From m3freak at rogers.com Tue Feb 1 00:34:39 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Mon, 31 Jan 2005 19:34:39 -0500
Subject: Request Tracker 3
In-Reply-To: <1107197015.3777.34.camel@nexus.verbum.private>
References: <1107133597.4988.34.camel@localhost.localdomain>
	<1107191568.3777.25.camel@nexus.verbum.private>
	<1107195401.4739.18.camel@localhost.localdomain>
	<1107197015.3777.34.camel@nexus.verbum.private>
Message-ID: <1107218079.4739.54.camel@localhost.localdomain>

On Mon, 2005-31-01 at 13:43 -0500, Colin Walters wrote:
> Right. Can you try moving the log into /var/log/httpd? I can't think
> of another solution short of installing the policy sources and adding
> the permissions. My guess is that it is actually this permission that
> is stopping the program; the others are likely harmless.

Moving it to /var/log/httpd generated this error in error.log for httpd:

Log file /var/log/httpd/rt.log couldn't be written or created.

/var/log/messages had this to say:

avc: denied { read } for pid=1516 exe=/usr/bin/perl name=tmp dev=dm-3 ino=12 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file

Plus some more denies for { ioctl }.

Here's the contents of /usr/tmp when apache starts:

[root at mothership tmp]# ls -alZ /usr/tmp/
drwxrwxrwt  root    root    system_u:object_r:tmp_t         .
drwxr-xr-x  root    root    system_u:object_r:var_t         ..
srw-------  apache  apache  root:object_r:httpd_tmp_t       38bb41ae9430107f1ab3add79fbea0aa
drwx------  apache  apache  root:object_r:httpd_tmp_t       dynamic

> Actually, it's just /tmp.
>
> Is your /tmp a symlink elsewhere? Or do you actually have a symlink
> in /tmp named "tmp"? Are you *sure* it's really /tmp? Do an
> "ls -di /tmp" to see if its inode number is 12. Then do
> "ls -di /usr/tmp".

Well, it's not 12.

[root at mothership ~]# ls -di /tmp
2 /tmp

But:

[root at mothership tmp]# ls -di /usr/tmp
12 /usr/tmp

So...I changed the parameter for FastCgiIpDir to /usr/tmp, but there were still more denials (a new one):

avc: denied { getattr } for pid=2014 exe=/usr/bin/perl path=/var/log dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_log_t tclass=dir

A ls -alZ shows that /tmp is a normal directory:

drwxrwxrwt  root  root  system_u:object_r:tmp_t  tmp

The same command within /tmp:

[root at mothership tmp]# ls -alZ
drwxrwxrwt  root    root    system_u:object_r:tmp_t         .
drwxr-xr-x  root    root    system_u:object_r:root_t        ..
-rw-r--r--  root    root    root:object_r:tmp_t             49822b18a8485fff12354f4fbd601494
-rw-r--r--  root    root    root:object_r:tmp_t             Apache-Session-49822b18a8485fff12354f4fbd601494.lock
drwxr-xr-x  root    root    root:object_r:tmp_t             .cpan
drwx------  apache  apache  root:object_r:httpd_tmp_t       dynamic
drwxr-xr-x  root    root    root:object_r:tmp_t             fastcgi
drwxrwxrwx  root    root    root:object_r:tmp_t             FileCache
drwxrwxrwt  root    root    user_u:object_r:tmp_t           .font-unix
-rw-r--r--  root    root    root:object_r:tmp_t             html-scrubber.test.html
-rw-r--r--  root    root    root:object_r:tmp_t             html-scrubber.test.html.html
drwxrwxrwt  root    root    user_u:object_r:tmp_t           .ICE-unix
drwx------  root    root                                    lost+found

You can see the files and directories created by FastCGI when Apache fires up (when I had the FastCgiIpDir set to /tmp).

> Better to use an ACL than mode 777; e.g.
> "setfacl -m 'apache:rwx' /var/log/httpd".

I got an "Operation not supported" error:

setfacl: /var/log/httpd: Operation not supported

> It only changes the type of the /usr/tmp symlink. My guess is still
> that your program has some code (or a library it uses does) that
> tries /usr/tmp first, and is getting permission denial on that symlink
> because it should be usr_t, not tmp_t.

A good try, but it didn't work. :(

I actually tried turning off the separate log entirely, but I still received errors:

avc: denied { ioctl } for pid=2305 exe=/usr/bin/perl path=/var/log/httpd/error_log dev=dm-5 ino=129070 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_log_t tclass=file

Me = stumped.

Thanks for the help.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com


From walters at redhat.com Tue Feb 1 01:07:19 2005
From: walters at redhat.com (Colin Walters)
Date: Mon, 31 Jan 2005 20:07:19 -0500
Subject: Request Tracker 3
In-Reply-To: <1107218079.4739.54.camel@localhost.localdomain>
References: <1107133597.4988.34.camel@localhost.localdomain>
	<1107191568.3777.25.camel@nexus.verbum.private>
	<1107195401.4739.18.camel@localhost.localdomain>
	<1107197015.3777.34.camel@nexus.verbum.private>
	<1107218079.4739.54.camel@localhost.localdomain>
Message-ID: <1107220040.6133.22.camel@nexus.verbum.private>

On Mon, 2005-01-31 at 19:34 -0500, Kanwar Ranbir Sandhu wrote:
> On Mon, 2005-31-01 at 13:43 -0500, Colin Walters wrote:
> > Right. Can you try moving the log into /var/log/httpd? I can't think
> > of another solution short of installing the policy sources and adding
> > the permissions. My guess is that it is actually this permission that
> > is stopping the program; the others are likely harmless.
>
> Moving it to /var/log/httpd generated this error in error.log for httpd:
>
> Log file /var/log/httpd/rt.log couldn't be written or created.

Is the type on rt.log still httpd_log_t? Use ls -Z to inspect.

> [root at mothership tmp]# ls -di /usr/tmp
> 12 /usr/tmp

Yeah, that's what I thought. If you look at the denial message, the inode number was 12. If your /usr isn't on a separate filesystem, then you know the denial was on the /usr/tmp symlink.

I'm baffled you're still getting the denial though. Can you confirm with "ls -dZ /usr/tmp" that the type is usr_t?

> avc: denied { getattr } for pid=2014 exe=/usr/bin/perl path=/var/log
> dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_log_t tclass=dir

If after everything else doesn't work, here's what you can do:

yum install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
echo 'allow httpd_sys_script_t var_log_t:dir { getattr search };' > domains/misc/local.te
make reload

There's work going on in SELinux upstream to make this easier.

> I got a "Operation not supported" error:
>
> setfacl: /var/log/httpd: Operation not supported

Try:

mount -oremount,acl /

This should be the default IMO; also note you need to do it for each filesystem you want ACLs on.

> I actually tried turning off the separate log entirely, but I still
> received errors:
>
> avc: denied { ioctl } for pid=2305 exe=/usr/bin/perl
> path=/var/log/httpd/error_log dev=dm-5 ino=129070
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:httpd_log_t tclass=file

I'd be fairly surprised if this is really the problem preventing the program from working. Was this the only denial you got after turning off the separate log?

Anyways, this shouldn't be harmful to turn on (following the previous steps):

echo 'allow httpd_sys_script_t httpd_log_t:file { ioctl };' >> domains/misc/local.te
make reload

> Me = stumped.

Hope the above helps. Sometimes debugging this stuff can be a huge pain if you have to dig into some obscure Perl library or the like, other times it's a very simple fix. This unfortunately looks to be one of the former cases :/


From m3freak at rogers.com Tue Feb 1 02:28:19 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Mon, 31 Jan 2005 21:28:19 -0500
Subject: Request Tracker 3
In-Reply-To: <1107220040.6133.22.camel@nexus.verbum.private>
References: <1107133597.4988.34.camel@localhost.localdomain>
	<1107191568.3777.25.camel@nexus.verbum.private>
	<1107195401.4739.18.camel@localhost.localdomain>
	<1107197015.3777.34.camel@nexus.verbum.private>
	<1107218079.4739.54.camel@localhost.localdomain>
	<1107220040.6133.22.camel@nexus.verbum.private>
Message-ID: <1107224899.4739.64.camel@localhost.localdomain>

On Mon, 2005-31-01 at 20:07 -0500, Colin Walters wrote:
> > Moving it to /var/log/httpd generated this error in error.log for httpd:
> >
> > Log file /var/log/httpd/rt.log couldn't be written or created.
>
> Is the type on rt.log still httpd_log_t? Use ls -Z to inspect.

Yes it is...after I created the file by hand! :) In any case, it didn't help.

> > [root at mothership tmp]# ls -di /usr/tmp
> > 12 /usr/tmp
>
> Yeah, that's what I thought. If you look at the denial message, the
> inode number was 12. If your /usr isn't on a separate filesystem, then
> you know the denial was on the /usr/tmp symlink.
>
> I'm baffled you're still getting the denial though. Can you confirm
> with "ls -dZ /usr/tmp" that the type is usr_t?

Yes, the type is usr_t. BTW, I have /usr mounted on a separate partition (actually, the whole server is set up with LVM).

> > avc: denied { getattr } for pid=2014 exe=/usr/bin/perl path=/var/log
> > dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t
> > tcontext=system_u:object_r:var_log_t tclass=dir
>
> If after everything else doesn't work, here's what you can do:

I wanted to keep hacking away, but I couldn't take it anymore. I set up RT with modperl2 instead, and voila, it worked. RT 3.2.2 is running.

There are still denials, though I haven't noticed any problems in the app itself (here are two):

avc: denied { ioctl } for pid=4439 exe=/usr/sbin/httpd path=/var/www/rt/bin/webmux.pl dev=dm-5 ino=28748 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_script_exec_t tclass=file

avc: denied { create } for pid=4439 exe=/usr/sbin/httpd name=fastcgi scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=dir

Thank you very much for your help. Not having solved the problem with FastCGI is obviously bad since getting selinux to work would have been the better answer.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com


From roger at gwch.net Tue Feb 1 06:29:12 2005
From: roger at gwch.net (Roger Grosswiler)
Date: Tue, 01 Feb 2005 07:29:12 +0100
Subject: Squirrelmail, MySQL-change password and SELinux
In-Reply-To: <41FEAEF8.9090803@redhat.com>
References: <41FEA50F.1090707@gwch.net> <41FEAEF8.9090803@redhat.com>
Message-ID: <41FF21B8.7060605@gwch.net>

Daniel J Walsh wrote:
> Roger Grosswiler wrote:
>
>> Hi,
>>
>> tried successfully installing squirrelmail with mysql authentication.
>> After installing the change_mysql-plugin, I got the following message
>> in /var/log/messages:
>>
>>> Jan 31 22:21:53 frodo kernel: audit(1107206513.281:0): avc: denied
>>> { write } for pid=12823 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0
>>> ino=360554 scontext=root:system_r:httpd_t
>>> tcontext=root:object_r:var_lib_t tclass=sock_file
>>> Jan 31 22:22:07 frodo kernel: audit(1107206527.169:0): avc: denied
>>> { write } for pid=12825 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0
>>> ino=360554 scontext=root:system_r:httpd_t
>>> tcontext=root:object_r:var_lib_t tclass=sock_file
>>
>> while squirrel's plugin meant that the database is busy. If I
>> understand the above right, selinux didn't let the plugin write the
>> new password in the mysql-database.
>>
>> What can I do (except disabling selinux)?
>>
> The problem is you do not have the latest policy installed on this
> machine, and you need to relabel mysql.
>
> Upgrade to the latest policy via yum
>
> rpm -q -l mysql-server | restorecon -R -v -f -
>
> service mysql restart
>
> Should fix the problem.
>
>> Thanks,
>> Roger
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

Daniel,

Thanks a lot, gonna do a complete update of my system via yum and then try rpm -q -l ...

Roger


From roger at gwch.net Tue Feb 1 09:22:26 2005
From: roger at gwch.net (Roger Grosswiler)
Date: Tue, 01 Feb 2005 10:22:26 +0100
Subject: Squirrelmail, MySQL-change password and SELinux
In-Reply-To: <41FEAEF8.9090803@redhat.com>
References: <41FEA50F.1090707@gwch.net> <41FEAEF8.9090803@redhat.com>
Message-ID: <41FF4A52.3070507@gwch.net>

Daniel J Walsh wrote:
> Roger Grosswiler wrote:
>
>> Hi,
>>
>> tried successfully installing squirrelmail with mysql authentication.
>> After installing the change_mysql-plugin, I got the following message
>> in /var/log/messages:
>>
>>> Jan 31 22:21:53 frodo kernel: audit(1107206513.281:0): avc: denied
>>> { write } for pid=12823 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0
>>> ino=360554 scontext=root:system_r:httpd_t
>>> tcontext=root:object_r:var_lib_t tclass=sock_file
>>> Jan 31 22:22:07 frodo kernel: audit(1107206527.169:0): avc: denied
>>> { write } for pid=12825 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0
>>> ino=360554 scontext=root:system_r:httpd_t
>>> tcontext=root:object_r:var_lib_t tclass=sock_file
>>
>> while squirrel's plugin meant that the database is busy. If I
>> understand the above right, selinux didn't let the plugin write the
>> new password in the mysql-database.
>>
>> What can I do (except disabling selinux)?
>>
> The problem is you do not have the latest policy installed on this
> machine, and you need to relabel mysql.
>
> Upgrade to the latest policy via yum
>
> rpm -q -l mysql-server | restorecon -R -v -f -
>
> service mysql restart
>
> Should fix the problem.
>
>> Thanks,
>> Roger
>

Daniel,

I tried, you were right, now it works perfect, thanks a lot!

Roger


From jorton at redhat.com Tue Feb 1 10:08:20 2005
From: jorton at redhat.com (Joe Orton)
Date: Tue, 1 Feb 2005 10:08:20 +0000
Subject: other Raw Hide avc messages
In-Reply-To: <41FE8BBA.5040501@redhat.com>
References: <20050131164829.GA14626@redhat.com> <41FE8BBA.5040501@redhat.com>
Message-ID: <20050201100820.GC3846@redhat.com>

On Mon, Jan 31, 2005 at 02:49:14PM -0500, Daniel J Walsh wrote:
> Could you check out the selinux-policy-targeted-1.21.5-1 on
>
> ftp://people.redhat.com/dwalsh/selinux/Fedora

I found -1.21.5-5 from ftp://people.redhat.com/dwalsh/SELinux/Fedora/ - but it doesn't seem to have helped, I still get:

type=KERNEL msg=audit(1107252061.377:13600081): avc: denied { transition } for pid=25433 exe=/usr/sbin/crond path=/bin/bash dev=hda3 ino=1933320 scontext=root:system_r:crond_t tcontext=system_u:system_r:unconfined_t tclass=processss tclass=file

I notice we're back to a modified policy.18 from a stock install without -sources modifications:

[root at trash ~]# rpm -V selinux-policy-targeted
S.5....T. c /etc/selinux/targeted/booleans
..5....T.   /etc/selinux/targeted/contexts/files/file_contexts
..5....T.   /etc/selinux/targeted/policy/policy.18

joe


From malists at epon.ro Tue Feb 1 13:04:07 2005
From: malists at epon.ro (Marius Andreiana)
Date: Tue, 01 Feb 2005 15:04:07 +0200
Subject: postalias segfaults
Message-ID: <1107263048.3525.17.camel@marte.biciclete.ro>

Hi

With selinux enabled on FC3, postalias /etc/aliases will segfault.
There are other reports on google:
http://www.google.ro/search?q=postalias%20%22segmentation%20fault%22&ie=UTF-8&oe=UTF-8

Disabled selinux and it works.
postfix and setup rpms are both unmodified.

Thanks
-- 
Marius Andreiana
Epon Business Applications
http://www.epon.ro


From m3freak at rogers.com Tue Feb 1 14:04:13 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Tue, 01 Feb 2005 09:04:13 -0500
Subject: postalias segfaults
In-Reply-To: <1107263048.3525.17.camel@marte.biciclete.ro>
References: <1107263048.3525.17.camel@marte.biciclete.ro>
Message-ID: <1107266654.4928.3.camel@localhost.localdomain>

On Tue, 2005-01-02 at 15:04 +0200, Marius Andreiana wrote:
> With selinux enabled on FC3, postalias /etc/aliases will segfault.

I use "postalias /etc/postfix/aliases", and haven't noticed any problems. Actually, the aliases file used to be in /etc and even then I didn't have any issues.

Just in case you're wondering, selinux is on and in enforcing mode.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com


From m3freak at rogers.com Tue Feb 1 15:22:16 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Tue, 01 Feb 2005 10:22:16 -0500
Subject: Request Tracker 3
In-Reply-To: <1107224899.4739.64.camel@localhost.localdomain>
References: <1107133597.4988.34.camel@localhost.localdomain>
	<1107191568.3777.25.camel@nexus.verbum.private>
	<1107195401.4739.18.camel@localhost.localdomain>
	<1107197015.3777.34.camel@nexus.verbum.private>
	<1107218079.4739.54.camel@localhost.localdomain>
	<1107220040.6133.22.camel@nexus.verbum.private>
	<1107224899.4739.64.camel@localhost.localdomain>
Message-ID: <1107271336.4928.14.camel@localhost.localdomain>

Well, the web interface is working just fine, but there's a problem with the auto-replies etc. that RT emails when it receives a new email. I sent a test email to RT, and the ticket was created okay. However, selinux kicked in and denied RT to send an auto-reply. Here are the errors:

avc: denied { search } for pid=2851 exe=/usr/bin/perl name=postfix dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir

avc: denied { search } for pid=2851 exe=/usr/bin/perl name=postfix dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir

avc: denied { setrlimit } for pid=2856 exe=/usr/sbin/sendmail.postfix scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=process

RT: Could not send mail. (/var/www/rt/lib/RT/Action/SendEmail.pm:276)

So, it looks to me like selinux won't let perl use postfix.

I get the feeling that not many people are using RT with selinux turned on in FC3 (there just aren't any posts about this to the RT mailing list).

Thanks in advance.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com


From hongwei at wustl.edu Tue Feb 1 15:27:16 2005
From: hongwei at wustl.edu (Hongwei Li)
Date: Tue, 1 Feb 2005 09:27:16 -0600 (CST)
Subject: selinux and mail() in php code
Message-ID: <2730.128.252.85.103.1107271636.squirrel@morpheus.wustl.edu>

Hi,

I posted this message a few days ago, but haven't seen any reply. Did I miss some posts? Here, I include my test code and post it again. Hope selinux experts can help me.

My system information --

os: RedHat FC3 linux, kernel-2.6.10-1.741_FC3, selinux enforced, iptables enabled
selinux: selinux-policy-targeted-1.17.30-2.73 (the most up to date one)
iptables: iptables-1.2.11-3.1.FC3
web: httpd-2.0.52-3.1
sendmail: sendmail-8.13.1-2
php: php-4.3.10-3.2
SELINUXTYPE targeted

I have a testing feedback php code for my web site using

mail($toaddress, $subject, $feedback, $fromaddress);

If selinux is disabled, the code works well. The user ($toaddress) receives the content ($mailcontent), etc. However, if selinux is enforced, the user does not receive it and the system log shows:

Jan 28 14:19:46 pippo kernel: audit(1106943586.048:0): avc: denied { read } for pid=6801 exe=/usr/sbin/sendmail.sendmail name=clientmqueue dev=hda3 ino=470506 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir

Should I do something to make it work with selinux enforced?

Is there anybody out there who uses php's mail() function in the "feedback form" in his web server? Below is my testing php code. The only line you need to change is the first line where you can replace "your-email-address" with your email address to see if you receive mail or get an error (system log, not from web or email) when selinux is enforced:

<?php
$toaddress = 'your-email-address';

$feedback = 'This is a test.';
$subject = 'Feedback from web';
$fromaddress = "From: webmaster@your.domain\r\n";

mail($toaddress, $subject, $feedback, $fromaddress);

?>

Selinux experts: please test this code on your web server and I appreciate all help!

Hongwei Li


From jorton at redhat.com Tue Feb 1 15:38:26 2005
From: jorton at redhat.com (Joe Orton)
Date: Tue, 1 Feb 2005 15:38:26 +0000
Subject: selinux and mail() in php code
In-Reply-To: <2730.128.252.85.103.1107271636.squirrel@morpheus.wustl.edu>
References: <2730.128.252.85.103.1107271636.squirrel@morpheus.wustl.edu>
Message-ID: <20050201153826.GA12473@redhat.com>

On Tue, Feb 01, 2005 at 09:27:16AM -0600, Hongwei Li wrote:
> Hi,
>
> I posted this message a few days ago, but haven't seen any reply. Did I
> miss some posts? Here, I include my test code and post it again. Hope
> selinux experts can help me.

PHP mail() should be working if you are really running the latest policy, it works fine here. Do you have an /etc/selinux/targeted/policy.18.rpmnew file?

joe


From hongwei at wustl.edu Tue Feb 1 16:00:42 2005
From: hongwei at wustl.edu (Hongwei Li)
Date: Tue, 1 Feb 2005 10:00:42 -0600 (CST)
Subject: selinux and mail() in php code
Message-ID: <3031.128.252.85.103.1107273642.squirrel@morpheus.wustl.edu>

> On Tue, Feb 01, 2005 at 09:27:16AM -0600, Hongwei Li wrote:
>> Hi,
>> I posted this message a few days ago, but haven't seen any reply. Did I
>> miss some posts? Here, I include my test code and post it again. Hope
>> selinux experts can help me.
>
> PHP mail() should be working if you are really running the latest policy,
> it works fine here. Do you have an
> /etc/selinux/targeted/policy.18.rpmnew file?
>
> joe
>

What I have are:

# ls -l /etc/selinux/targeted/
total 24
-rwx------  1 root root  432 Jan  5 15:38 booleans
drwxr-xr-x  4 root root 4096 Jan 26 13:49 contexts
drwxr-xr-x  2 root root 4096 Jan 26 13:49 policy
# ls -l /etc/selinux/targeted/policy/
total 332
-rw-r--r--  1 root root 328447 Jan 19 16:44 policy.18

and my /etc/selinux/config is

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=Enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Did I miss something? I recently installed the new policy 1.17.30-2.73 on Jan-26-2005, then did

# restorecon -R -v /var/lib /var/spool
# rpm -q -l mysql-server | restorecon -R -v -f -

Should I do something else after that, specifically for php or sendmail, or...?

Thanks!

Hongwei


From m3freak at rogers.com Tue Feb 1 16:52:27 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Tue, 01 Feb 2005 11:52:27 -0500
Subject: Request Tracker 3
In-Reply-To: <1107271336.4928.14.camel@localhost.localdomain>
References: <1107133597.4988.34.camel@localhost.localdomain>
	<1107191568.3777.25.camel@nexus.verbum.private>
	<1107195401.4739.18.camel@localhost.localdomain>
	<1107197015.3777.34.camel@nexus.verbum.private>
	<1107218079.4739.54.camel@localhost.localdomain>
	<1107220040.6133.22.camel@nexus.verbum.private>
	<1107224899.4739.64.camel@localhost.localdomain>
	<1107271336.4928.14.camel@localhost.localdomain>
Message-ID: <1107276747.4928.28.camel@localhost.localdomain>

On Tue, 2005-01-02 at 10:22 -0500, Kanwar Ranbir Sandhu wrote:
> avc: denied { search } for pid=2851 exe=/usr/bin/perl name=postfix
> dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_spool_t tclass=dir
>
> avc: denied { search } for pid=2851 exe=/usr/bin/perl name=postfix
> dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_spool_t tclass=dir
>
> avc: denied { setrlimit } for pid=2856 exe=/usr/sbin/sendmail.postfix
> scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t
> tclass=process

I've learned a little more about selinux, and so ran audit2allow on the denials above to generate the following two policies:

allow httpd_sys_script_t var_spool_t:dir search;
allow httpd_t self:process setrlimit;

I know I can use dontaudit to turn off auditing for these policies (instead of allowing), but I don't know if that's a good idea, or even the right approach.

Thanks,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com


From walters at redhat.com Tue Feb 1 16:55:10 2005
From: walters at redhat.com (Colin Walters)
Date: Tue, 01 Feb 2005 11:55:10 -0500
Subject: Request Tracker 3
In-Reply-To: <1107276747.4928.28.camel@localhost.localdomain>
References: <1107133597.4988.34.camel@localhost.localdomain>
	<1107191568.3777.25.camel@nexus.verbum.private>
	<1107195401.4739.18.camel@localhost.localdomain>
	<1107197015.3777.34.camel@nexus.verbum.private>
	<1107218079.4739.54.camel@localhost.localdomain>
	<1107220040.6133.22.camel@nexus.verbum.private>
	<1107224899.4739.64.camel@localhost.localdomain>
	<1107271336.4928.14.camel@localhost.localdomain>
	<1107276747.4928.28.camel@localhost.localdomain>
Message-ID: <1107276911.3987.16.camel@nexus.verbum.private>

On Tue, 2005-02-01 at 11:52 -0500, Kanwar Ranbir Sandhu wrote:
> On Tue, 2005-01-02 at 10:22 -0500, Kanwar Ranbir Sandhu wrote:
> > avc: denied { search } for pid=2851 exe=/usr/bin/perl name=postfix
> > dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t
> > tcontext=system_u:object_r:var_spool_t tclass=dir
> >
> > avc: denied { search } for pid=2851 exe=/usr/bin/perl name=postfix
> > dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t
> > tcontext=system_u:object_r:var_spool_t tclass=dir
> >
> > avc: denied { setrlimit } for pid=2856 exe=/usr/sbin/sendmail.postfix
> > scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t
> > tclass=process
>
> I've learned a little more about selinux, and so ran audit2allow on the
> denials above to generate the following two policies:
>
> allow httpd_sys_script_t var_spool_t:dir search;
> allow httpd_t self:process setrlimit;

Does adding those two permissions actually fix the problem?
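As an added illustration (not code from the thread, and not audit2allow itself), the following Python script does what the audit2allow step above did: it parses the old-style "avc: denied" records quoted in this thread into candidate allow rules, merging permissions per source/target/class and writing "self" where source and target types match. It also flags denials whose target is a generic fallback type, since several fixes in this thread were restorecon relabels rather than new rules; the GENERIC_TARGET_TYPES list and the trailing non-AVC sample line are assumptions of the example.

```python
"""Turn raw SELinux AVC denial messages into candidate allow rules
(the same aggregation audit2allow performs) and flag denials that
look like labelling problems rather than missing permissions."""
import re
from collections import defaultdict

# Old-style (FC3 era) AVC record. The optional "kernel: audit(...)"
# syslog prefix and the key=value fields vary between records, so the
# pattern picks out the permission set and leaves the fields for a
# second pass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumption for the heuristic: generic fallback types in the targeted
# policy. A denial against one of these often means an object carries
# the wrong label (check with ls -Z / restorecon before allowing).
GENERIC_TARGET_TYPES = {
    "var_lib_t", "var_log_t", "var_spool_t", "var_t", "tmp_t",
    "usr_t", "sbin_t", "etc_t", "device_t",
}


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    # Later duplicates win, which is what we want for the doubled
    # "tclass=processss tclass=file" record quoted in the thread.
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        # A context is user:role:type[:level]; the type is field 3.
        src_type = fields["scontext"].split(":")[2]
        tgt_type = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return src_type, tgt_type, tclass, perms


def to_rules(lines):
    """Aggregate denials into audit2allow-style rules, sorted."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_str};")
    return rules


def labelling_suspects(lines):
    """(src, tgt, tclass) for denials against generic target types."""
    out = []
    for line in lines:
        parsed = parse_avc(line)
        if parsed and parsed[1] in GENERIC_TARGET_TYPES:
            out.append(parsed[:3])
    return out


# Denial records quoted in this thread, plus one constructed non-AVC
# syslog line to show that unrelated input is ignored.
SAMPLE_DENIALS = [
    "avc: denied { search } for pid=2851 exe=/usr/bin/perl name=postfix "
    "dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t "
    "tcontext=system_u:object_r:var_spool_t tclass=dir",
    "avc: denied { setrlimit } for pid=2856 exe=/usr/sbin/sendmail.postfix "
    "scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t "
    "tclass=process",
    "avc: denied { getattr } for pid=2014 exe=/usr/bin/perl path=/var/log "
    "dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t "
    "tcontext=system_u:object_r:var_log_t tclass=dir",
    "Jan 31 22:21:53 frodo kernel: audit(1107206513.281:0): avc: denied "
    "{ write } for pid=12823 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 "
    "ino=360554 scontext=root:system_r:httpd_t "
    "tcontext=root:object_r:var_lib_t tclass=sock_file",
    "Feb  1 00:00:00 host sshd[1]: Accepted publickey for user",  # constructed
]

if __name__ == "__main__":
    for rule in to_rules(SAMPLE_DENIALS):
        print(rule)
    for src, tgt, tclass in labelling_suspects(SAMPLE_DENIALS):
        print(f"# check labels first: {src} -> {tgt}:{tclass}")
```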
From cowchaser at axs.net Tue Feb 1 14:45:36 2005 From: cowchaser at axs.net (Roger Skildum) Date: Tue, 01 Feb 2005 09:45:36 -0500 Subject: error: kernel: audit: avc: denied { write } Message-ID: <41FF9610.7050609@axs.net> I am running FC3 with a vanilla 2.6.10 kernel patched for Win4lin. I am not sure what has happened but all of a sudden I started getting a whole slew of the errors listed below each time I boot. Jan 30 05:18:48 host kernel: audit(1107080328.663:0): avc: denied { write } for pid=3575 exe=/usr/sbin/ntpd name=log dev=tmpfs ino=6673 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:device_t tclass=sock_file From what I understand they are related to selinux. They are not all the same but all deal with kernel: audit. The system log shows me that they happen while the system is running also. I have not noticed any system degradation but something must be wrong. I do not think I have done anything to course this except update my system. When I run system monitor I see under the Resource Monitor tab I see a device listed as /dev/shm with a type as tmpfs with a total of 125MB but 0% used. When I look in the /dev directory there is no /dev/shm or /dev/tmpfs for that matter. Is this related to the problem since the error lists dev=tmpfs? Any I ideas as to what is wrong or how to correct? Thanks Roger From sds at epoch.ncsc.mil Tue Feb 1 18:27:14 2005 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Tue, 01 Feb 2005 13:27:14 -0500 Subject: error: kernel: audit: avc: denied { write } In-Reply-To: <41FF9610.7050609@axs.net> References: <41FF9610.7050609@axs.net> Message-ID: <1107282434.26936.193.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2005-02-01 at 09:45, Roger Skildum wrote: > I am running FC3 with a vanilla 2.6.10 kernel patched for Win4lin. I am > not sure what has happened but all of a sudden I started getting a whole > slew of the errors listed below each time I boot. 
> > Jan 30 05:18:48 host kernel: audit(1107080328.663:0): avc: denied { > write } for pid=3575 exe=/usr/sbin/ntpd name=log dev=tmpfs ino=6673 > scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:device_t > tclass=sock_file What does /sbin/restorecon -v /dev/log show? -- Stephen Smalley National Security Agency From poohba at blkpoohba.dyndns.org Tue Feb 1 19:00:34 2005 From: poohba at blkpoohba.dyndns.org (poohba at blkpoohba.dyndns.org) Date: Tue, 1 Feb 2005 14:00:34 -0500 (EST) Subject: Xchat file permissions Message-ID: I copied my .xchat2 dir from fc1 and xchat works fine. I am however unable to save. I'm getting a permission denied. I have the dir chmod 775 and i have it chown root.media and i am part of that media group. if I do id I see media listed as one of my groups. Why am I unable to save to the dir. It is the correct dir. Does SELinux have anything to do with this? Is there a way to completely turn it off. I am able to create files and directories in that directory if i were to just go to it. From hongwei at wustl.edu Tue Feb 1 19:32:00 2005 From: hongwei at wustl.edu (Hongwei Li) Date: Tue, 1 Feb 2005 13:32:00 -0600 (CST) Subject: Are these settings correct? Message-ID: <4424.128.252.85.103.1107286320.squirrel@morpheus.wustl.edu> While I am checking the posible reason that the php mail() does not work in my fc3 system, I found the following settings: # ls -lZ /usr/sbin/send* lrwxrwxrwx root root user_u:object_r:sbin_t /usr/sbin/sendmail -> /etc/alternatives/mta -rwxr-sr-x root smmsp system_u:object_r:sbin_t /usr/sbin/sendmail.sendmail and all files in /etc/alternatives/ show either user_u:object_r:etc_t or root:object_r:etc_t Are these settings correct? Do I need to run restorecon on them? or on all folders in the system? Thanks! 
Hongwei Li

From dwalsh at redhat.com Tue Feb 1 22:23:57 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 01 Feb 2005 17:23:57 -0500
Subject: postalias segfaults
In-Reply-To: <1107263048.3525.17.camel@marte.biciclete.ro>
References: <1107263048.3525.17.camel@marte.biciclete.ro>
Message-ID: <4200017D.6090303@redhat.com>

Marius Andreiana wrote:
>Hi
>
>With selinux enabled on FC3, postalias /etc/aliases will segfault.
>There are other reports on google:
>http://www.google.ro/search?q=postalias%20%22segmentation%20fault%22&ie=UTF-8&oe=UTF-8
>
>Disabled selinux and it works.
>postfix and setup rpms are both unmodified.
>
>Thanks
>
Are you getting any AVC messages in /var/log/messages?

Dan

From dwalsh at redhat.com Tue Feb 1 22:25:47 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 01 Feb 2005 17:25:47 -0500
Subject: selinux and mail() in php code
In-Reply-To: <2730.128.252.85.103.1107271636.squirrel@morpheus.wustl.edu>
References: <2730.128.252.85.103.1107271636.squirrel@morpheus.wustl.edu>
Message-ID: <420001EB.5090809@redhat.com>

Hongwei Li wrote:
>Hi,
>
>I posted this message a few days ago, but haven't seen any reply. Did I
>miss some posts? Here, I include my test code and post it again. Hope
>selinux experts can help me.
>
>My system information --
>
>os: RedHat FC3 linux, kernel-2.6.10-1.741_FC3, selinux enforced, iptables enabled
>selinux: selinux-policy-targeted-1.17.30-2.73 (the most up-to-date one)
>iptables: iptables-1.2.11-3.1.FC3
>web: httpd-2.0.52-3.1
>sendmail: sendmail-8.13.1-2
>php: php-4.3.10-3.2
>SELINUXTYPE targeted
>
>I have a testing feedback php code for my web site using
>
>mail($toaddress, $subject, $feedback, $fromaddress);
>
>If selinux is disabled, the code works well. The user ($toaddress)
>receives the content ($mailcontent), etc. However, if selinux is
>enforced, the user does not receive it and the system log shows:
>
>Jan 28 14:19:46 pippo kernel: audit(1106943586.048:0): avc: denied { read } for pid=6801 exe=/usr/sbin/sendmail.sendmail name=clientmqueue dev=hda3 ino=470506 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
>
>Should I do something to make it work with selinux enforced?
>
>Is there anybody out there who uses php's mail() function in the "feedback
>form" in his web server? Below is my testing php code. The only line you
>need to change is the first line where you can replace
>"your-email-address" with your email address to see if you receive mail or
>get an error (system log, not from web or email) when selinux is enforced:
>
><?php
>
> $toaddress = 'your-email-address';
>
> $feedback = 'This is a test.';
> $subject = 'Feedback from web';
> $fromaddress = "From: webmaster at your.domain\r\n";
>
> mail($toaddress, $subject, $feedback, $fromaddress);
>
>?>
>
>Selinux experts: please test this code on your web server and I appreciate
>all help!
>
>Hongwei Li
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
restorecon /usr/sbin/sendmail.sendmail

From dwalsh at redhat.com Tue Feb 1 22:31:07 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 01 Feb 2005 17:31:07 -0500
Subject: other Raw Hide avc messages
In-Reply-To: <20050201100820.GC3846@redhat.com>
References: <20050131164829.GA14626@redhat.com> <41FE8BBA.5040501@redhat.com> <20050201100820.GC3846@redhat.com>
Message-ID: <4200032B.2030504@redhat.com>

Joe Orton wrote:
>On Mon, Jan 31, 2005 at 02:49:14PM -0500, Daniel J Walsh wrote:
>
>>Could you check out the selinux-policy-targeted-1.21.5-1 on
>>
>>ftp://people.redhat.com/dwalsh/selinux/Fedora
>>
>
>I found -1.21.5-5 from ftp://people.redhat.com/dwalsh/SELinux/Fedora/ -
>but it doesn't seem to have helped, I still get:
>
>type=KERNEL msg=audit(1107252061.377:13600081): avc: denied { transition } for pid=25433 exe=/usr/sbin/crond path=/bin/bash dev=hda3 ino=1933320 scontext=root:system_r:crond_t tcontext=system_u:system_r:unconfined_t tclass=processss tclass=file
>
>I notice we're back to a modified policy.18 from a stock install without
>-sources modifications:
>
>[root at trash ~]# rpm -V selinux-policy-targeted
>S.5....T. c /etc/selinux/targeted/booleans
>..5....T. /etc/selinux/targeted/contexts/files/file_contexts
>..5....T. /etc/selinux/targeted/policy/policy.18
>
>joe
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
I think I have finally fixed the crond problem
selinux-policy-targeted-1.21.6-1
Sorry it took so long.
Dan

From walters at redhat.com Tue Feb 1 23:58:07 2005
From: walters at redhat.com (Colin Walters)
Date: Tue, 01 Feb 2005 18:58:07 -0500
Subject: Request Tracker 3
In-Reply-To: <1107271336.4928.14.camel@localhost.localdomain>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain>
Message-ID: <1107302287.3987.20.camel@nexus.verbum.private>

On Tue, 2005-02-01 at 10:22 -0500, Kanwar Ranbir Sandhu wrote:
> avc: denied { search } for pid=2851 exe=/usr/bin/perl name=postfix dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
>
> avc: denied { search } for pid=2851 exe=/usr/bin/perl name=postfix dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir

Hmmm. Surely the SendEmail.pm perl module doesn't scribble on the
postfix queue directly; I don't think that's supported.

> avc: denied { setrlimit } for pid=2856 exe=/usr/sbin/sendmail.postfix scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=process

It looks like there was no transition to system_mail_t because
/usr/sbin/sendmail.postfix isn't labeled as sendmail_exec_t in the
targeted policy. Try:

chcon -h -t sendmail_exec_t /usr/sbin/sendmail.postfix

From cowchaser at axs.net Wed Feb 2 03:28:23 2005
From: cowchaser at axs.net (Roger Skildum)
Date: Tue, 01 Feb 2005 22:28:23 -0500
Subject: error: kernel: audit: avc: denied { write }
Message-ID: <420048D7.8050101@axs.net>

When I type the command this is what I get:

/sbin/restorecon reset context /dev/log user_u:object_r:device_t->system_u:object_r:devlog_t

>> slew of the errors listed below each time I boot.
>> Jan 30 05:18:48 host kernel: audit(1107080328.663:0): avc: denied { write } for pid=3575 exe=/usr/sbin/ntpd name=log dev=tmpfs ino=6673 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:device_t tclass=sock_file
>
>What does /sbin/restorecon -v /dev/log show?
>
>--
>Stephen Smalley
>National Security Agency

From malists at epon.ro Wed Feb 2 07:59:23 2005
From: malists at epon.ro (Marius Andreiana)
Date: Wed, 02 Feb 2005 09:59:23 +0200
Subject: postalias segfaults
In-Reply-To: <4200017D.6090303@redhat.com>
References: <1107263048.3525.17.camel@marte.biciclete.ro> <4200017D.6090303@redhat.com>
Message-ID: <1107331163.3573.10.camel@marte.biciclete.ro>

On Tue, 2005-02-01 at 17:23 -0500, Daniel J Walsh wrote:
> Are you getting any AVC messages in /var/log/messages?
Not related to this.
Just
Feb 1 14:51:56 192-168-0-199 postfix: postalias "hash:/etc/aliases" failed

I can't tell what this is for:
Feb 1 14:41:33 192-168-0-199 kernel: audit(1107261693.771:0): avc: denied { read write } for pid=15091 exe=/usr/sbin/rndc path=/dev/tty dev=tmpfs ino=3539 scontext=root:system_r:ndc_t tcontext=system_u:object_r:devtty_t tclass=chr_file

And this was about a warning starting httpd and complaining /home/galuna/www doesn't exist (file permissions were ok, I didn't check selinux restrictions)
Feb 1 14:41:37 192-168-0-199 kernel: audit(1107261697.762:0): avc: denied { getattr } for pid=15124 exe=/usr/sbin/httpd path=/home/galuna/www dev=hda2 ino=96431 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir

I disabled SELinux for now. Will try again in FC4 and debug more.

--
Marius Andreiana
Epon Business Applications
http://www.epon.ro

From sds at epoch.ncsc.mil Wed Feb 2 13:12:40 2005
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Wed, 02 Feb 2005 08:12:40 -0500
Subject: execmod avcs from today's policy
In-Reply-To: <1106937325.32737.99.camel@moss-spartans.epoch.ncsc.mil>
References: <4c4ba153050128083863c42324@mail.gmail.com> <1106935922.32737.83.camel@moss-spartans.epoch.ncsc.mil> <1106937325.32737.99.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1107349960.890.76.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-01-28 at 13:35, Stephen Smalley wrote:
> We should also wrap occurrences of execmem with a boolean, but a
> separate one than the execmod rules. Might also want multiple booleans,
> e.g. to allow certain programs without allowing all others.

Note: An allow_execmem boolean has been introduced into the latest
upstream policy, so I expect it will show up in future Fedora policies.
Hence, you may need to enable this boolean, e.g. to allow X to continue
to run. In the future, I think we will want multiple such booleans so
that we can allow certain domains (like X) to have this permission while
prohibiting others (like user domains).

--
Stephen Smalley
National Security Agency

From selinux at gmail.com Wed Feb 2 13:32:14 2005
From: selinux at gmail.com (Tom London)
Date: Wed, 2 Feb 2005 05:32:14 -0800
Subject: execmod avcs from today's policy
In-Reply-To: <1107349960.890.76.camel@moss-spartans.epoch.ncsc.mil>
References: <4c4ba153050128083863c42324@mail.gmail.com> <1106935922.32737.83.camel@moss-spartans.epoch.ncsc.mil> <1106937325.32737.99.camel@moss-spartans.epoch.ncsc.mil> <1107349960.890.76.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4c4ba15305020205324da8e068@mail.gmail.com>

Excellent fix!

Thanks,
tom

From dwalsh at redhat.com Wed Feb 2 14:44:53 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 02 Feb 2005 09:44:53 -0500
Subject: postalias segfaults
In-Reply-To: <1107331163.3573.10.camel@marte.biciclete.ro>
References: <1107263048.3525.17.camel@marte.biciclete.ro> <4200017D.6090303@redhat.com> <1107331163.3573.10.camel@marte.biciclete.ro>
Message-ID: <4200E765.4020401@redhat.com>

Marius Andreiana wrote:
>On Tue, 2005-02-01 at 17:23 -0500, Daniel J Walsh wrote:
>
>>Are you getting any AVC messages in /var/log/messages?
>>
>Not related to this.
>Just
>Feb 1 14:51:56 192-168-0-199 postfix: postalias "hash:/etc/aliases" failed
>
>I can't tell what this is for:
>Feb 1 14:41:33 192-168-0-199 kernel: audit(1107261693.771:0): avc: denied { read write } for pid=15091 exe=/usr/sbin/rndc path=/dev/tty dev=tmpfs ino=3539 scontext=root:system_r:ndc_t tcontext=system_u:object_r:devtty_t tclass=chr_file
>
>And this was about a warning starting httpd and complaining /home/galuna/www doesn't exist (file permissions were ok, I didn't check selinux restrictions)
>Feb 1 14:41:37 192-168-0-199 kernel: audit(1107261697.762:0): avc: denied { getattr } for pid=15124 exe=/usr/sbin/httpd path=/home/galuna/www dev=hda2 ino=96431 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
>
>I disabled SELinux for now. Will try again in FC4 and debug more.
>
You don't need to disable SELinux. You can disable certain "domains" if you do not want them protected.

If you

chcon -R -t httpd_sys_content_t /home/galuna/www

and

setsebool -P httpd_enable_homedirs 1

your apache should work.

Could you do a

ls -l /etc/aliases*

Dan

From m3freak at rogers.com Wed Feb 2 14:46:25 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Wed, 02 Feb 2005 09:46:25 -0500
Subject: Request Tracker 3
In-Reply-To: <1107302287.3987.20.camel@nexus.verbum.private>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private>
Message-ID: <1107355585.4943.32.camel@localhost.localdomain>

On Tue, 2005-01-02 at 18:58 -0500, Colin Walters wrote:
> Hmmm. Surely the SendEmail.pm perl module doesn't scribble on the
> postfix queue directly; I don't think that's supported.

I don't know enough about the innards of RT to answer your question.
However, I've sent an email to the RT list about this. Hopefully someone
will chime in; I'll let you know.

> Try:
>
> chcon -h -t sendmail_exec_t /usr/sbin/sendmail.postfix

That got rid of the { setrlimit } denial, and produced a new one:

avc: denied { execute } for pid=5736 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file

Now, I don't want to confuse the issue, but in RT you define the mail
command as 'sendmail' or 'sendmailpipe'. If using sendmail, then the
arguments are '-oi'. If it's sendmailpipe, the arguments are '-oi -t',
and the location of the sendmail binary must be specified
(/usr/sbin/sendmail).

The above error was generated with the mail command in RT set to sendmail.
When I set the mail command to sendmailpipe, I got this denial:

avc: denied { read } for pid=5977 exe=/usr/sbin/httpd name=sendmail dev=dm-3 ino=277369 scontext=root:system_r:httpd_t tcontext=user_u:object_r:sbin_t tclass=lnk_file

I then changed the location of the sendmail binary parameter in RT
to /usr/sbin/sendmail.postfix (but kept the mail command as
sendmailpipe):

avc: denied { execute } for pid=6019 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file

That's the same denial as the very first one listed above.

I just wanted to point that out. In the past, I have configured RT
with:

mail command: sendmail
arguments: -oi
path: /usr/sbin/sendmail

So, that's what I'll be sticking with, unless something else comes up.

It seems the solution is a little closer...

Regards,

Ranbir

--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com

From dwalsh at redhat.com Wed Feb 2 15:10:04 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 02 Feb 2005 10:10:04 -0500
Subject: Request Tracker 3
In-Reply-To: <1107355585.4943.32.camel@localhost.localdomain>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private> <1107355585.4943.32.camel@localhost.localdomain>
Message-ID: <4200ED4C.1000601@redhat.com>

Kanwar Ranbir Sandhu wrote:
>On Tue, 2005-01-02 at 18:58 -0500, Colin Walters wrote:
>
>>Hmmm. Surely the SendEmail.pm perl module doesn't scribble on the
>>postfix queue directly; I don't think that's supported.
>>
>
>I don't know enough about the innards of RT to answer your question.
>However, I've sent an email to the RT list about this. Hopefully someone
>will chime in; I'll let you know.
>
>>Try:
>>
>>chcon -h -t sendmail_exec_t /usr/sbin/sendmail.postfix
>>
>
>That got rid of the { setrlimit } denial, and produced a new one:
>
>avc: denied { execute } for pid=5736 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
>
>Now, I don't want to confuse the issue, but in RT you define the mail
>command as 'sendmail' or 'sendmailpipe'. If using sendmail, then the
>arguments are '-oi'. If it's sendmailpipe, the arguments are '-oi -t',
>and the location of the sendmail binary must be specified
>(/usr/sbin/sendmail).
>
>The above error was generated with the mail command in RT set to sendmail.
>When I set the mail command to sendmailpipe, I got this denial:
>
>avc: denied { read } for pid=5977 exe=/usr/sbin/httpd name=sendmail dev=dm-3 ino=277369 scontext=root:system_r:httpd_t tcontext=user_u:object_r:sbin_t tclass=lnk_file
>
>I then changed the location of the sendmail binary parameter in RT
>to /usr/sbin/sendmail.postfix (but kept the mail command as
>sendmailpipe):
>
>avc: denied { execute } for pid=6019 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
>
>That's the same denial as the very first one listed above.
>
>I just wanted to point that out. In the past, I have configured RT
>with:
>
>mail command: sendmail
>arguments: -oi
>path: /usr/sbin/sendmail
>
>So, that's what I'll be sticking with, unless something else comes up.
>
>It seems the solution is a little closer...
>
>Regards,
>
>Ranbir
>
Rather than going down a rathole, here could you

setenforce 0

Run both tests and send the avc messages.

From HBurde at t-online.de Wed Feb 2 15:11:41 2005
From: HBurde at t-online.de (hb)
Date: Wed, 02 Feb 2005 16:11:41 +0100
Subject: policy change adventure ..
Message-ID: <1107357101.8457.5.camel@marvin.warpnet.com>

hi;

I changed a SE linux system from a targeted policy to strict to do some
testing with strict & enforcing for a particular setup I plan.
System is FC3 (all patches up to 01.02.2005) with standard install up to
that point.

Policy change :
1 yum'ed the strict policy and policy sources
2 did a system-config-securelevel (changed targeted -> strict)
3 reboot (fingers crossed ..)

What happened was this :
Mass complaints (avc: denies)
mass out of Memory errors .. (no way ..) // the system has 384MB RAM
rescue CD : mount and change to permissive /etc/selinux/config
touch /.autorelabel
this time autorelabel worked
still many avc denies from std. system services
fixfiles check // everything ok ..
surprise still many many avc denies from std system services ..

So my Question : is this normal (still no production quality) ?
or a bug / side effect from changing the policy (should work but does not) ?

Since there are too many errors I can't track each individual problem down.
any idea what to try?

----
Example /var/log/messages

Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied { getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/mem dev=tmpfs ino=485 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied { getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/net/tun dev=tmpfs ino=1816 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied { getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/ppp dev=tmpfs ino=1817 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ppp_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.343:0): avc: denied { getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/zero dev=tmpfs ino=1820 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.554:0): avc: denied { read } for pid=2183 exe=/sbin/lvm.static name=hdf dev=tmpfs ino=1063 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.556:0): avc: denied { write } for pid=2183 exe=/sbin/lvm.static name=control dev=tmpfs ino=4737 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lvm_control_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.556:0): avc: denied { ioctl } for pid=2183 exe=/sbin/lvm.static path=/dev/mapper/control dev=tmpfs ino=4737 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lvm_control_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.557:0): avc: denied { write } for pid=2183 exe=/sbin/lvm.static name=.cache dev=hde1 ino=66753 scontext=system_u:system_r:initrc_t tcontext=user_u:object_r:etc_t tclass=file

--
hb

From dwalsh at redhat.com Wed Feb 2 15:20:38 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 02 Feb 2005 10:20:38 -0500
Subject: policy change adventure ..
In-Reply-To: <1107357101.8457.5.camel@marvin.warpnet.com>
References: <1107357101.8457.5.camel@marvin.warpnet.com>
Message-ID: <4200EFC6.9000506@redhat.com>

If you want to use strict policy please grab the one off of rawhide.

Dan

From m3freak at rogers.com Wed Feb 2 15:43:17 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Wed, 02 Feb 2005 10:43:17 -0500
Subject: Request Tracker 3
In-Reply-To: <4200ED4C.1000601@redhat.com>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private> <1107355585.4943.32.camel@localhost.localdomain> <4200ED4C.1000601@redhat.com>
Message-ID: <1107358997.6175.10.camel@localhost.localdomain>

On Wed, 2005-02-02 at 10:10 -0500, Daniel J Walsh wrote:
> Rather than going down a rathole, here could
> you
> setenforce 0
> Run both tests and send the avc messages.

Okay, no problem. I'll describe the mail setups, proceeded by the
selinux messages for each.
Mail config in RT:
------------------
mail command: sendmailpipe
arguments: -oi -t #(-t required, as stated in RT docs)
path: /usr/sbin/sendmail

avc messages:
-------------
avc: denied { read } for pid=6130 exe=/usr/sbin/httpd name=sendmail dev=dm-3 ino=277369 scontext=root:system_r:httpd_t tcontext=user_u:object_r:sbin_t tclass=lnk_file


Mail config in RT:
------------------
mail command: sendmail
arguments: -oi
path: /usr/sbin/sendmail #(not read when mail command set to sendmail)

avc messages:
-------------
avc: denied { search } for pid=6082 exe=/usr/bin/perl name=postfix dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir

avc: denied { getattr } for pid=6086 exe=/usr/sbin/sendmail.postfix path=socket:[14139] dev=sockfs ino=14139 scontext=root:system_r:system_mail_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket

avc: denied { execute } for pid=6087 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file

avc: denied { execute_no_trans } for pid=6087 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file

avc: denied { read } for pid=6087 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file

avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop name=maildrop dev=dm-5 ino=34842 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir

avc: denied { add_name } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir

avc: denied { create } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file

avc: denied { getattr } for pid=6087 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file

avc: denied { remove_name } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir

avc: denied { rename } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file

avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/1ACA7885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file

avc: denied { setattr } for pid=6087 exe=/usr/sbin/postdrop name=1ACA7885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file

avc: denied { getattr } for pid=6087 exe=/usr/sbin/postdrop path=/var/spool/postfix/public/pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=fifo_file

avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop name=pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=fifo_file

Wow. Big difference in denials.

Regards,

Ranbir

--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com

From dwalsh at redhat.com Wed Feb 2 15:56:44 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 02 Feb 2005 10:56:44 -0500
Subject: Request Tracker 3
In-Reply-To: <1107358997.6175.10.camel@localhost.localdomain>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private> <1107355585.4943.32.camel@localhost.localdomain> <4200ED4C.1000601@redhat.com> <1107358997.6175.10.camel@localhost.localdomain>
Message-ID: <4200F83C.9030300@redhat.com>

Kanwar Ranbir Sandhu wrote:
>On Wed, 2005-02-02 at 10:10 -0500, Daniel J Walsh wrote:
>
>>Rather than going down a rathole, here could
>>you
>>setenforce 0
>>Run both tests and send the avc messages.
>>
>
>Okay, no problem. I'll describe the mail setups, proceeded by the
>selinux messages for each.
>
>Mail config in RT:
>------------------
>mail command: sendmailpipe
>arguments: -oi -t #(-t required, as stated in RT docs)
>path: /usr/sbin/sendmail
>
>avc messages:
>-------------
>avc: denied { read } for pid=6130 exe=/usr/sbin/httpd name=sendmail dev=dm-3 ino=277369 scontext=root:system_r:httpd_t tcontext=user_u:object_r:sbin_t tclass=lnk_file
>
>
>Mail config in RT:
>------------------
>mail command: sendmail
>arguments: -oi
>path: /usr/sbin/sendmail #(not read when mail command set to sendmail)
>
>avc messages:
>-------------
>avc: denied { search } for pid=6082 exe=/usr/bin/perl name=postfix dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
>
>avc: denied { getattr } for pid=6086 exe=/usr/sbin/sendmail.postfix path=socket:[14139] dev=sockfs ino=14139 scontext=root:system_r:system_mail_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
>
>avc: denied { execute } for pid=6087 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
>
>avc: denied { execute_no_trans } for pid=6087 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
>
>avc: denied { read } for pid=6087 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
>
>avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop name=maildrop dev=dm-5 ino=34842 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
>
>avc: denied { add_name } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
>
>avc: denied { create } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
>
>avc: denied { getattr } for pid=6087 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
>
>avc: denied { remove_name } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
>
>avc: denied { rename } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
>
>avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/1ACA7885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
>
>avc: denied { setattr } for pid=6087 exe=/usr/sbin/postdrop name=1ACA7885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
>
>avc: denied { getattr } for pid=6087 exe=/usr/sbin/postdrop path=/var/spool/postfix/public/pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=fifo_file
>
>avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop name=pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=fifo_file
>
>Wow. Big difference in denials.
>
>Regards,
>
>Ranbir
>
Ok one more change. could you do a

chcon -R -t mail_spool_t /var/spool/postfix

And try it again?

Dan

From roger at gwch.net Wed Feb 2 16:07:53 2005
From: roger at gwch.net (Roger Grosswiler)
Date: Wed, 02 Feb 2005 17:07:53 +0100
Subject: installing webapp via install.php in webroot
Message-ID: <4200FAD9.3040103@gwch.net>

Hi,

Was trying to install Linpha in webroot.
Untarred everything, afterwards was pointing the browser to:

http://frodo/linpha/install/install.php

and got the following:

Feb 1 13:19:37 frodo kernel: audit(1107260377.190:0): avc: denied { search } for pid=22391 exe=/usr/sbin/httpd name=linpha dev=dm-0 ino=771968 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Feb 1 13:19:37 frodo kernel: audit(1107260377.190:0): avc: denied { getattr } for pid=22391 exe=/usr/sbin/httpd path=/var/www/html/linpha dev=dm-0 ino=771968 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir

What can I do to get this running?

Roger

From m3freak at rogers.com Wed Feb 2 16:36:16 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Wed, 02 Feb 2005 11:36:16 -0500
Subject: Request Tracker 3
In-Reply-To: <4200F83C.9030300@redhat.com>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private> <1107355585.4943.32.camel@localhost.localdomain> <4200ED4C.1000601@redhat.com> <1107358997.6175.10.camel@localhost.localdomain> <4200F83C.9030300@redhat.com>
Message-ID: <1107362176.6175.32.camel@localhost.localdomain>

On Wed, 2005-02-02 at 10:56 -0500, Daniel J Walsh wrote:
> could you do a
>
> chcon -R -t mail_spool_t /var/spool/postfix

Mail config in RT:
------------------
mail command: sendmail
arguments: -oi
path: /usr/sbin/sendmail

avc messages:
-------------
None! RT received the email and sent out an auto-reply without any
selinux denials!

However, the other email config produced many more selinux denials than
before (last time there was only one message). I included the messages
below anyway.
Mail config in RT:
------------------
mail command: sendmailpipe
arguments: -oi -t #(-t required, as stated in RT docs)
path: /usr/sbin/sendmail

avc messages:
-------------
avc: denied { search } for pid=6171 exe=/usr/bin/perl name=postfix dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:mail_spool_t tclass=dir

avc: denied { read } for pid=6173 exe=/usr/sbin/httpd name=sendmail dev=dm-3 ino=277369 scontext=root:system_r:httpd_t tcontext=user_u:object_r:sbin_t tclass=lnk_file

avc: denied { getattr } for pid=6173 exe=/usr/sbin/sendmail.postfix path=socket:[14495] dev=sockfs ino=14495 scontext=root:system_r:system_mail_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket

avc: denied { search } for pid=6173 exe=/usr/sbin/sendmail.postfix name=postfix dev=dm-5 ino=34833 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir

avc: denied { execute } for pid=6174 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file

avc: denied { execute_no_trans } for pid=6174 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file

avc: denied { read } for pid=6174 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file

avc: denied { write } for pid=6174 exe=/usr/sbin/postdrop name=maildrop dev=dm-5 ino=34842 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir

avc: denied { add_name } for pid=6174 exe=/usr/sbin/postdrop name=530173.6174 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir

avc: denied { create } for pid=6174 exe=/usr/sbin/postdrop name=530173.6174 scontext=root:system_r:system_mail_t tcontext=root:object_r:mail_spool_t tclass=file

avc: denied { getattr } for pid=6174 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/530173.6174 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:mail_spool_t tclass=file

avc: denied { remove_name } for pid=6174 exe=/usr/sbin/postdrop name=530173.6174 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir

avc: denied { rename } for pid=6174 exe=/usr/sbin/postdrop name=530173.6174 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:mail_spool_t tclass=file

avc: denied { write } for pid=6174 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/9BD83885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:mail_spool_t tclass=file

avc: denied { setattr } for pid=6174 exe=/usr/sbin/postdrop name=9BD83885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:mail_spool_t tclass=file

avc: denied { getattr } for pid=6174 exe=/usr/sbin/postdrop path=/var/spool/postfix/public/pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=fifo_file

avc: denied { write } for pid=6174 exe=/usr/sbin/postdrop name=pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=fifo_file

Regards,

Ranbir

--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com

From m3freak at rogers.com  Wed Feb 2 16:43:19 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Wed, 02 Feb 2005 11:43:19 -0500
Subject: Request Tracker 3
In-Reply-To: <1107302287.3987.20.camel@nexus.verbum.private>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private>
Message-ID: <1107362599.6175.37.camel@localhost.localdomain>

On Tue, 2005-01-02 at 18:58 -0500, Colin Walters wrote:
> Hmmm. Surely the SendEmail.pm perl module doesn't scribble on the
> postfix queue directly; I don't think that's supported.

Jesse Vincent, one of the developers (actually, he started the whole thing), replied. Here's his message:

---start---
No. RT generally opens /usr/sbin/sendmail (or whatever you've configured) and pipes the message to it, just like you'd do with

cat "/tmp/msgfile" |/usr/sbin/sendmail -oi -t
---end---

Makes sense, especially considering the options passed to sendmail. I should have realized that.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com

From malists at epon.ro  Wed Feb 2 16:48:16 2005
From: malists at epon.ro (Marius Andreiana)
Date: Wed, 02 Feb 2005 18:48:16 +0200
Subject: postalias segfaults
In-Reply-To: <4200E765.4020401@redhat.com>
References: <1107263048.3525.17.camel@marte.biciclete.ro> <4200017D.6090303@redhat.com> <1107331163.3573.10.camel@marte.biciclete.ro> <4200E765.4020401@redhat.com>
Message-ID: <1107362896.3573.56.camel@marte.biciclete.ro>

On Wed, 2005-02-02 at 09:44 -0500, Daniel J Walsh wrote:
> Could you do a
> ls -l /etc/aliases*

-rw-r--r--  1 root root  1574 Oct  8 18:37 /etc/aliases
-rw-r--r--  1 root root 12288 Feb  1 15:19 /etc/aliases.db

aliases.db was written after I disabled SELinux. I don't know how it looked before.

Thanks

-- 
Marius Andreiana
Epon Business Applications
http://www.epon.ro

From k_andrzej_85 at o2.pl  Wed Feb 2 16:49:46 2005
From: k_andrzej_85 at o2.pl (Andrzej Kąkolewski)
Date: Wed, 2 Feb 2005 17:49:46 +0100
Subject: portmap
Message-ID: <20050202174946.434e4e25@freedom>

Hello
I'm getting this avc message in /var/log/messages:

audit(1107361904.516:0): avc: denied { read } for pid=3588 exe=/sbin/portmap name=libnsl.so.1 dev=dm-0 ino=8700082 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=lnk_file

How can I fix it?
-- 
Regards
Andrzej Kąkolewski
Mail: k_andrzej_85 at o2.pl
JID: gnr at jabber.atman.pl

From walters at redhat.com  Wed Feb 2 16:50:00 2005
From: walters at redhat.com (Colin Walters)
Date: Wed, 02 Feb 2005 11:50:00 -0500
Subject: portmap
In-Reply-To: <20050202174946.434e4e25@freedom>
References: <20050202174946.434e4e25@freedom>
Message-ID: <1107363000.3874.32.camel@nexus.verbum.private>

On Wed, 2005-02-02 at 17:49 +0100, Andrzej Kąkolewski wrote:
> Hello
> I'm getting this avc message in /var/log/messages:
>
> audit(1107361904.516:0): avc: denied { read } for pid=3588
> exe=/sbin/portmap name=libnsl.so.1 dev=dm-0 ino=8700082
> scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
> tclass=lnk_file

Looks like the file context got corrupted; try:

restorecon -v /lib/libnsl.so.1

From dwalsh at redhat.com  Wed Feb 2 17:42:58 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 02 Feb 2005 12:42:58 -0500
Subject: Request Tracker 3
In-Reply-To: <1107362599.6175.37.camel@localhost.localdomain>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private> <1107362599.6175.37.camel@localhost.localdomain>
Message-ID: <42011122.5080803@redhat.com>

Kanwar Ranbir Sandhu wrote:

>On Tue, 2005-01-02 at 18:58 -0500, Colin Walters wrote:
>
>>Hmmm. Surely the SendEmail.pm perl module doesn't scribble on the
>>postfix queue directly; I don't think that's supported.
>
>Jesse Vincent, one of the developers (actually, he started the whole
>thing), replied. Here's his message:
>
>---start---
>No.
>RT generally opens /usr/sbin/sendmail (or whatever you've configured)
>and pipes the message to it, just like you'd do with
>
>cat "/tmp/msgfile" |/usr/sbin/sendmail -oi -t
>---end---
>
>Makes sense, especially considering the options passed to sendmail. I
>should have realized that.
>
>Regards,
>
>Ranbir
>

I think we are going to have to work on this here and setup a postfix mail system to see if we can get it to work. For the time being you might want to turn httpd transitioning off.

setsebool -P httpd_disable_trans 1

From dwalsh at redhat.com  Wed Feb 2 17:44:59 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 02 Feb 2005 12:44:59 -0500
Subject: postalias segfaults
In-Reply-To: <4200E765.4020401@redhat.com>
References: <1107263048.3525.17.camel@marte.biciclete.ro> <4200017D.6090303@redhat.com> <1107331163.3573.10.camel@marte.biciclete.ro> <4200E765.4020401@redhat.com>
Message-ID: <4201119B.4090600@redhat.com>

Daniel J Walsh wrote:

> Marius Andreiana wrote:
>
>> On Tue, 2005-02-01 at 17:23 -0500, Daniel J Walsh wrote:
>>
>>> Are you getting any AVC messages in /var/log/messages?
>>
>> Not related to this. Just
>> Feb 1 14:51:56 192-168-0-199 postfix: postalias "hash:/etc/aliases"
>> failed
>>
>> I can't tell what this is for:
>> Feb 1 14:41:33 192-168-0-199 kernel: audit(1107261693.771:0): avc:
>> denied { read write } for pid=15091 exe=/usr/sbin/rndc path=/dev/tty
>> dev=tmpfs ino=3539 scontext=root:system_r:ndc_t
>> tcontext=system_u:object_r:devtty_t tclass=chr_file
>>
>> And this was about a warning starting httpd and
>> complaining /home/galuna/www doesn't exist (file permissions were ok, I
>> didn't check selinux restrictions)
>> Feb 1 14:41:37 192-168-0-199 kernel: audit(1107261697.762:0): avc:
>> denied { getattr } for pid=15124 exe=/usr/sbin/httpd
>> path=/home/galuna/www dev=hda2 ino=96431 scontext=root:system_r:httpd_t
>> tcontext=root:object_r:user_home_t tclass=dir
>>
>> I disabled SELinux for now.
>> Will try again in FC4 and debug more.
>
> You don't need to disable SELinux, You can disable certain "domains"
> if you do not want them protected.
> If you
> chcon -R -t httpd_sys_content_t /home/galuna/www
> and
> setsebool -P httpd_enable_homedirs 1
>
> Your apache should work.
>
> Could you do a
> ls -l /etc/aliases*

I meant ls -lZ /etc/aliases

>
> Dan
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From k_andrzej_85 at o2.pl  Wed Feb 2 17:58:56 2005
From: k_andrzej_85 at o2.pl (Andrzej Kąkolewski)
Date: Wed, 2 Feb 2005 18:58:56 +0100
Subject: portmap
In-Reply-To: <1107363000.3874.32.camel@nexus.verbum.private>
References: <20050202174946.434e4e25@freedom> <1107363000.3874.32.camel@nexus.verbum.private>
Message-ID: <20050202185856.2f7e2df1@freedom>

Now I have these messages:

audit(1107366819.358:0): avc: denied { read } for pid=3410 exe=/sbin/portmap name=libc.so.6 dev=dm-0 ino=8700100 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=lnk_file

audit(1107366819.376:0): avc: denied { read } for pid=3410 exe=/sbin/portmap name=libc.so.6 dev=dm-0 ino=8700100 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=lnk_file

audit(1107366819.391:0): avc: denied { read } for pid=3410 exe=/sbin/portmap name=libc.so.6 dev=dm-0 ino=8699916 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=lnk_file

audit(1107366819.601:0): avc: denied { read } for pid=3411 exe=/sbin/portmap name=passwd dev=dm-0 ino=10374678 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file

audit(1107366819.615:0): avc: denied { write } for pid=3411 exe=/sbin/portmap name=log dev=tmpfs ino=7175 scontext=user_u:system_r:portmap_t tcontext=user_u:object_r:device_t tclass=sock_file

restorecon -v for libc.so.6 does nothing

On Wed, 02 Feb 2005 11:50:00 -0500
Colin Walters wrote:

> On Wed, 2005-02-02
> at 17:49 +0100, Andrzej Kąkolewski wrote:
> > Hello
> > I'm getting this avc message in /var/log/messages:
> >
> > audit(1107361904.516:0): avc: denied { read } for pid=3588
> > exe=/sbin/portmap name=libnsl.so.1 dev=dm-0 ino=8700082
> > scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
> > tclass=lnk_file
>
> Looks like the file context got corrupted; try:
>
> restorecon -v /lib/libnsl.so.1
>

-- 
Regards
Andrzej Kąkolewski
Mail: k_andrzej_85 at o2.pl
JID: gnr at jabber.atman.pl

From jwr at xmission.com  Wed Feb 2 18:11:22 2005
From: jwr at xmission.com (Jared W. Robinson)
Date: Wed, 2 Feb 2005 11:11:22 -0700
Subject: portmap
In-Reply-To: <20050202185856.2f7e2df1@freedom>
References: <20050202174946.434e4e25@freedom> <1107363000.3874.32.camel@nexus.verbum.private> <20050202185856.2f7e2df1@freedom>
Message-ID: <20050202181122.GA18103@mars.localdomain>

I'm having the same problem -- and it happened after I upgraded my system. So, I put my machine into permissive mode, and today, I've been restarting portmap and watching /var/log/messages to see what happens. Here's what I've done so far:

restorecon -v /lib/libnsl.so.1
restorecon -v /lib/libnsl-2.3.4.so
restorecon -v /lib/tls/libc-2.3.4.so
restorecon -v /var/run/nscd/socket

But, I still get this denied message:
Feb 2 11:07:28 dev-zelda nscd: 13668 avc: denied { shmempwd } for scontext=root:system_r:portmap_t tcontext=user_u:system_r:unconfined_t tclass=nscd

Anyone have a clue of what to do for that?
- Jared

On Wed, Feb 02, 2005 at 06:58:56PM +0100, Andrzej Kąkolewski wrote:
> Now I have these messages:
>
> audit(1107366819.358:0): avc: denied { read } for pid=3410
> exe=/sbin/portmap name=libc.so.6 dev=dm-0 ino=8700100
> scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
> tclass=lnk_file
>
> audit(1107366819.376:0): avc: denied { read } for pid=3410
> exe=/sbin/portmap name=libc.so.6 dev=dm-0 ino=8700100
> scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
> tclass=lnk_file
>
> audit(1107366819.391:0): avc: denied { read } for pid=3410
> exe=/sbin/portmap name=libc.so.6 dev=dm-0 ino=8699916
> scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
> tclass=lnk_file
>
> audit(1107366819.601:0): avc: denied { read } for pid=3411
> exe=/sbin/portmap name=passwd dev=dm-0 ino=10374678
> scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
> tclass=file
>
> audit(1107366819.615:0): avc: denied { write } for pid=3411
> exe=/sbin/portmap name=log dev=tmpfs ino=7175
> scontext=user_u:system_r:portmap_t tcontext=user_u:object_r:device_t
> tclass=sock_file
>
> restorecon -v for libc.so.6 does nothing
>
>
> On Wed, 02 Feb 2005 11:50:00 -0500
> Colin Walters wrote:
>
> > On Wed, 2005-02-02 at 17:49 +0100, Andrzej Kąkolewski wrote:
> > > Hello
> > > I'm getting this avc message in /var/log/messages:
> > >
> > > audit(1107361904.516:0): avc: denied { read } for pid=3588
> > > exe=/sbin/portmap name=libnsl.so.1 dev=dm-0 ino=8700082
> > > scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
> > > tclass=lnk_file
> >
> > Looks like the file context got corrupted; try:
> >
> > restorecon -v /lib/libnsl.so.1
> >
>
> --
> Regards
> Andrzej Kąkolewski
> Mail: k_andrzej_85 at o2.pl
> JID: gnr at jabber.atman.pl
>
> --
> fedora-selinux-list mailing list
>
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

-- 
"Open source means standing on the shoulders of giants."
"The Internet is powered by open source."
- Marc Andreessen

From HBurde at t-online.de  Wed Feb 2 18:01:04 2005
From: HBurde at t-online.de (Holger Burde)
Date: Wed, 02 Feb 2005 19:01:04 +0100
Subject: policy change adventure ..
Message-ID: <1107367264.9508.3.camel@marvin.warpnet.com>

Hi,

Thx for the hint - looks a lot better now. In order to get that working I had to replace the policycoreutils with the rawhide version. Besides 2 warnings it seems ok:

Preparing...                ########################################### [100%]
Warnung: setexeccon(root:staff_r:rpm_script_t) fails from context "root:staff_r:staff_t": Das Argument ist ungültig (= invalid argument)
Continuing ...
   1:selinux-policy-strict  ########################################### [100%]
Warnung: setexeccon(root:staff_r:rpm_script_t) fails from context "root:staff_r:staff_t": Das Argument ist ungültig
Continuing ...

I have to install the source to make some custom changes later on and got a 'wrong checkpolicy version' error (rpm -Uvh strict-sources...). Any idea? (checkpolicy should be in policycoreutils which was already replaced with the latest rawhide version!)

-- 
Holger Burde

From sds at epoch.ncsc.mil  Wed Feb 2 18:55:50 2005
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Wed, 02 Feb 2005 13:55:50 -0500
Subject: policy change adventure ..
In-Reply-To: <1107367264.9508.3.camel@marvin.warpnet.com>
References: <1107367264.9508.3.camel@marvin.warpnet.com>
Message-ID: <1107370550.890.319.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-02-02 at 13:01, Holger Burde wrote:
> Preparing... ###########################################
> [100%]
> Warnung: setexeccon(root:staff_r:rpm_script_t) fails from context
> "root:staff_r:staff_t": Das Argument ist ungültig (= invalid argument)
> Continuing ...
> 1:selinux-policy-strict ###########################################
> [100%]
> Warnung: setexeccon(root:staff_r:rpm_script_t) fails from context
> "root:staff_r:staff_t": Das Argument ist ungültig
> Continuing ...

newrole -r sysadm_r (or run su) prior to running rpm (or performing other admin duties).

> I have to install the source to make some custom changes later on and
> got a 'wrong checkpolicy version' error (rpm -Uvh strict-sources...).
> Any idea? (checkpolicy should be in policycoreutils which was already
> replaced with the latest rawhide version!)

checkpolicy is a separate package.

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com  Wed Feb 2 19:05:25 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 02 Feb 2005 14:05:25 -0500
Subject: portmap
In-Reply-To: <20050202181122.GA18103@mars.localdomain>
References: <20050202174946.434e4e25@freedom> <1107363000.3874.32.camel@nexus.verbum.private> <20050202185856.2f7e2df1@freedom> <20050202181122.GA18103@mars.localdomain>
Message-ID: <42012475.7010208@redhat.com>

Jared W. Robinson wrote:

>I'm having the same problem -- and it happened after I upgraded my
>system. So, I put my machine into permissive mode, and today, I've been
>restarting portmap and watching /var/log/messages to see what happens.
>Here's what I've done so far:
>
>restorecon -v /lib/libnsl.so.1
>restorecon -v /lib/libnsl-2.3.4.so
>restorecon -v /lib/tls/libc-2.3.4.so
>restorecon -v /var/run/nscd/socket
>
>But, I still get this denied message:
>Feb 2 11:07:28 dev-zelda nscd: 13668 avc: denied { shmempwd } for scontext=root:system_r:portmap_t tcontext=user_u:system_r:unconfined_t tclass=nscd
>
>Anyone have a clue of what to do for that?
>
>- Jared
>
>On Wed, Feb 02, 2005 at 06:58:56PM +0100, Andrzej Kąkolewski wrote:
>
>>Now I have these messages:
>>
>>audit(1107366819.358:0): avc: denied { read } for pid=3410
>>exe=/sbin/portmap name=libc.so.6 dev=dm-0 ino=8700100
>>scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
>>tclass=lnk_file
>>
>>audit(1107366819.376:0): avc: denied { read } for pid=3410
>>exe=/sbin/portmap name=libc.so.6 dev=dm-0 ino=8700100
>>scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
>>tclass=lnk_file
>>
>>audit(1107366819.391:0): avc: denied { read } for pid=3410
>>exe=/sbin/portmap name=libc.so.6 dev=dm-0 ino=8699916
>>scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
>>tclass=lnk_file
>>
>>audit(1107366819.601:0): avc: denied { read } for pid=3411
>>exe=/sbin/portmap name=passwd dev=dm-0 ino=10374678
>>scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
>>tclass=file
>>
>>audit(1107366819.615:0): avc: denied { write } for pid=3411
>>exe=/sbin/portmap name=log dev=tmpfs ino=7175
>>scontext=user_u:system_r:portmap_t tcontext=user_u:object_r:device_t
>>tclass=sock_file
>>
>>restorecon -v for libc.so.6 does nothing
>>
>>
>>On Wed, 02 Feb 2005 11:50:00 -0500
>>Colin Walters wrote:
>>
>>>On Wed, 2005-02-02 at 17:49 +0100, Andrzej Kąkolewski wrote:
>>>
>>>>Hello
>>>>I'm getting this avc message in /var/log/messages:
>>>>
>>>>audit(1107361904.516:0): avc: denied { read } for pid=3588
>>>>exe=/sbin/portmap name=libnsl.so.1 dev=dm-0 ino=8700082
>>>>scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
>>>>tclass=lnk_file
>>>
>>>Looks like the file context got corrupted; try:
>>>
>>>restorecon -v /lib/libnsl.so.1
>>>
>>--
>>Regards
>>Andrzej Kąkolewski
>>Mail: k_andrzej_85 at o2.pl
>>JID: gnr at jabber.atman.pl
>>
>>--
>>fedora-selinux-list mailing list
>>fedora-selinux-list at redhat.com
>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

You do not have a labeled file system. Either you upgraded or you booted without SELinux support I would suspect.

The easiest way to clean up is
touch /.autorelabel
reboot

Dan

From k_andrzej_85 at o2.pl  Wed Feb 2 19:37:52 2005
From: k_andrzej_85 at o2.pl (Andrzej Kąkolewski)
Date: Wed, 2 Feb 2005 20:37:52 +0100
Subject: portmap
In-Reply-To: <42012475.7010208@redhat.com>
References: <20050202174946.434e4e25@freedom> <1107363000.3874.32.camel@nexus.verbum.private> <20050202185856.2f7e2df1@freedom> <20050202181122.GA18103@mars.localdomain> <42012475.7010208@redhat.com>
Message-ID: <20050202203752.7299bbe0@freedom>

thanks

On Wed, 02 Feb 2005 14:05:25 -0500
Daniel J Walsh wrote:

> You do not have a labeled file system. Either you upgraded or you
> booted without SELinux support I would suspect.
>
> The easiest way to clean up is
> touch /.autorelabel
> reboot
>
> Dan

-- 
Regards
Andrzej Kąkolewski
Mail: k_andrzej_85 at o2.pl
JID: gnr at jabber.atman.pl

From jwr at xmission.com  Wed Feb 2 23:38:29 2005
From: jwr at xmission.com (Jared W. Robinson)
Date: Wed, 2 Feb 2005 16:38:29 -0700
Subject: apt-get doesn't support SELinux (Was Re: portmap)
In-Reply-To: <42012475.7010208@redhat.com>
References: <20050202174946.434e4e25@freedom> <1107363000.3874.32.camel@nexus.verbum.private> <20050202185856.2f7e2df1@freedom> <20050202181122.GA18103@mars.localdomain> <42012475.7010208@redhat.com>
Message-ID: <20050202233829.GA18584@mars.localdomain>

As an FYI, apt-get doesn't support SELinux. I didn't know that until now.
- Jared

On Wed, Feb 02, 2005 Daniel J Walsh wrote:
> > I installed the FC3 machine from scratch, and it was running for
> > some time without problems in targeted mode. [...] But looking at it
> > today, many libraries in the /lib directory had the wrong contexts.
> > I wonder if using apt-get and freshrpms or the Dag Wieers rpms had
> > anything to do with the "degradation" of my system.
>
> apt-get does not have the SELinux port, so any RPM that you installed
> would get the default context for the directory that it was installed
> in. Yum and rpm support SELinux but apt does not. (We don't ship apt so
> I don't get a chance to change it. You might find a SELinux version of
> it available from debian.)

From m3freak at rogers.com  Thu Feb 3 01:03:22 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Wed, 02 Feb 2005 20:03:22 -0500
Subject: Request Tracker 3
In-Reply-To: <42011122.5080803@redhat.com>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private> <1107362599.6175.37.camel@localhost.localdomain> <42011122.5080803@redhat.com>
Message-ID: <1107392602.4761.9.camel@localhost.localdomain>

On Wed, 2005-02-02 at 12:42 -0500, Daniel J Walsh wrote:
> I think we are going to have to work on this here and setup a postfix
> mail system to
> see if we can get it to work. For the time being you might want to
> turn httpd transitioning off.
>
> setsebool -P httpd_disable_trans 1

Thanks, but now that RT is working with the config I mentioned in my other message, I'm not so concerned (you read my other message, right?).
I am a little worried that a future selinux update will wipe out what you and Colin helped me with. Gotta make some notes...

Again, thanks for your help. It's good to see RT running with selinux in place. I'll have to report this to the RT list.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com

From m3freak at rogers.com  Thu Feb 3 04:46:08 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Wed, 02 Feb 2005 23:46:08 -0500
Subject: Request Tracker 3
In-Reply-To: <1107392602.4761.9.camel@localhost.localdomain>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private> <1107362599.6175.37.camel@localhost.localdomain> <42011122.5080803@redhat.com> <1107392602.4761.9.camel@localhost.localdomain>
Message-ID: <1107405968.5623.7.camel@localhost.localdomain>

I spoke too soon. It's still not working. For some reason I sent a few emails, and there were no denials. I waited a few minutes, and then tried again, and lo and behold, the denials were back. So, my other message was partially incorrect (the part about there not being any denials when setting the mail command to "sendmail").
After running "chcon -R -t mail_spool_t /var/spool/postfix", these were the denials eventually reported (there are a few new ones):

avc: denied { search } for pid=6845 exe=/usr/bin/perl name=postfix dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:mail_spool_t tclass=dir
avc: denied { getattr } for pid=6847 exe=/usr/sbin/sendmail.postfix path=socket:[17672] dev=sockfs ino=17672 scontext=root:system_r:system_mail_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
avc: denied { search } for pid=6847 exe=/usr/sbin/sendmail.postfix name=postfix dev=dm-5 ino=34833 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir
avc: denied { execute } for pid=6848 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
avc: denied { execute_no_trans } for pid=6848 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
avc: denied { read } for pid=6848 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
avc: denied { write } for pid=6848 exe=/usr/sbin/postdrop name=maildrop dev=dm-5 ino=34842 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir
avc: denied { add_name } for pid=6848 exe=/usr/sbin/postdrop name=964455.6848 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir
avc: denied { create } for pid=6848 exe=/usr/sbin/postdrop name=964455.6848 scontext=root:system_r:system_mail_t tcontext=root:object_r:mail_spool_t tclass=file
avc: denied { getattr } for pid=6848 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/964455.6848 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:mail_spool_t tclass=file
avc:
denied { remove_name } for pid=6848 exe=/usr/sbin/postdrop name=964455.6848 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir
avc: denied { rename } for pid=6848 exe=/usr/sbin/postdrop name=964455.6848 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:mail_spool_t tclass=file
avc: denied { write } for pid=6848 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/11B20885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:mail_spool_t tclass=file
avc: denied { setattr } for pid=6848 exe=/usr/sbin/postdrop name=11B20885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:mail_spool_t tclass=file
avc: denied { getattr } for pid=6848 exe=/usr/sbin/postdrop path=/var/spool/postfix/public/pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=fifo_file
avc: denied { write } for pid=6848 exe=/usr/sbin/postdrop name=pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=fifo_file

HTH in finding a solution.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com

From m3freak at rogers.com  Thu Feb 3 04:59:01 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Wed, 02 Feb 2005 23:59:01 -0500
Subject: Request Tracker 3
In-Reply-To: <42011122.5080803@redhat.com>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private> <1107362599.6175.37.camel@localhost.localdomain> <42011122.5080803@redhat.com>
Message-ID: <1107406741.5623.15.camel@localhost.localdomain>

On Wed, 2005-02-02 at 12:42 -0500, Daniel J Walsh wrote:
> For the time being you might want to
> turn httpd transitioning off.
>
> setsebool -P httpd_disable_trans 1

I gave that a shot, but it doesn't work. A denial is still reported:

avc: denied { search } for pid=6904 exe=/usr/sbin/sendmail.postfix name=postfix dev=dm-5 ino=34833 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir

BTW, the error reported in /var/log/maillog is this:

postfix/sendmail[6904]: fatal: chdir /var/spool/postfix: Permission denied

Email is making its way into RT because tickets are being created. It's just the auto replies from RT that aren't making it out. Basically, RT is not being allowed to SEND email.

Since I'm still running tests on RT (just upgraded), I'm going to set SElinux to permissive mode. I'm sure I'm going to run into other problems with selinux.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com

From malists at epon.ro  Thu Feb 3 07:13:37 2005
From: malists at epon.ro (Marius Andreiana)
Date: Thu, 03 Feb 2005 09:13:37 +0200
Subject: postalias segfaults
In-Reply-To: <4201119B.4090600@redhat.com>
References: <1107263048.3525.17.camel@marte.biciclete.ro> <4200017D.6090303@redhat.com> <1107331163.3573.10.camel@marte.biciclete.ro> <4200E765.4020401@redhat.com> <4201119B.4090600@redhat.com>
Message-ID: <1107414818.3563.9.camel@marte.biciclete.ro>

On Wed, 2005-02-02 at 12:44 -0500, Daniel J Walsh wrote:
> I meant ls -lZ /etc/aliases

-rw-r--r--  root root system_u:object_r:etc_t    /etc/aliases
-rw-r--r--  root root                            /etc/aliases.db

In order to get this ls I enabled SELinux again and rebooted. Tried postalias again and it works now. Can't explain it.

-- 
Marius Andreiana
Epon Business Applications
http://www.epon.ro

From dwalsh at redhat.com  Thu Feb 3 15:24:03 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 03 Feb 2005 10:24:03 -0500
Subject: Request Tracker 3
In-Reply-To: <1107406741.5623.15.camel@localhost.localdomain>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private> <1107362599.6175.37.camel@localhost.localdomain> <42011122.5080803@redhat.com> <1107406741.5623.15.camel@localhost.localdomain>
Message-ID: <42024213.5070701@redhat.com>

Kanwar Ranbir Sandhu wrote:

>On Wed, 2005-02-02 at 12:42 -0500, Daniel J Walsh wrote:
>
>>For the time being you might want to
>>turn httpd transitioning off.
>>
>>setsebool -P httpd_disable_trans 1
>
>I gave that a shot, but it doesn't work.
>A denial is still reported:
>
>avc: denied { search } for pid=6904 exe=/usr/sbin/sendmail.postfix
>name=postfix dev=dm-5 ino=34833 scontext=root:system_r:system_mail_t
>tcontext=system_u:object_r:mail_spool_t tclass=dir
>
>BTW, the error reported in /var/log/maillog is this:
>
>postfix/sendmail[6904]: fatal: chdir /var/spool/postfix: Permission
>denied
>
>Email is making its way into RT because tickets are being created.
>It's just the auto replies from RT that aren't making it out.
>Basically, RT is not being allowed to SEND email.
>
>Since I'm still running tests on RT (just upgraded), I'm going to set
>SElinux to permissive mode. I'm sure I'm going to run into other
>problems with selinux.
>
>Regards,
>
>Ranbir
>

There is a bug in targeted policy that allows the system to transition from unconfined_t to httpd_sys_script_t even if httpd_disable_trans is set.

selinux-policy-targeted-1.17.30-2.76 should fix this for FC3
selinux-policy-targeted-1.21.8.3 should fix this for rawhide

both are available on ftp://people.redhat.com/dwalsh/SELinux/{FC3,Fedora}

From gbpeck at sbcglobal.net  Thu Feb 3 19:29:54 2005
From: gbpeck at sbcglobal.net (Gary Peck)
Date: Thu, 3 Feb 2005 11:29:54 -0800
Subject: apt-get doesn't support SELinux (Was Re: portmap)
In-Reply-To: <20050202233829.GA18584@mars.localdomain>
References: <20050202174946.434e4e25@freedom> <1107363000.3874.32.camel@nexus.verbum.private> <20050202185856.2f7e2df1@freedom> <20050202181122.GA18103@mars.localdomain> <42012475.7010208@redhat.com> <20050202233829.GA18584@mars.localdomain>
Message-ID: <20050203192953.GA19934@realify.com>

On Wed, Feb 02, 2005 at 04:38:29PM -0700, Jared W. Robinson wrote:
> As an FYI, apt-get doesn't support SELinux. I didn't know that until now.

Actually, apt-get has SELinux support in CVS, just not in the latest released version (0.5.15cnc6). Which version of apt-get are you running, and from which repository?
I know that apt in Fedora Extras is using the CVS version, but I believe Dag's apt might still be at the last released version.

BTW, the SELinux patch is available at http://distro2.conectiva.com.br/pipermail/apt-rpm/2004-June/002415.html. It's pretty minor.

Gary

> On Wed, Feb 02, 2005 Daniel J Walsh wrote:
>
> > > I installed the FC3 machine from scratch, and it was running for
> > > some time without problems in targeted mode. [...] But looking at it
> > > today, many libraries in the /lib directory had the wrong contexts.
> > > I wonder if using apt-get and freshrpms or the Dag Wieers rpms had
> > > anything to do with the "degradation" of my system.
> >
> > apt-get does not have the SELinux port, so any RPM that you installed
> > would get the default context for the directory that it was installed
> > in. Yum and rpm support SELinux but apt does not. (We don't ship apt so
> > I don't get a chance to change it. You might find a SELinux version of
> > it available from debian.)

From m3freak at rogers.com Thu Feb 3 21:33:11 2005
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Thu, 03 Feb 2005 16:33:11 -0500
Subject: Request Tracker 3
In-Reply-To: <42024213.5070701@redhat.com>
References: <1107133597.4988.34.camel@localhost.localdomain> <1107191568.3777.25.camel@nexus.verbum.private> <1107195401.4739.18.camel@localhost.localdomain> <1107197015.3777.34.camel@nexus.verbum.private> <1107218079.4739.54.camel@localhost.localdomain> <1107220040.6133.22.camel@nexus.verbum.private> <1107224899.4739.64.camel@localhost.localdomain> <1107271336.4928.14.camel@localhost.localdomain> <1107302287.3987.20.camel@nexus.verbum.private> <1107362599.6175.37.camel@localhost.localdomain> <42011122.5080803@redhat.com> <1107406741.5623.15.camel@localhost.localdomain> <42024213.5070701@redhat.com>
Message-ID: <1107466391.4925.73.camel@localhost.localdomain>

On Thu, 2005-03-02 at 10:24 -0500, Daniel J Walsh wrote:
> There is a bug in targeted policy that allows the system to
> transition from unconfined_t to httpd_sys_script_t even if httpd_disable_trans is set.
>
> selinux-policy-targeted-1.17.30-2.76 should fix this for FC3

I installed that after updating my system with selinux-policy-targeted-1.17.30-2.75, but I didn't see a change. I still got the same denials.

I've been running in permissive mode, and so far a few other denials have popped up (denials for scripts trying to write directories). I've been able to resolve them by changing the type in the target security context.

When you want me to try something out, let me know.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com

From jwr at xmission.com Thu Feb 3 22:35:36 2005
From: jwr at xmission.com (Jared W. Robinson)
Date: Thu, 3 Feb 2005 15:35:36 -0700
Subject: apt-get doesn't support SELinux (Was Re: portmap)
In-Reply-To: <20050203192953.GA19934@realify.com>
References: <20050202174946.434e4e25@freedom> <1107363000.3874.32.camel@nexus.verbum.private> <20050202185856.2f7e2df1@freedom> <20050202181122.GA18103@mars.localdomain> <42012475.7010208@redhat.com> <20050202233829.GA18584@mars.localdomain> <20050203192953.GA19934@realify.com>
Message-ID: <20050203223536.GB20086@mars.localdomain>

I was using apt from freshrpms, and I happened to figure out today that the Fedora Extras version of apt supports SELinux. I've forwarded your patch URL to the maintainer of freshrpms.

Thanks,
- Jared

On Thu, Feb 03, 2005 at 11:29:54AM -0800, Gary Peck wrote:
> On Wed, Feb 02, 2005 at 04:38:29PM -0700, Jared W. Robinson wrote:
> > As an FYI, apt-get doesn't support SELinux. I didn't know that until now.
>
> Actually, apt-get has SELinux support in CVS, just not in the latest
> released version (0.5.15cnc6). Which version of apt-get are you running,
> and from which repository? I know that apt in Fedora Extras is using the
> CVS version, but I believe Dag's apt might still be at the last released
> version.
>
> BTW, the SELinux patch is available at
> http://distro2.conectiva.com.br/pipermail/apt-rpm/2004-June/002415.html.
> It's pretty minor.
>
> Gary
>
> > On Wed, Feb 02, 2005 Daniel J Walsh wrote:
> >
> > > > I installed the FC3 machine from scratch, and it was running for
> > > > some time without problems in targeted mode. [...] But looking at it
> > > > today, many libraries in the /lib directory had the wrong contexts.
> > > > I wonder if using apt-get and freshrpms or the Dag Wieers rpms had
> > > > anything to do with the "degradation" of my system.
> > >
> > > apt-get does not have the SELinux port, so any RPM that you installed
> > > would get the default context for the directory that it was installed
> > > in. Yum and rpm support SELinux but apt does not. (We don't ship apt so
> > > I don't get a chance to change it. You might find a SELinux version of
> > > it available from debian.)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

-- 
"Open source means standing on the shoulders of giants."
"The Internet is powered by open source." - Marc Andreessen

From dragoran at feuerpokemon.de Sun Feb 6 08:08:55 2005
From: dragoran at feuerpokemon.de (dragoran)
Date: Sun, 06 Feb 2005 09:08:55 +0100
Subject: mysql wont start with new kernel
Message-ID: <4205D097.5010800@feuerpokemon.de>

I installed kernel 2.6.11-rc3-RT-V0.7.38-01 (compiled it from source). I did make oldconfig and enabled PREEMT_DESKTOP, CONFIG_MK7 and ntfs support.
After booting the kernel mysql doesn't start. It shows:

Timeout error occurred trying to start MySQL Daemon.

dmesg says:

audit(1107676996.424:0): avc: denied { execmem } for pid=4806 comm=mysqld scontext=root:system_r:mysqld_t tcontext=root:system_r:mysqld_t tclass=process

It works when I disable selinux for mysqld. I am running the targeted policy.
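Added example, not code from the list or from any of its posters: a small parser for the kernel AVC denial format quoted throughout this archive (the mysqld execmem line above, plus the sendmail, httpd and eclipse denials from the other threads), which groups denials by source domain so the pattern behind a failure like this one is visible before anyone reaches for permissive mode. The sample lines are copied from the denials quoted in this archive; the hint about the allow_execmem/allow_execmod booleans is the one given later in the execmem thread for unconfined_t, and everything else is plain field parsing.

```python
"""Parse and triage SELinux AVC denial lines (FC3-era kernel audit format).

Accepts raw dmesg lines ("audit(...): avc: denied {...} for ..."), syslog
lines with a "Mon D HH:MM:SS host kernel:" prefix, and bare "avc: denied"
lines as pasted into mail; anything else is ignored.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Optional "audit(<secs>.<ms>:<serial>):" prefix, then the permission set and
# the key=value fields that follow "for".
_AVC_RE = re.compile(
    r"(?:audit\((?P<ts>[\d.]+):\d+\):\s*)?"
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
_FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Denial:
    perms: List[str]
    fields: Dict[str, str]
    timestamp: Optional[str] = None

    @property
    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def subject(self) -> str:
        # dmesg lines carry comm=, older /var/log/messages lines carry exe=
        return self.fields.get("comm") or self.fields.get("exe", "?")


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC line, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = dict(_FIELD_RE.findall(m.group("fields")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return Denial(m.group("perms").split(), fields, m.group("ts"))


def hint(d: Denial) -> str:
    """One-line reading of a denial, in the terms used in this archive."""
    if "execmem" in d.perms or "execmod" in d.perms:
        if d.source_type == "unconfined_t":
            return ("execmem/execmod in unconfined_t: governed by the "
                    "allow_execmem/allow_execmod booleans")
        return (f"execmem/execmod in {d.source_type}: not granted by that "
                "domain's policy; needs a policy change, not a boolean")
    return (f"{d.source_type} denied {' '.join(d.perms)} on "
            f"{d.fields['tclass']} {d.target_type}")


def triage(lines: List[str]) -> Dict[str, List[tuple]]:
    """Group denials by source domain: {type: [(perm, tclass, target, subject)]}."""
    out = defaultdict(list)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d.perms:
            out[d.source_type].append(
                (perm, d.fields["tclass"], d.target_type, d.subject))
    return dict(out)


# Sample input: denial lines as quoted in this list archive, plus one
# non-AVC kernel line to show it is skipped.
SAMPLE_LOG = """\
audit(1107676996.424:0): avc: denied { execmem } for pid=4806 comm=mysqld scontext=root:system_r:mysqld_t tcontext=root:system_r:mysqld_t tclass=process
avc: denied { search } for pid=6904 exe=/usr/sbin/sendmail.postfix name=postfix dev=dm-5 ino=34833 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir
Feb 6 04:02:26 nimeta01 kernel: audit(1107655346.258:0): avc: denied { ioctl } for pid=3587 exe=/usr/sbin/httpd path=/var/log/httpd/error_log.1 dev=hda3 ino=1174805 scontext=user_u:system_r:httpd_t tcontext=root:object_r:httpd_runtime_t tclass=file
audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
Feb 6 04:02:27 nimeta01 kernel: usb 1-1: new full speed USB device
"""

if __name__ == "__main__":
    for domain, entries in triage(SAMPLE_LOG.splitlines()).items():
        print(domain)
        for entry in entries:
            print("   ", entry)
    for line in SAMPLE_LOG.splitlines():
        d = parse_avc(line)
        if d:
            print(hint(d))
```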
From russell at coker.com.au Sun Feb 6 12:42:21 2005
From: russell at coker.com.au (Russell Coker)
Date: Sun, 6 Feb 2005 23:42:21 +1100
Subject: Are these settings correct?
In-Reply-To: <4424.128.252.85.103.1107286320.squirrel@morpheus.wustl.edu>
References: <4424.128.252.85.103.1107286320.squirrel@morpheus.wustl.edu>
Message-ID: <200502062342.24540.russell@coker.com.au>

On Wednesday 02 February 2005 06:32, "Hongwei Li" wrote:
> # ls -lZ /usr/sbin/send*
> lrwxrwxrwx  root root  user_u:object_r:sbin_t   /usr/sbin/sendmail -> /etc/alternatives/mta
> -rwxr-sr-x  root smmsp system_u:object_r:sbin_t /usr/sbin/sendmail.sendmail
>
> and all files in /etc/alternatives/ show either user_u:object_r:etc_t or
> root:object_r:etc_t
>
> Are these settings correct? Do I need to run restorecon on them? or on
> all folders in the system?

Those settings are correct for the targeted policy (the default for Fedora).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From Fred.New at microlink.ee Mon Feb 7 07:54:04 2005
From: Fred.New at microlink.ee (Fred New)
Date: Mon, 7 Feb 2005 09:54:04 +0200
Subject: httpd log rotation problem?
Message-ID: <345764DCB65C0C4FACC44529DE273C18F8EA11@eemail1.microlink.lan>

I am getting the following message once a week on a standard FC3 system.
Is this one of those denials that shouldn't be audited?:

Feb 6 04:02:26 nimeta01 kernel: audit(1107655346.258:0): avc: denied { ioctl } for pid=3587 exe=/usr/sbin/httpd path=/var/log/httpd/error_log.1 dev=hda3 ino=1174805 scontext=user_u:system_r:httpd_t tcontext=root:object_r:httpd_runtime_t tclass=file

httpd-2.0.52-3.1
selinux-policy-targeted-1.17.30-2.75
logrotate-3.7.1-2

Fred New

From KokHow.Teh at marconi.com Mon Feb 7 05:03:21 2005
From: KokHow.Teh at marconi.com (KokHow Teh)
Date: Mon, 7 Feb 2005 13:03:21 +0800
Subject: Fedora Core 2: initrd failed to mount ext3 root fs.
Message-ID:

Hi list;

I just installed Fedora Core 2 in the last 2 days. The binaries from the installation CDs work fine, so I had no problem installing the full system and booting up the machine (i686 P4). However, when I build the kernel from the source with the default configuration for arch/i386, booting up the machine fails because initrd fails to mount the ext3 root file system. It fails when linuxrc tries to mount the root fs with pivot_root(). Please advise. Thanks.

Regards,
TEH

From Paul.Kutzler at arrowintl.com Wed Feb 9 20:06:16 2005
From: Paul.Kutzler at arrowintl.com (Kutzler, Paul)
Date: Wed, 9 Feb 2005 15:06:16 -0500
Subject: CORE 3
Message-ID:

I am having problems getting the syslog to write to something outside the /var/log directory..... I have this working on FC2 and I believe I have all the configs changed over.... Maybe I am missing a file? Any help appreciated.

Thanks
Paul

Paul E. Kutzler II, CISSP, RHCE
Senior Systems Administrator
Arrow International, Inc
www.arrowintl.com
Corporate Offices
2400 Bernville Road, Reading, PA 19605
Voice: 610 - 378 - 0131, ext. 3458
Fax: 610 - 374 - 5360

CONFIDENTIALITY NOTICE: If you have received this e-mail in error, please immediately notify the sender by e-mail at the address shown. This e-mail transmission may contain confidential information.
This information is intended only for the use of the individual(s) or entity for whom it is intended even if addressed incorrectly. Please delete from your files if you are not the intended recipient. Thank you for your compliance.

From drepper at redhat.com Wed Feb 9 22:32:05 2005
From: drepper at redhat.com (Ulrich Drepper)
Date: Wed, 09 Feb 2005 14:32:05 -0800
Subject: CORE 3
In-Reply-To:
References:
Message-ID: <420A8F65.4090701@redhat.com>

Kutzler, Paul wrote:
> I am having problems getting the syslog to write to something outside
> the /var/log directory.....

You mean the file you want to write to is not in /var/log? With SELinux enabled, the directory the file lives in must be labeled with system_u:object_r:var_log_t and the file itself with root:object_r:var_log_t (or user_u:object_r:var_log_t, depending on the file). Either change the label by hand or add an appropriate line to the file_contexts file.

If you're not familiar with SELinux, read the release notes and the other information pointed to in this document.

-- 
Ulrich Drepper | Red Hat, Inc. | 444 Castro St | Mountain View, CA

From linuxuser at rhjensen.com Thu Feb 10 03:06:31 2005
From: linuxuser at rhjensen.com (R. Jensen)
Date: Wed, 09 Feb 2005 21:06:31 -0600
Subject: Default permissions and security context of new user?
Message-ID: <420ACFB7.7070307@rhjensen.com>

Moderator: I didn't realize I had sent this message from a different address than the one I used to subscribe to the list. Sorry.

------------------------------------------------------

Hi.
I'm wondering about the permissions new users get when they are created. Before SELinux I had to add users to 'wheel' to enable them to su to root.

I did an adduser and it seems to be unrestricted:

[testse at lankhmar ~]$ id -Z
user_u:system_r:unconfined_t

and the user is able to su to root. Is this normal? How would I keep the user from being able to su?

I added:

user testse roles { user_r };

to /etc/selinux/targeted/src/policy/users and did: make load

This didn't seem to make any difference.

This is on FC3 (2.6.10-1.760_FC3)
selinux-policy-targeted-1.17.30-2.75

[root at lankhmar ~]# sestatus
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file: targeted

I'm not sure if this is clear, or enough information. I tried searching the archives but didn't find anything. [I may be searching incorrectly].

Thanks,
Richard.

From sds at epoch.ncsc.mil Thu Feb 10 12:18:48 2005
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 10 Feb 2005 07:18:48 -0500
Subject: Default permissions and security context of new user?
In-Reply-To: <420ACFB7.7070307@rhjensen.com>
References: <420ACFB7.7070307@rhjensen.com>
Message-ID: <1108037928.22172.8.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-02-09 at 22:06, R. Jensen wrote:
> Hi. I'm wondering about the permissions new users get
> when they are created. Before SELinux I had to add users
> to 'wheel' to enable them to su to root.
>
> I did an adduser and it seems to be unrestricted:
>
> [testse at lankhmar ~]$ id -Z
> user_u:system_r:unconfined_t
>
> and the user is able to su to root. Is this normal?
> How would I keep the user from being able to su?
>
> I added:
> user testse roles { user_r };
>
> to /etc/selinux/targeted/src/policy/users
> and did: make load
>
> This didn't seem to make any difference.
>
> This is on FC3 (2.6.10-1.760_FC3)
> selinux-policy-targeted-1.17.30-2.75
>
> [root at lankhmar ~]# sestatus
> SELinux status:         enabled
> SELinuxfs mount:        /selinux
> Current mode:           enforcing
> Mode from config file:  enforcing
> Policy version:         18
> Policy from config file: targeted
>
> I'm not sure if this is clear, or enough information.
> I tried searching the archives but didn't find anything.
> [I may be searching incorrectly].

The Red Hat targeted policy is only focused on confining specific daemons, not users. If you want to confine users and a much wider set of programs and daemons, install and switch to the strict policy, but be prepared for a significant change in your normal mode of operation. See the Fedora SELinux FAQ.

-- 
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Thu Feb 10 12:20:14 2005
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 10 Feb 2005 07:20:14 -0500
Subject: Default permissions and security context of new user?
In-Reply-To: <420ACFB7.7070307@rhjensen.com>
References: <420ACFB7.7070307@rhjensen.com>
Message-ID: <1108038014.22172.10.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-02-09 at 22:06, R. Jensen wrote:
> Policy from config file: targeted
>
> I'm not sure if this is clear, or enough information.
> I tried searching the archives but didn't find anything.
> [I may be searching incorrectly].

Also, if you are going to use the strict policy, you are advised to grab the latest one from rawhide rather than just using the one from FC3.

-- 
Stephen Smalley
National Security Agency

From selinux at gmail.com Thu Feb 10 15:23:30 2005
From: selinux at gmail.com (Tom London)
Date: Thu, 10 Feb 2005 07:23:30 -0800
Subject: Today's targeted policy...
Message-ID: <4c4ba1530502100723c893a33@mail.gmail.com>

Running targeted/enforcing, latest rawhide.

After installing today's policy files and rebooting, had X/execmem problems. Solved by 'setsebool -P allow_execmem 1'.

Rebooting produces scads of use and sigchild denials.
Attached is /var/log/messages.

In the past, use/fd denials were usually due to leaky file descriptors across execs. Is that likely the case here? Not sure about sigchild....

tom

-- 
Tom London

From kmwannsee at yahoo.com Thu Feb 10 15:48:37 2005
From: kmwannsee at yahoo.com (kent mcclanahan)
Date: Thu, 10 Feb 2005 07:48:37 -0800 (PST)
Subject: NAZI DATA
Message-ID: <20050210154837.76812.qmail@web50606.mail.yahoo.com>

Gentlemen, could you please inform me how to obtain data on Nazi involvement with the National Security Agency and The Central Intelligence Agency including names of the projects? Most Sincerely, Kent McClanahan csm

---------------------------------
Do you Yahoo!?
Meet the all-new My Yahoo! - Try it today!

From rirving at antient.org Thu Feb 10 16:54:24 2005
From: rirving at antient.org (Richard Irving)
Date: Thu, 10 Feb 2005 11:54:24 -0500
Subject: NAZI DATA
In-Reply-To: <20050210154837.76812.qmail@web50606.mail.yahoo.com>
References: <20050210154837.76812.qmail@web50606.mail.yahoo.com>
Message-ID: <420B91C0.3070502@antient.org>

kent mcclanahan wrote:
> Gentlemen, could you please inform me how to obtain data on Nazi
> involvement with the National Security Agency and The Central
> Intelligence Agency including names of the projects? Most Sincerely, Kent
> McClanahan csm

The answer to those questions, and more, have been encoded into the wrinkles in the aluminum foil beanie you are now wearing.

Your challenge is to decode the message, without removing the aluminum foil hat, and exposing yourself to the dreaded "mind rays".

Good Luck.

This message will self destruct, shortly after you hit delete.

:P

(ROTFLMAO!)

> ------------------------------------------------------------------------
> Do you Yahoo!?
> Meet the all-new My Yahoo! - Try it today!

From sds at epoch.ncsc.mil Thu Feb 10 16:48:55 2005
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 10 Feb 2005 11:48:55 -0500
Subject: Today's targeted policy...
In-Reply-To: <4c4ba1530502100723c893a33@mail.gmail.com>
References: <4c4ba1530502100723c893a33@mail.gmail.com>
Message-ID: <1108054135.22172.90.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2005-02-10 at 10:23, Tom London wrote:
> Running targeted/enforcing, latest rawhide.
>
> After installing today's policy files and rebooting, had X/execmem
> problems. Solved by 'setsebool -P allow_execmem 1'.
>
> Rebooting produces scads of use and sigchild denials. Attached is
> /var/log/messages.
>
> In the past, use/fd denials were usually due to leaky file descriptors
> across execs. That likely the case here? Not sure about sigchild....

No, I removed rules from the general unconfined_domain() macro that shouldn't be applied to _all_ unconfined domains, and no one has yet added them back to the specific unconfined.te file in the targeted policy (which is the only place they were needed). In the targeted policy, all other domains are launched from the unconfined_t domain, and these rules used to be covered by the domain_auto_trans rules, but the re-introduction of initrc_t into the targeted policy means that they have to be separately allowed. So the

allow domain unconfined_t:fd use;
allow domain unconfined_t:process sigchld;

rules need to go into the targeted unconfined.te file.
-- 
Stephen Smalley
National Security Agency

From hampton at employees.org Thu Feb 10 17:32:59 2005
From: hampton at employees.org (David Hampton)
Date: Thu, 10 Feb 2005 12:32:59 -0500
Subject: "invalid contex" question
Message-ID: <1108056779.29383.24.camel@hampton-pc.rainbolthampton.net>

I'm running an FC3 system with the latest rawhide strict policy. I'm currently trying to tweak the dovecot files for my system and am running into an invalid context error. My changes so far:

Index: domains/program/dovecot.te
+type dovecot_data_t, file_type, sysadmfile;
+create_dir_file(dovecot_t, dovecot_data_t)

Index: file_contexts/program/dovecot.fc
+/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t;

The problem is that after a 'make reload' when I try to relabel the /var/spool/dovecot directory, I get the error message:

/etc/selinux/strict/contexts/files/file_contexts: line 999 has invalid context system_u:object_r:dovecot_data_t;

Doing a 'make install' in the policy directory gives me this same error. Is there something else I need to do to create this new type?

Thanks.

David

From sds at epoch.ncsc.mil Thu Feb 10 17:31:15 2005
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 10 Feb 2005 12:31:15 -0500
Subject: "invalid contex" question
In-Reply-To: <1108056779.29383.24.camel@hampton-pc.rainbolthampton.net>
References: <1108056779.29383.24.camel@hampton-pc.rainbolthampton.net>
Message-ID: <1108056675.22172.108.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2005-02-10 at 12:32, David Hampton wrote:
> Index: file_contexts/program/dovecot.fc
>
> +/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t;

No semicolon terminators in file contexts files. They are just newline delimited.
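Review bot: the dovecot.fc hunk carries a trailing semicolon on the file_contexts entry, which is not valid there (file_contexts entries are newline-delimited, unlike the `.te` statements in the first hunk), and that stray `;` is exactly the text the relabel error reports as part of the context ("invalid context system_u:object_r:dovecot_data_t;"); drop it so the line reads `/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t`, then re-run the install and relabel.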
-- 
Stephen Smalley
National Security Agency

From hampton at employees.org Thu Feb 10 17:54:42 2005
From: hampton at employees.org (David Hampton)
Date: Thu, 10 Feb 2005 12:54:42 -0500
Subject: "invalid contex" question
In-Reply-To: <1108056675.22172.108.camel@moss-spartans.epoch.ncsc.mil>
References: <1108056779.29383.24.camel@hampton-pc.rainbolthampton.net> <1108056675.22172.108.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1108058082.29383.25.camel@hampton-pc.rainbolthampton.net>

On Thu, 2005-02-10 at 12:31 -0500, Stephen Smalley wrote:
> On Thu, 2005-02-10 at 12:32, David Hampton wrote:
> > Index: file_contexts/program/dovecot.fc
> >
> > +/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t;
>
> No semicolon terminators in file contexts files. They are just newline
> delimited.

Thanks. (Boy do I feel silly.)

David

From richard at rhjensen.com Thu Feb 10 00:13:33 2005
From: richard at rhjensen.com (Richard Jensen)
Date: Wed, 09 Feb 2005 18:13:33 -0600
Subject: Permissions for new users
Message-ID: <420AA72D.2010108@rhjensen.com>

Hi.

I'm wondering about the permissions new users get when they are created. Before SELinux I had to add users to 'wheel' to enable them to su to root.

I did an adduser and it seems to be unrestricted:

[testse at lankhmar ~]$ id -Z
user_u:system_r:unconfined_t

and the user is able to su to root. Is this normal? How would I keep the user from being able to su?

I added:

user testse roles { user_r };

to /etc/selinux/targeted/src/policy/users and did: make load

This didn't seem to make any difference.
This is on FC3 (2.6.10-1.760_FC3)
selinux-policy-targeted-1.17.30-2.75

[root at lankhmar ~]# sestatus
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file: targeted

I'm not sure if this is clear, or enough information. I tried searching the archives but didn't find anything. [I may be searching incorrectly].

Thanks,
Richard.

From walters at redhat.com Thu Feb 10 18:17:58 2005
From: walters at redhat.com (Colin Walters)
Date: Thu, 10 Feb 2005 13:17:58 -0500
Subject: execmem and targeted policy
Message-ID: <1108059478.6288.7.camel@nexus.verbum.private>

Hi,

I noticed that as of a recent rawhide update that Eclipse stopped working:

audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process

Chatting with Dan, this is apparently because the execmem permission was dropped from unconfined_domain recently.

We can't do this in targeted policy because it would require us to know about (and specially label) all such programs. We could potentially label /usr/bin/eclipse as unconfined_execmem_t or whatever since we have Eclipse packages in Fedora. However, I am almost positive the Sun JVM requires this permission too, and if we go this route, then every person who untars the Sun JVM and tries to run Java programs will run into this problem.

This is against the philosophy of the targeted policy in that it affects programs outside of the targeted daemon set. My worry is that for every person (like me) who tracks down this problem and finds a workaround, there will be 999 others who disable SELinux entirely. And that's bad, because we need it to be enabled by default so we can use it to confine the programs that really need it.

(Dan says that textrel_shlib_t has a similar issue)

One approach might be to have e.g. bin_t and bin_nonexecmem_t.
We label programs that we know work as bin_nonexecmem_t.

From sds at epoch.ncsc.mil Thu Feb 10 18:20:28 2005
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 10 Feb 2005 13:20:28 -0500
Subject: execmem and targeted policy
In-Reply-To: <1108059478.6288.7.camel@nexus.verbum.private>
References: <1108059478.6288.7.camel@nexus.verbum.private>
Message-ID: <1108059628.22172.162.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2005-02-10 at 13:17, Colin Walters wrote:
> I noticed that as of a recent rawhide update that Eclipse stopped
> working:
>
> audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
>
> Chatting with Dan, this is apparently because the execmem permission was
> dropped from unconfined_domain recently.
>
> We can't do this in targeted policy because it would require us to know
> about (and specially label) all such programs.

It is controlled by a boolean. So simply enable the allow_execmem and allow_execmod booleans by default in the targeted policy (via the booleans config file). Or if you absolutely must unconditionally allow it in targeted policy, put the allow rules in the targeted unconfined.te file so that you don't affect the strict policy. But note that the reason for subjecting these permissions to booleans even in the targeted policy was that we were asked to do so by Ulrich (see the earlier discussion on rhselinux-list).

-- 
Stephen Smalley
National Security Agency

From w5set at alltel.net Thu Feb 10 23:00:35 2005
From: w5set at alltel.net (steve)
Date: Thu, 10 Feb 2005 17:00:35 -0600
Subject: NAZI DATA
In-Reply-To: <20050210154837.76812.qmail@web50606.mail.yahoo.com>
References: <20050210154837.76812.qmail@web50606.mail.yahoo.com>
Message-ID: <200502101700.35460.w5set@alltel.net>

Sure--that info is readily available. Just march into the CIA Headquarters and demand the info you need and cite the Freedom of Information ACT.
But they will stall you forever, and try to read you another ACT, but I have heard that most of the collaboration is being done on the CLONEHitler project. Or was that the CLOWN HITLER project? OHHHH--my mind is so fuzzy these days--YOU should recognize that symptom right off. But thanks to modern medicine I am so much better these days--maybe you should try some.

On a more realistic note, have you heard from ET lately? He hasn't called me in months now.

And the csm at the end of your name---Do you work for Wal Mart? CSM there stands for Customer Service Manager.

Almost Sincerely,
Steve

On Thursday February 10 2005 09:48, kent mcclanahan wrote:
> Gentlemen, could you please inform me how to obtain data on Nazi involvement
> with the National Security Agency and The Central Intelligence Agency
> including names of the projects? Most Sincerely, Kent McClanahan csm
>
>
> ---------------------------------
> Do you Yahoo!?
> Meet the all-new My Yahoo! - Try it today!

From w5set at alltel.net Thu Feb 10 23:25:35 2005
From: w5set at alltel.net (steve)
Date: Thu, 10 Feb 2005 17:25:35 -0600
Subject: problems
Message-ID: <200502101725.35518.w5set@alltel.net>

And y'all think that having problems with such a mundane subject as Fedora Core SELinux is a biggie; Kent obviously has much bigger (problem) fish to fry.

About time I had a good laugh reading this email forum, but back to reality and getting my server to run without any help from the Internet "assistants" that stop often to help me by inputting code or something that tries to overfill the buffers or evade detection by my router/firewalls.

Ho-Hum.
-- 
.................steve w5set

From kva64770 at bigpond.net.au Fri Feb 11 07:28:57 2005
From: kva64770 at bigpond.net.au (Stephen Valenti)
Date: Fri, 11 Feb 2005 15:28:57 +0800
Subject: Newbie to fedora/linux
Message-ID: <001401c5100b$595c6800$0600000a@stephen>

Hi,

I was wondering if anybody could help. I'm a real newbie at linux and don't know much about it. I installed fedora core 3 with windows xp sp2, and am currently trying to get my speedtouch adsl 530 modem to work, but every time I try to create a folder to install to it tells me "I can't create the folder, I don't own the computer" or something like that. I tried to find administration tools within fedora but couldn't. What am I doing wrong, or do I need to re-install fedora?

Steve

From dragoran at feuerpokemon.de Fri Feb 11 11:20:51 2005
From: dragoran at feuerpokemon.de (dragoran)
Date: Fri, 11 Feb 2005 12:20:51 +0100
Subject: execmem and targeted policy
In-Reply-To: <1108059478.6288.7.camel@nexus.verbum.private>
References: <1108059478.6288.7.camel@nexus.verbum.private>
Message-ID: <420C9513.20206@feuerpokemon.de>

Colin Walters wrote:
> Hi,
>
> I noticed that as of a recent rawhide update that Eclipse stopped
> working:
>
> audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
>
> Chatting with Dan, this is apparently because the execmem permission was
> dropped from unconfined_domain recently.
>
> We can't do this in targeted policy because it would require us to know
> about (and specially label) all such programs. We could potentially
> label /usr/bin/eclipse as unconfined_execmem_t or whatever since we have
> Eclipse packages in Fedora. However, I am almost positive the Sun JVM
> requires this permission too, and if we go this route, then every person
> who untars the Sun JVM and tries to run Java programs will run into this
> problem.
>
> This is against the philosophy of the targeted policy in that it affects
> programs outside of the targeted daemon set. My worry is that for every
> person (like me) who tracks down this problem and finds a workaround,
> there will be 999 others who disable SELinux entirely. And that's bad,
> because we need it to be enabled by default so we can use it to confine
> the programs that really need it.
>
> (Dan says that textrel_shlib_t has a similar issue)
>
> One approach might be to have e.g. bin_t and bin_nonexecmem_t. We label
> programs that we know work as bin_nonexecmem_t.

mysqld has the same issues even in fc3 when running 2.6.11-rc3
http://www.redhat.com/archives/fedora-selinux-list/2005-February/msg00056.html

From guhvies at gmail.com Fri Feb 11 12:51:58 2005
From: guhvies at gmail.com (ne...)
Date: Fri, 11 Feb 2005 07:51:58 -0500
Subject: Newbie to fedora/linux
In-Reply-To: <001401c5100b$595c6800$0600000a@stephen>
References: <001401c5100b$595c6800$0600000a@stephen>
Message-ID:

On Fri, 11 Feb 2005 15:28:57 +0800, Stephen Valenti wrote:
>
> Hi,
> I was wondering if anybody could help.

Yep.

> what am I doing wrong or do i need to re-install fedora

Posting to the wrong group. You need to join fedora-list and post your problems there.

N.Emile...

-- 
Registered Linux User # 125653 (http://counter.li.org)
Certified: 75% bastard, 42% of which is tard.
http://www.thespark.com/bastardtest
Now accepting personal mail for GMail invites.
From dragoran at feuerpokemon.de Sat Feb 12 16:06:09 2005
From: dragoran at feuerpokemon.de (dragoran)
Date: Sat, 12 Feb 2005 17:06:09 +0100
Subject: mysql wont start with new kernel
In-Reply-To: <4205D097.5010800@feuerpokemon.de>
References: <4205D097.5010800@feuerpokemon.de>
Message-ID: <420E2971.2090309@feuerpokemon.de>

dragoran wrote:
> I installed kernel 2.6.11-rc3-RT-V0.7.38-01 (compiled it from source)
> I did make oldconfig and enabled PREEMT_DESKTOP ,CONFIG_MK7 and ntfs
> support.
> After booting the kernel mysql don't start:
> It shows:
> Timeout error occurred trying to start MySQL Daemon.
> dmesg says:
> audit(1107676996.424:0): avc: denied { execmem } for pid=4806
> comm=mysqld scontext=root:system_r:mysqld_t
> tcontext=root:system_r:mysqld_t tclass=process
> it works when I disabled selinux for mysqld.
> I am running the targeted policy.

no solution?

From smooge at gmail.com Sat Feb 12 16:26:46 2005
From: smooge at gmail.com (Stephen J. Smoogen)
Date: Sat, 12 Feb 2005 09:26:46 -0700
Subject: mysql wont start with new kernel
In-Reply-To: <420E2971.2090309@feuerpokemon.de>
References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de>
Message-ID: <80d7e40905021208264c92e32a@mail.gmail.com>

On Sat, 12 Feb 2005 17:06:09 +0100, dragoran wrote:
> dragoran wrote:
>
> > I installed kernel 2.6.11-rc3-RT-V0.7.38-01 (compiled it from source)
> > I did make oldconfig and enabled PREEMT_DESKTOP ,CONFIG_MK7 and ntfs
> > support.
> > After booting the kernel mysql don't start:
> > It shows:
> > Timeout error occurred trying to start MySQL Daemon.
> > dmesg says:
> > audit(1107676996.424:0): avc: denied { execmem } for pid=4806
> > comm=mysqld scontext=root:system_r:mysqld_t
> > tcontext=root:system_r:mysqld_t tclass=process
> > it works when I disabled selinux for mysqld.
> > I am running the targeted policy. > > > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > > no solution? > Have you rerun the policy on the system? Also how far different is the selinux patch in the kernle you made from the standard Fedora one? Sorry for no better answers > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > -- Stephen J Smoogen. CSIRT/Linux System Administrator From dragoran at feuerpokemon.de Sat Feb 12 16:43:19 2005 From: dragoran at feuerpokemon.de (dragoran) Date: Sat, 12 Feb 2005 17:43:19 +0100 Subject: mysql wont start with new kernel In-Reply-To: <80d7e40905021208264c92e32a@mail.gmail.com> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <80d7e40905021208264c92e32a@mail.gmail.com> Message-ID: <420E3227.5020209@feuerpokemon.de> Stephen J. Smoogen schrieb: >On Sat, 12 Feb 2005 17:06:09 +0100, dragoran wrote: > > >>dragoran schrieb: >> >> >> >>>I installed kernel 2.6.11-rc3-RT-V0.7.38-01 (compiled it from source) >>>I did make oldconfig and enabled PREEMT_DESKTOP ,CONFIG_MK7 and ntfs >>>support. >>>After booting the kernel mysql don't start: >>>It shows: >>>Timeout error occurred trying to start MySQL Daemon. >>>dmesg says: >>>audit(1107676996.424:0): avc: denied { execmem } for pid=4806 >>>comm=mysqld scontext=root:system_r:mysqld_t >>>tcontext=root:system_r:mysqld_t tclass=process >>>it works when I disabled selinux for mysqld. >>>I am running the targeted policy. >>> >>> >>>-- >>>fedora-selinux-list mailing list >>>fedora-selinux-list at redhat.com >>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list >>> >>> >>> >>> >>no solution? >> >> >> > >Have you rerun the policy on the system? Also how far different is the >selinux patch in the kernle you made from the standard Fedora one? 
>Sorry for no better answers > > > >>-- >>fedora-selinux-list mailing list >>fedora-selinux-list at redhat.com >>http://www.redhat.com/mailman/listinfo/fedora-selinux-list >> >> >> > > > > how do I rerun the policy? dunno how much differnt the patch it I don't applied any selinux patches...its the vanilla kernel+the realtimepreemt patch... From dragoran at feuerpokemon.de Sat Feb 12 17:04:53 2005 From: dragoran at feuerpokemon.de (dragoran) Date: Sat, 12 Feb 2005 18:04:53 +0100 Subject: mysql wont start with new kernel In-Reply-To: <420E3227.5020209@feuerpokemon.de> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <80d7e40905021208264c92e32a@mail.gmail.com> <420E3227.5020209@feuerpokemon.de> Message-ID: <420E3735.3050504@feuerpokemon.de> dragoran schrieb: > Stephen J. Smoogen schrieb: > >> On Sat, 12 Feb 2005 17:06:09 +0100, dragoran >> wrote: >> >> >>> dragoran schrieb: >>> >>> >>> >>>> I installed kernel 2.6.11-rc3-RT-V0.7.38-01 (compiled it from source) >>>> I did make oldconfig and enabled PREEMT_DESKTOP ,CONFIG_MK7 and ntfs >>>> support. >>>> After booting the kernel mysql don't start: >>>> It shows: >>>> Timeout error occurred trying to start MySQL Daemon. >>>> dmesg says: >>>> audit(1107676996.424:0): avc: denied { execmem } for pid=4806 >>>> comm=mysqld scontext=root:system_r:mysqld_t >>>> tcontext=root:system_r:mysqld_t tclass=process >>>> it works when I disabled selinux for mysqld. >>>> I am running the targeted policy. >>>> >>>> >>>> -- >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list at redhat.com >>>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>> >>>> >>>> >>> >>> no solution? >>> >>> >> >> >> Have you rerun the policy on the system? Also how far different is the >> selinux patch in the kernle you made from the standard Fedora one? 
>> Sorry for no better answers >> >> >> >>> -- >>> fedora-selinux-list mailing list >>> fedora-selinux-list at redhat.com >>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list >>> >>> >> >> >> >> >> > how do I rerun the policy? > dunno how much differnt the patch it I don't applied any selinux > patches...its the vanilla kernel+the realtimepreemt patch... > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > I try to rebuild the kernel with this patch removed: http://marc.theaimsgroup.com/?l=linux-kernel&m=110200324503263&w=2 and see if it works.... From dragoran at feuerpokemon.de Sat Feb 12 17:10:29 2005 From: dragoran at feuerpokemon.de (dragoran) Date: Sat, 12 Feb 2005 18:10:29 +0100 Subject: mysql wont start with new kernel In-Reply-To: <420E3735.3050504@feuerpokemon.de> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <80d7e40905021208264c92e32a@mail.gmail.com> <420E3227.5020209@feuerpokemon.de> <420E3735.3050504@feuerpokemon.de> Message-ID: <420E3885.3060302@feuerpokemon.de> dragoran schrieb: > dragoran schrieb: > >> Stephen J. Smoogen schrieb: >> >>> On Sat, 12 Feb 2005 17:06:09 +0100, dragoran >>> wrote: >>> >>> >>>> dragoran schrieb: >>>> >>>> >>>> >>>>> I installed kernel 2.6.11-rc3-RT-V0.7.38-01 (compiled it from source) >>>>> I did make oldconfig and enabled PREEMT_DESKTOP ,CONFIG_MK7 and ntfs >>>>> support. >>>>> After booting the kernel mysql don't start: >>>>> It shows: >>>>> Timeout error occurred trying to start MySQL Daemon. >>>>> dmesg says: >>>>> audit(1107676996.424:0): avc: denied { execmem } for pid=4806 >>>>> comm=mysqld scontext=root:system_r:mysqld_t >>>>> tcontext=root:system_r:mysqld_t tclass=process >>>>> it works when I disabled selinux for mysqld. >>>>> I am running the targeted policy. 
>>>>> >>>>> >>>>> -- >>>>> fedora-selinux-list mailing list >>>>> fedora-selinux-list at redhat.com >>>>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>>> >>>>> >>>>> >>>> >>>> >>>> no solution? >>>> >>>> >>> >>> >>> >>> Have you rerun the policy on the system? Also how far different is the >>> selinux patch in the kernle you made from the standard Fedora one? >>> Sorry for no better answers >>> >>> >>> >>>> -- >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list at redhat.com >>>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>> >>>> >>> >>> >>> >>> >>> >>> >> how do I rerun the policy? >> dunno how much differnt the patch it I don't applied any selinux >> patches...its the vanilla kernel+the realtimepreemt patch... >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> http://www.redhat.com/mailman/listinfo/fedora-selinux-list >> >> > I try to rebuild the kernel with this patch removed: > http://marc.theaimsgroup.com/?l=linux-kernel&m=110200324503263&w=2 > and see if it works.... > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > don't build .... From sds at epoch.ncsc.mil Mon Feb 14 12:41:49 2005 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Mon, 14 Feb 2005 07:41:49 -0500 Subject: mysql wont start with new kernel In-Reply-To: <420E2971.2090309@feuerpokemon.de> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> Message-ID: <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> On Sat, 2005-02-12 at 11:06, dragoran wrote: > > Timeout error occurred trying to start MySQL Daemon. > > dmesg says: > > audit(1107676996.424:0): avc: denied { execmem } for pid=4806 > > comm=mysqld scontext=root:system_r:mysqld_t > > tcontext=root:system_r:mysqld_t tclass=process > > it works when I disabled selinux for mysqld. > > I am running the targeted policy. 
rpm -q mysql-server
rpm -V mysql-server
execstack -q /usr/libexec/mysqld

--
Stephen Smalley
National Security Agency

From hongwei at wustl.edu Mon Feb 14 15:46:18 2005
From: hongwei at wustl.edu (Hongwei Li)
Date: Mon, 14 Feb 2005 09:46:18 -0600 (CST)
Subject: How to let squirrelspell work in selinux?
Message-ID: <1817.128.252.85.103.1108395978.squirrel@morpheus.wustl.edu>

Hi,

I got the following error in system log when I click "Check Spelling" in
SquirrelMail 1.4.3a of my fc3 linux system:

Feb 14 09:36:02 pippo kernel: audit(1108395362.621:0): avc: denied { search } for pid=10663 exe=/bin/cat name=spool dev=hda3 ino=470497 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir

The "Check Spelling" calls SquirrelSpell v0.3.8, which works well if
selinux is disabled. But, I'd like to have selinux enforced.

My system:
os: RedHat FC3 linux, kernel-2.6.10-1.741_FC3, selinux enforced, iptables enabled
selinux: selinux-policy-targeted-1.17.30-2.73
iptables: iptables-1.2.11-3.1.FC3

Can somebody tell me how to fix this problem?

Thanks a lot!

Hongwei Li

From kmwannsee at yahoo.com Fri Feb 11 15:54:37 2005
From: kmwannsee at yahoo.com (kent mcclanahan)
Date: Fri, 11 Feb 2005 07:54:37 -0800 (PST)
Subject: fedora-selinux-list Digest, Vol 12, Issue 10
In-Reply-To: <20050210170034.81636741F0@hormel.redhat.com>
Message-ID: <20050211155437.60739.qmail@web50610.mail.yahoo.com>

Dear P, the Nazi involvement in question is only coming to attention. Keep your ears open. Kent Mc.
fedora-selinux-list-request at redhat.com wrote:

Send fedora-selinux-list mailing list submissions to
fedora-selinux-list at redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
or, via email, send a message with subject or body 'help' to
fedora-selinux-list-request at redhat.com

You can reach the person managing the list at
fedora-selinux-list-owner at redhat.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."

Today's Topics:

1. NAZI DATA (kent mcclanahan)
2. Re: NAZI DATA (Richard Irving)
3. Re: Today's targeted policy... (Stephen Smalley)

----------------------------------------------------------------------

Message: 1
Date: Thu, 10 Feb 2005 07:48:37 -0800 (PST)
From: kent mcclanahan
Subject: NAZI DATA
To: fedora-selinux-list at redhat.com
Message-ID: <20050210154837.76812.qmail at web50606.mail.yahoo.com>
Content-Type: text/plain; charset="us-ascii"

Gentlemen, could you please inform me how to obtain data on Nazi involvement with the National Security Agency and The Central Intelligence Agency including names of the projects? Most Sincerely, Kent McClanahan csm

------------------------------

Message: 2
Date: Thu, 10 Feb 2005 11:54:24 -0500
From: Richard Irving
Subject: Re: NAZI DATA
To: "Fedora SELinux support list for users & developers."
Message-ID: <420B91C0.3070502 at antient.org>
Content-Type: text/plain; charset=windows-1252; format=flowed

kent mcclanahan wrote:
> Gentlemen, could you please inform me how to obtain data on Nazi
> involvement with the National Security Agency and The Central
> Intelligence Agency including names of the projects? Most Sincerely, Kent
> McClanahan csm

The answer to those questions, and more, has been encoded into the
wrinkles in the aluminum foil beanie you are now wearing.

Your challenge is to decode the message, without removing the aluminum
foil hat, and exposing yourself to the dreaded "mind rays".

Good Luck.

This message will self destruct, shortly after you hit delete.

:P

(ROTFLMAO!)

------------------------------

Message: 3
Date: Thu, 10 Feb 2005 11:48:55 -0500
From: Stephen Smalley
Subject: Re: Today's targeted policy...
To: Tom London, "Fedora SELinux support list for users & developers."
Message-ID: <1108054135.22172.90.camel at moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain

On Thu, 2005-02-10 at 10:23, Tom London wrote:
> Running targeted/enforcing, latest rawhide.
>
> After installing today's policy files and rebooting, had X/execmem
> problems. Solved by 'setsebool -P allow_execmem 1'.
>
> Rebooting produces scads of use and sigchild denials. Attached is
> /var/log/messages.
>
> In the past, use/fd denials were usually due to leaky file descriptors
> across execs. That likely the case here? Not sure about sigchild....
No, I removed rules from the general unconfined_domain() macro that
shouldn't be applied to _all_ unconfined domains, and no one has yet
added them back to the specific unconfined.te file in the targeted
policy (which is the only place they were needed). In the targeted
policy, all other domains are launched from the unconfined_t domain, and
these rules used to be covered by the domain_auto_trans rules, but the
re-introduction of initrc_t into the targeted policy means that they
have to be separately allowed. So the

    allow domain unconfined_t:fd use;
    allow domain unconfined_t:process sigchld;

rules need to go into the targeted unconfined.te file.

--
Stephen Smalley
National Security Agency

------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list

End of fedora-selinux-list Digest, Vol 12, Issue 10
***************************************************

From kmwannsee at yahoo.com Sat Feb 12 16:25:55 2005
From: kmwannsee at yahoo.com (kent mcclanahan)
Date: Sat, 12 Feb 2005 08:25:55 -0800 (PST)
Subject: fedora-selinux-list Digest, Vol 12, Issue 11
In-Reply-To: <20050211170023.388B37351F@hormel.redhat.com>
Message-ID: <20050212162555.12542.qmail@web50609.mail.yahoo.com>

Hey Steve, the csm at the end of my name stands for Certified Supreme Master Gemcutter, which was issued by the American Society of Gemcutters and not Walmart. I challenge you to try to obtain one! Kent McClanahan csm

fedora-selinux-list-request at redhat.com wrote:

Today's Topics:

1. "invalid contex" question (David Hampton)
2. Re: "invalid contex" question (Stephen Smalley)
3. Re: "invalid contex" question (David Hampton)
4. Permissions for new users (Richard Jensen)
5. execmem and targeted policy (Colin Walters)
6. Re: execmem and targeted policy (Stephen Smalley)
7. Re: NAZI DATA (steve)
8. problems (steve)
9. Newbie to fedora/linux (Stephen Valenti)
10. Re: execmem and targeted policy (dragoran)
11. Re: Newbie to fedora/linux (ne...)

----------------------------------------------------------------------

Message: 1
Date: Thu, 10 Feb 2005 12:32:59 -0500
From: David Hampton
Subject: "invalid contex" question
To: fedora-selinux-list at redhat.com
Message-ID: <1108056779.29383.24.camel at hampton-pc.rainbolthampton.net>
Content-Type: text/plain; charset="us-ascii"

I'm running an FC3 system with the latest rawhide strict policy.
I'm currently trying to tweak the dovecot files for my system and am
running into an invalid context error. My changes so far:

Index: domains/program/dovecot.te
+type dovecot_data_t, file_type, sysadmfile;
+create_dir_file(dovecot_t, dovecot_data_t)

Index: file_contexts/program/dovecot.fc
+/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t;

The problem is that after a 'make reload' when I try to relabel the
/var/spool/dovecot directory, I get the error message:

/etc/selinux/strict/contexts/files/file_contexts: line 999 has invalid context system_u:object_r:dovecot_data_t;

Doing a 'make install' in the policy directory gives me this same error.
Is there something else I need to do to create this new type?

Thanks.

David

------------------------------

Message: 2
Date: Thu, 10 Feb 2005 12:31:15 -0500
From: Stephen Smalley
Subject: Re: "invalid contex" question
To: "Fedora SELinux support list for users & developers."
Message-ID: <1108056675.22172.108.camel at moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain

On Thu, 2005-02-10 at 12:32, David Hampton wrote:
> Index: file_contexts/program/dovecot.fc
>
> +/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t;

No semicolon terminators in file contexts files. They are just newline
delimited.

--
Stephen Smalley
National Security Agency

------------------------------

Message: 3
Date: Thu, 10 Feb 2005 12:54:42 -0500
From: David Hampton
Subject: Re: "invalid contex" question
To: "Fedora SELinux support list for users & developers."
Message-ID: <1108058082.29383.25.camel at hampton-pc.rainbolthampton.net>
Content-Type: text/plain; charset="us-ascii"

On Thu, 2005-02-10 at 12:31 -0500, Stephen Smalley wrote:
> On Thu, 2005-02-10 at 12:32, David Hampton wrote:
> > Index: file_contexts/program/dovecot.fc
> >
> > +/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t;
>
> No semicolon terminators in file contexts files. They are just newline
> delimited.

Thanks. (Boy do I feel silly.)

David

------------------------------

Message: 4
Date: Wed, 09 Feb 2005 18:13:33 -0600
From: Richard Jensen
Subject: Permissions for new users
To: fedora-selinux-list at redhat.com
Message-ID: <420AA72D.2010108 at rhjensen.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi. I'm wondering about the permissions new users get when they are
created. Before SELinux I had to add users to 'wheel' to enable them to
su to root. I did an adduser and it seems to be unrestricted:

[testse at lankhmar ~]$ id -Z
user_u:system_r:unconfined_t

and the user is able to su to root. Is this normal? How would I keep the
user from being able to su?

I added:

user testse roles { user_r };

to /etc/selinux/targeted/src/policy/users and did:

make load

This didn't seem to make any difference.

This is on FC3 (2.6.10-1.760_FC3)
selinux-policy-targeted-1.17.30-2.75

[root at lankhmar ~]# sestatus
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file: targeted

I'm not sure if this is clear, or enough information. I tried searching
the archives but didn't find anything. [I may be searching incorrectly].

Thanks,
Richard.
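The dovecot exchange above turns on one syntax detail: a file_contexts entry is `pathregex [-filetype] context` on a single line, entries are newline-delimited, and there is no statement terminator, so a trailing `;` is read as part of the type name and setfiles rejects the whole context as invalid. The following is an added example, not code from this thread or from the SELinux policy tree: a small POSIX sh lint for hand-edited file_contexts lines that catches exactly that mistake, plus the other malformed shapes a reviewer sees (wrong field count, non-absolute regex, unknown file type flag, context with the wrong number of colon-separated fields). The type and path names used in the checks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint hand-edited file_contexts entries
# before `make load`/setfiles.  An entry is "pathregex [-type] context" on a
# single line; entries are newline-delimited with no terminator, so a trailing
# ';' becomes part of the type name and setfiles rejects the context.

set -f   # entries are regexes; never let the shell glob-expand them

# Accept user:role:type or user:role:type:range, or the literal <<none>>.
valid_context() {
    ctx="$1"
    [ "$ctx" = '<<none>>' ] && return 0
    case "$ctx" in
        ''|*[!A-Za-z0-9_:.,-]*|:*|*:|*::*) return 1 ;;   # ';', spaces, empty fields
    esac
    n=$(IFS=:; set -- $ctx; echo $#)                     # count colon-separated fields
    [ "$n" -eq 3 ] || [ "$n" -eq 4 ]
}

# Check one file_contexts line; prints a diagnostic and returns 1 on error.
# Blank lines and comments pass.
check_fc_line() {
    line="$1"
    case "$line" in
        ''|'#'*) return 0 ;;
    esac
    set -- $line                                # split on whitespace (set -f: no globbing)
    case $# in
        2) regex="$1"; ftype="";   ctx="$2" ;;
        3) regex="$1"; ftype="$2"; ctx="$3" ;;
        *) echo "expected 2 or 3 fields, got $#: $line"; return 1 ;;
    esac
    case "$regex" in
        /*) ;;
        *) echo "path regex must be absolute: $line"; return 1 ;;
    esac
    case "$ftype" in
        ''|--|-d|-l|-c|-b|-s|-p) ;;             # any, regular, dir, symlink, char, block, socket, fifo
        *) echo "unknown file type flag '$ftype': $line"; return 1 ;;
    esac
    case "$ctx" in
        *';') echo "trailing ';' (entries are newline-delimited, no terminator): $line"; return 1 ;;
    esac
    valid_context "$ctx" || { echo "invalid context '$ctx': $line"; return 1; }
}

# Lint a whole file; returns the number of offending lines (0 = clean).
check_fc_file() {
    bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        check_fc_line "$l" || bad=$((bad + 1))
    done < "$1"
    return $bad
}

if [ $# -gt 0 ]; then
    check_fc_file "$1" && echo "$1: ok"
fi
```

Run it as `sh fc_lint.sh file_contexts/program/dovecot.fc` before `make load`; the line from the thread is reported as "trailing ';'" rather than surfacing later as "line 999 has invalid context" from setfiles, which only tells you the context string and not why it is wrong.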
------------------------------

Message: 5
Date: Thu, 10 Feb 2005 13:17:58 -0500
From: Colin Walters
Subject: execmem and targeted policy
To: fedora-selinux-list at redhat.com
Message-ID: <1108059478.6288.7.camel at nexus.verbum.private>
Content-Type: text/plain

Hi,

I noticed that as of a recent rawhide update Eclipse stopped working:

audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process

Chatting with Dan, this is apparently because the execmem permission was
dropped from unconfined_domain recently.

We can't do this in targeted policy because it would require us to know
about (and specially label) all such programs. We could potentially
label /usr/bin/eclipse as unconfined_execmem_t or whatever since we have
Eclipse packages in Fedora. However, I am almost positive the Sun JVM
requires this permission too, and if we go this route, then every person
who untars the Sun JVM and tries to run Java programs will run into this
problem.

This is against the philosophy of the targeted policy in that it affects
programs outside of the targeted daemon set. My worry is that for every
person (like me) who tracks down this problem and finds a workaround,
there will be 999 others who disable SELinux entirely. And that's bad,
because we need it to be enabled by default so we can use it to confine
the programs that really need it.

(Dan says that textrel_shlib_t has a similar issue)

One approach might be to have e.g. bin_t and bin_nonexecmem_t. We label
programs that we know work as bin_nonexecmem_t.

------------------------------

Message: 6
Date: Thu, 10 Feb 2005 13:20:28 -0500
From: Stephen Smalley
Subject: Re: execmem and targeted policy
To: "Fedora SELinux support list for users & developers."
Message-ID: <1108059628.22172.162.camel at moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain

On Thu, 2005-02-10 at 13:17, Colin Walters wrote:
> I noticed that as of a recent rawhide update Eclipse stopped
> working:
>
> audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
>
> Chatting with Dan, this is apparently because the execmem permission was
> dropped from unconfined_domain recently.
>
> We can't do this in targeted policy because it would require us to know
> about (and specially label) all such programs.

It is controlled by a boolean. So simply enable the allow_execmem and
allow_execmod booleans by default in the targeted policy (via the
booleans config file). Or if you absolutely must unconditionally allow
it in targeted policy, put the allow rules in the targeted unconfined.te
file so that you don't affect the strict policy. But note that the
reason for subjecting these permissions to booleans even in the targeted
policy was that we were asked to do so by Ulrich (see the earlier
discussion on rhselinux-list).

--
Stephen Smalley
National Security Agency

------------------------------

Message: 7
Date: Thu, 10 Feb 2005 17:00:35 -0600
From: steve
Subject: Re: NAZI DATA
To: "Fedora SELinux support list for users & developers."
Message-ID: <200502101700.35460.w5set at alltel.net>
Content-Type: text/plain; charset="utf-8"

Sure--that info is readily available. Just march into the CIA
Headquarters and demand the info you need and cite the Freedom of
Information ACT. But they will stall you forever, and try to read you
another ACT, but I have heard that most of the collaboration is being
done on the CLONEHitler project. Or was that the CLOWN HITLER project?
OHHHH--my mind is so fuzzy these days--YOU should recognize that symptom
right off. But thanks to modern medicine I am so much better these
days--maybe you should try some.
On a more realistic note, have you heard from ET lately? He hasn't
called me in months now.

And the csm at the end of your name---Do you work for Wal Mart? CSM there
stands for Customer Service Manager.

Almost Sincerely,
Steve

On Thursday February 10 2005 09:48, kent mcclanahan wrote:
> Gentlemen, could you please inform me how to obtain data on Nazi involvement
> with the National Security Agency and The Central Intelligence Agency
> including names of the projects? Most Sincerely, Kent McClanahan csm

------------------------------

Message: 8
Date: Thu, 10 Feb 2005 17:25:35 -0600
From: steve
Subject: problems
To: "Fedora SELinux support list for users & developers."
Message-ID: <200502101725.35518.w5set at alltel.net>
Content-Type: text/plain; charset="us-ascii"

And y'all think that having problems with such a mundane subject as
Fedora Core SELinux is a biggie. Kent obviously has much bigger (problem)
fish to fry.

About time I had a good laugh reading this email forum, but back to
reality and getting my server to run without any help from the Internet
"assistants" that stop often to help me by inputting code or something
that tries to overfill the buffers or evade detection by my
router/firewalls.

Ho-Hum.

--
.................steve w5set

------------------------------

Message: 9
Date: Fri, 11 Feb 2005 15:28:57 +0800
From: "Stephen Valenti"
Subject: Newbie to fedora/linux
To:
Message-ID: <001401c5100b$595c6800$0600000a at stephen>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

I was wondering if anybody could help. I'm a real newbie at linux and
don't know much about it. I installed fedora core 3 with windows xp sp2,
and am currently trying to get my speedtouch adsl 530 modem to work, but
every time I try to create a folder to install to it tells me "I can't
create the folder, I don't own the computer" or something like that. I
tried to find administration tools within fedora but couldn't. What am I
doing wrong, or do I need to re-install fedora?

Steve

------------------------------

Message: 10
Date: Fri, 11 Feb 2005 12:20:51 +0100
From: dragoran
Subject: Re: execmem and targeted policy
To: "Fedora SELinux support list for users & developers."
Message-ID: <420C9513.20206 at feuerpokemon.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Colin Walters wrote:
>Hi,
>
>I noticed that as of a recent rawhide update Eclipse stopped
>working:
>
>audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
>
>Chatting with Dan, this is apparently because the execmem permission was
>dropped from unconfined_domain recently.
>
>We can't do this in targeted policy because it would require us to know
>about (and specially label) all such programs. We could potentially
>label /usr/bin/eclipse as unconfined_execmem_t or whatever since we have
>Eclipse packages in Fedora. However, I am almost positive the Sun JVM
>requires this permission too, and if we go this route, then every person
>who untars the Sun JVM and tries to run Java programs will run into this
>problem.
>
>This is against the philosophy of the targeted policy in that it affects
>programs outside of the targeted daemon set. My worry is that for every
>person (like me) who tracks down this problem and finds a workaround,
>there will be 999 others who disable SELinux entirely. And that's bad,
>because we need it to be enabled by default so we can use it to confine
>the programs that really need it.
>
>(Dan says that textrel_shlib_t has a similar issue)
>
>One approach might be to have e.g. bin_t and bin_nonexecmem_t. We label
>programs that we know work as bin_nonexecmem_t.

mysqld has the same issues even in fc3 when running 2.6.11-rc3
http://www.redhat.com/archives/fedora-selinux-list/2005-February/msg00056.html

------------------------------

Message: 11
Date: Fri, 11 Feb 2005 07:51:58 -0500
From: "ne..."
Subject: Re: Newbie to fedora/linux
To: "Fedora SELinux support list for users & developers."
Message-ID:
Content-Type: text/plain; charset=US-ASCII

On Fri, 11 Feb 2005 15:28:57 +0800, Stephen Valenti wrote:
>
> Hi,
> I was wondering if anybody could help.

Yep.

> what am I doing wrong or do i need to re-install fedora

Posting to the wrong group. You need to join fedora-list and post your
problems there.

N.Emile...
--
Registered Linux User # 125653 (http://counter.li.org)
Certified: 75% bastard, 42% of which is tard.
http://www.thespark.com/bastardtest
Now accepting personal mail for GMail invites.
------------------------------

End of fedora-selinux-list Digest, Vol 12, Issue 11
***************************************************

From dragoran at feuerpokemon.de Mon Feb 14 17:24:34 2005
From: dragoran at feuerpokemon.de (dragoran)
Date: Mon, 14 Feb 2005 18:24:34 +0100
Subject: mysql wont start with new kernel
In-Reply-To: <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil>
References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4210DED2.9040608@feuerpokemon.de>

Stephen Smalley wrote:
>On Sat, 2005-02-12 at 11:06, dragoran wrote:
>>>Timeout error occurred trying to start MySQL Daemon.
>>>dmesg says:
>>>audit(1107676996.424:0): avc: denied { execmem } for pid=4806
>>>comm=mysqld scontext=root:system_r:mysqld_t
>>>tcontext=root:system_r:mysqld_t tclass=process
>>>it works when I disabled selinux for mysqld.
>>>I am running the targeted policy.
>>> >>> > >rpm -q mysql-server >rpm -V mysql-server >execstack -q /usr/libexec/mysqld > > > [dragoran at chello062178124144 ~]$ rpm -q mysql-server mysql-server-3.23.58-14 [dragoran at chello062178124144 ~]$ rpm -V mysql-server [dragoran at chello062178124144 ~]$ execstack -q /usr/libexec/mysqld - /usr/libexec/mysqld [dragoran at chello062178124144 ~]$ From sds at epoch.ncsc.mil Mon Feb 14 17:40:35 2005 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Mon, 14 Feb 2005 12:40:35 -0500 Subject: mysql wont start with new kernel In-Reply-To: <4210DED2.9040608@feuerpokemon.de> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> Message-ID: <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-02-14 at 12:24, dragoran wrote: > [dragoran at chello062178124144 ~]$ rpm -q mysql-server > mysql-server-3.23.58-14 > [dragoran at chello062178124144 ~]$ rpm -V mysql-server > [dragoran at chello062178124144 ~]$ execstack -q /usr/libexec/mysqld > - /usr/libexec/mysqld > [dragoran at chello062178124144 ~]$ Hmm...I have the same version here, same results as above, yet it does not trigger an execmem check on the current kernel. 
for f in `ldd /usr/libexec/mysqld | awk '{print $3}'`; do if [ -f $f ]; then if readelf -d $f | grep -q TEXTREL ; then echo $f; fi; fi; done -- Stephen Smalley National Security Agency From dragoran at feuerpokemon.de Mon Feb 14 17:50:28 2005 From: dragoran at feuerpokemon.de (dragoran) Date: Mon, 14 Feb 2005 18:50:28 +0100 Subject: mysql wont start with new kernel In-Reply-To: <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4210E4E4.102@feuerpokemon.de> Stephen Smalley schrieb: >On Mon, 2005-02-14 at 12:24, dragoran wrote: > > >>[dragoran at chello062178124144 ~]$ rpm -q mysql-server >>mysql-server-3.23.58-14 >>[dragoran at chello062178124144 ~]$ rpm -V mysql-server >>[dragoran at chello062178124144 ~]$ execstack -q /usr/libexec/mysqld >>- /usr/libexec/mysqld >>[dragoran at chello062178124144 ~]$ >> >> > >Hmm...I have the same version here, same results as above, yet it does >not trigger an execmem check on the current kernel. > >for f in `ldd /usr/libexec/mysqld | awk '{print $3}'`; do if [ -f $f ]; then if readelf -d $f | grep -q TEXTREL ; then echo $f; fi; fi; done > > > this command prints nothing ;) From selinux at gmail.com Mon Feb 14 18:05:32 2005 From: selinux at gmail.com (Tom London) Date: Mon, 14 Feb 2005 10:05:32 -0800 Subject: privoxy and targeted Message-ID: <4c4ba153050214100549d8fe5c@mail.gmail.com> Running targeted/enforcing, latest Rawhide. 
Get the following from privoxy: Feb 14 09:59:19 localhost kernel: audit(1108403959.792:0): avc: denied { connect } for pid=5734 exe=/usr/sbin/privoxy scontext=user_u:system_r:privoxy_t tcontext=user_u:system_r:privoxy_t tclass=tcp_socket Feb 14 09:59:19 localhost kernel: audit(1108403959.838:0): avc: denied { connect } for pid=5733 exe=/usr/sbin/privoxy scontext=user_u:system_r:privoxy_t tcontext=user_u:system_r:privoxy_t tclass=tcp_socket adding allow privoxy_t self:tcp_socket connect; to privoxy.te fixes....but I'm sure there is a better way to do this, e.g., change can_network_server(privoxy_t) to can_network(privoxy_t) tom -- Tom London From sds at epoch.ncsc.mil Mon Feb 14 18:06:17 2005 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Mon, 14 Feb 2005 13:06:17 -0500 Subject: mysql wont start with new kernel In-Reply-To: <4210E4E4.102@feuerpokemon.de> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> Message-ID: <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-02-14 at 12:50, dragoran wrote: > this command prints nothing ;) /etc/init.d/mysqld stop strace -o mysqld.out -f -ff /etc/init.d/mysqld start & Then send me the mysqld.out* files. 
-- Stephen Smalley National Security Agency From dragoran at feuerpokemon.de Mon Feb 14 18:20:14 2005 From: dragoran at feuerpokemon.de (dragoran) Date: Mon, 14 Feb 2005 19:20:14 +0100 Subject: mysql wont start with new kernel In-Reply-To: <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4210EBDE.2000405@feuerpokemon.de> Stephen Smalley wrote: >On Mon, 2005-02-14 at 12:50, dragoran wrote: > > >>this command prints nothing ;) >> >> > >/etc/init.d/mysqld stop >strace -o mysqld.out -f -ff /etc/init.d/mysqld start & > >Then send me the mysqld.out* files. > > > here are the mysql.out files (tar.bz2 archive) [Attachment: mysql.tar.bz2, application/x-bzip, 22291 bytes] From sds at epoch.ncsc.mil Mon Feb 14 18:17:36 2005 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Mon, 14 Feb 2005 13:17:36 -0500 Subject: mysql wont start with new kernel In-Reply-To: <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1108405056.15437.130.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-02-14 at 12:40, Stephen Smalley wrote: > Hmm...I have the same version here, same results as above, yet it does > not trigger an execmem check on the current kernel.
> > for f in `ldd /usr/libexec/mysqld | awk '{print $3}'`; do if [ -f $f ]; then if readelf -d $f | grep -q TEXTREL ; then echo $f; fi; fi; done Sorry, wrong test. How about: for f in `ldd /usr/libexec/mysqld | awk '{print $3}'`; do if [ -f $f ]; then if readelf -l $f | grep -q RWE ; then echo $f; fi; fi; done -- Stephen Smalley National Security Agency From sds at epoch.ncsc.mil Mon Feb 14 18:28:59 2005 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Mon, 14 Feb 2005 13:28:59 -0500 Subject: mysql wont start with new kernel In-Reply-To: <4210EBDE.2000405@feuerpokemon.de> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> <4210EBDE.2000405@feuerpokemon.de> Message-ID: <1108405739.15437.138.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-02-14 at 13:20, dragoran wrote: > here are the mysql.out files (tar.bz2 archiv) > > ______________________________________________________________________ Ok. Notice the mprotect.*PROT_EXEC|PROT_GROWSDOWN call in mysqld.out.5275. Occurs after an open() of /lib/libgcc_s.so.1. 
rpm -q -f /lib/libgcc_s.so.1 execstack -q /lib/libgcc_s.so.1 -- Stephen Smalley National Security Agency From dragoran at feuerpokemon.de Mon Feb 14 18:49:06 2005 From: dragoran at feuerpokemon.de (dragoran) Date: Mon, 14 Feb 2005 19:49:06 +0100 Subject: mysql wont start with new kernel In-Reply-To: <1108405739.15437.138.camel@moss-spartans.epoch.ncsc.mil> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> <4210EBDE.2000405@feuerpokemon.de> <1108405739.15437.138.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4210F2A2.8070102@feuerpokemon.de> Stephen Smalley wrote: >On Mon, 2005-02-14 at 13:20, dragoran wrote: > > >>here are the mysql.out files (tar.bz2 archiv) >> >>______________________________________________________________________ >> >> >Ok. Notice the mprotect.*PROT_EXEC|PROT_GROWSDOWN call in >mysqld.out.5275. Occurs after an open() of /lib/libgcc_s.so.1. 
> >rpm -q -f /lib/libgcc_s.so.1 >execstack -q /lib/libgcc_s.so.1 > > > [dragoran at chello062178124144 ~]$ rpm -q -f /lib/libgcc_s.so.1 libgcc-3.4.2-6.fc3 [dragoran at chello062178124144 ~]$ execstack -q /lib/libgcc_s.so.1 X /lib/libgcc_s.so.1 [dragoran at chello062178124144 ~]$ From sds at epoch.ncsc.mil Mon Feb 14 18:52:22 2005 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Mon, 14 Feb 2005 13:52:22 -0500 Subject: mysql wont start with new kernel In-Reply-To: <4210F2A2.8070102@feuerpokemon.de> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> <4210EBDE.2000405@feuerpokemon.de> <1108405739.15437.138.camel@moss-spartans.epoch.ncsc.mil> <4210F2A2.8070102@feuerpokemon.de> Message-ID: <1108407142.15437.153.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-02-14 at 13:49, dragoran wrote: > [dragoran at chello062178124144 ~]$ rpm -q -f /lib/libgcc_s.so.1 > libgcc-3.4.2-6.fc3 > [dragoran at chello062178124144 ~]$ execstack -q /lib/libgcc_s.so.1 > X /lib/libgcc_s.so.1 > [dragoran at chello062178124144 ~]$ Hmmm...same version here, but no executable stack. What is your architecture? What does 'rpm -V libgcc' show? Can you do an 'execstack -c /lib/libgcc_s.so.1'? 
-- Stephen Smalley National Security Agency From dragoran at feuerpokemon.de Mon Feb 14 19:10:50 2005 From: dragoran at feuerpokemon.de (dragoran) Date: Mon, 14 Feb 2005 20:10:50 +0100 Subject: mysql wont start with new kernel In-Reply-To: <1108407142.15437.153.camel@moss-spartans.epoch.ncsc.mil> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> <4210EBDE.2000405@feuerpokemon.de> <1108405739.15437.138.camel@moss-spartans.epoch.ncsc.mil> <4210F2A2.8070102@feuerpokemon.de> <1108407142.15437.153.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4210F7BA.7000203@feuerpokemon.de> Stephen Smalley wrote: >On Mon, 2005-02-14 at 13:49, dragoran wrote: > > >>[dragoran at chello062178124144 ~]$ rpm -q -f /lib/libgcc_s.so.1 >>libgcc-3.4.2-6.fc3 >>[dragoran at chello062178124144 ~]$ execstack -q /lib/libgcc_s.so.1 >>X /lib/libgcc_s.so.1 >>[dragoran at chello062178124144 ~]$ >> >> > >Hmmm...same version here, but no executable stack. What is your >architecture? What does 'rpm -V libgcc' show? Can you do an 'execstack >-c /lib/libgcc_s.so.1'? > > > My arch is i686 (athlon). rpm -V libgcc shows: SM5....T. /lib/libgcc_s-3.4.2-20041018.so.1 execstack -c /lib/libgcc_s.so.1 shows nothing. 
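The readelf and execstack checks Stephen asks for in this thread both come down to one ELF program header, PT_GNU_STACK, and whether its flags include PF_X. The following is an added example, not code from the thread and not the execstack or readelf tools themselves: it parses that header directly, so the check can be scripted on a box where prelink is not installed, and it builds a constructed throwaway ELF image for the demonstration (the built image is not a real library and cannot be loaded). Offsets and constants are the standard ELF ones; the machine numbers in the constructed header (62 for x86-64, 3 for i386) are arbitrary choices for the test image. Because it reads file contents, pointing it at a symlink such as /lib/libgcc_s.so.1 reports on the target file.

```python
import struct
import sys

# Standard ELF constants (elf.h); nothing here is specific to Fedora or mysqld.
PT_GNU_STACK = 0x6474E551          # program header carrying the stack permission request
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # the "RWE" letters readelf -l prints for p_flags
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1

def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the image has none.

    This is what `readelf -l | grep RWE` and `execstack -q` are looking at: a
    PT_GNU_STACK entry with PF_X set asks the loader for an executable stack,
    which is what trips the SELinux execstack/execmem checks.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_data != ELFDATA2LSB:
        raise ValueError("only little-endian images handled here")
    if ei_class == ELFCLASS64:
        e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
        phdr_fmt, flags_index = "<IIQQQQQQ", 1   # p_type, p_flags, p_offset, ...
    elif ei_class == ELFCLASS32:
        e_phoff = struct.unpack_from("<I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
        phdr_fmt, flags_index = "<IIIIIIII", 6   # p_type, p_offset, ..., p_flags, p_align
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_index]
    return None

def stack_verdict(flags):
    """Collapse the flags to the one-letter verdict execstack -q prints."""
    if flags is None:
        return "?"   # no PT_GNU_STACK at all: old toolchain, the kernel default applies
    return "X" if flags & PF_X else "-"

def check_file(path):
    """Verdict for a file on disk; a symlink is read through to its target."""
    with open(path, "rb") as f:
        return stack_verdict(gnu_stack_flags(f.read()))

def build_test_elf(stack_flags, elfclass=ELFCLASS64):
    """Constructed test input: a minimal ELF header plus one PT_GNU_STACK entry."""
    if elfclass == ELFCLASS64:
        ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + b"\x00" * 9
        # e_type=ET_DYN, e_machine=62, e_version, e_entry, e_phoff=64, e_shoff, e_flags,
        # e_ehsize=64, e_phentsize=56, e_phnum=1, e_shentsize, e_shnum, e_shstrndx
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    else:
        ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB, 1]) + b"\x00" * 9
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    # Usage: python3 gnustack.py /usr/libexec/mysqld $(ldd /usr/libexec/mysqld | awk '/=>/ {print $3}')
    for p in sys.argv[1:]:
        try:
            print(check_file(p), p)
        except (OSError, ValueError) as e:
            print("?", p, "(%s)" % e)
```

Run it over a binary and the libraries ldd lists for it, as in the usage line, and any line starting with X names the object that is requesting an executable stack. The verdict is about the file on disk only; whether the kernel then grants the request still depends on the execstack/execmem rules for the domain the program runs in.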
From sds at epoch.ncsc.mil Mon Feb 14 19:11:01 2005 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Mon, 14 Feb 2005 14:11:01 -0500 Subject: mysql wont start with new kernel In-Reply-To: <4210F7BA.7000203@feuerpokemon.de> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> <4210EBDE.2000405@feuerpokemon.de> <1108405739.15437.138.camel@moss-spartans.epoch.ncsc.mil> <4210F2A2.8070102@feuerpokemon.de> <1108407142.15437.153.camel@moss-spartans.epoch.ncsc.mil> <4210F7BA.7000203@feuerpokemon.de> Message-ID: <1108408261.15437.161.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-02-14 at 14:10, dragoran wrote: > My arch is i686 (athlon). > rpm -V libgcc shows: > SM5....T. /lib/libgcc_s-3.4.2-20041018.so.1 This means that it doesn't match the rpm database in various respects, i.e. S = size differs, M = mode differs, 5 = MD5 sum differs, T = mtime differs. Seems a little worrisome to me. > execstack -c /lib/libgcc_s.so.1 shows nothing. Run execstack -q again on it to see if it did indeed clear the executable marker. But I'd be more worried about the rpm -V output at this point. 
-- Stephen Smalley National Security Agency From dragoran at feuerpokemon.de Mon Feb 14 19:23:59 2005 From: dragoran at feuerpokemon.de (dragoran) Date: Mon, 14 Feb 2005 20:23:59 +0100 Subject: mysql wont start with new kernel In-Reply-To: <1108408261.15437.161.camel@moss-spartans.epoch.ncsc.mil> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> <4210EBDE.2000405@feuerpokemon.de> <1108405739.15437.138.camel@moss-spartans.epoch.ncsc.mil> <4210F2A2.8070102@feuerpokemon.de> <1108407142.15437.153.camel@moss-spartans.epoch.ncsc.mil> <4210F7BA.7000203@feuerpokemon.de> <1108408261.15437.161.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4210FACF.4000200@feuerpokemon.de> Stephen Smalley wrote: >On Mon, 2005-02-14 at 14:10, dragoran wrote: > > >>My arch is i686 (athlon). >>rpm -V libgcc shows: >>SM5....T. /lib/libgcc_s-3.4.2-20041018.so.1 >> >> > >This means that it doesn't match the rpm database in various respects, >i.e. S = size differs, M = mode differs, 5 = MD5 sum differs, T = mtime >differs. Seems a little worrisome to me. > > > >>execstack -c /lib/libgcc_s.so.1 shows nothing. >> >> > >Run execstack -q again on it to see if it did indeed clear the >executable marker. But I'd be more worried about the rpm -V output at >this point. 
> > > [dragoran at chello062178124144 ~]$ execstack -q /lib/libgcc_s-3.4.2-20041018.so.1 X /lib/libgcc_s-3.4.2-20041018.so.1 [dragoran at chello062178124144 ~]$ execstack -q /lib/libgcc_s.so.1 - /lib/libgcc_s.so.1 [dragoran at chello062178124144 ~]$ From sds at epoch.ncsc.mil Mon Feb 14 19:24:14 2005 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Mon, 14 Feb 2005 14:24:14 -0500 Subject: mysql wont start with new kernel In-Reply-To: <4210FACF.4000200@feuerpokemon.de> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> <4210EBDE.2000405@feuerpokemon.de> <1108405739.15437.138.camel@moss-spartans.epoch.ncsc.mil> <4210F2A2.8070102@feuerpokemon.de> <1108407142.15437.153.camel@moss-spartans.epoch.ncsc.mil> <4210F7BA.7000203@feuerpokemon.de> <1108408261.15437.161.camel@moss-spartans.epoch.ncsc.mil> <4210FACF.4000200@feuerpokemon.de> Message-ID: <1108409054.15437.171.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-02-14 at 14:23, dragoran wrote: > [dragoran at chello062178124144 ~]$ execstack -q > /lib/libgcc_s-3.4.2-20041018.so.1 > X /lib/libgcc_s-3.4.2-20041018.so.1 > [dragoran at chello062178124144 ~]$ execstack -q /lib/libgcc_s.so.1 > - /lib/libgcc_s.so.1 > [dragoran at chello062178124144 ~]$ /lib/libgcc_s.so.1 is a symlink to /lib/libgcc_s-3.4.2-20041018.so.1 on a FC3 system here. And neither requires executable stack. Have you rebuilt it from source? 
-- Stephen Smalley National Security Agency From dragoran at feuerpokemon.de Tue Feb 15 05:47:45 2005 From: dragoran at feuerpokemon.de (dragoran) Date: Tue, 15 Feb 2005 06:47:45 +0100 Subject: mysql wont start with new kernel In-Reply-To: <1108409054.15437.171.camel@moss-spartans.epoch.ncsc.mil> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> <4210EBDE.2000405@feuerpokemon.de> <1108405739.15437.138.camel@moss-spartans.epoch.ncsc.mil> <4210F2A2.8070102@feuerpokemon.de> <1108407142.15437.153.camel@moss-spartans.epoch.ncsc.mil> <4210F7BA.7000203@feuerpokemon.de> <1108408261.15437.161.camel@moss-spartans.epoch.ncsc.mil> <4210FACF.4000200@feuerpokemon.de> <1108409054.15437.171.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <42118D01.9040305@feuerpokemon.de> Stephen Smalley wrote: >On Mon, 2005-02-14 at 14:23, dragoran wrote: > > >>[dragoran at chello062178124144 ~]$ execstack -q >>/lib/libgcc_s-3.4.2-20041018.so.1 >>X /lib/libgcc_s-3.4.2-20041018.so.1 >>[dragoran at chello062178124144 ~]$ execstack -q /lib/libgcc_s.so.1 >>- /lib/libgcc_s.so.1 >>[dragoran at chello062178124144 ~]$ >> >> > >/lib/libgcc_s.so.1 is a symlink to /lib/libgcc_s-3.4.2-20041018.so.1 on >a FC3 system here. And neither requires executable stack. > >Have you rebuilt it from source? > > > no From joe at swelltech.com Tue Feb 15 07:49:31 2005 From: joe at swelltech.com (Joe Cooper) Date: Tue, 15 Feb 2005 01:49:31 -0600 Subject: Problems adding to targeted policy for a new cache directory for Squid Message-ID: <4211A98B.1040107@swelltech.com> Hi all, I'm running into some issues adding policy to cover some extra directories that we use on our systems. I'm using FC3 and the latest errata targeted policy and kernel. 
For our Squid process, we devote one or more partitions for cache storage, named /cache0, /cache1, and so on. I've added the following line to file_contexts/program/squid.fc: /cache.*(/.*)? system_u:object_r:squid_cache_t Which matches the lines for /var/spool/squid(/.*)? and /var/cache/squid(/.*)?. After running "restorecon -Rv /cache0", I have the right label on /cache0: [root at localhost /]# ls -ldZ /cache0 drwxr-xr-x squid squid system_u:object_r:squid_cache_t /cache0 [root at localhost /]# ls -ldZ /var/spool/squid drwxr-x--- squid squid system_u:object_r:squid_cache_t /var/spool/squid However, when I start Squid I get a lot of avc: denied errors (I'm in permissive mode for testing). Some of which don't even make any sense to me, like this one: audit(1108452395.149:0): avc: denied { read } for pid=3778 exe=/usr/sbin/squid name=00 dev=hdc2 ino=5 scontext=root:system_r:squid_t tcontext=root:object_r:nfs_t tclass=dir This seems to indicate Squid needs to have nfs_t privileges, though I don't see why this should be so in the targeted policy. If I run restorecon again (after creating the directories), I get a segfault and it stops before reaching the file(s) in the top level of the directory (there are subdirectories which all get relabeled). i.e.: [root at localhost /]# restorecon -Rv /cache0 ... 
restorecon reset context /cache0/0F/FF:->system_u:object_r:squid_cache_t
Segmentation fault

[root at localhost /]# ls -lZ /cache0
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 00
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 01
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 02
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 03
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 04
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 05
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 06
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 07
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 08
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 09
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0A
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0B
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0C
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0D
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0E
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0F
-rw-r--r-- squid squid swap.state

So swap.state is still unlabeled, and starting Squid leads to more avc: denied errors. If I restorecon on just swap.state, Squid starts without errors, but after a reboot, the label is lost and Squid generates errors again. I'll file an issue on the restorecon segfault, but that still probably doesn't solve all of my problems.

So, I'm quite stumped...I thought I had done what I needed to make this work, but clearly there are at least three things I don't understand:

1. Why does it lose the swap.state label on reboot? Does restorecon run on every boot?
2. Why doesn't /var/spool/squid exhibit this same problem? restorecon works without segfault, and doesn't lose the label on swap.state after a reboot.
3. Where is nfs_t coming from on /cache0? It seems like some kind of default that it falls back to when a file is unlabeled, but I don't see anywhere that nfs_t is a generic label.

Thanks!
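The labeling half of the problem above can be worked through offline. What follows is an added example, not code from the thread and not libselinux: a small matchpathcon-style resolver that applies file_contexts lines the way the real one does (each regex is anchored at both ends, and when several lines match a path the last one in file order wins). The FILE_CONTEXTS text is constructed from the squid entries quoted in the message plus an assumed `/.*` catch-all; the tightened `/cache[0-9]+(/.*)?` variant is my suggestion, not something the thread proposes. It shows only which label restorecon would assign from a given spec file; it says nothing about why a label disappears across reboots, and it does not model the user field of the context (restorecon writes the spec's system_u, while a file the daemon creates for itself carries the creating process's user, which is the usual source of root: versus system_u: differences).

```python
import re

# Constructed file_contexts fragment: the three squid entries quoted in the thread plus
# an assumed catch-all default line (the real policy's default entry is worded differently).
FILE_CONTEXTS = """
/.*                       system_u:object_r:default_t
/var/spool/squid(/.*)?    system_u:object_r:squid_cache_t
/var/cache/squid(/.*)?    system_u:object_r:squid_cache_t
/cache.*(/.*)?            system_u:object_r:squid_cache_t
"""

# Same fragment with a tighter pattern for the cache partitions (my suggestion, not the thread's).
TIGHT_FILE_CONTEXTS = """
/.*                       system_u:object_r:default_t
/var/spool/squid(/.*)?    system_u:object_r:squid_cache_t
/var/cache/squid(/.*)?    system_u:object_r:squid_cache_t
/cache[0-9]+(/.*)?        system_u:object_r:squid_cache_t
"""

def parse_file_contexts(text):
    """Parse 'regex [-type] context' lines; keep file order, since order decides ties."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 2:
            regex, ftype, ctx = parts[0], None, parts[1]
        elif len(parts) == 3 and parts[1].startswith("-"):
            regex, ftype, ctx = parts[0], parts[1], parts[2]
        else:
            raise ValueError("unparseable file_contexts line: %r" % raw)
        # libselinux anchors every spec regex at both ends; these specs use only the
        # subset of POSIX extended syntax that Python's re reads the same way.
        entries.append((re.compile("^(?:%s)$" % regex), ftype, ctx))
    return entries

def matchpathcon(entries, path, ftype=None):
    """Label for path: of all matching specs, the last one in file order wins.

    ftype is the optional '-d', '--', '-l' ... qualifier on a spec line; a spec
    without one applies to every file type.
    """
    winner = None
    for rx, spec_type, ctx in entries:
        if spec_type is not None and ftype is not None and spec_type != ftype:
            continue
        if rx.match(path):
            winner = ctx
    return winner

def label_report(text, paths):
    """Map each path to the context restorecon would set from this spec file."""
    entries = parse_file_contexts(text)
    return {p: matchpathcon(entries, p) for p in paths}

if __name__ == "__main__":
    probe = ["/cache0", "/cache0/00/swap.state", "/cachedrive/x", "/var/spool/squid/00", "/etc/passwd"]
    for spec in (FILE_CONTEXTS, TIGHT_FILE_CONTEXTS):
        for p, ctx in label_report(spec, probe).items():
            print("%-28s %s" % (p, ctx))
        print()
```

The point the second spec makes is that `/cache.*(/.*)?` is unanchored on the right of `cache`, so any top-level name beginning with /cache (a /cachedrive, for instance) would be handed to squid_cache_t as well; `/cache[0-9]+(/.*)?` covers /cache0, /cache1 and so on without that.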
From joe at swelltech.com Tue Feb 15 08:04:03 2005 From: joe at swelltech.com (Joe Cooper) Date: Tue, 15 Feb 2005 02:04:03 -0600 Subject: Problems adding to targeted policy for a new cache directory for Squid In-Reply-To: <4211A98B.1040107@swelltech.com> References: <4211A98B.1040107@swelltech.com> Message-ID: <4211ACF3.8010503@swelltech.com> Joe Cooper wrote: > If I run restorecon again (after creating the directories), I get a > segfault and it stops before reaching the file(s) in the top level of > the directory (there are subdirectories which all get relabeled). i.e.: > > [root at localhost /]# restorecon -Rv /cache0 > ... > restorecon reset context /cache0/0F/FF:->system_u:object_r:squid_cache_t > Segmentation fault Just to add to this, I found an update in the testing directory for policycoreutils that fixes this segfault, so this aspect of the problem goes away. However, I'm still losing the label on swap.state, and I've also noticed that I'm actually getting slightly different labels than /var/spool/squid: [root at localhost /]# ls -lZ /var/spool/squid drwxr-xr-x squid squid root:object_r:squid_cache_t 00 [root at localhost /]# ls -lZ /cache0 drwxr-xr-x squid squid system_u:object_r:squid_cache_t 00 So I've got root:object_r:squid_cache_t for /var/spool/squid (the one that works) and system_u:object_r:squid_cache_t for the one that doesn't, though the top level directory of /var/squid/squid is the same: [root at localhost /]# ls -ldZ /var/spool/squid drwxr-x--- squid squid system_u:object_r:squid_cache_t /var/spool/squid [root at localhost /]# ls -ldZ /cache0 drwxr-xr-x squid squid system_u:object_r:squid_cache_t /cache0 I have no clue where that root/system_u difference is coming from--I never have been able to figure out how this labeling happens. Thanks for any clarification anyone might have for me. My first foray into SELinux has been a harrowing experience...a week in and I still have only foggy notions of what's happening. 
;-) From sds at epoch.ncsc.mil Tue Feb 15 12:21:15 2005 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Tue, 15 Feb 2005 07:21:15 -0500 Subject: mysql wont start with new kernel In-Reply-To: <42118D01.9040305@feuerpokemon.de> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> <4210EBDE.2000405@feuerpokemon.de> <1108405739.15437.138.camel@moss-spartans.epoch.ncsc.mil> <4210F2A2.8070102@feuerpokemon.de> <1108407142.15437.153.camel@moss-spartans.epoch.ncsc.mil> <4210F7BA.7000203@feuerpokemon.de> <1108408261.15437.161.camel@moss-spartans.epoch.ncsc.mil> <4210FACF.4000200@feuerpokemon.de> <1108409054.15437.171.camel@moss-spartans.epoch.ncsc.mil> <42118D01.9040305@feuerpokemon.de> Message-ID: <1108470074.17854.27.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2005-02-15 at 00:47, dragoran wrote: > Stephen Smalley wrote: > >Have you rebuilt it from source? > > > > > > > no Then it is time for forensics I think, i.e. you've been rooted or suffered some kind of corruption, and then it is time to re-install. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Tue Feb 15 14:37:57 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 15 Feb 2005 09:37:57 -0500 Subject: Problems adding to targeted policy for a new cache directory for Squid In-Reply-To: <4211A98B.1040107@swelltech.com> References: <4211A98B.1040107@swelltech.com> Message-ID: <42120945.7080309@redhat.com> Joe Cooper wrote: > Hi all, > > I'm running into some issues adding policy to cover some extra > directories that we use on our systems. I'm using FC3 and the latest > errata targeted policy and kernel. For our Squid process, we devote > one or more partitions for cache storage, named /cache0, /cache1, and > so on. 
> > I've added the following line to file_contexts/program/squid.fc: > > /cache.*(/.*)? system_u:object_r:squid_cache_t > The newer versions of restorecon allow you to specify file_contexts.local for things like this so you don't have to deal with sources. > Which matches the lines for /var/spool/squid(/.*)? and > /var/cache/squid(/.*)?. After running "restorecon -Rv /cache0", I > have the right label on /cache0: > > [root at localhost /]# ls -ldZ /cache0 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t /cache0 > [root at localhost /]# ls -ldZ /var/spool/squid > drwxr-x--- squid squid system_u:object_r:squid_cache_t > /var/spool/squid > > However, when I start Squid I get a lot of avc: denied errors (I'm in > permissive mode for testing). Some of which don't even make any sense > to me, like this one: > > audit(1108452395.149:0): avc: denied { read } for pid=3778 > exe=/usr/sbin/squid name=00 dev=hdc2 ino=5 > scontext=root:system_r:squid_t tcontext=root:object_r:nfs_t tclass=dir > > This seems to indicate Squid needs to have nfs_t privileges, though I > don't see why this should be so in the targeted policy. > Yes it should not need this. > If I run restorecon again (after creating the directories), I get a > segfault and it stops before reaching the file(s) in the top level of > the directory (there are subdirectories which all get relabeled). i.e.: > > [root at localhost /]# restorecon -Rv /cache0 > ... 
> restorecon reset context /cache0/0F/FF:->system_u:object_r:squid_cache_t > Segmentation fault > [root at localhost /]# ls -lZ /cache0 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 00 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 01 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 02 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 03 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 04 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 05 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 06 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 07 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 08 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 09 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0A > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0B > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0C > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0D > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0E > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0F > -rw-r--r-- squid squid swap.state > > So swap.state is still unlabeled, and starting Squid leads to more > avc: denied errores. If I restorecon on just swap.state, Squid starts > without errors, but after a reboot, the label is lost and Squid > generates errors again. I'll file an issue on the restorecon > segfault, but that still probably doesn't solve all of my problems. > > So, I'm quite stumped...I thought I had done what I needed to make > this work, but clearly there's at least three things I don't understand: > > 1. Why does it lose the swap.state label on reboot? Does restorecon > run on every boot? > Does /cache0 get deleted on reboot? Is this on an ext3 file system? > 2. Why doesn't /var/spool/squid exhibit this same problem? restorecon > works without segfault, and doesn't lose the label on swap.state after > a reboot. > restorecon fixed in update. 
The only way you should lose the context is if you are using something other than ext2/3 for a file system or if the directory is being replaced on every reboot. > 3. Where is nfs_t coming from on /cache0? It seems like some kind of > default that it falls back to when a file is unlabeled, but I don't > see anywhere that nfs_t is a generic label. > I don't know. Are you starting the squid service while sitting on an NFS partition? Any directories having anything to do with Squid on an NFS partition? > Thanks! > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list From susan_geller at speakeasy.net Tue Feb 15 16:35:35 2005 From: susan_geller at speakeasy.net (susan_geller at speakeasy.net) Date: Tue, 15 Feb 2005 16:35:35 +0000 Subject: Policies for apache httpd and snmp Message-ID: I installed Fedora Core 3 recently and haven't made any changes to the configuration files in /etc. I'm getting: audit(1108296143.176:0): avc: denied { write } for pid=3971 exe=/usr/sbin/httpd name=mibs dev=hda1 ino=833921 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir It seems that apache is trying to write to a file in the /usr/share/snmp/mibs directory. I don't know enough about snmp to know what apache thinks it is trying to do, but I'm guessing I should allow it in my selinux policies. Which policy do I change and how? Thanks, Susan From dwalsh at redhat.com Tue Feb 15 16:53:22 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 15 Feb 2005 11:53:22 -0500 Subject: Policies for apache httpd and snmp In-Reply-To: References: Message-ID: <42122902.6020902@redhat.com> susan_geller at speakeasy.net wrote: >I installed Fedora Core 3 recently and haven't made any changes to the >configuration files in /etc.
> >I'm getting: > >audit(1108296143.176:0): avc: denied { write } for pid=3971 exe=/usr/sbin/httpd name=mibs dev=hda1 ino=833921 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir > >It seems that apache is trying to write to a file in the /usr/share/snmp/mibs directory. > >I don't know enough about snmp to know what apache thinks it is trying to do, but I'm guessing I should allow it in my selinux policies. > >Which policy do I change and how? > >Thanks, Susan > > > > > Please update to the latest policy file available. yum update selinux-policy-targeted From selinux at gmail.com Tue Feb 15 17:04:45 2005 From: selinux at gmail.com (Tom London) Date: Tue, 15 Feb 2005 09:04:45 -0800 Subject: vmware: execmod for /lib/tls/libc-2.3.4.so, /lib/libnss_files-2.3.4.so, /lib/ld-2.3.4.so? Message-ID: <4c4ba1530502150904719c9085@mail.gmail.com> Running targeted, latest Rawhide.
VMware now produces the following: Feb 15 07:31:38 localhost kernel: audit(1108481498.195:0): avc: denied { execmod } for pid=2911 comm=vmnet-bridge path=/lib/tls/libc-2.3.4.so dev=dm-0 ino=327780 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file Feb 15 07:31:38 localhost kernel: audit(1108481498.255:0): avc: denied { execmod } for pid=2915 comm=vmware-ping path=/lib/tls/libc-2.3.4.so dev=dm-0 ino=327780 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file Feb 15 07:31:38 localhost VMware[init]: /usr/bin/vmware-ping: error while loading shared libraries: /lib/tls/libc.so.6: cannot apply additional memory protection after relocation: Permission denied <<>> Feb 15 07:47:53 localhost kernel: audit(1108482473.711:0): avc: denied { execmod } for pid=6297 comm=vmnet-dhcpd path=/lib/libnss_files-2.3.4.so dev=dm-0 ino=556112 scontext=root:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file <<>> Feb 15 08:45:20 localhost kernel: audit(1108485920.125:0): avc: denied { execmod } for pid=5004 comm=vmnet-bridge path=/lib/ld-2.3.4.so dev=dm-0 ino=327776 scontext=root:system_r:initrc_t tcontext=system_u:object_r:ld_so_t tclass=file Could tag /lib/tls/libc* and /lib/libnss_files* as texrel_shlib_t, but what about /lib/ld-*? Separate domain for VMware? I'm testing this on a targeted system; not sure impact on strict policy. tom [Minor point/question: The AVC shows the libraries as lib_t, even though they are shlib_t. The symbolic links (e.g., /lib/tls/libc.so.6) are lib_t, however.... Should the AVC have tcontext of the link or the file?] -- Tom London From dwalsh at redhat.com Tue Feb 15 17:10:04 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 15 Feb 2005 12:10:04 -0500 Subject: vmware: execmod for /lib/tls/libc-2.3.4.so, /lib/libnss_files-2.3.4.so, /lib/ld-2.3.4.so?
In-Reply-To: <4c4ba1530502150904719c9085@mail.gmail.com> References: <4c4ba1530502150904719c9085@mail.gmail.com> Message-ID: <42122CEC.5040500@redhat.com> Tom London wrote: >Running targeted, latest Rawhide. > >VMware now produces the following: > >Feb 15 07:31:38 localhost kernel: audit(1108481498.195:0): avc: >denied { execmod } for pid=2911 comm=vmnet-bridge >path=/lib/tls/libc-2.3.4.so dev=dm-0 ino=327780 >scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:lib_t >tclass=file >Feb 15 07:31:38 localhost kernel: audit(1108481498.255:0): avc: >denied { execmod } for pid=2915 comm=vmware-ping >path=/lib/tls/libc-2.3.4.so dev=dm-0 ino=327780 >scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:lib_t >tclass=file >Feb 15 07:31:38 localhost VMware[init]: /usr/bin/vmware-ping: error >while loading shared libraries: /lib/tls/libc.so.6: cannot apply >additional memory protection after relocation: Permission denied ><<>> >Feb 15 07:47:53 localhost kernel: audit(1108482473.711:0): avc: >denied { execmod } for pid=6297 comm=vmnet-dhcpd >path=/lib/libnss_files-2.3.4.so dev=dm-0 ino=556112 >scontext=root:system_r:initrc_t tcontext=system_u:object_r:lib_t >tclass=file ><<>> >Feb 15 08:45:20 localhost kernel: audit(1108485920.125:0): avc: >denied { execmod } for pid=5004 comm=vmnet-bridge >path=/lib/ld-2.3.4.so dev=dm-0 ino=327776 >scontext=root:system_r:initrc_t tcontext=system_u:object_r:ld_so_t >tclass=file > >Could tag /lib/tls/libc* and /lib/libnss_files* as texrel_shlib_t, but >what about /lib/ld-*? >Seperate domain for VMware? > >I'm testing this on a targeted system; not sure impact on strict policy. > >tom > >[Minor point/question: The AVC shows the libraries as lib_t, even >though they are shlib_t. The symbolic links (e.g., /lib/tls/libc.so.6) >are lib_t, however.... Should the AVC have tcontext of the link or the >file?] > > Current policy should allow unconfined_t to have these perms. If you have allow_execmod set? 
From dwalsh at redhat.com Tue Feb 15 17:14:07 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 15 Feb 2005 12:14:07 -0500 Subject: vmware: execmod for /lib/tls/libc-2.3.4.so, /lib/libnss_files-2.3.4.so, /lib/ld-2.3.4.so? In-Reply-To: <4c4ba1530502150904719c9085@mail.gmail.com> References: <4c4ba1530502150904719c9085@mail.gmail.com> Message-ID: <42122DDF.1010404@redhat.com> Tom London wrote: >Running targeted, latest Rawhide. > >VMware now produces the following: > >Feb 15 07:31:38 localhost kernel: audit(1108481498.195:0): avc: >denied { execmod } for pid=2911 comm=vmnet-bridge >path=/lib/tls/libc-2.3.4.so dev=dm-0 ino=327780 >scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:lib_t >tclass=file >Feb 15 07:31:38 localhost kernel: audit(1108481498.255:0): avc: >denied { execmod } for pid=2915 comm=vmware-ping >path=/lib/tls/libc-2.3.4.so dev=dm-0 ino=327780 >scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:lib_t >tclass=file >Feb 15 07:31:38 localhost VMware[init]: /usr/bin/vmware-ping: error >while loading shared libraries: /lib/tls/libc.so.6: cannot apply >additional memory protection after relocation: Permission denied ><<>> >Feb 15 07:47:53 localhost kernel: audit(1108482473.711:0): avc: >denied { execmod } for pid=6297 comm=vmnet-dhcpd >path=/lib/libnss_files-2.3.4.so dev=dm-0 ino=556112 >scontext=root:system_r:initrc_t tcontext=system_u:object_r:lib_t >tclass=file ><<>> >Feb 15 08:45:20 localhost kernel: audit(1108485920.125:0): avc: >denied { execmod } for pid=5004 comm=vmnet-bridge >path=/lib/ld-2.3.4.so dev=dm-0 ino=327776 >scontext=root:system_r:initrc_t tcontext=system_u:object_r:ld_so_t >tclass=file > >Could tag /lib/tls/libc* and /lib/libnss_files* as texrel_shlib_t, but >what about /lib/ld-*? >Seperate domain for VMware? > >I'm testing this on a targeted system; not sure impact on strict policy. > >tom > >[Minor point/question: The AVC shows the libraries as lib_t, even >though they are shlib_t. 
The symbolic links (e.g., /lib/tls/libc.so.6) >are lib_t, however.... Should the AVC have tcontext of the link or the >file?] > > Targeted policy now equates lib_t and shlib_t so this is probably what is happening. Links should be lib_t. From selinux at gmail.com Tue Feb 15 17:44:31 2005 From: selinux at gmail.com (Tom London) Date: Tue, 15 Feb 2005 09:44:31 -0800 Subject: vmware: execmod for /lib/tls/libc-2.3.4.so, /lib/libnss_files-2.3.4.so, /lib/ld-2.3.4.so? In-Reply-To: <42122DDF.1010404@redhat.com> References: <4c4ba1530502150904719c9085@mail.gmail.com> <42122DDF.1010404@redhat.com> Message-ID: <4c4ba15305021509443ca89797@mail.gmail.com> On Tue, 15 Feb 2005 12:14:07 -0500, Daniel J Walsh wrote: >Current policy should allow unconfined_t to have these perms. If you >have allow_execmod set? > allow_execmod --> active If I 'chcon -t texrel_shlib_t /lib/tls/.... /lib/libnss...' those two AVC go away. But what to do about /lib/ld-*? BTW, this happened with today's policy: selinux-policy-targeted-1.21.12-3. Previous ones worked just fine. 
tom -- Tom London From dragoran at feuerpokemon.de Tue Feb 15 17:51:32 2005 From: dragoran at feuerpokemon.de (dragoran) Date: Tue, 15 Feb 2005 18:51:32 +0100 Subject: mysql wont start with new kernel In-Reply-To: <1108470074.17854.27.camel@moss-spartans.epoch.ncsc.mil> References: <4205D097.5010800@feuerpokemon.de> <420E2971.2090309@feuerpokemon.de> <1108384909.15437.11.camel@moss-spartans.epoch.ncsc.mil> <4210DED2.9040608@feuerpokemon.de> <1108402835.15437.116.camel@moss-spartans.epoch.ncsc.mil> <4210E4E4.102@feuerpokemon.de> <1108404377.15437.124.camel@moss-spartans.epoch.ncsc.mil> <4210EBDE.2000405@feuerpokemon.de> <1108405739.15437.138.camel@moss-spartans.epoch.ncsc.mil> <4210F2A2.8070102@feuerpokemon.de> <1108407142.15437.153.camel@moss-spartans.epoch.ncsc.mil> <4210F7BA.7000203@feuerpokemon.de> <1108408261.15437.161.camel@moss-spartans.epoch.ncsc.mil> <4210FACF.4000200@feuerpokemon.de> <1108409054.15437.171.camel@moss-spartans.epoch.ncsc.mil> <42118D01.9040305@feuerpokemon.de> <1108470074.17854.27.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <421236A4.3090209@feuerpokemon.de> Stephen Smalley wrote: >On Tue, 2005-02-15 at 00:47, dragoran wrote: > > >>Stephen Smalley wrote: >> >> >>>Have you rebuilt it from source? >>> >>> >>> >>> >>> >>no >> >> > >Then it is time for forensics I think, i.e. you've been rooted or >suffered some kind of corruption, and then it is time to re-install. > > > thanks I downloaded the libgcc rpm and did rpm -Uhv --force libgcc-3.4.2-6.fc3.i386.rpm and it seems to work now. [root at chello062178124144 Downloads]# rpm -V libgcc [root at chello062178124144 Downloads]# execstack -q /lib/libgcc_s-3.4.2-20041018.so.1 - /lib/libgcc_s-3.4.2-20041018.so.1 [root at chello062178124144 Downloads]# From sds at epoch.ncsc.mil Tue Feb 15 18:26:24 2005 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Tue, 15 Feb 2005 13:26:24 -0500 Subject: vmware: execmod for /lib/tls/libc-2.3.4.so, /lib/libnss_files-2.3.4.so, /lib/ld-2.3.4.so? 
In-Reply-To: <42122CEC.5040500@redhat.com> References: <4c4ba1530502150904719c9085@mail.gmail.com> <42122CEC.5040500@redhat.com> Message-ID: <1108491984.17854.161.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-02-15 at 12:10, Daniel J Walsh wrote:
> Current policy should allow unconfined_t to have these perms. If you
> have allow_execmod set?

The audit messages in his posting showed the denials happening for initrc_t, not unconfined_t. Why is vmware running in initrc_t?

-- Stephen Smalley National Security Agency

From selinux at gmail.com Tue Feb 15 18:37:55 2005 From: selinux at gmail.com (Tom London) Date: Tue, 15 Feb 2005 10:37:55 -0800 Subject: vmware: execmod for /lib/tls/libc-2.3.4.so, /lib/libnss_files-2.3.4.so, /lib/ld-2.3.4.so? In-Reply-To: <1108491984.17854.161.camel@moss-spartans.epoch.ncsc.mil> References: <4c4ba1530502150904719c9085@mail.gmail.com> <42122CEC.5040500@redhat.com> <1108491984.17854.161.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4c4ba153050215103778eab33c@mail.gmail.com>

On Tue, 15 Feb 2005 13:26:24 -0500, Stephen Smalley wrote:
> On Tue, 2005-02-15 at 12:10, Daniel J Walsh wrote:
> > Current policy should allow unconfined_t to have these perms. If you
> > have allow_execmod set?
>
> The audit messages in his posting showed the denials happening for
> initrc_t, not unconfined_t. Why is vmware running in initrc_t?
>
> --
> Stephen Smalley
> National Security Agency
>

Ah... good point. VMware has stuff in /etc/init.d to install its kernel modules and set up its networking stuff. So this script is running as initrc_t and is failing. Because of this, I don't even get to run the 'vmware' command. Sorry for the confusion.

tom

-- Tom London

From susan_geller at speakeasy.net Wed Feb 16 03:00:07 2005 From: susan_geller at speakeasy.net (susan_geller at speakeasy.net) Date: Wed, 16 Feb 2005 03:00:07 +0000 Subject: Policies for apache httpd and snmp (Daniel J Walsh) Message-ID:

> > yum update selinux-policy-targeted
>

Thanks.
It seems to be working now.

Susan

From russell at coker.com.au Wed Feb 16 05:45:13 2005 From: russell at coker.com.au (Russell Coker) Date: Wed, 16 Feb 2005 16:45:13 +1100 Subject: error: kernel: audit: avc: denied { write } In-Reply-To: <41FF9610.7050609@axs.net> References: <41FF9610.7050609@axs.net> Message-ID: <200502161645.15786.russell@coker.com.au>

On Wednesday 02 February 2005 01:45, Roger Skildum wrote:
> I am running FC3 with a vanilla 2.6.10 kernel patched for Win4lin. I am
> not sure what has happened but all of a sudden I started getting a whole
> slew of the errors listed below each time I boot.
>
> Jan 30 05:18:48 host kernel: audit(1107080328.663:0): avc: denied {
> write } for pid=3575 exe=/usr/sbin/ntpd name=log dev=tmpfs ino=6673
> scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:device_t
> tclass=sock_file

Does that particular message happen every time you boot? If so then maybe syslogd is running in the wrong domain. Run "ps axZ|grep syslog" to check the context of syslogd (should be syslogd_t).

> From what I understand they are related to selinux. They are not all
> the same but all deal with kernel: audit. The system log shows me that
> they happen while the system is running also. I have not noticed any
> system degradation but something must be wrong. I do not think I have

Is the system in permissive mode? If it's in enforcing mode then such errors would result in significant differences of the operation of the machine.

> done anything to cause this except update my system. When I run system
> monitor I see under the Resource Monitor tab I see a device listed as
> /dev/shm with a type as tmpfs with a total of 125MB but 0% used. When I
> look in the /dev directory there is no /dev/shm or /dev/tmpfs for that
> matter. Is this related to the problem since the error lists
> dev=tmpfs? Any ideas as to what is wrong or how to correct?

The error you report related to /dev/shm is strange. Let's fix the other error first.
-- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From kwade at redhat.com Wed Feb 16 05:49:00 2005 From: kwade at redhat.com (Karsten Wade) Date: Tue, 15 Feb 2005 21:49:00 -0800 Subject: Problems adding to targeted policy for a new cache directory for Squid In-Reply-To: <4211ACF3.8010503@swelltech.com> References: <4211A98B.1040107@swelltech.com> <4211ACF3.8010503@swelltech.com> Message-ID: <1108532941.27835.16.camel@erato.phig.org> On Tue, 2005-02-15 at 02:04 -0600, Joe Cooper wrote: > Joe Cooper wrote: > also noticed that I'm actually getting slightly different labels than > /var/spool/squid: > > [root at localhost /]# ls -lZ /var/spool/squid > drwxr-xr-x squid squid root:object_r:squid_cache_t 00 > [root at localhost /]# ls -lZ /cache0 > drwxr-xr-x squid squid system_u:object_r:squid_cache_t 00 > > So I've got root:object_r:squid_cache_t for /var/spool/squid (the one > that works) and system_u:object_r:squid_cache_t for the one that > doesn't, That different field is for the SELinux identity, which doesn't come much into play for the targeted policy. You get 'system_u:object_r' when something has been created by a system process, you get 'root:object_r' when something has been created by the root user. There is an actual SELinux user 'root' that corresponds to the Linux user 'root'. - Karsten -- Karsten Wade, RHCE * Sr. 
Tech Writer * http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41 IT executives rate Red Hat #1 for value http://www.redhat.com/promo/vendor/ From joe at swelltech.com Wed Feb 16 06:42:30 2005 From: joe at swelltech.com (Joe Cooper) Date: Wed, 16 Feb 2005 00:42:30 -0600 Subject: Problems adding to targeted policy for a new cache directory for Squid In-Reply-To: <1108532941.27835.16.camel@erato.phig.org> References: <4211A98B.1040107@swelltech.com> <4211ACF3.8010503@swelltech.com> <1108532941.27835.16.camel@erato.phig.org> Message-ID: <4212EB56.4060707@swelltech.com> Karsten Wade wrote: > On Tue, 2005-02-15 at 02:04 -0600, Joe Cooper wrote: > >>Joe Cooper wrote: >>also noticed that I'm actually getting slightly different labels than >>/var/spool/squid: >> >>[root at localhost /]# ls -lZ /var/spool/squid >>drwxr-xr-x squid squid root:object_r:squid_cache_t 00 >>[root at localhost /]# ls -lZ /cache0 >>drwxr-xr-x squid squid system_u:object_r:squid_cache_t 00 >> >>So I've got root:object_r:squid_cache_t for /var/spool/squid (the one >>that works) and system_u:object_r:squid_cache_t for the one that >>doesn't, > > > That different field is for the SELinux identity, which doesn't come > much into play for the targeted policy. > > You get 'system_u:object_r' when something has been created by a system > process, you get 'root:object_r' when something has been created by the > root user. There is an actual SELinux user 'root' that corresponds to > the Linux user 'root'. Thanks for that explanation, Karsten. Some of these things are starting to make a bit of sense now. ;-) From jorton at redhat.com Wed Feb 16 14:24:25 2005 From: jorton at redhat.com (Joe Orton) Date: Wed, 16 Feb 2005 14:24:25 +0000 Subject: httpd log rotation problem? 
In-Reply-To: <345764DCB65C0C4FACC44529DE273C18F8EA11@eemail1.microlink.lan> References: <345764DCB65C0C4FACC44529DE273C18F8EA11@eemail1.microlink.lan> Message-ID: <20050216142425.GA1139@redhat.com>

On Mon, Feb 07, 2005 at 09:54:04AM +0200, Fred New wrote:
> I am getting the following message once a week on a standard FC3 system.
> Is this one of those denials that shouldn't be audited?:
>
> Feb 6 04:02:26 nimeta01 kernel: audit(1107655346.258:0): avc: denied
> { ioctl } for pid=3587 exe=/usr/sbin/httpd
> path=/var/log/httpd/error_log.1 dev=hda3 ino=1174805
> scontext=user_u:system_r:httpd_t tcontext=root:object_r:httpd_runtime_t
> tclass=file

I've also seen this a few times on my FC3 test box now; it triggers on logrotate runs when the server is restarted.

Do you have mod_perl installed? I believe it's Perl which does random ioctl calls on fd's 0-3, I don't know why, but it should probably be marked as "dontaudit".

joe

From hongwei at wustl.edu Wed Feb 16 15:21:06 2005 From: hongwei at wustl.edu (Hongwei Li) Date: Wed, 16 Feb 2005 09:21:06 -0600 (CST) Subject: Can somebody help me? Message-ID: <3551.128.252.85.103.1108567266.squirrel@morpheus.wustl.edu>

Hi, I posted this question a few days ago, but I haven't seen any reply. Maybe I missed some. Here I post it again and hope I can get some help.

My system:
os: RedHat FC3 linux, kernel-2.6.10-1.760_FC3, selinux enforced, iptables enabled
selinux: selinux-policy-targeted-1.17.30-2.75
iptables: iptables-1.2.11-3.1.FC3
web server: httpd-2.0.52-3.1
sendmail: sendmail-8.13.1-2
squirrelmail: squirrelmail-1.4.3a-6.FC3
SELINUXTYPE=targeted

The problem is the SquirrelCheck in squirrelmail does not work when selinux is enforced (targeted). If I click "Check Spelling" in squirrelmail's Compose windows, it does not do any spell checking and the system log shows:

Feb 16 09:07:25 pippo kernel: audit(1108566445.074:0): avc: denied { search } for pid=7899 exe=/bin/cat name=spool dev=hda3 ino=470497 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir

If selinux is disabled, then it works well. Does anybody run fc3 with selinux enforced and run squirrelmail? If yes, please try "Check Spelling". Does it work in your system? If yes, how did you make it work? Or how to fix this problem? I appreciate all the help!

Hongwei Li

From susan_geller at speakeasy.net Wed Feb 16 19:21:15 2005 From: susan_geller at speakeasy.net (susan_geller at speakeasy.net) Date: Wed, 16 Feb 2005 19:21:15 +0000 Subject: Policies for apache httpd and snmp Message-ID:

Sorry, I was mistaken. I'm still getting the original audit message:

Feb 16 11:06:50 grant kernel: audit(1108580810.311:0): avc: denied { write } for pid=4662 exe=/usr/sbin/httpd name=mibs dev=hda1 ino=833921 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir

I checked selinux-policy-targeted and it seems to be up to date:

[root at grant ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.75
[root at grant ~]# rpm --verify selinux-policy-targeted

Time to learn a little about snmp and selinux, I guess.

Thanks, Susan

From kwade at redhat.com Thu Feb 17 08:24:36 2005 From: kwade at redhat.com (Karsten Wade) Date: Thu, 17 Feb 2005 00:24:36 -0800 Subject: Red Hat SELinux Guide Message-ID: <1108628676.7566.11.camel@erato.phig.org>

Pardon the slightly off-topic intrusion. This might be helpful to some: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/

The policy in rawhide, FC3 updates, and coming in FC4test1 are all later than the policy this guide focuses on.
However, there are extensive sections explaining what SELinux is, how it works, and how to work with it that are relevant. Enjoy. - Karsten -- Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41 IT executives rate Red Hat #1 for value http://www.redhat.com/promo/vendor/ From ghenry at suretecsystems.com Thu Feb 17 08:34:20 2005 From: ghenry at suretecsystems.com (Gavin Henry) Date: Thu, 17 Feb 2005 08:34:20 -0000 (GMT) Subject: Red Hat SELinux Guide In-Reply-To: <1108628676.7566.11.camel@erato.phig.org> References: <1108628676.7566.11.camel@erato.phig.org> Message-ID: <1448.192.168.100.89.1108629260.squirrel@webmail.suretecsystems.com> > Pardon the slightly off-topic intrusion. This might be helpful to some: > > http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ > > The policy in rawhide, FC3 updates, and coming in FC4test1 are all later > than the policy this guide focuses on. However, there are extensive > sections explaining what SELinux is, how it works, and how to work with > it that are relevant. > > Enjoy. Whoa!! You finished it! > > - Karsten > -- > Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/ > gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41 > IT executives rate Red Hat #1 for value > http://www.redhat.com/promo/vendor/ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > From russell at coker.com.au Thu Feb 17 10:01:24 2005 From: russell at coker.com.au (Russell Coker) Date: Thu, 17 Feb 2005 21:01:24 +1100 Subject: Can somebody help me? 
In-Reply-To: <3551.128.252.85.103.1108567266.squirrel@morpheus.wustl.edu> References: <3551.128.252.85.103.1108567266.squirrel@morpheus.wustl.edu> Message-ID: <200502172101.26916.russell@coker.com.au> On Thursday 17 February 2005 02:21, "Hongwei Li" wrote: > The problem is the SquirrelCheck in squirrelmail does not work when > selinux is enforced (targeted). If I click "Check Spelling" in > squirrelmail's Compose windows, it does not do any spell checking and the > system log shows: > > Feb 16 09:07:25 pippo kernel: audit(1108566445.074:0): avc: denied { > search } for pid=7899 exe=/bin/cat name=spool dev=hda3 ino=470497 > scontext=user_u:system_r:httpd_sys_script_t > tcontext=system_u:object_r:var_spool_t tclass=dir Currently we don't have policy for Squirrelmail. One option is to enable httpd_disable_trans, this means that SE Linux does not restrict Apache and child processes but will restrict other daemons. Another option is to grant httpd_sys_script_t the access to do the things it wants, this isn't ideal and isn't what we will do for proper squirrelmail policy, but will solve your problems. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From russell at coker.com.au Thu Feb 17 11:44:08 2005 From: russell at coker.com.au (Russell Coker) Date: Thu, 17 Feb 2005 22:44:08 +1100 Subject: findutils-4.2.15 In-Reply-To: <20050131144804.GN5322@redhat.com> References: <20050131144804.GN5322@redhat.com> Message-ID: <200502172244.11423.russell@coker.com.au> On Tuesday 01 February 2005 01:48, Tim Waugh wrote: > I just updated findutils to 4.2.15 in devel. Please check that I > didn't make any mistakes porting the findutils-selinux.patch. I can't comment on the changes as I never tested the old version. 
Here are some suggestions about the current version:

getfilecon(/proc/2/maps): Operation not supported

Above is part of the output of "find / --context system_u:object_r:bin_t". Perhaps it would make sense that whenever find enters a new file system it checks whether the context is available and skips file systems of types that don't support the XATTR interface to labelling. We could have a config file which lists the supported file systems (ext2, ext3, xfs, devpts, and tmpfs at the moment) so that find knows what to do. Or maybe this is something that should be in the kernel? Another option might be to just have find give up on a tree when a directory gives ENOTSUP.

Searching on context alone seems of little utility to me. I think it's likely that most times when a search is being performed the desired result will either be all files of a particular identity or of a particular type. For example I may want to find files of type bin_t to discover the full list of programs that can_exec(foo_t, bin_t) grants access to. The fact that I created some files under /usr/local/bin by just copying them there as administrator (and giving them the context of root:object_r:bin_t instead of the usual system_u:object_r:bin_t) is not something that concerns me.

Also saving some typing is a benefit too. When running chcon I often use the -t option to save typing as usually I only want to change the type and am not concerned about the identity.

The command `find . -printf "%Z %f\n"` returns the string "pipefs" instead of the final "t" in file contexts.
E.g. here's part of the output of running such a find command from the /var/run directory:

system_u:object_r:xdm_var_run_pipefs gdm.pid

Here's "ls -lZ" output from the same file:

-rw-r--r-- root root system_u:object_r:xdm_var_run_t gdm.pid

Once again, being able to split out identity and type would be handy; the -printf option has a huge number of ways of specifying atime with %A, so maybe having %Zi for identity, %Zt for type, and %z for full context would be a good idea.

-- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page

From jp_espino at hotmail.com Thu Feb 17 18:40:40 2005 From: jp_espino at hotmail.com (Juan Espino) Date: Thu, 17 Feb 2005 18:40:40 +0000 Subject: Bell & Lapadula Model In-Reply-To: Message-ID:

Hello all, SELinux enforces a Mandatory Access Control (MAC) Policy based on the Bell and Lapadula Model. I understand the read control property (no read up) and the write control (no write down), but in this model there is another property called the tranquility property. I don't know very well how SELinux enforces this property; can somebody help me to understand it? Thanks in advance!

_________________________________________________________________ Chat with your friends online using MSN Messenger: http://messenger.latam.msn.com/

-------------- next part -------------- An HTML attachment was scrubbed...
URL: From dwalsh at redhat.com Thu Feb 17 19:00:23 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 17 Feb 2005 14:00:23 -0500 Subject: findutils-4.2.15 In-Reply-To: <200502172244.11423.russell@coker.com.au> References: <20050131144804.GN5322@redhat.com> <200502172244.11423.russell@coker.com.au> Message-ID: <4214E9C7.4090509@redhat.com> Russell Coker wrote: >On Tuesday 01 February 2005 01:48, Tim Waugh wrote: > > >>I just updated findutils to 4.2.15 in devel. Please check that I >>didn't make any mistakes porting the findutils-selinux.patch. >> >> > >I can't comment on the changes as I never tested the old version. Here are >some suggestions about the current version: > >getfilecon(/proc/2/maps): Operation not supported > >Above is part of the output of "find / --context system_u:object_r:bin_t". >Perhaps it would make sense that whenever find enters a new file system it >checks whether the context is available and skips file systems of types that >don't support the XATTR interface to labelling. We could have a config file >which lists the supported file systems (ext2, ext3, xfs, devpts, and tmpfs at >the moment) so that find knows what to do. Or maybe this is something that >should be in the kernel? Another option might be to just have find give up >on a tree when a directory gives ENOTSUP. > >Searching on context alone seems of little utility to me. I think it's likely >that most times when a search is being performed the desired result will >either be all files of a particular identity or of a particular type. For >example I may want to find files of type bin_t to discover the full list of >programs that can_exec(foo_t, bin_t) grants access to. The fact that I >created some files under /usr/local/bin by just copying them there as >administrator (and giving them the context of root:object_r:bin_t instead of >the usual system_u:object_r:bin_t) not something that concerns me. > >Also saving some typing is a benefit too. 
When running chcon I often use the >-t option to save typing as usually I only want to change the type and am not >concerned about the identity. > > Find has glob support to do something similar so you can find / --context *:bin_t to find all bin_t files. >The command `find . -printf "%Z %f\n"` returns the string "pipefs" instead of >the final "t" in file contexts. Eg here's part of the output of running such >a find command from the /var/run directory: >system_u:object_r:xdm_var_run_pipefs gdm.pid > >Here's "ls -lZ" output from the same file: >-rw-r--r-- root root system_u:object_r:xdm_var_run_t gdm.pid > >Once again, being able to split out identity and type would be handy, the >-printf option has a huge number of ways of specifying atime with %A, maybe >having %Zi for identity, %Zt for type, and %z for full context would be a >good idea. > > > From dwalsh at redhat.com Thu Feb 17 19:05:14 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 17 Feb 2005 14:05:14 -0500 Subject: httpd log rotation problem? In-Reply-To: <20050216142425.GA1139@redhat.com> References: <345764DCB65C0C4FACC44529DE273C18F8EA11@eemail1.microlink.lan> <20050216142425.GA1139@redhat.com> Message-ID: <4214EAEA.4030000@redhat.com> Joe Orton wrote: >On Mon, Feb 07, 2005 at 09:54:04AM +0200, Fred New wrote: > > >>I am getting the following message once a week on a standard FC3 system. >>Is this one of those denials that shouldn't be audited?: >> >>Feb 6 04:02:26 nimeta01 kernel: audit(1107655346.258:0): avc: denied >>{ ioctl } for pid=3587 exe=/usr/sbin/httpd >>path=/var/log/httpd/error_log.1 dev=hda3 ino=1174805 >>scontext=user_u:system_r:httpd_t tcontext=root:object_r:httpd_runtime_t >>tclass=file >> >> > >I've also seen this a few times on my FC3 test box too now, it triggers >on logrotate runs when the server is restarted. > >Do you have mod_perl installed? I believe it's Perl which does random >ioctl calls on fd's 0-3, I don't know why, but it should probably marked >as "dontaudit". 
> >joe
> >
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list at redhat.com
> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
>

Added dontaudit for 1.17.30-2.83

From jmorris at redhat.com Thu Feb 17 20:24:27 2005 From: jmorris at redhat.com (James Morris) Date: Thu, 17 Feb 2005 15:24:27 -0500 (EST) Subject: Bell & Lapadula Model In-Reply-To: Message-ID:

On Thu, 17 Feb 2005, Juan Espino wrote:
> Hello all,
>
> SELinux enforces a Mandatory Access Control (MAC) Policy based on Bell and
> Lapadula Model. I understand the read control property (no read up) and the
> write control (no write down), but in this model there are another property
> called tranquility property, I don't know very well how SELinux enforces
> this property,
>

SELinux includes an experimental MLS implementation based on BLP. This feature is not currently enabled in Fedora. Thus, it may be better to discuss the MLS component on the NSA list: http://www.nsa.gov/selinux/info/list.cfm?MenuID=41.1.1.9

- James

-- James Morris

From KokHow.Teh at marconi.com Fri Feb 18 03:08:10 2005 From: KokHow.Teh at marconi.com (KokHow Teh) Date: Fri, 18 Feb 2005 11:08:10 +0800 Subject: Fedora Core 2: initrd failed to mount ext3 root fs. Message-ID:

Hi list; I just installed Fedora Core 2 in the last 2 days. The binaries from the installation CDs work fine; I have no problem installing the full system and booting up the machine (i686 P4). However, when I build the kernel from the source with the default configuration for arch/i386, booting up the machine failed due to initrd failing to mount the ext3 root file system. It failed when linuxrc was trying to mount the root fs with pivot_root(). Any insight is appreciated. Thanks.

Regards, TEH

From selinux at gmail.com Fri Feb 18 14:53:22 2005 From: selinux at gmail.com (Tom London) Date: Fri, 18 Feb 2005 06:53:22 -0800 Subject: file_contexts.homedirs: line 1408 ???? Missing LF?
Message-ID: <4c4ba15305021806533ef48d5b@mail.gmail.com>

Running targeted, latest Rawhide. After installing today's updates, 'restorecon -v -R /etc' produces:

[root at tlondon ~]# restorecon -v -R /etc
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 1408 is too long, would be truncated, skipping

but file_contexts.homedirs has only 22 lines. (file_contexts has 1385 lines; 1385+22=1407...?) Looks like file_contexts.homedirs is missing trailing LF.

tom

-- Tom London

From russell at coker.com.au Sat Feb 19 12:43:57 2005 From: russell at coker.com.au (Russell Coker) Date: Sat, 19 Feb 2005 23:43:57 +1100 Subject: load_policy in chroot question In-Reply-To: References: <1105250107.4246.14.camel@chaucer> <1105330805.4605.41.camel@nexus.verbum.private> Message-ID: <200502192344.00476.russell@coker.com.au>

On Saturday 15 January 2005 09:13, Alexandre Oliva wrote:
> In my case, what I used to do was to maintain two or more installs on
> each box, each of them up-to-date, such that, in case I messed up with
> the daily-use install (say rawhide), I could go back to a known-good
> install (say FC3 or even FC2).

The best thing to do would be to occasionally boot the older system to update it.

> What would be really nice would be if loading a policy into selinux
> affected the behavior within that chroot (or rather within the
> directory tree accessible from the root at the time of policy load),

SE Linux controls all aspects of system security, including global things such as mounting file systems and directly writing to block devices. If the chroot had a local policy as you suggest then which policy would control writing to the device node for the boot device?

Something like Xen is what you need. The below URL about Xen and hypervisor security may interest you.
http://sourceforge.net/mailarchive/forum.php?thread_id=6364737&forum_id=35600

-- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page

From kalium at gmx.de Sat Feb 19 16:32:34 2005 From: kalium at gmx.de (Mark Stier) Date: Sat, 19 Feb 2005 17:32:34 +0100 (MET) Subject: Mozilla/Firefox/Licq policy files? Message-ID: <1370.1108830754@www72.gmx.net>

Are there any?

-- DSL Komplett from GMX +++ Get started cheaply and stress-free! Use the "No setup fee" promotion: http://www.gmx.net/de/go/dsl

From ivg2 at cornell.edu Sat Feb 19 21:45:57 2005 From: ivg2 at cornell.edu (Ivan Gyurdiev) Date: Sat, 19 Feb 2005 16:45:57 -0500 Subject: Mozilla/Firefox/Licq policy files? In-Reply-To: <1370.1108830754@www72.gmx.net> References: <1370.1108830754@www72.gmx.net> Message-ID: <1108849557.1070.5.camel@cobra.ivg2.net>

On Sat, 2005-02-19 at 17:32 +0100, Mark Stier wrote:
>Are there any?
There are in the strict policy (for mozilla/firefox):

However, Java still doesn't transition properly: https://bugzilla.redhat.com/beta/show_bug.cgi?id=147646

Plus, a recent change for mozilla writing to tmp caused a regression that causes a lot of denials: https://bugzilla.redhat.com/beta/show_bug.cgi?id=147645

-- Ivan Gyurdiev Cornell University

From russell at coker.com.au Sat Feb 19 23:58:01 2005 From: russell at coker.com.au (Russell Coker) Date: Sun, 20 Feb 2005 10:58:01 +1100 Subject: New user/role transition error In-Reply-To: <60D45469A1AAD311A04C009027B6BF6804FCF002@server20.inside.oracorp.com> References: <60D45469A1AAD311A04C009027B6BF6804FCF002@server20.inside.oracorp.com> Message-ID: <200502201058.04093.russell@coker.com.au>

On Tuesday 18 January 2005 03:27, Steve Brueckner wrote:
> engineer$ newrole -r developer_r
> engineer:developer_r:user_t is not a valid context
>
> Any ideas what I've neglected in setting this up? Thanks!

Add "developer_r:developer_t" to /etc/selinux/strict/contexts/default_type .

-- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page

From jbbacher at hotmail.com Sun Feb 20 00:00:52 2005 From: jbbacher at hotmail.com (John Ramsbacher) Date: Sat, 19 Feb 2005 18:00:52 -0600 Subject: Changing Permisions Message-ID:

I'm a N00b so be patient. I've installed Fedora Core 3 on a dual boot system with windows 98 (fat 32) and have mounted the windows partition from Fedora but find that I can only write to the windows partition if I'm logged in as root. How do I change the permissions to allow me to write to certain folders on the windows partition without compromising the security built into SELinux. Remember that I'm new to this so try to explain it step by step or point me to a web page that explains it step by step. Much Thanks.
John

From russell at coker.com.au Sun Feb 20 00:16:16 2005
From: russell at coker.com.au (Russell Coker)
Date: Sun, 20 Feb 2005 11:16:16 +1100
Subject: Permissions for new users
In-Reply-To: <420AA72D.2010108@rhjensen.com>
References: <420AA72D.2010108@rhjensen.com>
Message-ID: <200502201116.19226.russell@coker.com.au>

On Thursday 10 February 2005 11:13, Richard Jensen wrote:
> Hi. I'm wondering about the permissions new users get
> when they are created. Before SELinux I had to add users
> to 'wheel' to enable them to su to root.

You can enable that feature by editing /etc/pam.d/su .

> I did an adduser and it seems to be unrestricted:
>
> [testse at lankhmar ~]$ id -Z
> user_u:system_r:unconfined_t

Fedora Core 3 and RHEL4 install the "targeted" policy by default which does not restrict user logins. You have to install the "strict" policy to restrict user logins.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

From russell at coker.com.au Sun Feb 20 12:09:47 2005
From: russell at coker.com.au (Russell Coker)
Date: Sun, 20 Feb 2005 23:09:47 +1100
Subject: Changing Permisions
In-Reply-To:
References:
Message-ID: <200502202309.49266.russell@coker.com.au>

On Sunday 20 February 2005 11:00, "John Ramsbacher" wrote:
> I've installed Fedora Core 3 on a dual boot system with windows 98 (fat 32)
> and have mounted the windows partition from Fedora but find that I can only
> write to the windows partition if I'm logged in as root. How do I change
> the permissions to allow me to write to certain folders on the windows
> partition without compromising the security built into SELinux. Remember
> that I'm new to this so try to explain it step by step or point me to a web
> page that explains it step by step. Much Thanks.
> John

Isn't this a case of having the files mode 0755 and owned by root? I don't think that SE Linux is stopping you from doing what you want to do, I think it's something that you would have if SE Linux was not active.

Someone here may be able to help you solve this, but I don't think it's a SE Linux problem. Maybe setting the uid= or gid= mount options for the Windows partition will help.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

From ivg2 at cornell.edu Mon Feb 21 05:11:33 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Mon, 21 Feb 2005 00:11:33 -0500
Subject: Mozilla/Firefox/Licq policy files?
In-Reply-To: <1108849557.1070.5.camel@cobra.ivg2.net>
References: <1370.1108830754@www72.gmx.net> <1108849557.1070.5.camel@cobra.ivg2.net>
Message-ID: <1108962693.20922.2.camel@cobra.ivg2.net>

On Sat, 2005-02-19 at 16:45 -0500, Ivan Gyurdiev wrote:
>On Sat, 2005-02-19 at 17:32 +0100, Mark Stier wrote:
>>Are there any?
>
>There are in the strict policy (for mozilla/firefox):
>
>However, Java still doesn't transition properly:
>https://bugzilla.redhat.com/beta/show_bug.cgi?id=147646
>
>Plus, a recent change for mozilla writing to tmp caused
>a regression that causes a lot of denials:
>https://bugzilla.redhat.com/beta/show_bug.cgi?id=147645

Strike the first one as incorrect (closed).
Second one I asked about on the NSA list, since it is pretty annoying.
--
Ivan Gyurdiev
Cornell University

From aoliva at redhat.com Mon Feb 21 13:54:31 2005
From: aoliva at redhat.com (Alexandre Oliva)
Date: 21 Feb 2005 10:54:31 -0300
Subject: load_policy in chroot question
In-Reply-To: <200502192344.00476.russell@coker.com.au>
References: <1105250107.4246.14.camel@chaucer> <1105330805.4605.41.camel@nexus.verbum.private> <200502192344.00476.russell@coker.com.au>
Message-ID:

On Feb 19, 2005, Russell Coker wrote:
> SE Linux controls all aspects of system security, including global
> things such as mounting file systems and directly writing to block
> devices. If the chroot had a local policy as you suggest then which
> policy would control writing to the device node for the boot device?

Err... No differently from the way the Xen solution you recommended would? Except, perhaps, for...

> http://sourceforge.net/mailarchive/forum.php?thread_id=6364737&forum_id=35600

which would require presumably yet another layer of MAC configuration files. Which means yet another level of setting up and overlapping settings, not really different from one possible implementation for chroot policies.

--
Alexandre Oliva http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist oliva@{lsd.ic.unicamp.br, gnu.org}

From russell at coker.com.au Mon Feb 21 14:33:10 2005
From: russell at coker.com.au (Russell Coker)
Date: Tue, 22 Feb 2005 01:33:10 +1100
Subject: load_policy in chroot question
In-Reply-To:
References: <1105250107.4246.14.camel@chaucer> <200502192344.00476.russell@coker.com.au>
Message-ID: <200502220133.13212.russell@coker.com.au>

On Tuesday 22 February 2005 00:54, Alexandre Oliva wrote:
> On Feb 19, 2005, Russell Coker wrote:
> > SE Linux controls all aspects of system security, including global
> > things such as mounting file systems and directly writing to block
> > devices.
> > If the chroot had a local policy as you suggest then which
> > policy would control writing to the device node for the boot device?
>
> Err... No differently from the way the Xen solution you recommended
> would? Except, perhaps, for...

Xen is totally different to a chroot. Xen has a virtual environment which has its own access controls. The URL below concerns methods of limiting interaction between Xen sessions (I don't know enough about Xen to comment on it).

With a chroot you might have /dev/hda1 mounted as the root file system, but inside the chroot the /dev/hda1 device node will still exist and grant access to the file system that's outside the chroot. I believe that Xen solves this problem but don't know the details.

> > http://sourceforge.net/mailarchive/forum.php?thread_id=6364737&forum_id=35600
>
> which would require presumably yet another layer of MAC configuration
> files. Which means yet another level of setting up and overlapping
> settings, not really different from one possible implementation for
> chroot policies.

True, it could be considered to be slightly similar in concept to a well implemented chroot setup. But note that a Xen guest can't change the resources managed by the Xen host, and a similar level of isolation is required for a secure chroot.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

From elkingto at lasp.colorado.edu Mon Feb 21 17:37:21 2005
From: elkingto at lasp.colorado.edu (Scot Elkington)
Date: Mon, 21 Feb 2005 10:37:21 -0700 (MST)
Subject: Changing Permisions
In-Reply-To: <20050220170010.35148736F5@hormel.redhat.com>
References: <20050220170010.35148736F5@hormel.redhat.com>
Message-ID:

Hi John--

this isn't really an SELinux issue, so I'm replying off-line.
If it helps, here's what I did for a similar setup in a fashion that makes some use of the standard unix/linux DAC-based security system.

Your fat32 partition is being mounted by default with owner/group of root. A solution for me was to change the group assigned to that partition, then associate those users I wanted to allow access to the fat32 partition with that group. By giving read/write/execute permissions to that group, non-root users can access the partition.

So create a group for the people you wish to allow access to your windows partition. For example, from the command line in fedora, type system-config-users, or otherwise select 'Users and Groups' from the 'System Settings' menu. In the resulting window, click the 'Add Group' button and create a name for your windows-users group (I named my group "dos"). Now click the 'groups' tab and you should see your newly-created group, along with the Group ID number of your group, a three-digit number like '502'. Make a note of your new group ID number. (You can also find the group id by examining the file /etc/group.)

Now double-click your new group, and click on the 'Group Users' tab in the new window. There will be a whole slew of system-specific users there; find among them the usernames of those users you wish to allow access to your windows partition and add them to the group by checking them off. You can do the same thing by instead clicking the 'Users' tab in the main window of the users/groups gui, double-clicking each user you wish to add, and checking off the "DOS" group (or equivalent) in the 'Groups' tab of the new window.

Now we need to make sure the partition gets mounted under the DOS group each time at boot. As root, open the file /etc/fstab ('file system table') for editing. You should see a list of 6 or so space-delimited fields describing each partition you mount in your installation.
Identify your windows partition, which you can probably find from the mount point in the second column or the filesystem type in the third column ('vfat'). In the fourth column, make sure it reads "defaults,gid=YOURGROUPID,umask=007", where YOURGROUPID is the group ID number of the new group noted above. On my system, for example, the appropriate line in /etc/fstab now looks like

/dev/hda1 /win98 vfat defaults,gid=502,umask=007 0 0

This tells the system to mount the windows partition at /dev/hda1 under the root directory /win98, assign it to the group 502 (my 'dos' group), and set default permissions to 770: root gets read/write/execute permissions, anyone in group DOS gets read/write/execute, and anyone not explicitly in group DOS can neither see nor write to the windows partition.

Now reboot. When linux comes back up, type 'ls -l /' at the command line and you should see the directory your windows partition is mounted under listed something as follows:

drwxrwx--- 9 root dos 4096 Apr 1 13:21 win98

Hope those suggestions help. Let me know if you have any questions.....

--scot

__________
Scot R. Elkington                 Voice: 303-735-0810
LASP, University of Colorado      Fax: 303-492-6444
1234 Innovation Drive             scot.elkington at lasp.colorado.edu
Boulder, CO 80303                 http://lasp.colorado.edu/~elkingto

> Date: Sat, 19 Feb 2005 18:00:52 -0600
> From: "John Ramsbacher"
> Subject: Changing Permisions
> To: fedora-selinux-list at redhat.com
>
> I'm a N00b so be patient.
>
> I've installed Fedora Core 3 on a dual boot system with windows 98 (fat 32)
> and have mounted the windows partition from Fedora but find that I can only
> write to the windows partition if I'm logged in as root. How do I change
> the permissions to allow me to write to certain folders on the windows
> partition without compromising the security built into SELinux. Remember
> that I'm new to this so try to explain it step by step or point me to a web
> page that explains it step by step. Much Thanks.
> John
>
>

From r.godzilla at comcast.net Tue Feb 22 00:05:39 2005
From: r.godzilla at comcast.net (Richard E Miles)
Date: Mon, 21 Feb 2005 16:05:39 -0800
Subject: Experiences with selinux enabled targetted on Fedora Core 3
Message-ID: <20050221160539.6aba22bd.r.godzilla@comcast.net>

In order to become more familiar with the selinux capabilities I did the following: Started selinux in permissive mode for targeted. I received warnings for the following services: portmap, ntpd, and ntpdate. I then ran fixfiles check. After it ran for quite some time, it did not report any problems. So I enabled targeted and rebooted. I then received error warnings for the same services. The following relevant messages from dmesg follow:

EXT3-fs: mounted filesystem with ordered data mode.
security: 3 users, 4 roles, 319 types, 20 bools
security: 53 classes, 10805 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (2047 buckets, 16376 max) - 360 bytes per conntrack
eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
IPv6 over IPv4 tunneling driver
divert: not allocating divert_blk for non-ethernet device sit0
audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.763:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir

Obviously something is amiss. I do not know how to correct these messages for the services. Does anyone know how to fix this dilemma? If not should I bugzilla it?

--
Richard E Miles
Federal Way WA. USA
registered linux user 46097

From walters at redhat.com Tue Feb 22 00:09:29 2005
From: walters at redhat.com (Colin Walters)
Date: Mon, 21 Feb 2005 19:09:29 -0500
Subject: Experiences with selinux enabled targetted on Fedora Core 3
In-Reply-To: <20050221160539.6aba22bd.r.godzilla@comcast.net>
References: <20050221160539.6aba22bd.r.godzilla@comcast.net>
Message-ID: <1109030970.3803.11.camel@nexus.verbum.private>

On Mon, 2005-02-21 at 16:05 -0800, Richard E Miles wrote:
>audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir

Is your root filesystem labeled?
>audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t 
tclass=dir >audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir >SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts > >IPv6 over IPv4 tunneling driver >divert: not allocating divert_blk for non-ethernet device sit0 >audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir >audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t 
tclass=dir
>audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.763:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
>
>Obviously something is amiss. I do not know how to correct these messages for
>the services. Does anyone know how to fix this dilemma?
>If not should I
>bugzilla it?
>
>--
>Richard E Miles
>Federal Way WA. USA
>registered linux user 46097
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From r.godzilla at comcast.net Tue Feb 22 00:23:51 2005
From: r.godzilla at comcast.net (Richard E Miles)
Date: Mon, 21 Feb 2005 16:23:51 -0800
Subject: Experiences with selinux enabled targetted on Fedora Core 3
In-Reply-To: <1109030970.3803.11.camel@nexus.verbum.private>
References: <20050221160539.6aba22bd.r.godzilla@comcast.net> <1109030970.3803.11.camel@nexus.verbum.private>
Message-ID: <20050221162351.632c98cc.r.godzilla@comcast.net>

On Mon, 21 Feb 2005 19:09:29 -0500
Colin Walters wrote:

> On Mon, 2005-02-21 at 16:05 -0800, Richard E Miles wrote:
>
> >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
>
> Is your root filesystem labeled?

Probably not. The best way to do this is to touch /.autorelable right?

> >audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
> >[...]
> >audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
> >
> >Obviously something is amiss. I do not know how to correct these messages for
> >the services. Does anyone know how to fix this dilemma? If not should I
> >bugzilla it?

--
Richard E Miles
Federal Way WA. USA
registered linux user 46097

From dwalsh at redhat.com Tue Feb 22 00:33:18 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 21 Feb 2005 19:33:18 -0500
Subject: Experiences with selinux enabled targetted on Fedora Core 3
In-Reply-To: <20050221162351.632c98cc.r.godzilla@comcast.net>
References: <20050221160539.6aba22bd.r.godzilla@comcast.net> <1109030970.3803.11.camel@nexus.verbum.private> <20050221162351.632c98cc.r.godzilla@comcast.net>
Message-ID: <421A7DCE.9050506@redhat.com>

Richard E Miles wrote:

>On Mon, 21 Feb 2005 19:09:29 -0500
>Colin Walters wrote:
>
>>On Mon, 2005-02-21 at 16:05 -0800, Richard E Miles wrote:
>>
>>>audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
>>>
>>Is your root filesystem labeled?
>>
>
>Probably not. The best way to do this is to touch /.autorelable right?
>
>
/.autorelabel
>
>
>>>audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
>>>[...]
>>>audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t
tclass=dir
>>>
>>>Obviously something is amiss. I do not know how to correct these messages for
>>>the services. Does anyone know how to fix this dilemma? If not should I
>>>bugzilla it?

From Valdis.Kletnieks at vt.edu Tue Feb 22 01:15:48 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 21 Feb 2005 20:15:48 -0500
Subject: Experiences with selinux enabled targetted on Fedora Core 3
In-Reply-To: Your message of "Mon, 21 Feb 2005 16:05:39 PST." <20050221160539.6aba22bd.r.godzilla@comcast.net>
References: <20050221160539.6aba22bd.r.godzilla@comcast.net>
Message-ID: <200502220115.j1M1Fn7i013604@turing-police.cc.vt.edu>

On Mon, 21 Feb 2005 16:05:39 PST, Richard E Miles said:

> audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir

At least at one point in time, I was seeing random avc errors on mount points
that made absolutely no sense - I'd do an 'ls -Z' and it would look OK.
Finally twigged in that I needed to unmount the file system, relabel the
*directory*, and then remount. Seem to remember /usr/share and /usr/local
biting me that way (/, /usr, /usr/local, and /usr/share are 4 different file
systems on my box).
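Every denial in this thread has the same shape: a daemon domain is refused "search" on "/" and the target type is file_t, the type a filesystem carries when it has never been labeled. That is the signature to look for before writing any policy, because an allow rule against file_t would paper over a missing relabel. The script below is an added example, not code posted by anyone on the list: it groups AVC lines from a log, prints the allow rule each unique denial would need (the same shape audit2allow produces), and flags targets of type file_t or unlabeled_t as "relabel, do not allow". The sample input is constructed from three lines of Richard's log above plus the aspell denial from the Horde thread further down this page; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the list thread): triage SELinux AVC denials
# from a log. It groups identical denials, prints the audit2allow-style
# rule each unique denial would need, and flags denials whose target type
# is file_t or unlabeled_t, i.e. an unlabeled filesystem, where the fix is
# a relabel (touch /.autorelabel; reboot), not an allow rule.

# Constructed sample: three lines copied from Richard's log above and the
# aspell denial from the Horde thread further down this page.
SAMPLE_AVC='audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
avc: denied { getattr } for pid=32122 exe=/usr/bin/aspell path=/tmp/spellkQimNQ dev=hda2 ino=326408 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=file'

# avc_triage: read AVC lines on stdin; print one line per unique
# (source type, target type, class, permissions) tuple, sorted:
#   <count> allow <stype> <ttype>:<class> { <perms> };[  # flag]
avc_triage() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)      # keep only what follows "{ "
        sub(/ *[}].*/, "", perms)               # and drop " }" and the rest
        match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sa, ":"); split(t, ta, ":")   # user:role:type[:level]
        key = sa[3] SUBSEP ta[3] SUBSEP c SUBSEP perms
        count[key]++
    }
    END {
        for (k in count) {
            split(k, f, SUBSEP)
            rule = sprintf("allow %s %s:%s { %s };", f[1], f[2], f[3], f[4])
            flag = ""
            if (f[2] == "file_t" || f[2] == "unlabeled_t")
                flag = "  # target is unlabeled: relabel the filesystem, do not add this rule"
            printf "%d %s%s\n", count[k], rule, flag
        }
    }' | sort
}

# Wrappers over the constructed sample so results can be checked directly.
triage_sample()   { printf '%s\n' "$SAMPLE_AVC" | avc_triage; }
unlabeled_count() { triage_sample | grep -c 'unlabeled:'; }

triage_sample
```

On a real box the input would be `grep avc: /var/log/messages | avc_triage` (or `dmesg | avc_triage`); the matching is unanchored, so "kernel:" prefixes and quote markers in front of the lines do not matter. The two file_t denials come out flagged, while the aspell denial comes out as a plain rule, which is exactly the distinction the thread turns on: the first two are fixed by /.autorelabel, the third by a policy decision.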
From r.godzilla at comcast.net Tue Feb 22 01:50:36 2005
From: r.godzilla at comcast.net (Richard E Miles)
Date: Mon, 21 Feb 2005 17:50:36 -0800
Subject: Experiences with selinux enabled targetted on Fedora Core 3
In-Reply-To: <200502220115.j1M1Fn7i013604@turing-police.cc.vt.edu>
References: <20050221160539.6aba22bd.r.godzilla@comcast.net> <200502220115.j1M1Fn7i013604@turing-police.cc.vt.edu>
Message-ID: <20050221175036.46879496.r.godzilla@comcast.net>

On Mon, 21 Feb 2005 20:15:48 -0500
Valdis.Kletnieks at vt.edu wrote:

> On Mon, 21 Feb 2005 16:05:39 PST, Richard E Miles said:
>
> > audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
>
> At least at one point in time, I was seeing random avc errors on mount points
> that made absolutely no sense - I'd do an 'ls -Z' and it would look OK.
> Finally twigged in that I needed to unmount the file system, relabel the
> *directory*, and then remount. Seem to remember /usr/share and /usr/local
> biting me that way (/, /usr, /usr/local, and /usr/share are 4 different file
> systems on my box).
>

I put /.autorelabel file and rebooted. Seems to have fixed the problem.

--
Richard E Miles
Federal Way WA. USA
registered linux user 46097

From carifio at usys.com Tue Feb 22 01:59:27 2005
From: carifio at usys.com (Mike Carifio)
Date: Mon, 21 Feb 2005 20:59:27 -0500
Subject: FC3 dump/restore
Message-ID: <421A91FF.6020806@usys.com>

If I dump an ext3 file system for backup, will the file security
attributes get saved?
Will they be restored by restore? Please advise. Thanks.

From cra at WPI.EDU Tue Feb 22 02:25:26 2005
From: cra at WPI.EDU (Chuck R. Anderson)
Date: Mon, 21 Feb 2005 21:25:26 -0500
Subject: FC3 dump/restore
In-Reply-To: <421A91FF.6020806@usys.com>
References: <421A91FF.6020806@usys.com>
Message-ID: <20050222022526.GC19098@angus.ind.WPI.EDU>

On Mon, Feb 21, 2005 at 08:59:27PM -0500, Mike Carifio wrote:
> If I dump an ext3 file system for backup, will the file security
> attributes get saved?
> Will they be restored by restore? Please advise. Thanks.

SELinux attributes are stored as Extended Attributes (EA). It appears
that an FC3 update to dump added support for these:

* Mon Jan 31 2005 Jindrich Novy 0.4b39-1.FC3

- Updated to dump-0.4b39.
- Add patch for EA/ACL support.

From Valdis.Kletnieks at vt.edu Tue Feb 22 03:51:08 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 21 Feb 2005 22:51:08 -0500
Subject: FC3 dump/restore
In-Reply-To: Your message of "Mon, 21 Feb 2005 21:25:26 EST." <20050222022526.GC19098@angus.ind.WPI.EDU>
References: <421A91FF.6020806@usys.com> <20050222022526.GC19098@angus.ind.WPI.EDU>
Message-ID: <200502220351.j1M3p9Sq008746@turing-police.cc.vt.edu>

On Mon, 21 Feb 2005 21:25:26 EST, "Chuck R. Anderson" said:
> On Mon, Feb 21, 2005 at 08:59:27PM -0500, Mike Carifio wrote:
> > If I dump an ext3 file system for backup, will the file security
> > attributes get saved?
> > Will they be restored by restore? Please advise. Thanks.
>
> SELinux attributes are stored as Extended Attributes (EA). It appears
> that an FC3 update to dump added support for these:
>
> * Mon Jan 31 2005 Jindrich Novy 0.4b39-1.FC3
>
> - Updated to dump-0.4b39.
> - Add patch for EA/ACL support.

Might be a bit half-baked still - just a few minutes before seeing this, I
opened a bugzilla:

https://bugzilla.redhat.com/beta/show_bug.cgi?id=149299

(Note - this is dump-0.4b39-1 in the Fedora -devel tree, and the changelog
differs from your -1.FC3)
From netdxr at gmail.com Tue Feb 22 21:14:44 2005
From: netdxr at gmail.com (Tom Lisjac)
Date: Tue, 22 Feb 2005 14:14:44 -0700
Subject: Horde Application Suite and SELinux...
Message-ID: <863ff45205022213147bf61e56@mail.gmail.com>

Hi folks!

I've just installed the php based Horde Application Suite
(http://horde.org) on a Fedora Core 3. Everything is working great
with the targeted policy and SELinux enabled except for a small
problem with spell checking in the Imp webmail app.

The spell checker passes the text to aspell using a temporary file in
/tmp. The targeted policy prohibits "http scripts" from using the /tmp
directory... so aspell runs but doesn't return any results. If I
disable SELinux, it works fine... but since this server will be
running in a hostile environment, I'd rather not. I could also add:

allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

... to the targeted policy, but I'd prefer not to modify it or open this
directory up to other less trustworthy scripts that may eventually run
on the system.

I've thought about creating a separate directory and rule for this app
and operation... but I can't help but wonder if there's a better approach
for resolving this problem?

Any suggestions would be greatly appreciated!

Thanks,

-Tom

From walters at redhat.com Tue Feb 22 22:12:20 2005
From: walters at redhat.com (Colin Walters)
Date: Tue, 22 Feb 2005 17:12:20 -0500
Subject: Horde Application Suite and SELinux...
In-Reply-To: <863ff45205022213147bf61e56@mail.gmail.com>
References: <863ff45205022213147bf61e56@mail.gmail.com>
Message-ID: <1109110340.3858.32.camel@nexus.verbum.private>

On Tue, 2005-02-22 at 14:14 -0700, Tom Lisjac wrote:
>Hi folks!
>
>I've just installed the php based Horde Application Suite
>(http://horde.org) on a Fedora Core 3. Everything is working great
>with the targeted policy and SELinux enabled except for a small
>problem with spell checking in the Imp webmail app.
>
>The spell checker passes the text to aspell using a temporary file in
>/tmp. The targeted policy prohibits "http scripts" from using the /tmp
>directory...

CGI scripts (running as httpd_sys_script_t) shouldn't be prevented from
using /tmp; this macro in macros/apache_macros.te allows it:

file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)

>so aspell runs but doesn't return any results. If I
>disable SELinux, it works fine... but since this server will be
>running in a hostile environment, I'd rather not. I could also add:
>
>allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

Hmmm. httpd_tmp_t is the type of temporary files generated by the main
webserver, not by CGI scripts. Perhaps what's happening is you have
some PHP code which is using aspell and creating a temporary file in the
main httpd process, and then a CGI script wants to read that later?
Hard to say without knowing more details about how aspell works.

From netdxr at gmail.com Tue Feb 22 23:44:13 2005
From: netdxr at gmail.com (Tom Lisjac)
Date: Tue, 22 Feb 2005 16:44:13 -0700
Subject: Horde Application Suite and SELinux...
In-Reply-To: <1109110340.3858.32.camel@nexus.verbum.private>
References: <863ff45205022213147bf61e56@mail.gmail.com> <1109110340.3858.32.camel@nexus.verbum.private>
Message-ID: <863ff45205022215441de906ea@mail.gmail.com>

On Tue, 22 Feb 2005 17:12:20 -0500, Colin Walters wrote:
> On Tue, 2005-02-22 at 14:14 -0700, Tom Lisjac wrote:

Thanks for the reply.

> >...so aspell runs but doesn't return any results. If I
> >disable SELinux, it works fine... but since this server will be
> >running in a hostile environment, I'd rather not. I could also add:
> >
> >allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
>
> Hmmm.
httpd_tmp_t is the type of temporary files generated by the main > webserver, not by CGI scripts. Perhaps what's happening is you have > some PHP code which is using aspell and creating a temporary file in the > main httpd process, and then a CGI script wants to read that later? I was under the impression that mod_php and the webserver ran in the same context... so I'm not sure I understand the distinction SELinux would make between the server and the script. Here's the avc that is generated. Apparently the write did occur and this was an attempt by the script to read the spellchecked file back. avc: denied { getattr } for pid=32122 exe=/usr/bin/aspell path=/tmp/spellkQimNQ dev=hda2 ino=326408 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=file I'm curious why the targeted policy allows the write but blocks reads from /tmp? In any case, it appears that I should make the exception and allow the read. I made a huge mess when I started hacking the policy sources in FC2... is there a document or howto somewhere that describes the correct way to add a exception that will survive an rpm policy update? Thanks, -Tom From kwade at redhat.com Tue Feb 22 23:54:51 2005 From: kwade at redhat.com (Karsten Wade) Date: Tue, 22 Feb 2005 15:54:51 -0800 Subject: Horde Application Suite and SELinux... In-Reply-To: <863ff45205022215441de906ea@mail.gmail.com> References: <863ff45205022213147bf61e56@mail.gmail.com> <1109110340.3858.32.camel@nexus.verbum.private> <863ff45205022215441de906ea@mail.gmail.com> Message-ID: <1109116492.3097.142.camel@erato.phig.org> On Tue, 2005-02-22 at 16:44 -0700, Tom Lisjac wrote: > In any case, it appears that I should make the exception and allow the > read. I made a huge mess when I started hacking the policy sources in > FC2... is there a document or howto somewhere that describes the > correct way to add a exception that will survive an rpm policy update? 
Short answer - /etc/selinux/targeted/src/policy/domains/misc/local.te. Long answer - I tried to compile all the best recommendations here: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-section-0120.html File a bug if you hear about one I'm missing. :) - Karsten -- Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41 IT executives rate Red Hat #1 for value http://www.redhat.com/promo/vendor/ From ram25gwu at gmail.com Wed Feb 23 04:26:07 2005 From: ram25gwu at gmail.com (Kodungallur Varma) Date: Tue, 22 Feb 2005 23:26:07 -0500 Subject: Horde Application Suite and SELinux... In-Reply-To: <1109110340.3858.32.camel@nexus.verbum.private> References: <863ff45205022213147bf61e56@mail.gmail.com> <1109110340.3858.32.camel@nexus.verbum.private> Message-ID: Hi all, I have my fedora core 3 selinux machine setup. I wrote a policy to run the following process - spread daemon (Spread tool kit - www.spread.org). its running great with the policy. what I want now is some API's/ system calls that I can use to change the security context of spread dynamically. in case I am not clear, I am trying to modify the spread source code so that spread while running, can change its security contexts dynamically. I downloaded libselinux.XXX rpm, but I could not get any functions that I can use to access the functionality. any help in this regard is greatly appreciated. thanx in advance.. Ram From walters at redhat.com Wed Feb 23 13:40:32 2005 From: walters at redhat.com (Colin Walters) Date: Wed, 23 Feb 2005 08:40:32 -0500 Subject: Horde Application Suite and SELinux... In-Reply-To: References: <863ff45205022213147bf61e56@mail.gmail.com> <1109110340.3858.32.camel@nexus.verbum.private> Message-ID: <1109166032.3928.9.camel@nexus.verbum.private> On Tue, 2005-02-22 at 23:26 -0500, Kodungallur Varma wrote: >Hi all, > > I have my fedora core 3 selinux machine setup. 
> I wrote a policy
> to run the following process - spread daemon (Spread tool kit -
> www.spread.org). its running great with the policy. what I want now
> is some API's/ system calls that I can use to change the security
> context of spread dynamically. in case I am not clear, I am trying to
> modify the spread source code so that spread while running, can change
> its security contexts dynamically.

In order to do privilege bracketing? There is work upstream on "dynamic transitions" (see the mailing list archives) which can occur outside of an exec, and it looks to me like the necessary code is in Fedora rawhide. However, it is not in FC3.

From jayendren at hivsa.com Wed Feb 23 07:37:40 2005
From: jayendren at hivsa.com (Jayendren Anand Maduray)
Date: Wed, 23 Feb 2005 09:37:40 +0200
Subject: fc3 - password change problem - syslog and portmapper
Message-ID: <200502230937.40550.jayendren@hivsa.com>

Hi!

Having problems with selinux for syslog and portmapper. Also cannot change password with selinux enabled. It is running in targeted mode. I have been checking with the nsa-selinux forum, and some of the people recommend that I ask this forum.

From nsa-linux:

On Tue, 2005-02-22 at 08:09 +0200, Jayendren Anand Maduray wrote:
> Got FC3 running SELINUX in enforcing mode.
>
> 1. however when I try to change my password, I get the following error:
> SystemError: couldn't get security context of `/etc/passwd': No data available
>
> 2. also, when I boot up, syslogd, and portmap cannot start, so I disabled it
> in SELinux. I would like to get this to work, though.
>
> I am running kernel Linux shiva 2.6.10-1.741_FC3smp

The most likely scenario is that you never labeled your filesystems, or that you ran with SELinux disabled for some period of time and thus ended up with some files without security labels. Touch /.autorelabel and reboot, or run /sbin/fixfiles relabel and reboot. BTW, this kind of question belongs on fedora-selinux-list, not here, IMHO.

-- 
Stephen Smalley
National Security Agency

Hi!

Tried restorecon, here is the output:

[root at shiva jay]# restorecon /etc/passwd
[root at shiva jay]# passwd
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: Authentication failure
[root at shiva jay]#

Here is dmesg:

SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda5, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts

For syslogd:

syslogd: error while loading shared libraries: /lib/ld-linux.so.2: cannot apply additional memory protection after relocation

For portmap:

error while loading shared libraries: libnsl.so.1: cannot open shared object file: No such file or directory.

On Tuesday 22 February 2005 14:46, Russell Coker wrote:
> restorecon /etc/passwd

-- 
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94

From walters at redhat.com Wed Feb 23 14:49:06 2005
From: walters at redhat.com (Colin Walters)
Date: Wed, 23 Feb 2005 09:49:06 -0500
Subject: Horde Application Suite and SELinux...
In-Reply-To: <863ff45205022215441de906ea@mail.gmail.com>
References: <863ff45205022213147bf61e56@mail.gmail.com> <1109110340.3858.32.camel@nexus.verbum.private> <863ff45205022215441de906ea@mail.gmail.com>
Message-ID: <1109170147.3928.20.camel@nexus.verbum.private>

On Tue, 2005-02-22 at 16:44 -0700, Tom Lisjac wrote:
> I was under the impression that mod_php and the webserver ran in the
> same context... so I'm not sure I understand the distinction SELinux
> would make between the server and the script.

You are correct; mod_php code does run in the same context as Apache (i.e. httpd_t), because it runs in-process.

> Here's the avc that is generated. Apparently the write did occur and
> this was an attempt by the script to read the spellchecked file back.
>
> avc: denied { getattr } for pid=32122 exe=/usr/bin/aspell
> path=/tmp/spellkQimNQ dev=hda2 ino=326408
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:object_r:httpd_tmp_t tclass=file

Note however here that the source context is httpd_sys_script_t (not httpd_t), which means it's a CGI script. CGI scripts by default run in a separate context.

Are you really sure that you don't have an external CGI script being run?

Perhaps what is happening here is that for some reason, when httpd_t execs /usr/bin/aspell, a transition is happening to httpd_sys_script_t. But from looking at the policy, I don't see any transition rules for bin_t.

> I'm curious why the targeted policy allows the write but blocks reads from /tmp?

Because as best I can tell, the write was done by the main webserver process, and the read is being attempted by a CGI script.

Consider the case where Apache keeps temporary data files containing private information in /tmp; in general you don't want CGI scripts to be able to read that.

> In any case, it appears that I should make the exception and allow the
> read. I made a huge mess when I started hacking the policy sources in
> FC2... is there a document or howto somewhere that describes the
> correct way to add an exception that will survive an rpm policy update?

You should probably upgrade to FC3; a huge amount of work has gone into the policy (but we still have a lot more to do...).

From walters at redhat.com Wed Feb 23 15:33:25 2005
From: walters at redhat.com (Colin Walters)
Date: Wed, 23 Feb 2005 10:33:25 -0500
Subject: Horde Application Suite and SELinux...
In-Reply-To: <1109170147.3928.20.camel@nexus.verbum.private>
References: <863ff45205022213147bf61e56@mail.gmail.com> <1109110340.3858.32.camel@nexus.verbum.private> <863ff45205022215441de906ea@mail.gmail.com> <1109170147.3928.20.camel@nexus.verbum.private>
Message-ID: <1109172805.3820.2.camel@nexus.verbum.private>

On Wed, 2005-02-23 at 09:49 -0500, Colin Walters wrote:
> > In any case, it appears that I should make the exception and allow the
> > read. I made a huge mess when I started hacking the policy sources in
> > FC2... is there a document or howto somewhere that describes the
> > correct way to add an exception that will survive an rpm policy update?

One other note - all my comments were relative to the rawhide targeted policy (which in the case of httpd AFAIK isn't very divergent from FC3). However I know the delta between FC2 and FC3 is larger, particularly due to the strict->targeted transition, and it's quite possible there are bugs there (such as the one you are encountering) which are fixed in FC3.
Upgrading very strongly recommended :)

From dwalsh at redhat.com Wed Feb 23 17:08:49 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 23 Feb 2005 12:08:49 -0500
Subject: fc3 - password change problem - syslog and portmapper
In-Reply-To: <200502230937.40550.jayendren@hivsa.com>
References: <200502230937.40550.jayendren@hivsa.com>
Message-ID: <421CB8A1.5090503@redhat.com>

Jayendren Anand Maduray wrote:
> Hi!
>
> having problems with selinux for syslog and portmapper. Also cannot change
> password with selinux enabled.
> it is running in targeted mode.
> I have been checking with the nsa-selinux forum, and some of the people recommend
> that I ask this forum.
>

You need to relabel your file system. I would update to the latest policy and relabel your file system:

yum upgrade selinux-policy-targeted
touch /.autorelabel
reboot

> from nsa-linux:
> On Tue, 2005-02-22 at 08:09 +0200, Jayendren Anand Maduray wrote:
> > Got FC3 running SELINUX in enforcing mode.
> >
> > 1. however when I try to change my password, I get the following error:
> > SystemError: couldn't get security context of `/etc/passwd': No data available
> >
> > 2. also, when I boot up, syslogd, and portmap cannot start, so I disabled it
> > in SELinux. I would like to get this to work, though.
> >
> > I am running kernel Linux shiva 2.6.10-1.741_FC3smp
>
> The most likely scenario is that you never labeled your filesystems, or
> that you ran with SELinux disabled for some period of time and thus
> ended up with some files without security labels. Touch /.autorelabel
> and reboot, or run /sbin/fixfiles relabel and reboot. BTW, this kind of
> question belongs on fedora-selinux-list, not here, IMHO.

From sds at tycho.nsa.gov Wed Feb 23 13:15:32 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 23 Feb 2005 08:15:32 -0500
Subject: Horde Application Suite and SELinux...
In-Reply-To:
References: <863ff45205022213147bf61e56@mail.gmail.com> <1109110340.3858.32.camel@nexus.verbum.private>
Message-ID: <1109164532.17298.24.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-02-22 at 23:26 -0500, Kodungallur Varma wrote:
> I have my fedora core 3 selinux machine setup. I wrote a policy
> to run the following process - spread daemon (Spread tool kit -
> www.spread.org). its running great with the policy. what I want now
> is some API's/ system calls that I can use to change the security
> context of spread dynamically. in case I am not clear, I am trying to
> modify the spread source code so that spread while running, can change
> its security contexts dynamically. I downloaded libselinux.XXX rpm,
> but I could not get any functions that I can use to access the
> functionality. any help in this regard is greatly appreciated. thanx
> in advance..

Historically, SELinux has only supported security context transitions via execve; the application can explicitly request such a transition by calling setexeccon(3) and then calling execve(), or the policy can specify an automatic transition using the domain_auto_trans() macro based on the calling domain and the type assigned to the program executable. Exec-based transitions are preferable because one can control the inheritance of state and the initialization of the process in the new security context, providing real isolation and protection between the two security contexts.

More recently, a setcon(3) interface was added to support dynamic context transitions as you describe for privilege bracketing by applications that are trusted to maintain separation between the two contexts, but this should only be used with great care and only if an exec-based transition is truly infeasible. As setcon(3) was a very recent change, I'm not sure that it was even included in FC3; you may need a more recent kernel and libselinux for it.

-- 
Stephen Smalley
National Security Agency

From jeremy at ardley.org Thu Feb 24 10:55:21 2005
From: jeremy at ardley.org (Jeremy Ardley)
Date: Thu, 24 Feb 2005 18:55:21 +0800
Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80
Message-ID: <421DB299.3060507@ardley.org>

Hi,

On fedora core 3 - out of the box plus some upgrades. My current setup has

policycoreutils-1.18.1-2.9
selinux-policy-targeted-1.17.30-2.80
squirrelmail-1.4.3a-6.FC3
dovecot-0.99.11-1.FC3.4

I can send mail normally from my system except when I use squirrelmail. The mail is quietly dropped without being sent and a copy is moved into my sent items folder.

When I check the messages log I see the following avc entries:

Feb 24 17:14:46 mail kernel: audit(1109236486.039:0): avc: denied { read append } for pid=7589 exe=/bin/bash path=/var/lib/squirrelmail/prefs/jeremy.abook dev=dm-0 ino=6438914 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_var_lib_t tclass=file
Feb 24 17:14:46 mail kernel: audit(1109236486.128:0): avc: denied { create } for pid=7589 exe=/usr/sbin/sendmail.postfix scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Feb 24 17:14:46 mail kernel: audit(1109236486.136:0): avc: denied { search } for pid=7589 exe=/usr/sbin/sendmail.postfix name=spool dev=dm-0 ino=4030501 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Feb 24 17:14:46 mail kernel: audit(1109236486.137:0): avc: denied { create } for pid=7589 exe=/usr/sbin/sendmail.postfix scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket

I have seen previous correspondence regarding similar faults but nothing I have tried has improved things. Is there a definitive fix I can apply?

Thanks

Jeremy

From netdxr at gmail.com Thu Feb 24 17:17:14 2005
From: netdxr at gmail.com (Tom Lisjac)
Date: Thu, 24 Feb 2005 10:17:14 -0700
Subject: Horde Application Suite and SELinux...
In-Reply-To: <1109172805.3820.2.camel@nexus.verbum.private>
References: <863ff45205022213147bf61e56@mail.gmail.com> <1109110340.3858.32.camel@nexus.verbum.private> <863ff45205022215441de906ea@mail.gmail.com> <1109170147.3928.20.camel@nexus.verbum.private> <1109172805.3820.2.camel@nexus.verbum.private>
Message-ID: <863ff452050224091761bf939e@mail.gmail.com>

On Wed, 23 Feb 2005 10:33:25 -0500, Colin Walters wrote:
> On Wed, 2005-02-23 at 09:49 -0500, Colin Walters wrote:
>
> > > I made a huge mess when I started hacking the policy sources in
> > > FC2...
> One other note - all my comments were relative to the rawhide targeted
> policy (which in the case of httpd AFAIK isn't very divergent from FC3).
> However I know the delta between FC2 and FC3 is larger, particularly due
> to the strict->targeted transition, and it's quite possible there are
> bugs there (such as the one you are encountering) which are fixed in
> FC3. Upgrading very strongly recommended :)

Yes, I'm happily running the targeted policy in FC3! I was alluding to my less than elegant attempts to modify the strict policy in FC2. :)

I fixed the problem with the aspell call by adding the following rules per Karsten's excellent writeup on making policy changes with a local.te:

allow httpd_sys_script_t httpd_tmp_t:file read;
allow httpd_sys_script_t httpd_tmp_t:file getattr;

Thanks for your comments and suggestions... much appreciated!

-Tom

From niki.waibel at newlogic.com Thu Feb 24 17:33:56 2005
From: niki.waibel at newlogic.com (Niki Waibel)
Date: Thu, 24 Feb 2005 18:33:56 +0100 (CET)
Subject: nis+ support f nscd in targeted pol
Message-ID: <200502241733.j1OHXu66010163@enterprise2.newlogic.at>

hi, i am new to selinux.

i usually extend redhat/fedora linux by nis-utils-1.4.1 to access the NIS+ environment.
i've just found out that this is not configured in selinux of fc3 for nscd:
===
Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0): avc: denied { read } for pid=20078 exe=/usr/sbin/nscd name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t tcontext=root:object_r:var_t tclass=file
===
so i guess that the /var/nis/NIS_COLD_START file has to be made available to the nscd command.

i tried the following (cheers russell coker):
===
cd /etc/selinux/targeted/src/policy
echo "allow nscd_t var_t:file { getattr read };" >> domains/misc/custom.te
make load
===
but now i get:
===
Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0): avc: denied { write } for pid=8888 exe=/usr/sbin/nscd name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t tcontext=user_u:object_r:var_run_t tclass=sock_file
===

i think that the /var/nis (NIS+) dir should be integrated into the targeted policy like the /var/yp (NIS) dir...

i've tried to add
/var/nis(/.*)? system_u:object_r:var_nis_t
at several places, without success. (i am simply too new to all this selinux stuff...).

anyway, using >>allow nscd_t var_t:file { getattr read };<< now nscd seems to contact the keyserv program of the portmapper:
===
# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100029    1   udp    980  keyserv
    100029    2   udp    980  keyserv
    100024    1   udp  32772  status
    100024    1   tcp  32776  status
    100021    1   udp  32778  nlockmgr
    100021    3   udp  32778  nlockmgr
    100021    4   udp  32778  nlockmgr
    100021    1   tcp  33060  nlockmgr
    100021    3   tcp  33060  nlockmgr
    100021    4   tcp  33060  nlockmgr
===

which seems to have an open socket at:
# ls -la /var/run/keyservsock
srw-rw-rw- 1 root root 0 Feb 24 04:58 /var/run/keyservsock

niki
-- 
niki w. waibel - system administrator @ newlogic technologies ag

From netdxr at gmail.com Thu Feb 24 17:37:37 2005
From: netdxr at gmail.com (Tom Lisjac)
Date: Thu, 24 Feb 2005 10:37:37 -0700
Subject: Horde Application Suite and SELinux...
In-Reply-To: <1109170147.3928.20.camel@nexus.verbum.private>
References: <863ff45205022213147bf61e56@mail.gmail.com> <1109110340.3858.32.camel@nexus.verbum.private> <863ff45205022215441de906ea@mail.gmail.com> <1109170147.3928.20.camel@nexus.verbum.private>
Message-ID: <863ff4520502240937207ce17e@mail.gmail.com>

On Wed, 23 Feb 2005 09:49:06 -0500, Colin Walters wrote:
> On Tue, 2005-02-22 at 16:44 -0700, Tom Lisjac wrote:
>
> > I was under the impression that mod_php and the webserver ran in the
> > same context...
> You are correct; mod_php code does run in the same context as Apache
> (i.e. httpd_t), because it runs in-process.

> > avc: denied { getattr } for pid=32122 exe=/usr/bin/aspell
> > path=/tmp/spellkQimNQ dev=hda2 ino=326408
> > scontext=root:system_r:httpd_sys_script_t
> > tcontext=root:object_r:httpd_tmp_t tclass=file
>
> Note however here that the source context is httpd_sys_script_t (not
> httpd_t), which means it's a CGI script. CGI scripts by default run in
> a separate context.
>
> Are you really sure that you don't have an external CGI script being
> run?

You're right. I looked at the php code and aspell is being called using an exec... which appears to spawn a shell process. I understand the distinction now... thanks.

> Because as best I can tell, the write was done by the main webserver
> process, and the read is being attempted by a CGI script.
>
> Consider the case where Apache keeps temporary data files containing
> private information in /tmp; in general you don't want CGI scripts to be
> able to read that.

That makes sense... especially for things like session information that could contain login credentials or other personal data.

> You should probably upgrade to FC3; a huge amount of work has gone into
> the policy (but we still have a lot more to do...).

I'm running FC3 with SELinux enabled on all my internet facing servers. :) I never got there with FC2... it was just too difficult.

Many thanks to everyone who contributed to the FC3 revisions and targeted policy!

-Tom

From niki.waibel at newlogic.com Thu Feb 24 17:59:38 2005
From: niki.waibel at newlogic.com (Niki Waibel)
Date: Thu, 24 Feb 2005 18:59:38 +0100 (CET)
Subject: nis+ support f nscd in targeted pol
In-Reply-To: <200502241733.j1OHXu66010163@enterprise2.newlogic.at>
Message-ID: <200502241759.j1OHxc66012152@enterprise2.newlogic.at>

the audit2allow program has helped me to generate this file:
===
allow nscd_t unconfined_t:unix_stream_socket connectto;
#EXE=/usr/sbin/nscd PATH=/var/run/keyservsock : connectto
#EXE=/usr/sbin/nscd PATH=/var/run/keyservsock : connectto
allow nscd_t var_run_t:sock_file write;
#EXE=/usr/sbin/nscd NAME=keyservsock : write
#EXE=/usr/sbin/nscd NAME=keyservsock : write
#EXE=/usr/sbin/nscd NAME=keyservsock : write
allow nscd_t var_t:file { getattr read };
#EXE=/usr/sbin/nscd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/nscd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/nscd PATH=/var/nis/NIS_COLD_START : getattr
#EXE=/usr/sbin/nscd PATH=/var/nis/NIS_COLD_START : getattr
===
using that, nscd starts without trouble! it still cannot get any nis+ data it seems. no audit errors are produced... i'll check that tomorrow.

niki

On 24-Feb-2005 Niki Waibel wrote:
> hi, i am new to selinux.
>
> i usually extend redhat/fedora linux by nis-utils-1.4.1
> to access the NIS+ environment.
>
> i've just found out that this is not configured in selinux
> of fc3 for nscd:
> ===
> Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0):
> avc: denied { read } for pid=20078 exe=/usr/sbin/nscd
> name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t
> tcontext=root:object_r:var_t tclass=file
> ===
> so i guess that the /var/nis/NIS_COLD_START file has to be made
> available to the nscd command.
>
> i tried the following (cheers russell coker):
> ===
> cd /etc/selinux/targeted/src/policy
> echo "allow nscd_t var_t:file { getattr read };" >> domains/misc/custom.te
> make load
> ===
> but now i get:
> ===
> Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0):
> avc: denied { write } for pid=8888 exe=/usr/sbin/nscd
> name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t
> tcontext=user_u:object_r:var_run_t tclass=sock_file
> ===
>
> i think that the /var/nis (NIS+) dir should be integrated
> into the targeted policy like the /var/yp (NIS) dir...
>
> i've tried to add
> /var/nis(/.*)? system_u:object_r:var_nis_t
> at several places, without success. (i am simply too new
> to all this selinux stuff...).
>
> anyway, using >>allow nscd_t var_t:file { getattr read };<< now nscd
> seems to contact the keyserv program of the portmapper:
> ===
> # rpcinfo -p
>    program vers proto   port
>     100000    2   tcp    111  portmapper
>     100000    2   udp    111  portmapper
>     100029    1   udp    980  keyserv
>     100029    2   udp    980  keyserv
>     100024    1   udp  32772  status
>     100024    1   tcp  32776  status
>     100021    1   udp  32778  nlockmgr
>     100021    3   udp  32778  nlockmgr
>     100021    4   udp  32778  nlockmgr
>     100021    1   tcp  33060  nlockmgr
>     100021    3   tcp  33060  nlockmgr
>     100021    4   tcp  33060  nlockmgr
> ===
>
> which seems to have an open socket at:
> # ls -la /var/run/keyservsock
> srw-rw-rw- 1 root root 0 Feb 24 04:58 /var/run/keyservsock
>
> niki
> -- 
> niki w. waibel - system administrator @ newlogic technologies ag

From dwalsh at redhat.com Thu Feb 24 19:09:07 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 24 Feb 2005 14:09:07 -0500
Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80
In-Reply-To: <421DB299.3060507@ardley.org>
References: <421DB299.3060507@ardley.org>
Message-ID: <421E2653.4030109@redhat.com>

Jeremy Ardley wrote:
> Hi,
>
> On fedora core 3 - out of the box plus some upgrades.
> My current setup
> has
>
> policycoreutils-1.18.1-2.9
> selinux-policy-targeted-1.17.30-2.80
> squirrelmail-1.4.3a-6.FC3
> dovecot-0.99.11-1.FC3.4
>
> I can send mail normally from my system except when I use
> squirrelmail. The mail is quietly dropped without being sent and a
> copy is moved into my sent items folder.
>
> When I check the messages log I see the following avc entries
>
> Feb 24 17:14:46 mail kernel: audit(1109236486.039:0): avc: denied {
> read append } for pid=7589 exe=/bin/bash
> path=/var/lib/squirrelmail/prefs/jeremy.abook dev=dm-0 ino=6438914
> scontext=user_u:system_r:httpd_sys_script_t
> tcontext=root:object_r:httpd_var_lib_t tclass=file
> Feb 24 17:14:46 mail kernel: audit(1109236486.128:0): avc: denied {
> create } for pid=7589 exe=/usr/sbin/sendmail.postfix
> scontext=user_u:system_r:httpd_sys_script_t
> tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
> Feb 24 17:14:46 mail kernel: audit(1109236486.136:0): avc: denied {
> search } for pid=7589 exe=/usr/sbin/sendmail.postfix name=spool
> dev=dm-0 ino=4030501 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_spool_t tclass=dir
> Feb 24 17:14:46 mail kernel: audit(1109236486.137:0): avc: denied {
> create } for pid=7589 exe=/usr/sbin/sendmail.postfix
> scontext=user_u:system_r:httpd_sys_script_t
> tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
>
> I have seen previous correspondence regarding similar faults but
> nothing I have tried has improved things. Is there a definitive fix I
> can apply?

restorecon -R -v /usr/lib/squirrelmail /usr/sbin/sendmail.postfix /var/spool

Should help.

>
> Thanks
>
> Jeremy
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From jeremy at ardley.org Thu Feb 24 19:39:43 2005
From: jeremy at ardley.org (Jeremy Ardley)
Date: Fri, 25 Feb 2005 03:39:43 +0800
Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80
In-Reply-To: <421E2653.4030109@redhat.com>
References: <421DB299.3060507@ardley.org> <421E2653.4030109@redhat.com>
Message-ID: <421E2D7F.2040908@ardley.org>

Daniel J Walsh wrote:
> Jeremy Ardley wrote:
>
> > When I check the messages log I see the following avc entries
> >
> > Feb 24 17:14:46 mail kernel: audit(1109236486.039:0): avc: denied {
> > read append } for pid=7589 exe=/bin/bash
> > path=/var/lib/squirrelmail/prefs/jeremy.abook dev=dm-0 ino=6438914
> > scontext=user_u:system_r:httpd_sys_script_t
> > tcontext=root:object_r:httpd_var_lib_t tclass=file
> > Feb 24 17:14:46 mail kernel: audit(1109236486.128:0): avc: denied {
> > create } for pid=7589 exe=/usr/sbin/sendmail.postfix
> > scontext=user_u:system_r:httpd_sys_script_t
> > tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
> > Feb 24 17:14:46 mail kernel: audit(1109236486.136:0): avc: denied {
> > search } for pid=7589 exe=/usr/sbin/sendmail.postfix name=spool
> > dev=dm-0 ino=4030501 scontext=user_u:system_r:httpd_sys_script_t
> > tcontext=system_u:object_r:var_spool_t tclass=dir
> > Feb 24 17:14:46 mail kernel: audit(1109236486.137:0): avc: denied {
> > create } for pid=7589 exe=/usr/sbin/sendmail.postfix
> > scontext=user_u:system_r:httpd_sys_script_t
> > tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
> >
> > I have seen previous correspondence regarding similar faults but
> > nothing I have tried has improved things. Is there a definitive fix I
> > can apply?
>
> restorecon -R -v /usr/lib/squirrelmail /usr/sbin/sendmail.postfix /var/spool
>
> Should help.
>

I had to change the command to

restorecon -R -v /var/lib/squirrelmail /usr/sbin/sendmail.postfix /var/spool

However I still get errors - though different ones - and the mail is still dropped

Feb 25 03:30:47 mail kernel: audit(1109273447.864:0): avc: denied { create } for pid=8704 exe=/usr/sbin/sendmail.postfix scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Feb 25 03:30:47 mail kernel: audit(1109273447.878:0): avc: denied { search } for pid=8704 exe=/usr/sbin/sendmail.postfix name=spool dev=dm-0 ino=4030501 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Feb 25 03:30:47 mail kernel: audit(1109273447.880:0): avc: denied { create } for pid=8704 exe=/usr/sbin/sendmail.postfix scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket

From dwalsh at redhat.com Thu Feb 24 20:15:17 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 24 Feb 2005 15:15:17 -0500
Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80
In-Reply-To: <421E2D7F.2040908@ardley.org>
References: <421DB299.3060507@ardley.org> <421E2653.4030109@redhat.com> <421E2D7F.2040908@ardley.org>
Message-ID: <421E35D5.4050800@redhat.com>

Jeremy Ardley wrote:
> Daniel J Walsh wrote:
>
> > Jeremy Ardley wrote:
> >
> > > When I check the messages log I see the following avc entries
> > >
> > > Feb 24 17:14:46 mail kernel: audit(1109236486.039:0): avc: denied
> > > { read append } for pid=7589 exe=/bin/bash
> > > path=/var/lib/squirrelmail/prefs/jeremy.abook dev=dm-0 ino=6438914
> > > scontext=user_u:system_r:httpd_sys_script_t
> > > tcontext=root:object_r:httpd_var_lib_t tclass=file
> > > Feb 24 17:14:46 mail kernel: audit(1109236486.128:0): avc: denied
> > > { create } for pid=7589 exe=/usr/sbin/sendmail.postfix
> > > scontext=user_u:system_r:httpd_sys_script_t
> > > tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
> > > Feb 24 17:14:46 mail kernel: audit(1109236486.136:0): avc: denied
> > > { search } for pid=7589 exe=/usr/sbin/sendmail.postfix name=spool
> > > dev=dm-0 ino=4030501 scontext=user_u:system_r:httpd_sys_script_t
> > > tcontext=system_u:object_r:var_spool_t tclass=dir
> > > Feb 24 17:14:46 mail kernel: audit(1109236486.137:0): avc: denied
> > > { create } for pid=7589 exe=/usr/sbin/sendmail.postfix
> > > scontext=user_u:system_r:httpd_sys_script_t
> > > tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
> > >
> > > I have seen previous correspondence regarding similar faults but
> > > nothing I have tried has improved things. Is there a definitive fix
> > > I can apply?
> >
> > restorecon -R -v /usr/lib/squirrelmail /usr/sbin/sendmail.postfix
> > /var/spool
> >
> > Should help.
> >
> I had to change the command to
>
> restorecon -R -v /var/lib/squirrelmail /usr/sbin/sendmail.postfix
> /var/spool
>
> However I still get errors - though different ones - and the mail is
> still dropped
>
> Feb 25 03:30:47 mail kernel: audit(1109273447.864:0): avc: denied {
> create } for pid=8704 exe=/usr/sbin/sendmail.postfix
> scontext=user_u:system_r:httpd_sys_script_t
> tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
> Feb 25 03:30:47 mail kernel: audit(1109273447.878:0): avc: denied {
> search } for pid=8704 exe=/usr/sbin/sendmail.postfix name=spool
> dev=dm-0 ino=4030501 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_spool_t tclass=dir
> Feb 25 03:30:47 mail kernel: audit(1109273447.880:0): avc: denied {
> create } for pid=8704 exe=/usr/sbin/sendmail.postfix
> scontext=user_u:system_r:httpd_sys_script_t
> tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
>

Could you try the selinux-policy-targeted-1.17.30-2.84 on ftp://people.redhat.com/dwalsh/SELinux/FC3

Your /usr/sbin/sendmail.postfix has the wrong context on it. It should be running as sendmail_exec_t and /var/spool/postfix should be system_u:object_r:mail_spool_t

Dan

From jeremy at ardley.org Thu Feb 24 20:37:46 2005
From: jeremy at ardley.org (Jeremy Ardley)
Date: Fri, 25 Feb 2005 04:37:46 +0800
Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80
In-Reply-To: <421E35D5.4050800@redhat.com>
References: <421DB299.3060507@ardley.org> <421E2653.4030109@redhat.com> <421E2D7F.2040908@ardley.org> <421E35D5.4050800@redhat.com>
Message-ID: <421E3B1A.6070509@ardley.org>

Daniel J Walsh wrote:
> Could you try the selinux-policy-targeted-1.17.30-2.84 on
> ftp://people.redhat.com/dwalsh/SELinux/FC3
>

The latest copy there is selinux-policy-targeted-1.17.30-2.81

Should I try this?

From dwalsh at redhat.com Thu Feb 24 20:47:17 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 24 Feb 2005 15:47:17 -0500
Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80
In-Reply-To: <421E3B1A.6070509@ardley.org>
References: <421DB299.3060507@ardley.org> <421E2653.4030109@redhat.com> <421E2D7F.2040908@ardley.org> <421E35D5.4050800@redhat.com> <421E3B1A.6070509@ardley.org>
Message-ID: <421E3D55.1090609@redhat.com>

Jeremy Ardley wrote:
> Daniel J Walsh wrote:
>
> > Could you try the selinux-policy-targeted-1.17.30-2.84 on
> > ftp://people.redhat.com/dwalsh/SELinux/FC3
> >
> The latest copy there is selinux-policy-targeted-1.17.30-2.81
>
> Should I try this?
>

I see 84.
> -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list From jeremy at ardley.org Thu Feb 24 21:03:03 2005 From: jeremy at ardley.org (Jeremy Ardley) Date: Fri, 25 Feb 2005 05:03:03 +0800 Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80 In-Reply-To: <421E3D55.1090609@redhat.com> References: <421DB299.3060507@ardley.org> <421E2653.4030109@redhat.com> <421E2D7F.2040908@ardley.org> <421E35D5.4050800@redhat.com> <421E3B1A.6070509@ardley.org> <421E3D55.1090609@redhat.com> Message-ID: <421E4107.7010702@ardley.org> Daniel J Walsh wrote: > Jeremy Ardley wrote: > >> Daniel J Walsh wrote: >> >>> Could you try the selinux-policy-targeted-1.17.30-2.84 on >>> ftp://people.redhat.com/dwalsh/SELinux/FC3 >>> >> The latest copy there is selinux-policy-targeted-1.17.30-2.81 >> >> Should I try this ? >> > I see 84. > So do I now that I hit refresh on my browser. Installed using rpm -Uvh selinux-policy-targeted-1.17.30-2.84.noarch.rpm Then I ran restorecon -R -v /var/lib/squirrelmail /usr/sbin/sendmail.postfix /var/spool And got Feb 25 04:56:27 mail kernel: audit(1109278587.831:0): avc: denied { append } for pid=9795 exe=/usr/sbin/sendmail.postfix path=/var/log/httpd/error_log dev=dm-0 ino=4033974 scontext=user_u:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file Feb 25 04:56:27 mail kernel: audit(1109278587.832:0): avc: denied { append } for pid=9795 exe=/usr/sbin/sendmail.postfix path=/var/log/httpd/error_log dev=dm-0 ino=4033974 scontext=user_u:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file Feb 25 04:56:27 mail kernel: audit(1109278587.832:0): avc: denied { append } for pid=9795 exe=/usr/sbin/sendmail.postfix path=/var/log/httpd/ssl_error_log dev=dm-0 ino=4033975 scontext=user_u:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file Feb 25 04:56:27 mail kernel: audit(1109278587.832:0): avc: denied { append } for pid=9795 
exe=/usr/sbin/sendmail.postfix path=/var/log/httpd/access_log dev=dm-0 ino=4032679 scontext=user_u:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file Feb 25 04:56:27 mail kernel: audit(1109278587.832:0): avc: denied { append } for pid=9795 exe=/usr/sbin/sendmail.postfix path=/var/log/httpd/ssl_access_log dev=dm-0 ino=3784723 scontext=user_u:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file Feb 25 04:56:27 mail kernel: audit(1109278587.832:0): avc: denied { append } for pid=9795 exe=/usr/sbin/sendmail.postfix path=/var/log/httpd/ssl_request_log dev=dm-0 ino=3784724 scontext=user_u:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file Feb 25 04:56:27 mail kernel: audit(1109278587.856:0): avc: denied { search } for pid=9795 exe=/usr/sbin/sendmail.postfix name=postfix dev=dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir On a hunch I ran restorecon -R -v /var/log and then got Feb 25 05:01:08 mail kernel: audit(1109278868.985:0): avc: denied { search } for pid=9813 exe=/usr/sbin/sendmail.postfix name=postfix dev=dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir From dwalsh at redhat.com Fri Feb 25 16:46:50 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 25 Feb 2005 11:46:50 -0500 Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80 In-Reply-To: <421E4107.7010702@ardley.org> References: <421DB299.3060507@ardley.org> <421E2653.4030109@redhat.com> <421E2D7F.2040908@ardley.org> <421E35D5.4050800@redhat.com> <421E3B1A.6070509@ardley.org> <421E3D55.1090609@redhat.com> <421E4107.7010702@ardley.org> Message-ID: <421F567A.8030202@redhat.com> Jeremy Ardley wrote: > Daniel J Walsh wrote: > >> Jeremy Ardley wrote: >> >>> Daniel J Walsh wrote: >>> >>>> Could you try the selinux-policy-targeted-1.17.30-2.84 on >>>> ftp://people.redhat.com/dwalsh/SELinux/FC3 >>>> >>> The latest copy 
there is selinux-policy-targeted-1.17.30-2.81 >>> >>> Should I try this ? >>> >> I see 84. >> > So do I now that I hit refresh on my browser. > > Installed using rpm -Uvh selinux-policy-targeted-1.17.30-2.84.noarch.rpm > > Then I ran restorecon -R -v /var/lib/squirrelmail > /usr/sbin/sendmail.postfix /var/spool > > And got > > Feb 25 04:56:27 mail kernel: audit(1109278587.831:0): avc: denied { > append } for pid=9795 exe=/usr/sbin/sendmail.postfix > path=/var/log/httpd/error_log dev=dm-0 ino=4033974 > scontext=user_u:system_r:system_mail_t > tcontext=root:object_r:httpd_runtime_t tclass=file > Feb 25 04:56:27 mail kernel: audit(1109278587.832:0): avc: denied { > append } for pid=9795 exe=/usr/sbin/sendmail.postfix > path=/var/log/httpd/error_log dev=dm-0 ino=4033974 > scontext=user_u:system_r:system_mail_t > tcontext=root:object_r:httpd_runtime_t tclass=file > Feb 25 04:56:27 mail kernel: audit(1109278587.832:0): avc: denied { > append } for pid=9795 exe=/usr/sbin/sendmail.postfix > path=/var/log/httpd/ssl_error_log dev=dm-0 ino=4033975 > scontext=user_u:system_r:system_mail_t > tcontext=root:object_r:httpd_runtime_t tclass=file > Feb 25 04:56:27 mail kernel: audit(1109278587.832:0): avc: denied { > append } for pid=9795 exe=/usr/sbin/sendmail.postfix > path=/var/log/httpd/access_log dev=dm-0 ino=4032679 > scontext=user_u:system_r:system_mail_t > tcontext=root:object_r:httpd_runtime_t tclass=file > Feb 25 04:56:27 mail kernel: audit(1109278587.832:0): avc: denied { > append } for pid=9795 exe=/usr/sbin/sendmail.postfix > path=/var/log/httpd/ssl_access_log dev=dm-0 ino=3784723 > scontext=user_u:system_r:system_mail_t > tcontext=root:object_r:httpd_runtime_t tclass=file > Feb 25 04:56:27 mail kernel: audit(1109278587.832:0): avc: denied { > append } for pid=9795 exe=/usr/sbin/sendmail.postfix > path=/var/log/httpd/ssl_request_log dev=dm-0 ino=3784724 > scontext=user_u:system_r:system_mail_t > tcontext=root:object_r:httpd_runtime_t tclass=file > Feb 25 04:56:27 mail 
kernel: audit(1109278587.856:0): avc: denied { > search } for pid=9795 exe=/usr/sbin/sendmail.postfix name=postfix > dev=dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=dir > > On a hunch I ran restorecon -R -v /var/log > > and then got > > Feb 25 05:01:08 mail kernel: audit(1109278868.985:0): avc: denied { > search } for pid=9813 exe=/usr/sbin/sendmail.postfix name=postfix > dev=dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=dir > Could you run one more test. Run setenforce 0 and then try to use the mail program. What other AVC messages do you see? > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list From jeremy at ardley.org Fri Feb 25 19:59:55 2005 From: jeremy at ardley.org (Jeremy Ardley) Date: Sat, 26 Feb 2005 03:59:55 +0800 Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80 In-Reply-To: <421F567A.8030202@redhat.com> References: <421DB299.3060507@ardley.org> <421E2653.4030109@redhat.com> <421E2D7F.2040908@ardley.org> <421E35D5.4050800@redhat.com> <421E3B1A.6070509@ardley.org> <421E3D55.1090609@redhat.com> <421E4107.7010702@ardley.org> <421F567A.8030202@redhat.com> Message-ID: <421F83BB.6010006@ardley.org> Daniel J Walsh wrote: >> Feb 25 05:01:08 mail kernel: audit(1109278868.985:0): avc: denied { >> search } for pid=9813 exe=/usr/sbin/sendmail.postfix name=postfix >> dev=dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t >> tcontext=system_u:object_r:mail_spool_t tclass=dir >> > Could you run one more test. > Run setenforce 0 > and then try to use the mail program. What other AVC messages do you > see? 
> Feb 26 03:58:10 mail kernel: audit(1109361490.957:0): avc: denied { search } for pid=11105 exe=/usr/sbin/sendmail.postfix name=postfix dev =dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir Feb 26 03:58:10 mail kernel: audit(1109361490.975:0): avc: denied { execute } for pid=11106 exe=/usr/sbin/sendmail.postfix name=postdrop d ev=dm-0 ino=2961715 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file Feb 26 03:58:10 mail kernel: audit(1109361490.976:0): avc: denied { execute_no_trans } for pid=11106 exe=/usr/sbin/sendmail.postfix path=/ usr/sbin/postdrop dev=dm-0 ino=2961715 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file Feb 26 03:58:10 mail kernel: audit(1109361490.976:0): avc: denied { read } for pid=11106 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/pos tdrop dev=dm-0 ino=2961715 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file Feb 26 03:58:11 mail kernel: audit(1109361491.017:0): avc: denied { write } for pid=11106 exe=/usr/sbin/postdrop name=maildrop dev=dm-0 in o=4032533 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir Feb 26 03:58:11 mail kernel: audit(1109361491.017:0): avc: denied { add_name } for pid=11106 exe=/usr/sbin/postdrop name=17816.11106 scont ext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir Feb 26 03:58:11 mail kernel: audit(1109361491.017:0): avc: denied { create } for pid=11106 exe=/usr/sbin/postdrop name=17816.11106 scontex t=user_u:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=file Feb 26 03:58:11 mail kernel: audit(1109361491.018:0): avc: denied { getattr } for pid=11106 exe=/usr/sbin/postdrop path=/var/spool/postfix /maildrop/17816.11106 dev=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=file Feb 26 03:58:11 mail kernel: 
audit(1109361491.019:0): avc: denied { remove_name } for pid=11106 exe=/usr/sbin/postdrop name=17816.11106 de v=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir Feb 26 03:58:11 mail kernel: audit(1109361491.019:0): avc: denied { rename } for pid=11106 exe=/usr/sbin/postdrop name=17816.11106 dev=dm- 0 ino=6340609 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=file Feb 26 03:58:11 mail kernel: audit(1109361491.020:0): avc: denied { write } for pid=11106 exe=/usr/sbin/postdrop path=/var/spool/postfix/m aildrop/04D8460C001 dev=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=file Feb 26 03:58:11 mail kernel: audit(1109361491.022:0): avc: denied { setattr } for pid=11106 exe=/usr/sbin/postdrop name=04D8460C001 dev=dm -0 ino=6340609 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=file Feb 26 03:58:11 mail kernel: audit(1109361491.037:0): avc: denied { getattr } for pid=11106 exe=/usr/sbin/postdrop path=/var/spool/postfix /public/pickup dev=dm-0 ino=4032604 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=fifo_file Feb 26 03:58:11 mail kernel: audit(1109361491.038:0): avc: denied { write } for pid=11106 exe=/usr/sbin/postdrop name=pickup dev=dm-0 ino= 4032604 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=fifo_file From dwalsh at redhat.com Fri Feb 25 20:41:21 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 25 Feb 2005 15:41:21 -0500 Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80 In-Reply-To: <421F83BB.6010006@ardley.org> References: <421DB299.3060507@ardley.org> <421E2653.4030109@redhat.com> <421E2D7F.2040908@ardley.org> <421E35D5.4050800@redhat.com> <421E3B1A.6070509@ardley.org> <421E3D55.1090609@redhat.com> <421E4107.7010702@ardley.org> <421F567A.8030202@redhat.com> 
<421F83BB.6010006@ardley.org> Message-ID: <421F8D71.2080308@redhat.com> Jeremy Ardley wrote: > Daniel J Walsh wrote: > >>> Feb 25 05:01:08 mail kernel: audit(1109278868.985:0): avc: denied >>> { search } for pid=9813 exe=/usr/sbin/sendmail.postfix name=postfix >>> dev=dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t >>> tcontext=system_u:object_r:mail_spool_t tclass=dir >>> >> Could you run one more test. >> Run setenforce 0 >> and then try to use the mail program. What other AVC messages do you >> see? >> > Feb 26 03:58:10 mail kernel: audit(1109361490.957:0): avc: denied { > search } for pid=11105 exe=/usr/sbin/sendmail.postfix name=postfix > dev =dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=dir > Feb 26 03:58:10 mail kernel: audit(1109361490.975:0): avc: denied { > execute } for pid=11106 exe=/usr/sbin/sendmail.postfix name=postdrop > d ev=dm-0 ino=2961715 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:sbin_t tclass=file > Feb 26 03:58:10 mail kernel: audit(1109361490.976:0): avc: denied { > execute_no_trans } for pid=11106 exe=/usr/sbin/sendmail.postfix > path=/ usr/sbin/postdrop dev=dm-0 ino=2961715 > scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:sbin_t tclass=file > Feb 26 03:58:10 mail kernel: audit(1109361490.976:0): avc: denied { > read } for pid=11106 exe=/usr/sbin/sendmail.postfix > path=/usr/sbin/pos tdrop dev=dm-0 ino=2961715 > scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:sbin_t tclass=file > Feb 26 03:58:11 mail kernel: audit(1109361491.017:0): avc: denied { > write } for pid=11106 exe=/usr/sbin/postdrop name=maildrop dev=dm-0 > in o=4032533 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=dir > Feb 26 03:58:11 mail kernel: audit(1109361491.017:0): avc: denied { > add_name } for pid=11106 exe=/usr/sbin/postdrop name=17816.11106 > scont ext=user_u:system_r:system_mail_t > 
tcontext=system_u:object_r:mail_spool_t tclass=dir > Feb 26 03:58:11 mail kernel: audit(1109361491.017:0): avc: denied { > create } for pid=11106 exe=/usr/sbin/postdrop name=17816.11106 > scontex t=user_u:system_r:system_mail_t > tcontext=user_u:object_r:mail_spool_t tclass=file > Feb 26 03:58:11 mail kernel: audit(1109361491.018:0): avc: denied { > getattr } for pid=11106 exe=/usr/sbin/postdrop > path=/var/spool/postfix /maildrop/17816.11106 dev=dm-0 ino=6340609 > scontext=user_u:system_r:system_mail_t > tcontext=user_u:object_r:mail_spool_t tclass=file > Feb 26 03:58:11 mail kernel: audit(1109361491.019:0): avc: denied { > remove_name } for pid=11106 exe=/usr/sbin/postdrop name=17816.11106 > de v=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=dir > Feb 26 03:58:11 mail kernel: audit(1109361491.019:0): avc: denied { > rename } for pid=11106 exe=/usr/sbin/postdrop name=17816.11106 > dev=dm- 0 ino=6340609 scontext=user_u:system_r:system_mail_t > tcontext=user_u:object_r:mail_spool_t tclass=file > Feb 26 03:58:11 mail kernel: audit(1109361491.020:0): avc: denied { > write } for pid=11106 exe=/usr/sbin/postdrop > path=/var/spool/postfix/m aildrop/04D8460C001 dev=dm-0 ino=6340609 > scontext=user_u:system_r:system_mail_t > tcontext=user_u:object_r:mail_spool_t tclass=file > Feb 26 03:58:11 mail kernel: audit(1109361491.022:0): avc: denied { > setattr } for pid=11106 exe=/usr/sbin/postdrop name=04D8460C001 > dev=dm -0 ino=6340609 scontext=user_u:system_r:system_mail_t > tcontext=user_u:object_r:mail_spool_t tclass=file > Feb 26 03:58:11 mail kernel: audit(1109361491.037:0): avc: denied { > getattr } for pid=11106 exe=/usr/sbin/postdrop > path=/var/spool/postfix /public/pickup dev=dm-0 ino=4032604 > scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=fifo_file > Feb 26 03:58:11 mail kernel: audit(1109361491.038:0): avc: denied { > write } for pid=11106 exe=/usr/sbin/postdrop 
name=pickup dev=dm-0 > ino= 4032604 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=fifo_file > Ok I built selinux-policy-targeted-1.17.30-2.85 on ftp://people.redhat.com/dwalsh/SELinux/FC3 Try that one out. > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list From jeremy at ardley.org Fri Feb 25 21:07:19 2005 From: jeremy at ardley.org (Jeremy Ardley) Date: Sat, 26 Feb 2005 05:07:19 +0800 Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80 In-Reply-To: <421F8D71.2080308@redhat.com> References: <421DB299.3060507@ardley.org> <421E2653.4030109@redhat.com> <421E2D7F.2040908@ardley.org> <421E35D5.4050800@redhat.com> <421E3B1A.6070509@ardley.org> <421E3D55.1090609@redhat.com> <421E4107.7010702@ardley.org> <421F567A.8030202@redhat.com> <421F83BB.6010006@ardley.org> <421F8D71.2080308@redhat.com> Message-ID: <421F9387.7070807@ardley.org> Daniel J Walsh wrote: > Ok I built selinux-policy-targeted-1.17.30-2.85 on > ftp://people.redhat.com/dwalsh/SELinux/FC3 > > Try that one out. 
rpm -Uvh selinux-policy-targeted-1.17.30-2.85.noarch.rpm restorecon -R -v /var/lib/squirrelmail /usr/sbin/sendmail.postfix /var/spool restorecon -R -v /var/log setenforce 1 Feb 26 05:01:03 mail kernel: audit(1109365263.017:0): avc: denied { search } for pid=12048 exe=/usr/sbin/sendmail.postfix name=postfix dev=dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir Mail was delivered however then setenforce 0 Feb 26 05:02:33 mail kernel: audit(1109365353.670:0): avc: granted { setenforce } for pid=12056 exe=/usr/bin/setenforce scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security Feb 26 05:02:58 mail kernel: audit(1109365378.602:0): avc: denied { search } for pid=12057 exe=/usr/sbin/sendmail.postfix name=postfix dev=dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir Feb 26 05:02:58 mail kernel: audit(1109365378.628:0): avc: denied { execute } for pid=12058 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-0 ino=2961715 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file Feb 26 05:02:58 mail kernel: audit(1109365378.629:0): avc: denied { execute_no_trans } for pid=12058 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-0 ino=2961715 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file Feb 26 05:02:58 mail kernel: audit(1109365378.629:0): avc: denied { read } for pid=12058 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-0 ino=2961715 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file Feb 26 05:02:58 mail kernel: audit(1109365378.686:0): avc: denied { write } for pid=12058 exe=/usr/sbin/postdrop name=maildrop dev=dm-0 ino=4032533 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir Feb 26 05:02:58 mail kernel: audit(1109365378.686:0): avc: denied { add_name } for 
pid=12058 exe=/usr/sbin/postdrop name=686987.12058 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir Feb 26 05:02:58 mail kernel: audit(1109365378.686:0): avc: denied { create } for pid=12058 exe=/usr/sbin/postdrop name=686987.12058 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=file Feb 26 05:02:58 mail kernel: audit(1109365378.711:0): avc: denied { getattr } for pid=12058 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/686987.12058 dev=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=file Feb 26 05:02:58 mail kernel: audit(1109365378.712:0): avc: denied { remove_name } for pid=12058 exe=/usr/sbin/postdrop name=686987.12058 dev=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir Feb 26 05:02:58 mail kernel: audit(1109365378.712:0): avc: denied { rename } for pid=12058 exe=/usr/sbin/postdrop name=686987.12058 dev=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=file Feb 26 05:02:58 mail kernel: audit(1109365378.714:0): avc: denied { write } for pid=12058 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/ADE8760C001 dev=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=file Feb 26 05:02:58 mail kernel: audit(1109365378.715:0): avc: denied { setattr } for pid=12058 exe=/usr/sbin/postdrop name=ADE8760C001 dev=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=file Feb 26 05:02:58 mail kernel: audit(1109365378.733:0): avc: denied { getattr } for pid=12058 exe=/usr/sbin/postdrop path=/var/spool/postfix/public/pickup dev=dm-0 ino=4032604 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=fifo_file Feb 26 05:02:58 mail kernel: audit(1109365378.733:0): avc: denied { write } for pid=12058 
exe=/usr/sbin/postdrop name=pickup dev=dm-0 ino=4032604 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=fifo_file mail was delivered again From dwalsh at redhat.com Fri Feb 25 21:29:59 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 25 Feb 2005 16:29:59 -0500 Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80 In-Reply-To: <421F9387.7070807@ardley.org> References: <421DB299.3060507@ardley.org> <421E2653.4030109@redhat.com> <421E2D7F.2040908@ardley.org> <421E35D5.4050800@redhat.com> <421E3B1A.6070509@ardley.org> <421E3D55.1090609@redhat.com> <421E4107.7010702@ardley.org> <421F567A.8030202@redhat.com> <421F83BB.6010006@ardley.org> <421F8D71.2080308@redhat.com> <421F9387.7070807@ardley.org> Message-ID: <421F98D7.3030104@redhat.com> Jeremy Ardley wrote: > Daniel J Walsh wrote: > >> Ok I built selinux-policy-targeted-1.17.30-2.85 on >> ftp://people.redhat.com/dwalsh/SELinux/FC3 >> >> Try that one out. > > > rpm -Uvh selinux-policy-targeted-1.17.30-2.85.noarch.rpm > restorecon -R -v /var/lib/squirrelmail /usr/sbin/sendmail.postfix > /var/spool > restorecon -R -v /var/log > setenforce 1 That is strange. Could you do a load_policy /etc/selinux/targeted/policy/policy.19 And then try. The new rules should work. You don't need to restorecon. 
> Feb 26 05:01:03 mail kernel: audit(1109365263.017:0): avc: denied { > search } for pid=12048 exe=/usr/sbin/sendmail.postfix name=postfix > dev=dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=dir > > Mail was delivered however > then > > setenforce 0 > > Feb 26 05:02:33 mail kernel: audit(1109365353.670:0): avc: granted { > setenforce } for pid=12056 exe=/usr/bin/setenforce > scontext=root:system_r:unconfined_t > tcontext=system_u:object_r:security_t tclass=security > Feb 26 05:02:58 mail kernel: audit(1109365378.602:0): avc: denied { > search } for pid=12057 exe=/usr/sbin/sendmail.postfix name=postfix > dev=dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=dir > Feb 26 05:02:58 mail kernel: audit(1109365378.628:0): avc: denied { > execute } for pid=12058 exe=/usr/sbin/sendmail.postfix name=postdrop > dev=dm-0 ino=2961715 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:sbin_t tclass=file > Feb 26 05:02:58 mail kernel: audit(1109365378.629:0): avc: denied { > execute_no_trans } for pid=12058 exe=/usr/sbin/sendmail.postfix > path=/usr/sbin/postdrop dev=dm-0 ino=2961715 > scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:sbin_t tclass=file > Feb 26 05:02:58 mail kernel: audit(1109365378.629:0): avc: denied { > read } for pid=12058 exe=/usr/sbin/sendmail.postfix > path=/usr/sbin/postdrop dev=dm-0 ino=2961715 > scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:sbin_t tclass=file > Feb 26 05:02:58 mail kernel: audit(1109365378.686:0): avc: denied { > write } for pid=12058 exe=/usr/sbin/postdrop name=maildrop dev=dm-0 > ino=4032533 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=dir > Feb 26 05:02:58 mail kernel: audit(1109365378.686:0): avc: denied { > add_name } for pid=12058 exe=/usr/sbin/postdrop name=686987.12058 > scontext=user_u:system_r:system_mail_t > 
tcontext=system_u:object_r:mail_spool_t tclass=dir > Feb 26 05:02:58 mail kernel: audit(1109365378.686:0): avc: denied { > create } for pid=12058 exe=/usr/sbin/postdrop name=686987.12058 > scontext=user_u:system_r:system_mail_t > tcontext=user_u:object_r:mail_spool_t tclass=file > Feb 26 05:02:58 mail kernel: audit(1109365378.711:0): avc: denied { > getattr } for pid=12058 exe=/usr/sbin/postdrop > path=/var/spool/postfix/maildrop/686987.12058 dev=dm-0 ino=6340609 > scontext=user_u:system_r:system_mail_t > tcontext=user_u:object_r:mail_spool_t tclass=file > Feb 26 05:02:58 mail kernel: audit(1109365378.712:0): avc: denied { > remove_name } for pid=12058 exe=/usr/sbin/postdrop name=686987.12058 > dev=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=dir > Feb 26 05:02:58 mail kernel: audit(1109365378.712:0): avc: denied { > rename } for pid=12058 exe=/usr/sbin/postdrop name=686987.12058 > dev=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t > tcontext=user_u:object_r:mail_spool_t tclass=file > Feb 26 05:02:58 mail kernel: audit(1109365378.714:0): avc: denied { > write } for pid=12058 exe=/usr/sbin/postdrop > path=/var/spool/postfix/maildrop/ADE8760C001 dev=dm-0 ino=6340609 > scontext=user_u:system_r:system_mail_t > tcontext=user_u:object_r:mail_spool_t tclass=file > Feb 26 05:02:58 mail kernel: audit(1109365378.715:0): avc: denied { > setattr } for pid=12058 exe=/usr/sbin/postdrop name=ADE8760C001 > dev=dm-0 ino=6340609 scontext=user_u:system_r:system_mail_t > tcontext=user_u:object_r:mail_spool_t tclass=file > Feb 26 05:02:58 mail kernel: audit(1109365378.733:0): avc: denied { > getattr } for pid=12058 exe=/usr/sbin/postdrop > path=/var/spool/postfix/public/pickup dev=dm-0 ino=4032604 > scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=fifo_file > Feb 26 05:02:58 mail kernel: audit(1109365378.733:0): avc: denied { > write } for pid=12058 exe=/usr/sbin/postdrop 
name=pickup dev=dm-0 > ino=4032604 scontext=user_u:system_r:system_mail_t > tcontext=system_u:object_r:mail_spool_t tclass=fifo_file > > mail was delivered again > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list From jeremy at ardley.org Sat Feb 26 00:22:54 2005 From: jeremy at ardley.org (Jeremy Ardley) Date: Sat, 26 Feb 2005 08:22:54 +0800 Subject: squirrelmail / postfix mail lost policy 1.17.30-2.80 In-Reply-To: <421F98D7.3030104@redhat.com> References: <421DB299.3060507@ardley.org> <421E2653.4030109@redhat.com> <421E2D7F.2040908@ardley.org> <421E35D5.4050800@redhat.com> <421E3B1A.6070509@ardley.org> <421E3D55.1090609@redhat.com> <421E4107.7010702@ardley.org> <421F567A.8030202@redhat.com> <421F83BB.6010006@ardley.org> <421F8D71.2080308@redhat.com> <421F9387.7070807@ardley.org> <421F98D7.3030104@redhat.com> Message-ID: <421FC15E.8020004@ardley.org> Daniel J Walsh wrote: > > That is strange. Could you do a > load_policy /etc/selinux/targeted/policy/policy.19 > > And then try. > > The new rules should work. You don't need to restorecon. > The .85 package installs policy 18, not 19. load_policy /etc/selinux/targeted/policy/policy.18 And everything now works, For the benefit of those that follow, could you confirm the steps necessary to work around this problem are : Obtain selinux-policy-targeted-1.17.30-2.84 from ftp://people.redhat.com/dwalsh/SELinux/FC3 rpm -Uvh selinux-policy-targeted-1.17.30-2.84 restorecon -R -v /var/lib/squirrelmail /usr/sbin/sendmail.postfix /var/spool /var/log load_policy /etc/selinux/targeted/policy/policy.18 Thanks for all your help Jeremy From KokHow.Teh at marconi.com Mon Feb 28 04:56:51 2005 From: KokHow.Teh at marconi.com (KokHow Teh) Date: Mon, 28 Feb 2005 12:56:51 +0800 Subject: make: ***[_modinst_post] Error 143 Message-ID: Hi; I ran into the above error when I `make modules_install` in FC2. 
Could someone enlighten me on how I can find out more information about the error please?

Regards,
TEH

From kmacmillan at tresys.com Mon Feb 28 23:42:32 2005
From: kmacmillan at tresys.com (Karl MacMillan)
Date: Mon, 28 Feb 2005 18:42:32 -0500
Subject: [ANN] Setools 2.0 released
Message-ID: <200502282342.j1SNgW8R008814@gotham.columbia.tresys.com>

A new version of Setools is available from http://www.tresys.com/selinux. This release contains major new features including:

- Sediff: a new tool that allows a user to take two policies and find the differences including added or removed types, users, roles, booleans and most importantly type enforcement rules. The semantic difference of a policy is different from the syntactic difference in that it shows the cumulative effect of rules rather than doing a line-by-line comparison.

- File contexts database: major improvements were made to the file context indexing and searching tools including conversion to an on-disk database for reduced memory usage and integration into Apol.

- Direct file relabel analysis: a new analysis module was added to Apol for analyzing direct object relabeling.

- Type relationship analysis: a new analysis module was added to Apol to facilitate understanding the relationship between two types. This analysis builds on the rule searching and other analysis in Apol to give the user convenient access to many queries and analyses at once.

- Seaudit report: generation of reports was integrated into seaudit. Previously this was only available as a commandline tool.

More details on the new features can be found at http://www.tresys.com/selinux/setools_new_noteworthy.html.

---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134

From nanocurie at cocmast.net Mon Feb 28 23:54:49 2005
From: nanocurie at cocmast.net (nanocurie)
Date: Mon, 28 Feb 2005 18:54:49 -0500
Subject: hello all, I just joined the list
Message-ID: <200503010030.j210U5el017444@mx3.redhat.com>

Hello all, I just joined the list.

I just downloaded and installed FC3, and noticed that it had SE-Linux installed by default. I thought okay, so the NSA now can/will take control of my secure computers. Good, if there's anyone I'd want controlling them other than I.

Then I saw the post about setools, and saw how they can be used in an enterprise environment. Reminds me of Active Directory. Cool. This is probably better. Just kidding bigbrother.

I look forward to learning with you all about SElinux

nc
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
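The AVC denials in the squirrelmail/postfix thread above become much easier to read once they are grouped by source domain, target type and object class, which is also why Dan asked for a permissive-mode (setenforce 0) run: in enforcing mode the log stops at the first denial that blocks the program, in permissive mode the whole chain of accesses appears. The following Python is an added example, not code from the thread or from Fedora; the log lines are copied from the thread, and the EXPECTED_DOMAIN table is an assumption of the example.

```python
"""Triage helper for SELinux AVC denials of the kind posted in the
squirrelmail/postfix thread. Added example: not code from the thread
or from Fedora. The log lines are copied from the thread; the
EXPECTED_DOMAIN table is an assumption of this example."""
import re
from collections import defaultdict

# 2005-era kernel audit format used throughout the thread:
# "... avc: denied { search } for pid=... scontext=... tcontext=... tclass=dir"
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC line (result, perms, key=value fields), or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def sel_type(context):
    """Pick the type out of a context: 'user_u:system_r:system_mail_t' -> 'system_mail_t'."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else parts[-1]


def summarize(lines):
    """Group denials by (source type, target type, object class) and union the
    permissions. In permissive mode the kernel logs every access the program
    would have been refused, so the result lists the rules a policy fix needs."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (sel_type(rec["scontext"]), sel_type(rec["tcontext"]), rec["tclass"])
        summary[key] |= rec["perms"]
    return {key: sorted(perms) for key, perms in summary.items()}


# Assumption of this example (not from the thread): the domain a binary should
# run in once its file context is correct. The thread's diagnosis was that
# sendmail.postfix ran as httpd_sys_script_t because its exec type was wrong.
EXPECTED_DOMAIN = {"/usr/sbin/sendmail.postfix": "system_mail_t"}


def missing_transitions(lines, expected=EXPECTED_DOMAIN):
    """Flag denials where a known executable runs in an unexpected domain,
    the usual sign of a mislabeled binary that restorecon should fix."""
    found = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "exe" not in rec or "scontext" not in rec:
            continue
        want = expected.get(rec["exe"])
        have = sel_type(rec["scontext"])
        if want is not None and have != want:
            found.add((rec["exe"], have, want))
    return sorted(found)


# Enforcing mode before the relabel (copied from the thread): one denial, and
# the process is in the web-script domain rather than the mail domain.
ENFORCING_LOG = [
    "Feb 25 03:30:47 mail kernel: audit(1109273447.878:0): avc: denied { search } for pid=8704 exe=/usr/sbin/sendmail.postfix name=spool dev=dm-0 ino=4030501 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir",
]

# Permissive mode after the relabel (copied from the thread, shortened): the
# chain from sendmail.postfix through postdrop into the maildrop queue.
PERMISSIVE_LOG = [
    "Feb 26 05:02:33 mail kernel: audit(1109365353.670:0): avc: granted { setenforce } for pid=12056 exe=/usr/bin/setenforce scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security",
    "Feb 26 05:02:58 mail kernel: audit(1109365378.602:0): avc: denied { search } for pid=12057 exe=/usr/sbin/sendmail.postfix name=postfix dev=dm-0 ino=4032524 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir",
    "Feb 26 05:02:58 mail kernel: audit(1109365378.628:0): avc: denied { execute } for pid=12058 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-0 ino=2961715 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file",
    "Feb 26 05:02:58 mail kernel: audit(1109365378.629:0): avc: denied { execute_no_trans } for pid=12058 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-0 ino=2961715 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file",
    "Feb 26 05:02:58 mail kernel: audit(1109365378.686:0): avc: denied { write } for pid=12058 exe=/usr/sbin/postdrop name=maildrop dev=dm-0 ino=4032533 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir",
    "Feb 26 05:02:58 mail kernel: audit(1109365378.686:0): avc: denied { add_name } for pid=12058 exe=/usr/sbin/postdrop name=686987.12058 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=dir",
    "Feb 26 05:02:58 mail kernel: audit(1109365378.686:0): avc: denied { create } for pid=12058 exe=/usr/sbin/postdrop name=686987.12058 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:mail_spool_t tclass=file",
    "Feb 26 05:02:58 mail kernel: audit(1109365378.733:0): avc: denied { write } for pid=12058 exe=/usr/sbin/postdrop name=pickup dev=dm-0 ino=4032604 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:mail_spool_t tclass=fifo_file",
]

if __name__ == "__main__":
    for label, log in (("enforcing", ENFORCING_LOG), ("permissive", PERMISSIVE_LOG)):
        print(f"== {label} ==")
        # One allow-style line per (source, target, class), in the order a policy writer reads them
        for (src, tgt, cls), perms in sorted(summarize(log).items()):
            print(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
        for exe, have, want in missing_transitions(log):
            print(f"{exe} runs as {have}, expected {want}: check its file context")
```

Running it shows the difference between the two logs directly: the enforcing-mode sample yields a single search denial plus a domain mismatch that points at the file context of sendmail.postfix, while the permissive-mode sample yields the full set of rules the updated policy had to carry.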