fedora-selinux-list Digest, Vol 12, Issue 11

kent mcclanahan kmwannsee at yahoo.com
Sat Feb 12 16:25:55 UTC 2005


Hey Steve,

The csm at the end of my name stands for Certified Supreme Master Gemcutter, which was issued by the American Society of Gemcutters and not Walmart. I challenge you to try to obtain one!

Kent McClanahan csm

fedora-selinux-list-request at redhat.com wrote:

Send fedora-selinux-list mailing list submissions to
fedora-selinux-list at redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
or, via email, send a message with subject or body 'help' to
fedora-selinux-list-request at redhat.com

You can reach the person managing the list at
fedora-selinux-list-owner at redhat.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."


Today's Topics:

1. "invalid contex" question (David Hampton)
2. Re: "invalid contex" question (Stephen Smalley)
3. Re: "invalid contex" question (David Hampton)
4. Permissions for new users (Richard Jensen)
5. execmem and targeted policy (Colin Walters)
6. Re: execmem and targeted policy (Stephen Smalley)
7. Re: NAZI DATA (steve)
8. problems (steve)
9. Newbie to fedora/linux (Stephen Valenti)
10. Re: execmem and targeted policy (dragoran)
11. Re: Newbie to fedora/linux (ne...)


----------------------------------------------------------------------

Message: 1
Date: Thu, 10 Feb 2005 12:32:59 -0500
From: David Hampton 
Subject: "invalid contex" question
To: fedora-selinux-list at redhat.com
Message-ID: <1108056779.29383.24.camel at hampton-pc.rainbolthampton.net>
Content-Type: text/plain; charset="us-ascii"

I'm running an FC3 system with the latest rawhide strict policy. I'm
currently trying to tweak the dovecot files for my system and am running
into an invalid context error. My changes so far:


Index: domains/program/dovecot.te

+type dovecot_data_t, file_type, sysadmfile;
+create_dir_file(dovecot_t, dovecot_data_t)
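Review bot: this hunk carries no @@ header and no unchanged context lines, so a reviewer cannot see where in domains/program/dovecot.te the two added lines land or what other rules for dovecot_t surround them; please post the change as `diff -u` output against the policy tree so the `type dovecot_data_t, file_type, sysadmfile;` declaration and the `create_dir_file(dovecot_t, dovecot_data_t)` rule can be read in place.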

Index: file_contexts/program/dovecot.fc

+/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t;
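Review bot: the added entry ends with `;` after `dovecot_data_t`, which is not valid file_contexts syntax: entries are newline-delimited, one `regex [-type] context` per line with no terminator, so the semicolon becomes part of the context string and setfiles rejects it as an invalid context. Drop it: `/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t`.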


The problem is that after a 'make reload' when I try to relabel
the /var/spool/dovecot directory, I get the error message:

/etc/selinux/strict/contexts/files/file_contexts: line 999 has invalid
context system_u:object_r:dovecot_data_t;

Doing a 'make install' in the policy directory gives me this same error.
Is there something else I need to do to create this new type?
Thanks.

David


------------------------------

Message: 2
Date: Thu, 10 Feb 2005 12:31:15 -0500
From: Stephen Smalley 
Subject: Re: "invalid contex" question
To: "Fedora SELinux support list for users & developers."

Message-ID: <1108056675.22172.108.camel at moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain

On Thu, 2005-02-10 at 12:32, David Hampton wrote:
> Index: file_contexts/program/dovecot.fc
> 
> +/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t;

No semicolon terminators in file contexts files. They are just newline
delimited.

-- 
Stephen Smalley 
National Security Agency
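The fix from this exchange in checker form, as an added example that is neither David's patch nor any tooling from the policy tree: it parses a file_contexts fragment, flags the trailing semicolon that produced the "invalid context" error, and also answers David's other question by cross-checking each context's type against the `type` declarations of a .te fragment. Both fragments are constructed here on the pattern of his diff; the helper names, the `<<none>>` entry and the extra `/var/lib/dovecot` line (which deliberately names an undeclared type) are assumptions made for the example.

```python
import re

# One SELinux security context: user:role:type, optionally :level (MLS/MCS).
CONTEXT_RE = re.compile(r'^[\w.\-]+:[\w.\-]+:(?P<type>[\w.\-]+)(?::\S+)?$')

# Optional file-type field that may sit between the regex and the context.
FILE_TYPE_FLAGS = {'--', '-b', '-c', '-d', '-l', '-p', '-s'}

# "type name, attr, ...;" declarations in a .te file.
TYPE_DECL_RE = re.compile(r'^\s*type\s+(\w+)')

# Constructed .te fragment modelled on David's change; line 3 is his new type.
SAMPLE_TE = """\
type dovecot_t, domain, privlog;
type dovecot_exec_t, file_type, sysadmfile, exec_type;
type dovecot_data_t, file_type, sysadmfile;
type dovecot_var_run_t, file_type, sysadmfile, pidfile;
create_dir_file(dovecot_t, dovecot_data_t)
"""

# Constructed .fc fragment: line 3 carries the trailing ";" from the thread,
# line 5 names a type the .te fragment never declares.
SAMPLE_FC = """\
# dovecot
/usr/sbin/dovecot            --   system_u:object_r:dovecot_exec_t
/var/spool/dovecot(/.*)?          system_u:object_r:dovecot_data_t;
/var/run/dovecot(/.*)?            system_u:object_r:dovecot_var_run_t
/var/lib/dovecot(/.*)?            system_u:object_r:dovecot_lib_t
/etc/dovecot.conf            --   <<none>>
"""


def declared_types(te_text):
    """Collect the type names declared in a .te fragment."""
    types = set()
    for line in te_text.splitlines():
        m = TYPE_DECL_RE.match(line)
        if m:
            types.add(m.group(1))
    return types


def check_file_contexts(fc_text, known_types=None):
    """Return [(line_number, message)] for every malformed file_contexts entry.

    known_types, when given, is the set of types the policy declares; a
    context naming any other type is reported as undeclared.
    """
    problems = []
    for lineno, raw in enumerate(fc_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) == 2:
            context = fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPE_FLAGS:
            context = fields[2]
        else:
            problems.append((lineno, 'expected "regex [-type] context", got: %s' % line))
            continue
        if context == '<<none>>':
            continue
        if context.endswith(';'):
            problems.append((lineno, 'trailing ";" in context %s '
                             '(entries are newline-delimited)' % context))
            continue
        m = CONTEXT_RE.match(context)
        if not m:
            problems.append((lineno, 'invalid context %s' % context))
        elif known_types is not None and m.group('type') not in known_types:
            problems.append((lineno, 'undeclared type %s' % m.group('type')))
    return problems


if __name__ == '__main__':
    for lineno, msg in check_file_contexts(SAMPLE_FC, declared_types(SAMPLE_TE)):
        print('line %d: %s' % (lineno, msg))
```

Running it reports line 3 (the semicolon) and line 5 (the undeclared type); the real policy tree has many .te files, so in practice the declared-type set would be gathered over all of them before checking a .fc file.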



------------------------------

Message: 3
Date: Thu, 10 Feb 2005 12:54:42 -0500
From: David Hampton 
Subject: Re: "invalid contex" question
To: "Fedora SELinux support list for users & developers."

Message-ID: <1108058082.29383.25.camel at hampton-pc.rainbolthampton.net>
Content-Type: text/plain; charset="us-ascii"

On Thu, 2005-02-10 at 12:31 -0500, Stephen Smalley wrote:
> On Thu, 2005-02-10 at 12:32, David Hampton wrote:
> > Index: file_contexts/program/dovecot.fc
> > 
> > +/var/spool/dovecot(/.*)? system_u:object_r:dovecot_data_t;
> 
> No semicolon terminators in file contexts files. They are just newline
> delimited.

Thanks. (Boy do I feel silly.)

David


------------------------------

Message: 4
Date: Wed, 09 Feb 2005 18:13:33 -0600
From: Richard Jensen 
Subject: Permissions for new users
To: fedora-selinux-list at redhat.com
Message-ID: <420AA72D.2010108 at rhjensen.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi. I'm wondering about the permissions new users get
when they are created. Before SELinux I had to add users
to 'wheel' to enable them to su to root.

I did an adduser and it seems to be unrestricted:

[testse at lankhmar ~]$ id -Z
user_u:system_r:unconfined_t

and the user is able to su to root. Is this normal?
How would I keep the user from being able to su?

I added:
user testse roles { user_r };

to /etc/selinux/targeted/src/policy/users
and did: make load

This didn't seem to make any difference.

This is on FC3 (2.6.10-1.760_FC3)
selinux-policy-targeted-1.17.30-2.75

[root at lankhmar ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 18
Policy from config file:targeted

I'm not sure if this is clear, or enough information.
I tried searching the archives but didn't find anything.
[I may be searching incorrectly].

Thanks,
Richard.



------------------------------

Message: 5
Date: Thu, 10 Feb 2005 13:17:58 -0500
From: Colin Walters 
Subject: execmem and targeted policy
To: fedora-selinux-list at redhat.com
Message-ID: <1108059478.6288.7.camel at nexus.verbum.private>
Content-Type: text/plain

Hi,

I noticed that as of a recent rawhide update that Eclipse stopped
working:

audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process

Chatting with Dan, this is apparently because the execmem permission was
dropped from unconfined_domain recently. 

We can't do this in targeted policy because it would require us to know
about (and specially label) all such programs. We could potentially
label /usr/bin/eclipse as unconfined_execmem_t or whatever since we have
Eclipse packages in Fedora. However, I am almost positive the Sun JVM
requires this permission too, and if we go this route, then every person
who untars the Sun JVM and tries to run Java programs will run into this
problem.

This is against the philosophy of the targeted policy in that it affects
programs outside of the targeted daemon set. My worry is that for every
person (like me) who tracks down this problem and finds a workaround,
there will be 999 others who disable SELinux entirely. And that's bad,
because we need it to be enabled by default so we can use it to confine
the programs that really need it.

(Dan says that textrel_shlib_t has a similar issue)

One approach might be to have e.g. bin_t and bin_nonexecmem_t. We label
programs that we know work as bin_nonexecmem_t.




------------------------------

Message: 6
Date: Thu, 10 Feb 2005 13:20:28 -0500
From: Stephen Smalley 
Subject: Re: execmem and targeted policy
To: "Fedora SELinux support list for users & developers."

Message-ID: <1108059628.22172.162.camel at moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain

On Thu, 2005-02-10 at 13:17, Colin Walters wrote:
> I noticed that as of a recent rawhide update that Eclipse stopped
> working:
> 
> audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
> 
> Chatting with Dan, this is apparently because the execmem permission was
> dropped from unconfined_domain recently. 
> 
> We can't do this in targeted policy because it would require us to know
> about (and specially label) all such programs.

It is controlled by a boolean. So simply enable the allow_execmem and
allow_execmod booleans by default in the targeted policy (via the
booleans config file). Or if you absolutely must unconditionally allow
it in targeted policy, put the allow rules in the targeted unconfined.te
file so that you don't affect the strict policy. But note that the
reason for subjecting these permissions to booleans even in the targeted
policy was that we were asked to do so by Ulrich (see the earlier
discussion on rhselinux-list).

-- 
Stephen Smalley 
National Security Agency
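As an added example (not Colin's, Stephen's or the policy's own code): a parser for the AVC denial format shown in Colin's report that separates execmem/execmod denials raised against an unconfined_t subject, which Stephen's reply maps to the allow_execmem and allow_execmod booleans, from denials that are genuine confinement decisions and should be left alone. The first sample line is the one from the report; the other two lines, the helper names and the permission-to-boolean table are constructed for the example.

```python
import re

# Constructed sample: line 1 is the denial from Colin's report; lines 2 and 3
# are constructed variants (an execmod denial and an unrelated read denial).
SAMPLE_AUDIT = """\
audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
audit(1108057940.101:0): avc: denied { execmod } for pid=14102 comm=java path=/opt/java/lib/libjvm.so dev=hda2 ino=20451 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1108057941.555:0): avc: denied { read } for pid=14200 comm=httpd name=secret.txt dev=hda2 ino=777 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
"""

AVC_RE = re.compile(
    r'audit\((?P<stamp>[\d.]+):\d+\):\s+avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(\S+)')

# permission -> (target class, boolean named in Stephen's reply); constructed
# table covering only the two denials this thread is about.
EXEC_BOOLEANS = {
    'execmem': ('process', 'allow_execmem'),
    'execmod': ('file', 'allow_execmod'),
}


def parse_avc(line):
    """Parse one AVC audit line into a dict, or return None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    record = {
        'stamp': m.group('stamp'),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
    }
    # The key=value tail becomes ordinary dict entries (pid, comm, scontext, ...).
    record.update(FIELD_RE.findall(m.group('fields')))
    return record


def exec_boolean_for(record):
    """Name the targeted-policy boolean governing this denial, or None.

    Only execmem/execmod denials whose subject is unconfined_t are mapped;
    anything else is a real confinement decision and is not papered over.
    """
    if record['result'] != 'denied':
        return None
    if not record.get('scontext', '').endswith(':unconfined_t'):
        return None
    for perm in record['perms']:
        if perm in EXEC_BOOLEANS and record.get('tclass') == EXEC_BOOLEANS[perm][0]:
            return EXEC_BOOLEANS[perm][1]
    return None


def triage(audit_text):
    """Return (comm, permissions, boolean_or_None) for each AVC line in the text."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            out.append((rec.get('comm'), ' '.join(rec['perms']), exec_boolean_for(rec)))
    return out


if __name__ == '__main__':
    for comm, perms, boolean in triage(SAMPLE_AUDIT):
        print('%-8s %-8s %s' % (comm, perms, boolean or 'confinement decision, leave denied'))
```

On the sample the eclipse and java lines map to allow_execmem and allow_execmod respectively, while the httpd read denial maps to nothing; that last case is the kind of denial the booleans exist to keep separate from the blanket "disable SELinux" reaction Colin worries about.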



------------------------------

Message: 7
Date: Thu, 10 Feb 2005 17:00:35 -0600
From: steve 
Subject: Re: NAZI DATA
To: "Fedora SELinux support list for users & developers."

Message-ID: <200502101700.35460.w5set at alltel.net>
Content-Type: text/plain; charset="utf-8"

Sure--that info is readily available. Just march into the CIA Headquarters and 
demand the info you need and cite the Freedom of Information ACT. But they 
will stall you forever, and try to read you another ACT, but I have heard 
that most of the collaboration is being done on the CLONEHitler project. Or 
was that the CLOWN HITLER project?
OHHHH--my mind is so fuzzy these days--YOU should recognize that symptom right 
off. But thanks to modern medicine I am so much better these days--maybe you 
should try some.
On a more realistic note, have you heard from ET lately? He hasn't called me 
in months now.
And the csm at the end of your name---do you work for Wal Mart? CSM there 
stands for Customer Service Manager.
Almost Sincerely, Steve



On Thursday February 10 2005 09:48, kent mcclanahan wrote:
> Gentlemen, could you please inform me how to obtain data on Nazi involvement
> with the National Security Agency and The Central Intelligence Agency
> including names of the projects?
>
> Most Sincerely, Kent McClanahan csm




------------------------------

Message: 8
Date: Thu, 10 Feb 2005 17:25:35 -0600
From: steve 
Subject: problems
To: "Fedora SELinux support list for users & developers."

Message-ID: <200502101725.35518.w5set at alltel.net>
Content-Type: text/plain; charset="us-ascii"

And y'all think that having problems with such a mundane subject as Fedora 
Core SELinux is a biggie; Kent obviously has much bigger (problem) fish to 
fry.
About time I had a good laugh reading this email forum, but back to reality 
and getting my server to run without any help from the Internet "assistants" 
that stop often to help me by inputting code or something that tries to 
overfill the buffers or evade detection by my router/firewalls. Ho-Hum.
-- 
.................steve w5set



------------------------------

Message: 9
Date: Fri, 11 Feb 2005 15:28:57 +0800
From: "Stephen Valenti" 
Subject: Newbie to fedora/linux
To: 
Message-ID: <001401c5100b$595c6800$0600000a at stephen>
Content-Type: text/plain; charset="iso-8859-1"

Hi,
I was wondering if anybody could help. I'm a real newbie at
Linux and don't know much about it. I installed Fedora Core 3 with
Windows XP SP2 and am currently trying to get my SpeedTouch
ADSL 530 modem to work, but every time I try to create a folder to install
to, it tells me "I can't create the folder, I don't own the computer"
or something like that. I tried to find administration tools within Fedora
but couldn't. What am I doing wrong, or do I need to re-install Fedora?

Steve

------------------------------

Message: 10
Date: Fri, 11 Feb 2005 12:20:51 +0100
From: dragoran 
Subject: Re: execmem and targeted policy
To: "Fedora SELinux support list for users & developers."

Message-ID: <420C9513.20206 at feuerpokemon.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Colin Walters wrote:

>Hi,
>
>I noticed that as of a recent rawhide update that Eclipse stopped
>working:
>
>audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
>
>Chatting with Dan, this is apparently because the execmem permission was
>dropped from unconfined_domain recently. 
>
>We can't do this in targeted policy because it would require us to know
>about (and specially label) all such programs. We could potentially
>label /usr/bin/eclipse as unconfined_execmem_t or whatever since we have
>Eclipse packages in Fedora. However, I am almost positive the Sun JVM
>requires this permission too, and if we go this route, then every person
>who untars the Sun JVM and tries to run Java programs will run into this
>problem.
>
>This is against the philosophy of the targeted policy in that it affects
>programs outside of the targeted daemon set. My worry is that for every
>person (like me) who tracks down this problem and finds a workaround,
>there will be 999 others who disable SELinux entirely. And that's bad,
>because we need it to be enabled by default so we can use it to confine
>the programs that really need it.
>
>(Dan says that textrel_shlib_t has a similar issue)
>
>One approach might be to have e.g. bin_t and bin_nonexecmem_t. We label
>programs that we know work as bin_nonexecmem_t.
>
mysqld has the same issues even in fc3 when running 2.6.11-rc3
http://www.redhat.com/archives/fedora-selinux-list/2005-February/msg00056.html



------------------------------

Message: 11
Date: Fri, 11 Feb 2005 07:51:58 -0500
From: "ne..." 
Subject: Re: Newbie to fedora/linux
To: "Fedora SELinux support list for users & developers."

Message-ID: 
Content-Type: text/plain; charset=US-ASCII

On Fri, 11 Feb 2005 15:28:57 +0800, Stephen Valenti
wrote:
> 
> Hi, 
> I was wondering if anybody could help.
Yep.

> what am I doing wrong or do i need to re-install fedora 
Posting to the wrong group. You need to join fedora-list and
post your problems there.

N.Emile...
-- 
Registered Linux User # 125653 (http://counter.li.org)
Certified: 75% bastard, 42% of which is tard. 
http://www.thespark.com/bastardtest
Now accepting personal mail for GMail invites.



------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list

End of fedora-selinux-list Digest, Vol 12, Issue 11
***************************************************



