14475 exe=/lib/ld-2.3.3.so name=ld.so.cache dev=hda2 ino=4473477 scontext=system_u:system_r:prelink_t tcontext=root:object_r:etc_t tclass=file

and a message from ldconfig complaining about not being able to
link ld.so.cache~

I believe (hope?!) that this is harmless. But, does it make sense
to prevent this, say by creating a lock file that would be used to
prevent prelink and ldconfig from colliding?

Or is it safe to allow this access? A 'dontaudit' would still
leave curious looking messages during the yum.

	tom
--
Tom London

From sds at epoch.ncsc.mil Fri Oct 8 16:14:05 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 08 Oct 2004 12:14:05 -0400
Subject: prelink and yum conflict
In-Reply-To: <4c4ba1530410080908a02a768@mail.gmail.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com>
Message-ID: <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-10-08 at 12:08, Tom London wrote:
> If prelink is running from cron when you do a 'yum install' of a package
> that wants to do a ldconfig, you get the following avc
>
> Oct 8 08:31:39 fedora kernel: audit(1097249499.123:0): avc: denied
> { read } for pid=14475 exe=/lib/ld-2.3.3.so name=ld.so.cache dev=hda2
> ino=4473477 scontext=system_u:system_r:prelink_t
> tcontext=root:object_r:etc_t tclass=file
>
> and a message from ldconfig complaining about not being able to
> link ld.so.cache~
>
> I believe (hope?!) that this is harmless.
> But, does it make sense
> to prevent this, say by creating a lock file that would be used to
> prevent prelink and ldconfig from colliding?
>
> Or is it safe to allow this access? A 'dontaudit' would still
> leave curious looking messages during the yum.

/etc/ld.so.cache is supposed to be labeled ld_so_cache_t. Seems odd that
prelink_t isn't allowed to read etc_t, though.

--
Stephen Smalley
National Security Agency

From selinux at gmail.com Fri Oct 8 16:40:18 2004
From: selinux at gmail.com (Tom London)
Date: Fri, 8 Oct 2004 09:40:18 -0700
Subject: udev reports 'failed' on boot
Message-ID: <4c4ba15304100809404482941e@mail.gmail.com>

Running strict/enforcing with latest from Rawhide.

During boot when udev is started, I get:

Oct 8 09:31:42 fedora kernel: audit(1097227835.719:0): avc: denied { read } for pid=596 exe=/bin/cat name=hotplug dev=proc ino=-268435400 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:sysctl_hotplug_t tclass=file
Oct 8 09:31:42 fedora kernel: audit(1097227837.871:0): avc: denied { search } for pid=932 exe=/usr/bin/rhgb-client name=rhgb dev=hda2 ino=280446 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir

and 'udev [FAILED]' on the console.

udevd seems to be running, and the system appears to be functioning.....

	tom
--
Tom London

From justin.conover at gmail.com Fri Oct 8 17:23:33 2004
From: justin.conover at gmail.com (Justin Conover)
Date: Fri, 8 Oct 2004 12:23:33 -0500
Subject: xfs file system w/ selinux?
Message-ID:

Is there any downside to running xfs with selinux?

I'm just testing(playing) with test2 and I was thinking of using
lvm/xfs/selinux. Choosing xfs because it is a good fs and easier to
grow online than ext3. Plus I'm just testing :)

From sds at epoch.ncsc.mil Fri Oct 8 17:29:11 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 08 Oct 2004 13:29:11 -0400
Subject: xfs file system w/ selinux?
In-Reply-To:
References:
Message-ID: <1097256550.16641.192.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-10-08 at 13:23, Justin Conover wrote:
> Is there any downside to running xfs with selinux?
>
> I'm just testing(playing) with test2 and I was thinking of using
> lvm/xfs/selinux. Choosing xfs because it is a good fs and easier to
> grow online than ext3. Plus I'm just testing :)

We haven't tried xfs with SELinux ourselves, but it _should_ work.
Please report any problems. It has xattr handlers for the security
namespace. There was an earlier problem with xfs preventing SELinux
from internally accessing the xattrs, but I believe that has been fixed.

--
Stephen Smalley
National Security Agency

From cpebenito at tresys.com Fri Oct 8 17:51:00 2004
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Fri, 08 Oct 2004 13:51:00 -0400
Subject: xfs file system w/ selinux?
In-Reply-To: <1097256550.16641.192.camel@moss-spartans.epoch.ncsc.mil>
References: <1097256550.16641.192.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1097257860.3444.49.camel@selinux>

On Fri, 2004-10-08 at 13:29 -0400, Stephen Smalley wrote:
> On Fri, 2004-10-08 at 13:23, Justin Conover wrote:
> > Is there any downside to running xfs with selinux?
> >
> > I'm just testing(playing) with test2 and I was thinking of using
> > lvm/xfs/selinux. Choosing xfs because it is a good fs and easier to
> > grow online than ext3. Plus I'm just testing :)
>
> We haven't tried xfs with SELinux ourselves, but it _should_ work.
> Please report any problems. It has xattr handlers for the security
> namespace. There was an earlier problem with xfs preventing SELinux
> from internally accessing the xattrs, but I believe that has been fixed.

The one catch is to use a larger inode size; 512 should be sufficient.
XFS stores the xattr in the inode if there's enough space in it.
Otherwise it has to allocate a whole block to store the xattr, which
incurs a performance penalty and a waste of space.
The default size (256) isn't big enough for the context. So when you mkfs,
add -i size=512 to the command line options.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From temlakos at comcast.net Fri Oct 8 20:07:48 2004
From: temlakos at comcast.net (Temlakos)
Date: Fri, 08 Oct 2004 16:07:48 -0400
Subject: Intro
Message-ID: <1097266068.11255.21.camel@erhva.localdomain>

Hello. I am an applications developer with an interest in building secure
systems. As a former practicing pathologist, I believe I have a good set of
"clues" for developing a comprehensive accessioning and reporting
application for pathologists. This will necessarily use a database server,
plus database clients who might connect either on the same machine or on
different machines perhaps even on different sites. That means that the
database server must be exposed to the public Internet, though I can
certainly use iptables to limit access to a single recommended port.

Obviously I'm considering SELinux as the base operating system for the
database server, and perhaps also for database client systems.

Next week I hope to have a new, experimental box on which I plan to install
Fedora Core 3 Test 3 (one test away from general release; how buggy can it
really be?) with SELinux switched on, in permissive mode to start with, and
hopefully to proceed to full enforcement mode.

Is there anything I need to know, beyond what I can glean from Fedora's FAQ
or the NSA's FAQ? Is the NSA's document on how to write SELinux policies the
best place to get started? What do I need to consider when building and
running a new application in an SELinux environment? Those of you out there
running SELinux in enforcement mode--do you have any insights you can share
with me?

Thanks in advance.

Temlakos

From justin.conover at gmail.com Sat Oct 9 17:37:01 2004
From: justin.conover at gmail.com (Justin Conover)
Date: Sat, 9 Oct 2004 12:37:01 -0500
Subject: xfs file system w/ selinux?
In-Reply-To: <1097257860.3444.49.camel@selinux>
References: <1097256550.16641.192.camel@moss-spartans.epoch.ncsc.mil> <1097257860.3444.49.camel@selinux>
Message-ID:

How does Fedora handle the size, does it use 256 or 512 by default?
If it's 256, shouldn't they change this?

On Fri, 08 Oct 2004 13:51:00 -0400, Christopher J. PeBenito wrote:
> On Fri, 2004-10-08 at 13:29 -0400, Stephen Smalley wrote:
> > On Fri, 2004-10-08 at 13:23, Justin Conover wrote:
> > > Is there any downside to running xfs with selinux?
> > >
> > > I'm just testing(playing) with test2 and I was thinking of using
> > > lvm/xfs/selinux. Choosing xfs because it is a good fs and easier to
> > > grow online than ext3. Plus I'm just testing :)
> >
> > We haven't tried xfs with SELinux ourselves, but it _should_ work.
> > Please report any problems. It has xattr handlers for the security
> > namespace. There was an earlier problem with xfs preventing SELinux
> > from internally accessing the xattrs, but I believe that has been fixed.
>
> The one catch is to use a larger inode size; 512 should be sufficient.
> XFS stores the xattr in the inode if there's enough space in it.
> Otherwise it has to allocate a whole block to store the xattr, which
> incurs a performance penalty and a waste of space. The default size
> (256) isn't big enough for the context. So when you mkfs, add -i
> size=512 to the command line options.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>

From fedora at andrewfarris.com Sat Oct 9 19:53:43 2004
From: fedora at andrewfarris.com (Andrew Farris)
Date: Sat, 09 Oct 2004 12:53:43 -0700
Subject: xfs file system w/ selinux?
In-Reply-To:
References: <1097256550.16641.192.camel@moss-spartans.epoch.ncsc.mil> <1097257860.3444.49.camel@selinux>
Message-ID: <1097351624.17163.4.camel@CirithUngol>

On Sat, 2004-10-09 at 12:37 -0500, Justin Conover wrote:
> How does Fedora handle the size, does it use 256 or 512 by default?
> If it's 256, shouldn't they change this?
It uses the default 256. I have several filesystems I built with 256 inode
size, but I have had no problems running selinux with it.. presumably I do
have wasted space and performance decreases but it is not noticeable in
normal use. I suspect a benchmark would have to be used to see it. I do
notice that compared to my ext3 setup before I do have much lower cpu usage
on file moves across filesystems, so I'm pleased with XFS, but the
performance difference between them is debatable (and has been here
before).

Perhaps it should be changed yes, I was unaware of the issue before I
created the filesystems.

> On Fri, 08 Oct 2004 13:51:00 -0400, Christopher J. PeBenito
> wrote:
> > On Fri, 2004-10-08 at 13:29 -0400, Stephen Smalley wrote:
> > > On Fri, 2004-10-08 at 13:23, Justin Conover wrote:
> > > > Is there any downside to running xfs with selinux?
> > > >
> > > > I'm just testing(playing) with test2 and I was thinking of using
> > > > lvm/xfs/selinux. Choosing xfs because it is a good fs and easier to
> > > > grow online than ext3. Plus I'm just testing :)
> > >
> > > We haven't tried xfs with SELinux ourselves, but it _should_ work.
> > > Please report any problems. It has xattr handlers for the security
> > > namespace. There was an earlier problem with xfs preventing SELinux
> > > from internally accessing the xattrs, but I believe that has been fixed.
> >
> > The one catch is to use a larger inode size; 512 should be sufficient.
> > XFS stores the xattr in the inode if there's enough space in it.
> > Otherwise it has to allocate a whole block to store the xattr, which
> > incurs a performance penalty and a waste of space. The default size
> > (256) isn't big enough for the context. So when you mkfs, add -i
> > size=512 to the command line options.
> >
> > --
> > Chris PeBenito
> > Tresys Technology, LLC
> > (410) 290-1411 x150
> >
> >
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From russell at coker.com.au Sun Oct 10 05:10:28 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 10 Oct 2004 15:10:28 +1000
Subject: Intro
In-Reply-To: <1097266068.11255.21.camel@erhva.localdomain>
References: <1097266068.11255.21.camel@erhva.localdomain>
Message-ID: <200410101510.28773.russell@coker.com.au>

On Sat, 9 Oct 2004 06:07, Temlakos wrote:
> What do I need to consider when building
> and running a new application in an SELinux environment? Those of you
> out there running SELinux in enforcement mode--do you have any insights
> you can share with me?

Generally a well written program will not have any difficulties at all with SE Linux. But a badly written program that doesn't implement the best practices for secure Unix programming in a DAC environment will have bigger problems with SE Linux.

Just do the smart things: don't have the program re-write its own config files (have a separate process for doing this). Don't put things in /tmp with fixed file names or things that other processes may access; use /var/run/daemon-name/whatever for Unix domain sockets. Use a fixed port number even if using Sun RPC for UDP and TCP.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From parklee_sel at yahoo.com Sun Oct 10 19:04:39 2004
From: parklee_sel at yahoo.com (Park Lee)
Date: Sun, 10 Oct 2004 12:04:39 -0700 (PDT)
Subject: Where to find libselinux-devel-1.11.4-1.src.rpm ?
Message-ID: <20041010190439.92095.qmail@web51510.mail.yahoo.com>

Hi,
I'm doing something in SELinux, and need the libselinux-devel-1.11.4-1.src.rpm.
I tried to find it on the web; I've tried searching for it in either http://fedora.redhat.com/projects/selinux/ or http://rpmfind.net/, but I could only find libselinux-1.11.4-1.src.rpm, libselinux-1.17.14-1.src.rpm, ...... etc. So, would you please tell me where libselinux-devel-1.11.4-1.src.rpm is?

And now I'm using FC2, in which libselinux-1.11.4-1.i386.rpm is installed. Can I use the newest libselinux-1.17.14-1.i386.rpm to update my system without updating all the other rpm packages? And if I do this, will my FC2 be damaged?

Thanks in advance

--
Best Regards,
Park Lee

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From fedora at andrewfarris.com Mon Oct 11 03:07:32 2004
From: fedora at andrewfarris.com (Andrew Farris)
Date: Sun, 10 Oct 2004 20:07:32 -0700
Subject: Where to find libselinux-devel-1.11.4-1.src.rpm ?
In-Reply-To: <20041010190439.92095.qmail@web51510.mail.yahoo.com>
References: <20041010190439.92095.qmail@web51510.mail.yahoo.com>
Message-ID: <1097464052.14869.21.camel@CirithUngol>

On Sun, 2004-10-10 at 12:04 -0700, Park Lee wrote:
> Hi,
> I'm doing something in SELinux, and need the libselinux-
> devel-1.11.4-1.src.rpm. I try to find it on the web, I've tried to
> search it either in http://fedora.redhat.com/projects/selinux/ or in
> http://rpmfind.net/. but I would only find
> libselinux-1.11.4-1.src.rpm, libselinux-1.17.14-1.src.rpm,...... etc.
> So, would you please tell me where libselinux-
> devel-1.11.4-1.src.rpm is?

This should be on all the mirrors in the SRPMS directory.

ftp://mirror.stanford.edu/pub/mirrors/fedora/linux/core/2/SRPMS
/libselinux-1.11.4-1.src.rpm
(watch the line break)

> And, now I'm using FC2,in which libselinux-1.11.4-1.i386.rpm is
> installed.
> Then, can I use the newest libselinux-1.17.14-1.i386.rpm to
> update my system, while don't update all the other rpm packages? and
> if I do this, will my FC2 be damaged?

You may have issues using the newer libselinux if you were going to then use an app on FC2 where the older one was installed. However, it should work fine to upgrade your system and then use the newer libselinux. Using the latest policy, kernel, and other selinux packages is usually a good idea as things change, but if you need to deploy to FC2 you may not wish to make that change. I suspect that using the newer version without upgrading the rest of the selinux system may cause you hassle.

-andrew

From russell at coker.com.au Mon Oct 11 06:34:12 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 11 Oct 2004 16:34:12 +1000
Subject: prelink and yum conflict
In-Reply-To: <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200410111634.12567.russell@coker.com.au>

On Sat, 9 Oct 2004 02:14, Stephen Smalley wrote:
> /etc/ld.so.cache is supposed to be labeled ld_so_cache_t.

ldconfig is being executed directly from rpm, not via "sh -c ldconfig". This means that it doesn't transition to ldconfig_t.

Jeff, please change rpm to use "sh -c" for spawning all scripts including ldconfig and /usr/sbin/glibc_post_upgrade. Should I file a bugzilla against rpm?
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From laroche at redhat.com Mon Oct 11 06:52:41 2004
From: laroche at redhat.com (Florian La Roche)
Date: Mon, 11 Oct 2004 08:52:41 +0200
Subject: prelink and yum conflict
In-Reply-To: <200410111634.12567.russell@coker.com.au>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au>
Message-ID: <20041011065241.GA5873@dudweiler.stuttgart.redhat.com>

On Mon, Oct 11, 2004 at 04:34:12PM +1000, Russell Coker wrote:
> On Sat, 9 Oct 2004 02:14, Stephen Smalley wrote:
> > /etc/ld.so.cache is supposed to be labeled ld_so_cache_t.
>
> ldconfig is being executed directly from rpm not via "sh -c ldconfig". This
> means that it doesn't transition to ldconfig_t.
>
> Jeff, please change rpm to use "sh -c" for spawning all scripts including
> ldconfig and /usr/sbin/glibc_post_upgrade. Should I file a bugzilla against
> rpm?

Is this even possible for glibc_post_upgrade?

greetings,

Florian La Roche

From n3npq at nc.rr.com Mon Oct 11 12:39:30 2004
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Mon, 11 Oct 2004 08:39:30 -0400
Subject: prelink and yum conflict
In-Reply-To: <200410111634.12567.russell@coker.com.au>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au>
Message-ID: <416A7F02.9010601@nc.rr.com>

Russell Coker wrote:

>On Sat, 9 Oct 2004 02:14, Stephen Smalley wrote:
>
>>/etc/ld.so.cache is supposed to be labeled ld_so_cache_t.
>>
>
>ldconfig is being executed directly from rpm not via "sh -c ldconfig". This
>means that it doesn't transition to ldconfig_t.
>
>Jeff, please change rpm to use "sh -c" for spawning all scripts including
>ldconfig and /usr/sbin/glibc_post_upgrade. Should I file a bugzilla against
>rpm?
>

I would if it would "work".

This was my reasoning originally for limiting "rpm_script_t" to /bin/sh execution, rather than applying in general.

As long as glibc_post_upgrade is a static binary that attempts sshd restart, policy will be a bit more complex than otherwise. The restart of sshd is necessary iff there is an incompatibility in one of the name service modules, a fairly rare event.

Making glibc_post_upgrade actions a bit easier to see and change is needed imho. I'd suggest using the embedded lua now in rpm rather than a statically linked helper.

But that is probably a different problem than /etc/ld.so.cache mentioned here.

Current behavior is to set "rpm_script_t" for all package interpreters rather than just /bin/sh.

What change(s) do you wish?

73 de Jeff

From parklee_sel at yahoo.com Mon Oct 11 14:56:56 2004
From: parklee_sel at yahoo.com (Park Lee)
Date: Mon, 11 Oct 2004 07:56:56 -0700 (PDT)
Subject: Where to find libselinux-devel-1.11.4-1.src.rpm ?
In-Reply-To: <1097464052.14869.21.camel@CirithUngol>
Message-ID: <20041011145656.10109.qmail@web51509.mail.yahoo.com>

On Sun, 10 Oct 2004 20:07, Andrew Farris wrote:
>On Sun, 2004-10-10 at 12:04 -0700, Park Lee wrote:
>> Hi,
>> I'm doing something in SELinux, and need the libselinux-
>> devel-1.11.4-1.src.rpm. I try to find it on the web, I've tried to
>> search it either in http://fedora.redhat.com/projects/selinux/ or in
>> http://rpmfind.net/. but I would only find
>> libselinux-1.11.4-1.src.rpm, libselinux-1.17.14-1.src.rpm,...... etc.
>> So, would you please tell me where libselinux-
>> devel-1.11.4-1.src.rpm is?

>This should be on all the mirrors in the SRPMS directory.

>ftp://mirror.stanford.edu/pub/mirrors/fedora/linux/core/2/SRPMS
>/libselinux-1.11.4-1.src.rpm

Thanks a lot.
But what I want to get is libselinux-devel-1.11.4-1.src.rpm, not the libselinux-1.11.4-1.src.rpm one. I think these two are not the same thing. Would you please give me a hint about the former one?

--
Best Regards,
Park Lee

From selinux at gmail.com Mon Oct 11 15:08:26 2004
From: selinux at gmail.com (Tom London)
Date: Mon, 11 Oct 2004 08:08:26 -0700
Subject: prelink and yum conflict
In-Reply-To: <416A7F02.9010601@nc.rr.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <416A7F02.9010601@nc.rr.com>
Message-ID: <4c4ba15304101108085e38218@mail.gmail.com>

I've been running this system strict/enforcing most of the time (running strict/permissive when the policy is wedged).

After 'yum update' a few days ago, after observing the 'prelink messages' noted above, lots of stuff started breaking, like gconftool-2, gnome-terminal, bonobo-activation-server, etc. Each would fail with segmentation faults.

These could all be repaired by reinstalling the 'appropriate' package (e.g., GConf2, gnome-terminal, libbonobo, ....) via 'rpm -ivh --force yum-cached-package'

Following a suggestion from fedora-test-list, I started running 'rpm -V' (in permissive mode) on my installed packages. Many of these fail, e.g.:

libuser
S.?...... /usr/bin/lchfn
S.?...... /usr/bin/lchsh
S.?...... /usr/lib/libuser.so.1.1.1
S.?...... /usr/sbin/lchage
S.?...... /usr/sbin/lgroupadd
S.?...... /usr/sbin/lgroupdel
S.?...... /usr/sbin/lgroupmod
S.?...... /usr/sbin/lid
S.?...... /usr/sbin/lnewusers
S.?...... /usr/sbin/lpasswd
S.?...... /usr/sbin/luseradd
S.?...... /usr/sbin/luserdel
S.?...... /usr/sbin/lusermod

each with a line like:
prelink: /usr/lib/liblwres.so.1.1.2: at least one of file's dependencies has changed since prelinking
prelink: /usr/bin/dig: at least one of file's dependencies has changed since prelinking
prelink: /usr/bin/host: at least one of file's dependencies has changed since prelinking
prelink: /usr/bin/nslookup: at least one of file's dependencies has changed since prelinking
prelink: /usr/bin/nsupdate: at least one of file's dependencies has changed since prelinking

(there are scads of these, picked this one at random. Sorry, the first set of messages is not coordinated with the second.)

I can 'make these go away' by reinstalling via 'rpm -ivh --force yum-cached-package', and then 'rpm -V' succeeds with no messages.

Could yum/rpm/prelink be scribbling? Or am I chasing shadows?

tom

On Mon, 11 Oct 2004 08:39:30 -0400, Jeff Johnson wrote:
> Russell Coker wrote:
>
> >On Sat, 9 Oct 2004 02:14, Stephen Smalley wrote:
> >
> >>/etc/ld.so.cache is supposed to be labeled ld_so_cache_t.
> >>
> >
> >ldconfig is being executed directly from rpm not via "sh -c ldconfig". This
> >means that it doesn't transition to ldconfig_t.
> >
> >Jeff, please change rpm to use "sh -c" for spawning all scripts including
> >ldconfig and /usr/sbin/glibc_post_upgrade. Should I file a bugzilla against
> >rpm?
> >
> I would if it would "work".
>
> This was my reasoning originally for limiting "rpm_script_t" to /bin/sh
> execution, rather than
> applying in general.
>
> As long as glibc_post_upgrade is a static binary that attempts sshd
> restart, policy
> will be a bit more complex than otherwise. The restart of sshd is necessary
> iff there is a incompatibility in one of the name service modules, a fairly
> rare event.
>
> Making glibc_post_upgrade actions a bit easier to see and change is
> needed imho.
> I'd suggest using the embedded lua now in rpm rather than the a
> statically linked
> helper.
> But that is probably a different problem than /etc/ld.so.cache
> mentioned here.
>
> Current behavior is to set "rpm_script_t" for all package interpreters
> rather than
> just /bin/sh.
>
> What change(s) do you wish?
>
> 73 de Jeff
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Tom London

From linux_4ever at yahoo.com Mon Oct 11 15:12:53 2004
From: linux_4ever at yahoo.com (Steve G)
Date: Mon, 11 Oct 2004 08:12:53 -0700 (PDT)
Subject: Where to find libselinux-devel-1.11.4-1.src.rpm ?
In-Reply-To: <20041011145656.10109.qmail@web51509.mail.yahoo.com>
Message-ID: <20041011151253.40271.qmail@web50604.mail.yahoo.com>

>But what I want to get is libselinux-devel-1.11.4-1.src.rpm, not the
>libselinux-1.11.4-1.src.rpm one. I think these two are not the same thing.

They are the same thing. The src rpm produces 2 rpm packages: the shared object libraries in one and the headers+static libraries in the devel rpm. There's one source which produces 2 rpms.

-Steve Grubb

_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com

From n3npq at nc.rr.com Mon Oct 11 17:59:01 2004
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Mon, 11 Oct 2004 13:59:01 -0400
Subject: prelink and yum conflict
In-Reply-To: <4c4ba15304101108085e38218@mail.gmail.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <416A7F02.9010601@nc.rr.com> <4c4ba15304101108085e38218@mail.gmail.com>
Message-ID: <416AC9E5.7010006@nc.rr.com>

Tom London wrote:

>I've been running this system strict/enforcing most of the time
>(running strict/permissive when the policy is wedged).
>
>After 'yum update' a few days ago, after observing the
>'prelink messages' noted above, lots of stuff started
>breaking, like gconftool-2, gnome-terminal, bononbo-activation-server,
>etc. Each would fail with segmentation faults.
>
>These could all be repaired by reinstalling the 'appropriate'
>package (e.g., GConf2, gnome-terminal, libbonobo, ....) via
>'rpm -ivh --force yum-cached-package'
>
>Following a suggestion from fedora-test-list, I started running
>'rpm -V' (in permissive mode) on my installed packages. Many of these
>fail, e.g.:
>
>libuser
>S.?...... /usr/bin/lchfn
>S.?...... /usr/bin/lchsh
>S.?...... /usr/lib/libuser.so.1.1.1
>S.?...... /usr/sbin/lchage
>S.?...... /usr/sbin/lgroupadd
>S.?...... /usr/sbin/lgroupdel
>S.?...... /usr/sbin/lgroupmod
>S.?...... /usr/sbin/lid
>S.?...... /usr/sbin/lnewusers
>S.?...... /usr/sbin/lpasswd
>S.?...... /usr/sbin/luseradd
>S.?...... /usr/sbin/luserdel
>S.?...... /usr/sbin/lusermod
>
>each with a line like:
>prelink: /usr/lib/liblwres.so.1.1.2: at least one of file's
>dependencies has changed since prelinking
>prelink: /usr/bin/dig: at least one of file's dependencies has changed
>since prelinking
>prelink: /usr/bin/host: at least one of file's dependencies has
>changed since prelinking
>prelink: /usr/bin/nslookup: at least one of file's dependencies has
>changed since prelinking
>prelink: /usr/bin/nsupdate: at least one of file's dependencies has
>changed since prelinking
>

There are several failures being detected. The '?' means those files were unreadable, so the md5 check could not be attempted.

The spew from prelink is there because rpm executes prelink --undo in order to verify DSO md5 sums; all that spew is from prelink, not rpm.

Rerunning the prelink cron job probably makes the spew go away as well.

>(there are scads of these, picked this one at random.
>Sorry, the first set of messages not coordinated with second.).
>
>I can 'make these go away' by reinstalling via
>'rpm -ivh --force yum-cached-package', and then
>'rpm -V' succeeds with no messages.
>
>Could yum/rpm/prelink be scribbling? Or am I chasing
>shadows?
>

Shadows amidst rpm --verify smoke and mirrors, yes ;-)

73 de Jeff

>tom
>

From selinux at gmail.com Mon Oct 11 18:24:19 2004
From: selinux at gmail.com (Tom London)
Date: Mon, 11 Oct 2004 11:24:19 -0700
Subject: prelink and yum conflict
In-Reply-To: <416AC9E5.7010006@nc.rr.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <416A7F02.9010601@nc.rr.com> <4c4ba15304101108085e38218@mail.gmail.com> <416AC9E5.7010006@nc.rr.com>
Message-ID: <4c4ba15304101111244c2f4ef3@mail.gmail.com>

Thanks. I'll run/wait-for the crond prelink to run and recheck.

I still have no notion why packages like GConf2, libbonobo, etc. would start failing. Any thoughts?

tom

On Mon, 11 Oct 2004 13:59:01 -0400, Jeff Johnson wrote:
> Tom London wrote:
>
> >I've been running this system strict/enforcing most of the time
> >(running strict/permissive when the policy is wedged).
> >
> >After 'yum update' a few days ago, after observing the
> >'prelink messages' noted above, lots of stuff started
> >breaking, like gconftool-2, gnome-terminal, bononbo-activation-server,
> >etc. Each would fail with segmentation faults.
> >
> >These could all be repaired by reinstalling the 'appropriate'
> >package (e.g., GConf2, gnome-terminal, libbonobo, ....) via
> >'rpm -ivh --force yum-cached-package'
> >
> >Following a suggestion from fedora-test-list, I started running
> >'rpm -V' (in permissive mode) on my installed packages. Many of these
> >fail, e.g.:
<<< SNIP >>>
> There are several failure being detected. The '?' means those
> files were unreadable, so md5 check could not be attempted.
>
> The spew from prelink is there because rpm executes prelink --undo in
> order to verify DSO md5 sums, all that spew is from prelink, not rpm.
>
> Rerunning the prelink cron job probably makes the spew go away as well.
>
> >(there are scads of these, picked this one at random.
> >Sorry, the first set of messages not coordinated with second.).
> >
> >I can 'make these go away' by reinstalling via
> >'rpm -ivh --force yum-cached-package', and then
> >'rpm -V' succeeds with no messages.
> >
> >Could yum/rpm/prelink be scribbling? Or am I chasing
> >shadows?
> >
>
> Shadows amidst rpm --verify smoke and mirrors, yes ;-)
>
> 73 de Jeff
>
> >tom
> >

--
Tom London

From wolfy at zig-zag.net Mon Oct 11 20:23:46 2004
From: wolfy at zig-zag.net (lonely wolf)
Date: Mon, 11 Oct 2004 23:23:46 +0300
Subject: Where to find libselinux-devel-1.11.4-1.src.rpm ?
In-Reply-To: <20041011151253.40271.qmail@web50604.mail.yahoo.com>
References: <20041011151253.40271.qmail@web50604.mail.yahoo.com>
Message-ID: <416AEBD2.8030401@zig-zag.net>

Steve G wrote:
>>But what I want to get is libselinux-devel-1.11.4-1.src.rpm, not the
>>libselinux-1.11.4-1.src.rpm one. I think these two are not the same thing.
>
> They are the same thing. The src rpm produces 2 rpm packages. The shared object
> libraries in one and the headers+static libraries in the devel rpm. There's one
> source which produces 2 rpms.
>

Actually there is NO libselinux-devel-1.11.4-1.src.rpm, but libselinux-devel-1.11.4-1.rpm (binary, obtained together with its twin package libselinux-1.11.4-1.rpm from libselinux-1.11.4-1.src.rpm).

As a general rule, the 'whatever.src.rpm' package will produce, as Steve has explained, one package 'whatever.rpm' (runtime, if you want) which includes the shared object libraries + executables and - if needed/available - another 'whatever-devel.rpm' ("development" package).

From ryan.graham at gmail.com Mon Oct 11 22:32:46 2004
From: ryan.graham at gmail.com (Ryan Graham)
Date: Mon, 11 Oct 2004 15:32:46 -0700
Subject: vsftpd cannot access home directories
Message-ID: <42efd069041011153267bae012@mail.gmail.com>

What am I looking at here?

This is a mostly default install on FC2. There were some other changes to vsftpd.conf, but they didn't seem relevant.

chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES

Response: 500 OOPS: cannot change directory:/home/media
Response: 500 OOPS: child died

audit(1097532459.593:0): avc: denied { getattr } for pid=2281 exe=/usr/sbin/vsftpd path=/proc/2281/mounts dev= ino=149487632 scontext=system_u:system_r:ftpd_t tcontext=system_u:system_r:ftpd_t tclass=file
audit(1097532459.653:0): avc: denied { search } for pid=2285 exe=/usr/sbin/vsftpd name=media dev=hda2 ino=5210119 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir

From mitch48 at sbcglobal.net Tue Oct 12 00:53:13 2004
From: mitch48 at sbcglobal.net (Tom Mitchell)
Date: Mon, 11 Oct 2004 17:53:13 -0700
Subject: Intro
In-Reply-To: <200410101510.28773.russell@coker.com.au>
References: <1097266068.11255.21.camel@erhva.localdomain> <200410101510.28773.russell@coker.com.au>
Message-ID: <20041012005313.GC8995@xtl1.xtl.tenegg.com>

On Sun, Oct 10, 2004 at 03:10:28PM +1000, Russell Coker wrote:
> On Sat, 9 Oct 2004 06:07, Temlakos wrote:
> > What do I need to consider when building
> > and running a new application in an SELinux environment? Those of you
> > out there running SELinux in enforcement mode--do you have any insights
> > you can share with me?
>
> Generally a well written program will not have any difficulties at all

Since Temlakos mentioned building a database, what model of data management should he consider?

On the surface SELinux could put a fence around the database and data, but if the database had data that rightly belonged in multiple domains I suspect he has a problem that is not clearly addressed by tossing SELinux into the pot.

--
T o m M i t c h e l l
Me, I would "Rather" Not.

From Valdis.Kletnieks at vt.edu Tue Oct 12 01:03:12 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 11 Oct 2004 21:03:12 -0400
Subject: Intro
In-Reply-To: Your message of "Mon, 11 Oct 2004 17:53:13 PDT." <20041012005313.GC8995@xtl1.xtl.tenegg.com>
References: <1097266068.11255.21.camel@erhva.localdomain> <200410101510.28773.russell@coker.com.au> <20041012005313.GC8995@xtl1.xtl.tenegg.com>
Message-ID: <200410120103.i9C13CDf029238@turing-police.cc.vt.edu>

On Mon, 11 Oct 2004 17:53:13 PDT, Tom Mitchell said:
> Since Temlakos mentioned building a database what model of data
> management should he consider.
>
> On the surface SELinux could put a fence around the database and data
> but if the database had data that rightly belonged in multiple domains
> I suspect he has a problem that is not clearly addressed by tossing
> SELinux into the pot.

Well, if his application is well behaved, he can at least ensure that the data in the backend store can only be accessed via means mediated by the application's access control mechanisms. In other words, no trawling the database by using 'strings' (or a more sophisticated program to read Sleepycat/mysql/oracle/whatever formats)....

If there's data from multiple security domains inside the database, then of course the database will have to do its own work there.
Didn't somebody have a patch/code/trick for getting an Apache server to change contexts when it ran different CGI's, or am I hallucinating? That sounds like it might be applicable here (although I seem to remember it being shot down or died of bit-rot as things evolved)....

From justin.conover at gmail.com Tue Oct 12 05:20:56 2004
From: justin.conover at gmail.com (Justin Conover)
Date: Tue, 12 Oct 2004 00:20:56 -0500
Subject: vsftpd cannot access home directories
In-Reply-To: <42efd069041011153267bae012@mail.gmail.com>
References: <42efd069041011153267bae012@mail.gmail.com>
Message-ID:

On Mon, 11 Oct 2004 15:32:46 -0700, Ryan Graham wrote:
> What am I looking at here?
>
> This is a mostly default install on FC2. There were some other changes
> to vsftpd.conf, but they didnt seem relevant.
>
> chroot_local_user=YES
> pam_service_name=vsftpd
> userlist_enable=YES
> #enable for standalone mode
> listen=YES
> tcp_wrappers=YES
>
> Response: 500 OOPS: cannot change directory:/home/media
> Response: 500 OOPS: child died
>
> audit(1097532459.593:0): avc: denied { getattr } for pid=2281
> exe=/usr/sbin/vsftpd path=/proc/2281/mounts dev= ino=149487632
> scontext=system_u:system_r:ftpd_t tcontext=system_u:system_r:ftpd_t
> tclass=file
> audit(1097532459.653:0): avc: denied { search } for pid=2285
> exe=/usr/sbin/vsftpd name=media dev=hda2 ino=5210119
> scontext=system_u:system_r:ftpd_t
> tcontext=system_u:object_r:user_home_dir_t tclass=dir
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

If you want your local users to access the server, you will need:

# Uncomment this to allow local users to log in.
local_enable=YES

If you want them to write/upload:

# Uncomment this to enable any form of FTP write command.
write_enable=YES

The:

# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES

will keep your user "jailed" so that if someone is snooping your ftp (clear text) they can't get any further than your user's dir.

From sds at epoch.ncsc.mil Tue Oct 12 12:57:28 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 12 Oct 2004 08:57:28 -0400
Subject: prelink and yum conflict
In-Reply-To: <200410111634.12567.russell@coker.com.au>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au>
Message-ID: <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2004-10-11 at 02:34, Russell Coker wrote:
> On Sat, 9 Oct 2004 02:14, Stephen Smalley wrote:
> > /etc/ld.so.cache is supposed to be labeled ld_so_cache_t.
>
> ldconfig is being executed directly from rpm not via "sh -c ldconfig". This
> means that it doesn't transition to ldconfig_t.
>
> Jeff, please change rpm to use "sh -c" for spawning all scripts including
> ldconfig and /usr/sbin/glibc_post_upgrade. Should I file a bugzilla against
> rpm?

Ironically, this used to work with the older rpm that did not setexeccon to rpm_script_t for binaries, as there was a transition from rpm_t to ldconfig_t in the policy. But since we asked Jeff to change the behavior, the explicit setexeccon takes precedence over the default transition, and ldconfig ends up running in rpm_script_t directly then.
--
Stephen Smalley
National Security Agency

From n3npq at nc.rr.com Tue Oct 12 13:27:21 2004
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Tue, 12 Oct 2004 09:27:21 -0400
Subject: prelink and yum conflict
In-Reply-To: <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <416BDBB9.1090309@nc.rr.com>

Stephen Smalley wrote:

>On Mon, 2004-10-11 at 02:34, Russell Coker wrote:
>
>>On Sat, 9 Oct 2004 02:14, Stephen Smalley wrote:
>>
>>>/etc/ld.so.cache is supposed to be labeled ld_so_cache_t.
>>>
>>ldconfig is being executed directly from rpm not via "sh -c ldconfig". This
>>means that it doesn't transition to ldconfig_t.
>>
>>Jeff, please change rpm to use "sh -c" for spawning all scripts including
>>ldconfig and /usr/sbin/glibc_post_upgrade. Should I file a bugzilla against
>>rpm?
>>
>
>Ironically, this used to work with the older rpm that did not setexeccon
>to rpm_script_t for binaries, as there was a transition from rpm_t to
>ldconfig_t in the policy. But since we asked Jeff to change the
>behavior, the explicit setexeccon takes precedence over the default
>transition, and ldconfig ends up running in rpm_script_t directly then.
>

Not so much irony as difficult coordination. Compiling "rpm_script_t" into rpm is gonna be difficult coordination, and now that there are two behaviors, support is gonna get messy too.

I'm open for better ideas, would like to have the choice of "rpm_script_t" exec type in libselinux even though the mechanism is of necessity in rpm.

How about a simple routine: I pass the interpreter (i.e. "/bin/sh" or "/sbin/ldconfig"), and libselinux gives me the IDENTITY:ROLE:TYPE to set.

Even better, rpm will fork, then give libselinux argv[0] before doing execve. Then libselinux can do whatever it wants.
You can have argv, not just argv[0], if you want too. ;-)

Sound like a plan?

73 de Jeff

From n3npq at nc.rr.com Tue Oct 12 14:03:31 2004
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Tue, 12 Oct 2004 10:03:31 -0400
Subject: prelink and yum conflict
In-Reply-To: <416BDBB9.1090309@nc.rr.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil> <416BDBB9.1090309@nc.rr.com>
Message-ID: <416BE433.3080302@nc.rr.com>

Jeff Johnson wrote:
>
> Not so much irony as difficult coordination. Compiling "rpm_script_t"
> into rpm is
> gonna be difficult coordination, and now that there are two behaviors,
> support
> is gonna get messy too.
>
> I'm open for better ideas, would like to have the choice of
> "rpm_script_t" exec type in libselinux
> even though mechanism is of necessity in rpm.
>
> How about a simple routine, I pass the interpreter (i.e. "/bin/sh" or
> "/sbin/ldconfig"), and
> libselinux gives me the IDENTITY:ROLE:TYPE to set.
>
> Even better, rpm will fork, then give libselinux argv[0] before doing
> execve. Then libselinux
> can do whatever it wants.
>
> You can have argv, not just argv[0] if you want too. ;-)

Better still, how about a libselinux_execve() clone. No reason why libselinux should not do the execve as well afaict.
73 de Jeff

From sds at epoch.ncsc.mil Tue Oct 12 14:05:52 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 12 Oct 2004 10:05:52 -0400
Subject: prelink and yum conflict
In-Reply-To: <416BDBB9.1090309@nc.rr.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil> <416BDBB9.1090309@nc.rr.com>
Message-ID: <1097589952.29271.139.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2004-10-12 at 09:27, Jeff Johnson wrote:
> Not so much irony as difficult coordination. Compiling "rpm_script_t"
> into rpm is
> gonna be difficult coordination, and now that there are two behaviors,
> support
> is gonna get messy too.
>
> I'm open for better ideas, would like to have the choice of
> "rpm_script_t" exec type in libselinux
> even though mechanism is of necessity in rpm.
>
> How about a simple routine, I pass the interpreter (i.e. "/bin/sh" or
> "/sbin/ldconfig"), and
> libselinux gives me the IDENTITY:ROLE:TYPE to set.
>
> Even better, rpm will fork, then give libselinux argv[0] before doing
> execve. Then libselinux
> can do whatever it wants.
>
> You can have argv, not just argv[0] if you want too. ;-)
>
> Sound like a plan?

Sounds reasonable. libselinux would presumably fetch the context of the interpreter/helper via getfilecon(), then call security_compute_create() to see if there is a default transition defined for the interpreter/helper, and if not, then explicitly setexeccon() to rpm_script_t. Might want to also pass the result of the signature verify as a further input in selecting the desired domain.
-- Stephen Smalley National Security Agency From sds at epoch.ncsc.mil Tue Oct 12 14:11:00 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Tue, 12 Oct 2004 10:11:00 -0400 Subject: prelink and yum conflict In-Reply-To: <416BE433.3080302@nc.rr.com> References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil> <416BDBB9.1090309@nc.rr.com> <416BE433.3080302@nc.rr.com> Message-ID: <1097590260.29271.145.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2004-10-12 at 10:03, Jeff Johnson wrote: > Better still, how about libselinux_execve() clone. no reason why libselinux > should not do the execve as well afaict. Hmmm..that lends itself to interface spread, as people will then want libselinux_execl*, libselinux_execvp, ... and possibly even libselinux_popen, as opposed to just a setexeccon-like function that can be called prior to any of those normal calls. We actually had execve_secure() in the old SELinux API, but were forced to migrate to setexeccon();execve(); as part of mainstream inclusion. -- Stephen Smalley National Security Agency From n3npq at nc.rr.com Tue Oct 12 14:44:32 2004 From: n3npq at nc.rr.com (Jeff Johnson) Date: Tue, 12 Oct 2004 10:44:32 -0400 Subject: prelink and yum conflict In-Reply-To: <1097590260.29271.145.camel@moss-spartans.epoch.ncsc.mil> References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil> <416BDBB9.1090309@nc.rr.com> <416BE433.3080302@nc.rr.com> <1097590260.29271.145.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <416BEDD0.6050301@nc.rr.com> Stephen Smalley wrote: >On Tue, 2004-10-12 at 10:03, Jeff Johnson wrote: > > >>Better still, how about libselinux_execve() clone. no reason why libselinux >>should not do the execve as well afaict. 
>> >> > >Hmmm..that lends itself to interface spread, as people will then want >libselinux_execl*, libselinux_execvp, ... and possibly even >libselinux_popen, as opposed to just a setexeccon-like function that can >be called prior to any of those normal calls. We actually had >execve_secure() in the old SELinux API, but were forced to migrate to >setexeccon();execve(); as part of mainstream inclusion. > > Interface spread appreciated, but whether application or library does execve(2) is pehaps not the important issue. A hook called afetr fork(2) to permit libselinux to change the execution environment opaquely is what rpm seeks, execve(2) clone is a rather natural way to define the necessary API imho. But if you want rpm (or application) to do its own execve(2), well, that works too. The issue for rpm is opaqueness, i.e. not compiling "rpm_script_t" and the decision algorithm into rpmlib. 73 de Jeff From n3npq at nc.rr.com Tue Oct 12 15:01:27 2004 From: n3npq at nc.rr.com (Jeff Johnson) Date: Tue, 12 Oct 2004 11:01:27 -0400 Subject: prelink and yum conflict In-Reply-To: <1097589952.29271.139.camel@moss-spartans.epoch.ncsc.mil> References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil> <416BDBB9.1090309@nc.rr.com> <1097589952.29271.139.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <416BF1C7.1030805@nc.rr.com> Stephen Smalley wrote: >Sounds reasonable. libselinux would presumably fetch the context of the >interpreter/helper via getfilecon(), then call security_compute_create() >to see if there is a default transition defined for the >interpreter/helper, and if not, then explicitly setexeccon() to >rpm_script_t. Might want to also pass the result of the signature >verify as a further input in selecting the desired domain. > Do you want just result or do you want {plaintext,signature,pubkey} triple? 
I suppose a simple container struct with both could be arranged,
something like

    struct {
        int verifiedreturncode;    /* 0 == OK, 1 == notfound(unused), 2 == verifyfail,
                                      3 == nottrusted, 4 == nokey */
        byte * plaintext;
        size_t plaintextlen;
        enum pktencodingtype encoding;  /* OpenPGP, X.509, whatever */
        byte * signature;
        size_t signaturelen;
        byte * pubkey;
        size_t pubkeylen;
    };

starts to permit reasonably paranoid libselinux extensions into the land
of signature verification.

Yes, there are a slew of issues involving algorithms and parsing and
more that selinux perhaps does not want to bite into quite yet.

73 de Jeff

From selinux at gmail.com  Tue Oct 12 15:03:27 2004
From: selinux at gmail.com (Tom London)
Date: Tue, 12 Oct 2004 08:03:27 -0700
Subject: prelink and yum conflict
In-Reply-To: <416BEDD0.6050301@nc.rr.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil> <416BDBB9.1090309@nc.rr.com> <416BE433.3080302@nc.rr.com> <1097590260.29271.145.camel@moss-spartans.epoch.ncsc.mil> <416BEDD0.6050301@nc.rr.com>
Message-ID: <4c4ba153041012080320a86633@mail.gmail.com>

Sorry to belabor this....but running strict/enforcing, here is a subset
of the messages from 'yum update' of today's Rawhide:

gnome-vfs2 100 % done 3/161
/sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
error: %post(gnome-vfs2-2.8.2-1.i386) scriptlet failed, exit status 1
gail 100 % done 4/161
mozilla-nspr 100 % done 5/161
error: %post(mozilla-nspr-1.7.3-13.i386) scriptlet failed, exit status 1
eel2 100 % done 6/161
rpm-libs 100 % done 7/161
ImageMagick 100 % done 8/161
grep 100 % done 9/161
pam 100 % done 10/161
/sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
mozilla-nss 100 % done 11/161
error: %post(mozilla-nss-1.7.3-13.i386) scriptlet failed, exit status 1
mozilla 100 % done 12/161
sane-backends 100 % done 13/161
rpm 100 % done 14/161
/sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
cups-libs 100 % done 15/161
libuser 100 % done 16/161
/sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
error: %post(libuser-0.52.5-1.i386) scriptlet failed, exit status 1
ImageMagick-c++ 100 % done 17/161
nautilus 100 % done 78/161
/sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
nautilus-cd-burner 100 % done 79/161
/sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
control-center 100 % done 80/161
/sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied

rpm -V of the above packages is non-eventful, except for libuser:

.......T. c /etc/libuser.conf
..5....T.   /usr/bin/lchfn
..5....T.   /usr/bin/lchsh
..5....T.   /usr/lib/libuser.so.1.1.1
..5....T.   /usr/lib/libuser/libuser_files.so
..5....T.   /usr/lib/libuser/libuser_ldap.so
..5....T.   /usr/lib/libuser/libuser_shadow.so
S.5....T.   /usr/lib/python2.3/site-packages/libusermodule.so
..5....T.   /usr/sbin/lchage
..5....T.   /usr/sbin/lgroupadd
..5....T.   /usr/sbin/lgroupdel
..5....T.   /usr/sbin/lgroupmod
..5....T.   /usr/sbin/lid
..5....T.   /usr/sbin/lnewusers
..5....T.   /usr/sbin/lpasswd
..5....T.   /usr/sbin/luseradd
..5....T.   /usr/sbin/luserdel
..5....T.   /usr/sbin/lusermod
.......T.   /usr/share/locale/ar/LC_MESSAGES/libuser.mo
<<>>

Is this safe to ignore?  Should I reinstall offending packages
running in permissive mode?  Other?

tom

On Tue, 12 Oct 2004 10:44:32 -0400, Jeff Johnson wrote:
> Stephen Smalley wrote:
>
> >On Tue, 2004-10-12 at 10:03, Jeff Johnson wrote:
> >
> >>Better still, how about libselinux_execve() clone. no reason why libselinux
> >>should not do the execve as well afaict.
> >>
> >
> >Hmmm..that lends itself to interface spread, as people will then want
> >libselinux_execl*, libselinux_execvp, ...
> >and possibly even
> >libselinux_popen, as opposed to just a setexeccon-like function that can
> >be called prior to any of those normal calls.  We actually had
> >execve_secure() in the old SELinux API, but were forced to migrate to
> >setexeccon();execve(); as part of mainstream inclusion.
> >
>
> Interface spread appreciated, but whether application or library does
> execve(2) is perhaps not the important issue.
>
> A hook called after fork(2) to permit libselinux to change the execution
> environment opaquely is what rpm seeks, execve(2) clone is a rather natural
> way to define the necessary API imho.
>
> But if you want rpm (or application) to do its own execve(2), well, that
> works too. The issue for rpm is opaqueness, i.e. not compiling
> "rpm_script_t" and the decision algorithm into rpmlib.
>
> 73 de Jeff
>

-- 
Tom London

From n3npq at nc.rr.com  Tue Oct 12 15:21:34 2004
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Tue, 12 Oct 2004 11:21:34 -0400
Subject: prelink and yum conflict
In-Reply-To: <4c4ba153041012080320a86633@mail.gmail.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil> <416BDBB9.1090309@nc.rr.com> <416BE433.3080302@nc.rr.com> <1097590260.29271.145.camel@moss-spartans.epoch.ncsc.mil> <416BEDD0.6050301@nc.rr.com> <4c4ba153041012080320a86633@mail.gmail.com>
Message-ID: <416BF67E.1020800@nc.rr.com>

Tom London wrote:

>
>Is this safe to ignore?  Should I reinstall offending packages
>running in permissive mode?  Other?
>

/etc/ld.so* has wrong file context. You should see a 'C' in the last
character of the verify output if the ondisk file context does not match
whatever is returned by applying selinux regexes.

Note that this assumes the files are in a package, that may not be the
case for /etc/ld.so.cache.

Here's an example of some file context failures:

    # rpm -Vf /etc/ld.so*
    ........C /usr/lib/gconv/gconv-modules.cache
    ........C /usr/lib/gconv/gconv-modules.cache
    ........C /usr/lib/gconv/gconv-modules.cache
    file /etc/ld.so.conf.rpmnew is not owned by any package

HTH

73 de Jeff

From n3npq at nc.rr.com  Tue Oct 12 15:47:33 2004
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Tue, 12 Oct 2004 11:47:33 -0400
Subject: prelink and yum conflict
In-Reply-To: <416BF67E.1020800@nc.rr.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil> <416BDBB9.1090309@nc.rr.com> <416BE433.3080302@nc.rr.com> <1097590260.29271.145.camel@moss-spartans.epoch.ncsc.mil> <416BEDD0.6050301@nc.rr.com> <4c4ba153041012080320a86633@mail.gmail.com> <416BF67E.1020800@nc.rr.com>
Message-ID: <416BFC95.6070300@nc.rr.com>

Jeff Johnson wrote:

> # rpm -Vf /etc/ld.so*
> ........C /usr/lib/gconv/gconv-modules.cache
> ........C /usr/lib/gconv/gconv-modules.cache
> ........C /usr/lib/gconv/gconv-modules.cache
> file /etc/ld.so.conf.rpmnew is not owned by any package

Actually only one failure repeated three times because of the sloppy glob.
73 de Jeff

From sds at epoch.ncsc.mil  Tue Oct 12 16:37:57 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 12 Oct 2004 12:37:57 -0400
Subject: prelink and yum conflict
In-Reply-To: <416BF1C7.1030805@nc.rr.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil> <416BDBB9.1090309@nc.rr.com> <1097589952.29271.139.camel@moss-spartans.epoch.ncsc.mil> <416BF1C7.1030805@nc.rr.com>
Message-ID: <1097599076.29271.277.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2004-10-12 at 11:01, Jeff Johnson wrote:
> Do you want just result or do you want {plaintext,signature,pubkey} triple?
>
> I suppose a simple container struct with both could be arranged,
> something like
>
> struct {
>     int verifiedreturncode; /* 0 == OK, 1 == notfound(unused), 2 ==
> verifyfail, 3 == nottrusted 4 == nokey */
>     byte * plaintext;
>     size_t plaintextlen;
>     enum pktencodingtype /* OpenPGP, X.509, whatever */
>     byte * signature;
>     size_t signaturelen
>     byte * pubkey;
>     size_t pubkeylen;
> };
>
> starts to permit reasonably paranoid libselinux extensions into the land
> of signature verification.
>
> Yes, there are a slew of issues involving algorithms and parsing and
> more that selinux perhaps does not want to bite into quite yet.

I'd say just pass the verify return code for now.  And any flags passed
by the caller that are relevant, e.g. explicit ignore of signature
verification by sysadmin.

-- 
Stephen Smalley
National Security Agency

From jakub at redhat.com  Mon Oct 11 07:40:39 2004
From: jakub at redhat.com (Jakub Jelinek)
Date: Mon, 11 Oct 2004 03:40:39 -0400
Subject: prelink and yum conflict
In-Reply-To: <20041011065241.GA5873@dudweiler.stuttgart.redhat.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <20041011065241.GA5873@dudweiler.stuttgart.redhat.com>
Message-ID: <20041011074039.GA31909@devserv.devel.redhat.com>

On Mon, Oct 11, 2004 at 08:52:41AM +0200, Florian La Roche wrote:
> On Mon, Oct 11, 2004 at 04:34:12PM +1000, Russell Coker wrote:
> > On Sat, 9 Oct 2004 02:14, Stephen Smalley wrote:
> > > /etc/ld.so.cache is supposed to be labeled ld_so_cache_t.
> >
> > ldconfig is being executed directly from rpm not via "sh -c ldconfig".  This
> > means that it doesn't transition to ldconfig_t.
> >
> > Jeff, please change rpm to use "sh -c" for spawning all scripts including
> > ldconfig and /usr/sbin/glibc_post_upgrade.  Should I file a bugzilla against
> > rpm?
>
> Is this even possible for glibc_post_upgrade?

Nope, at least not until sh is installed.  Similarly with
libgcc_post_upgrade, plus I think there is a bunch of %post -p /sbin/ldconfig
scriptlets that can be installed before shell too.

	Jakub

From wasabi at larvalstage.net  Wed Oct 13 01:14:16 2004
From: wasabi at larvalstage.net (Jerry Haltom)
Date: Tue, 12 Oct 2004 20:14:16 -0500
Subject: SELinux and the Desktop
Message-ID: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net>

Howdy. I really have nothing at all to do with Fedora, don't use it.
Never even seen it. However, you seem to be the only group interested in
SELinux for the masses, so I'm going to lay out an idea I've had.

SELinux has a place on the desktop. Currently, a large piece is missing
from the desktop security landscape. Users can receive, by email or IM,
executable files.
These can be in the form of actual real binaries, pseudo-binaries
(flash), or script languages (javascript, html, etc). Up to now the
current attitude has been "don't open files you don't trust, don't go to
websites you don't trust, don't run scripts you don't trust". This "rule"
ignores one common principle. USERS DON'T CARE! It doesn't matter that
they SHOULDN'T open an executable their friend or co-worker sends them,
they will anyways. Is this so bad? I don't think so.

So here's where SELinux comes in. SELinux allows the system to place
restrictions on executable programs beyond that offered by the user
identity itself. It allows you to audit, and deny syscall execution,
which is every program's interface to the world. So why can't one program
place SELinux policies on other software? Why can't a desktop interface
listen for faults in SELinux, change those policies based on the user's
actions or requests, and let the program continue, at runtime?

Consider the following example:

Bob receives an executable from his co-worker Joe. Bob opens it from his
email. His email client sets up a policy restricting all access to
everything, except maybe /tmp, and the obvious, the program runs. Oh no!
It's a virus! The program attempts to establish a connection to Bob's
address book (exposed by evolution data server). SELinux detects the
program's attempts to open a socket that it was not allowed to do. The
program blocks on the syscall. SELinux is configured to continue blocking
the program until told otherwise. SELinux locates a D-BUS daemon for Bob
and notifies it about the security event.

Running as Bob is sec-policy-daemon which is listening to D-BUS for fault
notifications. This daemon reads the information Bob's email client
attached to the process. The information reads as follows:

1) don't allow the program to do anything except read/write to /tmp
2) do allow the program to open outgoing ports after notifying the user

The daemon realizes that the action isn't allowed, but that it could be
allowed if the user consents to it, so the daemon pops up on the user's
desktop a nice dialog box, "The application Blah has attempted to access
the file /tmp/contact-socket (or whatever). Do you want to allow this
action?" Most likely this dialog would ask for the user's password again.
Upon receiving a "Yes", SELinux would be instructed to allow the program
to access the socket. If the user presses Yes, the process ceases being
blocked, and goes on. In the case of No, the process will probably die. ;0

Of course this policy would be configurable. In some offices admins would
probably not want the user to even have the option to open outgoing ports
from downloaded software, they just don't want to take the risk. In some
home circumstances, it might be a little bit looser. It's up to you.

What this does is let users do what they will do anyways: run the
program. You won't stop them, I won't stop them, and we probably
shouldn't. We should make it so they CAN without risk to their systems.

Do enjoy. I hope you guys do something with this. It's what we need.

Jerry Haltom
wasabi at larvalstage.net

From cra at WPI.EDU  Wed Oct 13 02:51:14 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Tue, 12 Oct 2004 22:51:14 -0400
Subject: SELinux and the Desktop
In-Reply-To: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net>
References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net>
Message-ID: <20041013025114.GG17571@angus.ind.WPI.EDU>

On Tue, Oct 12, 2004 at 08:14:16PM -0500, Jerry Haltom wrote:
> The daemon realizes that the action isn't allowed, but that it could be
> allowed if the user consents to it, so the daemon pops up on the user's
> desktop a nice dialog box, "The application Blah has attempted to
> access the file /tmp/contact-socket (or whatever). Do you want to allow
> this action?" Most likely this dialog would ask for the user's
> password again. Upon receiving a "Yes", SELinux would be instructed to
> allow the program to access the socket. If the user presses Yes, the
> process ceases being blocked, and goes on. In the case of No, the
> process will probably die. ;0
[...]
> What this does is let users do what they will do anyways: run the
> program. You won't stop them, I won't stop them, and we probably
> shouldn't. We should make it so they CAN without risk to their systems.

What's to stop a user from always clicking "Yes"?  What makes you think
that those same users who download/open attachments that are executables
without thinking/understanding the consequences will be any smarter when
they are asked whether or not to allow a program to perform some obscure
system internal function that they have even less of a chance
understanding?  I don't think it is advantageous to give the user choices
they don't have any chance of understanding.

The current Fedora strict SELinux policy already restricts some
network-facing desktop applications, such as Mozilla.
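Editor's added example, going back to the prelink-and-yum thread above: it is not code from any message in that thread, nor from rpm or libselinux, but a worked version of the helper Stephen Smalley sketched (getfilecon() on the interpreter, security_compute_create() to see whether policy already defines a transition, otherwise setexeccon() to rpm_script_t), with the signature-verify return code and a caller flag as the extra inputs he asked for. The context-selection logic is pure string handling so it runs anywhere; the libselinux calls are only compiled in with -DHAVE_SELINUX. The flag name RPMSCRIPT_NOSIGVERIFY, the function names and the choice to refuse an unverified scriptlet outright (rather than pick some other domain) are this example's assumptions, not the thread's. It assumes a plain "user:role:type[:range]" context string.

```c
#define _GNU_SOURCE                /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SELINUX                /* real libselinux calls only when built with -DHAVE_SELINUX */
#include <selinux/selinux.h>
#endif

/* Signature-verify return codes as sketched by Jeff Johnson in the thread. */
enum { VERIFY_OK = 0, VERIFY_NOTFOUND = 1, VERIFY_FAIL = 2,
       VERIFY_NOTTRUSTED = 3, VERIFY_NOKEY = 4 };

/* Hypothetical caller flag: sysadmin explicitly chose to ignore verification. */
#define RPMSCRIPT_NOSIGVERIFY 0x1

/* Replace the type field of "user:role:type[:range]"; malloc'd result, NULL if malformed. */
static char *replace_type(const char *ctx, const char *newtype)
{
    const char *c1 = strchr(ctx, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    if (c2 == NULL)
        return NULL;
    const char *range = strchr(c2 + 1, ':');            /* optional MLS range */
    size_t prefix = (size_t)(c2 + 1 - ctx);
    char *out = malloc(prefix + strlen(newtype) + (range ? strlen(range) : 0) + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, ctx, prefix);
    strcpy(out + prefix, newtype);
    if (range)
        strcat(out, range);
    return out;
}

/*
 * Pick the context a scriptlet helper should execute in.
 *   caller   - context of the rpm process itself (getcon())
 *   computed - what security_compute_create(caller, helper_file_ctx, process)
 *              returned; equals caller (or is NULL) when policy has no transition
 *   verifyrc - signature verify result; flags - caller flags
 * Returns a malloc'd context, or NULL meaning "refuse to run the scriptlet".
 */
char *choose_exec_context(const char *caller, const char *computed,
                          int verifyrc, unsigned flags)
{
    if (verifyrc != VERIFY_OK && !(flags & RPMSCRIPT_NOSIGVERIFY))
        return NULL;                                    /* unverified: refuse */
    if (computed && strcmp(computed, caller) != 0)
        return strdup(computed);                        /* policy has a transition */
    return replace_type(caller, "rpm_script_t");        /* else force rpm_script_t */
}

/* Check helper: does choose_exec_context() yield `expected` (NULL = refusal)? */
int exec_context_is(const char *caller, const char *computed, int verifyrc,
                    unsigned flags, const char *expected)
{
    char *got = choose_exec_context(caller, computed, verifyrc, flags);
    int same = got ? (expected != NULL && strcmp(got, expected) == 0)
                   : (expected == NULL);
    free(got);
    return same;
}

#ifdef HAVE_SELINUX
/* Runs in the child between fork() and execve(): the opaque hook rpm asked for. */
int rpm_prepare_script_exec(const char *helper, int verifyrc, unsigned flags)
{
    char *caller = NULL, *helperctx = NULL, *computed = NULL, *target;
    int rc = -1;
    if (getcon(&caller) < 0 || getfilecon(helper, &helperctx) < 0)
        goto out;
    if (security_compute_create(caller, helperctx,
                                string_to_security_class("process"), &computed) < 0)
        goto out;
    target = choose_exec_context(caller, computed, verifyrc, flags);
    if (target) {
        rc = setexeccon(target);          /* the following execve() transitions */
        free(target);
    }
out:
    freecon(caller); freecon(helperctx); freecon(computed);
    return rc;
}
#endif

int main(void)
{
    const char *rpm = "system_u:system_r:rpm_t";
    char *c = choose_exec_context(rpm, rpm, VERIFY_OK, 0);
    printf("no transition, signature OK -> %s\n", c ? c : "(refused)");
    free(c);
    c = choose_exec_context(rpm, "system_u:system_r:ldconfig_t", VERIFY_OK, 0);
    printf("policy transition present   -> %s\n", c ? c : "(refused)");
    free(c);
    c = choose_exec_context(rpm, rpm, VERIFY_NOKEY, 0);
    printf("no key, no override         -> %s\n", c ? c : "(refused)");
    free(c);
    return 0;
}
```

The split keeps the decision algorithm out of rpmlib, which is the opaqueness Jeff Johnson asked for: rpm passes the helper path, the verify result and its flags, and everything that names rpm_script_t or consults the policy lives on the libselinux side of the call.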
From walters at redhat.com  Wed Oct 13 13:59:16 2004
From: walters at redhat.com (Colin Walters)
Date: Wed, 13 Oct 2004 09:59:16 -0400
Subject: Intro
In-Reply-To: <200410120103.i9C13CDf029238@turing-police.cc.vt.edu>
References: <1097266068.11255.21.camel@erhva.localdomain> <200410101510.28773.russell@coker.com.au> <20041012005313.GC8995@xtl1.xtl.tenegg.com> <200410120103.i9C13CDf029238@turing-police.cc.vt.edu>
Message-ID: <1097675956.13803.18.camel@decepticon.boston.redhat.com>

On Mon, 2004-10-11 at 21:03 -0400, Valdis.Kletnieks at vt.edu wrote:
> Didn't somebody
> have a patch/code/trick for getting an Apache server to change contexts when
> it ran different CGI's, or am I hallucinating?

You can do that already; just define different domains for your CGI
scripts, when Apache executes them it will transition, like it does now
for httpd_sys_script_t and httpd_user_script_t.

From walters at redhat.com  Wed Oct 13 14:22:32 2004
From: walters at redhat.com (Colin Walters)
Date: Wed, 13 Oct 2004 10:22:32 -0400
Subject: vsftpd cannot access home directories
In-Reply-To: <42efd069041011153267bae012@mail.gmail.com>
References: <42efd069041011153267bae012@mail.gmail.com>
Message-ID: <1097677352.13803.39.camel@decepticon.boston.redhat.com>

On Mon, 2004-10-11 at 15:32 -0700, Ryan Graham wrote:
> What am I looking at here?
>
> This is a mostly default install on FC2. There were some other changes
> to vsftpd.conf, but they didn't seem relevant.
>
> chroot_local_user=YES
> pam_service_name=vsftpd
> userlist_enable=YES
> #enable for standalone mode
> listen=YES
> tcp_wrappers=YES
>
> Response: 500 OOPS: cannot change directory:/home/media
> Response: 500 OOPS: child died
>
> audit(1097532459.593:0): avc: denied { getattr } for pid=2281
> exe=/usr/sbin/vsftpd path=/proc/2281/mounts dev= ino=149487632
> scontext=system_u:system_r:ftpd_t tcontext=system_u:system_r:ftpd_t
> tclass=file

This looks to be fixed in the latest policy.

> audit(1097532459.653:0): avc: denied { search } for pid=2285
> exe=/usr/sbin/vsftpd name=media dev=hda2 ino=5210119
> scontext=system_u:system_r:ftpd_t
> tcontext=system_u:object_r:user_home_dir_t tclass=dir

There is a policy boolean ftp_home_dir which you'd think, if turned on,
would allow access, but it appears to be broken.  Try inserting

allow ftpd_t user_home_dir_type:dir { search getattr };
rw_dir_create_file(ftpd_t,user_home_type);

inside the if (ftp_home_dir) {}.

From sds at epoch.ncsc.mil  Wed Oct 13 14:33:14 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Wed, 13 Oct 2004 10:33:14 -0400
Subject: vsftpd cannot access home directories
In-Reply-To: <1097677352.13803.39.camel@decepticon.boston.redhat.com>
References: <42efd069041011153267bae012@mail.gmail.com> <1097677352.13803.39.camel@decepticon.boston.redhat.com>
Message-ID: <1097677994.32468.231.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-10-13 at 10:22, Colin Walters wrote:
> There is a policy boolean ftp_home_dir which you'd think, if turned on,
> would allow access, but it appears to be broken.  Try inserting
>
> allow ftpd_t user_home_dir_type:dir { search getattr };
> rw_dir_create_file(ftpd_t,user_home_type);
>
> inside the if (ftp_home_dir) {}.

Under strict policy, this is handled via the
file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) line in
user_macros.te, which is wrapped by the conditional.  Note that the file
type transition rule is important to ensure that files created in the
user home directory get the correct type.

This reflects a general issue with strict vs. targeted; in many cases,
rules to per-userdomain types are granted via the user macros (sometimes
indirectly via an included program macro within the user macro) and the
user macros are not part of the targeted policy.  End result is that
targeted policy loses rules that may be important.
-- 
Stephen Smalley
National Security Agency

From walters at redhat.com  Wed Oct 13 15:00:06 2004
From: walters at redhat.com (Colin Walters)
Date: Wed, 13 Oct 2004 11:00:06 -0400
Subject: SELinux and the Desktop
In-Reply-To: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net>
References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net>
Message-ID: <1097679606.13803.67.camel@decepticon.boston.redhat.com>

On Tue, 2004-10-12 at 20:14 -0500, Jerry Haltom wrote:
> So here's where SELinux comes in. SELinux allows the system to place
> restrictions on executable programs beyond that offered by the user
> identity itself. It allows you to audit, and deny syscall execution,

Not precisely.  System calls aren't directly restricted; there are simply
hooks placed at security-relevant code paths in the kernel.  Not all
system calls are restricted, and not all permissions are obviously
mappable to one particular system call.  Also, you can have userspace
policy enforcers like D-BUS that aren't mappable to kernel syscalls at
all.

> So why can't one program place SELinux policies on other software?

SELinux provides mandatory access control, so the policy is generally
controlled centrally by a security administrator.  However, it is
possible right now for the administrator to allow some discretionary user
control over labeling.  That's what the Apache policy does.

> Why
> can't a desktop interface listen for faults in SELinux, change those
> policies based on the user's actions or requests, and let the program
> continue, at runtime?

The problem with this that I see is that it's very difficult to present
this to the user in a meaningful way.  Most users will simply have no
idea what's going on:

> 1) don't allow the program to do anything except read/write to /tmp
> 2) do allow the program to open outgoing ports after notifying the user

A lot of end users aren't going to know what /tmp, ports, or
evolution-data-server are.  Or even if they do, it's difficult to say
whether the program is actually doing something bad or not.

One major problem is that right now, without Security-Enhanced X, as soon
as you grant an untrusted application access to your X connection you
are screwed.  So it's basically impossible to usefully define a
"user_untrusted_t" domain that downloaded programs could run in; they
wouldn't be able to do anything besides use CPU.  I guess you could pop
them up in a terminal with a suitable program doing filtering with a pty,
but I don't see many people emailing exciting tty-based applications to
each other...

From 23e9t5t02 at sneakemail.com  Wed Oct 13 15:20:10 2004
From: 23e9t5t02 at sneakemail.com (Steve Coleman)
Date: Wed, 13 Oct 2004 11:20:10 -0400
Subject: SELinux and the Desktop
In-Reply-To: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net>
References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net>
Message-ID: <27413-38013@sneakemail.com>

Jerry Haltom wasabi-at-larvalstage.net |fedora| wrote:

> USERS DON'T CARE! It doesn't matter that they SHOULDN'T open an
> executable their friend or co-worker sends them, they will anyways. Is
> this so bad?

In a word, yes.  By your own definition they are not security experts,
so they don't know what they are supposed to do and they will gladly
click on any button that they think will show them what they think they
are supposed to see happen.  If the "yes" button does not work then they
will download it again and try the "no" button instead.  Trial and error
is not what SELinux is about.

> The daemon realizes that the action isn't allowed, but that it could
> be allowed if the user consents to it,

My congratulations to this user, as they are now a certified security
officer (lol), so they *must* know which is the best button to click on.
Will that be door number one, ... or door number two?  Or you can trade
it all for ... a ..BRAND.. NEW.. JOB!!  (ding) (ding) (ding).  Oh, sorry,
got carried away for a sec. ;)

Even Pavlov's dog understood the suggestive power of repetition, so if
they clicked "yes" three times in a row last week there is about a 90%
probability they will click the "yes" button today without even reading
the text of the yes/no box.  If you're going to give them a choice then
you are going to have to train them how to be smart about it, or create a
*corporate policy*, but then you already said they will just ignore that.

> In the case of No, the process will probably die. ;0

I also think the desktop should have some smarts built in, but my vote
would be to have the "desktop" send a sigterm to the errant process and
put up a "don't do that!" modal dialog box for which the user has to
acknowledge in order to continue.

Of course I can't ignore the possibility that a user might actually
*need* to run a binary given to them, for which I would propose that it
be 1) "signed" (just warm fuzzy feeling, but not a true protection
methodology) and 2) run in a *real* partitioned Virtual Machine, sandbox
a la VMWare/Plex86/etc. or as near as one can get to that, such as a
chrooted sandbox with a very restrictive SE policy.

This does bring to mind a burning question I have always had regarding
some applications such as Java where the binary itself is too open ended
and whereas the compiled class files, script file, or data dictate what
the runtime will do.  I assume that many desktop environments (take your
pick) will have some form of builtin scripting support.  How does SELinux
deal with these VM's?  Is there any good docs online that discuss the
problems and current solutions that these present?  Do they get their
security context from the script or data streams?

Thanks!

From maverickandrea at gmail.com  Wed Oct 13 16:43:36 2004
From: maverickandrea at gmail.com (Cigliano Andrea)
Date: Wed, 13 Oct 2004 18:43:36 +0200
Subject: (no subject)
Message-ID: <524c9b2a041013094363cd6fea@mail.gmail.com>

Hi,
do u have a sample of trouble shooting exercise in RHCE exam?
Thanks

From maverickandrea at gmail.com  Wed Oct 13 16:45:43 2004
From: maverickandrea at gmail.com (Cigliano Andrea)
Date: Wed, 13 Oct 2004 18:45:43 +0200
Subject: RHCE
In-Reply-To: <524c9b2a041013094363cd6fea@mail.gmail.com>
References: <524c9b2a041013094363cd6fea@mail.gmail.com>
Message-ID: <524c9b2a041013094540779dd6@mail.gmail.com>

Hi,
do u have a sample of trouble shooting exercise in RHCE exam?
Thanks

From sds at epoch.ncsc.mil  Wed Oct 13 17:59:02 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Wed, 13 Oct 2004 13:59:02 -0400
Subject: SELinux and the Desktop
In-Reply-To: <27413-38013@sneakemail.com>
References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com>
Message-ID: <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-10-13 at 11:20, Steve Coleman wrote:
> This does bring to mind a burning question I have always had regarding
> some applications such as Java where the binary itself is too open ended
> and whereas the compiled class files, script file, or data dictate what
> the runtime will do.  I assume that many desktop environments (take your
> pick) will have some form of builtin scripting support.  How does SELinux
> deal with these VM's?  Is there any good docs online that discuss the
> problems and current solutions that these present?  Do they get their
> security context from the script or data streams?

From the program/script.  Transitions can occur on scripts (if they are
exec'd), but the caller domain needs to be trusted with respect to the
new domain (e.g. shedding permissions) in that case due to the lack of
safety in script execution.

Note that SELinux provides the necessary API to support userland policy
enforcers, so a userspace VMM can be modified to use that API to obtain
policy decisions to be applied to its internal abstractions which are
not directly visible to the OS itself.  dbus and X (but unfortunately
not the X in Fedora yet) have been modified to use that API to enforce
policy over their abstractions.  This allows for layered security, with
the OS providing process-level confinement and the higher level object
managers refining that control.

-- 
Stephen Smalley
National Security Agency

From walters at redhat.com  Wed Oct 13 18:33:02 2004
From: walters at redhat.com (Colin Walters)
Date: Wed, 13 Oct 2004 14:33:02 -0400
Subject: SELinux and the Desktop
In-Reply-To: <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil>
References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com> <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1097692382.3347.5.camel@decepticon.boston.redhat.com>

On Wed, 2004-10-13 at 13:59 -0400, Stephen Smalley wrote:
> From the program/script.  Transitions can occur on scripts (if they are
> exec'd), but the caller domain needs to be trusted with respect to the
> new domain (e.g. shedding permissions) in that case due to the lack of
> safety in script execution.

The major threat here is environment variables, right?  I wonder what all
would break if we changed e.g. bash and python to by default clean the
environment before executing the script if it was executed from a domain
transition (they could check in the same way glibc does, right?).

From ram25gwu at gmail.com  Wed Oct 13 18:57:06 2004
From: ram25gwu at gmail.com (Kodungallur Varma)
Date: Wed, 13 Oct 2004 14:57:06 -0400
Subject: SELinux and the Desktop
In-Reply-To: <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil>
References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com> <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

Hi all,

I don't know if this makes any sense but can any one tell me if
we can set up a policy where a user_r has more privileges than the
staff_r (not the sys admin). thanx in advance..
Ram On Wed, 13 Oct 2004 13:59:02 -0400, Stephen Smalley wrote: > On Wed, 2004-10-13 at 11:20, Steve Coleman wrote: > > This does bring to mind a burning question I have always had regarding > > some applications such as Java where the binary itself is too open ended > > and whereas the compiled class files, script file, or data dictate what > > the runtime will do. I assume that many desktop environments (take your > > pick) will have some form of builtin scripting support. How does SELinux > > deal with these VM's? Are there any good docs online that discuss the > > problems and current solutions that these present? Do they get their > > security context from the script or data streams? > > From the program/script. Transitions can occur on scripts (if they are > exec'd), but the caller domain needs to be trusted with respect to the > new domain (e.g. shedding permissions) in that case due to the lack of > safety in script execution. > > Note that SELinux provides the necessary API to support userland policy > enforcers, so a userspace VMM can be modified to use that API to obtain > policy decisions to be applied to its internal abstractions which are > not directly visible to the OS itself. dbus and X (but unfortunately > not the X in Fedora yet) have been modified to use that API to enforce > policy over their abstractions. This allows for layered security, with > the OS providing process-level confinement and the higher level object > managers refining that control. 
> > -- > Stephen Smalley > National Security Agency > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > From sds at epoch.ncsc.mil Wed Oct 13 18:58:58 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Wed, 13 Oct 2004 14:58:58 -0400 Subject: SELinux and the Desktop In-Reply-To: References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com> <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1097693937.32468.443.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2004-10-13 at 14:57, Kodungallur Varma wrote: > I don't know if this makes any sense, but can anyone tell me if > we can set up a policy where user_r has more privileges than > staff_r (not the sysadmin)? Thanks in advance. Why? The current policy is set up so that staff_r is more privileged than user_r (if the user_canbe_sysadm tunable is disabled); otherwise, user_r and staff_r are essentially equivalent. I'd suggest disabling user_canbe_sysadm and optionally adding further permissions to staff_r, not the other way around. -- Stephen Smalley National Security Agency From walters at redhat.com Wed Oct 13 19:10:32 2004 From: walters at redhat.com (Colin Walters) Date: Wed, 13 Oct 2004 15:10:32 -0400 Subject: SELinux and the Desktop In-Reply-To: References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com> <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1097694632.3347.9.camel@decepticon.boston.redhat.com> On Wed, 2004-10-13 at 14:57 -0400, Kodungallur Varma wrote: > Hi all, > > I don't know if this makes any sense, but can anyone tell me if > we can set up a policy where user_r has more privileges than > staff_r (not the sysadmin)? Thanks in advance. You can grant any additional privileges to user_t that you want; just add them in say domains/misc/local.te. 
From sopwith at redhat.com Wed Oct 6 19:51:08 2004 From: sopwith at redhat.com (Elliot Lee) Date: Wed, 6 Oct 2004 15:51:08 -0400 Subject: Fedora Project Mailing Lists reminder Message-ID: This is a reminder of the mailing lists for the Fedora Project, and the purpose of each list. You can view this information at http://fedora.redhat.com/participate/communicate/ When you're using these mailing lists, please take the time to choose the one that is most appropriate to your post. If you don't know the right mailing list to use for a question or discussion, please contact me. This will help you get the best possible answer for your question, and keep other list subscribers happy! Mailing Lists Mailing lists are email addresses which send email to all users subscribed to the mailing list. Sending an email to a mailing list reaches all users interested in discussing a specific topic and users available to help other users with the topic. The following mailing lists are available. To subscribe, send email to <listname>-request at redhat.com (replace <listname> with the desired mailing list name such as fedora-list) with the word subscribe in the subject. fedora-announce-list - Announcements of changes and events. To stay aware of news, subscribe to this list. fedora-list - For users of Fedora Core releases. If you want help with a problem installing or using Fedora Core, this is the list for you. fedora-test-list - For testers of Fedora Core test releases. If you would like to discuss experiences using TEST releases, this is the list for you. fedora-devel-list - For developers, developers, developers. If you are interested in helping create Fedora Core releases, this is the list for you. 
fedora-docs-list - For participants of the docs project fedora-desktop-list - For discussions about desktop issues such as user interfaces, artwork, and usability fedora-config-list - For discussions about the development of configuration tools fedora-legacy-announce - For announcements about the Fedora Legacy Project fedora-legacy-list - For discussions about the Fedora Legacy Project fedora-selinux-list - For discussions about the Fedora SELinux Project fedora-de-list - For discussions about Fedora in the German language fedora-es-list - For discussions about Fedora in the Spanish language fedora-ja-list - For discussions about Fedora in the Japanese language fedora-i18n-list - For discussions about the internationalization of Fedora Core fedora-trans-list - For discussions about translating the software and documentation associated with the Fedora Project German: fedora-trans-de French: fedora-trans-fr Spanish: fedora-trans-es Italian: fedora-trans-it Brazilian Portuguese: fedora-trans-pt_br Japanese: fedora-trans-ja Korean: fedora-trans-ko Simplified Chinese: fedora-trans-zh_cn Traditional Chinese: fedora-trans-zh_tw From degnan78 at yahoo.com Wed Oct 13 22:16:57 2004 From: degnan78 at yahoo.com (Kevin Degnan) Date: Wed, 13 Oct 2004 15:16:57 -0700 (PDT) Subject: SELinux and Auditing of Security-Relevant Files Message-ID: <20041013221657.17114.qmail@web20228.mail.yahoo.com> Hey folks, I just installed Fedora Core 3 Test 3 with SELinux turned on and in the "targeted" mode. My goal is to simply record unsuccessful attempts to access certain files (such as /etc/shadow and almost everything in /var/log). The targeted mode doesn't cover this since it only covers certain daemons, and the strict mode was way too strict for our needs (I had trouble logging in and it spit out tons of "avc: denied" messages). Is there an easy way to configure SELinux (or another tool) to audit these files and record unsuccessful access attempts? 
Thanks, Kevin _______________________________ Do you Yahoo!? Declare Yourself - Register online to vote today! http://vote.yahoo.com From walters at redhat.com Wed Oct 13 22:31:51 2004 From: walters at redhat.com (Colin Walters) Date: Wed, 13 Oct 2004 18:31:51 -0400 Subject: SELinux and Auditing of Security-Relevant Files In-Reply-To: <20041013221657.17114.qmail@web20228.mail.yahoo.com> References: <20041013221657.17114.qmail@web20228.mail.yahoo.com> Message-ID: <1097706711.3347.33.camel@decepticon.boston.redhat.com> On Wed, 2004-10-13 at 15:16 -0700, Kevin Degnan wrote: > an easy way to configure SELinux (or another > tool) to audit these files and record unsuccessful > access attempts? SELinux is only consulted *after* the normal DAC checks. So unless you're willing to give /etc/passwd world-readable DAC permissions, it won't work. However, the new auditing infrastructure may be able to help: http://people.redhat.com/faith/audit/ Maybe Rik or someone else who knows more about it can comment... From tscherf at redhat.com Thu Oct 14 06:53:13 2004 From: tscherf at redhat.com (Thorsten Scherf) Date: Thu, 14 Oct 2004 08:53:13 +0200 Subject: RHCE In-Reply-To: <524c9b2a041013094540779dd6@mail.gmail.com> References: <524c9b2a041013094363cd6fea@mail.gmail.com> <524c9b2a041013094540779dd6@mail.gmail.com> Message-ID: <1097736793.1523.8.camel@tiffy.rhel.homelinux.com> On Wed, 13.10.2004 Cigliano Andrea wrote: > Hi, do you have a sample of a troubleshooting exercise from the RHCE exam? Red Hat exams are confidential. Students who have taken the exam are not allowed to talk about it. Although no mailing list is the right place to ask, this one is surely the wrongest one. cu, thorsten -- Thorsten Scherf GLS Instructor Red Hat GmbH - Global Learning Services Hauptstaetterstr. 
58, D-70178 Stuttgart, Germany Tel: +49-711-96437-500, Fax: +49-711-96437-111 eMail: tscherf at redhat.com GPG-Fingerprint: 92BF AA4C 082B F5DD FB28 47CC C1F9 282D 3B92 80BB From jmorris at redhat.com Thu Oct 14 14:43:33 2004 From: jmorris at redhat.com (James Morris) Date: Thu, 14 Oct 2004 10:43:33 -0400 (EDT) Subject: User policy problem with strict policy Message-ID: I'm using the latest fedora strict policy sources, and have noticed that the generated policy.conf file is lacking generated policy entries for extra users. I added myself to the users file: # sample for regular user user jmorris roles { user_r }; compiled policy: # make policy.conf But the only entry related to the user is the one I added in the users file: # grep jmorris policy.conf user jmorris roles { user_r }; Have I missed a step or is something wrong in the policy compilation process? - James -- James Morris From sds at epoch.ncsc.mil Thu Oct 14 14:55:27 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 14 Oct 2004 10:55:27 -0400 Subject: User policy problem with strict policy In-Reply-To: References: Message-ID: <1097765727.1529.30.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-10-14 at 10:43, James Morris wrote: > # grep jmorris policy.conf > user jmorris roles { user_r }; Did you mean to do: grep '^user' policy.conf For me, with selinux-policy-strict-sources-1.17.3-1, that shows system_u, user_u, root, cyrus and any manually added users. 
-- Stephen Smalley National Security Agency From walters at redhat.com Thu Oct 14 15:06:26 2004 From: walters at redhat.com (Colin Walters) Date: Thu, 14 Oct 2004 11:06:26 -0400 Subject: User policy problem with strict policy In-Reply-To: References: Message-ID: <1097766386.23777.1.camel@decepticon.boston.redhat.com> On Thu, 2004-10-14 at 10:43 -0400, James Morris wrote: > But the only entry related to the user is the one I added in the users > file: > > # grep jmorris policy.conf > user jmorris roles { user_r }; > > > Have I missed a step or is something wrong in the policy compilation > process? It's been that way as long as I can remember; you also need to do: full_user_role(jmorris) From sds at epoch.ncsc.mil Thu Oct 14 15:07:26 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 14 Oct 2004 11:07:26 -0400 Subject: User policy problem with strict policy In-Reply-To: <1097766386.23777.1.camel@decepticon.boston.redhat.com> References: <1097766386.23777.1.camel@decepticon.boston.redhat.com> Message-ID: <1097766446.1529.34.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-10-14 at 11:06, Colin Walters wrote: > It's been that way as long as I can remember; you also need to do: > full_user_role(jmorris) That would define a separate role/domain for jmorris. Is that what he wants? -- Stephen Smalley National Security Agency From jmorris at redhat.com Thu Oct 14 15:13:09 2004 From: jmorris at redhat.com (James Morris) Date: Thu, 14 Oct 2004 11:13:09 -0400 (EDT) Subject: User policy problem with strict policy In-Reply-To: <1097766386.23777.1.camel@decepticon.boston.redhat.com> Message-ID: On Thu, 14 Oct 2004, Colin Walters wrote: > It's been that way as long as I can remember; you also need to do: > full_user_role(jmorris) Thanks, that worked, but I can't recall doing it before. 
- James -- James Morris From sds at epoch.ncsc.mil Thu Oct 14 15:15:00 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 14 Oct 2004 11:15:00 -0400 Subject: User policy problem with strict policy In-Reply-To: References: Message-ID: <1097766900.1529.37.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-10-14 at 11:13, James Morris wrote: > On Thu, 14 Oct 2004, Colin Walters wrote: > > > It's been that way as long as I can remember; you also need to do: > > full_user_role(jmorris) > > Thanks, that worked, but I can't recall doing it before. That only makes sense if you are going to do: user jmorris roles jmorris_r; role jmorris_r types jmorris_t; Otherwise, full_user_role(jmorris) is just going to define some types and rules that aren't ever going to be useable. But why do you want a per-user role/domain? -- Stephen Smalley National Security Agency From jmorris at redhat.com Thu Oct 14 15:19:50 2004 From: jmorris at redhat.com (James Morris) Date: Thu, 14 Oct 2004 11:19:50 -0400 (EDT) Subject: User policy problem with strict policy In-Reply-To: <1097766446.1529.34.camel@moss-spartans.epoch.ncsc.mil> Message-ID: On Thu, 14 Oct 2004, Stephen Smalley wrote: > On Thu, 2004-10-14 at 11:06, Colin Walters wrote: > > It's been that way as long as I can remember; you also need to do: > > full_user_role(jmorris) > > That would define a separate role/domain for jmorris. Is that what he > wants? Yes. 
- James -- James Morris From sds at epoch.ncsc.mil Thu Oct 14 15:28:20 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 14 Oct 2004 11:28:20 -0400 Subject: User policy problem with strict policy In-Reply-To: <1097766900.1529.37.camel@moss-spartans.epoch.ncsc.mil> References: <1097766900.1529.37.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1097767700.1529.49.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-10-14 at 11:15, Stephen Smalley wrote: > That only makes sense if you are going to do: > user jmorris roles jmorris_r; > role jmorris_r types jmorris_t; Also, if you want to be able to transition from user_r to this role, e.g. via newrole or su, you likely need: role_tty_type_change(user,jmorris) -- Stephen Smalley National Security Agency From fenlason at redhat.com Thu Oct 14 15:36:54 2004 From: fenlason at redhat.com (Jay Fenlason) Date: Thu, 14 Oct 2004 11:36:54 -0400 Subject: Try my experimental rsync with xattr support Message-ID: <20041014153654.GA28678@redhat.com> I've written a patch to rsync that adds support for transferring posix extended attributes. I've put the srpm and an i386 binary rpm at http://people.redhat.com/fenlason/rsync/rsync-2.6.3-2.{src,i386}.rpm These rpms also contain the acl patch. To enable the transfer of extended attributes you need to use the new -X option. Naturally, both the client and server rsyncs must include the extended attribute patch if you use -X. Please try this rpm out, and report whether it works or not. After I get some feedback I'll be sending the patch (or its successor) to the upstream rsync maintainer. 
-- JF From sds at epoch.ncsc.mil Thu Oct 14 15:50:57 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 14 Oct 2004 11:50:57 -0400 Subject: Try my experimental rsync with xattr support In-Reply-To: <20041014153654.GA28678@redhat.com> References: <20041014153654.GA28678@redhat.com> Message-ID: <1097769057.1529.52.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-10-14 at 11:36, Jay Fenlason wrote: > I've written a patch to rsync that adds support for transferring posix > extended attributes. I've put the srpm and an i386 binary rpm at > http://people.redhat.com/fenlason/rsync/rsync-2.6.3-2.{src,i386}.rpm > These rpms also contain the acl patch. > > To enable the transfer of extended attributes you need to use the new > -X option. Naturally, both the client and server rsyncs must include > the extended attribute patch if you use -X. > > Please try this rpm out, and report whether it works or not. After I > get some feedback I'll be sending the patch (or its successor) to the > upstream rsync maintainer. Nice, thanks. Trivial test of rsync -aX -e ssh /etc host:/tmp correctly reproduced the SELinux attributes on the /tmp/etc tree on the target host. -- Stephen Smalley National Security Agency From jmorris at redhat.com Thu Oct 14 16:02:13 2004 From: jmorris at redhat.com (James Morris) Date: Thu, 14 Oct 2004 12:02:13 -0400 (EDT) Subject: User policy problem with strict policy In-Reply-To: <1097766900.1529.37.camel@moss-spartans.epoch.ncsc.mil> Message-ID: On Thu, 14 Oct 2004, Stephen Smalley wrote: > On Thu, 2004-10-14 at 11:13, James Morris wrote: > > On Thu, 14 Oct 2004, Colin Walters wrote: > > > > > It's been that way as long as I can remember; you also need to do: > > > full_user_role(jmorris) > > > > Thanks, that worked, but I can't recall doing it before. 
> > That only makes sense if you are going to do: > user jmorris roles jmorris_r; > role jmorris_r types jmorris_t; > > Otherwise, full_user_role(jmorris) is just going to define some types > and rules that aren't ever going to be useable. > > But why do you want a per-user role/domain? I don't know, I just wanted to restore what I thought was normal behavior. So even in strict policy now, all normal users are user_u:user_r:user_t ? - James -- James Morris From walters at redhat.com Thu Oct 14 16:12:32 2004 From: walters at redhat.com (Colin Walters) Date: Thu, 14 Oct 2004 12:12:32 -0400 Subject: Try my experimental rsync with xattr support In-Reply-To: <20041014153654.GA28678@redhat.com> References: <20041014153654.GA28678@redhat.com> Message-ID: <1097770352.23777.2.camel@decepticon.boston.redhat.com> On Thu, 2004-10-14 at 11:36 -0400, Jay Fenlason wrote: > I've written a patch to rsync that adds support for transferring posix > extended attributes. Wooo! You rock! I'll try this today. From sds at epoch.ncsc.mil Thu Oct 14 16:18:29 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 14 Oct 2004 12:18:29 -0400 Subject: User policy problem with strict policy In-Reply-To: References: Message-ID: <1097770709.1529.67.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-10-14 at 12:02, James Morris wrote: > I don't know, I just wanted to restore what I thought was normal behavior. Separate roles per user were never part of the example policy. It is true that common practice prior to and outside of the Fedora SELinux implementation is to at least maintain separate entries in policy/users for users authorized for staff_r and sysadm_r, and optionally to maintain separate entries for users authorized for user_r to provide stronger user accountability even though they had the same permissions. > So even in strict policy now, all normal users are user_u:user_r:user_t ? That's the default. 
You can disable user_canbe_sysadm and explicitly authorize users for staff_r/sysadm_r/system_r for better security. Then, user_r users cannot use su/sudo/userhelper to gain privileges, and access to sysadm_r is entirely governed by policy. That doesn't require creating separate roles per user. But the lack of integration of existing user databases and tools with the SELinux users database makes it difficult to disable user_canbe_sysadm by default. -- Stephen Smalley National Security Agency From ram25gwu at gmail.com Thu Oct 14 17:21:42 2004 From: ram25gwu at gmail.com (Kodungallur Varma) Date: Thu, 14 Oct 2004 13:21:42 -0400 Subject: Try my experimental rsync with xattr support In-Reply-To: <1097770352.23777.2.camel@decepticon.boston.redhat.com> References: <20041014153654.GA28678@redhat.com> <1097770352.23777.2.camel@decepticon.boston.redhat.com> Message-ID: Hi all, when I "make load" a new policy I have the following sequence in the console.. ------------------------------------------------- [root at sun policy]# make load mkdir -p /etc/security/selinux /usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf /usr/bin/checkpolicy: loading policy configuration from policy.conf security: 5 users, 7 roles, 1244 types, 1 bools security: 30 classes, 303377 rules /usr/bin/checkpolicy: policy configuration loaded /usr/bin/checkpolicy: writing binary representation (version 17) to /etc/security/selinux/policy.17 /usr/bin/checkpolicy -c 15 -o /etc/security/selinux/policy.15 policy.conf /usr/bin/checkpolicy: loading policy configuration from policy.conf security: 5 users, 7 roles, 1244 types, 1 bools security: 30 classes, 303377 rules /usr/bin/checkpolicy: policy configuration loaded /usr/bin/checkpolicy: writing binary representation (version 15) to /etc/security/selinux/policy.15 warning: discarding booleans and conditional rules /usr/bin/checkpolicy -c 16 -o /etc/security/selinux/policy.16 policy.conf /usr/bin/checkpolicy: loading policy configuration from 
policy.conf security: 5 users, 7 roles, 1244 types, 1 bools security: 30 classes, 303377 rules /usr/bin/checkpolicy: policy configuration loaded /usr/bin/checkpolicy: writing binary representation (version 16) to /etc/security/selinux/policy.16 /usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers` Can't open '/etc/security/selinux/policy.18': No such file or directory make: *** [tmp/load] Error 2 ---------------------------------------------------- The last two lines... why is it trying to open policy.18? I don't even have it, and in the last line it says error. Is there some way to fix it? Thanks a lot. Ram On Thu, 14 Oct 2004 12:12:32 -0400, Colin Walters wrote: > On Thu, 2004-10-14 at 11:36 -0400, Jay Fenlason wrote: > > I've written a patch to rsync that adds support for transferring posix > > extended attributes. > > Wooo! You rock! I'll try this today. > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > From sds at epoch.ncsc.mil Thu Oct 14 17:47:32 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 14 Oct 2004 13:47:32 -0400 Subject: Try my experimental rsync with xattr support In-Reply-To: References: <20041014153654.GA28678@redhat.com> <1097770352.23777.2.camel@decepticon.boston.redhat.com> Message-ID: <1097776052.1529.95.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-10-14 at 13:21, Kodungallur Varma wrote: > when I "make load" a new policy I have the following sequence > in the console.. > /usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers` > Can't open '/etc/security/selinux/policy.18': No such file or directory > make: *** [tmp/load] Error 2 > ---------------------------------------------------- > The last two lines... why is it trying to open policy.18? I don't even > have it, and in the last line it says error. Is there some way to fix > it? Thanks a lot. 
Are you using Fedora Core 2 with an updated kernel? SELinux support was broken in Fedora Core 2 by a couple of kernel updates due to a lack of any coordinated update to policy and related tools; complain in bugzilla to RedHat. Two different changes occurred in the kernel, I think; new initial SID for re-opening closed descriptors to /dev/null, and new policy version for fine-grained netlink classes. You can workaround the immediate problem by editing your policy Makefile and replacing: $(LOADPOLICY) $(POLICYPATH)/policy.`cat /selinux/policyvers` with: $(LOADPOLICY) $(LOADPATH) But I'd recommend installing Fedora Core 3 / test3 instead, then switch to strict policy via system-config-securitylevel and reboot if you want the strict policy (vs. the default in FC3, the targeted policy). FC2 SELinux support seems to be unmaintained, AFAICS. -- Stephen Smalley National Security Agency From 23e9t5t02 at sneakemail.com Thu Oct 14 17:56:57 2004 From: 23e9t5t02 at sneakemail.com (Steve Coleman) Date: Thu, 14 Oct 2004 13:56:57 -0400 Subject: SELinux and the Desktop In-Reply-To: <1097692382.3347.5.camel@decepticon.boston.redhat.com> References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com> <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil> <1097692382.3347.5.camel@decepticon.boston.redhat.com> Message-ID: <10988-97110@sneakemail.com> Colin Walters walters-at-redhat.com |fedora| wrote: >The major threat here is environment variables, right? > That one is a minor issue in my book, but certainly worth trying to enforce in some way. >I wonder what all >would break if we by changed e.g. bash and python to by default clean >the environment before executing the script if it was executed from a >domain transition > Could be a lot. If you sanitize classpath or PERL5LIB a lot could break, but if you don't you might not be running what you think you are, which leads back to what I was inquiring about. 
So just to clarify, what's the difference between a user running a script file that does exec "java ./MyClass.class" and a stack overrun causing a browser with a smashed stack to save a MyBackdoor.class to the local file system and execing "java ./MyBackdoor.class -irc blackhathosting.org" ? In both cases it's the same user, and in both cases it's the same java VM binary. The java binary is likely the only process that knows enough to enforce anything here based on when, what, and where things are run by the user. The browser may try to limit what permissions are passed to the exec call but with a smashed stack overrun can you trust it to? Not me, at least not yet. This looks to me like the java VM needs to be hacked with the SELinux API in order to have any confidence in it, but in some ways that duplicates the java security manager's role in life. Perhaps we just need a specialized Java security manager, perhaps much more. Dunno. But it's a common issue with desktop actions and shells, as well as Perl, Python, Ruby, just pick your poison... I guess what I was looking for was a philosophy for how to handle this nebulous issue. The more likely answer is each has its own issues and must be dealt with separately in its own special way and must be changed to deal with SE. I am hoping for a better option as there is much in SE I don't know yet and I do want to understand it in great detail some way down the road. Thanks. 
From sds at epoch.ncsc.mil Thu Oct 14 18:27:23 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 14 Oct 2004 14:27:23 -0400 Subject: SELinux and the Desktop In-Reply-To: <10988-97110@sneakemail.com> References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com> <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil> <1097692382.3347.5.camel@decepticon.boston.redhat.com> <10988-97110@sneakemail.com> Message-ID: <1097778442.1529.125.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-10-14 at 13:56, Steve Coleman wrote: > Colin Walters walters-at-redhat.com |fedora| wrote: > >The major threat here is environment variables, right? Hmm...didn't get Colin's original message, but I saw this reply. Anyway, if the question is about domain transitions on scripts, then there is a fundamental race condition on script execution. Think: kernel looks up script file and reads header, kernel invokes interpreter with script file path as argument, interpreter looks up script file. Caller can run arbitrary code in the new domain. -- Stephen Smalley National Security Agency From sds at epoch.ncsc.mil Thu Oct 14 18:35:39 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 14 Oct 2004 14:35:39 -0400 Subject: SELinux and the Desktop In-Reply-To: <10988-97110@sneakemail.com> References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com> <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil> <1097692382.3347.5.camel@decepticon.boston.redhat.com> <10988-97110@sneakemail.com> Message-ID: <1097778939.1529.134.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-10-14 at 13:56, Steve Coleman wrote: > So just to clarify, whats the difference between a user running a script > file that does exec "java ./MyClass.class" and a stack overrun causing a > browser with a smashed stack to save a MyBackdoor.class to the local > file system and execing "java ./MyBackdoor.class -irc > blackhathosting.org" ? 
Calling context. User is initially in a given domain (e.g. user_t), runs script file that may or may not transition depending on policy. Browser runs in a different domain (e.g. user_mozilla_t) that has a subset of user_t's permissions. Further, files writable by browser domain are not executable by user directly without explicit relabel by user. (Note: I don't know if that is still true in the present Fedora policy, but certainly possible to configure it that way). > In both cases its the same user, and in both cases its the same java VM > binary. SELinux can capture the entire call chain (via execve, not function calls here) if desired, e.g. distinguishing here on the browser, although you typically only encode new domains where you cross a trust boundary. > The java binary is likely the only process that knows enought to > enforce anything here based on when, what, and where things are run by > the user. SELinux can enforce a coarse-grained policy over the maximum access granted to the process. But I agree that the VMM ultimately needs some awareness of security to refine that policy to deal with the finer-grained internal abstractions it manages. Nonetheless, you don't want to rely entirely on the VMM's enforcement, as it may be subverted itself. 
-- Stephen Smalley National Security Agency From walters at redhat.com Thu Oct 14 18:51:47 2004 From: walters at redhat.com (Colin Walters) Date: Thu, 14 Oct 2004 14:51:47 -0400 Subject: SELinux and the Desktop In-Reply-To: <1097778442.1529.125.camel@moss-spartans.epoch.ncsc.mil> References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com> <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil> <1097692382.3347.5.camel@decepticon.boston.redhat.com> <10988-97110@sneakemail.com> <1097778442.1529.125.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1097779907.23777.22.camel@decepticon.boston.redhat.com> On Thu, 2004-10-14 at 14:27 -0400, Stephen Smalley wrote: > On Thu, 2004-10-14 at 13:56, Steve Coleman wrote: > > Colin Walters walters-at-redhat.com |fedora| wrote: > > > >The major threat here is environment variables, right? > > Hmm...didn't get Colin's original message, but I saw this reply. > Anyway, if the question is about domain transitions on scripts, then > there is a fundamental race condition on script execution. Think: > kernel looks up script file and reads header, kernel invokes interpreter > with script file path as argument, interpreter looks up script file. > Caller can run arbitrary code in the new domain. Well, this is only a threat in the case where the caller can do an unlink in the directory that the script is in, correct? I can see that's a fundamental problem, but personally I'm more interested in trying to for example give someone the ability to run /etc/init.d/* in a secure manner. Say we define a type like 'daemon_admin_t' that has permissions to transition to initrc_t; perhaps we'd need to label certain files in /etc/init.d/ instead of allowing general access to initrc_t. Right now though if you tried to do that a malicious attacker could set many environment variables like PATH or IFS which shell scripts would pick up. Cleaning the environment would close that hole. 
From sds at epoch.ncsc.mil Thu Oct 14 19:01:21 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 14 Oct 2004 15:01:21 -0400 Subject: SELinux and the Desktop In-Reply-To: <1097779907.23777.22.camel@decepticon.boston.redhat.com> References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com> <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil> <1097692382.3347.5.camel@decepticon.boston.redhat.com> <10988-97110@sneakemail.com> <1097778442.1529.125.camel@moss-spartans.epoch.ncsc.mil> <1097779907.23777.22.camel@decepticon.boston.redhat.com> Message-ID: <1097780481.1529.162.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-10-14 at 14:51, Colin Walters wrote: > Well, this is only a threat in the case where the caller can do an > unlink in the directory that the script is in, correct? No, because the kernel just passes through the path as provided; it doesn't canonicalize it. So you can use a symlink or hard link in your home directory to the real script, then rewrite that path to refer to something else. > Right now though if you tried to do that a malicious attacker > could set many environment variables like PATH or IFS which shell > scripts would pick up. Cleaning the environment would close that hole. SELinux does enable glibc secure mode upon a domain transition, and glibc does sanitize certain environment variables in that case. So you could possibly add further variables to the list used by glibc to help protect scripts. But that won't resolve the race. I think that Solaris addressed the race by having the kernel open the script file and provide the descriptor to the interpreter, much as Linux already does for the ELF interpreter. Problem with that solution is that userspace expects a path, not a fd, so I think Solaris passes /dev/fd/n as the path. That would seem to almost work, except that /dev/fd/n -> /proc/self/fd/n on Linux becomes inaccessible upon setuid/setgid execution to avoid an information leak. 
--
Stephen Smalley
National Security Agency

From pnasrat at redhat.com Thu Oct 14 21:39:26 2004
From: pnasrat at redhat.com (Paul Nasrat)
Date: Thu, 14 Oct 2004 22:39:26 +0100
Subject: Try my experimental rsync with xattr support
In-Reply-To: <20041014153654.GA28678@redhat.com>
References: <20041014153654.GA28678@redhat.com>
Message-ID: <1097789966.4039.20.camel@anu.eridu>

On Thu, 2004-10-14 at 11:36 -0400, Jay Fenlason wrote:
> I've written a patch to rsync that adds support for transferring posix
> extended attributes. I've put the srpm and an i386 binary rpm at
> http://people.redhat.com/fenlason/rsync/rsync-2.6.3-2.{src,i386}.rpm
> These rpms also contain the acl patch.

Cool, will play.

On a related but tangential note - is the (solaris) man 5 fsattr description of cpio + xattr sufficient for an implementation, assuming it doesn't break SUS, etc: http://bama.ua.edu/cgi-bin/man-cgi?fsattr+5

Could be an alternate way of bundling xattrs in rpm.

Paul

From walters at redhat.com Thu Oct 14 22:02:39 2004
From: walters at redhat.com (Colin Walters)
Date: Thu, 14 Oct 2004 18:02:39 -0400
Subject: Try my experimental rsync with xattr support
In-Reply-To: <20041014153654.GA28678@redhat.com>
References: <20041014153654.GA28678@redhat.com>
Message-ID: <1097791359.3321.14.camel@decepticon.boston.redhat.com>

On Thu, 2004-10-14 at 11:36 -0400, Jay Fenlason wrote:
> I've written a patch to rsync that adds support for transferring posix
> extended attributes. I've put the srpm and an i386 binary rpm at
> http://people.redhat.com/fenlason/rsync/rsync-2.6.3-2.{src,i386}.rpm
> These rpms also contain the acl patch.

This works for me too. Nice!

One note though - we will want to extend the patch at some point to make it use setfscreatecon for security.selinux attributes to avoid a race condition where permissions could be wider than necessary.

> To enable the transfer of extended attributes you need to use the new
> -X option.

I wonder - is there a reason not to make -a imply -XA?
From mr700 at mr700.cjb.net Thu Oct 14 23:32:51 2004
From: mr700 at mr700.cjb.net (Doncho N. Gunchev)
Date: Fri, 15 Oct 2004 02:32:51 +0300
Subject: Try my experimental rsync with xattr support
In-Reply-To: <1097791359.3321.14.camel@decepticon.boston.redhat.com>
References: <20041014153654.GA28678@redhat.com> <1097791359.3321.14.camel@decepticon.boston.redhat.com>
Message-ID: <200410150232.52243@-mr700>

On 2004-10-15 (Friday) 01:02, Colin Walters wrote:
> I wonder - is there a reason not to make -a imply -XA?

Why not -X and --XA? -XA should be -X -A based on how rsync handles all other short and long options I think. (rsync -av --rsh="ssh -l ssh-user" ...)

--
Regards,
Doncho N. Gunchev
Registered Linux User #291323 at counter.li.org
GPG-Key-ID: 1024D/DA454F79 http://pgp.mit.edu
Key fingerprint = 684F 688B C508 C609 0371 5E0F A089 CB15 DA45 4F79

From rhally at mindspring.com Fri Oct 15 07:16:37 2004
From: rhally at mindspring.com (Richard Hally)
Date: Fri, 15 Oct 2004 03:16:37 -0400
Subject: prelink and yum conflict
In-Reply-To: <4c4ba153041012080320a86633@mail.gmail.com>
References: <4c4ba1530410080908a02a768@mail.gmail.com> <1097252045.16641.150.camel@moss-spartans.epoch.ncsc.mil> <200410111634.12567.russell@coker.com.au> <1097585847.29271.98.camel@moss-spartans.epoch.ncsc.mil> <416BDBB9.1090309@nc.rr.com> <416BE433.3080302@nc.rr.com> <1097590260.29271.145.camel@moss-spartans.epoch.ncsc.mil> <416BEDD0.6050301@nc.rr.com> <4c4ba153041012080320a86633@mail.gmail.com>
Message-ID: <416F7955.7010205@mindspring.com>

Tom London wrote:
> Sorry to belabor this....but running strict/enforcing,
> here is a subset of the messages from 'yum update'
> of today's Rawhide:
>
> gnome-vfs2 100 % done 3/161
> /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
> error: %post(gnome-vfs2-2.8.2-1.i386) scriptlet failed, exit status 1
> gail 100 % done 4/161
> mozilla-nspr 100 % done 5/161
> error: %post(mozilla-nspr-1.7.3-13.i386) scriptlet failed, exit status 1
> eel2 100 % done 6/161
> rpm-libs 100 % done 7/161
> ImageMagick 100 % done 8/161
> grep 100 % done 9/161
> pam 100 % done 10/161
> /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
> mozilla-nss 100 % done 11/161
> error: %post(mozilla-nss-1.7.3-13.i386) scriptlet failed, exit status 1
> mozilla 100 % done 12/161
> sane-backends 100 % done 13/161
> rpm 100 % done 14/161
> /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
> cups-libs 100 % done 15/161
> libuser 100 % done 16/161
> /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
> error: %post(libuser-0.52.5-1.i386) scriptlet failed, exit status 1
> ImageMagick-c++ 100 % done 17/161
> nautilus 100 % done 78/161
> /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
> nautilus-cd-burner 100 % done 79/161
> /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
> control-center 100 % done 80/161
> /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Permission denied
>
> rpm -V of the above packages is non-eventful, except for libuser:
> .......T. c /etc/libuser.conf
> ..5....T. /usr/bin/lchfn
> ..5....T. /usr/bin/lchsh
> ..5....T. /usr/lib/libuser.so.1.1.1
> ..5....T. /usr/lib/libuser/libuser_files.so
> ..5....T. /usr/lib/libuser/libuser_ldap.so
> ..5....T. /usr/lib/libuser/libuser_shadow.so
> S.5....T. /usr/lib/python2.3/site-packages/libusermodule.so
> ..5....T. /usr/sbin/lchage
> ..5....T. /usr/sbin/lgroupadd
> ..5....T. /usr/sbin/lgroupdel
> ..5....T. /usr/sbin/lgroupmod
> ..5....T. /usr/sbin/lid
> ..5....T. /usr/sbin/lnewusers
> ..5....T. /usr/sbin/lpasswd
> ..5....T. /usr/sbin/luseradd
> ..5....T. /usr/sbin/luserdel
> ..5....T. /usr/sbin/lusermod
> .......T. /usr/share/locale/ar/LC_MESSAGES/libuser.mo
> <<>>
>
> Is this safe to ignore? Should I reinstall offending packages
> running in permissive mode? Other?
>
> tom

Is there a bugzilla for this problem? It appears that all these rpm %post scriptlet failures are making a mess of the systems that try to update with SELinux and strict policy. Also, since yum is no longer producing a log file it is hard to determine which packages have been affected.

Richard Hally

From jsingh at ensim.com Fri Oct 15 11:06:18 2004
From: jsingh at ensim.com (Jaspreet Singh)
Date: Fri, 15 Oct 2004 16:36:18 +0530
Subject: Kernel Panic on upgrading libselinux
Message-ID: <1097838377.2552.8.camel@jsingh.india.ensim.com>

Hi,

I wanted to write my own security policies so I upgraded to the packages shipped with FC3 (libselinux, policy-targeted, policycoreutils, SysVinit and checkpolicy).

When I tried to reboot (to 2.6.5-1.358, the default with FC2) with SELINUX=enforcing and SELINUXTYPE=targeted, it says:

kernel panic ... No policy loaded

I tried booting to kernel 2.6.8-1.386; it booted fine. Then I also tried to run "fixfiles relabel" and rebooted: same problem.

Also, booting with SELINUX=permissive gives the following error on "ls -Z":

Option only possible with selinux enabled kernels

Any clues?

Jaspreet :-(

From sds at epoch.ncsc.mil Fri Oct 15 12:51:20 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 15 Oct 2004 08:51:20 -0400
Subject: Kernel Panic on upgrading libselinux
In-Reply-To: <1097838377.2552.8.camel@jsingh.india.ensim.com>
References: <1097838377.2552.8.camel@jsingh.india.ensim.com>
Message-ID: <1097844679.5277.16.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-10-15 at 07:06, Jaspreet Singh wrote:
> When i tried to reboot (to 2.6.5-1.358 default with FC2) with
> SELINUX=enforcing and SELINUXTYPE=targeted .. it says -
>
> kernel panic ...
> No policy loaded ?????????
>
> i tried booting to kernel 2.6.8-1.386 .. it booted fine ...

Why do you want to boot the old kernel?
In any event, the FC3 policy packages only build the latest policy version (since all FC3 kernels understand that version), whereas the original FC2 kernel used an older policy version. But the latest FC2 update kernels should also accept the new policy version.

--
Stephen Smalley
National Security Agency

From russell at coker.com.au Sat Oct 16 09:44:01 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 16 Oct 2004 19:44:01 +1000
Subject: udev strangeness with latest rawhide
Message-ID: <200410161944.02096.russell@coker.com.au>

Running the latest rawhide I get AVC messages indicating that /bin/udev (not /sbin/udev) is running in kernel_t during the early stages of system boot. /bin/udev is the file name used in the initrd!

So it seems that after the SE Linux policy is loaded (i.e. after /sbin/init has been run from the main root fs) there is still a copy of udev from the initrd being run. This seems to be a bug in initrd that could lead to inconsistent behaviour.

I'm not sure how this comes about (and of course apart from SE Linux messages in the kernel message log all the evidence is gone by the time the system is ready to login).

Any suggestions on how to debug this?

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

From jsingh at ensim.com Sat Oct 16 13:22:13 2004
From: jsingh at ensim.com (Jaspreet Singh)
Date: Sat, 16 Oct 2004 18:52:13 +0530
Subject: writing rules to disallow a domain to read particular files
Message-ID: <1097932933.7090.18.camel@jsingh.india.ensim.com>

Hi,

Can someone help me with writing policy rules such that a domain (say apache_d) cannot access files beyond a directory /home/jaspreet/?

Any clues?
Jaspreet

From Valdis.Kletnieks at vt.edu Thu Oct 14 15:15:57 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 14 Oct 2004 11:15:57 -0400
Subject: SELinux and the Desktop
In-Reply-To: Your message of "Wed, 13 Oct 2004 13:59:02 EDT." <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil>
References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com> <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200410141515.i9EFFvtQ028021@turing-police.cc.vt.edu>

On Wed, 13 Oct 2004 13:59:02 EDT, Stephen Smalley said:
> not directly visible to the OS itself. dbus and X (but unfortunately
> not the X in Fedora yet) have been modified to use that API to enforce
> policy over their abstractions.

Where might one find a patch for this that has a snowball's chance of working on an xorg X source tree?

From alex at darkhonor.com Sat Oct 16 13:56:41 2004
From: alex at darkhonor.com (Alex Ackerman)
Date: Sat, 16 Oct 2004 09:56:41 -0400
Subject: SELinux Testing Software/Scripts
Message-ID:

This may sound like an odd request, but I am currently working on my master's thesis on the topic of SELinux integration into the workplace. Part of the analysis involves testing the security containment capabilities of SELinux; i.e., making sure that SELinux functions as advertised when dealing with events of escalating privilege. Does anyone on this list have any recommendations on scripts or programs which can test these capabilities? My test platforms are Fedora Core 3 (once released) and Red Hat Enterprise Linux v4.0 Beta 1. My current thinking would be to downgrade certain packages (httpd, etc) to a known vulnerable state and test, but would like to know how the members on the list test their systems. Any help would be appreciated.
I can be reached at ackermal at jmu dot edu or alex at darkhonor dot com if you would like to discuss this off-list. Thank you for any assistance.

Alex Ackerman
James Madison University

From dwalsh at redhat.com Sat Oct 16 14:41:06 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 16 Oct 2004 10:41:06 -0400
Subject: SELinux Testing Software/Scripts
In-Reply-To:
References:
Message-ID: <41713302.5080301@redhat.com>

Alex Ackerman wrote:
> This may sound like an odd request, but I am currently working on my
> master's thesis on the topic of SELinux integration into the
> workplace. Part of the analysis involves testing the security
> containment capabilities of SELinux; i.e., making sure that SELinux
> functions as advertised when dealing with events of escalating
> privilege. Does anyone on this list have any recommendations on
> scripts or programs which can test these capabilities? My test
> platforms are Fedora Core 3 (once released) and Red Hat Enterprise
> Linux v4.0 Beta 1. My current thinking would be to downgrade certain
> packages (httpd, etc) to a known vulnerable state and test, but would
> like to know how the members on the list test their systems. Any help
> would be appreciated. I can be reached at ackermal at jmu dot edu or
> alex at darkhonor dot com if you would like to discuss this off-list.
> Thank you for any assistance.
>
> Alex Ackerman
>
> James Madison University

I don't have any test scripts but I think rolling back the packages to one with a known vulnerability would work, but since one goal of a hacker is to get a root shell, you could use runcon with a shell script to simulate what would happen if a hacker was successful.
runcon -t httpd_t /bin/sh

Of course I can only get this to work in permissive mode. Setting it to enforcing kills the shell since it can not access the tty. Also get an error "execvp: Permission denied" in enforcing.

Dan

From linux_4ever at yahoo.com Sat Oct 16 14:55:09 2004
From: linux_4ever at yahoo.com (Steve G)
Date: Sat, 16 Oct 2004 07:55:09 -0700 (PDT)
Subject: SELinux Testing Software/Scripts
In-Reply-To:
Message-ID: <20041016145509.77843.qmail@web50608.mail.yahoo.com>

Hi,

This is kind of a difficult question to answer. First, do you want to verify the rules for a given daemon/user/resource are enforced? Or do you want to verify that the rules, as given, are correct?

If you want to verify enforcement, I think the way to go for a definitive test is to write a brute force suite that tries all enforced system calls/access all resources, etc and catalogs the ones that succeed and then compares with the rules. I have seen brute forcers for Linux capabilities and I'm sure people interested in probing SE Linux for weakness will try the exact same thing.

As for verifying the rules are correct, that's more difficult. I'm sure it will involve compiling sources & libraries statically (or resolving all library function calls), using nm to pick out system calls. Access of resources might be trickier if it builds the name dynamically or takes it from the command line. I'm sure there's more to it than this.

Both of the above are issues that I am interested in figuring out. These tools may already exist, too. I haven't really looked.

-Steve Grubb
From lkcl at lkcl.net Sat Oct 16 18:04:14 2004
From: lkcl at lkcl.net (Luke Kenneth Casson Leighton)
Date: Sat, 16 Oct 2004 19:04:14 +0100
Subject: SELinux Testing Software/Scripts
In-Reply-To:
References:
Message-ID: <20041016180414.GB19398@lkcl.net>

On Sat, Oct 16, 2004 at 09:56:41AM -0400, Alex Ackerman wrote:
> capabilities of SELinux; i.e., making sure that SELinux functions as
> advertised when dealing with events of escalating privilege.

just a comment [other than privilege means private law]:

as i understand it, there is no "escalation" present in SE/Linux, only that assigned in the minds of us humans.

a good analogy for the way that SE/Linux works is door-cards and guards.

outside a building, you are given a door-card by a guard: depending on whether you are on a list, your door-card will now give you access a) to an entry point into the building b) the right to go through certain doors inside that building.

at _some_ doors inside the building, there will be another guard. if you attempt to go through a door (assuming your card allows you to do that), the guard will, depending on whether you are on a list, TAKE AWAY your present card and GIVE YOU A TOTALLY DIFFERENT ONE.

that card might, or might not, give you the right to go back through the door you have just gone through (!).

so, you can enter the university building, use your card to get into the lecture theatre, but your card is taken away from you when you enter the lecture theatre, and the card you are given only allows you to go to the toilet or to the exit out the building.

in this "world", there is no "escalation" as such. certain rooms are only allowed to be accessed by certain people who have certain cards: you can only get to a certain place via a specific route if you are the right person.

that's a bit different from "escalating privilege" because that implies hierarchy, which SE/Linux doesn't have, per-se.

l.

p.s.
if this analogy sounds a bit weird, to help you tie it into selinux, the guards swapping cards at doors is managed by "domain_auto_trans".

From lkcl at lkcl.net Sun Oct 17 14:04:20 2004
From: lkcl at lkcl.net (Luke Kenneth Casson Leighton)
Date: Sun, 17 Oct 2004 15:04:20 +0100
Subject: SELinux Testing Software/Scripts
In-Reply-To: <1097974915.21919.5.camel@wintermute.xmldesign.de>
References: <20041016180414.GB19398@lkcl.net> <1097974915.21919.5.camel@wintermute.xmldesign.de>
Message-ID: <20041017140420.GE19398@lkcl.net>

On Sun, Oct 17, 2004 at 03:01:54AM +0200, Erich Schubert wrote:
> Hi,
>
> > as i understand it, there is no "escalation" present in SE/Linux,
> > only that assigned in the minds of us humans.
> [...]
> > that's a bit different from "escalating privilege" because that implies
> > hierarchy, which SE/Linux doesn't have, per-se.
>
> As long as you have roles with certain higher privileges (for example
> writing to configuration files, binding to arbitrary ports, loading a
> new policy...) there is privilege escalation.
> Privilege escalation just means getting more rights than you were
> supposed to get.

ohright, okay: then my statement is incorrect and it is more that policy writers need to get their policies right, by not allowing more than is needed!

> You usually don't care about losing access rights,
> because you could have done things there earlier. It's only about getting
> a privilege you want to have.

my point is that selinux allows that [to go from one domain to the next, losing all previous rights of the prior domain and gaining those of the next domain]. which is not a "normal" security system so to speak: i'd consider "normal" to be that you get given more privileges by going to a "higher" privileged state [but i'm not saying "normal" is "good"].

l.

--
--
Truth, honesty and respect are rare commodities that all spring from the same well: Love.
If you love yourself and everyone and everything around you, funnily and coincidentally enough, life gets a lot better. -- lkcl.net
lkcl at lkcl.net
From himainu-ynakam at miomio.jp Sun Oct 17 14:13:53 2004
From: himainu-ynakam at miomio.jp (Yuichi Nakamura)
Date: Sun, 17 Oct 2004 10:13:53 -0400
Subject: setools in Fedora
Message-ID: <200410171414.i9HEERow013740@mms-r01.iijmio.jp>

I tried to use setools in FedoraCore3-test3. I installed from the rpms on the Fedora project server: setools-1.4.1-5, setools-gui-1.4.1-5

The GUI tools (apol, sepcut) are very slow before the window is shown. In FedoraCore2, it was slow, too.

When I used setools in FedoraCore1, setools was fast enough on the same machine.

---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
Hitachi Software
http://www.selinux.hitachi-sk.co.jp/en
The George Washington University

From sds at epoch.ncsc.mil Mon Oct 18 12:33:58 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 18 Oct 2004 08:33:58 -0400
Subject: SELinux and the Desktop
In-Reply-To: <200410141515.i9EFFvtQ028021@turing-police.cc.vt.edu>
References: <3389915A-1CB5-11D9-8249-0003939571B4@larvalstage.net> <27413-38013@sneakemail.com> <1097690341.32468.385.camel@moss-spartans.epoch.ncsc.mil> <200410141515.i9EFFvtQ028021@turing-police.cc.vt.edu>
Message-ID: <1098102838.27895.4.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-10-14 at 11:15, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 13 Oct 2004 13:59:02 EDT, Stephen Smalley said:
>
> > not directly visible to the OS itself. dbus and X (but unfortunately
> > not the X in Fedora yet) have been modified to use that API to enforce
> > policy over their abstractions.
>
> Where might one find a patch for this that has a snowball's chance of working
> on an xorg X source tree?

See http://marc.theaimsgroup.com/?l=selinux&m=108483628322478&w=2. It is available in a branch of the xorg CVS tree. But unfortunately, the developer of security-enhanced X has moved on to another office and it hasn't been maintained since July, AFAIK.

--
Stephen Smalley
National Security Agency

From erich at debian.org Sun Oct 17 01:01:54 2004
From: erich at debian.org (Erich Schubert)
Date: Sun, 17 Oct 2004 03:01:54 +0200
Subject: SELinux Testing Software/Scripts
In-Reply-To: <20041016180414.GB19398@lkcl.net>
References: <20041016180414.GB19398@lkcl.net>
Message-ID: <1097974915.21919.5.camel@wintermute.xmldesign.de>

Hi,

> as i understand it, there is no "escalation" present in SE/Linux,
> only that assigned in the minds of us humans.
[...]
> that's a bit different from "escalating privilege" because that implies
> hierarchy, which SE/Linux doesn't have, per-se.

As long as you have roles with certain higher privileges (for example writing to configuration files, binding to arbitrary ports, loading a new policy...) there is privilege escalation. Privilege escalation just means getting more rights than you were supposed to get. You usually don't care about losing access rights, because you could have done things there earlier. It's only about getting a privilege you want to have.

Even in normal Linux, becoming root might give you less access rights in some specific cases. For example with NFS mounts that do root_squash. (Of course there may be ways of circumventing this, these may exist in SELinux, too)

Another important aspect in the use of the term "privilege escalation" is doing multiple steps to get the privileges you really want. A typical theoretical example is using a game as nobody to get group access to games, then using this to exploit some game and finally get access to a user account (which could then be used to get further access rights) - referring to the problem that by itself you wouldn't mind for the "games" group rights, still this may open new points of entry for an attacker.

Greetings,
Erich Schubert

--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C
(o_  A man doesn't know what he knows until he knows what he doesn't know.
//\  Whoever no longer spends time with real friends will soon
V_/_ lose their balance.
--- Michael Levine

From kmacmillan at tresys.com Mon Oct 18 16:35:18 2004
From: kmacmillan at tresys.com (Karl MacMillan)
Date: Mon, 18 Oct 2004 12:35:18 -0400
Subject: SELinux and the Desktop
In-Reply-To: <1098102838.27895.4.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200410181635.i9IGZHSf003625@gotham.columbia.tresys.com>

> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Stephen Smalley
> Sent: Monday, October 18, 2004 8:34 AM
> To: Fedora SELinux support list for users & developers.
> Subject: Re: SELinux and the Desktop
>
> On Thu, 2004-10-14 at 11:15, Valdis.Kletnieks at vt.edu wrote:
> > On Wed, 13 Oct 2004 13:59:02 EDT, Stephen Smalley said:
> >
> > > not directly visible to the OS itself. dbus and X (but unfortunately
> > > not the X in Fedora yet) have been modified to use that API to enforce
> > > policy over their abstractions.
> >
> > Where might one find a patch for this that has a snowball's chance of
> > working on an xorg X source tree?
>
> See http://marc.theaimsgroup.com/?l=selinux&m=108483628322478&w=2. It
> is available in a branch of the xorg CVS tree. But unfortunately, the
> developer of security-enhanced X has moved on to another office and it
> hasn't been maintained since July, AFAIK.
>

You can also view the source here: http://freedesktop.org/cgi-bin/viewcvs.cgi/xc/?root=xorg&only_with_tag=XACE-SELINUX

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

> --
> Stephen Smalley
> National Security Agency

From kmacmillan at tresys.com Mon Oct 18 17:41:02 2004
From: kmacmillan at tresys.com (Karl MacMillan)
Date: Mon, 18 Oct 2004 13:41:02 -0400
Subject: setools in Fedora
In-Reply-To: <200410171414.i9HEERow013740@mms-r01.iijmio.jp>
Message-ID: <200410181741.i9IHf1Sf004244@gotham.columbia.tresys.com>

> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Yuichi Nakamura
> Sent: Sunday, October 17, 2004 10:14 AM
> To: fedora-selinux-list at redhat.com
> Subject: setools in Fedora
>
> I tried to use setools in FedoraCore3-test3.
> I installed from rpm in Fedora project server.
> setools-1.4.1-5, setools-gui-1.4.1-5
>
> gui tools(apol,sepcut) are very slow before window is shown.
> In FedoraCore2, it was slow, too.
>
> When I used setools in FedoraCore1, setool is fast enough in the same
> machine.

A couple of questions to help narrow things down:

* Once the tool is displayed do things seem normal?
* How slow is the startup (10 secs, 30 secs, 1 minute, etc)?
* Are you passing any command-line parameters?
* Do you use any other TCL/TK apps and do they show similar behavior?

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

> ---
> Yuichi Nakamura
> Japan SELinux Users Group(JSELUG)
> http://www.selinux.gr.jp/
> Hitachi Software
> http://www.selinux.hitachi-sk.co.jp/en
> The George Washington University

From himainu-ynakam at miomio.jp Mon Oct 18 18:10:37 2004
From: himainu-ynakam at miomio.jp (Yuichi Nakamura)
Date: Mon, 18 Oct 2004 14:10:37 -0400
Subject: setools in Fedora
In-Reply-To: <200410181741.i9IHf1Sf004244@gotham.columbia.tresys.com>
References: <200410181741.i9IHf1Sf004244@gotham.columbia.tresys.com>
Message-ID: <200410181811.i9IIB5v6001771@mms-r00.iijmio.jp>

"Karl MacMillan" wrote:
> A couple of questions to help narrow things down:
> * Do you use any other TCL/TK apps and do they show similar behavior?

I ran the sample /usr/share/tcl8.4/BWidget-1.4.1/demo. It is slow. It will be a problem of Tcl/Tk or BWidgets.

> * Once the tool is displayed do things seem normal?

Yes. The first time tabs are displayed, it is slow, but after clicking all tabs and displaying all tabs, it seems normal.

> * How slow is the startup (10 secs, 30 secs, 1 minute, etc)?

In my environment (Celeron 1.7Ghz, memory 256Mb, Gnome), it takes about 10-20 secs for one tab to be displayed.

> * Are you passing any command-line parameters?

No command parameters.

---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
Hitachi Software
http://www.selinux.hitachi-sk.co.jp/en
The George Washington University

From kmacmillan at tresys.com Mon Oct 18 18:58:56 2004
From: kmacmillan at tresys.com (Karl MacMillan)
Date: Mon, 18 Oct 2004 14:58:56 -0400
Subject: setools in Fedora
In-Reply-To: <200410181811.i9IIB5v6001771@mms-r00.iijmio.jp>
Message-ID: <200410181858.i9IIwtSf004946@gotham.columbia.tresys.com>

> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Yuichi Nakamura
> Sent: Monday, October 18, 2004 2:11 PM
> To: Fedora SELinux support list for users & developers.
> Subject: Re: setools in Fedora
>
> "Karl MacMillan" wrote:
> > A couple of questions to help narrow things down:
> > * Do you use any other TCL/TK apps and do they show similar behavior?
> I ran sample /usr/share/tcl8.4/BWidget-1.4.1/demo.
> It is slow.
> It will be problem of tcl/tk or BWidgets.
>

One solution may be to upgrade to a new version of BWidgets and see if that helps. There shouldn't be any problem with the newer versions, we simply distribute 1.4 because it is compatible with the widest range of Tcl/Tk versions.

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

> > * Once the tool is displayed do things seem normal?
> Yes.
> First time tabs are displayed, it is slow,
> but after clicking all tabs and displayed all tabs, it seems normal.
>
> > * How slow is the startup (10 secs, 30 secs, 1 minute, etc)?
> In my environment(celeron1.7Ghz, memory 256Mb, Gnome),
> it takes about 10-20 secs for one tab to be displayed.
>
> > * Are you passing any command-line parameters?
> No command parameters.
>
> ---
> Yuichi Nakamura
> Japan SELinux Users Group(JSELUG)
> http://www.selinux.gr.jp/
> Hitachi Software
> http://www.selinux.hitachi-sk.co.jp/en
> The George Washington University

From manelolesa at gmail.com Tue Oct 19 10:24:15 2004
From: manelolesa at gmail.com (Manel Garcia)
Date: Tue, 19 Oct 2004 12:24:15 +0200
Subject: (no subject)
Message-ID:

From himainu-ynakam at miomio.jp Tue Oct 19 20:17:40 2004
From: himainu-ynakam at miomio.jp (Yuichi Nakamura)
Date: Tue, 19 Oct 2004 16:17:40 -0400
Subject: setools in Fedora
In-Reply-To: <200410181858.i9IIwtSf004946@gotham.columbia.tresys.com>
References: <200410181858.i9IIwtSf004946@gotham.columbia.tresys.com>
Message-ID: <200410192017.i9JKHwoJ008591@mms-r00.iijmio.jp>

"Karl MacMillan" wrote:
> One solution may be to upgrade to a new version of BWidgets and see if that
> helps. There shouldn't be any problem with the newer versions, we simply
> distribute 1.4 because it is compatible with the widest range of Tcl/Tk
> versions.

I tried BWidget 1.7.0, but it is slow too (samples in BWidget and setools). Tcl/Tk applications not using BWidget do not seem slow.

Has anyone experienced the same trouble?

---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
Hitachi Software
http://www.selinux.hitachi-sk.co.jp/en
The George Washington University

From kmacmillan at tresys.com Wed Oct 20 15:39:33 2004
From: kmacmillan at tresys.com (Karl MacMillan)
Date: Wed, 20 Oct 2004 11:39:33 -0400
Subject: setools in Fedora
In-Reply-To: <200410192017.i9JKHwoJ008591@mms-r00.iijmio.jp>
Message-ID: <200410201539.i9KFdXSf021993@gotham.columbia.tresys.com>

We can't reproduce this problem, unfortunately. We will keep a bug open for this in case something comes up in the future. You might try contacting the BWidget developers.

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

> -----Original Message-----
> From: Yuichi Nakamura [mailto:himainu-ynakam at miomio.jp]
> Sent: Tuesday, October 19, 2004 4:18 PM
> To: Fedora SELinux support list for users & developers.
> Cc: 'Selinux-Dev'; himainu-ynakam at miomio.jp
> Subject: Re: setools in Fedora
>
> "Karl MacMillan" wrote:
> > One solution may be to upgrade to a new version of BWidgets and see if
> > that helps. There shouldn't be any problem with the newer versions, we simply
> > distribute 1.4 because it is compatible with the widest range of Tcl/Tk
> > versions.
> I tried BWidget1.7.0, but it is slow too(Samples in Bwidget and setools).
> Tcl/Tk application not using BWidget seems not slow.
>
> Does anyone experienced the same trouble ?
>
> ---
> Yuichi Nakamura
> Japan SELinux Users Group(JSELUG)
> http://www.selinux.gr.jp/
> Hitachi Software
> http://www.selinux.hitachi-sk.co.jp/en
> The George Washington University

From walters at redhat.com Thu Oct 21 17:06:35 2004
From: walters at redhat.com (Colin Walters)
Date: Thu, 21 Oct 2004 13:06:35 -0400
Subject: mangled audit messages
Message-ID: <1098378395.16197.48.camel@decepticon.boston.redhat.com>

On my FC2 server, running strict policy, I am seeing a lot of these:

audit(1098309975.693:0): avc: denied { getattr } for pid=12283 exe=/usr/sbin/sshd
audit(1098309977.469:0): avc: denied { getattr } for pid=12293 exe=/usr/sbin/sshd
audit(1098309984.374:0): avc: denied { getattr } for pid=12319 exe=/usr/sbin/sshd
audit(1098309985.817:0): avc: denied { getattr } for pid=12325 exe=/usr/sbin/sshd

Note the large amount of odd leading whitespace, and the lack of any additional information. Does anyone know anything about this?

From sds at epoch.ncsc.mil Thu Oct 21 17:20:08 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 21 Oct 2004 13:20:08 -0400
Subject: mangled audit messages
In-Reply-To: <1098378395.16197.48.camel@decepticon.boston.redhat.com>
References: <1098378395.16197.48.camel@decepticon.boston.redhat.com>
Message-ID: <1098379208.5486.160.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-10-21 at 13:06, Colin Walters wrote:
> On my FC2 server, running strict policy, I am seeing a lot of these:
>
> audit(1098309975.693:0): avc:
> denied { getattr } for pid=12283 exe=/usr/sbin/sshd
> audit(1098309977.469:0): avc:
> denied { getattr } for pid=12293 exe=/usr/sbin/sshd
> audit(1098309984.374:0): avc:
> denied { getattr } for pid=12319 exe=/usr/sbin/sshd
> audit(1098309985.817:0): avc:
> denied { getattr } for pid=12325 exe=/usr/sbin/sshd
>
> Note the large amount of odd leading whitespace, and the lack of any
> additional information. Does anyone know anything about this?

I've seen this before, although not recently, and it has been reported on
this list by at least Russell Coker and Tom London. Seems to be difficult to
reproduce reliably. I don't know if there is a bugzilla on it. Rik Faith,
who wrote the audit framework, thought it looked similar to an earlier bug
in the audit code that he had fixed. I think Peter is presently maintaining
the code, cc'd.

What kernel are you running?

--
Stephen Smalley
National Security Agency

From walters at redhat.com Thu Oct 21 17:31:00 2004
From: walters at redhat.com (Colin Walters)
Date: Thu, 21 Oct 2004 13:31:00 -0400
Subject: mangled audit messages
In-Reply-To: <1098379208.5486.160.camel@moss-spartans.epoch.ncsc.mil>
References: <1098378395.16197.48.camel@decepticon.boston.redhat.com>
	<1098379208.5486.160.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1098379860.16197.54.camel@decepticon.boston.redhat.com>

On Thu, 2004-10-21 at 13:20 -0400, Stephen Smalley wrote:
> I've seen this before, although not recently, and it has been reported
> on this list by at least Russell Coker and Tom London.

Ah, ok.

> Seems to be
> difficult to reproduce reliably. I don't know if there is a bugzilla on
> it. Rik Faith, who wrote the audit framework, thought it looked similar
> to an earlier bug in the audit code that he had fixed. I think Peter is
> presently maintaining the code, cc'd.
>
> What kernel are you running?

Latest FC2 kernel, AFAIK: 2.6.8-1.521

When FC3 is out I plan to upgrade more or less immediately, so I'll report
back if I still see this then.

From selinux at gmail.com Thu Oct 21 18:10:53 2004
From: selinux at gmail.com (Tom London)
Date: Thu, 21 Oct 2004 11:10:53 -0700
Subject: mangled audit messages
In-Reply-To: <1098379860.16197.54.camel@decepticon.boston.redhat.com>
References: <1098378395.16197.48.camel@decepticon.boston.redhat.com>
	<1098379208.5486.160.camel@moss-spartans.epoch.ncsc.mil>
	<1098379860.16197.54.camel@decepticon.boston.redhat.com>
Message-ID: <4c4ba1530410211110791483be@mail.gmail.com>

I bugzilla'ed this a while ago:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126515

I tried digging into the code for this one, but uncovered no nuggets.

On my system, it seems at least partially correlated with loading new policy
files or packages. I don't believe I see this when running the 'boot
policy', but I occasionally see it after I've yum'ed in new policy packages.

I've seen this on almost every Rawhide kernel (currently running .640).

tom
--
Tom London

From selinux at gmail.com Fri Oct 22 16:13:03 2004
From: selinux at gmail.com (Tom London)
Date: Fri, 22 Oct 2004 09:13:03 -0700
Subject: realplayer
Message-ID: <4c4ba153041022091353bf0e95@mail.gmail.com>

Running rawhide, strict/enforcing.

After installing the RealPlayer 10 rpm (installs mostly into /usr/local/....),
I have no problem running realplayer in permissive mode. It did throw off the
'ld.so.cache' avc:

Oct 18 06:55:58 fedora kernel: audit(1098107758.752:0): avc: denied { execute } for pid=3956 path=/etc/ld.so.cache dev=hda2 ino=4474151 scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_cache_t tclass=file

I was not surprised, since the files were not properly labeled. Using the
labels from HelixPlayer as a guide, I relabeled RealPlayer's installed files
(mostly changing .so -> shlib_t, etc.)

This fixed the 'ld.so.cache' avc, but now I'm stumped with the following:

Oct 22 08:58:36 fedora kernel: audit(1098460716.425:0): avc: denied { execute } for pid=19845 path=/usr/lib/locale/locale-archive dev=hda2 ino=4117048 scontext=user_u:user_r:user_t tcontext=system_u:object_r:locale_t tclass=file
Oct 22 08:58:36 fedora kernel: audit(1098460716.426:0): avc: denied { execute } for pid=19845 path=/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION dev=hda2 ino=4444372 scontext=user_u:user_r:user_t tcontext=system_u:object_r:locale_t tclass=file

Execute for locale files????
I tried 'strace ./realplay.bin' and got:

<<<<>>>>
munmap(0xe5d000, 135566) = 0
set_tid_address(0xc5c928) = 19906
rt_sigaction(SIGRTMIN, {0x2c23a0, [], SA_RESTORER|SA_SIGINFO, 0x2c98a0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x2c2410, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x2c98a0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
_sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xfefff5a8, 31, (nil), 0}) = 0
brk(0) = 0x80d5000
brk(0x80f6000) = 0x80f6000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=38674048, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
close(3) = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2528, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xe36000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2528
read(3, "", 4096) = 0
close(3) = 0
munmap(0xe36000, 4096) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=365, ...}) = 0
mmap2(NULL, 365, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
close(3) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

Is this related to the previously reported (and fixed, I thought) mmap()
problem? Something else?

thanks,
tom
--
Tom London

From broom at transcontinentaldirect.com Fri Oct 22 18:46:54 2004
From: broom at transcontinentaldirect.com (Barry Roomberg)
Date: Fri, 22 Oct 2004 14:46:54 -0400
Subject: User file access auditing
Message-ID: <992869706CCB3842977776032647EA9B0115C318@treexchange.ccgroupnet.com>

I have setup a Fedora 2 box with SELinux enabled. I'm able to add users and
relabel /home to allow their .ssh keys to work, so I have a baseline install
that is working.

I would like to create a shared dir tree that certain users have full access
to. Every file access that reads or writes data (stat, open, read, write,
delete, rename, ???) should be logged, while still allowing the operation to
complete.

Is SELinux appropriate for that type of tracking?

If so, can anyone give me a hint on the way to construct the policy?

Thanks.

Barry

From sds at epoch.ncsc.mil Fri Oct 22 19:18:11 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 22 Oct 2004 15:18:11 -0400
Subject: User file access auditing
In-Reply-To: <992869706CCB3842977776032647EA9B0115C318@treexchange.ccgroupnet.com>
References: <992869706CCB3842977776032647EA9B0115C318@treexchange.ccgroupnet.com>
Message-ID: <1098472691.7614.344.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-10-22 at 14:46, Barry Roomberg wrote:
> I would like to create a shared dir tree that certain users have full
> access to. Every file access that reads or writes data (stat, open,
> read, write, delete, rename, ???) should be logged, while still allowing
> the operation to complete.
>
> Is SELinux appropriate for that type of tracking?
>
> If so, can anyone give me a hint on the way to construct the policy?

First, I'd recommend adding "audit=1" to the kernel command line in your
/etc/grub.conf, so that the kernel audit framework will also emit a syscall
audit record upon syscall exit whenever SELinux generates an audit message
during the processing of a syscall. The audit messages will be separate, but
will share the same timestamp/serial number so that they can be correlated.

Then, under /etc/security/selinux/src/policy, you can add your policy
statements, something like the below rules, possibly as a
domains/misc/local.te file to avoid conflicts with any future policy updates
to the rest of the policy:

# Define a type for files to be audited.
type audited_file_t, file_type, sysadmfile;

# Allow all user domains to create and modify these files.
allow userdomain audited_file_t:dir create_dir_perms;
allow userdomain audited_file_t:{ file lnk_file } create_file_perms;

# Audit all accesses by user domains to these files.
auditallow userdomain audited_file_t:{ dir file lnk_file } *;

That might not be exactly what you want, e.g. you might want to limit access
to a specific user role/domain, and you may not want to audit everything in
truth (e.g. searches of directories), but gives you the idea.
One caveat: SELinux permission checks and auditing only occur after the
existing Linux DAC checks, so if Linux DAC denies access (due to file
ownership/mode), you'll never reach SELinux at all and won't get an audit
message from it. But if these files are intended to be accessible to these
users, that shouldn't be a problem, I would think.

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Fri Oct 22 19:23:30 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 22 Oct 2004 15:23:30 -0400
Subject: User file access auditing
In-Reply-To: <1098472691.7614.344.camel@moss-spartans.epoch.ncsc.mil>
References: <992869706CCB3842977776032647EA9B0115C318@treexchange.ccgroupnet.com>
	<1098472691.7614.344.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1098473010.7614.349.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-10-22 at 15:18, Stephen Smalley wrote:
> Then, under /etc/security/selinux/src/policy, you can add your policy
> statements, something like the below rules, possibly as a
> domains/misc/local.te file to avoid conflicts with any future policy
> updates to the rest of the policy:
> # Define a type for files to be audited.
> type audited_file_t, file_type, sysadmfile;
> # Allow all user domains to create and modify these files.
> allow userdomain audited_file_t:dir create_dir_perms;
> allow userdomain audited_file_t:{ file lnk_file } create_file_perms;
> # Audit all accesses by user domains to these files.
> auditallow userdomain audited_file_t:{ dir file lnk_file } *;

I forgot to mention: after adding this to your policy sources, you need to
compile the new policy and load it and then apply the type to the desired
directory tree, e.g.

cd /etc/security/selinux/src/policy
make load
chcon -R -t audited_file_t

--
Stephen Smalley
National Security Agency

From broom at transcontinentaldirect.com Fri Oct 22 19:30:46 2004
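Stephen's replies above rely on two properties of the audit stream that are easy to miss when reading raw kernel output: with audit=1 the avc record and the syscall record for the same event share the audit(timestamp:serial) key, and (as the earlier "mangled audit messages" thread shows) an avc record can arrive without its scontext/tcontext/tclass fields, in which case there is nothing to act on. The script below is an added example for this archive, not code from the list or from any SELinux tool: it groups records by that key, joins each avc record with the syscall record that carries the same key, and flags avc records whose context fields are missing. SAMPLE_LOG is constructed: the avc lines are modelled on records quoted in these threads, and the syscall record only approximates the layout of the record the kernel audit framework emits (it is not a captured line).

```python
"""Correlate SELinux avc records with kernel syscall records and flag
mangled avc records.  Added example; not code from the list or from any
SELinux tool.  SAMPLE_LOG is constructed (see the module-level note)."""
import re
from collections import defaultdict

# Constructed sample: avc line modelled on the realplayer thread, a syscall
# record with the same audit key (layout approximated, not captured), and a
# mangled avc record modelled on the "mangled audit messages" thread.
SAMPLE_LOG = """\
audit(1098460716.425:0): avc: denied { execute } for pid=19845 path=/usr/lib/locale/locale-archive dev=hda2 ino=4117048 scontext=user_u:user_r:user_t tcontext=system_u:object_r:locale_t tclass=file
audit(1098460716.425:0): syscall=192 exit=-13 a0=0 a1=200000 a2=1 a3=2 items=1 pid=19845 uid=500 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin"
audit(1098309975.693:0): avc:  denied  { getattr } for  pid=12283 exe=/usr/sbin/sshd
"""

AUDIT_RE = re.compile(r"^\s*audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
AVC_RE = re.compile(r"^avc:\s*(denied|granted)\s*\{\s*([^}]*?)\s*\}\s*for\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED_AVC_FIELDS = ("scontext", "tcontext", "tclass")


def parse_record(line):
    """Parse one audit line into {key, kind, fields}; None for non-audit lines."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    ts, serial, body = m.groups()
    rec = {"key": f"{ts}:{serial}", "kind": "other", "fields": {}}
    avc = AVC_RE.match(body)
    if avc:
        rec["kind"] = "avc"
        rec["fields"]["result"] = avc.group(1)
        rec["fields"]["perms"] = avc.group(2).split()
        rec["fields"].update((k, v.strip('"')) for k, v in KV_RE.findall(avc.group(3)))
    elif body.startswith("syscall="):
        rec["kind"] = "syscall"
        rec["fields"].update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec


def group_by_key(lines):
    """Group records by audit(timestamp:serial); that key is what ties an avc
    record to the syscall record audit=1 emits for the same syscall."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            groups[rec["key"]].append(rec)
    return groups


def is_mangled(rec):
    """An avc record without its context/class fields cannot be acted on."""
    return rec["kind"] == "avc" and any(f not in rec["fields"] for f in REQUIRED_AVC_FIELDS)


def correlate(lines):
    """One event per avc record, joined with the syscall record sharing its key."""
    events = []
    for key, recs in group_by_key(lines).items():
        syscalls = [r for r in recs if r["kind"] == "syscall"]
        for rec in recs:
            if rec["kind"] != "avc":
                continue
            events.append({
                "key": key,
                "avc": rec["fields"],
                "syscall": syscalls[0]["fields"] if syscalls else None,
                "mangled": is_mangled(rec),
            })
    return events


def describe(event):
    """One-line summary for log review."""
    avc = event["avc"]
    if event["mangled"]:
        return (f"{event['key']} MANGLED avc record (pid={avc.get('pid', '?')}, "
                f"exe={avc.get('exe', '?')}): context fields missing")
    sc = event["syscall"]
    via = f" via syscall={sc['syscall']} comm={sc.get('comm', '?')}" if sc else ""
    return (f"{event['key']} {avc['result']} {{ {' '.join(avc['perms'])} }} "
            f"{avc['scontext']} -> {avc['tcontext']} ({avc['tclass']}){via}")


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG.splitlines()):
        print(describe(ev))
```

Run against a real /var/log/messages the same grouping applies unchanged; the only assumption baked in is that the syscall record starts with "syscall=" after the audit key, which is what the script keys on to tell the two record kinds apart.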
From: broom at transcontinentaldirect.com (Barry Roomberg)
Date: Fri, 22 Oct 2004 15:30:46 -0400
Subject: User file access auditing
Message-ID: <992869706CCB3842977776032647EA9B0115C321@treexchange.ccgroupnet.com>

I have setup a Fedora 2 box with SELinux enabled. I'm able to add users and
relabel /home to allow their .ssh keys to work, so I have a baseline install
that is working.

I would like to create a shared dir tree that certain users have full access
to. Every file access that reads or writes data (stat, open, read, write,
delete, rename, ???) should be logged, while still allowing the operation to
complete.

Is SELinux appropriate for that type of tracking?

If so, can anyone give me a hint on the way to construct the policy?

Thanks.

Barry

Note to moderator: I have just been given a new address so the last email
got sent to you. Please ignore it.

From phlpleo at yahoo.com Sat Oct 23 08:58:54 2004
From: phlpleo at yahoo.com (Philip Leo)
Date: Sat, 23 Oct 2004 01:58:54 -0700 (PDT)
Subject: Ask for suggestions
Message-ID: <20041023085854.93844.qmail@web90105.mail.scd.yahoo.com>

Hi,

I am a postgraduate student and am doing my master's thesis. I am interested
in Linux security and have learnt SELinux for several months. I want to do
some work in SELinux, and thus to finish my thesis. But there are so many
aspects in SELinux. So, would you please give me some suggestions on where
to start? Thanks a lot.

--
Best regards,
Philip Leo

From mehulr at gmail.com Sun Oct 24 17:32:44 2004
From: mehulr at gmail.com (Mehul)
Date: Sun, 24 Oct 2004 13:32:44 -0400
Subject: Cant Login after installing Fedora, screen keeps flickering
Message-ID: <88a8511c04102410321272c12a@mail.gmail.com>

Hello,

I installed Fedora on my Toshiba A70 Laptop yesterday and I am not able to
get into it. The installation worked fine, but when I try to boot into fedora
I can see a dialog box which has a text saying "show details"; just after
that my screen starts flickering. I am guessing that this issue is related to
my Graphics card. How do I install the new driver, because I can't even get
to the command prompt?

Can somebody please tell me how to get into the command prompt while booting
fedora? I mean, is there a set of key sequences which would directly get me
into the command prompt?

Please help

Mehul

From wolfy at zig-zag.net Sun Oct 24 18:11:42 2004
From: wolfy at zig-zag.net (lonely wolf)
Date: Sun, 24 Oct 2004 21:11:42 +0300
Subject: Cant Login after installing Fedora, screen keeps flickering
In-Reply-To: <88a8511c04102410321272c12a@mail.gmail.com>
References: <88a8511c04102410321272c12a@mail.gmail.com>
Message-ID: <417BF05E.9000301@zig-zag.net>

Mehul wrote:
> Hello,
>
> I installed Fedora on my Toshiba A70 Laptop yesterday and I am not
> able to get into it. The installation worked fine, but when I try to
> boot into fedora I can see a dialog box which has a text saying "show
> details"; just after that my screen starts flickering. I am guessing
> that this issue is related to my Graphics card. How do I install the
> new driver, because I can't even get to the command prompt?
>
> Can somebody please tell me how to get into the command prompt while
> booting fedora? I mean, is there a set of key sequences which would
> directly get me into the command prompt?

First of all, this question should go to the fedora-users list, not to
fedora-selinux.

To boot in text mode, press 'e' (like in edit) on the initial grub boot
menu, select the entry saying something similar to

kernel /vmlinuz-2.6.8-1.521 ro root=LABEL=/

press "e" again, then add a " 3" (without the quotes) at the end of the
line. Then press enter to validate the modification, followed by "b" (like
in boot).

From mrevanka at gmu.edu Sun Oct 24 16:51:21 2004
From: mrevanka at gmu.edu (Mehul)
Date: Sun, 24 Oct 2004 12:51:21 -0400
Subject: Cant Login after installing Fedora, screen keeps flickering
Message-ID: <417BDD89.1050900@gmu.edu>

Hello,

I installed Fedora on my Toshiba A70 Laptop yesterday and I am not able to
get into it. The installation worked fine, but when I try to boot into fedora
I can see a dialog box which has a text saying "show details"; just after
that my screen starts flickering. I am guessing that this issue is related to
my Graphics card. How do I install the new driver, because I can't even get
to the command prompt?

Can somebody please tell me how to get into the command prompt while booting
fedora? I mean, is there a set of key sequences which would directly get me
into the command prompt?

Please help

Mehul

From predrag.petrovic at lol.ba Sun Oct 24 18:07:42 2004
From: predrag.petrovic at lol.ba (Predrag Petrovic)
Date: Sun, 24 Oct 2004 20:07:42 +0200
Subject: Cant Login after installing Fedora, screen keeps flickering
Message-ID:

Hi Mehul,

Well, try booting the rescue cd. After it boots linux, enter:

chroot /mnt/sysimage

and try to debug. Also try booting into single user mode by adding "single"
to the boot string of grub.

________________________________
From: fedora-selinux-list-bounces at redhat.com on behalf of Mehul
Sent: Sun 10/24/2004 7:32 PM
To: fedora-selinux-list at redhat.com
Subject: Cant Login after installing Fedora, screen keeps flickering

Hello,

I installed Fedora on my Toshiba A70 Laptop yesterday and I am not able to
get into it. The installation worked fine, but when I try to boot into fedora
I can see a dialog box which has a text saying "show details"; just after
that my screen starts flickering. I am guessing that this issue is related to
my Graphics card. How do I install the new driver, because I can't even get
to the command prompt?

Can somebody please tell me how to get into the command prompt while booting
fedora? I mean, is there a set of key sequences which would directly get me
into the command prompt?

Please help

Mehul

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From russell at coker.com.au Mon Oct 25 15:42:04 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 26 Oct 2004 01:42:04 +1000
Subject: Ask for suggestions
In-Reply-To: <20041023085854.93844.qmail@web90105.mail.scd.yahoo.com>
References: <20041023085854.93844.qmail@web90105.mail.scd.yahoo.com>
Message-ID: <200410260142.04895.russell@coker.com.au>

On Sat, 23 Oct 2004 18:58, Philip Leo wrote:
> I am a postgraduate student and am doing my master's thesis. I am
> interested in Linux security and have learnt SELinux for several months. I
> want to do some work in SELinux, and thus to finish my thesis. But there
> are so many aspects in SELinux. So, would you please give me some
> suggestions on where to start? Thanks a lot.

SE Linux is a big project involving many areas. To advise you on where to
work we would need some ideas about your skills, interests, and the amount
of work that you plan to do.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From justin.conover at gmail.com Mon Oct 25 18:49:29 2004
From: justin.conover at gmail.com (Justin Conover)
Date: Mon, 25 Oct 2004 13:49:29 -0500
Subject: What to do after building a kernel.
Message-ID:

After I built a new kernel based off of ck-overloaded, I rebooted and a ton
of SELinux errors/messages kept coming across the screen. What do I need to
do to make a home-grown kernel work with SELinux?

From walters at redhat.com Mon Oct 25 19:03:54 2004
From: walters at redhat.com (Colin Walters)
Date: Mon, 25 Oct 2004 15:03:54 -0400
Subject: What to do after building a kernel.
In-Reply-To:
References:
Message-ID: <1098731034.18825.5.camel@decepticon.boston.redhat.com>

On Mon, 2004-10-25 at 13:49 -0500, Justin Conover wrote:
> After I built a new kernel based off of ck-overloaded, I rebooted and a
> ton of SELinux errors/messages kept coming across the screen.

I recommend you don't rebuild arbitrary kernel versions and patch sets with
SELinux enabled. The security of the system depends on tight coordination
between the kernel, policy, and various packages. In Fedora we do the
integration to ensure that this all just works.

> What
> do I need to do to make a home-grown kernel work with SELinux?

Most likely you're missing the tmpfs xattr patch in this case.

From justin.conover at gmail.com Mon Oct 25 19:21:21 2004
From: justin.conover at gmail.com (Justin Conover)
Date: Mon, 25 Oct 2004 14:21:21 -0500
Subject: What to do after building a kernel.
In-Reply-To: <1098731034.18825.5.camel@decepticon.boston.redhat.com>
References: <1098731034.18825.5.camel@decepticon.boston.redhat.com>
Message-ID:

That's fine, I really just wanted to build a reiser4 dir to chroot a
different linux install. I'll just use ext3/xfs instead. Well, at least
SELinux worked for saying NO to a different kernel ;-)

On Mon, 25 Oct 2004 15:03:54 -0400, Colin Walters wrote:
> On Mon, 2004-10-25 at 13:49 -0500, Justin Conover wrote:
> > After I built a new kernel based off of ck-overloaded, I rebooted and a
> > ton of SELinux errors/messages kept coming across the screen.
>
> I recommend you don't rebuild arbitrary kernel versions and patch sets
> with SELinux enabled. The security of the system depends on tight
> coordination between the kernel, policy, and various packages. In
> Fedora we do the integration to ensure that this all just works.
>
> > What
> > do I need to do to make a home-grown kernel work with SELinux?
>
> Most likely you're missing the tmpfs xattr patch in this case.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From selinux at gmail.com Tue Oct 26 15:23:46 2004
From: selinux at gmail.com (Tom London)
Date: Tue, 26 Oct 2004 08:23:46 -0700
Subject: USB printer disconnect...
Message-ID: <4c4ba1530410260823746e209e@mail.gmail.com>

Running strict/enforcing with latest Rawhide (.643, ...)

Disconnecting a USB printer after the system has booted up in graphical mode
produces an avc for 'alternatives' followed by a host of avc for 'killall':

Oct 26 08:07:08 fedora ptal-mlcd: ERROR at ExMgr.cpp:3209, dev=, pid=2440, e=19, t=1098803228 llioSubprocess: llioRead returns -1, expected=6!
Oct 26 08:07:08 fedora udev[3858]: removing device node '/dev/usb/lp0'
Oct 26 08:07:08 fedora kernel: usb 3-2: USB disconnect, address 2
Oct 26 08:07:08 fedora ptal-mlcd: ERROR at ExMgr.cpp:2820, dev=, pid=2417, e=11, t=1098803228 llioService: fdRead returns 0, expected=6!
Oct 26 08:07:08 fedora ptal-mlcd: ERROR at ExMgr.cpp:871, dev=, pid=2417, e=32, t=1098803228 exClose(reason=0x0010)
Oct 26 08:07:08 fedora kernel: drivers/usb/class/usblp.c: usblp0: removed
Oct 26 08:07:12 fedora kernel: audit(1098803232.090:0): avc: denied { getattr } for pid=3902 exe=/usr/sbin/alternatives path=/var/lib/alternatives dev=hda2 ino=4456489 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.111:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=selinux dev=hda2 ino=4509743 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=1 dev=proc ino=65538 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:init_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=2 dev=proc ino=131074 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:kernel_t tclass=dir
Oct 26 08:07:12 fedora kernel:
audit(1098803232.113:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=3 dev=proc ino=196610 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:kernel_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=4 dev=proc ino=262146 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:kernel_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=5 dev=proc ino=327682 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:kernel_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=22 dev=proc ino=1441794 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:kernel_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.114:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=32 dev=proc ino=2097154 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:kernel_t tclass=dir

<<< SNIP about 100 avc's like the above>>>>

Oct 26 08:07:29 fedora kernel: ohci_hcd 0000:00:03.1: wakeup

tom
--
Tom London

From walters at redhat.com Tue Oct 26 15:30:56 2004
From: walters at redhat.com (Colin Walters)
Date: Tue, 26 Oct 2004 11:30:56 -0400
Subject: USB printer disconnect...
In-Reply-To: <4c4ba1530410260823746e209e@mail.gmail.com>
References: <4c4ba1530410260823746e209e@mail.gmail.com>
Message-ID: <1098804656.8613.10.camel@decepticon.boston.redhat.com>

On Tue, 2004-10-26 at 08:23 -0700, Tom London wrote:
> Running strict/enforcing with latest Rawhide (.643, ...)
>
> Disconnecting a USB printer after the system has booted up
> in graphical mode produces an avc for 'alternatives' followed
> by a host of avc for 'killall':

What version of hal-cups-utils? Are you running the latest version of cups
which has a pid file? Try restarting your cupsd.

From selinux at gmail.com Tue Oct 26 15:38:39 2004
From: selinux at gmail.com (Tom London)
Date: Tue, 26 Oct 2004 08:38:39 -0700
Subject: USB printer disconnect...
In-Reply-To: <1098804656.8613.10.camel@decepticon.boston.redhat.com>
References: <4c4ba1530410260823746e209e@mail.gmail.com>
	<1098804656.8613.10.camel@decepticon.boston.redhat.com>
Message-ID: <4c4ba15304102608384fc33a68@mail.gmail.com>

On Tue, 26 Oct 2004 11:30:56 -0400, Colin Walters wrote:
> What version of hal-cups-utils? Are you running the latest version of
> cups which has a pid file? Try restarting your cupsd.
>

Running hal-cups-utils-0.5.2-8, cups-1.1.22-0.rc1.5 (believe all latest
rawhide, except for today's redhat-menu problem). I had just rebooted after
today's rawhide update to .643.

Restarting cupsd has no effect. Same results.....

tom
--
Tom London

From justin.conover at gmail.com Tue Oct 26 15:48:24 2004
From: justin.conover at gmail.com (Justin Conover)
Date: Tue, 26 Oct 2004 10:48:24 -0500
Subject: What to do after building a kernel.
In-Reply-To:
References: <1098731034.18825.5.camel@decepticon.boston.redhat.com>
Message-ID:

So basically I can install the .src.rpm for the latest Fedora Kernel and use
the patch from my /rpmbuild/SOURCES/patch--2.6.9-final.bz2 or bk2 or both?

On Mon, 25 Oct 2004 14:21:21 -0500, Justin Conover wrote:
> That's fine, I really just wanted to build a reiser4 dir to chroot a
> different linux install. I'll just use ext3/xfs instead. Well,
> at least SELinux worked for saying NO to a different kernel ;-)
>
> On Mon, 25 Oct 2004 15:03:54 -0400, Colin Walters wrote:
> > On Mon, 2004-10-25 at 13:49 -0500, Justin Conover wrote:
> > > After I built a new kernel based off of ck-overloaded, I rebooted and a
> > > ton of SELinux errors/messages kept coming across the screen.
> >
> > I recommend you don't rebuild arbitrary kernel versions and patch sets
> > with SELinux enabled. The security of the system depends on tight
> > coordination between the kernel, policy, and various packages. In
> > Fedora we do the integration to ensure that this all just works.
> >
> > > What
> > > do I need to do to make a home-grown kernel work with SELinux?
> >
> > Most likely you're missing the tmpfs xattr patch in this case.
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
>

From selinux at gmail.com Tue Oct 26 16:32:17 2004
From: selinux at gmail.com (Tom London)
Date: Tue, 26 Oct 2004 09:32:17 -0700
Subject: USB printer disconnect...
In-Reply-To: <4c4ba15304102608384fc33a68@mail.gmail.com>
References: <4c4ba1530410260823746e209e@mail.gmail.com>
	<1098804656.8613.10.camel@decepticon.boston.redhat.com>
	<4c4ba15304102608384fc33a68@mail.gmail.com>
Message-ID: <4c4ba1530410260932186755ec@mail.gmail.com>

I tried changing cups.te to add 'r_dir_file(cupsd_config_t, rpm_var_lib_t)',
but this generated more problems, shown below (killall avcs remain too).

Not sure what broke.....

Below is a 'permissive' set of avcs after adding
'r_dir_file(cupsd_config_t, rpm_var_lib_t)' to cups.te

tom

Oct 26 09:28:03 fedora udev[5101]: removing device node '/dev/usb/lp0'
Oct 26 09:28:03 fedora kernel: usb 3-2: USB disconnect, address 5
Oct 26 09:28:03 fedora kernel: drivers/usb/class/usblp.c: usblp0: removed
Oct 26 09:28:03 fedora dbus: avc: received setenforce notice (enforcing=0)
Oct 26 09:28:06 fedora kernel: audit(1098808086.993:0): avc: denied { getattr } for pid=5145 exe=/usr/sbin/alternatives path=/etc/rc.d/init.d/cups dev=hda2 ino=4473100 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:initrc_exec_t tclass=file
Oct 26 09:28:08 fedora kernel: audit(1098808088.697:0): avc: denied { ioctl } for pid=5146 exe=/usr/bin/perl path=/usr/share/foomatic/db/oldprinterids dev=hda2 ino=4277183 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=file
Oct 26 09:28:09 fedora kernel: audit(1098808089.932:0): avc: denied { execute } for pid=5154 exe=/usr/bin/perl name=hostname dev=hda2 ino=229432 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:hostname_exec_t tclass=file
Oct 26 09:28:09 fedora kernel: audit(1098808089.933:0): avc: denied { execute_no_trans } for pid=5154 exe=/usr/bin/perl path=/bin/hostname dev=hda2 ino=229432 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:hostname_exec_t tclass=file
Oct 26 09:28:09 fedora kernel:
audit(1098808089.933:0): avc: denied { read } for pid=5154 exe=/usr/bin/perl path=/bin/hostname dev=hda2 ino=229432 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:hostname_exec_t tclass=file
Oct 26 09:28:12 fedora kernel: audit(1098808092.679:0): avc: denied { search } for pid=5166 exe=/usr/bin/killall name=selinux dev=hda2 ino=4509743 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Oct 26 09:28:12 fedora kernel: audit(1098808092.679:0): avc: denied { read } for pid=5166 exe=/usr/bin/killall name=config dev=hda2 ino=4509759 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 26 09:28:12 fedora kernel: audit(1098808092.679:0): avc: denied { getattr } for pid=5166 exe=/usr/bin/killall path=/etc/selinux/config dev=hda2 ino=4509759 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 26 09:28:12 fedora kernel: audit(1098808092.680:0): avc: denied { search } for pid=5166 exe=/usr/bin/killall name=1 dev=proc ino=65538 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:init_t tclass=dir
Oct 26 09:28:12 fedora kernel: audit(1098808092.680:0): avc: denied { read } for pid=5166 exe=/usr/bin/killall name=stat dev=proc ino=65549 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:init_t tclass=file
Oct 26 09:28:12 fedora kernel: audit(1098808092.681:0): avc: denied { getattr } for pid=5166 exe=/usr/bin/killall path=/proc/1/stat dev=proc ino=65549 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:init_t tclass=file

<<<>>>

--
Tom London

From russell at coker.com.au Tue Oct 26 16:48:50 2004
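The two avc listings in this thread (the hundred-odd killall denials after the printer disconnect, and the further set after adding r_dir_file(cupsd_config_t, rpm_var_lib_t) to cups.te) are easier to reason about once collapsed by source type, target type and object class, which is the first step audit2allow performs. The script below is an added example for this archive, not code from the list and not the audit2allow tool: it summarises denials into one candidate allow rule per (source, target, class), counts denials per executable so the reviewer can see which helper programs are running in cupsd_config_t, and skips records that lack the context fields rather than turning them into bogus rules. SAMPLE_LOG is taken from Tom's listings above plus one of the mangled records from the earlier "mangled audit messages" thread.

```python
"""Collapse SELinux avc denials into candidate allow rules and per-exe
counts.  Added example; not code from the list and not audit2allow.
SAMPLE_LOG lines are copied from the thread (last one is a mangled record)."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
audit(1098808092.679:0): avc: denied { search } for pid=5166 exe=/usr/bin/killall name=selinux dev=hda2 ino=4509743 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:selinux_config_t tclass=dir
audit(1098808092.679:0): avc: denied { read } for pid=5166 exe=/usr/bin/killall name=config dev=hda2 ino=4509759 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1098808092.679:0): avc: denied { getattr } for pid=5166 exe=/usr/bin/killall path=/etc/selinux/config dev=hda2 ino=4509759 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1098808092.680:0): avc: denied { search } for pid=5166 exe=/usr/bin/killall name=1 dev=proc ino=65538 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:init_t tclass=dir
audit(1098803232.113:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=2 dev=proc ino=131074 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:kernel_t tclass=dir
audit(1098803232.113:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=3 dev=proc ino=196610 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:kernel_t tclass=dir
audit(1098309975.693:0): avc: denied { getattr } for pid=12283 exe=/usr/sbin/sshd
"""

# A denial is only usable for rule generation when all three context fields
# are present; the mangled records from the other thread will not match.
DENIAL_RE = re.compile(
    r"avc:\s*denied\s*\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
EXE_RE = re.compile(r"avc:\s*denied\b.*?\bexe=(?P<exe>\S+)")


def type_of(context):
    """user:role:type -> type (an MLS range, if present, follows a fourth colon)."""
    return context.split(":")[2]


def summarize_denials(lines):
    """Collapse denials into {(source_type, target_type, tclass): set(perms)}."""
    summary = defaultdict(set)
    for line in lines:
        m = DENIAL_RE.search(line)
        if not m:
            continue  # not a denial, or a mangled record without contexts
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        summary[key].update(m["perms"].split())
    return dict(summary)


def render_rules(summary):
    """Render audit2allow-style allow rules, one per (source, target, class),
    sorted so repeated runs over a growing log diff cleanly."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def denials_by_exe(lines):
    """Count denied records per executable (mangled records still carry exe=)."""
    counts = Counter()
    for line in lines:
        m = EXE_RE.search(line)
        if m:
            counts[m["exe"]] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rule in render_rules(summarize_denials(lines)):
        print(rule)
    for exe, n in denials_by_exe(lines).most_common():
        print(f"{n:4d}  {exe}")
```

The rendered rules are a starting point for review against the policy's existing macros (r_dir_file and friends), not something to load unread: a rule such as allow cupsd_config_t kernel_t:dir { search } would let the config domain look at every kernel process's /proc entry, and the thread itself shows that granting one access can simply let the helper script run on to the next denial.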
From: russell at coker.com.au (Russell Coker)
Date: Wed, 27 Oct 2004 02:48:50 +1000
Subject: mangled audit messages
In-Reply-To: <1098379208.5486.160.camel@moss-spartans.epoch.ncsc.mil>
References: <1098378395.16197.48.camel@decepticon.boston.redhat.com>
	<1098379208.5486.160.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200410270248.50226.russell@coker.com.au>

On Fri, 22 Oct 2004 03:20, Stephen Smalley wrote:
> I've seen this before, although not recently, and it has been reported
> on this list by at least Russell Coker and Tom London. Seems to be
> difficult to reproduce reliably. I don't know if there is a bugzilla on

It's happening to me all the time on 2.6.9-1.639. It doesn't seem to be
difficult to reproduce, just run a machine for a while and it will happen.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From justin.conover at gmail.com Tue Oct 26 21:04:23 2004
From: justin.conover at gmail.com (Justin Conover)
Date: Tue, 26 Oct 2004 16:04:23 -0500
Subject: What to do after building a kernel.
In-Reply-To: 
References: <1098731034.18825.5.camel@decepticon.boston.redhat.com>
Message-ID: 

FYI...

Just in case anyone wants to create their own kernel running on their box: grabbing and applying all the patches from the latest kernel.src.rpm worked for me on a ck2 kernel.

On Tue, 26 Oct 2004 10:48:24 -0500, Justin Conover wrote:
> So basically I can install the .src.rpm for the latest Fedora Kernel
> and use the patch from my /rpmbuild/SOURCES/patch--2.6.9-final.bz2 or
> bk2 or both?
>
> On Mon, 25 Oct 2004 14:21:21 -0500, Justin Conover wrote:
> > That's fine, I really just wanted to build a reiser4 dir to chroot a
> > different linux install. I'll just use ext3/xfs instead. Well,
> > at least SELinux worked for saying NO to a different kernel ;-)
> >
> > On Mon, 25 Oct 2004 15:03:54 -0400, Colin Walters wrote:
> > > On Mon, 2004-10-25 at 13:49 -0500, Justin Conover wrote:
> > > > After I built a new kernel based off of ck-overloaded, I rebooted and a
> > > > ton of SELinux errors/messages kept coming across the screen?
> > >
> > > I recommend you don't rebuild arbitrary kernel versions and patch sets
> > > with SELinux enabled. The security of the system depends on tight
> > > coordination between the kernel, policy, and various packages. In
> > > Fedora we do the integration to ensure that this all just works.
> > >
> > > > What
> > > > do I need to do to make a home-grown kernel work with SELinux.
> > >
> > > Most likely you're missing the tmpfs xattr patch in this case.
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From fedora at andrewfarris.com Tue Oct 26 23:50:07 2004
From: fedora at andrewfarris.com (Andrew Farris)
Date: Tue, 26 Oct 2004 16:50:07 -0700
Subject: What to do after building a kernel.
In-Reply-To: 
References: <1098731034.18825.5.camel@decepticon.boston.redhat.com>
Message-ID: <1098834607.4327.43.camel@andrewfarris.dev>

On Tue, 2004-10-26 at 16:04 -0500, Justin Conover wrote:
> FYI...
>
> Just in case anyone wants to create their own kernel running on their
> box. Grabbing and applying all the patches from the latest
> kernel.src.rpm worked for me on a ck2 kernel.

Better yet, put your kernel tarball or patchsets into the kernel srpm and specfile, then rebuild, so that you have maintained a valid rpm database understanding of your system, kernels installed, and related files. This is fairly simple to do, but you'll want to remove the config files for other architectures and specific patches for them (and a few related things in the spec).

> On Tue, 26 Oct 2004 10:48:24 -0500, Justin Conover wrote:
> > So basically I can install the .src.rpm for the latest Fedora Kernel
> > and use the patch from my /rpmbuild/SOURCES/patch--2.6.9-final.bz2 or
> > bk2 or both?
> >
> > On Mon, 25 Oct 2004 14:21:21 -0500, Justin Conover wrote:
> > > That's fine, I really just wanted to build a reiser4 dir to chroot a
> > > different linux install. I'll just use ext3/xfs instead. Well,
> > > at least SELinux worked for saying NO to a different kernel ;-)
> > >
> > > On Mon, 25 Oct 2004 15:03:54 -0400, Colin Walters wrote:
> > > > On Mon, 2004-10-25 at 13:49 -0500, Justin Conover wrote:
> > > > > After I built a new kernel based off of ck-overloaded, I rebooted and a
> > > > > ton of SELinux errors/messages kept coming across the screen?
> > > >
> > > > I recommend you don't rebuild arbitrary kernel versions and patch sets
> > > > with SELinux enabled. The security of the system depends on tight
> > > > coordination between the kernel, policy, and various packages. In
> > > > Fedora we do the integration to ensure that this all just works.
> > > >
> > > > > What
> > > > > do I need to do to make a home-grown kernel work with SELinux.
> > > >
> > > > Most likely you're missing the tmpfs xattr patch in this case.
> > > >
> > > > --
> > > > fedora-selinux-list mailing list
> > > > fedora-selinux-list at redhat.com
> > > > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From russell at coker.com.au Wed Oct 27 14:39:52 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 28 Oct 2004 00:39:52 +1000
Subject: realplayer
In-Reply-To: <4c4ba153041022091353bf0e95@mail.gmail.com>
References: <4c4ba153041022091353bf0e95@mail.gmail.com>
Message-ID: <200410280039.52542.russell@coker.com.au>

On Sat, 23 Oct 2004 02:13, Tom London wrote:
> mmap2(NULL, 365, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
> close(3) = 0
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++
>
> Is this related to the previously reported (and fixed, I thought)
> mmap() problem? Something else?

Looks like the mmap() problem. What kernel version are you running?

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

From sds at epoch.ncsc.mil Wed Oct 27 14:50:58 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Wed, 27 Oct 2004 10:50:58 -0400
Subject: realplayer
In-Reply-To: <200410280039.52542.russell@coker.com.au>
References: <4c4ba153041022091353bf0e95@mail.gmail.com> <200410280039.52542.russell@coker.com.au>
Message-ID: <1098888658.30470.147.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-10-27 at 10:39, Russell Coker wrote:
> On Sat, 23 Oct 2004 02:13, Tom London wrote:
> > mmap2(NULL, 365, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
> > close(3) = 0
> > --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> > +++ killed by SIGSEGV +++
> >
> > Is this related to the previously reported (and fixed, I thought)
> > mmap() problem? Something else?
>
> Looks like the mmap() problem. What kernel version are you running?

Legacy binaries have their mmap(PROT_READ) requests translated to PROT_READ|PROT_EXEC automatically by the kernel for backward compatibility. Not an SELinux issue; SELinux is just checking permissions based on what is being passed to it by the core kernel.

-- 
Stephen Smalley
National Security Agency

From broom at transcontinentaldirect.com Wed Oct 27 17:13:26 2004
From: broom at transcontinentaldirect.com (Barry Roomberg)
Date: Wed, 27 Oct 2004 13:13:26 -0400
Subject: Truncated log entries
Message-ID: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com>

I'm running Fedora Core 2, kernel 2.6.5-1.358.
I'm logging activity in a directory (thanks Stephen).

I occasionally get what look to be truncated log entries such as:

Oct 27 11:24:21 mstoppel1 kernel: audit(1098890661.257:8894633): avc: granted { read } for pid=17834 exed=500 fsuid=500 egid=500 sgid=500 fsgid=500

"exed=500" ???

also:

Oct 27 11:26:47 mstoppel1 kernel: =500 fsgid=500

Any idea why? They are rare and interspersed with good entries.

From Valdis.Kletnieks at vt.edu Wed Oct 27 17:24:42 2004
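The two malformed records Barry quotes (a "granted" record whose tail is the uid/gid block of some other record, and a bare "=500 fsgid=500" tail on a line of its own) are easy to spot by eye and easy to miss in a busy log. The following added example, which is not code from this thread, classifies kernel-printed AVC lines of this era's format as complete, truncated (an audit() header whose record is incomplete or carries keys that do not belong in an AVC record) or fragment (key=value text with no header at all). The sample lines are copied from messages in this archive plus one ordinary crond line for contrast; the list of keys it treats as legitimate is an assumption for illustration, not taken from the kernel source.

```python
import re

# Keys an AVC record of this (2004-era, kernel-printed) format may carry.
# Assumption for this example; extend it if your kernel emits others.
KNOWN_KEYS = {
    "pid", "exe", "comm", "path", "name", "dev", "ino", "scontext", "tcontext",
    "tclass", "capability", "saddr", "src", "daddr", "dest", "netif", "laddr",
    "lport", "faddr", "fport", "key",
}
REQUIRED_KEYS = ("pid", "scontext", "tcontext", "tclass")

SYSLOG_PREFIX_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ kernel: ")
AVC_HEAD_RE = re.compile(
    r"^audit\((\d+\.\d+):(\d+)\): avc: (denied|granted) \{ ([^}]*)\} for (.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
FRAGMENT_RE = re.compile(r"^(=|\w+=)")   # line begins in the middle of key=value text


def strip_syslog(line):
    """Drop the 'Mon DD HH:MM:SS host kernel: ' prefix klogd/syslog adds, if present."""
    return SYSLOG_PREFIX_RE.sub("", line.strip())


def check_avc(line):
    """Classify one log line.

    Returns ("ok", fields), ("truncated", reason), ("fragment", reason) or ("other", None).
    """
    body = strip_syslog(line)
    if not body.startswith("audit("):
        if FRAGMENT_RE.match(body):
            return "fragment", "key=value tail with no audit() header"
        return "other", None
    m = AVC_HEAD_RE.match(body)
    if m is None:
        return "truncated", "audit() header but no complete avc record"
    fields = dict(KV_RE.findall(m.group(5)))
    unknown = sorted(k for k in fields if k not in KNOWN_KEYS)
    if unknown:
        # e.g. "exed=500 fsuid=500 ...": another record's tail spliced into this one
        return "truncated", "unknown keys (spliced record?): " + ",".join(unknown)
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        return "truncated", "missing " + ",".join(missing)
    fields.update(serial=m.group(2), verdict=m.group(3), perms=m.group(4).split())
    return "ok", fields


def scan(lines):
    """Return (1-based line number, status, reason) for every line that is not a well-formed AVC record."""
    findings = []
    for n, line in enumerate(lines, 1):
        status, detail = check_avc(line)
        if status in ("truncated", "fragment"):
            findings.append((n, status, detail))
    return findings


# Sample lines copied from messages in this archive, plus a crond line for contrast.
SAMPLE_LINES = [
    "Oct 27 11:24:21 mstoppel1 kernel: audit(1098890661.257:8894633): avc: granted { read } for pid=17834 exed=500 fsuid=500 egid=500 sgid=500 fsgid=500",
    "Oct 27 11:26:47 mstoppel1 kernel: =500 fsgid=500",
    "Oct 29 09:45:18 fedora kernel: audit(1099068318.321:0): avc: denied { unix_read unix_write } for pid=3299 exe=/usr/X11R6/bin/Xorg",
    "Oct 29 09:45:19 fedora kernel: audit(1099068319.208:0): avc: denied { read } for pid=14627 exe=/usr/bin/python name=hda dev=tmpfs ino=1024 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file",
    "Oct 29 13:01:01 localhost crond(pam_unix)[10492]: session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for n, status, detail in scan(SAMPLE_LINES):
        print(f"line {n}: {status}: {detail}")
```

Run against /var/log/messages, this separates the three failure shapes Barry, Tom and Dan report (spliced tail, orphaned tail, record cut off after exe=) from ordinary noise, which makes it possible to count them per boot or per policy reload rather than relying on having noticed one scroll past.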
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 27 Oct 2004 13:24:42 -0400
Subject: Truncated log entries
In-Reply-To: Your message of "Wed, 27 Oct 2004 13:13:26 EDT." <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com>
References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com>
Message-ID: <200410271724.i9RHOgRh003221@turing-police.cc.vt.edu>

On Wed, 27 Oct 2004 13:13:26 EDT, Barry Roomberg said:
> "exed=500" ???

Typo in a kprintf? ;)

> also:
> Oct 27 11:26:47 mstoppel1 kernel: =500 fsgid=500
>
> Any idea why? They are rare and interspersed with good entries.

Are you perchance on an SMP system (which includes a 1-CPU HT)? There's a few race conditions when processes on both/multiple processors printk() at the same time. Other possibility is a burst of traffic wrapped the kernel syslog buffer before klogd read it. On recent kernels, you can tune how big the buffer is at kernel build time with CONFIG_LOG_BUF_SHIFT (16 for a 64K buffer, 17 for 128K, etc).

From sds at epoch.ncsc.mil Wed Oct 27 17:24:37 2004
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Wed, 27 Oct 2004 13:24:37 -0400 Subject: Truncated log entries In-Reply-To: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> Message-ID: <1098897877.30470.165.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2004-10-27 at 13:13, Barry Roomberg wrote: > I'm running Fedora Core 2 Kernel: 2.6.5-1.358 > I'm logging activity in a directory (thanks Stephen). > > I occasionally get what look like to be truncated log entries such as: > > Oct 27 11:24:21 mstoppel1 kernel: audit(1098890661.257:8894633): > avc: granted { read } for pid=17834 exed=500 fsuid=500 egid=500 > sgid=500 fsgid=500 > > "exed=500" ??? > > also: > Oct 27 11:26:47 mstoppel1 kernel: =500 fsgid=500 > > > Any idea why? They are rare and interspersed with good entries. /me guesses that the kernel audit framework isn't SMP-safe. Is anyone at RedHat looking into this? It was already bugzilla'd by Tom London. -- Stephen Smalley National Security Agency From sds at epoch.ncsc.mil Wed Oct 27 17:26:35 2004 
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Wed, 27 Oct 2004 13:26:35 -0400 Subject: Truncated log entries In-Reply-To: <200410271724.i9RHOgRh003221@turing-police.cc.vt.edu> References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> <200410271724.i9RHOgRh003221@turing-police.cc.vt.edu> Message-ID: <1098897995.30470.167.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2004-10-27 at 13:24, Valdis.Kletnieks at vt.edu wrote: > Are you perchance on an SMP system (which includes a 1-CPU HT)? There's a few > race conditions when processes on both/multiple processors printk() at the same > time. Other possibility is a burst of traffic wrapped the kernel syslog buffer > before klogd read it. On recent kernels, you can tune how big the buffer is at > kernel build time with CONFIG_LOG_BUF_SHIFT (16 for a 64K buffer, 17 for 128K, > etc). SELinux was migrated from using printk to using the kernel audit framework developed by RedHat a while back. We started getting bug reports about truncated audit messages not long after... -- Stephen Smalley National Security Agency From selinux at gmail.com Wed Oct 27 17:54:49 2004 
From: selinux at gmail.com (Tom London)
Date: Wed, 27 Oct 2004 10:54:49 -0700
Subject: Truncated log entries
In-Reply-To: <1098897995.30470.167.camel@moss-spartans.epoch.ncsc.mil>
References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> <200410271724.i9RHOgRh003221@turing-police.cc.vt.edu> <1098897995.30470.167.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4c4ba153041027105421793d90@mail.gmail.com>

I get this problem on my simple little uniprocessor box....

I may be creating a pattern out of noise, but this problem appears to be weakly correlated with loading a new policy.

I spent a bit of time looking at the code to see if I could find a stale pointer in the audit interface. Didn't see anything...

Has anyone noticed this running the 'boot policy' (i.e., the same policy the system booted with)?

tom
-- 
Tom London

From sds at epoch.ncsc.mil Wed Oct 27 18:02:02 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Wed, 27 Oct 2004 14:02:02 -0400
Subject: Truncated log entries
In-Reply-To: <4c4ba153041027105421793d90@mail.gmail.com>
References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> <200410271724.i9RHOgRh003221@turing-police.cc.vt.edu> <1098897995.30470.167.camel@moss-spartans.epoch.ncsc.mil> <4c4ba153041027105421793d90@mail.gmail.com>
Message-ID: <1098900122.30470.208.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-10-27 at 13:54, Tom London wrote:
> I get this problem on my simple little uniprocessor box....
>
> I may be creating a pattern out of noise, but this problem
> appears to be weakly correlated with loading a new
> policy.
>
> I spent a bit of time looking at the code to see if I could find
> a stale pointer in the audit interface. Didn't see anything...
>
> Has anyone noticed this running the 'boot policy'
> (i.e., the same policy the system booted with)?

I actually haven't seen it recently at all, even after doing massive numbers of policy reloads at the same time as running tests while testing/debugging the RCU scalability work.

-- 
Stephen Smalley
National Security Agency

From broom at transcontinentaldirect.com Wed Oct 27 18:16:37 2004
From: broom at transcontinentaldirect.com (Barry Roomberg)
Date: Wed, 27 Oct 2004 14:16:37 -0400
Subject: Generic roles in selinux
Message-ID: <992869706CCB3842977776032647EA9B0115C44B@treexchange.ccgroupnet.com>

Either I'm very confused or my system is very broken.

When I add a new user to my system via the adduser script, they get tagged with "Generic" for their policy type.

When I examine (using seuser -X) the users, I see that all the Generics (there are a lot) have roles of sysadm_r, system_r, and user_r.

Which means to me that all these users can assume sysadm_r by executing the newrole command.

Is this appropriate? Shouldn't sysadm_r be reserved for administrators?

From russell at coker.com.au Wed Oct 27 18:29:33 2004
From: russell at coker.com.au (Russell Coker) Date: Thu, 28 Oct 2004 04:29:33 +1000 Subject: realplayer In-Reply-To: <1098888658.30470.147.camel@moss-spartans.epoch.ncsc.mil> References: <4c4ba153041022091353bf0e95@mail.gmail.com> <200410280039.52542.russell@coker.com.au> <1098888658.30470.147.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <200410280429.33207.russell@coker.com.au> On Thu, 28 Oct 2004 00:50, Stephen Smalley wrote: > On Wed, 2004-10-27 at 10:39, Russell Coker wrote: > > On Sat, 23 Oct 2004 02:13, Tom London wrote: > > > mmap2(NULL, 365, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission > > > denied) close(3) = 0 > > > --- SIGSEGV (Segmentation fault) @ 0 (0) --- > > > +++ killed by SIGSEGV +++ > > > > > > Is this related to the previously reported (and fixed, I thought) > > > mmap() problem? Something else? > > > > Looks like the mmap() problem. What kernel version are you running? > > Legacy binaries have their mmap(PROT_READ) requests translated to > PROT_READ|PROT_EXEC automatically by the kernel for backward > compatibility. Not an SELinux issue; SELinux is just checking > permissions based on what is being passed to it by the core kernel. So what is the solution? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From sds at epoch.ncsc.mil Wed Oct 27 18:27:54 2004 
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Wed, 27 Oct 2004 14:27:54 -0400 Subject: Generic roles in selinux In-Reply-To: <992869706CCB3842977776032647EA9B0115C44B@treexchange.ccgroupnet.com> References: <992869706CCB3842977776032647EA9B0115C44B@treexchange.ccgroupnet.com> Message-ID: <1098901674.30470.226.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2004-10-27 at 14:16, Barry Roomberg wrote: > Either I'm very confused or my system is very broken. > > When I add a new user to my system via the adduser script, they get > tagged > with "Generic" for their policy type. > > When I examine (using seuser -X) the users, I see that all the Generics > (there are a lot) have roles of sysadm_r, system_r, and user_r. > > Which means to me that all these users can assume sysadm_r by executing > the newrole command. > > Is this appropriate? Shouldn't sysadm_r be reserved for administrators? Disable the user_canbe_sysadm tunable in your policy (after authorizing yourself for staff_r), or update to the FC3 policy (even there, it isn't a bad idea to disable that tunable and explicitly authorize people for staff_r). -- Stephen Smalley National Security Agency From Valdis.Kletnieks at vt.edu Wed Oct 27 18:32:23 2004 
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 27 Oct 2004 14:32:23 -0400
Subject: Truncated log entries
In-Reply-To: Your message of "Wed, 27 Oct 2004 13:26:35 EDT." <1098897995.30470.167.camel@moss-spartans.epoch.ncsc.mil>
References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> <200410271724.i9RHOgRh003221@turing-police.cc.vt.edu> <1098897995.30470.167.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200410271832.i9RIWNqF028114@turing-police.cc.vt.edu>

On Wed, 27 Oct 2004 13:26:35 EDT, Stephen Smalley said:
> SELinux was migrated from using printk to using the kernel audit
> framework developed by RedHat a while back. We started getting bug
> reports about truncated audit messages not long after...

There's this code in kernel/audit.c, in audit_log_drain():

        if (!audit_pid) { /* No daemon */
                int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
                int len    = skb->len - offset;
                printk(KERN_ERR "%*.*s\n",
                       len, len, skb->data + offset);
        }

That len/offset look racy to me. It's called from audit_log_end_fast(), which checks for calls in IRQ context, but I'm not seeing where we do any SMP or PREEMPT locking.

From sds at epoch.ncsc.mil Wed Oct 27 18:30:16 2004
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Wed, 27 Oct 2004 14:30:16 -0400 Subject: realplayer In-Reply-To: <200410280429.33207.russell@coker.com.au> References: <4c4ba153041022091353bf0e95@mail.gmail.com> <200410280039.52542.russell@coker.com.au> <1098888658.30470.147.camel@moss-spartans.epoch.ncsc.mil> <200410280429.33207.russell@coker.com.au> Message-ID: <1098901815.30470.229.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2004-10-27 at 14:29, Russell Coker wrote: > > Legacy binaries have their mmap(PROT_READ) requests translated to > > PROT_READ|PROT_EXEC automatically by the kernel for backward > > compatibility. Not an SELinux issue; SELinux is just checking > > permissions based on what is being passed to it by the core kernel. > > So what is the solution? You might be able to use execstack -c to explicitly mark the legacy binary, or failing that, you have to rebuild it with a modern toolchain. -- Stephen Smalley National Security Agency From sds at epoch.ncsc.mil Wed Oct 27 18:34:57 2004 
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Wed, 27 Oct 2004 14:34:57 -0400 Subject: Truncated log entries In-Reply-To: <200410271832.i9RIWNqF028114@turing-police.cc.vt.edu> References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> <200410271724.i9RHOgRh003221@turing-police.cc.vt.edu> <1098897995.30470.167.camel@moss-spartans.epoch.ncsc.mil> <200410271832.i9RIWNqF028114@turing-police.cc.vt.edu> Message-ID: <1098902096.30470.232.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2004-10-27 at 14:32, Valdis.Kletnieks at vt.edu wrote: > There's this code in kernel/audit.c, in audit_log_drain(): > > if (!audit_pid) { /* No daemon */ > int offset = ab->nlh ? NLMSG_SPACE(0) : 0; > int len = skb->len - offset; > printk(KERN_ERR "%*.*s\n", > len, len, skb->data + offset); > } > > That len/offset look racy to me. It's called from audit_log_end_fast(), > which checks for calls in IRQ context, but I'm not seeing where we do any SMP > or PREEMPT locking. I think that's ok, as it is acting upon an audit buffer that was necessarily allocated by and only accessible to the same thread (by audit_log_start). -- Stephen Smalley National Security Agency From selinux at gmail.com Wed Oct 27 18:42:16 2004 
From: selinux at gmail.com (Tom London)
Date: Wed, 27 Oct 2004 11:42:16 -0700
Subject: realplayer
In-Reply-To: <1098901815.30470.229.camel@moss-spartans.epoch.ncsc.mil>
References: <4c4ba153041022091353bf0e95@mail.gmail.com> <200410280039.52542.russell@coker.com.au> <1098888658.30470.147.camel@moss-spartans.epoch.ncsc.mil> <200410280429.33207.russell@coker.com.au> <1098901815.30470.229.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4c4ba15304102711423bb5bd70@mail.gmail.com>

'execstack -c' didn't seem to work, at least on realplay.bin:

[root at fedora RealPlayer]# execstack -c realplay.bin
execstack: realplay.bin: Reshuffling of objects to make room for program header entry only supported for shared libraries
[root at fedora RealPlayer]# execstack -q realplay.bin
? realplay.bin
[root at fedora RealPlayer]#

Is the best we can do to flag this in the release notes, etc.?

tom
-- 
Tom London

From sds at epoch.ncsc.mil Wed Oct 27 18:59:20 2004
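The kernel behaviour Stephen describes is keyed off the ELF PT_GNU_STACK program header. A binary that carries one marked non-executable gets ordinary mmap() semantics; one with no such header (the "?" that execstack -q printed for realplay.bin) is treated as legacy, and on i386 kernels of that era runs with the READ_IMPLIES_EXEC personality, so every PROT_READ mapping reaches SELinux as PROT_READ|PROT_EXEC and is checked as an execute. The following added example, which is not code from this thread and not execstack itself, parses ELF32/ELF64 program headers to report the same X / - / ? verdict and to predict whether the mapping rewrite applies. The ELF images it checks are constructed in-line (headers only, no code) so it runs offline; the 2.6.9-era i386 rule it encodes is stated in the comment and is the one assumption beyond the ELF format.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551     # header a modern toolchain emits to declare stack permissions
PF_X = 0x1


def _phdrs(data):
    """Yield (p_type, p_flags) for every program header of an ELF32 or ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:                                   # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        for i in range(e_phnum):                        # p_type, p_flags open an Elf64_Phdr
            yield struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
    elif ei_class == 1:                                 # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        for i in range(e_phnum):                        # Elf32_Phdr keeps p_flags at offset 24
            off = e_phoff + i * e_phentsize
            (p_type,) = struct.unpack_from(end + "I", data, off)
            (p_flags,) = struct.unpack_from(end + "I", data, off + 24)
            yield p_type, p_flags
    else:
        raise ValueError("unknown ELF class %d" % ei_class)


def gnu_stack_status(data):
    """The verdict execstack -q prints: 'X' executable stack, '-' non-executable, '?' no PT_GNU_STACK."""
    for p_type, p_flags in _phdrs(data):
        if p_type == PT_GNU_STACK:
            return "X" if p_flags & PF_X else "-"
    return "?"


def read_implies_exec(data):
    """True if a 2.6.9-era i386 kernel would run this binary with READ_IMPLIES_EXEC, i.e.
    rewrite mmap(PROT_READ) to PROT_READ|PROT_EXEC before SELinux sees the request.
    Assumption encoded here: only an explicit non-executable PT_GNU_STACK ('-') disables it."""
    return gnu_stack_status(data) != "-"


def build_elf(phdrs, elf_class=2, little_endian=True):
    """Constructed minimal ELF image (headers only, no code) carrying the given (p_type, p_flags) list."""
    end = "<" if little_endian else ">"
    ident = ELF_MAGIC + bytes([elf_class, 1 if little_endian else 2, 1]) + b"\0" * 9
    if elf_class == 2:
        ehdr_fmt, phdr_fmt, machine = end + "16sHHIQQQIHHHHHH", end + "IIQQQQQQ", 62
        pack_phdr = lambda t, f: struct.pack(phdr_fmt, t, f, 0, 0, 0, 0, 0, 0)
    else:
        ehdr_fmt, phdr_fmt, machine = end + "16sHHIIIIIHHHHHH", end + "IIIIIIII", 3
        pack_phdr = lambda t, f: struct.pack(phdr_fmt, t, 0, 0, 0, 0, 0, f, 0)
    ehsize, phentsize = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    ehdr = struct.pack(ehdr_fmt, ident, 2, machine, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(pack_phdr(t, f) for t, f in phdrs)


# Constructed stand-ins: a toolchain-marked binary and a legacy one with no marking, like realplay.bin.
MODERN_BIN = build_elf([(PT_LOAD, 5), (PT_GNU_STACK, 6)])
LEGACY_BIN = build_elf([(PT_LOAD, 5)])

if __name__ == "__main__":
    for name, image in (("modern", MODERN_BIN), ("legacy", LEGACY_BIN)):
        print(f"{gnu_stack_status(image)} {name}  read_implies_exec={read_implies_exec(image)}")
```

Pointed at a real file (open it in binary mode and pass the bytes), a "?" result is the signal that an mmap EACCES under SELinux is the compatibility rewrite rather than a policy bug, and that the fix is the one Stephen gives: a toolchain that emits PT_GNU_STACK, or a dedicated domain with wider execute access.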
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Wed, 27 Oct 2004 14:59:20 -0400
Subject: realplayer
In-Reply-To: <4c4ba15304102711423bb5bd70@mail.gmail.com>
References: <4c4ba153041022091353bf0e95@mail.gmail.com> <200410280039.52542.russell@coker.com.au> <1098888658.30470.147.camel@moss-spartans.epoch.ncsc.mil> <200410280429.33207.russell@coker.com.au> <1098901815.30470.229.camel@moss-spartans.epoch.ncsc.mil> <4c4ba15304102711423bb5bd70@mail.gmail.com>
Message-ID: <1098903560.30470.252.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-10-27 at 14:42, Tom London wrote:
> 'execstack -c' didn't seem to work, at least on realplay.bin:
> [root at fedora RealPlayer]# execstack -c realplay.bin
> execstack: realplay.bin: Reshuffling of objects to make room for
> program header entry only supported for shared libraries
> [root at fedora RealPlayer]# execstack -q realplay.bin
> ? realplay.bin
> [root at fedora RealPlayer]#
>
> Is the best we can do to flag this in the
> release notes, etc.?

Probably. Or ask the provider to rebuild it with a modern toolchain. One could write a simple domain for such legacy binaries that allows wider execute access for them.

-- 
Stephen Smalley
National Security Agency

From broom at transcontinentaldirect.com Thu Oct 28 04:40:51 2004
From: broom at transcontinentaldirect.com (Barry Roomberg)
Date: Thu, 28 Oct 2004 00:40:51 -0400
Subject: Version change failure
Message-ID: <992869706CCB3842977776032647EA9B0115C475@treexchange.ccgroupnet.com>

I've just updated (via yum) a newly installed fedora box.

It thinks my policy should be version 18.

But my make load produced 17.

Ooops.

What do I need to do to synchronize them?

From sds at epoch.ncsc.mil Thu Oct 28 12:28:20 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 28 Oct 2004 08:28:20 -0400
Subject: Version change failure
In-Reply-To: <992869706CCB3842977776032647EA9B0115C475@treexchange.ccgroupnet.com>
References: <992869706CCB3842977776032647EA9B0115C475@treexchange.ccgroupnet.com>
Message-ID: <1098966500.6211.25.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-10-28 at 00:40, Barry Roomberg wrote:
> I've just updated (via yum) a newly installed fedora box.
>
> It thinks my policy should be version 18.
>
> But my make load produced 17.
>
> Ooops.
>
> What do I need to do to synchronize them?

You can work around this problem by patching your policy Makefile to load the policy version it just built rather than the one the kernel is requesting. A corresponding patch for our policy Makefile is below, but you will likely have to apply it by hand as it has diverged from the FC2 one. Newer kernels do accept older policy versions for backward compatibility. But you would likely do better to just install FC3 at this point, switch to strict policy, relabel, and reboot, as SELinux support in FC2 seems to be stale and unmaintained (not entirely surprising, since SELinux was disabled by default in it, unlike FC3).

Index: policy/Makefile =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/Makefile,v retrieving revision 1.54 diff -u -r1.54 Makefile --- policy/Makefile 6 Oct 2004 20:15:11 -0000 1.54 +++ policy/Makefile 14 Oct 2004 17:30:44 -0000 @@ -106,7 +106,7 @@ $(SETFILES) -q -c $(POLICYVER) $(FC) reload tmp/load: install - $(LOADPOLICY) $(POLICYPATH)/policy.`cat /selinux/policyvers` + $(LOADPOLICY) $(LOADPATH) touch tmp/load load: tmp/load

-- 
Stephen Smalley
National Security Agency

From broom at transcontinentaldirect.com Thu Oct 28 16:14:00 2004
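Review bot: $(LOADPATH) is used in the new tmp/load recipe but is not defined anywhere in this hunk, so on a Makefile that lacks that variable (which is likely for the FC2 one the message says must be patched by hand) `$(LOADPOLICY) $(LOADPATH)` expands to a bare `load_policy` with no file argument. Define it beside the $(POLICYVER) that the unchanged setfiles context line already uses, e.g. `LOADPATH = $(POLICYPATH)/policy.$(POLICYVER)`, so the target loads the version that was just built rather than the one /selinux/policyvers reports, which is the stated intent of the change.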
From: broom at transcontinentaldirect.com (Barry Roomberg)
Date: Thu, 28 Oct 2004 12:14:00 -0400
Subject: Truncated log entries
Message-ID: <992869706CCB3842977776032647EA9B0115C4AD@treexchange.ccgroupnet.com>

Single CPU box. No multi-threading.

But ignore this for now, since I need to go to FC 3 anyway.

From selinux at gmail.com Fri Oct 29 14:31:56 2004
From: selinux at gmail.com (Tom London)
Date: Fri, 29 Oct 2004 07:31:56 -0700
Subject: ldconfig, /etc/ld.so.cache and prelink ?
Message-ID: <4c4ba153041029073169fb430d@mail.gmail.com>

Running strict/enforcing off of Rawhide.

While doing today's rawhide installs (yum), I monitored the label of /etc/ld.so.cache via
    ls -lZ /etc/ld.so.cache

Several times during the installation of packages, the label of this file changed from
    system_u:object_r:ld_so_cache_t
to
    root:object_r:ld_so_cache_t
[OK, I think]
or to
    root:object_r:etc_t
[Not OK, I think]

Each time it changed to etc_t, I ran
    restorecon -vv /etc/ld.so.cache
a few seconds later and got the typical
    restorecon reset context /etc/ld.so.cache->system_u:object_r:ld_so_cache_t

I'm guessing that when a package updates /etc/ld.so.cache, it may leave the label in a funny state, presuming that yum will fix it at the end.

Does this explain the 'intermittent' prelink error messages generated during package installations?

tom
-- 
Tom London

From dwalsh at redhat.com Fri Oct 29 14:44:01 2004
From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 29 Oct 2004 10:44:01 -0400 Subject: ldconfig, /etc/ld.so.cache and prelink ? In-Reply-To: <4c4ba153041029073169fb430d@mail.gmail.com> References: <4c4ba153041029073169fb430d@mail.gmail.com> Message-ID: <41825731.2060308@redhat.com> Tom London wrote: >Running strict/enforcing off of Rawhide. > >While doing today's rawhide installs (yum), >I monitored the label of /etc/ld.so.cache via > ls -lZ /etc/ld.so.cache > >Several times during the installation of packages, >the label of this file changed from > system_u:object_r:ld_so_cache_t >to > root:object_r:ld_so_cache_t >[OK, I think] >or to > root:object_r:etc_t >[Not OK, I think] > >Each time it changed to etc_t, I ran > restorecon -vv /etc/ld.so.cache >a few seconds later and got the typical > restorecon reset context /etc/ld.so.cache->system_u:object_r:ld_so_cache_t > >I'm guessing that when a package updates >/etc/ld.so.cache, it may leave the label >in a funny state, presuming that yum >will fix it at the end. > >Does this explain the 'intermittant' prelink >error messages generated during package installations? > >tom > > There is a bug in rpm that will be fixed after FC3 ships. Basically RPM sets the default context of any execed script to be rpm_script_t. This works fine for most applications because the post install scripts run in a shell and process transitions work properly. The problem is that in certain situations rpm exec ldconfig which also runs in rpm_script_t, as opposed to ldconfig_t. As such it does not have the rules to create the ld_so_cache_t correctly. In order to fix this problem we have added a new library function to libselinux rpm_exec. This function will take a command and figure out if it should run under a specific context (ldconfig_t) or just execute it under rpm_exec_t. Dan From sds at epoch.ncsc.mil Fri Oct 29 14:46:43 2004 
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 29 Oct 2004 10:46:43 -0400
Subject: ldconfig, /etc/ld.so.cache and prelink ?
In-Reply-To: <4c4ba153041029073169fb430d@mail.gmail.com>
References: <4c4ba153041029073169fb430d@mail.gmail.com>
Message-ID: <1099061203.19703.138.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-10-29 at 10:31, Tom London wrote:
> Running strict/enforcing off of Rawhide.
>
> While doing today's rawhide installs (yum),
> I monitored the label of /etc/ld.so.cache via
> ls -lZ /etc/ld.so.cache
>
> Several times during the installation of packages,
> the label of this file changed from
> system_u:object_r:ld_so_cache_t
> to
> root:object_r:ld_so_cache_t
> [OK, I think]
> or to
> root:object_r:etc_t
> [Not OK, I think]
>
> Each time it changed to etc_t, I ran
> restorecon -vv /etc/ld.so.cache
> a few seconds later and got the typical
> restorecon reset context /etc/ld.so.cache->system_u:object_r:ld_so_cache_t
>
> I'm guessing that when a package updates
> /etc/ld.so.cache, it may leave the label
> in a funny state, presuming that yum
> will fix it at the end.
>
> Does this explain the 'intermittent' prelink
> error messages generated during package installations?

The problem is that ldconfig is presently being run in rpm_script_t rather than ldconfig_t, and thus /etc/ld.so.cache is not being labeled properly when it is re-created by ldconfig. ldconfig is run from %post as a helper. I provided a rpm_execcon() libselinux function to avoid this problem, but it isn't included in Fedora yet.

History of the problem is:
1) Originally, rpm only ran /bin/sh helpers in rpm_script_t; all others ran with default transitions, so ldconfig ran in ldconfig_t (as desired) but glibc_post_upgrade ran in rpm_t (and this ultimately led to sshd being run in rpm_t upon the /etc/init.d/sshd condrestart).
2) rpm was changed to run all helpers in rpm_script_t to avoid the glibc_post_upgrade problem.
3) ldconfig is now being run in rpm_script_t. Oops.
4) I created a rpm_execcon function that checks for a default transition for the helper and only sets explicitly to rpm_script_t if no automatic transition is defined. This puts ldconfig into ldconfig_t as desired and everything else in rpm_script_t.

-- 
Stephen Smalley
National Security Agency

From selinux at gmail.com Fri Oct 29 16:53:37 2004
From: selinux at gmail.com (Tom London)
Date: Fri, 29 Oct 2004 09:53:37 -0700
Subject: hwbrowser
Message-ID: <4c4ba15304102909536278b269@mail.gmail.com>

Just happened to notice this running strict/enforcing:

hwbrowser produces the following avcs, and doesn't display anything for 'Hard Drives' (sorry, got hit with the truncated avc message...):

[Does it really need write access to fixed_device_t?]

tom

Oct 29 09:45:17 fedora kernel: audit(1099068317.291:0): avc: denied { write } for pid=14626 exe=/bin/bash path=pipe:[51083] dev=pipefs ino=51083 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:xdm_t tclass=fifo_file
Oct 29 09:45:17 fedora kernel: audit(1099068317.291:0): avc: denied { write } for pid=14626 exe=/bin/bash path=pipe:[51083] dev=pipefs ino=51083 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:xdm_t tclass=fifo_file
Oct 29 09:45:18 fedora kernel: audit(1099068318.321:0): avc: denied { unix_read unix_write } for pid=3299 exe=/usr/X11R6/bin/Xorg
Oct 29 09:45:19 fedora kernel: audit(1099068319.206:0): avc: denied { read write } for pid=14627 exe=/usr/bin/python name=hda dev=tmpfs ino=1024 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
Oct 29 09:45:19 fedora kernel: audit(1099068319.208:0): avc: denied { read } for pid=14627 exe=/usr/bin/python name=hda dev=tmpfs ino=1024 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
-- 
Tom London

From selinux at gmail.com Fri Oct 29 16:55:42 2004
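Dan's description of the new libselinux call and Stephen's step 4 in the ldconfig thread above describe the same decision: ask the policy what context the helper would get on an ordinary execve, and force rpm_script_t only when the answer is "no change". The following added example, which is neither libselinux's rpm_execcon() nor rpm's own code, models that decision in Python against a constructed two-rule policy excerpt and a four-line file_contexts table (both assumptions for illustration, not Fedora's real files), and puts the three historical behaviours side by side so that the ldconfig regression of step 3 and the glibc_post_upgrade/sshd problem of step 1 are both visible. The matchpathcon and security_compute_create functions here are toy stand-ins named after the libselinux calls they imitate.

```python
import re

RPM_T = "system_u:system_r:rpm_t"
FALLBACK_TYPE = "rpm_script_t"

# Constructed excerpts for this example; not the real Fedora policy or file_contexts.
TYPE_TRANSITIONS = """
type_transition rpm_t ldconfig_exec_t : process ldconfig_t;
type_transition initrc_t sshd_exec_t : process sshd_t;
"""
FILE_CONTEXTS = """
/sbin/ldconfig                --  system_u:object_r:ldconfig_exec_t
/bin/(ba)?sh                  --  system_u:object_r:shell_exec_t
/usr/sbin/glibc_post_upgrade  --  system_u:object_r:bin_t
/usr/sbin/sshd                --  system_u:object_r:sshd_exec_t
"""

TT_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;")


def parse_type_transitions(text):
    """{(source type, target type, class): result type} from type_transition rules."""
    return {(s, t, c): r for s, t, c, r in TT_RE.findall(text)}


def parse_file_contexts(text):
    """[(compiled path regex, context)] in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            regex, _ftype, ctx = parts
            specs.append((re.compile(regex + "$"), ctx))
    return specs


def matchpathcon(path, specs):
    """Toy stand-in for libselinux matchpathcon(): the last matching file_contexts line wins."""
    ctx = None
    for regex, c in specs:
        if regex.match(path):
            ctx = c
    if ctx is None:
        raise LookupError("no file_contexts entry for " + path)
    return ctx


def split_context(ctx):
    user, role, ctype = ctx.split(":")[:3]
    return user, role, ctype


def security_compute_create(scon, tcon, tclass, rules):
    """Toy stand-in for the kernel's default-label computation on execve:
    user and role are kept, the type follows a type_transition rule or stays the same."""
    user, role, stype = split_context(scon)
    _, _, ttype = split_context(tcon)
    return f"{user}:{role}:{rules.get((stype, ttype, tclass), stype)}"


def rpm_execcon(helper, cur_con=RPM_T, rules=None, specs=None):
    """Step 4: prefer the policy's own transition; force rpm_script_t only when the policy has none."""
    rules = parse_type_transitions(TYPE_TRANSITIONS) if rules is None else rules
    specs = parse_file_contexts(FILE_CONTEXTS) if specs is None else specs
    computed = security_compute_create(cur_con, matchpathcon(helper, specs), "process", rules)
    if computed != cur_con:
        return computed                       # the kernel will transition on execve by itself
    user, role, _ = split_context(cur_con)
    return f"{user}:{role}:{FALLBACK_TYPE}"  # what setexeccon() would request before execve


def rpm_v1_execcon(helper, cur_con=RPM_T):
    """Step 1: only /bin/sh helpers were forced into rpm_script_t; everything else got the default
    transition, which for an unlabeled-looking helper like glibc_post_upgrade meant staying in rpm_t."""
    rules = parse_type_transitions(TYPE_TRANSITIONS)
    specs = parse_file_contexts(FILE_CONTEXTS)
    filecon = matchpathcon(helper, specs)
    if filecon.endswith(":shell_exec_t"):
        user, role, _ = split_context(cur_con)
        return f"{user}:{role}:{FALLBACK_TYPE}"
    return security_compute_create(cur_con, filecon, "process", rules)


def rpm_v2_execcon(helper, cur_con=RPM_T):
    """Step 2: every helper forced into rpm_script_t, which is how ldconfig lost ldconfig_t (step 3)."""
    user, role, _ = split_context(cur_con)
    return f"{user}:{role}:{FALLBACK_TYPE}"


if __name__ == "__main__":
    for helper in ("/sbin/ldconfig", "/usr/sbin/glibc_post_upgrade", "/bin/sh"):
        print(f"{helper:30} v1={rpm_v1_execcon(helper)}  v2={rpm_v2_execcon(helper)}  "
              f"rpm_execcon={rpm_execcon(helper)}")
```

The point the model makes visible: an explicit setexeccon() overrides whatever type_transition the policy author wrote, so a caller that always sets one silently discards every domain the policy intended for its helpers, while a caller that sets one only when the policy is silent keeps both the ldconfig_t labelling of /etc/ld.so.cache and the confinement of scripts that would otherwise stay in rpm_t.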
From: selinux at gmail.com (Tom London) Date: Fri, 29 Oct 2004 09:55:42 -0700 Subject: Truncated log entries In-Reply-To: <1098902096.30470.232.camel@moss-spartans.epoch.ncsc.mil> References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> <200410271724.i9RHOgRh003221@turing-police.cc.vt.edu> <1098897995.30470.167.camel@moss-spartans.epoch.ncsc.mil> <200410271832.i9RIWNqF028114@turing-police.cc.vt.edu> <1098902096.30470.232.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4c4ba15304102909553e0c8a2f@mail.gmail.com> OK.... answered my own question: This is NOT connected with loading new policies. I just got it running the 'boot policy'. tom -- Tom London From walters at redhat.com Fri Oct 29 17:03:16 2004 From: walters at redhat.com (Colin Walters) Date: Fri, 29 Oct 2004 13:03:16 -0400 Subject: hwbrowser In-Reply-To: <4c4ba15304102909536278b269@mail.gmail.com> References: <4c4ba15304102909536278b269@mail.gmail.com> Message-ID: <1099069396.17521.8.camel@decepticon.boston.redhat.com> On Fri, 2004-10-29 at 09:53 -0700, Tom London wrote: > Just happen to notice this running strict/enforcing: > > hwbrowser produces the following avcs, and doesn't > display anything for 'Hard Drives' (sorry, got hit > with the truncated avc message...): We meant to kill hwbrowser; its functionality is subsumed by hal-device-manager (which itself has a bug that it needs to be moved to /usr/bin...). From dwalsh at redhat.com Fri Oct 29 17:04:43 2004 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 29 Oct 2004 13:04:43 -0400
Subject: hwbrowser
In-Reply-To: <1099069396.17521.8.camel@decepticon.boston.redhat.com>
References: <4c4ba15304102909536278b269@mail.gmail.com> <1099069396.17521.8.camel@decepticon.boston.redhat.com>
Message-ID: <4182782B.6030901@redhat.com>

Colin Walters wrote:
>On Fri, 2004-10-29 at 09:53 -0700, Tom London wrote:
>>Just happen to notice this running strict/enforcing:
>>
>>hwbrowser produces the following avcs, and doesn't
>>display anything for 'Hard Drives' (sorry, got hit
>>with the truncated avc message...):
>
>We meant to kill hwbrowser; its functionality is subsumed by
>hal-device-manager (which itself has a bug that it needs to be moved
>to /usr/bin...).
>

One nice thing is that it causes the audit problem to happen every time.

Dan

From dwalsh at redhat.com Fri Oct 29 17:06:35 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 29 Oct 2004 13:06:35 -0400
Subject: hwbrowser
In-Reply-To: <4182782B.6030901@redhat.com>
References: <4c4ba15304102909536278b269@mail.gmail.com> <1099069396.17521.8.camel@decepticon.boston.redhat.com> <4182782B.6030901@redhat.com>
Message-ID: <4182789B.4010800@redhat.com>

> echo > /var/log/mesages
> hwbrowser
> more /var/log/messages

Oct 29 13:00:23 localhost kernel: audit(1099069223.384:0): avc: denied { unix_read unix_write } for pid=23286 exe=/usr/X11R6/bin/Xorg
Oct 29 13:00:25 localhost kernel: audit(1099069225.084:0): avc: denied { create } for pid=10483 exe=/usr/bin/python name=tmpdev-10483 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:tmp_t tclass=chr_file
Oct 29 13:00:25 localhost kernel: audit(1099069225.207:0): avc: denied { read write } for pid=10483 exe=/usr/bin/python name=hda dev=tmpfs ino=1105 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
Oct 29 13:00:25 localhost kernel: audit(1099069225.208:0): avc: denied { read } for pid=10483 exe=/usr/bin/python name=hda dev=tmpfs ino=1105 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
Oct 29 13:01:01 localhost crond(pam_unix)[10492]: session opened for user root by (uid=0)
Oct 29 13:01:01 localhost crond(pam_unix)[10492]: session closed for user root

From sds at epoch.ncsc.mil Fri Oct 29 17:38:16 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 29 Oct 2004 13:38:16 -0400
Subject: Truncated log entries
In-Reply-To: <1099066681.21971.25.camel@redrum.boston.redhat.com>
References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> <1098897877.30470.165.camel@moss-spartans.epoch.ncsc.mil> <1099066681.21971.25.camel@redrum.boston.redhat.com>
Message-ID: <1099071496.19703.173.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-10-29 at 12:18, Peter Martuccelli wrote:
> I want to verify that people have only seen this issue on SMP systems.
>
> I can work with Dan on getting a test together to try and reproduce the
> problem.

A couple of people have reported it on UP as well.

-- 
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Fri Oct 29 17:43:46 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 29 Oct 2004 13:43:46 -0400
Subject: hwbrowser
In-Reply-To: <4182789B.4010800@redhat.com>
References: <4c4ba15304102909536278b269@mail.gmail.com> <1099069396.17521.8.camel@decepticon.boston.redhat.com> <4182782B.6030901@redhat.com> <4182789B.4010800@redhat.com>
Message-ID: <1099071826.19703.179.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-10-29 at 13:06, Daniel J Walsh wrote:
> Oct 29 13:00:23 localhost kernel:
>
> audit(1099069223.384:0): avc: denied { unix_read unix_write } for
> pid=23286 exe=/usr/X11R6/bin/Xorg

Hmmm...I don't see this behavior upon running hwbrowser on FC3/rc1
(kernel 2.6.9-1.640) here.

-- 
Stephen Smalley
National Security Agency

From selinux at gmail.com Fri Oct 29 17:53:51 2004
From: selinux at gmail.com (Tom London)
Date: Fri, 29 Oct 2004 10:53:51 -0700
Subject: Truncated log entries
In-Reply-To: <1099071496.19703.173.camel@moss-spartans.epoch.ncsc.mil>
References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> <1098897877.30470.165.camel@moss-spartans.epoch.ncsc.mil> <1099066681.21971.25.camel@redrum.boston.redhat.com> <1099071496.19703.173.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4c4ba15304102910536489789f@mail.gmail.com>

Yeah, me, for example! Running on UP, no hyper, etc.

tom
-- 
Tom London

From dwalsh at redhat.com Fri Oct 29 17:54:53 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 29 Oct 2004 13:54:53 -0400
Subject: hwbrowser
In-Reply-To: <1099071826.19703.179.camel@moss-spartans.epoch.ncsc.mil>
References: <4c4ba15304102909536278b269@mail.gmail.com> <1099069396.17521.8.camel@decepticon.boston.redhat.com> <4182782B.6030901@redhat.com> <4182789B.4010800@redhat.com> <1099071826.19703.179.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <418283ED.4040901@redhat.com>

Stephen Smalley wrote:
>On Fri, 2004-10-29 at 13:06, Daniel J Walsh wrote:
>>Oct 29 13:00:23 localhost kernel:
>>
>>audit(1099069223.384:0): avc: denied { unix_read unix_write } for
>>pid=23286 exe=/usr/X11R6/bin/Xorg
>
>Hmmm...I don't see this behavior upon running hwbrowser on FC3/rc1
>(kernel 2.6.9-1.640) here.
>

I am running 2.6.9-1.643 on a laptop.

Happens every time.

lsmod shows

From sds at epoch.ncsc.mil Fri Oct 29 18:23:13 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 29 Oct 2004 14:23:13 -0400
Subject: hwbrowser
In-Reply-To: <418283ED.4040901@redhat.com>
References: <4c4ba15304102909536278b269@mail.gmail.com> <1099069396.17521.8.camel@decepticon.boston.redhat.com> <4182782B.6030901@redhat.com> <4182789B.4010800@redhat.com> <1099071826.19703.179.camel@moss-spartans.epoch.ncsc.mil> <418283ED.4040901@redhat.com>
Message-ID: <1099074193.19703.202.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-10-29 at 13:54, Daniel J Walsh wrote:
> I am running 2.6.9-1.643 on a laptop.
>
> Happens every time.

Hmm...updated to 1.643, rebooted, ran hwbrowser. Still no truncated
audit messages.

As I said earlier, seems difficult to reproduce reliably. If you reboot
the laptop, does it still occur? Or did you have to run it a while
before it started doing this?

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Fri Oct 29 18:53:02 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 29 Oct 2004 14:53:02 -0400
Subject: hwbrowser
In-Reply-To: <1099074193.19703.202.camel@moss-spartans.epoch.ncsc.mil>
References: <4c4ba15304102909536278b269@mail.gmail.com> <1099069396.17521.8.camel@decepticon.boston.redhat.com> <4182782B.6030901@redhat.com> <4182789B.4010800@redhat.com> <1099071826.19703.179.camel@moss-spartans.epoch.ncsc.mil> <418283ED.4040901@redhat.com> <1099074193.19703.202.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4182918E.5000908@redhat.com>

Stephen Smalley wrote:
>On Fri, 2004-10-29 at 13:54, Daniel J Walsh wrote:
>>I am running 2.6.9-1.643 on a laptop.
>>
>>Happens every time.
>
>Hmm...updated to 1.643, rebooted, ran hwbrowser. Still no truncated
>audit messages.
>
>As I said earlier, seems difficult to reproduce reliably. If you reboot
>the laptop, does it still occur? Or did you have to run it a while
>before it started doing this?
>

Yes went away on reboot, now hwbrowser and hal_device_manager seem to
work. Could be something to do with doing lots of policy reloads, I have
been doing a lot of policy development on this laptop.

Dan

From peterm at redhat.com Fri Oct 29 16:18:03 2004
From: peterm at redhat.com (Peter Martuccelli)
Date: Fri, 29 Oct 2004 12:18:03 -0400
Subject: Truncated log entries
In-Reply-To: <1098897877.30470.165.camel@moss-spartans.epoch.ncsc.mil>
References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> <1098897877.30470.165.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1099066681.21971.25.camel@redrum.boston.redhat.com>

On Wed, 2004-10-27 at 13:24, Stephen Smalley wrote:
> On Wed, 2004-10-27 at 13:13, Barry Roomberg wrote:
> > I'm running Fedora Core 2 Kernel: 2.6.5-1.358
> > I'm logging activity in a directory (thanks Stephen).
> >
> > I occasionally get what look like to be truncated log entries such as:
> >
> > Oct 27 11:24:21 mstoppel1 kernel: audit(1098890661.257:8894633):
> > avc: granted { read } for pid=17834 exed=500 fsuid=500 egid=500
> > sgid=500 fsgid=500
> >
> > "exed=500" ???
> >
> > also:
> > Oct 27 11:26:47 mstoppel1 kernel: =500 fsgid=500
> >
> >
> > Any idea why? They are rare and interspersed with good entries.
>
> /me guesses that the kernel audit framework isn't SMP-safe. Is anyone
> at RedHat looking into this? It was already bugzilla'd by Tom London.

I want to verify that people have only seen this issue on SMP systems.

I can work with Dan on getting a test together to try and reproduce the
problem.

Regards,
Peter

From selinux at gmail.com Fri Oct 29 19:40:21 2004
From: selinux at gmail.com (Tom London)
Date: Fri, 29 Oct 2004 12:40:21 -0700
Subject: hwbrowser
In-Reply-To: <4182918E.5000908@redhat.com>
References: <4c4ba15304102909536278b269@mail.gmail.com> <1099069396.17521.8.camel@decepticon.boston.redhat.com> <4182782B.6030901@redhat.com> <4182789B.4010800@redhat.com> <1099071826.19703.179.camel@moss-spartans.epoch.ncsc.mil> <418283ED.4040901@redhat.com> <1099074193.19703.202.camel@moss-spartans.epoch.ncsc.mil> <4182918E.5000908@redhat.com>
Message-ID: <4c4ba15304102912405cd43d48@mail.gmail.com>

Happened on my system, but not every time.

[and I'm running the 'boot policy'].

tom

From Valdis.Kletnieks at vt.edu Fri Oct 29 21:01:47 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 29 Oct 2004 17:01:47 -0400
Subject: Truncated log entries
In-Reply-To: Your message of "Fri, 29 Oct 2004 12:18:03 EDT." <1099066681.21971.25.camel@redrum.boston.redhat.com>
References: <992869706CCB3842977776032647EA9B0115C445@treexchange.ccgroupnet.com> <1098897877.30470.165.camel@moss-spartans.epoch.ncsc.mil> <1099066681.21971.25.camel@redrum.boston.redhat.com>
Message-ID: <200410292101.i9TL1lwK017423@turing-police.cc.vt.edu>

On Fri, 29 Oct 2004 12:18:03 EDT, Peter Martuccelli said:
> > /me guesses that the kernel audit framework isn't SMP-safe. Is anyone
> > at RedHat looking into this? It was already bugzilla'd by Tom London.
>
> I want to verify that people have only seen this issue on SMP systems.
>
> I can work with Dan on getting a test together to try and reproduce the
> problem.

Possibly a variant issue, often seen on my laptop (is a UP with Ingo
Molnar's VP patches and PREEMPT defined). Lots of leading blanks. Always
show up in pairs, one with 115-120 blanks, followed by a second that has
15-25 more blanks. Both messages are always truncated after the exe=
field.

Oct 19 09:25:28 turing-police kernel: audit(1098192328.373:0): avc: denied { unlink } for pid=3110 exe=/sbin/ldconfig name= ld.so.cache dev=dm-5 ino=24601 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:etc_t tclass=file
Oct 19 09:25:28 turing-police kernel: audit(1098192328.986:0): avc: denied { search } for pid=15579 exe=/usr/bin/dbus-daemo n-1
Oct 19 09:25:28 turing-police kernel: audit(1098192328.986:0): avc: denied { write } for pid=15579 exe=/usr/ bin/dbus-daemon-1

Those were 3 consecutive messages out of the kernel. Might be the issue
is 'SMP or PREEMPT'.

Two more examples from that day...

Oct 19 09:59:03 turing-police crond(pam_unix)[13653]: session opened for user dshield by (uid=0)
Oct 19 09:59:03 turing-police kernel: audit(1098194343.340:0): avc: denied { search } for pid=30651 exe=/usr/sbin/crond
Oct 19 09:59:03 turing-police kernel: audit(1098194343.340:0): avc: denied { write } for pid=30651 exe=/usr/sbin/crond
...
Oct 19 10:19:37 turing-police ntpd[30628]: sendto(198.82.1.204): Invalid argument
Oct 19 10:20:18 turing-police kernel: audit(1098195618.634:0): avc: denied { search } for pid=21753 exe=/usr/sbin/smartd
Oct 19 10:20:18 turing-police kernel: audit(1098195618.923:0): avc: denied { write } for pid=21753 exe=/usr/sbin/smartd

From kmacmillan at tresys.com Fri Oct 29 22:01:47 2004
From: kmacmillan at tresys.com (Karl MacMillan)
Date: Fri, 29 Oct 2004 18:01:47 -0400
Subject: ANN: Setools 1.5 released
Message-ID: <1099087307.23756.33.camel@pham.columbia.tresys.com>

A new version of setools is available from http://www.tresys.com/selinux/.
This is a major release with several new features including:

- Additional options for domain transition analysis to filter the results
  based on the access privileges of the target domain.
- A new tool (seaudit-report) for creating reports from SELinux log
  messages. This tool is highly configurable and can effectively integrate
  with the LogWatch application for automating SE Linux audit log reporting.
- Seaudit can now export filtered log messages.
- A pair of new tools (indexcon and searchcon) for creating and searching a
  snapshot of the filesystem on an SELinux system. Searchcon allows
  efficient searching based on path, type, user, and/or object class. This
  tool will be expanded and integrated with Apol in the future.
- Numerous bug fixes to all of the tools.

-- 
Karl MacMillan
Tresys Technology
kmacmillan at tresys.com
http://www.tresys.com
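Relating to the "Truncated log entries" thread above (Barry's "exed=500" record and its orphaned "=500 fsgid=500" tail, the entries cut off right after exe=, and Valdis's runs of leading blanks), the script below is an added triage example, not code from any poster or from setools: it parses syslog avc lines into fields and flags records that are damaged, so they can be separated from genuine denials before anyone acts on them. The set of known field keys is an assumption (the keys seen in this thread plus the uid/gid family); the sample lines are taken from or modelled on messages in the thread, with the padded one constructed.

```python
import re
from dataclasses import dataclass, field

# Sample syslog lines taken from or modelled on reports in this thread; the
# third is constructed with 20 blanks before audit() to mimic the padded
# entries Valdis described (the archive collapsed the real ones).
SAMPLE_LINES = [
    "Oct 29 09:45:19 fedora kernel: audit(1099068319.206:0): avc: denied { read write } for pid=14627 exe=/usr/bin/python name=hda dev=tmpfs ino=1024 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file",
    "Oct 29 09:45:18 fedora kernel: audit(1099068318.321:0): avc: denied { unix_read unix_write } for pid=3299 exe=/usr/X11R6/bin/Xorg",
    "Oct 19 09:25:28 turing-police kernel:" + " " * 20 + "audit(1098192328.986:0): avc: denied { search } for pid=15579 exe=/usr/bin/dbus-daemon-1",
    "Oct 27 11:24:21 mstoppel1 kernel: audit(1098890661.257:8894633): avc: granted { read } for pid=17834 exed=500 fsuid=500 egid=500 sgid=500 fsgid=500",
    "Oct 27 11:26:47 mstoppel1 kernel: =500 fsgid=500",
    "Oct 29 13:01:01 localhost crond(pam_unix)[10492]: session opened for user root by (uid=0)",
]

AVC_RE = re.compile(r"kernel:(?P<pad>\s*)audit\([\d.]+:\d+\): avc: "
                    r"(?P<verdict>denied|granted) \{ (?P<perms>[^}]*)\} for (?P<rest>.*)$")
FRAGMENT_RE = re.compile(r"kernel:\s*=\S*")   # tail of a record whose head was lost
KV_RE = re.compile(r"(\w+)=(\S*)")
# Assumed key set: the keys seen in this thread plus the uid/gid family.
KNOWN_KEYS = {"pid", "exe", "path", "name", "dev", "ino", "scontext", "tcontext",
              "tclass", "uid", "gid", "euid", "egid", "suid", "sgid", "fsuid", "fsgid"}
REQUIRED = ("pid", "scontext", "tcontext", "tclass")   # present in every intact record

@dataclass
class AvcRecord:
    verdict: str = ""
    perms: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)
    extra_blanks: int = 0            # blanks before audit() beyond the usual one
    problems: list = field(default_factory=list)   # empty means the record is intact

def parse_avc_line(line):
    """Parse one syslog line into an AvcRecord; None if it is not an avc line."""
    if "audit(" not in line and FRAGMENT_RE.search(line):
        return AvcRecord(problems=["orphan fragment: no audit() header"])
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = AvcRecord(m.group("verdict"), m.group("perms").split(),
                    extra_blanks=len(m.group("pad")) - 1)
    for key, val in KV_RE.findall(m.group("rest")):
        rec.fields[key] = val
        if key not in KNOWN_KEYS:         # e.g. Barry's "exed=500"
            rec.problems.append(f"unknown key {key!r}")
    missing = [k for k in REQUIRED if k not in rec.fields]
    if missing:                           # cut off after exe=, as in the thread
        rec.problems.append("missing " + ",".join(missing))
    if rec.extra_blanks > 0:
        rec.problems.append(f"{rec.extra_blanks} extra leading blanks")
    return rec

def scan(lines):
    """Split avc records into (intact, damaged); non-avc lines are dropped."""
    recs = [r for r in map(parse_avc_line, lines) if r is not None]
    return [r for r in recs if not r.problems], [r for r in recs if r.problems]
```

Running `scan(SAMPLE_LINES)` keeps only the first line as intact; the other four avc lines are reported with the reason each one was judged damaged, and the crond line is ignored.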