From: james.zheng.li at gmail.com (James Z. Li)
Date: Tue, 31 May 2005 21:11:59 -0400
Subject: how does rpm work under Selinux
References: <8a239a56050531115036c044dc@mail.gmail.com> <1117566690.28924.263.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <8a239a560505311811269dc05@mail.gmail.com>

On 5/31/05, Mike Hearn wrote:
> On Tue, 31 May 2005 15:11:30 -0400, Stephen Smalley wrote:
> > rpm has been modified to set the security context on newly installed
> > files in accordance with the policy (based on the file_contexts
> > configuration).
>
> I thought RPMs could contain their own file contexts for each contained
> file, rather than relying on external regular expressions. Is this not the
> case? Was it ever the case? :)

I am also interested in this. Is it possible to have some kind of checklist
of file_context for each rpm package so that rpm will label each contained
file according to the checklist?

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From: nutello at sweetness.com (Rudi Chiarito)
Date: Wed, 1 Jun 2005 04:01:18 +0200
Subject: how does rpm work under Selinux
References: <8a239a56050531115036c044dc@mail.gmail.com> <1117566690.28924.263.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20050601020118.GA22597@plain.rackshack.net>

On Wed, Jun 01, 2005 at 12:53:46AM +0100, Mike Hearn wrote:
> I thought RPMs could contain their own file contexts for each contained
> file, rather than relying on external regular expressions. Is this not the
> case? Was it ever the case? :)

No matter how tempting, that also sounds like a perfect way for a rogue
package to subvert the whole SELinux scheme, overriding the preinstalled
policy, right?

-- 
Rudi
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Tue, 31 May 2005 22:20:46 -0400
Subject: how does rpm work under Selinux
In-Reply-To: <20050601020118.GA22597@plain.rackshack.net>
References: <8a239a56050531115036c044dc@mail.gmail.com> <1117566690.28924.263.camel@moss-spartans.epoch.ncsc.mil> <20050601020118.GA22597@plain.rackshack.net>
Message-ID: <1117592446.30866.13.camel@localhost.localdomain>

On Wed, 2005-06-01 at 04:01 +0200, Rudi Chiarito wrote:
>
> No matter how tempting, that also sounds like a perfect way for a
> rogue
> package to subvert the whole SELinux scheme, overriding the
> preinstalled policy, right?

Actually, I think all a rogue package has to do to subvert the SELinux
scheme is to install itself where the regexps expect, and it will get
labeled as a privileged process.

It's certainly possible to restrict rpm on a SELinux system. I believe
the current policy prevents it from writing to /etc/shadow, unless a
tunable is on.

On the other hand I am suspicious whether this protection works at all -
it probably allows the rpm to install an executable over an auth_write
binary, at which point it can just install a hostile executable there,
and the battle is lost.

I could be wrong though - I hadn't looked at the rpm policy until now...

-- 
Ivan Gyurdiev
Cornell University
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Tue, 31 May 2005 22:38:12 -0400
Subject: how does rpm work under Selinux
In-Reply-To: <1117592446.30866.13.camel@localhost.localdomain>
References: <8a239a56050531115036c044dc@mail.gmail.com> <1117566690.28924.263.camel@moss-spartans.epoch.ncsc.mil> <20050601020118.GA22597@plain.rackshack.net> <1117592446.30866.13.camel@localhost.localdomain>
Message-ID: <1117593492.30866.20.camel@localhost.localdomain>

On Tue, 2005-05-31 at 22:20 -0400, Ivan Gyurdiev wrote:
> On Wed, 2005-06-01 at 04:01 +0200, Rudi Chiarito wrote:
> >
> > No matter how tempting, that also sounds like a perfect way for a
> > rogue
> > package to subvert the whole SELinux scheme, overriding the
> > preinstalled policy, right?
>
> Actually, I think all a rogue package has to do to subvert the SELinux
> scheme is to install itself where the regexps expect, and it will get
> labeled as a privileged process.
>
> It's certainly possible to restrict rpm on a SELinux system. I believe
> the current policy prevents it from writing to /etc/shadow, unless a
> tunable is on.
>
> On the other hand I am suspicious whether this protection works at all -
> it probably allows the rpm to install an executable over an auth_write
> binary, at which point it can just install a hostile executable there,
> and the battle is lost.
>
> I could be wrong though - I hadn't looked at the rpm policy until now...

...but that's why we import gpg keys and do rpm verification, right?

-- 
Ivan Gyurdiev
Cornell University
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 01 Jun 2005 07:31:10 -0400
Subject: how does rpm work under Selinux
References: <8a239a56050531115036c044dc@mail.gmail.com> <1117566690.28924.263.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1117625470.32745.21.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-06-01 at 00:53 +0100, Mike Hearn wrote:
> On Tue, 31 May 2005 15:11:30 -0400, Stephen Smalley wrote:
> > rpm has been modified to set the security context on newly installed
> > files in accordance with the policy (based on the file_contexts
> > configuration).
>
> I thought RPMs could contain their own file contexts for each contained
> file, rather than relying on external regular expressions. Is this not the
> case? Was it ever the case? :)

That was the original approach during FC2 development, but was later
dropped. With multiple policies (strict, targeted, mls, ...), including
potential customization by end users, it became problematic.

-- 
Stephen Smalley
National Security Agency
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 01 Jun 2005 07:33:01 -0400
Subject: how does rpm work under Selinux
In-Reply-To: <20050601020118.GA22597@plain.rackshack.net>
References: <8a239a56050531115036c044dc@mail.gmail.com> <1117566690.28924.263.camel@moss-spartans.epoch.ncsc.mil> <20050601020118.GA22597@plain.rackshack.net>
Message-ID: <1117625581.32745.24.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-06-01 at 04:01 +0200, Rudi Chiarito wrote:
> No matter how tempting, that also sounds like a perfect way for a rogue
> package to subvert the whole SELinux scheme, overriding the
> preinstalled policy, right?

rpm is trusted at present in Fedora. There have been discussions of
limiting it, e.g. having it transition to different domains and using
different file contexts depending on some measure of the
"trustworthiness" of the package, but no progress there yet. You just
have the traditional signature verification support at present.

-- 
Stephen Smalley
National Security Agency
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 01 Jun 2005 07:33:30 -0400
Subject: how does rpm work under Selinux
In-Reply-To: <1117592446.30866.13.camel@localhost.localdomain>
References: <8a239a56050531115036c044dc@mail.gmail.com> <1117566690.28924.263.camel@moss-spartans.epoch.ncsc.mil> <20050601020118.GA22597@plain.rackshack.net> <1117592446.30866.13.camel@localhost.localdomain>
Message-ID: <1117625610.32745.26.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-05-31 at 22:20 -0400, Ivan Gyurdiev wrote:
> Actually, I think all a rogue package has to do to subvert the SELinux
> scheme is to install itself where the regexps expect, and it will get
> labeled as a privileged process.
>
> It's certainly possible to restrict rpm on a SELinux system. I believe
> the current policy prevents it from writing to /etc/shadow, unless a
> tunable is on.
>
> On the other hand I am suspicious whether this protection works at all -
> it probably allows the rpm to install an executable over an auth_write
> binary, at which point it can just install a hostile executable there,
> and the battle is lost.
>
> I could be wrong though - I hadn't looked at the rpm policy until now...

Yes, rpm is effectively unrestricted at present.

-- 
Stephen Smalley
National Security Agency
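Stephen's description above (rpm takes the context of each installed file from the policy's file_contexts, not from anything carried inside the package) and Ivan's observation (a package only needs to drop a binary at a path the regexes expect to receive the privileged label) can be shown with a small emulator. What follows is an added example, not code from rpm or libselinux: the file_contexts excerpt is constructed for illustration, and the matcher implements the file_contexts rules as documented, each regex anchored to the whole path, an optional file-type flag, `<<none>>` meaning "do not label", and the last matching entry winning. For real queries use matchpathcon(8) against the installed policy.

```python
import re

# Constructed file_contexts excerpt in the format of
# /etc/selinux/<policy>/contexts/files/file_contexts: regex, optional
# file-type flag, context. Entries are illustrative, not copied from any
# Fedora policy release.
FILE_CONTEXTS = r"""
/.*                               system_u:object_r:default_t
/usr(/.*)?                        system_u:object_r:usr_t
/usr/sbin(/.*)?                   system_u:object_r:sbin_t
/usr/sbin/sshd                --  system_u:object_r:sshd_exec_t
/etc(/.*)?                        system_u:object_r:etc_t
/etc/shadow.*                 --  system_u:object_r:shadow_t
/usr/lib(64)?/.*\.so(\.[^/]*)*  --  system_u:object_r:shlib_t
/tmp(/.*)?                        <<none>>
"""

# File-type flags used in file_contexts (-- regular file, -d directory, ...).
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
              "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}


def parse_file_contexts(text):
    """Return (compiled regex, file type or None, context) tuples in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, context = fields
            ftype = TYPE_FLAGS[flag]       # entry applies to this file type only
        elif len(fields) == 2:
            regex, context = fields
            ftype = None                   # entry applies to any file type
        else:
            raise ValueError("bad file_contexts line: %r" % raw)
        # Each regex must match the whole path, so anchor it at both ends.
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


def matchpathcon(specs, path, ftype="file"):
    """Context a file at `path` would receive; None means no label / do not relabel.
    When several entries match, the last one in the file wins."""
    for regex, want_type, context in reversed(specs):
        if want_type is not None and want_type != ftype:
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    return None


def label_payload(specs, payload):
    """Label every (path, ftype) a package would install, the way rpm does:
    the label comes from the policy's file_contexts, never from the package."""
    return {path: matchpathcon(specs, path, ftype) for path, ftype in payload}


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    # Constructed payload of a hypothetical rogue package: it ships its own
    # /usr/sbin/sshd and gets sshd_exec_t purely because of the path.
    rogue = [("/usr/sbin/sshd", "file"), ("/usr/sbin/helper", "file"),
             ("/etc/shadow", "file"), ("/usr/lib/libevil.so.1", "file")]
    for path, ctx in label_payload(specs, rogue).items():
        print("%-28s %s" % (path, ctx))
```

Running it labels the rogue package's /usr/sbin/sshd as sshd_exec_t and its /etc/shadow as shadow_t. Nothing in the matcher knows or cares which package a file came from, which is why, as Stephen says, the package signature check is the only thing standing between a tampered package and those labels.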
From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski)
Date: Wed, 01 Jun 2005 14:42:26 +0200
Subject: HELP: transition denied regardless of policy?
In-Reply-To: <1117548705.28924.109.camel@moss-spartans.epoch.ncsc.mil>
References: <429528E8.2070301@altkom.pl> <1117110154.2644.23.camel@moss-spartans.epoch.ncsc.mil> <42977789.7060107@altkom.pl> <1117548705.28924.109.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <429DAD32.1090300@altkom.pl>

Stephen Smalley wrote:

>I doubt it. FC3 only gets bug fixes, not enhancements. You'll have to
>pull from FC4/development if you want those changes.
>
>Also, in general, if using strict policy, you are advised to track the
>development tree, as Red Hat hasn't been issuing updates to strict
>policy in FC3 at all.
>
Strange, the patch is against FC-3 files:

/cvs/dist/rpms/checkpolicy/FC-3/checkpolicy-typeattribute.patch
/cvs/dist/rpms/checkpolicy/FC-3/checkpolicy.spec

I thought it would go into a future package update...

-- 
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.ab.altkom.pl
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 01 Jun 2005 08:35:46 -0400
Subject: HELP: transition denied regardless of policy?
In-Reply-To: <429DAD32.1090300@altkom.pl>
References: <429528E8.2070301@altkom.pl> <1117110154.2644.23.camel@moss-spartans.epoch.ncsc.mil> <42977789.7060107@altkom.pl> <1117548705.28924.109.camel@moss-spartans.epoch.ncsc.mil> <429DAD32.1090300@altkom.pl>
Message-ID: <1117629346.32745.33.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-06-01 at 14:42 +0200, Aleksander Adamowski wrote:
> Strange, the patch is against FC-3 files:
>
> /cvs/dist/rpms/checkpolicy/FC-3/checkpolicy-typeattribute.patch
> /cvs/dist/rpms/checkpolicy/FC-3/checkpolicy.spec
>
> I thought it would go into a future package update...

I could be wrong - Dan will know. My impression was that FC3 would only
get bug fixes at this point, so I wouldn't have expected any changes to
its checkpolicy program (unless they are required by an updated targeted
policy for FC3).

-- 
Stephen Smalley
National Security Agency
From: mike at navi.cx (Mike Hearn)
Date: Wed, 01 Jun 2005 23:29:59 +0100
Subject: how does rpm work under Selinux
References: <8a239a56050531115036c044dc@mail.gmail.com> <1117566690.28924.263.camel@moss-spartans.epoch.ncsc.mil> <1117625470.32745.21.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 01 Jun 2005 07:31:10 -0400, Stephen Smalley wrote:
> That was the original approach during FC2 development, but was later
> dropped. With multiple policies (strict, targeted, mls, ...), including
> potential customization by end users, it became problematic.

Oh, OK. When binary policy modules appear maybe it would be useful to do
it again so third party RPMs can be a part of the SELinux world.

At the moment the focus seems to be on totally centralised policy for
everything the user might want to run (or be secured) ... I can't see this
scaling as SELinux enters the mainstream.

thanks -mike
From: bob at mail.cert.ucr.edu (Robert Bottomley)
Date: Wed, 01 Jun 2005 19:35:53 -0700
Subject: Unable to create files when using "context" option for NFS
Message-ID: <429E7089.6020709@cert.ucr.edu>

In FC3 (running kernel 2.6.11-1.27_FC3smp and
selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem
for use by Apache. In /etc/fstab, I have:

ozone:/usr/local/svn /svn nfs rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192 0 0

Any attempts to create a file in /svn are met with (here I was
attempting a "touch x"):

audit(1117233333.027:0): avc: denied { associate } for pid=12795 exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem

It does not matter what context I specify, I cannot create a file --
even though my shell is running as unconfined_t. (If a file already
exists, I can edit it.)

So the questions are:

1. Is this a bug? Should I not be able to create a file when running in
the unconfined_t context?

2. Audit2allow tells me that I need to add:

allow httpd_sys_script_rw_t self:filesystem associate;

but if unconfined_t context cannot write, then will something in
httpd_sys_script_rw_t be able to?

sestatus
========
SELinux status:          enabled
SELinuxfs mount:         /selinux
Current mode:            enforcing
Mode from config file:   enforcing
Policy version:          18
Policy from config file: targeted

Policy booleans:
allow_ypbind                   active
dhcpd_disable_trans            inactive
httpd_disable_trans            inactive
httpd_enable_cgi               active
httpd_enable_homedirs          active
httpd_ssi_exec                 active
httpd_tty_comm                 inactive
httpd_unified                  inactive
mysqld_disable_trans           inactive
named_disable_trans            inactive
named_write_master_zones       inactive
nscd_disable_trans             inactive
ntpd_disable_trans             inactive
portmap_disable_trans          inactive
postgresql_disable_trans       inactive
snmpd_disable_trans            inactive
squid_disable_trans            inactive
syslogd_disable_trans          inactive
use_nfs_home_dirs              inactive
use_samba_home_dirs            inactive
use_syslogng                   inactive
winbind_disable_trans          inactive
ypbind_disable_trans           inactive

-- 
Robert Bottomley           | E-mail: bob at cert.ucr.edu
System Administrator       | Tel: 951-781-5788
College of Engineering     |              It is dangerous to be right
Center for Environmental   | CE-CERT      when the government is wrong.
Research and Technology    | UC Riverside                    --Voltaire

From: florin at andrei.myip.org (Florin Andrei)
Date: Wed, 01 Jun 2005 20:25:45 -0700
Subject: web-controlled system
Message-ID: <1117682745.5887.20.camel@rivendell.home.local>

Any guidelines for changing the SELinux config for a system that's
controlled over a web interface running in Apache? The interface is
supposed to do things like: stop/start services, change network
settings, etc.

-- 
Florin Andrei

http://florin.myip.org/
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 02 Jun 2005 01:29:00 -0400
Subject: how does rpm work under Selinux
In-Reply-To: Your message of "Wed, 01 Jun 2005 23:29:59 BST."
References: <8a239a56050531115036c044dc@mail.gmail.com> <1117566690.28924.263.camel@moss-spartans.epoch.ncsc.mil> <1117625470.32745.21.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200506020529.j525T1rl013072@turing-police.cc.vt.edu>

On Wed, 01 Jun 2005 23:29:59 BST, Mike Hearn said:

> At the moment the focus seems to be on totally centralised policy for
> everything the user might want to run (or be secured) ... I can't see this
> scaling as SELinux enters the mainstream.

Well, technically, if it isn't centralized, you don't have a prayer of any
*real* enforcement. There are days when I think that Casey is right, and even
the *current* strict scheme isn't centralized and top-down design enough.

The average user can't write policy, and can't evaluate policy - and neither
can the average developer. Quite frankly, most of the time I'm ecstatic if I
can get a user or developer to state a coherent and realistic threat model.
As a result, it will be a *long* time before we can realistically support any
model other than telling developers to ask for help on the mailing list.
Hopefully with the binary-policy stuff, at least the "how to deploy the
pieces" part will become easier.

There are additional good security reasons for the current model - the
centralized policy is driven out of a centralized development tree, and the
current open review structure both ensures double-checks and honesty among
all concerned. It's hopefully pretty hard to sneak a backdoor (intentional or
accidental) in when Dan Walsh, Russell Coker, and Stephen Smalley are all
cross-checking each other - and everybody and their pet llama are sniping
from the sidelines on this list :)

On the other hand, there's no particular reason for anybody to trust a policy
shipped with MobyFrobozz 0.9.4 if it hasn't been vetted by somebody.

(Aside to the RedHat/Fedora developers - I *like* the description Chris
PeBenito gave of how Gentoo is packaging it - he gave the example of 'ntp'
having a pre-req of 'selinux-ntp'. Having the "owners" of the two packages
be different people would address most of the issues this sort of thing
causes....)

And quite frankly, we're not 100% of the way to understanding how to even do
a totally centralized policy - trying to expand out to other stuff might be
foolhardy.

From: roger at gwch.net (Roger Grosswiler)
Date: Thu, 2 Jun 2005 08:24:57 +0200 (CEST)
Subject: Setting Squid free in the shell
Message-ID: <48403.62.2.21.164.1117693497.squirrel@www.gwch.net>

Hi,

I need a quick help, trying to get squid running, but I get the read avc
denied. If I want to set squid free in SELinux, I have to set these,
don't I?

setsebool -P squid_disable_trans active

and then I have to

fixfiles relabel

??

Thanks for your help.

Roger
From: mike at navi.cx (Mike Hearn)
Date: Thu, 02 Jun 2005 07:40:28 +0100
Subject: how does rpm work under Selinux
References: <8a239a56050531115036c044dc@mail.gmail.com> <1117566690.28924.263.camel@moss-spartans.epoch.ncsc.mil> <1117625470.32745.21.camel@moss-spartans.epoch.ncsc.mil> <200506020529.j525T1rl013072@turing-police.cc.vt.edu>

On Thu, 02 Jun 2005 01:29:00 -0400, Valdis.Kletnieks wrote:
> Well, technically, if it isn't centralized, you don't have a prayer of any
> *real* enforcement. There's days when I think that Casey is right, and even
> the *current* strict scheme isn't centralized and top-down design enough.

I see your point, and I see the points about centralised analysis. That
said, you seem to be saying you prefer an all or nothing situation. Maybe
I'm wrong but I think a partly locked down program is still better than one
running in unconfined_t right? Even if the policy was written by a
non-expert.

At some point if policy isn't actually pushed upstream you'll hit the limits
on the size of the policy you guys can maintain without constant tweaks to
fix updates sucking up more time than adding new policy. Or worse, the policy
will bit rot over time as apps start requiring new privileges in edge cases
that aren't tested and so SELinux will cause more and more "bugs", and people
will start switching it off.

thanks -mike
From: dadams at rentawheel.net (Darrel Adams)
Date: Thu, 2 Jun 2005 17:08:47 -0500
Subject: booting fedora 3
Message-ID: <200506022209.j52M8rvs016661@mail805.megamailservers.com>

I downloaded the 4 FC3 ISO files on my windows xp machine and burned them
to cd's using Sonic Record Now but when I put disk 1 in my other machine
and set it to boot from cd, I get the message "No boot device available-".
I can start the machine with a Win98 disk in it and it starts the install
of Win98 ok so I don't see it as a hardware setting issue. I'm a rookie
with Fedora so be easy on me.

Thanks,

Darrel
From: russell at coker.com.au (Russell Coker)
Date: Fri, 3 Jun 2005 16:29:31 +1000
Subject: web-controlled system
In-Reply-To: <1117682745.5887.20.camel@rivendell.home.local>
References: <1117682745.5887.20.camel@rivendell.home.local>
Message-ID: <200506031629.34653.russell@coker.com.au>

On Thursday 02 June 2005 13:25, Florin Andrei wrote:
> Any guidelines for changing the SELinux config for a system that's
> controlled over a web interface running in Apache? The interface is
> supposed to do things like: stop/start services, change network
> settings, etc.

Probably the easiest solution will be to have Apache or the CGI-BIN script
in question running unconfined.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
From: florin at andrei.myip.org (Florin Andrei)
Date: Fri, 03 Jun 2005 00:27:22 -0700
Subject: web-controlled system
In-Reply-To: <200506031629.34653.russell@coker.com.au>
References: <1117682745.5887.20.camel@rivendell.home.local> <200506031629.34653.russell@coker.com.au>
Message-ID: <1117783642.6134.13.camel@rivendell.home.local>

On Fri, 2005-06-03 at 16:29 +1000, Russell Coker wrote:
> On Thursday 02 June 2005 13:25, Florin Andrei wrote:
> > Any guidelines for changing the SELinux config for a system that's
> > controlled over a web interface running in Apache? The interface is
> > supposed to do things like: stop/start services, change network
> > settings, etc.
>
> Probably the easiest solution will be to have Apache or the CGI-BIN script in
> question running unconfined.

True, but I'd like to avoid that.

Is there any tutorial that describes how to use the selinux avc: denied
messages to "loosen up" the policy?

I'd imagine that by exercising the daemon in all ways possible, and
keeping an eye on syslog at the same time, I should be able to figure
out what needs to be permitted in the policy, right? Should be fairly
straightforward once the details are comprehended.

Any guidelines/howto/cookbook on the subject?

-- 
Florin Andrei

http://florin.myip.org/
From: russell at coker.com.au (Russell Coker)
Date: Fri, 3 Jun 2005 17:46:43 +1000
Subject: web-controlled system
In-Reply-To: <1117783642.6134.13.camel@rivendell.home.local>
References: <1117682745.5887.20.camel@rivendell.home.local> <200506031629.34653.russell@coker.com.au> <1117783642.6134.13.camel@rivendell.home.local>
Message-ID: <200506031746.47074.russell@coker.com.au>

On Friday 03 June 2005 17:27, Florin Andrei wrote:
> On Fri, 2005-06-03 at 16:29 +1000, Russell Coker wrote:
> > On Thursday 02 June 2005 13:25, Florin Andrei wrote:
> > > Any guidelines for changing the SELinux config for a system that's
> > > controlled over a web interface running in Apache? The interface is
> > > supposed to do things like: stop/start services, change network
> > > settings, etc.
> >
> > Probably the easiest solution will be to have Apache or the CGI-BIN
> > script in question running unconfined.
>
> True, but I'd like to avoid that.

Why? If Apache can change system configuration files and restart daemons
then what's the point of trying to restrict it? Using Apache to configure
the system to boot without SE Linux enabled should be easy enough.

> Is there any tutorial that describes how to use the selinux avc: denied
> messages to "loosen up" the policy?

No. The problem you face is how to change the labels on some file so that
Apache can write to them but not grant Apache write to too many things. If
your requirement is "control everything over the web" then this may not be
a solvable problem.

> I'd imagine that by exercising the daemon in all ways possible, and
> keeping an eye on syslog at the same time, I should be able to figure
> out what needs to be permitted in the policy, right?

Correct.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
From: florin at andrei.myip.org (Florin Andrei)
Date: Fri, 03 Jun 2005 10:16:30 -0700
Subject: web-controlled system
In-Reply-To: <200506031746.47074.russell@coker.com.au>
References: <1117682745.5887.20.camel@rivendell.home.local> <200506031629.34653.russell@coker.com.au> <1117783642.6134.13.camel@rivendell.home.local> <200506031746.47074.russell@coker.com.au>
Message-ID: <1117818990.30576.10.camel@stantz.corp.sgi.com>

On Fri, 2005-06-03 at 17:46 +1000, Russell Coker wrote:
> On Friday 03 June 2005 17:27, Florin Andrei wrote:
> > On Fri, 2005-06-03 at 16:29 +1000, Russell Coker wrote:
> > > Probably the easiest solution will be to have Apache or the CGI-BIN
> > > script in question running unconfined.
> >
> > True, but I'd like to avoid that.
>
> If Apache can change system configuration files and restart daemons then
> what's the point of trying to restrict it? Using Apache to configure the
> system to boot without SE Linux enabled should be easy enough.

It's not supposed to change everything. The system will be a "black box"
to the users who have access to it solely through the Web interface, but
that interface is not all-powerful. Some daemons can be tweaked, some
system parameters can be changed, but the interface will not and should
not have discretionary powers.

I'd like to retain some of the protection offered by SELinux.

> The problem you face is how to change the labels on some file so that
> Apache can write to them but not grant Apache write to too many things. If
> your requirement is "control everything over the web" then this may not be a
> solvable problem.

Ok, I see. My mistake - the interface doesn't control everything.

I'm thinking about this: how about I leave the policy alone, create a
small daemon (in Perl, whatever) that's listening on a Unix socket, then
the Web interface is just passing the commands to the daemon. The daemon
compares them to a list of "known good commands", maybe makes some other
verifications, then goes ahead and executes the commands.

This way I retain the original tight policy, plus I get a supplemental
level of intelligence in validating what gets sent to the system via the
interface.

I dunno, this might be a method that would be interesting for more people
using selinux that want to keep selinux but still be able to have a deeper
control over the system.

> > I'd imagine that by exercising the daemon in all ways possible, and
> > keeping an eye on syslog at the same time, I should be able to figure
> > out what needs to be permitted in the policy, right?
>
> Correct.

I wish there was a concrete example somewhere on how to do that.
It's not like SELinux doesn't have any docs at all but... So many things
to do, so little time...

-- 
Florin Andrei

http://florin.myip.org/

From: malejandra.castillo at gmail.com (Ma. Alejandra Castillo M.)
Date: Mon, 6 Jun 2005 18:44:11 -0400
Subject: question policy
Message-ID: <065c01c56ae9$430b85c0$800410ac@rocl.csavgroup.com>

Sirs,

I need a little help. I want to create a policy (targeted) for Samba or
ssh. At the moment I am working on my thesis and I have already documented
a lot about SELinux in Spanish. But now it is time to create the policy
and I only have two months for this. Can you give me an idea of how to do
this in a short time? The idea is to create a well-done final product.

Regards
-- 
Ma. Alejandra Castillo
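Florin's proposal in the message above (leave the policy alone, have the web interface hand commands to a small daemon on a Unix socket, and let the daemon check them against a list of known-good commands before executing anything) is a privilege-separation design, and its value depends entirely on how strict that check is. The following is an added example of such a broker, not code from the thread or from any project; the service names, the eth[0-9] interface pattern and the /sbin/service and /sbin/ifconfig paths are assumptions for the illustration. It maps each permitted verb to a fixed argv with a validator per argument, never passes the request through a shell, and checks the peer uid on the socket so that only the web server's account can talk to it. `unsafe_command_line` is kept alongside, returning the string instead of running it, to show what a request such as `httpd; rm -rf /` becomes once it is interpolated into a shell command.

```python
import re
import socket
import struct
import subprocess

# Allowlist of what the web interface may ask for. Each verb maps to the exact
# argv the broker will run plus one validator per parameter. Service names,
# interface pattern and tool paths are constructed for this example.
SERVICES = {"httpd", "named", "ntpd"}
IFACE = re.compile(r"^eth[0-9]$")
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

ALLOWED = {
    "restart": (["/sbin/service", "{0}", "restart"], [SERVICES.__contains__]),
    "stop":    (["/sbin/service", "{0}", "stop"],    [SERVICES.__contains__]),
    "setip":   (["/sbin/ifconfig", "{0}", "{1}"],    [IFACE.match, IPV4.match]),
}


class Rejected(Exception):
    pass


def build_argv(request):
    """Turn 'verb arg ...' into a fixed argv list, or raise Rejected.
    Arguments are only ever substituted into their own argv slot; there is no
    shell, so metacharacters in a request cannot become extra commands."""
    words = request.strip().split()
    if not words or words[0] not in ALLOWED:
        raise Rejected("unknown command")
    template, validators = ALLOWED[words[0]]
    args = words[1:]
    if len(args) != len(validators):
        raise Rejected("wrong number of arguments")
    for arg, ok in zip(args, validators):
        if not ok(arg):
            raise Rejected("bad argument: %r" % arg)
    return [piece.format(*args) for piece in template]


def unsafe_command_line(request):
    """What NOT to do: paste the request into a shell command string.
    Returned rather than executed so the injection is visible."""
    return "/sbin/service %s restart" % request


def handle(request, run=subprocess.run):
    """Validate, then execute with an argv list. Returns (exit status, output)."""
    try:
        argv = build_argv(request)
    except Rejected as err:
        return 1, "rejected: %s" % err
    result = run(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return result.returncode, result.stdout.decode(errors="replace")


def serve(path, allowed_uid, run=subprocess.run):
    """Listen on a Unix socket; accept requests only from the web server's uid
    (SO_PEERCRED is Linux-specific). One request per connection."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(5)
    while True:
        conn, _ = srv.accept()
        with conn:
            pid, uid, gid = struct.unpack("3i", conn.getsockopt(
                socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i")))
            if uid != allowed_uid:
                conn.sendall(b"1 rejected: wrong peer uid\n")
                continue
            status, out = handle(conn.recv(4096).decode(errors="replace"), run)
            conn.sendall(("%d %s\n" % (status, out)).encode())
```

Under SELinux this leaves Apache in httpd_t needing nothing beyond connect access to the socket; the broker is the one process that needs a more powerful domain, and what it can do is bounded by the ALLOWED table rather than by whatever the CGI script asks for. The socket file's permissions and label still matter, since anything that can connect and pass the uid check can drive the broker.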
From: kwade at redhat.com (Karsten Wade)
Date: Mon, 06 Jun 2005 23:00:38 -0700
Subject: booting fedora 3
In-Reply-To: <200506022209.j52M8rvs016661@mail805.megamailservers.com>
References: <200506022209.j52M8rvs016661@mail805.megamailservers.com>
Message-ID: <1118124038.12368.211.camel@erato.phig.org>

On Thu, 2005-06-02 at 17:08 -0500, Darrel Adams wrote:
> I downloaded the 4 FC3 ISO files on my windows xp machine and burned
> them to cd's using Sonic Record Now but when I put disk 1 in my other
> machine and set it to boot from cd, I get the message "No boot device
> available-". I can start the machine with a Win98 disk in it and it
> starts the install of Win98 ok so I don't see it as a hardware setting
> issue. I'm a rookie with Fedora so be easy on me.

I'll be as easy as I can be. :)

Your email found its way to a mailing list focused on Security-Enhanced
Linux in Fedora Core. You want to try one or more of the following:

* fedora-list at redhat.com
* http://www.fedoraforum.org
* http://www.fedorafaq.org

Just using Google may also help.

Good luck.

-- 
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Red Hat SELinux Guide
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
From: kwade at redhat.com (Karsten Wade)
Date: Mon, 06 Jun 2005 23:08:51 -0700
Subject: web-controlled system
In-Reply-To: <1117818990.30576.10.camel@stantz.corp.sgi.com>
References: <1117682745.5887.20.camel@rivendell.home.local> <200506031629.34653.russell@coker.com.au> <1117783642.6134.13.camel@rivendell.home.local> <200506031746.47074.russell@coker.com.au> <1117818990.30576.10.camel@stantz.corp.sgi.com>
Message-ID: <1118124531.12368.219.camel@erato.phig.org>

On Fri, 2005-06-03 at 10:16 -0700, Florin Andrei wrote:
> On Fri, 2005-06-03 at 17:46 +1000, Russell Coker wrote:
> > On Friday 03 June 2005 17:27, Florin Andrei wrote:
> > > I'd imagine that by exercising the daemon in all ways possible, and
> > > keeping an eye on syslog at the same time, I should be able to figure
> > > out what needs to be permitted in the policy, right?
> >
> > Correct.
>
> I wish there was a concrete example somewhere on how to do that.
> It's not like SELinux doesn't have any docs at all but... So many things
> to do, so little time...

You might have seen this, or not:

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-chapter-0071.html

It's very generic and high-level. I'm very interested in real world
experiences trying to use those how-to instructions. Other methodologies
and experiences are also interesting. You can file a bugzilla report[1]
with any details you want to share. This is an area of the SELinux Guide
that people are asking for improvement on, and it would be nice to have
more concrete details to work from.

- Karsten

[1] Follow the directions here:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/s1-intro-more-to-come.html

-- 
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Red Hat SELinux Guide
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/

From: hongwei at wustl.edu (Hongwei Li)
Date: Tue, 7 Jun 2005 08:17:00 -0500 (CDT)
Subject: avc: denied { ioctl }?
Message-ID: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu>

Hi,

I have a fc3 linux system with targeted selinux enforced, kernel
2.6.11-1.14_FC3, targeted policy 1.17.30-2.96. After I updated the policy
to this version (1.17.30-2.96), from time to time the system log shows a
lot of error messages like this:

Jun 6 17:51:04 morpheus kernel: audit(1118098264.336:0): avc: denied { ioctl } for pid=17395 exe=/usr/bin/perl path=/proc/loadavg dev=proc ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:proc_t tclass=file

Can somebody help me to figure out what is going on? What should I check
and change to fix the problem?

Thanks!

Hongwei Li
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 07 Jun 2005 16:21:46 -0400
Subject: web-controlled system
In-Reply-To: <1117818990.30576.10.camel@stantz.corp.sgi.com>
References: <1117682745.5887.20.camel@rivendell.home.local> <200506031629.34653.russell@coker.com.au> <1117783642.6134.13.camel@rivendell.home.local> <200506031746.47074.russell@coker.com.au> <1117818990.30576.10.camel@stantz.corp.sgi.com>
Message-ID: <42A601DA.9070800@redhat.com>

Florin Andrei wrote:
> On Fri, 2005-06-03 at 17:46 +1000, Russell Coker wrote:
>> On Friday 03 June 2005 17:27, Florin Andrei wrote:
>>> On Fri, 2005-06-03 at 16:29 +1000, Russell Coker wrote:
>>>> Probably the easiest solution will be to have Apache or the CGI-BIN
>>>> script in question running unconfined.
>>>
>>> True, but I'd like to avoid that.
>>
>> If Apache can change system configuration files and restart daemons then
>> what's the point of trying to restrict it? Using Apache to configure the
>> system to boot without SE Linux enabled should be easy enough.
>
> It's not supposed to change everything. The system will be a "black box"
> to the users who have access to it solely through the Web interface, but
> that interface is not all-powerful. Some daemons can be tweaked, some
> system parameters can be changed, but the interface will not and should
> not have discretionary powers.
>
> I'd like to retain some of the protection offered by SELinux.
>
>> The problem you face is how to change the labels on some file so that
>> Apache can write to them but not grant Apache write to too many things. If
>> your requirement is "control everything over the web" then this may not be a
>> solvable problem.
>
> Ok, I see. My mistake - the interface doesn't control everything.
>
> I'm thinking about this: how about I leave the policy alone, create a
> small daemon (in Perl, whatever) that's listening on a Unix socket, then
> the Web interface is just passing the commands to the daemon.
> The daemon compares them to a list of "known good commands", maybe makes
> some other verifications, then goes ahead and executes the commands.
> This way I retain the original tight policy, plus I get a supplemental
> level of intelligence in validating what gets sent to the system via the
> interface.
>
> I dunno, this might be a method that would be interesting for more
> people using selinux that want to keep selinux but still be able to have
> a deeper control over the system.
>
>>> I'd imagine that by exercising the daemon in all ways possible, and
>>> keeping an eye on syslog at the same time, I should be able to figure
>>> out what needs to be permitted in the policy, right?
>>
>> Correct.
>
> I wish there was a concrete example somewhere on how to do that.
> It's not like SELinux doesn't have any docs at all but... So many things
> to do, so little time...

You can begin defining the policy via apache_domain. After installing
selinux-policy-targeted-sources I would start out by creating a te file.

cd /etc/selinux/targeted/src/policy
echo "apache_domain(mycgi)" >> domains/program/mycgi.te
echo "/var/www/cgi-bin/mycgi -- system_u:object_r:httpd_mycgi_script_exec_t" > file_contexts/program/mycgi.fc
make load
restorecon /var/www/cgi-bin/mycgi
setenforce 0

Start using the mycgi script file. Gather the avc messages and start using
audit2allow to generate rules for the script.

Lather; Rinse; Repeat.

Dan

--

From malejandra.castillo at gmail.com Tue Jun 7 21:24:46 2005
From: malejandra.castillo at gmail.com (Ma. Alejandra Castillo M.)
Date: Tue, 7 Jun 2005 17:24:46 -0400
Subject: policy para samba or ssh?
Message-ID: <006601c56ba7$54f3c720$800410ac@rocl.csavgroup.com>

Sirs, I need a little help. I want to realize a policy (targeted) with
Samba or ssh. At this moment I am doing my thesis and I have already
documented a lot about selinux in Spanish. But now it is time to realize
the policy and I only have two months for this.

Can you give me an idea to realize this in a short time? The idea is to
create a final product well done.

Regards

--
Mai

From sds at tycho.nsa.gov Wed Jun 8 12:08:56 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 08 Jun 2005 08:08:56 -0400
Subject: question policy
In-Reply-To: <065c01c56ae9$430b85c0$800410ac@rocl.csavgroup.com>
References: <065c01c56ae9$430b85c0$800410ac@rocl.csavgroup.com>
Message-ID: <1118232536.26902.25.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-06-06 at 18:44 -0400, Ma. Alejandra Castillo M. wrote:
> Sirs, I need a little help. I want to realize a policy (targeted) with Samba
> or ssh. At this moment I am doing my thesis and I have already documented
> a lot about selinux in Spanish. But now it is time to realize the policy
> and I only have two months for this.
>
> Can you give me an idea to realize this in a short time? The idea is to create
> a final product well done.

Not clear what you are asking, but have you looked at the FC4 targeted
policy?

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Jun 8 12:29:58 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 08 Jun 2005 08:29:58 -0400
Subject: avc: denied { ioctl }?
In-Reply-To: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu>
References: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu>
Message-ID: <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-06-07 at 08:17 -0500, Hongwei Li wrote:
> After I updated the policy to this version (1.17.30-2.96), from time to time
> the system log shows a lot of error messages like this:
>
> Jun 6 17:51:04 morpheus kernel: audit(1118098264.336:0): avc: denied {
> ioctl } for pid=17395 exe=/usr/bin/perl path=/proc/loadavg dev=proc
> ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:proc_t tclass=file

Likely should just be dontaudit'd, e.g.

yum install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
echo "dontaudit httpd_sys_script_t proc_t:file ioctl;" >> domains/misc/local.te
make load

--
Stephen Smalley
National Security Agency

From hongwei at wustl.edu Wed Jun 8 13:53:29 2005
From: hongwei at wustl.edu (Hongwei Li)
Date: Wed, 8 Jun 2005 08:53:29 -0500 (CDT)
Subject: avc: denied { ioctl }?
In-Reply-To: <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil>
References: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu> <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <3070.128.252.85.103.1118238809.squirrel@morpheus.wustl.edu>

> On Tue, 2005-06-07 at 08:17 -0500, Hongwei Li wrote:
>> After I updated the policy to this version (1.17.30-2.96), from time to time
>> the system log shows a lot of error messages like this:
>>
>> Jun 6 17:51:04 morpheus kernel: audit(1118098264.336:0): avc: denied {
>> ioctl } for pid=17395 exe=/usr/bin/perl path=/proc/loadavg dev=proc
>> ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t
>> tcontext=system_u:object_r:proc_t tclass=file
>
> Likely should just be dontaudit'd, e.g.
> yum install selinux-policy-targeted-sources
> cd /etc/selinux/targeted/src/policy
> echo "dontaudit httpd_sys_script_t proc_t:file ioctl;" >> domains/misc/local.te
> make load
>
> --
> Stephen Smalley
> National Security Agency

Thanks for the help. The strange thing is that after June 6, 18:00, this
message avc: denied { ioctl }... suddenly does not show up any more (up to
now, June 8, 9am). If it shows up again, I will do the above. Now, I am just
curious what happened. I did not change the policy in these two days, did not
change any system setting either. What does the error message mean? What is
loadavg?

Thanks!

Hongwei Li

From sds at tycho.nsa.gov Wed Jun 8 14:17:44 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 08 Jun 2005 10:17:44 -0400
Subject: avc: denied { ioctl }?
In-Reply-To: <3070.128.252.85.103.1118238809.squirrel@morpheus.wustl.edu>
References: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu> <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil> <3070.128.252.85.103.1118238809.squirrel@morpheus.wustl.edu>
Message-ID: <1118240264.26902.90.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-06-08 at 08:53 -0500, Hongwei Li wrote:
> Thanks for the help. The strange thing is that after June 6, 18:00, this
> message avc: denied { ioctl }... suddenly does not show up any more (up to
> now, June 8, 9am). If it shows up again, I will do the above. Now, I am just
> curious what happened. I did not change the policy in these two days, did not
> change any system setting either. What does the error message mean? What is
> loadavg?

perl script attempted to probe /proc/loadavg, likely was redirecting stdin
from it and did the usual check to see if it was a tty. /proc/loadavg
contains load average information provided by the kernel.

--
Stephen Smalley
National Security Agency

From hongwei at wustl.edu Wed Jun 8 14:28:20 2005
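The denial discussed in this thread, taken apart field by field and turned into the rule that Dan's "gather the avc messages and run audit2allow" step and Stephen's dontaudit suggestion both rely on. This is an added example and not code from the list or from audit2allow itself: a small POSIX sh stand-in that reads the perms, scontext, tcontext and tclass fields of "avc: denied" lines and prints either an allow rule (grant the access) or a dontaudit rule (stop logging it while still denying it). The log lines are constructed; the first copies the shape of Hongwei's denial, and a second one with equal source and target types shows the "self" spelling that a rule for a domain acting on its own type uses. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns "avc: denied" audit lines
# into SELinux allow/dontaudit rules so each rule can be read before it is
# appended to local.te. Sample log lines below are constructed.

# The type is the third field of a user:role:type[:level] context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule KIND LINE
# KIND is "allow" (permit the access) or "dontaudit" (silence it, still deny).
# Prints one rule; returns 1 when LINE is not a parseable avc denial.
avc_to_rule() {
    kind=$1
    line=$2
    perms=$(printf '%s\n' "$line" | sed -n 's/.*avc: *denied *{\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//')
    src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    stype=$(ctx_type "$src")
    ttype=$(ctx_type "$tgt")
    # A domain acting on its own type is written as "self" in policy rules.
    [ "$stype" = "$ttype" ] && ttype=self
    printf '%s %s %s:%s { %s };\n' "$kind" "$stype" "$ttype" "$cls" "$perms"
}

# avc_rules_from_log KIND < logfile
# One rule per distinct denial, sorted; unparseable avc lines go to stderr.
avc_rules_from_log() {
    kind=$1
    grep 'avc: *denied' | while IFS= read -r l; do
        avc_to_rule "$kind" "$l" || printf 'unparsed: %s\n' "$l" >&2
    done | sort -u
}

# Constructed sample log: the first line mirrors the denial quoted in the
# thread, the third has matching source and target types, the last is noise.
SAMPLE_LOG='Jun  6 17:51:04 morpheus kernel: audit(1118098264.336:0): avc:  denied  { ioctl } for  pid=17395 exe=/usr/bin/perl path=/proc/loadavg dev=proc ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:proc_t tclass=file
Jun  6 17:51:05 morpheus kernel: audit(1118098265.100:0): avc:  denied  { ioctl } for  pid=17396 exe=/usr/bin/perl path=/proc/loadavg dev=proc ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:proc_t tclass=file
Jun  6 17:52:10 morpheus kernel: audit(1118098330.027:0): avc:  denied  { associate } for  pid=12795 exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
Jun  6 17:52:11 morpheus kernel: some unrelated kernel message'

# Usage (stand-alone): print the dontaudit form of every distinct denial.
printf '%s\n' "$SAMPLE_LOG" | avc_rules_from_log dontaudit
```

Whether a denial deserves allow or dontaudit is the judgement audit2allow cannot make for you: the ioctl probe on /proc/loadavg is harmless and only noisy, so it is silenced; a denial that blocks something the script actually needs gets an allow, and anything else should be left denied and audited.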
From: hongwei at wustl.edu (Hongwei Li)
Date: Wed, 8 Jun 2005 09:28:20 -0500 (CDT)
Subject: avc: denied { ioctl }?
In-Reply-To: <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil>
References: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu> <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <3495.128.252.85.103.1118240900.squirrel@morpheus.wustl.edu>

> On Tue, 2005-06-07 at 08:17 -0500, Hongwei Li wrote:
>> After I updated the policy to this version (1.17.30-2.96), from time to time
>> the system log shows a lot of error messages like this:
>>
>> Jun 6 17:51:04 morpheus kernel: audit(1118098264.336:0): avc: denied {
>> ioctl } for pid=17395 exe=/usr/bin/perl path=/proc/loadavg dev=proc
>> ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t
>> tcontext=system_u:object_r:proc_t tclass=file
>
> Likely should just be dontaudit'd, e.g.
> yum install selinux-policy-targeted-sources
> cd /etc/selinux/targeted/src/policy
> echo "dontaudit httpd_sys_script_t proc_t:file ioctl;" >> domains/misc/local.te
> make load
>
> --
> Stephen Smalley
> National Security Agency

Another question. I installed selinux-policy-targeted-sources. However, I
could not find local.te under domains/misc. What I see under domain are:

misc program unconfined.te

Under misc I see only a folder unused, under which are:

auth-net.te fcron.te kernel.te screensaver.te startx.te userspace_objmgr.te xclient.te

but no local.te. I don't see it under domain/program/ either. Then, what
file should I run the above command to?

Thanks!

Hongwei

From dwalsh at redhat.com Wed Jun 8 14:46:56 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 08 Jun 2005 10:46:56 -0400
Subject: Unable to create files when using "context" option for NFS
In-Reply-To: <429E2C10.7060501@cert.ucr.edu>
References: <429E2C10.7060501@cert.ucr.edu>
Message-ID: <42A704E0.5040002@redhat.com>

Robert Bottomley wrote:
> In FC3 (running kernel 2.6.11-1.27_FC3smp and
> selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem
> for use by Apache. In /etc/fstab, I have:
>
> ozone:/usr/local/svn /svn nfs rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192 0 0
>
> Any attempts to create a file in /svn are met with (here I was
> attempting a "touch x"):

We don't have a good solution for this.

> audit(1117233333.027:0): avc: denied { associate } for pid=12795
> exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t
> tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
>
> It does not matter what context I specify, I cannot create a file --
> even though my shell is running as unconfined_t. (If a file already
> exists, I can edit it.)
>
> So the questions are:
>
> 1. Is this a bug? Should I not be able to create a file when running
> in the unconfined_t context?
>
> 2. Audit2allow tells me that I need to add:
> "

You can install policy sources (selinux-policy-targeted-sources)

cd /etc/selinux/targeted/src/policy
echo "allow httpd_sys_script_rw_t self:filesystem associate;" >> domains/misc/local.te
make load

And try it out. It should work. The problem for us is how to generalize
this solution.

Dan

> but if unconfined_t context cannot write, then will something in
> httpd_sys_script_rw_t be able to?
>
> sestatus
> ========
>
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 18
> Policy from config file:        targeted
>
> Policy booleans:
> allow_ypbind                    active
> dhcpd_disable_trans             inactive
> httpd_disable_trans             inactive
> httpd_enable_cgi                active
> httpd_enable_homedirs           active
> httpd_ssi_exec                  active
> httpd_tty_comm                  inactive
> httpd_unified                   inactive
> mysqld_disable_trans            inactive
> named_disable_trans             inactive
> named_write_master_zones        inactive
> nscd_disable_trans              inactive
> ntpd_disable_trans              inactive
> portmap_disable_trans           inactive
> postgresql_disable_trans        inactive
> snmpd_disable_trans             inactive
> squid_disable_trans             inactive
> syslogd_disable_trans           inactive
> use_nfs_home_dirs               inactive
> use_samba_home_dirs             inactive
> use_syslogng                    inactive
> winbind_disable_trans           inactive
> ypbind_disable_trans            inactive

--

From malejandra.castillo at gmail.com Wed Jun 8 15:58:20 2005
From: malejandra.castillo at gmail.com (Ma. Alejandra Castillo M.)
Date: Wed, 8 Jun 2005 11:58:20 -0400
Subject: question policy
References: <065c01c56ae9$430b85c0$800410ac@rocl.csavgroup.com> <1118232536.26902.25.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <013101c56c42$e68340d0$800410ac@rocl.csavgroup.com>

> Not clear what you are asking, but have you looked at the FC4 targeted
> policy?
>
> --
> Stephen Smalley
> National Security Agency

hehehe, I hope now it is understood.

I kindly request your assistance, I would like to do a targeted whether with
Samba or SSH. Right now I'm doing my final thesis and I have enough documents
in Spanish about SE Linux, but time has come to do a targeted and I have
only two months left to do so.

(FC4? I have not reviewed it yet. I am waiting for the final version)

Regards

--
Ma. Alejandra Castillo

From Valdis.Kletnieks at vt.edu Wed Jun 8 18:18:32 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 08 Jun 2005 14:18:32 -0400
Subject: local.te (was Re: avc: denied { ioctl }?
In-Reply-To: Your message of "Wed, 08 Jun 2005 09:28:20 CDT." <3495.128.252.85.103.1118240900.squirrel@morpheus.wustl.edu>
References: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu> <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil> <3495.128.252.85.103.1118240900.squirrel@morpheus.wustl.edu>
Message-ID: <200506081818.j58IIYjs010934@turing-police.cc.vt.edu>

On Wed, 08 Jun 2005 09:28:20 CDT, Hongwei Li said:
> but no local.te. I don't see it under domain/program/ either. Then, what
> file should I run the above command to?

You don't have a domain/program/local.te yet because you haven't done any local
changes to the ruleset yet. Go ahead and create it if you decide to 'dontaudit' that
one avc.

Question to the list: Should the Fedora RPM ship a one-line local.te that
says '# Put your local stuff here', and flag it as a config file so RPM will
DTRT with it?

From sds at tycho.nsa.gov Wed Jun 8 16:21:24 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 08 Jun 2005 12:21:24 -0400
Subject: question policy
In-Reply-To: <013101c56c42$e68340d0$800410ac@rocl.csavgroup.com>
References: <065c01c56ae9$430b85c0$800410ac@rocl.csavgroup.com> <1118232536.26902.25.camel@moss-spartans.epoch.ncsc.mil> <013101c56c42$e68340d0$800410ac@rocl.csavgroup.com>
Message-ID: <1118247684.26902.159.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-06-08 at 11:58 -0400, Ma. Alejandra Castillo M. wrote:
> I kindly request your assistance, I would like to do a targeted whether with
> Samba or SSH. Right now I'm doing my final thesis and I have enough documents
> in Spanish about SE Linux, but time has come to do a targeted and I have
> only two months left to do so.
> (FC4? I have not reviewed it yet. I am waiting for the final version)
> Regards

FC4 targeted policy includes many more confined daemons than FC3, so you
might want to look at it (from the development tree). Or you could use
strict policy. I doubt that even FC4 targeted policy confines sshd, since
it has to transition to user processes that are unconfined.

--
Stephen Smalley
National Security Agency

From cs007fc at wowway.com Wed Jun 8 21:02:18 2005
From: cs007fc at wowway.com (Craig)
Date: Wed, 08 Jun 2005 17:02:18 -0400
Subject: local.te (was Re: avc: denied { ioctl }?
In-Reply-To: <200506081818.j58IIYjs010934@turing-police.cc.vt.edu>
References: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu> <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil> <3495.128.252.85.103.1118240900.squirrel@morpheus.wustl.edu> <200506081818.j58IIYjs010934@turing-police.cc.vt.edu>
Message-ID: <42A75CDA.9040408@wowway.com>

Valdis.Kletnieks at vt.edu wrote:
| On Wed, 08 Jun 2005 09:28:20 CDT, Hongwei Li said:
|
|> but no local.te. I don't see it under domain/program/ either. Then, what
|> file should I run the above command to?
|
| You don't have a domain/program/local.te yet because you haven't done any local
| changes to ruleset yet. Go ahead and create it if you decide to 'dontaudit' that
| one avc.
|
| Question to the list: Should the Fedora RPM ship a one-line local.te that
| says '# Put your local stuff here', and flag it as a config file so RPM will
| DTRT with it?

Although it would seem unnecessary, I think it is an excellent idea. There
are a lot of people, even some IT/IS Admins, using(trying) fedora that are
totally unfamiliar with Unix-like systems let alone SE Linux and it would be
extremely reassuring and preferable to them to edit an existing file than to
create one from scratch.

Craig

From hongwei at wustl.edu Thu Jun 9 13:25:09 2005
From: hongwei at wustl.edu (Hongwei Li)
Date: Thu, 9 Jun 2005 08:25:09 -0500 (CDT)
Subject: local.te (was Re: avc: denied { ioctl }?
In-Reply-To: <200506081818.j58IIYjs010934@turing-police.cc.vt.edu>
References: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu> <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil> <3495.128.252.85.103.1118240900.squirrel@morpheus.wustl.edu> <200506081818.j58IIYjs010934@turing-police.cc.vt.edu>
Message-ID: <1480.128.252.85.103.1118323509.squirrel@morpheus.wustl.edu>

> On Wed, 08 Jun 2005 09:28:20 CDT, Hongwei Li said:
>
>> but no local.te. I don't see it under domain/program/ either. Then, what
>> file should I run the above command to?
>
> You don't have a domain/program/local.te yet because you haven't done any
> local changes to ruleset yet. Go ahead and create it if you decide to
> 'dontaudit' that one avc.

I created a file local.te under
/etc/selinux/targeted/src/policy/domains/program/ and run:

# echo "dontaudit httpd_sys_script_t proc_t:file ioctl;" >> local.te

Now, this file has one line

dontaudit httpd_sys_script_t proc_t:file ioctl;

Then, when I run "make load", I got:

# make load
mkdir -p tmp
( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done ) > tmp/program_used_flags.te.tmp
( cd domains/misc/ ; for n in *.te ; do echo "define(\`$n')"; done ) >> tmp/program_used_flags.te.tmp
mv tmp/program_used_flags.te.tmp tmp/program_used_flags.te
make: *** No rule to make target `file_contexts/program/local.fc', needed by `file_contexts/file_contexts'. Stop.

What should I put in file_contexts/program/local.fc?

Thanks!

Hongwei

From sds at tycho.nsa.gov Thu Jun 9 13:23:42 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 09 Jun 2005 09:23:42 -0400
Subject: local.te (was Re: avc: denied { ioctl }?
In-Reply-To: <1480.128.252.85.103.1118323509.squirrel@morpheus.wustl.edu>
References: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu> <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil> <3495.128.252.85.103.1118240900.squirrel@morpheus.wustl.edu> <200506081818.j58IIYjs010934@turing-police.cc.vt.edu> <1480.128.252.85.103.1118323509.squirrel@morpheus.wustl.edu>
Message-ID: <1118323422.30110.18.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2005-06-09 at 08:25 -0500, Hongwei Li wrote:
> Then, when I run "make load", I got:
>
> # make load
> mkdir -p tmp
> ( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done ) > tmp/program_used_flags.te.tmp
> ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$n')"; done ) >> tmp/program_used_flags.te.tmp
> mv tmp/program_used_flags.te.tmp tmp/program_used_flags.te
> make: *** No rule to make target `file_contexts/program/local.fc', needed by `file_contexts/file_contexts'. Stop.
>
> What should I put in file_contexts/program/local.fc?

That is why my message said to put local.te under domains/misc, not
domains/program. For every .te file under domains/program, the Makefile
expects there to be a .fc file under file_contexts/program. So, your
options are:
- move local.te under domains/misc as I said originally, or
- touch file_contexts/program/local.fc to create an empty file there to
satisfy the Makefile.

--
Stephen Smalley
National Security Agency

From hongwei at wustl.edu Thu Jun 9 13:40:51 2005
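The two source-tree conventions that came up in this thread, Dan's recipe for a new CGI domain (a .te under domains/program paired with its .fc under file_contexts/program) and Stephen's explanation of why a lone local.te under domains/program breaks "make load", as an added example in POSIX sh. This is not code from the list or from the policy package; it scaffolds the pair of files, appends a local rule under domains/misc where no .fc is needed, and checks a tree for the .te/.fc mismatch before make is run. The tree root is passed in so the functions can be tried against a scratch directory rather than /etc/selinux; the "mycgi" name and paths follow the thread, the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or the selinux-policy package.
# Builds the .te/.fc pair Dan's recipe creates and checks a policy source
# tree for the mismatch behind Hongwei's "No rule to make target
# file_contexts/program/local.fc" error.

# new_cgi_domain ROOT NAME PATH
# Writes domains/program/NAME.te holding apache_domain(NAME) and
# file_contexts/program/NAME.fc labelling PATH as httpd_NAME_script_exec_t,
# the type name apache_domain derives from NAME.
new_cgi_domain() {
    root=$1; name=$2; path=$3
    mkdir -p "$root/domains/program" "$root/file_contexts/program"
    printf 'apache_domain(%s)\n' "$name" > "$root/domains/program/$name.te"
    printf '%s -- system_u:object_r:httpd_%s_script_exec_t\n' "$path" "$name" \
        > "$root/file_contexts/program/$name.fc"
}

# add_local_rule ROOT RULE
# Appends RULE to domains/misc/local.te, creating it on first use. Files under
# domains/misc need no matching .fc, which is why local.te lives there.
add_local_rule() {
    mkdir -p "$1/domains/misc"
    printf '%s\n' "$2" >> "$1/domains/misc/local.te"
}

# missing_fc ROOT
# Prints the name of every domains/program/*.te without a
# file_contexts/program/*.fc; returns 1 if any is missing, 0 otherwise.
missing_fc() {
    root=$1; rc=0
    for te in "$root"/domains/program/*.te; do
        [ -e "$te" ] || continue            # glob matched nothing
        name=${te##*/}; name=${name%.te}
        if [ ! -e "$root/file_contexts/program/$name.fc" ]; then
            printf '%s\n' "$name"; rc=1
        fi
    done
    return $rc
}

# Usage (stand-alone, in a scratch tree): scaffold mycgi, add the dontaudit
# rule from the thread, then reproduce the mistake and let the check find it.
if [ "${0##*/}" != "sh" ] && [ -z "$POLICY_CHECK_NO_DEMO" ]; then
    demo=$(mktemp -d)
    new_cgi_domain "$demo" mycgi /var/www/cgi-bin/mycgi
    add_local_rule "$demo" 'dontaudit httpd_sys_script_t proc_t:file ioctl;'
    : > "$demo/domains/program/local.te"    # the misplaced local.te
    missing_fc "$demo" || echo "above .te files lack a .fc; make load would stop"
    rm -rf "$demo"
fi
```

Running missing_fc before "make load" turns the Makefile's terse failure into a list of the offending names; an empty .fc created with touch, as Stephen notes, is the other way to satisfy it when a .te really does belong under domains/program.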
From: hongwei at wustl.edu (Hongwei Li)
Date: Thu, 9 Jun 2005 08:40:51 -0500 (CDT)
Subject: local.te (was Re: avc: denied { ioctl }?
In-Reply-To: <1118323422.30110.18.camel@moss-spartans.epoch.ncsc.mil>
References: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu> <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil> <3495.128.252.85.103.1118240900.squirrel@morpheus.wustl.edu> <200506081818.j58IIYjs010934@turing-police.cc.vt.edu> <1480.128.252.85.103.1118323509.squirrel@morpheus.wustl.edu> <1118323422.30110.18.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1681.128.252.85.103.1118324451.squirrel@morpheus.wustl.edu>

> On Thu, 2005-06-09 at 08:25 -0500, Hongwei Li wrote:
>> Then, when I run "make load", I got:
>>
>> # make load
>> mkdir -p tmp
>> ( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done ) > tmp/program_used_flags.te.tmp
>> ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$n')"; done ) >> tmp/program_used_flags.te.tmp
>> mv tmp/program_used_flags.te.tmp tmp/program_used_flags.te
>> make: *** No rule to make target `file_contexts/program/local.fc', needed by `file_contexts/file_contexts'. Stop.
>>
>> What should I put in file_contexts/program/local.fc?
>
> That is why my message said to put local.te under domains/misc, not
> domains/program. For every .te file under domains/program, the Makefile
> expects there to be a .fc file under file_contexts/program. So, your
> options are:
> - move local.te under domains/misc as I said originally, or
> - touch file_contexts/program/local.fc to create an empty file there to
> satisfy the Makefile.
>
> --
> Stephen Smalley
> National Security Agency

I moved local.te to misc, and it works. Thanks!

Hongwei

From goeran at uddeborg.se Thu Jun 9 19:51:19 2005
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Thu, 9 Jun 2005 21:51:19 +0200
Subject: SELinux and RPM verification
Message-ID: <17064.40375.226589.649686@freddi.uddeborg.se>

Some days ago it was explained here that RPM packages do not include
the context information for the files they contain. Rather it sets
context according to the current policy.

Occasionally "rpm --verify" puts a "C" in the list of attribute
checks:

........C c /root/.bash_logout

That bit isn't documented in the manual page for RPM. My assumption
was that it meant that the context differed from what the package
said.

But if the package doesn't say what the context should be, then what
does it mean?

From sds at tycho.nsa.gov Thu Jun 9 20:11:40 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 09 Jun 2005 16:11:40 -0400
Subject: SELinux and RPM verification
In-Reply-To: <17064.40375.226589.649686@freddi.uddeborg.se>
References: <17064.40375.226589.649686@freddi.uddeborg.se>
Message-ID: <1118347900.30110.204.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2005-06-09 at 21:51 +0200, Göran Uddeborg wrote:
> Some days ago it was explained here that RPM packages do not include
> the context information for the files they contain. Rather it sets
> context according to the current policy.
>
> Occasionally "rpm --verify" puts a "C" in the list of attribute
> checks:
>
> ........C c /root/.bash_logout
>
> That bit isn't documented in the manual page for RPM. My assumption
> was that it meant that the context differed from what the package
> said.
>
> But if the package doesn't say what the context should be, then what
> does it mean?

It means that the context stored in the file's extended attribute on disk
is inconsistent with the file_contexts configuration. To fix, run
/sbin/restorecon on the file(s) in question.

--
Stephen Smalley
National Security Agency

From lfsjeremy at gmail.com Thu Jun 9 20:28:27 2005
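The "C" column Göran asked about, handled the way Stephen's answer implies: pull the files whose on-disk context disagrees with file_contexts out of "rpm -V" output so they can be handed to restorecon, and keep the other verify failures (size, digest, mtime, missing files) apart, since restorecon does nothing for those. This is an added example in POSIX sh, not code from the list or from rpm; the verify output it parses is constructed, with the first line copied from the thread, and it assumes the 2005-era format where the attribute string comes first, an optional file-type marker (c, d, g, ...) may follow, and the path is the last field.

```shell
#!/bin/sh
# Added example, not code from the thread or from rpm. Filters "rpm -V"
# output into (a) files whose SELinux context no longer matches
# file_contexts, which restorecon repairs, and (b) everything else, which
# it does not. Sample verify output below is constructed.

# context_mismatches < rpm-verify-output
# Prints the path of every line with a "C" in the attribute column. The
# path is taken as the last field because the file-type marker between the
# attributes and the path is optional; "missing" lines carry no attributes.
context_mismatches() {
    awk '$1 != "missing" && $1 ~ /C/ { print $NF }'
}

# other_failures < rpm-verify-output
# Lines that report a missing file or any attribute other than "." and "C":
# these need a look (or a reinstall), not a relabel. A file that is both
# modified and mislabelled appears in both lists.
other_failures() {
    awk '$1 == "missing" || ($1 ~ /^[S.M5DLUGTPC]+$/ && $1 ~ /[^.C]/) { print }'
}

# restorecon_cmd < rpm-verify-output
# Prints the restorecon invocation for the mismatched files, or nothing.
# Paths containing spaces are not handled by this simple version.
restorecon_cmd() {
    paths=$(context_mismatches | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$paths" ]; then
        printf '/sbin/restorecon -v %s\n' "$paths"
    fi
}

# Constructed sample: the first line is the one quoted in the thread.
SAMPLE_VERIFY='........C c /root/.bash_logout
S.5....T c /etc/httpd/conf/httpd.conf
........C   /usr/lib/libfoo.so.1
missing     /usr/share/doc/foo/README
.......T    /usr/bin/foo'

# Usage (stand-alone): show what would be relabelled and what would not.
printf '%s\n' "$SAMPLE_VERIFY" | restorecon_cmd
printf '%s\n' "$SAMPLE_VERIFY" | other_failures
```

Splitting the two classes matters for triage: a context mismatch on its own is the labelling drift Stephen describes and is cheap to repair, while a changed digest or a missing file is a different question that a relabel would only paper over.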
From: lfsjeremy at gmail.com (Jeremy Utley)
Date: Thu, 9 Jun 2005 13:28:27 -0700
Subject: full_user_role macro not working as expected
Message-ID: <3aaec88405060913285f826826@mail.gmail.com>

Greetings everyone!

I'm trying to set up a demonstration of SELinux functionality for a few
people, and have been hitting my head against a brick wall on it for 2
days, was hoping that maybe you guys could give me some advice...

Background:

System: Fedora Core 3, updated to latest packages via "yum update"
Strict policy, version 1.19.10-2, and the strict policy sources installed.

The Goal: To demonstrate locking down access to a file to only a certain
role, privileged_r. User account should have to access that role via the
newrole command.

The current problem:
According to the policy writing docs, a role should be created via the
full_user_role() macro. So, in domains/misc/custom_policy.te, I placed
the following line (along with other custom rules that have already been
compiled successfully and work):

full_user_role(privileged)

The docs also say that new user roles should be added to the in_user_role
macro within macros/user_macros.te, so I did that as well, making that
macro look like this:

undefine(`in_user_role')
define(`in_user_role', `
role user_r types $1;
role staff_r types $1;
role privileged_r types $1;
')

Now, when trying to compile the policy after that, I get the following
error:

/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/misc/custom_policy.te:13:ERROR 'unknown type privileged_userhelper_t' at token ';' on line 115000:
#line 13
allow privileged_mozilla_t privileged_userhelper_t:process transition;
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/strict/policy/policy.18] Error 1

I've been banging my head against the wall on this one for a day and a
half - have searched the web, read numerous docs on creating policy, looked
at how the full_user_role macro is used elsewhere in the policy, and I
simply can't figure out what I'm doing wrong. Anyone have any ideas?

Jeremy

From sds at tycho.nsa.gov Fri Jun 10 12:39:28 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 10 Jun 2005 08:39:28 -0400
Subject: full_user_role macro not working as expected
In-Reply-To: <3aaec88405060913285f826826@mail.gmail.com>
References: <3aaec88405060913285f826826@mail.gmail.com>
Message-ID: <1118407168.3774.32.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2005-06-09 at 13:28 -0700, Jeremy Utley wrote:
> The current problem:
> According to the policy writing docs, a role should be created via the
> full_user_role() macro. So, in domains/misc/custom_policy.te, I
> placed the following line (along with other custom rules that have
> already been compiled successfully and work):
>
> full_user_role(privileged)

In order to support role changes via newrole, you need some further
rules. These are defined in the role_tty_type_change() macro defined in
domains/user.te, which means that you presently have to add rules to
domains/user.te; that macro definition should likely be moved to
base_user_macros.te or user_macros.te so that it can be used elsewhere.
If you want the role to be able to use userhelper, sudo, or su, you also
need to include reach_sysadm(privileged); that macro is also presently
defined in domains/user.te and should likely be moved to user_macros.te
or base_user_macros.te.

> Now, when trying to compile the policy after that, I get the following error:
>
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> domains/misc/custom_policy.te:13:ERROR 'unknown type
> privileged_userhelper_t' at token ';' on line 115000:
> #line 13
> allow privileged_mozilla_t privileged_userhelper_t:process transition;
> /usr/bin/checkpolicy: error(s) encountered while parsing configuration
> make: *** [/etc/selinux/strict/policy/policy.18] Error 1

That's a bug in mozilla_macros.te, already removed in the FC4/development
strict policy. Remove the userhelper transition from it:

--- macros/program/mozilla_macros.te.orig 2005-06-10 08:37:54.636627280 -0400 +++ macros/program/mozilla_macros.te 2005-06-10 08:38:11.886004976 -0400 @@ -116,9 +116,6 @@ dontaudit $1_mozilla_t file_type:dir getattr; allow $1_mozilla_t self:sem create_sem_perms; -ifdef(`userhelper.te', ` -domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) -') dontaudit $1_mozilla_t selinux_config_t:dir search; #

--
Stephen Smalley
National Security Agency

From bobk at ocf.berkeley.edu Fri Jun 10 23:38:58 2005
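Review bot: the ifdef(`userhelper.te') guard being removed in the mozilla_macros.te hunk only tested whether userhelper.te is part of the build, not whether the per-role type $1_userhelper_t is declared for the role instantiating the macro, which is exactly why full_user_role(privileged) failed on privileged_userhelper_t; dropping the domain_auto_trans is the right fix for roles that never get a userhelper domain. Worth stating alongside the change: roles that do get a $1_userhelper_t (via reach_sysadm, as the message above notes) lose the automatic transition from $1_mozilla_t into $1_userhelper_t when mozilla executes a userhelper_exec_t binary. If that transition is still wanted for those roles, the rule belongs where $1_userhelper_t is declared, so that it is conditional on the type existing rather than on userhelper.te being present.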
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 10 Jun 2005 16:38:58 -0700
Subject: home dir issues w/ latest policy
Message-ID: <1118446738.4374.5.camel@chaucer>

I just upgraded to the latest targeted policy for FC3 and now every file
that I create in my home dir gets user_u context. Is this a bug?

[medieval at chaucer ~]$ touch tmpfile
[medieval at chaucer ~]$ ls -Z tmpfile
-rw-rw-r--  medieval medieval user_u:object_r:user_home_t      tmpfile
[medieval at chaucer ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-3.2
[medieval at chaucer ~]$ /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 18
Policy from config file:        targeted

Policy booleans:
allow_execmem                   active
allow_execmod                   active
allow_execstack                 active
allow_kerberos                  active
allow_ypbind                    active
dhcpd_disable_trans             inactive
httpd_builtin_scripting         inactive
httpd_can_network_connect       inactive
httpd_disable_trans             inactive
httpd_enable_cgi                active
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_tty_comm                  inactive
httpd_unified                   active
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
portmap_disable_trans           inactive
postgresql_disable_trans        inactive
snmpd_disable_trans             inactive
squid_disable_trans             inactive
syslogd_disable_trans           inactive
use_nfs_home_dirs               inactive
use_samba_home_dirs             inactive
use_syslogng                    inactive
winbind_disable_trans           inactive
ypbind_disable_trans            inactive

--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From ivg2 at cornell.edu Fri Jun 10 23:46:17 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Fri, 10 Jun 2005 19:46:17 -0400
Subject: home dir issues w/ latest policy
In-Reply-To: <1118446738.4374.5.camel@chaucer>
References: <1118446738.4374.5.camel@chaucer>
Message-ID: <1118447177.1665.1.camel@localhost.localdomain>

> [medieval at chaucer ~]$ touch tmpfile
> [medieval at chaucer ~]$ ls -Z tmpfile
> -rw-rw-r-- medieval medieval user_u:object_r:user_home_t tmpfile

The user is user_u, but the type is user_home_t. This is normal.

-- 
Ivan Gyurdiev
Cornell University

From ivg2 at cornell.edu Fri Jun 10 23:51:33 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Fri, 10 Jun 2005 19:51:33 -0400
Subject: home dir issues w/ latest policy
In-Reply-To: <1118447177.1665.1.camel@localhost.localdomain>
References: <1118446738.4374.5.camel@chaucer> <1118447177.1665.1.camel@localhost.localdomain>
Message-ID: <1118447493.1665.7.camel@localhost.localdomain>

On Fri, 2005-06-10 at 19:46 -0400, Ivan Gyurdiev wrote:
> > [medieval at chaucer ~]$ touch tmpfile
> > [medieval at chaucer ~]$ ls -Z tmpfile
> > -rw-rw-r-- medieval medieval user_u:object_r:user_home_t tmpfile
>
> The user is user_u, but the type is user_home_t. This is normal.

Unless you have a user defined in /etc/selinux/targeted/*.users, in which case make sure the policy upgrade didn't replace any of those files, and erase your user.

-- 
Ivan Gyurdiev
Cornell University

From bobk at ocf.berkeley.edu Sat Jun 11 04:09:55 2005
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 10 Jun 2005 21:09:55 -0700
Subject: home dir issues w/ latest policy
In-Reply-To: <1118447493.1665.7.camel@localhost.localdomain>
References: <1118446738.4374.5.camel@chaucer> <1118447177.1665.1.camel@localhost.localdomain> <1118447493.1665.7.camel@localhost.localdomain>
Message-ID: <1118462995.20368.8.camel@chaucer>

On Fri, 2005-06-10 at 19:51 -0400, Ivan Gyurdiev wrote:
> On Fri, 2005-06-10 at 19:46 -0400, Ivan Gyurdiev wrote:
> > > [medieval at chaucer ~]$ touch tmpfile
> > > [medieval at chaucer ~]$ ls -Z tmpfile
> > > -rw-rw-r-- medieval medieval user_u:object_r:user_home_t tmpfile
> >
> > The user is user_u, but the type is user_home_t. This is normal.
>
> Unless you have a user defined in /etc/selinux/targeted/*.users,
> in which case make sure the policy upgrade didn't replace any of
> those files, and erase your user.

Thanks Ivan for the info. For some reason everything in my home dir was labeled as system_u and so I thought maybe something was up. :)

Now for the problem that I'm having:

Jun 10 20:57:47 chaucer kernel: audit(1118462267.758:0): avc: denied { execmod } for pid=20348 comm=lt-glib-genmars path=/mnt/hdb1/home/gnome/garnome-2.11-20050610.1755/platform/glib/work/main.d/glib-2.6.4/glib/.libs/libglib-2.0.so.0.600.4 dev=hdb1 ino=4407601 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file

When I try to compile garnome in my home dir I get the above avc and the build stops. Do you know what has changed in the most recent policy update that would cause this?

Here is the build error that I get:

/mnt/hdb1/home/gnome/garnome-2.11-20050610.1755/platform/glib/work/main.d/glib-2.6.4/gobject/.libs/lt-glib-genmarshal: error while loading shared libraries: /mnt/hdb1/home/gnome/garnome-2.11-20050610.1755/platform/glib/work/main.d/glib-2.6.4/glib/.libs/libglib-2.0.so.0: cannot restore segment prot after reloc: Permission denied
make[11]: *** [stamp-gmarshal.h] Error 127

When I turn off selinux everything builds fine.

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From bobk at ocf.berkeley.edu Sat Jun 11 04:23:58 2005
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 10 Jun 2005 21:23:58 -0700
Subject: mozilla flashplayer plugin
Message-ID: <1118463838.20526.3.camel@chaucer>

The mozilla flashplayer plugin no longer works with the latest policy update.

Here is the avc:

Jun 10 21:18:51 chaucer kernel: audit(1118463531.297:0): avc: denied { execmod } for pid=20428 comm=firefox-bin path=/home/medieval/.mozilla/plugins/libflashplayer.so dev=hda3 ino=8536070 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file

It seems related to the other error that I'm getting about loading shared libraries.

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From ivg2 at cornell.edu Sat Jun 11 05:20:41 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sat, 11 Jun 2005 01:20:41 -0400
Subject: home dir issues w/ latest policy
In-Reply-To: <1118462995.20368.8.camel@chaucer>
References: <1118446738.4374.5.camel@chaucer> <1118447177.1665.1.camel@localhost.localdomain> <1118447493.1665.7.camel@localhost.localdomain> <1118462995.20368.8.camel@chaucer>
Message-ID: <1118467241.31894.9.camel@localhost.localdomain>

On Fri, 2005-06-10 at 21:09 -0700, Bob Kashani wrote:
> On Fri, 2005-06-10 at 19:51 -0400, Ivan Gyurdiev wrote:
> > On Fri, 2005-06-10 at 19:46 -0400, Ivan Gyurdiev wrote:
> > > > [medieval at chaucer ~]$ touch tmpfile
> > > > [medieval at chaucer ~]$ ls -Z tmpfile
> > > > -rw-rw-r-- medieval medieval user_u:object_r:user_home_t tmpfile
> > >
> > > The user is user_u, but the type is user_home_t. This is normal.
> >
> > Unless you have a user defined in /etc/selinux/targeted/*.users,
> > in which case make sure the policy upgrade didn't replace any of
> > those files, and erase your user.
>
> Thanks Ivan for the info. For some reason everything in my home dir was
> labeled as system_u and so I thought maybe something was up. :)

That's odd...for a home directory I would have expected user_u. However, I haven't run targeted policy in ages... The user part of the context just represents the SELinux user that created the file, and I don't think it's actually used for anything important...at least not for files on disk.

> Now for the problem that I'm having:
>
> Jun 10 20:57:47 chaucer kernel: audit(1118462267.758:0): avc: denied
> { execmod } for pid=20348 comm=lt-glib-genmars
> path=/mnt/hdb1/home/gnome/garnome-2.11-20050610.1755/platform/glib/work/main.d/glib-2.6.4/glib/.libs/libglib-2.0.so.0.600.4 dev=hdb1 ino=4407601 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file

Looks like text relocations in the library. Try to find out how to get rid of them (readelf -d |grep TEXTREL)

> When I try to compile garnome in my home dir I get the above avc and the
> build stops. Do you know what has changed in the most recent policy
> update that would cause this?

No...I'm sorry, I only follow strict policy.

-- 
Ivan Gyurdiev
Cornell University

From bobk at ocf.berkeley.edu Sat Jun 11 06:18:40 2005
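Ivan's pointer to `readelf -d | grep TEXTREL` can be checked without binutils. What follows is an added example, not code from the thread or from Fedora: it walks the ELF program headers to the PT_DYNAMIC segment and looks for a DT_TEXTREL entry or the DF_TEXTREL bit in DT_FLAGS, which is what readelf reports as TEXTREL. It handles both ELF classes and both byte orders, so it goes beyond the single x86 case in the thread; build_sample_elf() fabricates a minimal image as constructed test input, and real .so paths can be passed on the command line.

```python
"""Check an ELF shared object for text relocations by parsing its dynamic section.

Added example for this thread (not a tool from the list or from Fedora): it answers
the same question as `readelf -d lib.so | grep TEXTREL` without binutils, and
build_sample_elf() fabricates a minimal ELF image (constructed test input, not a
real library) so the check can be exercised offline.
"""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_NEEDED, DT_TEXTREL, DT_FLAGS = 0, 1, 22, 30
DF_TEXTREL = 0x4          # DT_FLAGS bit: "this object contains text relocations"

# Header / program-header / dynamic-entry layouts for the two ELF classes (is64 -> fmt).
EHDR_FMT = {True: "16sHHIQQQIHHHHHH", False: "16sHHIIIIIHHHHHH"}
PHDR_FMT = {True: "IIQQQQQQ", False: "IIIIIIII"}
DYN_FMT = {True: "qQ", False: "iI"}


def _layout(data):
    """Return (struct endian prefix, is64) from e_ident, rejecting non-ELF input."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    return ("<" if data[5] == 1 else ">"), data[4] == 2


def dynamic_entries(data):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment, stopping at DT_NULL."""
    endian, is64 = _layout(data)
    ehdr = struct.unpack_from(endian + EHDR_FMT[is64], data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    step = struct.calcsize(DYN_FMT[is64])
    for i in range(e_phnum):
        ph = struct.unpack_from(endian + PHDR_FMT[is64], data, e_phoff + i * e_phentsize)
        # Elf64_Phdr puts p_flags before p_offset; Elf32_Phdr puts p_flags near the end.
        p_offset, p_filesz = (ph[2], ph[5]) if is64 else (ph[1], ph[4])
        if ph[0] != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, step):
            tag, val = struct.unpack_from(endian + DYN_FMT[is64], data, off)
            if tag == DT_NULL:
                return
            yield tag, val


def has_text_relocations(data):
    """True if the object carries DT_TEXTREL or the DF_TEXTREL bit in DT_FLAGS.

    Either one makes the loader make the text segment writable and executable
    again, which is the execmod access SELinux denied in the thread.
    """
    for tag, val in dynamic_entries(data):
        if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
            return True
    return False


def build_sample_elf(textrel, is64=True, little_endian=True):
    """Fabricate a minimal ET_DYN image with one PT_DYNAMIC segment (constructed test input)."""
    endian = "<" if little_endian else ">"
    entries = [(DT_NEEDED, 1), (DT_FLAGS, DF_TEXTREL if textrel else 0)]
    if textrel:
        entries.append((DT_TEXTREL, 0))
    entries.append((DT_NULL, 0))
    ehsize = struct.calcsize(endian + EHDR_FMT[is64])
    phentsize = struct.calcsize(endian + PHDR_FMT[is64])
    dyn = b"".join(struct.pack(endian + DYN_FMT[is64], t, v) for t, v in entries)
    dyn_off = ehsize + phentsize          # dynamic section sits right after the one phdr
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1 if little_endian else 2, 1]) + b"\x00" * 9
    ehdr = struct.pack(endian + EHDR_FMT[is64], ident, 3, 62 if is64 else 3, 1,
                       0, ehsize, 0, 0, ehsize, phentsize, 1, 0, 0, 0)
    if is64:
        phdr = struct.pack(endian + PHDR_FMT[is64], PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    else:
        phdr = struct.pack(endian + PHDR_FMT[is64], PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    # Usage: python textrel_check.py /path/to/lib.so ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "TEXTREL" if has_text_relocations(f.read()) else "no text relocations")
```

A library that reports TEXTREL is the one to rebuild as position-independent code (or, failing that, the one that would need the texrel_shlib_t label discussed later in the thread); the check deliberately reads only the program headers, so it works on stripped objects with no section table.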
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 10 Jun 2005 23:18:40 -0700
Subject: home dir issues w/ latest policy
In-Reply-To: <1118467241.31894.9.camel@localhost.localdomain>
References: <1118446738.4374.5.camel@chaucer> <1118447177.1665.1.camel@localhost.localdomain> <1118447493.1665.7.camel@localhost.localdomain> <1118462995.20368.8.camel@chaucer> <1118467241.31894.9.camel@localhost.localdomain>
Message-ID: <1118470720.20940.5.camel@chaucer>

On Sat, 2005-06-11 at 01:20 -0400, Ivan Gyurdiev wrote:
> On Fri, 2005-06-10 at 21:09 -0700, Bob Kashani wrote:
> > On Fri, 2005-06-10 at 19:51 -0400, Ivan Gyurdiev wrote:
> > > On Fri, 2005-06-10 at 19:46 -0400, Ivan Gyurdiev wrote:
> > > > > [medieval at chaucer ~]$ touch tmpfile
> > > > > [medieval at chaucer ~]$ ls -Z tmpfile
> > > > > -rw-rw-r-- medieval medieval user_u:object_r:user_home_t tmpfile
> > > >
> > > > The user is user_u, but the type is user_home_t. This is normal.
> > >
> > > Unless you have a user defined in /etc/selinux/targeted/*.users,
> > > in which case make sure the policy upgrade didn't replace any of
> > > those files, and erase your user.
> >
> > Thanks Ivan for the info. For some reason everything in my home dir was
> > labeled as system_u and so I thought maybe something was up. :)
>
> That's odd...for a home directory I would have expected user_u.
> However, I haven't run targeted policy in ages...
> The user part of the context just represents the SELinux user
> that created the file, and I don't think it's actually used
> for anything important...at least not for files on disk.

On my rawhide install everything is user_u but in FC3 it was system_u. I changed things to user_u just for good measure. :)

> > Now for the problem that I'm having:
> >
> > Jun 10 20:57:47 chaucer kernel: audit(1118462267.758:0): avc: denied
> > { execmod } for pid=20348 comm=lt-glib-genmars
> > path=/mnt/hdb1/home/gnome/garnome-2.11-20050610.1755/platform/glib/work/main.d/glib-2.6.4/glib/.libs/libglib-2.0.so.0.600.4 dev=hdb1 ino=4407601 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file
>
> Looks like text relocations in the library. Try to find out how to get
> rid of them (readelf -d |grep TEXTREL)
>
> > When I try to compile garnome in my home dir I get the above avc and the
> > build stops. Do you know what has changed in the most recent policy
> > update that would cause this?
>
> No...I'm sorry, I only follow strict policy.

Well, I used audit2allow and it said I needed:

allow unconfined_t user_home_t:file execmod;

So I added it to the Shared Library section of /etc/selinux/targeted/src/policy/domains/unconfined.te

And things seem to work. :) Is this correct?

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From ivg2 at cornell.edu Sat Jun 11 06:37:09 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sat, 11 Jun 2005 02:37:09 -0400
Subject: home dir issues w/ latest policy
In-Reply-To: <1118470720.20940.5.camel@chaucer>
References: <1118446738.4374.5.camel@chaucer> <1118447177.1665.1.camel@localhost.localdomain> <1118447493.1665.7.camel@localhost.localdomain> <1118462995.20368.8.camel@chaucer> <1118467241.31894.9.camel@localhost.localdomain> <1118470720.20940.5.camel@chaucer>
Message-ID: <1118471829.32040.6.camel@localhost.localdomain>

> Well, I used audit2allow and it said I needed:
>
> allow unconfined_t user_home_t:file execmod;
>
> So I added it to the Shared Library section
> of /etc/selinux/targeted/src/policy/domains/unconfined.te
>
> And things seem to work. :) Is this correct?

Correct ..hmm

Well, you might have a case for targeted (being un-confined), but in strict this is definitely not ok. The proper solution is to compile the library without text relocations. If that is not possible, the library can be labeled texrel_shlib_t to work around the problem. However, there's the issue that an unprivileged user, such as yourself, is not allowed to label things texrel_shlib_t.

-- 
Ivan Gyurdiev
Cornell University

From creasy.bear at gmail.com Sat Jun 11 12:35:38 2005
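The audit2allow step Bob describes, and the AVC lines quoted throughout this thread, can be reproduced with a short parser. This is an added example (not audit2allow and not a Fedora tool): it decodes the `avc: denied { perm } for ...` records, collapses them into allow rules the way audit2allow does, and attaches the triage question this thread raises before such a rule goes into policy. The sample lines are the ones posted in the thread, with the long garnome path shortened and one constructed non-AVC line added to show it is ignored.

```python
"""Parse kernel AVC messages, merge them into audit2allow-style rules and triage them.

Added example for this thread (not audit2allow itself). SAMPLE_LOG holds three AVC
lines in the same shape as the ones posted in the thread, with the long garnome path
shortened; the fourth line is a constructed non-AVC line to show it is ignored.
"""
import re
from collections import defaultdict, namedtuple

Context = namedtuple("Context", "user role type")

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_LOG = """\
Jun 10 20:57:47 chaucer kernel: audit(1118462267.758:0): avc: denied { execmod } for pid=20348 comm=lt-glib-genmars path=/home/gnome/glib-2.6.4/glib/.libs/libglib-2.0.so.0.600.4 dev=hdb1 ino=4407601 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1118492920.045:0): avc: denied { search } for pid=3285 exe=/usr/libexec/mysqld name=nscd dev=dm-0 ino=98349 scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 11 19:11:16 agora kernel: audit(1118542276.660:0): avc: denied { write } for pid=19303 exe=/usr/sbin/httpd name=image_cache dev=sda1 ino=1392658 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Jun 11 19:11:17 agora kernel: eth0: link up (constructed, not an AVC line)
"""


def parse_context(ctx):
    """Split user:role:type into parts. Only the type matters to TE allow rules, which is
    why a user_u:object_r:user_home_t file in a home directory is nothing to worry about."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return Context(parts[0], parts[1], parts[2])


def parse_avc(line):
    """Return the decoded AVC record for one log line, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,           # pid, comm/exe, path/name, dev, ino ...
    }


def rules_from_log(text):
    """Collapse denials into one allow rule per (source type, target type, class), like audit2allow."""
    perms = defaultdict(set)
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["verdict"] != "denied":
            continue
        perms[(avc["scontext"].type, avc["tcontext"].type, avc["tclass"])].update(avc["perms"])
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        body = " ".join(sorted(p)) if len(p) == 1 else "{ %s }" % " ".join(sorted(p))
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules


def triage(avc):
    """Say what to check before the generated rule goes into policy (the thread's advice)."""
    perms = set(avc["perms"])
    src, tgt = avc["scontext"].type, avc["tcontext"].type
    if "execmod" in perms and avc["tclass"] == "file":
        # The execmod cases in the thread were text relocations in libraries under
        # user_home_t: rebuild without TEXTREL, label texrel_shlib_t, or restore the
        # allow_execmod boolean. A blanket allow rule hides all three.
        return "execmod on %s: check for TEXTREL / texrel_shlib_t / allow_execmod before allowing" % tgt
    if src == "httpd_t" and "write" in perms:
        return "httpd write: verify httpd_unified and httpd_builtin_scripting are both on first"
    return "no known boolean; decide whether %s really needs %s on %s" % (src, " ".join(sorted(perms)), tgt)


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
    for line in SAMPLE_LOG.splitlines():
        avc = parse_avc(line)
        if avc:
            print("#", triage(avc))
```

The rule it prints for Bob's line is the same `allow unconfined_t user_home_t:file execmod;` he got from audit2allow; the triage string is the part audit2allow does not give you, and in this thread it is the part that mattered.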
From: creasy.bear at gmail.com (Andrzej Kąkolewski)
Date: Sat, 11 Jun 2005 14:35:38 +0200
Subject: httpd and mysqld
Message-ID: <265c074205061105352dc3fd87@mail.gmail.com>

Hello
I have these selinux warnings:

audit(1118492920.045:0): avc: denied { search } for pid=3285 exe=/usr/libexec/mysqld name=nscd dev=dm-0 ino=98349 scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

audit(1118492923.767:0): avc: denied { search } for pid=3371 exe=/usr/sbin/httpd name=nscd dev=dm-0 ino=98349 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

I did autorelabel but it didn't help.
What should I do?

-- 
Regards
Andrzej Kąkolewski
Mail: creasy.bear at gmail.com
JID: gnr at jabber.atman.pl

From justin.conover at gmail.com Sat Jun 11 16:28:20 2005
From: justin.conover at gmail.com (Justin Conover)
Date: Sat, 11 Jun 2005 11:28:20 -0500
Subject: selinux & external hd permissions.
Message-ID:

Currently I have a server with a raid 5 for my wife's photography backups and some other stuff I keep. I want to get an external hd like a LaCie 500GB firewire/usb for backup of that file system for extra safety.

Question is, if that server is running SELinux on CentOS 4.0 and I back stuff up to that external drive, will other boxes be able to read that external drive? In the chance that hardware fails and I need to be able to look at that data on another box?

Or, would it just be better to format the external with fat32 or something so my wife can use her box to pull the data off?

From Valdis.Kletnieks at vt.edu Sat Jun 11 18:01:17 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sat, 11 Jun 2005 14:01:17 -0400
Subject: selinux & external hd permissions.
In-Reply-To: Your message of "Sat, 11 Jun 2005 11:28:20 CDT."
References:
Message-ID: <200506111801.j5BI1HmU012570@turing-police.cc.vt.edu>

On Sat, 11 Jun 2005 11:28:20 CDT, Justin Conover said:
> Question is, if that server is running SELinux on CentOS 4.0 and I
> back stuff up to that external drive, will other boxes be able to read
> that external drive? In the chance that hardware fails and I need to
> be able to look at that data on another box?

SELinux will enter into it very little. Just make sure that the drive is using a file system the other box has support for. A bigger issue will be "does the other box have support for your file system?". Using reiserfs may be a problem if the other box doesn't have it, and even ext3 will be.. interesting.. if the other box is a Windows box (in which case you're probably better off just making the FS fat32 and mounting it on your SELinux box with fscontext=)

Please note that if the other box *writes* to the file system, you'll probably need to run 'restorecon' on it when you mount it back on the SELinux-based box before things will really work right, and you are at the mercy of the other box's security while it's mounted there.

If you trust the other box to not leave a Trojan on the file system, the quick answer is "go for it, and restorecon when it comes back". If you don't trust the other box, then it gets a lot more interesting....

From fenn at stanford.edu Sun Jun 12 02:28:10 2005
From: fenn at stanford.edu (Tim Fenn)
Date: Sat, 11 Jun 2005 19:28:10 -0700
Subject: httpd denied write
Message-ID: <20050612022810.GB29206@stanford.edu>

I'm still a bit new to selinux, so apologies if this is a silly question. I've been running httpd in the past, but I've recently had errors accessing my mythweb folder (lots of permission denied messages) with the following logged in /var/log/messages:

Jun 11 19:11:16 agora kernel: audit(1118542276.660:0): avc: denied { write } for pid=19303 exe=/usr/sbin/httpd name=image_cache dev=sda1 ino=1392658 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir

this is from the php scripts in mythweb attempting to write to an image cache, which is also under the mythweb folder. httpd_unified is set to 1, so I would have thought any write call by httpd would be allowed... but I'm obviously missing something simple. Would putting:

allow httpd_t httpd_sys_content_t:dir write;

in my policy be an appropriate solution?

Thanks for any help,
Tim F

From cviniciusm at terra.com.br Sun Jun 12 12:46:35 2005
From: cviniciusm at terra.com.br (Vinicius)
Date: Sun, 12 Jun 2005 09:46:35 -0300
Subject: AVC Denied for thunderbird-bin and firefox-bin.
Message-ID:

Hello,

The /var/log/messages is showing the messages:

"Jun 12 09:23:49 mycomputer kernel: audit(1118579029.860:0): avc: denied { execmod } for pid=26414 comm=thunderbird-bin path=/usr/local/thunderbird/components/libqfaservices.so dev=dm-0 ino=2093301 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:user_home_t tclass=file
Jun 12 09:33:43 mycomputer kernel: audit(1118579623.351:0): avc: denied { execmod } for pid=26948 comm=firefox-bin path=/home/cassius/.mozilla/plugins/libflashplayer.so dev=dm-0 ino=2112839 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file"

How to resolve these problems, please?

TIA,
Vinicius.

From justin.conover at gmail.com Sun Jun 12 13:12:48 2005
From: justin.conover at gmail.com (Justin Conover)
Date: Sun, 12 Jun 2005 08:12:48 -0500
Subject: selinux & external hd permissions.
In-Reply-To: <200506111801.j5BI1HmU012570@turing-police.cc.vt.edu>
References: <200506111801.j5BI1HmU012570@turing-police.cc.vt.edu>
Message-ID:

On 6/11/05, Valdis.Kletnieks at vt.edu wrote:
> On Sat, 11 Jun 2005 11:28:20 CDT, Justin Conover said:
>
> > Question is, if that server is running SELinux on CentOS 4.0 and I
> > back stuff up to that external drive, will other boxes be able to read
> > that external drive? In the chance that hardware fails and I need to
> > be able to look at that data on another box?
>
> SELinux will enter into it very little. Just make sure that the drive is using
> a file system the other box has support for. A bigger issue will be "does
> the other box have support for your file system?". Using reiserfs may be
> a problem if the other box doesn't have it, and even ext3 will be.. interesting..
> if the other box is a Windows box (in which case you're probably better off
> just making the FS fat32 and mounting it on your SELinux box with fscontext=)
>
> Please note that if the other box *writes* to the file system, you'll probably
> need to run 'restorecon' on it when you mount it back on the SELinux-based box
> before things will really work right, and you are at the mercy of the other box's
> security while it's mounted there.
>
> If you trust the other box to not leave a Trojan on the file system, the quick
> answer is "go for it, and restorecon when it comes back". If you don't trust
> the other box, then it gets a lot more interesting....
>

The Server is CentOS 4.0 with ext3 and SELinux enabled, all my other boxes are Fedora/rawhide using selinux. My wife has two windows boxes and the only reason I would connect it to hers is if there was some kind of problem having another selinux box read the fs, so that's why I thought maybe it would be best to just put fat32 on there. If the other selinux boxes can read it then I won't worry about it. Also the only reason I would mv the external drive off my server is if there was a hardware failure in the server and had to recover the data.

From Valdis.Kletnieks at vt.edu Sun Jun 12 13:23:53 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sun, 12 Jun 2005 09:23:53 -0400
Subject: selinux & external hd permissions.
In-Reply-To: Your message of "Sun, 12 Jun 2005 08:12:48 CDT."
References: <200506111801.j5BI1HmU012570@turing-police.cc.vt.edu>
Message-ID: <200506121323.j5CDNscj011064@turing-police.cc.vt.edu>

On Sun, 12 Jun 2005 08:12:48 CDT, Justin Conover said:
> The Server is CentOS 4.0 with ext3 and SELinux enabled, all my other
> boxes are Fedora/rawhide using selinux. My wife has two windows boxes
> and the only reason I would connect it to hers is if there was some
> kind of problem having another selinux box read the fs, so that's why
> I thought maybe it would be best to just put fat32 on there. If the
> other selinux boxes can read it then I won't worry about it. Also the
> only reason I would mv the external drive off my server is if there
> was a hardware failure in the server and had to recover the data.

The data will be readable off any box that supports ext3 and extended attributes (I can't remember what happens if the kernel doesn't do the extended attributes - whether it won't mount, or it mounts-and-ignores). At worst, you'd need to drop to 'permissive' mode and/or restorecon.

From justin.conover at gmail.com Sun Jun 12 15:04:01 2005
From: justin.conover at gmail.com (Justin Conover)
Date: Sun, 12 Jun 2005 10:04:01 -0500
Subject: selinux & external hd permissions.
In-Reply-To: <200506121323.j5CDNscj011064@turing-police.cc.vt.edu>
References: <200506111801.j5BI1HmU012570@turing-police.cc.vt.edu> <200506121323.j5CDNscj011064@turing-police.cc.vt.edu>
Message-ID:

On 6/12/05, Valdis.Kletnieks at vt.edu wrote:
> On Sun, 12 Jun 2005 08:12:48 CDT, Justin Conover said:
>
> > The Server is CentOS 4.0 with ext3 and SELinux enabled, all my other
> > boxes are Fedora/rawhide using selinux. My wife has two windows boxes
> > and the only reason I would connect it to hers is if there was some
> > kind of problem having another selinux box read the fs, so that's why
> > I thought maybe it would be best to just put fat32 on there. If the
> > other selinux boxes can read it then I won't worry about it. Also the
> > only reason I would mv the external drive off my server is if there
> > was a hardware failure in the server and had to recover the data.
>
> The data will be readable off any box that supports ext3 and extended
> attributes (I can't remember what happens if the kernel doesn't do the
> extended attributes - whether it won't mount, or it mounts-and-ignores).
> At worst, you'd need to drop to 'permissive' mode and/or restorecon.

True, I didn't think about that :D

From walters at redhat.com Sun Jun 12 16:44:44 2005
From: walters at redhat.com (Colin Walters)
Date: Sun, 12 Jun 2005 12:44:44 -0400
Subject: home dir issues w/ latest policy
In-Reply-To: <1118462995.20368.8.camel@chaucer>
References: <1118446738.4374.5.camel@chaucer> <1118447177.1665.1.camel@localhost.localdomain> <1118447493.1665.7.camel@localhost.localdomain> <1118462995.20368.8.camel@chaucer>
Message-ID: <1118594685.3319.1.camel@nexus.verbum.private>

On Fri, 2005-06-10 at 21:09 -0700, Bob Kashani wrote:
> Jun 10 20:57:47 chaucer kernel: audit(1118462267.758:0): avc: denied
> { execmod } for pid=20348 comm=lt-glib-genmars
> path=/mnt/hdb1/home/gnome/garnome-2.11-20050610.1755/platform/glib/work/main.d/glib-2.6.4/glib/.libs/libglib-2.0.so.0.600.4 dev=hdb1 ino=4407601 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file

You got bitten by an upgrade bug, I think. Try:

setsebool -P allow_execmod=true

From walters at redhat.com Sun Jun 12 16:51:04 2005
From: walters at redhat.com (Colin Walters)
Date: Sun, 12 Jun 2005 12:51:04 -0400
Subject: mozilla flashplayer plugin
In-Reply-To: <1118463838.20526.3.camel@chaucer>
References: <1118463838.20526.3.camel@chaucer>
Message-ID: <1118595064.2143.2.camel@nexus.verbum.private>

On Fri, 2005-06-10 at 21:23 -0700, Bob Kashani wrote:
> The mozilla flashplayer plugin no longer works with the latest policy
> update.
>
> Here is the avc:
>
> Jun 10 21:18:51 chaucer kernel: audit(1118463531.297:0): avc: denied
> { execmod } for pid=20428 comm=firefox-bin
> path=/home/medieval/.mozilla/plugins/libflashplayer.so dev=hda3
> ino=8536070 scontext=user_u:system_r:unconfined_t
> tcontext=user_u:object_r:user_home_t tclass=file

The setsebool command should fix this too. The allow_execmod boolean defaults to true, but due to a spec file issue from a while ago, the updated /etc/selinux/targeted/booleans file was installed as .rpmnew, thus not giving you the new default value of true.

I believe this issue is fixed now, so new FC4 installs will work as well as FC3->FC4 final.

From walters at redhat.com Sun Jun 12 17:02:19 2005
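Colin's explanation means the booleans a machine is running can silently differ from the defaults the updated package shipped in booleans.rpmnew. The following added example (not a Fedora tool, not from the thread) compares the two and emits the setsebool -P commands needed to close the gap. It assumes the booleans file is one name=0|1 per line with # comments, and it also accepts the name active|inactive lines that sestatus prints; both inputs are constructed, the sestatus one trimmed from the output Bob posted earlier with allow_execmod set inactive to show the upgrade case.

```python
"""Compare the booleans a system is running with the defaults a policy update shipped,
to catch the booleans.rpmnew upgrade bug described in this thread.

Added example (not a Fedora tool). Assumed formats: the /etc/selinux/<policy>/booleans
file is one `name=0|1` per line with `#` comments, and sestatus prints
`name active|inactive`. Both samples below are constructed.
"""
import re

# Constructed: the running state, in the shape of sestatus output, with allow_execmod
# stuck at the old value because the new booleans file landed as .rpmnew.
ACTIVE_SESTATUS = """\
Policy booleans:
allow_execmem active
allow_execmod inactive
httpd_builtin_scripting inactive
httpd_enable_cgi active
httpd_unified active
"""

# Constructed stand-in for booleans.rpmnew, the defaults the update meant to install.
RPMNEW_DEFAULTS = """\
# defaults shipped by the updated policy package
allow_execmem=1
allow_execmod=1
httpd_builtin_scripting=1
httpd_enable_cgi=1
httpd_unified=1
use_nfs_home_dirs=0
"""

LINE_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_]+)\s*(?:=\s*(?P<num>[01])|\s(?P<word>active|inactive))\s*$")


def parse_booleans(text):
    """Return {name: 0|1} from either the booleans file format or sestatus output."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        m = LINE_RE.match(line)
        if not m:
            continue                         # headings such as "Policy booleans:" and blank lines
        if m.group("num") is not None:
            values[m.group("name")] = int(m.group("num"))
        else:
            values[m.group("name")] = 1 if m.group("word") == "active" else 0
    return values


def drift(active, defaults):
    """List (name, running value or None, shipped default) wherever the two disagree."""
    out = []
    for name, default in sorted(defaults.items()):
        running = active.get(name)           # None: boolean unknown to the running policy
        if running != default:
            out.append((name, running, default))
    return out


def setsebool_commands(diffs):
    """Persistent setsebool invocations that bring the running values back to the defaults."""
    return ["setsebool -P %s=%d" % (name, default) for name, _, default in diffs]


if __name__ == "__main__":
    diffs = drift(parse_booleans(ACTIVE_SESTATUS), parse_booleans(RPMNEW_DEFAULTS))
    for name, running, default in diffs:
        print("%-28s running=%s default=%d" % (name, running, default))
    for cmd in setsebool_commands(diffs):
        print(cmd)
```

On a real system the two inputs would be the `sestatus` output (or the active booleans file) and the `.rpmnew` copy; the point of reporting a missing boolean as None rather than skipping it is that a name present only in the new defaults is itself a sign the running file is stale.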
From: walters at redhat.com (Colin Walters)
Date: Sun, 12 Jun 2005 13:02:19 -0400
Subject: httpd and mysqld
In-Reply-To: <265c074205061105352dc3fd87@mail.gmail.com>
References: <265c074205061105352dc3fd87@mail.gmail.com>
Message-ID: <1118595739.2143.6.camel@nexus.verbum.private>

On Sat, 2005-06-11 at 14:35 +0200, Andrzej Kąkolewski wrote:
> Hello
> I have these selinux warnings:
>
> audit(1118492920.045:0): avc: denied { search } for pid=3285
> exe=/usr/libexec/mysqld name=nscd dev=dm-0 ino=98349
> scontext=user_u:system_r:mysqld_t
> tcontext=system_u:object_r:nscd_var_run_t tclass=dir

Can you give us some details? Is this FC3? FC4? Have you changed the mysql configuration in any way? I can't reproduce this by starting nscd and mysqld on rawhide/FC4; is anything else needed?

From walters at redhat.com Sun Jun 12 17:03:06 2005
From: walters at redhat.com (Colin Walters)
Date: Sun, 12 Jun 2005 13:03:06 -0400
Subject: AVC Denied for thunderbird-bin and firefox-bin.
In-Reply-To:
References:
Message-ID: <1118595786.2143.8.camel@nexus.verbum.private>

On Sun, 2005-06-12 at 09:46 -0300, Vinicius wrote:
> Hello,
>
> The /var/log/messages is showing the messages:
> "Jun 12 09:23:49 mycomputer kernel: audit(1118579029.860:0): avc:
> denied { execmod } for pid=26414 comm=thunderbird-bin path=/
> usr/local/thunderbird/components/libqfaservices.so dev=dm-0 ino=2093301
> scontext=user_u:system_r:unconfined_t tcontext=root
> :object_r:user_home_t tclass=file

setsebool -P allow_execmod=true

It's an upgrade bug, shouldn't appear in FC4 or FC3->FC4 final upgrades.

From walters at redhat.com Sun Jun 12 17:05:30 2005
From: walters at redhat.com (Colin Walters)
Date: Sun, 12 Jun 2005 13:05:30 -0400
Subject: httpd denied write
In-Reply-To: <20050612022810.GB29206@stanford.edu>
References: <20050612022810.GB29206@stanford.edu>
Message-ID: <1118595930.2143.11.camel@nexus.verbum.private>

On Sat, 2005-06-11 at 19:28 -0700, Tim Fenn wrote:
> I'm still a bit new to selinux, so apologies if this is a silly
> question. I've been running httpd in the past, but I've recently had
> errors accessing my mythweb folder (lots of permission denied
> messages) with the following logged in /var/log/messages:
>
> Jun 11 19:11:16 agora kernel: audit(1118542276.660:0): avc: denied {
> write } for pid=19303 exe=/usr/sbin/httpd name=image_cache dev=sda1
> ino=1392658 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
>
> this is from the php scripts in mythweb attempting to write to an
> image cache, which is also under the mythweb folder. httpd_unified is
> set to 1,

In order to allow httpd to write, you now need both the "httpd_builtin_scripting" and "httpd_unified" booleans enabled. The default for both is true, AFAIK; presumably you were bit by the upgrade bug for the booleans file.

From fenn at stanford.edu Sun Jun 12 19:31:25 2005
From: fenn at stanford.edu (Tim Fenn)
Date: Sun, 12 Jun 2005 12:31:25 -0700
Subject: httpd denied write
In-Reply-To: <1118595930.2143.11.camel@nexus.verbum.private>
References: <20050612022810.GB29206@stanford.edu> <1118595930.2143.11.camel@nexus.verbum.private>
Message-ID: <20050612193124.GA14370@stanford.edu>

On Sun, Jun 12, 2005 at 01:05:30PM -0400, Colin Walters wrote:
> On Sat, 2005-06-11 at 19:28 -0700, Tim Fenn wrote:
> > I'm still a bit new to selinux, so apologies if this is a silly
> > question. I've been running httpd in the past, but I've recently had
> > errors accessing my mythweb folder (lots of permission denied
> > messages) with the following logged in /var/log/messages:
> >
> > Jun 11 19:11:16 agora kernel: audit(1118542276.660:0): avc: denied {
> > write } for pid=19303 exe=/usr/sbin/httpd name=image_cache dev=sda1
> > ino=1392658 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
> >
> > this is from the php scripts in mythweb attempting to write to an
> > image cache, which is also under the mythweb folder. httpd_unified is
> > set to 1,
>
> In order to allow httpd to write, you now need both the
> "httpd_builtin_scripting" and "httpd_unified" booleans enabled.
> The default for both is true, AFAIK; presumably you were bit by the
> upgrade bug for the booleans file.
>

Thanks, Colin. httpd_builtin_scripting was indeed inactive, and "setsebool -P httpd_builtin_scripting=1" did the trick.

-Tim

From bobk at ocf.berkeley.edu Sun Jun 12 20:06:06 2005
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Sun, 12 Jun 2005 13:06:06 -0700
Subject: home dir issues w/ latest policy
In-Reply-To: <1118594685.3319.1.camel@nexus.verbum.private>
References: <1118446738.4374.5.camel@chaucer> <1118447177.1665.1.camel@localhost.localdomain> <1118447493.1665.7.camel@localhost.localdomain> <1118462995.20368.8.camel@chaucer> <1118594685.3319.1.camel@nexus.verbum.private>
Message-ID: <1118606766.8418.2.camel@chaucer>

On Sun, 2005-06-12 at 12:44 -0400, Colin Walters wrote:
> On Fri, 2005-06-10 at 21:09 -0700, Bob Kashani wrote:
>
> > Jun 10 20:57:47 chaucer kernel: audit(1118462267.758:0): avc: denied
> > { execmod } for pid=20348 comm=lt-glib-genmars
> > path=/mnt/hdb1/home/gnome/garnome-2.11-20050610.1755/platform/glib/work/main.d/glib-2.6.4/glib/.libs/libglib-2.0.so.0.600.4 dev=hdb1 ino=4407601 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file
>
> You got bitten by an upgrade bug, I think. Try:
>
> setsebool -P allow_execmod=true

Thanks, Colin. That fixed things for me. :)

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From varol.kaptan at gmail.com Mon Jun 13 11:08:30 2005
From: varol.kaptan at gmail.com (varol kaptan)
Date: Mon, 13 Jun 2005 12:08:30 +0100
Subject: problems after selinux-policy-targeted-1.17.30-3.2 update
Message-ID: <5ce97a22050613040853284bbc@mail.gmail.com>

Hi,

I have a shared library that I create and use within my application. After the update the thing stopped working. Here is some information:

ls -Z /usr/bin/lua
-rwxr-xr-x root root system_u:object_r:bin_t /usr/bin/lua

ls -Z /home/varol/src/lua/lib/memarray.so
-rwxrwxr-x varol varol user_u:object_r:user_home_t /home/varol/src/lua/lib/memarray.so

tail -f /var/log/messages
Jun 13 12:03:45 thales kernel: audit(1118660625.243:0): avc: denied { execmod } for pid=3021 comm=lua path=/home/varol/src/lua/lib/memarray.so dev=dm-1 ino=753702 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file

I had other problems too (acrobat 7) but was able to fix them by going through the mailing lists.

My question is: How do I fix the above problem, and is there a way to fix the mess introduced with the latest selinux-policy-targeted-1.17.30-3.2 update once and for all?

Thanks in advance,
Varol Kaptan

From goeran at uddeborg.se Mon Jun 13 11:05:11 2005
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Mon, 13 Jun 2005 13:05:11 +0200
Subject: SELinux and RPM verification
In-Reply-To: <1118347900.30110.204.camel@moss-spartans.epoch.ncsc.mil>
References: <17064.40375.226589.649686@freddi.uddeborg.se> <1118347900.30110.204.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <17069.26727.531087.533488@mimmi.uddeborg.se>

Stephen Smalley writes:
> It means that the context stored in the file's extended attribute on
> disk is inconsistent with the file_contexts configuration. To fix,
> run /sbin/restorecon on the file(s) in question.

So it isn't really an RPM check then, rather an external check on files chosen by RPM. Thanks for the explanation!

There seems to be something more involved, though. When doing "rpm -Va" I get complaints about a few files. Doing restorecon doesn't change anything. See below for /etc/idmapd.conf as an example.

My rpm is from FC3 while SELinux-packages are from FC4 test, in case this could be a compatibility issue.

I would like to understand what is going on here.

[root at mimmi ~]# rpm -Vf /etc/idmapd.conf
..5....TC c /etc/idmapd.conf
S.5....T. c /var/lib/nfs/etab
S.5....T. c /var/lib/nfs/rmtab
........? /var/lib/nfs/rpc_pipefs
..?...... c /var/lib/nfs/state
..?....T. c /var/lib/nfs/xtab
[root at mimmi ~]# ls -lZ /etc/idmapd.conf
-rw-r--r-- root root root:object_r:etc_t /etc/idmapd.conf
[root at mimmi ~]# /sbin/restorecon /etc/idmapd.conf
[root at mimmi ~]# ls -lZ /etc/idmapd.conf
-rw-r--r-- root root root:object_r:etc_t /etc/idmapd.conf
[root at mimmi ~]# rpm -Vf /etc/idmapd.conf
..5....TC c /etc/idmapd.conf
S.5....T. c /var/lib/nfs/etab
S.5....T. c /var/lib/nfs/rmtab
........? /var/lib/nfs/rpc_pipefs
..?...... c /var/lib/nfs/state
..?....T. c /var/lib/nfs/xtab
[root at mimmi ~]# rpm -qf /etc/idmapd.conf
nfs-utils-1.0.7-6
[root at mimmi ~]# rpm -q rpm selinux-policy-strict-sources selinux-policy-strict
rpm-4.3.2-21
selinux-policy-strict-sources-1.23.16-6
selinux-policy-strict-1.23.16-6

From mjc at avtechpulse.com Mon Jun 13 12:33:18 2005
From: mjc at avtechpulse.com (Dr. Michael J. Chudobiak)
Date: Mon, 13 Jun 2005 08:33:18 -0400
Subject: CGI scripts stopped working
Message-ID: <42AD7D0E.1030505@avtechpulse.com>

Hi,

My CGI scripts stopped working on Friday, after yum pulled in the latest updates. This is the error I was getting (in permissive mode):

Jun 13 08:04:27 www kernel: audit(1118664267.858:0): avc: denied { execute_no_trans } for pid=3483 exe=/usr/sbin/httpd path=/var/www/html/cgi-local/search_engine/search.pl dev=hda3 ino=7095032 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=file

However, I fixed the problem by enabling httpd_builtin_scripting using system-config-securitylevel. httpd_enable_cgi and httpd_unified are enabled, as before.

Is this the expected behavior? Where is "httpd_builtin_scripting" documented for the average user? Googling for it brings back a whopping 3 results...

- Mike

From sds at tycho.nsa.gov Mon Jun 13 14:11:31 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 13 Jun 2005 10:11:31 -0400
Subject: SELinux and RPM verification
In-Reply-To: <17069.26727.531087.533488@mimmi.uddeborg.se>
References: <17064.40375.226589.649686@freddi.uddeborg.se> <1118347900.30110.204.camel@moss-spartans.epoch.ncsc.mil> <17069.26727.531087.533488@mimmi.uddeborg.se>
Message-ID: <1118671891.24565.64.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-06-13 at 13:05 +0200, Göran Uddeborg wrote:
> There seems to be something more involved, though. When doing
> "rpm -Va" I get complaints about a few files. Doing restorecon
> doesn't change anything. See below for /etc/idmapd.conf as an
> example.
>
> My rpm is from FC3 while SELinux-packages are from FC4 test, in case
> this could be a compatibility issue.
>
> I would like to understand what is going on here.
>
> [root at mimmi ~]# rpm -Vf /etc/idmapd.conf
> ..5....TC c /etc/idmapd.conf
> S.5....T. c /var/lib/nfs/etab
> S.5....T. c /var/lib/nfs/rmtab
> ........? /var/lib/nfs/rpc_pipefs
> ..?...... c /var/lib/nfs/state
> ..?....T. c /var/lib/nfs/xtab
> [root at mimmi ~]# ls -lZ /etc/idmapd.conf
> -rw-r--r-- root root root:object_r:etc_t /etc/idmapd.conf
> [root at mimmi ~]# /sbin/restorecon /etc/idmapd.conf
> [root at mimmi ~]# ls -lZ /etc/idmapd.conf
> -rw-r--r-- root root root:object_r:etc_t /etc/idmapd.conf
> [root at mimmi ~]# rpm -Vf /etc/idmapd.conf
> ..5....TC c /etc/idmapd.conf
> S.5....T. c /var/lib/nfs/etab
> S.5....T. c /var/lib/nfs/rmtab
> ........? /var/lib/nfs/rpc_pipefs
> ..?...... c /var/lib/nfs/state
> ..?....T. c /var/lib/nfs/xtab
> [root at mimmi ~]# rpm -qf /etc/idmapd.conf
> nfs-utils-1.0.7-6
> [root at mimmi ~]# rpm -q rpm selinux-policy-strict-sources selinux-policy-strict
> rpm-4.3.2-21
> selinux-policy-strict-sources-1.23.16-6
> selinux-policy-strict-1.23.16-6

Try restorecon -F.

By default, restorecon ignores differences in the user identity (root
vs. system_u). The initial state is typically system_u (system user),
but if a root-owned process later re-creates the file, then it will end
up with root.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Mon Jun 13 17:30:50 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 13 Jun 2005 13:30:50 -0400
Subject: httpd and mysqld
In-Reply-To: <265c074205061105352dc3fd87@mail.gmail.com>
References: <265c074205061105352dc3fd87@mail.gmail.com>
Message-ID: <42ADC2CA.9080205@redhat.com>

Andrzej K?kolewski wrote:
>Hello
>I have these selinux warnings:
>
>audit(1118492920.045:0): avc: denied { search } for pid=3285
>exe=/usr/libexec/mysqld name=nscd dev=dm-0 ino=98349
>scontext=user_u:system_r:mysqld_t
>tcontext=system_u:object_r:nscd_var_run_t tclass=dir
>
>audit(1118492923.767:0): avc: denied { search } for pid=3371
>exe=/usr/sbin/httpd name=nscd dev=dm-0 ino=98349
>scontext=user_u:system_r:httpd_t
>tcontext=system_u:object_r:nscd_var_run_t tclass=dir
>
>I did autorelabel but it didn't help.
>What should I do ?
>
Are you running in permissive mode? If so please try to duplicate in
enforcing mode. AVC messages sometimes show up in permissive mode that
are prevented in enforcing mode. We are concerned with the enforcing
mode avc messages or any time SELinux prevents legitimate use of an
application.

--

From dwalsh at redhat.com Mon Jun 13 17:33:33 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 13 Jun 2005 13:33:33 -0400
Subject: problems after selinux-policy-targeted-1.17.30-3.2 update
In-Reply-To: <5ce97a22050613040853284bbc@mail.gmail.com>
References: <5ce97a22050613040853284bbc@mail.gmail.com>
Message-ID: <42ADC36D.3000508@redhat.com>

varol kaptan wrote:
>Hi,
>
>I have a shared library that I create and use within my application.
>After the update the thing stopped working. Here is some information:
>
>ls -Z /usr/bin/lua
>-rwxr-xr-x root root system_u:object_r:bin_t /usr/bin/lua
>ls -Z /home/varol/src/lua/lib/memarray.so
>-rwxrwxr-x varol varol user_u:object_r:user_home_t
>/home/varol/src/lua/lib/memarray.so
>
>tail -f /var/log/messages
>Jun 13 12:03:45 thales kernel: audit(1118660625.243:0): avc: denied
>{ execmod } for pid=3021 comm=lua
>path=/home/varol/src/lua/lib/memarray.so dev=dm-1 ino=753702
>scontext=user_u:system_r:unconfined_t
>tcontext=user_u:object_r:user_home_t tclass=file
>
>I had other problems too (acrobat 7) but was able to fix them by going
>through the mailing lists.
>
>My question is: How do I fix the above problem, and is there a way to
>fix the mess introduced with the latest
>selinux-policy-targeted-1.17.30-3.2 update once and for all?
>
>Thanks in advance,
>Varol Kaptan
>
setsebool -P allow_execmod=1

--

From goeran at uddeborg.se Mon Jun 13 17:48:45 2005
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Mon, 13 Jun 2005 19:48:45 +0200
Subject: SELinux and RPM verification
In-Reply-To: <1118671891.24565.64.camel@moss-spartans.epoch.ncsc.mil>
References: <17064.40375.226589.649686@freddi.uddeborg.se> <1118347900.30110.204.camel@moss-spartans.epoch.ncsc.mil> <17069.26727.531087.533488@mimmi.uddeborg.se> <1118671891.24565.64.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <17069.50941.573493.944608@mimmi.uddeborg.se>

Stephen Smalley writes:
> Try restorecon -F.
> By default, restorecon ignores differences in the user identity (root
> vs. system_u).

Aha! That explains a bit more. Thanks!

From varol.kaptan at gmail.com Mon Jun 13 22:45:55 2005
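The two points of the thread above, the meaning of the verify-flag columns in `rpm -V` output and why plain restorecon left the `C` flag in place, worked through as an added example (not code from rpm or the SELinux tools). The verify lines are the ones Göran posted; the expected label system_u:object_r:etc_t for /etc/idmapd.conf is a constructed value, since the thread only shows the on-disk label root:object_r:etc_t.

```python
"""Decode `rpm -V` lines and pick the restorecon form that clears a context mismatch.

Added example for this thread, not code from rpm or the SELinux tools.
"""
import re

# Column order of the nine-character verify field in rpm 4.3-era output:
# '.' means the test passed, '?' means it could not be performed.
VERIFY_COLUMNS = (
    ("S", "size"), ("M", "mode"), ("5", "md5 digest"), ("D", "device"),
    ("L", "symlink target"), ("U", "owner"), ("G", "group"),
    ("T", "mtime"), ("C", "SELinux context"),
)
ATTR_FLAGS = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTC.?]{9})\s+(?:(?P<attr>[cdglr]+)\s+)?(?P<path>/\S+)$"
)

# Lines quoted from the thread (`rpm -Vf /etc/idmapd.conf`).
SAMPLE_VERIFY_OUTPUT = [
    "..5....TC c /etc/idmapd.conf",
    "S.5....T. c /var/lib/nfs/etab",
    "........? /var/lib/nfs/rpc_pipefs",
    "..?....T. c /var/lib/nfs/xtab",
]


def parse_verify_line(line):
    """Split one `rpm -V` line into failed tests, skipped tests, attributes and path."""
    m = VERIFY_LINE.match(line.strip())
    if not m:
        raise ValueError("not an rpm -V line: %r" % line)
    failed, skipped = [], []
    for (letter, name), ch in zip(VERIFY_COLUMNS, m.group("flags")):
        if ch == letter:
            failed.append(name)
        elif ch == "?":
            skipped.append(name)
        elif ch != ".":
            raise ValueError("unexpected %r in column %s of %r" % (ch, letter, line))
    attrs = [ATTR_FLAGS[a] for a in (m.group("attr") or "")]
    return {"path": m.group("path"), "attrs": attrs, "failed": failed, "skipped": skipped}


def split_context(ctx):
    """user:role:type[:range] -> dict; an MLS range, if present, is kept verbatim."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    fields = {"user": parts[0], "role": parts[1], "type": parts[2]}
    if len(parts) == 4:
        fields["range"] = parts[3]
    return fields


def context_diff(actual, expected):
    """Context fields on which the on-disk label disagrees with file_contexts."""
    a, e = split_context(actual), split_context(expected)
    return [k for k in ("user", "role", "type", "range") if a.get(k) != e.get(k)]


def restorecon_hint(actual, expected):
    """Which restorecon invocation clears the mismatch, or None if there is none.

    As Stephen Smalley explains above, plain restorecon ignores a difference
    in the user component (root vs. system_u), so a label that differs only
    there is rewritten only by `restorecon -F`.
    """
    diff = context_diff(actual, expected)
    if not diff:
        return None
    if diff == ["user"]:
        return "restorecon -F"
    return "restorecon"


def verify_report(lines, expected_contexts, on_disk_contexts):
    """For each verify line carrying a 'C' failure, say which fix applies.

    Both mappings are path -> context. In real use they would come from
    matchpathcon(1) and `ls -Z`; here they are supplied by the caller.
    """
    report = {}
    for line in lines:
        entry = parse_verify_line(line)
        if "SELinux context" not in entry["failed"]:
            continue
        path = entry["path"]
        report[path] = restorecon_hint(on_disk_contexts[path], expected_contexts[path])
    return report


if __name__ == "__main__":
    on_disk = {"/etc/idmapd.conf": "root:object_r:etc_t"}       # from the thread's ls -Z
    expected = {"/etc/idmapd.conf": "system_u:object_r:etc_t"}  # constructed value
    for path, fix in verify_report(SAMPLE_VERIFY_OUTPUT, expected, on_disk).items():
        print(path, "->", fix)
```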
From: varol.kaptan at gmail.com (varol kaptan)
Date: Mon, 13 Jun 2005 23:45:55 +0100
Subject: problems after selinux-policy-targeted-1.17.30-3.2 update
In-Reply-To: <42ADC36D.3000508@redhat.com>
References: <5ce97a22050613040853284bbc@mail.gmail.com> <42ADC36D.3000508@redhat.com>
Message-ID: <5ce97a2205061315452a004e9d@mail.gmail.com>

On 6/13/05, Daniel J Walsh wrote:
> varol kaptan wrote:
>
> >Hi,
> >
> >I have a shared library that I create and use within my application.
> >After the update the thing stopped working. Here is some information:
> >
> >ls -Z /usr/bin/lua
> >-rwxr-xr-x root root system_u:object_r:bin_t /usr/bin/lua
> >ls -Z /home/varol/src/lua/lib/memarray.so
> >-rwxrwxr-x varol varol user_u:object_r:user_home_t
> >/home/varol/src/lua/lib/memarray.so
> >
> >tail -f /var/log/messages
> >Jun 13 12:03:45 thales kernel: audit(1118660625.243:0): avc: denied
> >{ execmod } for pid=3021 comm=lua
> >path=/home/varol/src/lua/lib/memarray.so dev=dm-1 ino=753702
> >scontext=user_u:system_r:unconfined_t
> >tcontext=user_u:object_r:user_home_t tclass=file
> >
> >I had other problems too (acrobat 7) but was able to fix them by going
> >through the mailing lists.
> >
> >My question is: How do I fix the above problem, and is there a way to
> >fix the mess introduced with the latest
> >selinux-policy-targeted-1.17.30-3.2 update once and for all?
> >
> >Thanks in advance,
> >Varol Kaptan
> >
> setsebool -P allow_execmod=1

Nope, does not work.

Thanks,
Varol Kaptan

From russell at coker.com.au Tue Jun 14 06:05:21 2005
From: russell at coker.com.au (Russell Coker)
Date: Tue, 14 Jun 2005 16:05:21 +1000
Subject: avc: denied { ioctl }?
In-Reply-To: <3495.128.252.85.103.1118240900.squirrel@morpheus.wustl.edu>
References: <2114.128.252.85.103.1118150220.squirrel@morpheus.wustl.edu> <1118233798.26902.29.camel@moss-spartans.epoch.ncsc.mil> <3495.128.252.85.103.1118240900.squirrel@morpheus.wustl.edu>
Message-ID: <200506141605.25443.russell@coker.com.au>

On Thursday 09 June 2005 00:28, "Hongwei Li" wrote:
> Another question. I installed selinux-policy-targeted-sources. However, I
> could not find local.te under domains/misc. What I see under domain are:

The point of the name "local.te" is that it will NEVER be used by any
package or distribution of policy source. So if you have not created
such a file then it should not exist.

Another name reserved for the same purpose is "custom.te" (which I have
used in examples of how to write policy).

When writing your own policy additions you should avoid using any name
that might be used by the system. If you have a name conflict then you
risk losing your changes on an upgrade.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From markus_ralser at yahoo.de Tue Jun 14 12:23:13 2005
From: markus_ralser at yahoo.de (Markus Ralser)
Date: Tue, 14 Jun 2005 14:23:13 +0200 (CEST)
Subject: other problems after selinux-policy-targeted-1.17.30-3.2
Message-ID: <20050614122313.82396.qmail@web26909.mail.ukl.yahoo.com>

Dear all,

an old error seems to reappear after update to
selinux-policy-targeted-1.17.30-3.2.

When I try to start my openoffice now, I get

/etc/openoffice.org-1.9/program/soffice.bin: error while loading shared libraries: /opt/openoffice.org1.9.104/program/libicudata.so.26: cannot restore segment prot after reloc: Permission denied

Can anybody help me quickly please?

Thank you,
Markus

From michael.es.carney at sbcglobal.net Tue Jun 14 17:26:30 2005
From: michael.es.carney at sbcglobal.net (Michael W. Carney)
Date: Tue, 14 Jun 2005 10:26:30 -0700
Subject: acrobat 7 stopped working recently...
Message-ID:

Likely related to recent targeted policy updates...:

Jun 14 10:03:09 lucy-01 kernel: audit(1118768589.854:0): avc: denied { execmod } for pid=5660 comm=acroread path=/opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=sdb6 ino=65721 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
Jun 14 10:03:09 lucy-01 kernel: audit(1118768589.868:0): avc: denied { execmod } for pid=5660 comm=acroread path=/opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl dev=sdb6 ino=65676 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

62> ls -Z /opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api
-rwxr-xr-x root root system_u:object_r:usr_t /opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api*
63> ls -Z /opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl
-rwxr-xr-x root root system_u:object_r:usr_t /opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl*
64>

I'm running FC3, targeted policy:

47> rpm -q -a 'selinux*'
selinux-policy-strict-1.19.10-2
selinux-doc-1.14.1-1
selinux-policy-targeted-1.17.30-3.2
48>

Could some kind soul clue me into the right incantation to get this
working again? Thanks.

From michael.es.carney at sbcglobal.net Tue Jun 14 18:00:28 2005
From: michael.es.carney at sbcglobal.net (Michael W. Carney)
Date: Tue, 14 Jun 2005 11:00:28 -0700
Subject: acrobat 7 stopped working recently...
References:
Message-ID:

Michael W. Carney wrote:
> Likely related to recent targeted policy updates...:
>
> Jun 14 10:03:09 lucy-01 kernel: audit(1118768589.854:0): avc: denied
> { execmod } for pid=5660 comm=acroread
> path=/opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=sdb6
> ino=65721 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:usr_t tclass=file
> Jun 14 10:03:09 lucy-01 kernel: audit(1118768589.868:0): avc: denied
> { execmod } for pid=5660 comm=acroread
> path=/opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl dev=sdb6
> ino=65676 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:usr_t tclass=file
>
> 62> ls -Z /opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api
> -rwxr-xr-x root root system_u:object_r:usr_t /opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api*
> 63> ls -Z /opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl
> -rwxr-xr-x root root system_u:object_r:usr_t /opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl*
> 64>
>
> I'm running FC3, targeted policy:
>
> 47> rpm -q -a 'selinux*'
> selinux-policy-strict-1.19.10-2
> selinux-doc-1.14.1-1
> selinux-policy-targeted-1.17.30-3.2
> 48>
>
> Could some kind soul clue me into the right incantation to get this
> working again? Thanks.

Ok, these files are shared libraries, so I imagine the context should be:

system_u:object_r:shlib_t rather than system_u:object_r:usr_t.

Should I be making changes to:

/etc/selinux/targeted/contexts/files/file_contexts

and adding entries for these files and then rerun setfiles?

From michael.es.carney at sbcglobal.net Tue Jun 14 18:37:51 2005
From: michael.es.carney at sbcglobal.net (Michael W. Carney)
Date: Tue, 14 Jun 2005 11:37:51 -0700
Subject: acrobat 7 stopped working recently...
References:
Message-ID:

Michael W. Carney wrote:
> Michael W. Carney wrote:
>
>> Likely related to recent targeted policy updates...:
>>
>> Jun 14 10:03:09 lucy-01 kernel: audit(1118768589.854:0): avc: denied
>> { execmod } for pid=5660 comm=acroread
>> path=/opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=sdb6
>> ino=65721 scontext=user_u:system_r:unconfined_t
>> tcontext=system_u:object_r:usr_t tclass=file
>> Jun 14 10:03:09 lucy-01 kernel: audit(1118768589.868:0): avc: denied
>> { execmod } for pid=5660 comm=acroread
>> path=/opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl dev=sdb6
>> ino=65676 scontext=user_u:system_r:unconfined_t
>> tcontext=system_u:object_r:usr_t tclass=file
>>
>> 62> ls -Z /opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api
>> -rwxr-xr-x root root system_u:object_r:usr_t /opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api*
>> 63> ls -Z /opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl
>> -rwxr-xr-x root root system_u:object_r:usr_t /opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl*
>> 64>
>>
>> I'm running FC3, targeted policy:
>>
>> 47> rpm -q -a 'selinux*'
>> selinux-policy-strict-1.19.10-2
>> selinux-doc-1.14.1-1
>> selinux-policy-targeted-1.17.30-3.2
>> 48>
>>
>> Could some kind soul clue me into the right incantation to get this
>> working again? Thanks.
>
> Ok, these files are shared libraries, so I imagine the context should be:
>
> system_u:object_r:shlib_t rather than system_u:object_r:usr_t.
>
> Should I be making changes to:
>
> /etc/selinux/targeted/contexts/files/file_contexts
>
> and adding entries for these files and then rerun setfiles?

Ok, adding explicit security context entries for acrobat worked. See the
attachment for the entries I added to:

/etc/selinux/targeted/contexts/files/file_contexts

which solved the problem. The following question remains: Are the steps I
took correct for resolving the problem? Thanks.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: file_contexts.adobe
URL:

From rirving at antient.org Wed Jun 15 00:52:59 2005
From: rirving at antient.org (Richard Irving)
Date: Tue, 14 Jun 2005 19:52:59 -0500
Subject: acrobat 7 stopped working recently...
In-Reply-To:
References:
Message-ID: <42AF7BEB.6000809@antient.org>

Michael W. Carney wrote:
>Michael W. Carney wrote:
>
That isn't *all* that is borked, the realplayer plugin in firefox/mozilla
tanked, as well. All audio, no video.

The same bug is just being announced in FC4, so I suspect it is related.

After a bunch of thumping around, one way or another, an openly *stupid*
addition got it working again... in unconfined.te add:

allow unconfined_t usr_t:file execmod;

So, as long as you don't mind leaving your armor's backdoor open, you can
get this stuff working again. As far as acrobat, YMMV, but it worked for
Realplayer.

But, *my* it feels breezy in here... :P

I suspect a better fix than this is coming, as they repair the selinux
targeted updates they just released.

Caveat Emptor.

>>Michael W. Carney wrote:
>>
>>>Likely related to recent targeted policy updates...:
>>>
>>>Jun 14 10:03:09 lucy-01 kernel: audit(1118768589.854:0): avc: denied
>>>{ execmod } for pid=5660 comm=acroread
>>>path=/opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=sdb6
>>>ino=65721 scontext=user_u:system_r:unconfined_t
>>>tcontext=system_u:object_r:usr_t tclass=file
>>>Jun 14 10:03:09 lucy-01 kernel: audit(1118768589.868:0): avc: denied
>>>{ execmod } for pid=5660 comm=acroread
>>>path=/opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl dev=sdb6
>>>ino=65676 scontext=user_u:system_r:unconfined_t
>>>tcontext=system_u:object_r:usr_t tclass=file
>>>
>>>62> ls -Z /opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api
>>>-rwxr-xr-x root root system_u:object_r:usr_t /opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api*
>>>63> ls -Z /opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl
>>>-rwxr-xr-x root root system_u:object_r:usr_t /opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl*
>>>64>
>>>
>>>I'm running FC3, targeted policy:
>>>
>>>47> rpm -q -a 'selinux*'
>>>selinux-policy-strict-1.19.10-2
>>>selinux-doc-1.14.1-1
>>>selinux-policy-targeted-1.17.30-3.2
>>>48>
>>>
>>>Could some kind soul clue me into the right incantation to get this
>>>working again? Thanks.
>>>
>>Ok, these files are shared libraries, so I imagine the context should be:
>>
>>system_u:object_r:shlib_t rather than system_u:object_r:usr_t.
>>
>>Should I be making changes to:
>>
>>/etc/selinux/targeted/contexts/files/file_contexts
>>
>>and adding entries for these files and then rerun setfiles?
>>
>
>Ok, adding explicit security context entries for acrobat worked. See the
>attachment for the entries I added to:
>
>/etc/selinux/targeted/contexts/files/file_contexts
>
>which solved the problem. The following question remains: Are the steps I
>took correct for resolving the problem? Thanks.
>
>------------------------------------------------------------------------
>
>#
># Acrobat7.0...
>#
>/opt/Acrobat7.0/Browser/.*/nppdf\.so -- system_u:object_r:shlib_t
>/opt/Acrobat7.0/Reader/.*/plug_ins/.*\.api -- system_u:object_r:shlib_t
>/opt/Acrobat7.0/Reader/.*/SPPlugins/ADMPlugin\.apl -- system_u:object_r:shlib_t
>
>------------------------------------------------------------------------

From knight at baldmt.com Wed Jun 15 02:10:31 2005
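The acrobat thread above ends with two competing fixes: Michael Carney's file_contexts entries that relabel the plugin shared objects shlib_t, and Richard Irving's blanket `allow unconfined_t usr_t:file execmod;`. The following added example (not code from the list, Fedora or the SELinux tools) parses the AVC lines quoted in the thread and emits the narrowly scoped fix, a per-path file_contexts entry in the form Michael attached; the log lines are copied from the thread and the helper names are my own.

```python
"""Triage SELinux AVC execmod denials the way this thread resolved them.

Added example, not code from the list, Fedora or the SELinux tools. It
suggests a file_contexts entry per mislabelled library (Michael Carney's
approach) instead of a policy rule granting execmod on every usr_t file to
every unconfined process (Richard Irving's `allow unconfined_t usr_t:file
execmod;`), which widens the permission far beyond the few plugins that need it.
"""
import re

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\):\s+avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Types that already mean "shared library": an execmod denial on one of these
# is a policy question (the allow_execmod boolean), not a labelling problem.
LIBRARY_TYPES = {"shlib_t", "lib_t", "textrel_shlib_t"}
LIBRARY_LABEL = "system_u:object_r:shlib_t"   # the label the thread's fix applied
FC_SPECIALS = set(".^$*+?()[]{}|\\")

# Denials quoted in the thread: two from acroread, one unrelated httpd CGI denial.
SAMPLE_LOG = [
    "Jun 14 10:03:09 lucy-01 kernel: audit(1118768589.854:0): avc: denied { execmod } for pid=5660 comm=acroread path=/opt/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=sdb6 ino=65721 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file",
    "Jun 14 10:03:09 lucy-01 kernel: audit(1118768589.868:0): avc: denied { execmod } for pid=5660 comm=acroread path=/opt/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl dev=sdb6 ino=65676 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file",
    "Jun 13 08:04:27 www kernel: audit(1118664267.858:0): avc: denied { execute_no_trans } for pid=3483 exe=/usr/sbin/httpd path=/var/www/html/cgi-local/search_engine/search.pl dev=hda3 ino=7095032 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=file",
]


def parse_avc(line):
    """Pull verdict, permission set and key=value fields out of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    rec = {"time": float(m.group("ts")), "verdict": m.group("verdict"),
           "perms": set(m.group("perms").split()), "fields": fields}
    for which in ("scontext", "tcontext"):
        parts = fields.get(which, "").split(":")
        if len(parts) >= 3:
            rec[which] = {"user": parts[0], "role": parts[1], "type": parts[2]}
    return rec


def fc_escape(path):
    """Escape a literal path for the regex column of file_contexts."""
    return "".join("\\" + c if c in FC_SPECIALS else c for c in path)


def recommend(rec):
    """Return a file_contexts entry when the denial is a mislabelled library, else None."""
    if rec["verdict"] != "denied" or "execmod" not in rec["perms"]:
        return None
    if rec["fields"].get("tclass") != "file" or "tcontext" not in rec:
        return None
    if rec["tcontext"]["type"] in LIBRARY_TYPES:
        return None
    path = rec["fields"].get("path")
    if not path:
        return None          # truncated or hand-transcribed record: nothing to label
    return "%s -- %s" % (fc_escape(path), LIBRARY_LABEL)


def triage(log_lines):
    """Map each path with an execmod denial to the file_contexts line that would fix it."""
    suggestions = {}
    for line in log_lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = recommend(rec)
        if entry:
            suggestions[rec["fields"]["path"]] = entry
    return suggestions


if __name__ == "__main__":
    # Append the printed lines to /etc/selinux/targeted/contexts/files/file_contexts,
    # then run restorecon on the affected paths so the new labels take effect.
    for path, entry in sorted(triage(SAMPLE_LOG).items()):
        print(entry)
```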
From: knight at baldmt.com (Steven Knight)
Date: Tue, 14 Jun 2005 22:10:31 -0400 (EDT)
Subject: help with Kernel panic after update
Message-ID:

Help!

Yesterday afternoon, my home FC3 system took a power hit (not
unusual, unfortunately). Nothing seemed particularly amiss, it
came back up on its own (while I was still at work) and I reconnected
and used it for several hours without noticing anything unusual.
This is probably unrelated to what follows, but I mention it just
in case it's not.

Upon arriving home, I logged back in on my desktop and noticed my
Red Hat update icon on the top taskbar was red and pulsing. I went
ahead and su'ed up and fired up "yum update". It asked for permission
to update about 17 packages (I noticed GAIM on the list, but otherwise
didn't pay much attention), but being used to reliable updates before,
I went ahead and installed all of them without a second thought.

First sign of trouble: I could no longer ls, df, or do just about
anything. Error messages were complaining about "Permission denied"
for /lib/tls/libc.so.6 (and possibly other libraries), even when I
tried to do anything from my su shell.

Figuring (naively) that I had some kind of package version skew, I
(naively) tried rebooting to see if that would clear things up.
Bad, hasty decision: I now get an immediate kernel panic as follows
(modulo typos from transcribing the information by hand):

Uncompressing Linux... Ok, booting the kernel.
ACPI: BIOS age (1999) fails cutoff (2001, acpi=force is required to enable ACPI
audit(1118711202.065:0): initialized
Red Hat nash version 4.1.18 starting
audit(1118711209.899:0): avc: denied { execmod } for pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=hdd2 ino=528350 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:filet tcall=file
/sbin/init: error while loading shared libraries: /lib/tls/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
Kernel panic - not syncing: Attempted to kill init!

After poking around, I figured out that this permission error was
connected to selinux. My guess is that selinux-policy-target might
have been part of the updates I installed, but like I said,
I wasn't paying attention. (Note that I installed the selinux
RPM(s) by default when I first installed FC, but I've never bothered
to really understand or do anything with them, so don't presume
any coherent administrative behavior on my part.)

Some additional searches pointed me to /sbin/fixfiles, and the idea
that relabelling might be necessary. So I tried booting up on
Knoppix and mounting my filesystems in their usual configuration
relative to each other. I then chroot'ed to the root of my
reconstructed file systems and ran "fixfiles relabel". This seemed
to relabel a bunch of stuff, but it wouldn't relabel anything on
my root partition, claiming that was mounted read-only. (It wasn't
relative to Knoppix, so I think that's an artifact of chroot
behavior.)

Interestingly enough, the /lib/tls/libc.so.6 file mentioned in the
error message never showed up as a file that fixfiles tried to
relabel.

I tried rebooting anyway with the same panic as above.

Since I'm not actually "doing anything" with selinux, I'd be fine
with completely disabling it and/or removing it from my system, but
I can't even figure out how to get to the point of being able to
do that. How can I either work the right magic to label the above
file appropriately and/or get past this panic, or else just disable/remove
selinux so I can get going again?

Thanks,

--SK

From walters at redhat.com Wed Jun 15 02:24:01 2005
From: walters at redhat.com (Colin Walters)
Date: Tue, 14 Jun 2005 22:24:01 -0400
Subject: CGI scripts stopped working
In-Reply-To: <42AD7D0E.1030505@avtechpulse.com>
References: <42AD7D0E.1030505@avtechpulse.com>
Message-ID: <1118802241.3930.18.camel@nexus.verbum.private>

On Mon, 2005-06-13 at 08:33 -0400, Dr. Michael J. Chudobiak wrote:
> Hi,
>
> My CGI scripts stopped working on Friday, after yum pulled in the latest
> updates. This is the error I was getting (in permissive mode):

This is rawhide?

> However, I fixed the problem by enabling httpd_builtin_scripting using
> system-config-securitylevel.
>
> httpd_enable_cgi and httpd_unified are enabled, as before.
>
> Is this the expected behavior?

The default for the boolean is on; you probably also hit the upgrade bug.

> Where is "httpd_builtin_scripting"
> documented for the average user?

The man page "httpd_selinux" has some brief discussion. I hope to update
the Fedora Apache/SELinux guide for all the changes in FC4 soon.

From walters at redhat.com Wed Jun 15 02:44:39 2005
From: walters at redhat.com (Colin Walters)
Date: Tue, 14 Jun 2005 22:44:39 -0400
Subject: other problems after selinux-policy-targeted-1.17.30-3.2
In-Reply-To: <20050614122313.82396.qmail@web26909.mail.ukl.yahoo.com>
References: <20050614122313.82396.qmail@web26909.mail.ukl.yahoo.com>
Message-ID: <1118803479.3930.23.camel@nexus.verbum.private>

On Tue, 2005-06-14 at 14:23 +0200, Markus Ralser wrote:
> Dear all,
>
> an old error seems to reappear after uptdate to
> selinux-policy-targeted-1.17.30-3.2.
>
> When I try to start my openoffice now, i get
>
> /etc/openoffice.org-1.9/program/soffice.bin: error
> while loading shared libraries:
> /opt/openoffice.org1.9.104/program/libicudata.so.26:
> cannot restore segment prot after reloc: Permission
> denied

Try:

setsebool -P allow_execmod=true allow_execmem=true

This is a workaround for an upgrade bug.

From bobk at ocf.berkeley.edu Wed Jun 15 04:49:10 2005
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Tue, 14 Jun 2005 21:49:10 -0700
Subject: help with Kernel panic after update
In-Reply-To:
References:
Message-ID: <1118810950.3694.11.camel@chaucer>

On Tue, 2005-06-14 at 22:10 -0400, Steven Knight wrote:
> Help!
>
> Yesterday afternoon, my home FC3 system took a power hit (not
> unusual, unfortunately). Nothing seemed particularly amiss, it
> came back up on its own (while I was still at work) and I reconnected
> and used it for several hours without noticing anything unusual.
> This is probably unrelated to what follows, but I mention it just
> in case it's not.
>
> Upon arriving home, I logged back in on my desktop and noticed my
> Red Hat update icon on the top taskbar was red and pulsing. I went
> ahead and su'ed up and fired up "yum update". It asked for permission
> to update about 17 packages (I noticed GAIM on the list, but otherwise
> didn't pay much attention), but being used to reliable updates before,
> I went ahead and installed all of them without a second thought.
>
> First sign of trouble: I could no longer ls, df, or do just about
> anything. Error messages were complaining about "Permission denied"
> for /lib/tls/libc.so.6 (and possibly other libraries), even when I
> tried to do anything from my su shell.
>
> Figuring (naively) that I had some kind of package version skew, I
> (naively) tried rebooting to see if that would clear things up.
> Bad, hasty decision: I now get an immediate kernel panic as follows
> (modulo typos from transcribing the information by hand):
>
> Uncompressing Linux... Ok, booting the kernel.
> ACPI: BIOS age (1999) fails cutoff (2001, acpi=force is required to enable ACPI
> audit(1118711202.065:0): initialized
> Red Hat nash version 4.1.18 starting
> audit(1118711209.899:0): avc: denied { execmod } for pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=hdd2 ino=528350 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:filet tcall=file
> /sbin/init: error while loading shared libraries: /lib/tls/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
> Kernel panic - not syncing: Attempted to kill init!
>
> After poking around, I figured out that this permission error was
> connected to selinux. My guess is that selinux-policy-target might
> have been part of the updates I installed, but like I said,
> I wasn't paying attention. (Note that I installed the selinux
> RPM(s) by default when I first installed FC, but I've never bothered
> to really understand or do anything with them, so don't presume
> any coherent administrative behavior on my part.)
>
> Some additional searches pointed me to /sbin/fixfiles, and the idea
> that relabelling might be necessary. So I tried booting up on
> Knoppix and mounting my filesystems in their usual configuration
> relative to each other. I then chroot'ed to the root of my
> reconstructed file systems and ran "fixfiles relabel". This seemed
> to relabel a bunch of stuff, but it wouldn't relabel anything on
> my root partition, claiming that was mounted read-only. (It wasn't
> relative to Knoppix, so I think that's an artifact of chroot
> behavior.)
>
> Interestingly enough, the /lib/tls/libc.so.6 file mentioned in the
> error message never showed up as a file that fixfiles tried to
> relabel.
>
> I tried rebooting anyway with the same panic as above.
>
> Since I'm not actually "doing anything" with selinux, I'd be fine
> with completely disabling it and/or removing it from my system, but
> I can't even figure out how to get to the point of being able to
> do that. How can I either work the right magic to label the above
> file appropriately and/or get past this panic, or else just disable/remove
> selinux so I can get going again?

You can use the rescue disc...just download and burn the iso and boot it.
Then at the commandline type "chroot /mnt/sysimage". It should allow you
to get back into your system. Then just turn selinux off in
/etc/selinux/config and reboot.

http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/iso/FC3-i386-rescuecd.iso

Once you get back into your system try Colin's advice:

setsebool -P allow_execmod=true

Hope this helps. :)

Bob

--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From zafar at businessplus.tv Wed Jun 15 07:16:45 2005
From: zafar at businessplus.tv (Zafar)
Date: Wed, 15 Jun 2005 12:16:45 +0500
Subject: help!
Message-ID: <200506150711.j5F7BNJI028003@indigo.go4b.net>

Your server has unexpectedly terminated the connection. Possible causes
for this include server problems, network problems, or a long period of
inactivity. Account: '192.168.0.203', Server: '192.168.0.203', Protocol:
POP3, Port: 110, Secure(SSL): No, Error Number: 0x800CCC0F

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From geoff at ERINresearch.co.uk Wed Jun 15 09:20:33 2005
From: geoff at ERINresearch.co.uk (Geoff Hogan)
Date: Wed, 15 Jun 2005 10:20:33 +0100
Subject: other problems after selinux-policy-targeted-1.17.30-3.2
Message-ID: <42AFF2E1.3090001@ERINresearch.co.uk>

I have had the same problem with openoffice 1.9.104. I tried the setsebool
command suggested below without success.

I have tried

restorecon -v /opt/openoffice.org1.9.104/program/libicudata.so.26.0.1

ls -alZ /opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 returns:

-r--r--r-- root root system_u:object_r:usr_t /opt/openoffice.org1.9.104/program/libicudata.so.26.0.1

I am new to SELinux (it has just worked until now). Do I need the policy
source package installed to do these things (which I don't), or just the
policy rpm?

Many thanks.

Geoff

On Tue, 2005-06-14 at 14:23 +0200, Markus Ralser wrote:
> Dear all,
>
> an old error seems to reappear after uptdate to
> selinux-policy-targeted-1.17.30-3.2.
>
> When I try to start my openoffice now, i get
>
> /etc/openoffice.org-1.9/program/soffice.bin: error
> while loading shared libraries:
> /opt/openoffice.org1.9.104/program/libicudata.so.26:
> cannot restore segment prot after reloc: Permission
> denied

Try:

setsebool -P allow_execmod=true allow_execmem=true

This is a workaround for an upgrade bug.

From db-fedora at 3di.it Wed Jun 15 10:25:34 2005
From: db-fedora at 3di.it (Davide Bolcioni)
Date: Wed, 15 Jun 2005 12:25:34 +0200
Subject: Error setting allow_execmod (Was: other problems after selinux-policy-targeted-1.17.30-3.2)
In-Reply-To: <20050614122313.82396.qmail@web26909.mail.ukl.yahoo.com>
References: <20050614122313.82396.qmail@web26909.mail.ukl.yahoo.com>
Message-ID: <42B0021E.9040901@3di.it>

Markus Ralser wrote:
> an old error seems to reappear after uptdate to
> selinux-policy-targeted-1.17.30-3.2.

I just updated to selinux-policy-targeted-1.17.30-3.2 and tried

setsebool -P allow_execmod=true

but I get

Error setting boolean allow_execmod to value 1 (No such file or directory)

Is a reboot required? I have other FC3 hosts where the setsebool proved
unnecessary, as getsebool allow_execmod returned "active", although the
same RPM is installed. What's up?

Thank you for your consideration,
Davide Bolcioni
--
There is no place like /home.

From stewartetcie at canada.com Thu Jun 9 17:18:33 2005
From: stewartetcie at canada.com (stewartetcie at canada.com)
Date: Thu, 09 Jun 2005 10:18:33 -0700 (PDT)
Subject: not installing SELinux with Fedora
Message-ID: <20050609171833.11503.fh047.wm@smtp.sc0.cp.net>

Hi folks,

Controlling SELinux, Fedora Core 3 SELinux FAQ at
http://fedora.redhat.com/docs/selinux-faq-fc3/ says:

"Q: How do I install/not install SELinux?"

"A: The installer handles this based on the choice you make in the
Firewall Configuration screen. The default running policy is the targeted
policy, and it is on by default."

Doesn't this beg the question? In fact, doesn't the Firewall Configuration
screen merely determine whether SELinux is enabled/disabled?

Users of Fedora Core 4 want to know, how do we not, repeat not, install
SELinux?

Yours truly
STEWART & CIE.
Steve Stewart

From mel2008 at columbia.edu Wed Jun 15 14:25:38 2005
From: mel2008 at columbia.edu (Michael E Locasto)
Date: Wed, 15 Jun 2005 10:25:38 -0400 (EDT)
Subject: problems after selinux-policy-targeted-1.17.30-3.2 update
Message-ID:

I have also experienced the error in the new version of the policy boolean
file. However, Colin's advice about setting the execmod boolean to 1
doesn't work for me.

[root at xoren ~]# /usr/sbin/setsebool -P allow_execmod=true
[root at xoren ~]# /usr/sbin/getsebool allow_execmod
allow_execmod --> active
[root at xoren targeted]# grep execmod booleans
allow_execmod=1
[root at xoren targeted]#

However, I still cannot start acroread. The Mozilla Flash plugin is also
still inoperable. I see messages in /var/log/messages of the form:

Jun 15 14:12:28 xoren kernel: audit(1118844748.131:0): avc: denied { execmod } for pid=6438 comm=acroread path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=hda5 ino=29374502 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

I appreciate any advice. Should I reboot or reinitialize the SELinux
framework? If so, how? I'm a complete newbie in regards to SELinux. How do
I go about disabling selinux (I'd rather not).

Version info:

[root at xoren ~]# uname -r
2.6.11-1.27_FC3
[root at xoren ~]# rpm -qa | grep selinux
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-3.2
libselinux-devel-1.19.1-8
[root at xoren ~]#

Please CC me, I'm not subscribed to the list.

Cheers,
Michael

From linux_4ever at yahoo.com Wed Jun 15 15:06:46 2005
From: linux_4ever at yahoo.com (Steve G) Date: Wed, 15 Jun 2005 08:06:46 -0700 (PDT) Subject: not installing SELinux with Fedora In-Reply-To: <20050609171833.11503.fh047.wm@smtp.sc0.cp.net> Message-ID: <20050615150646.30379.qmail@web51504.mail.yahoo.com> >Users of Fedora Core 4 want to know, how do we not, >repeat not, install SELinux? Why would you want to do that? It's better to fix problems than avoid them. SE Linux has to be installed. libselinux is linked to many apps and the KERNEL is compiled with support for SE Linux. You can disable it, but you have to install it. -Steve Grubb __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From dwalsh at redhat.com Wed Jun 15 15:39:41 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 15 Jun 2005 11:39:41 -0400 Subject: not installing SELinux with Fedora In-Reply-To: <20050615150646.30379.qmail@web51504.mail.yahoo.com> References: <20050615150646.30379.qmail@web51504.mail.yahoo.com> Message-ID: <42B04BBD.1070304@redhat.com> Steve G wrote: >>Users of Fedora Core 4 want to know, how do we not, >>repeat not, install SELinux? >> >> > >Why would you want to do that? Its better to fix problems than avoid them. > >SE Linux has to be installed. libselinux is linked to many apps and the KERNEL is >compiled with support for SE Linux. You can disable it, but you have to install >it. > >-Steve Grubb > > You can choose in the installer to not install with SELinux. This will eliminate most of the SELinux packages and not label the file system. If you later choose to run with selinux you could install the packages and relabel the file system. >__________________________________________________ >Do You Yahoo!? >Tired of spam? Yahoo! Mail has the best spam protection around >http://mail.yahoo.com > >-- >fedora-selinux-list mailing list >fedora-selinux-list at redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > -- From dwalsh at redhat.com Wed Jun 15 15:41:50 2005 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 15 Jun 2005 11:41:50 -0400 Subject: other problems after selinux-policy-targeted-1.17.30-3.2 In-Reply-To: <42AFF2E1.3090001@ERINresearch.co.uk> References: <42AFF2E1.3090001@ERINresearch.co.uk> Message-ID: <42B04C3E.6030307@redhat.com> Geoff Hogan wrote: > I have had the same problem with openoffice 1.9.104. I tried the > setsebool command suggested below without success. I have tried > restorecon -v /opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 > > ls -alZ /opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 returns: > -r--r--r-- root root system_u:object_r:usr_t > /opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 > > I am new to SELinux (it has just worked until now). Do I need the > policy source package installed to do these things (which I don't), or > just the policy rpm? > > Many thanks. > > Geoff > > On Tue, 2005-06-14 at 14:23 +0200, Markus Ralser wrote: > > Dear all, > > > > an old error seems to reappear after update to > > selinux-policy-targeted-1.17.30-3.2. > > > > When I try to start my openoffice now, I get > > > > /etc/openoffice.org-1.9/program/soffice.bin: error > > while loading shared libraries: > > /opt/openoffice.org1.9.104/program/libicudata.so.26: > > cannot restore segment prot after reloc: Permission > > denied > > Try: > > setsebool -P allow_execmod=true allow_execmem=true > > This is a workaround for an upgrade bug. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list Policy update is on the way. For now try chcon -t shlib_t /opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 You can get an updated policy from ftp://people.redhat.com/dwalsh/SELinux/FC3 or update to the testers version or wait till tomorrow's updates. -- From dwalsh at redhat.com Wed Jun 15 15:44:46 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 15 Jun 2005 11:44:46 -0400 Subject: Error setting allow_execmod (Was: other problems after selinux-policy-targeted-1.17.30-3.2) In-Reply-To: <42B0021E.9040901@3di.it> References: <20050614122313.82396.qmail@web26909.mail.ukl.yahoo.com> <42B0021E.9040901@3di.it> Message-ID: <42B04CEE.9080000@redhat.com> Davide Bolcioni wrote: > Markus Ralser wrote: > >> an old error seems to reappear after update to >> selinux-policy-targeted-1.17.30-3.2. > > > I just updated to selinux-policy-targeted-1.17.30-3.2 and tried > > setsebool -P allow_execmod=true > > but I get > > Error setting boolean allow_execmod to value 1 (No such file or > directory) > > Is a reboot required? I have other FC3 hosts where the setsebool > proved unnecessary, as > > getsebool allow_execmod > > returned "active", although the same RPM is installed. What's up? > > Thank you for your consideration, > Davide Bolcioni > -- > There is no place like /home. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list Policy update is on the way. For now try setsebool -P allow_execmod=1 chcon -t shlib_t SHAREDLIBRARY You can get an updated policy from ftp://people.redhat.com/dwalsh/SELinux/FC3 or update to the testers version or wait till tomorrow's updates. -- From dwalsh at redhat.com Wed Jun 15 16:49:14 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 15 Jun 2005 12:49:14 -0400 Subject: problems after selinux-policy-targeted-1.17.30-3.2 update In-Reply-To: References: Message-ID: <42B05C0A.5070503@redhat.com> Michael E Locasto wrote: > > I have also experienced the error in the new version of the policy > boolean > file. However, Colin's advice about setting the execmod boolean to 1 > doesn't work for me. > > [root at xoren ~]# /usr/sbin/setsebool -P allow_execmod=true > [root at xoren ~]# /usr/sbin/getsebool allow_execmod > allow_execmod --> active > [root at xoren targeted]# grep execmod booleans > allow_execmod=1 > [root at xoren targeted]# > > However, I still cannot start acroread. The Mozilla Flash plugin is also > still inoperable. I see messages in /var/log/messages of the form: > > Jun 15 14:12:28 xoren kernel: audit(1118844748.131:0): avc: denied { > execmod } for pid=6438 comm=acroread > path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api > dev=hda5 ino=29374502 scontext=user_u:system_r:unconfined_t > tcontext=system_u:object_r:usr_t tclass=file > > I appreciate any advice. Should I reboot or reinitialize the SELinux > framework? If so, how? I'm a complete newbie in regards to SELinux. > How do I go about disabling selinux (I'd rather not). > > Version info: > > [root at xoren ~]# uname -r > 2.6.11-1.27_FC3 > [root at xoren ~]# rpm -qa | grep selinux > libselinux-1.19.1-8 > selinux-policy-targeted-1.17.30-3.2 > libselinux-devel-1.19.1-8 > [root at xoren ~]# > > Please CC me, I'm not subscribed to the list. > > Cheers, > Michael > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list try chcon -t shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api -- From ad+lists at uni-x.org Wed Jun 15 17:09:59 2005 
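The fix Dan gives above is per file: every library or plugin that trips an execmod denial needs its own chcon, and Michael's follow-up shows that acroread needed it on several plugins. The script below is an added example (mine, not from the thread or from any Fedora tool) that reads the avc lines out of /var/log/messages and prints the matching chcon command once for every distinct file that was still labelled usr_t, which is the case this thread is about. The sample log embedded in it is constructed from the denial lines quoted in the thread, one of them repeated, plus one made-up denial on a file of another type and one unrelated denial, so that the filtering is visible. Two caveats a practitioner should keep in mind: chcon only changes the on-disk label, so the next restorecon or fixfiles run (exactly what Geoff did above and got usr_t back) reverts it unless file_contexts is updated, which is what the pending policy update does; and later Fedora policies rename this type to textrel_shlib_t, so the type name here is the one this thread uses.

```sh
#!/bin/sh
# Added example: print the chcon command from the thread for every file
# that the kernel denied execmod on while it was labelled usr_t.
# Usage: execmod_fix_cmds < /var/log/messages   (review the output, then run it)

execmod_fix_cmds() {
    awk '
        # one record per execmod denial on a file object
        /avc: denied [{] execmod [}]/ && /tclass=file([^a-z_]|$)/ {
            path = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^path=/)     { path = $i; sub(/^path=/, "", path) }
                # tcontext=user:role:type -> the type is the third colon field
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            }
            # only usr_t is the case the thread fixes with shlib_t;
            # a path is printed once however many times it was denied
            if (path != "" && ttype == "usr_t" && !(path in seen)) {
                seen[path] = 1
                print "chcon -t shlib_t " path
            }
        }'
}

# Constructed sample: the acroread and openoffice denials quoted in the
# thread, the acroread one repeated, one denial on a file of another type
# (made-up path, not usr_t) and one unrelated search denial.
SAMPLE_LOG='Jun 15 14:12:28 xoren kernel: audit(1118844748.131:0): avc: denied { execmod } for pid=6438 comm=acroread path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=hda5 ino=29374502 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
Jun 16 12:51:01 kernel: audit(1118940661.113:0): avc: denied { execmod } for pid=5152 comm=soffice.bin path=/opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 dev=dm-0 ino=4728657 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
Jun 15 14:13:02 xoren kernel: audit(1118844782.004:0): avc: denied { execmod } for pid=6440 comm=acroread path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=hda5 ino=29374502 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
Jun 15 14:13:05 xoren kernel: audit(1118844785.120:0): avc: denied { execmod } for pid=6441 comm=acroread path=/usr/lib/libmadeup.so dev=hda5 ino=29374600 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Jun 16 13:11:47 moon kernel: audit(1118952707.539:6375): avc: denied { search } for pid=23062 comm="smbd" name=nscd dev=sda2 ino=388653 scontext=root:system_r:smbd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir'

# run on the sample when executed directly; nothing is relabelled, only printed
printf '%s\n' "$SAMPLE_LOG" | execmod_fix_cmds
```

On the sample this prints exactly two chcon lines, for AcroForm.api and libicudata.so.26.0.1, in the order the denials appeared.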
From: ad+lists at uni-x.org (Alexander Dalloz) Date: Wed, 15 Jun 2005 19:09:59 +0200 Subject: help! In-Reply-To: <200506150711.j5F7BNJI028003@indigo.go4b.net> References: <200506150711.j5F7BNJI028003@indigo.go4b.net> Message-ID: <1118855399.18979.727.camel@serendipity.dogma.lan> On Wed, 15.06.2005 at 9:16, Zafar wrote: > Your server has unexpectedly terminated the connection. Possible > causes for this include server problems, network problems, or a long > period of inactivity. Account: '192.168.0.203', Server: > '192.168.0.203', Protocol: POP3, Port: 110, Secure(SSL): No, Error > Number: 0x800CCC0F Why do you think this fits on the SELinux list? You are showing us an error message generated by a Windows program. So you had better ask in a Microsoft products related forum or present us the corresponding log entry on the Fedora server side, showing an audit / avc message. A description of what you are doing and your setup would be helpful too. Alexander -- Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773 legal statement: http://www.uni-x.org/legal.html Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.27_FC2smp Serendipity 19:05:44 up 22 days, 17:43, load average: 0.10, 0.17, 0.12 From wakesec at gmail.com Wed Jun 15 18:27:48 2005
From: wakesec at gmail.com (Security News) Date: Wed, 15 Jun 2005 14:27:48 -0400 Subject: distributing custom policy Message-ID: <1e0b31de050615112730557bfd@mail.gmail.com> Anyone have any thoughts on the best way to install my own policy files on a few machines? I have to go out and find a way to install a policy file, install my own file_context files, and then compile and load the new custom policy and fc files. These systems would be running standard FC3 with the targeted policy, but without the targeted sources. I would like to set them all up so that they then have my own version of the strict policy, without having the source files installed. Is rpm the best way to attack this or are there better options out there? As I see it I would have to include the policy-strict-.rpm as well as setools-.rpm within my own rpm file in order to load everything necessary to load the policy and relabel the filesystem. From sds at tycho.nsa.gov Wed Jun 15 18:41:20 2005
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 15 Jun 2005 14:41:20 -0400 Subject: distributing custom policy In-Reply-To: <1e0b31de050615112730557bfd@mail.gmail.com> References: <1e0b31de050615112730557bfd@mail.gmail.com> Message-ID: <1118860880.16874.26.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2005-06-15 at 14:27 -0400, Security News wrote: > Anyone have any thoughts on the best way to install my own policy > files on a few machines? > > I have to go out and find a way to install a policy file, install my > own file_context files, and then compile and load the new custom > policy and fc files. > > These systems would be running standard FC3 with the targeted policy, > but without the targeted sources. > > I would like to set them all up so that they then have my own version > of the strict policy, without having the source files installed. > > Is rpm the best way to attack this or are there better options out > there? As I see it I would have to include the > policy-strict-.rpm as well as setools-.rpm within my > own rpm file in order to load everything necessary to load the policy > and relabel the filesystem. setools isn't needed for SELinux operation; they are purely optional tools for policy analysis and management. It sounds like you want to perform a wholesale replacement of the policy on these systems. That should be feasible without requiring policy sources on the end systems (in the future, it will be possible to also distribute binary policy modules that can be linked into the base policy on the end systems without requiring sources on the end systems, but that support won't be available until FC5). I'm not sure why you need anything other than a selinux-policy-strict package (which contains the binary policy file, the file_contexts configuration, and other policy-related config files) with a modified post scriptlet in the spec file to perform the conversion (e.g. 
switch to permissive mode, change /etc/selinux/config, load new policy, relabel filesystems, reboot). Naturally, the devil is in the details; you'll want to try it on a non-production system first. -- Stephen Smalley National Security Agency From mel2008 at columbia.edu Wed Jun 15 18:53:11 2005 From: mel2008 at columbia.edu (Michael E Locasto) Date: Wed, 15 Jun 2005 14:53:11 -0400 (EDT) Subject: problems after selinux-policy-targeted-1.17.30-3.2 update In-Reply-To: <42B05C0A.5070503@redhat.com> References: <42B05C0A.5070503@redhat.com> Message-ID: Daniel, > try > chcon -t shlib_t > /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api This worked (I also had to do it for the other plugins and intellinux/SPPlugins/ADMPlugin.apl)...thanks very much for your help. Cheers, Michael From wakesec at gmail.com Wed Jun 15 18:53:09 2005 
From: wakesec at gmail.com (Security News) Date: Wed, 15 Jun 2005 14:53:09 -0400 Subject: distributing custom policy In-Reply-To: <1118860880.16874.26.camel@moss-spartans.epoch.ncsc.mil> References: <1e0b31de050615112730557bfd@mail.gmail.com> <1118860880.16874.26.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1e0b31de05061511531e455053@mail.gmail.com> Sorry, in the first post I meant to say that I wanted to install the policycoreutils.rpm (the devil really is in the details.) --the reason for needing this rpm is that I am hoping to be able to install a custom policy and file-labelling without installing the source configuration files. This is just so that even a root user could be kept from editing my policy.conf files. I need the coreutils b/c if the source config files are not going to be present then neither is the Makefile, so I would need to use "fixfiles relabel" and "load_policy". Unless there is a better way to load and relabel when not installing the config source files. I am hoping to have this installation be performed by someone else somewhere else, and to make the installation as mindless as possible for them. Thanks, -Dan On 6/15/05, Stephen Smalley wrote: > On Wed, 2005-06-15 at 14:27 -0400, Security News wrote: > > Anyone have any thoughts on the best way to install my own policy > > files on a few machines? > > > > I have to go out and find a way to install a policy file, install my > > own file_context files, and then compile and load the new custom > > policy and fc files. > > > > These systems would be running standard FC3 with the targeted policy, > > but without the targeted sources. > > > > I would like to set them all up so that they then have my own version > > of the strict policy, without having the source files installed. > > > > Is rpm the best way to attack this or are there better options out > > there? 
As I see it I would have to include the > > policy-strict-.rpm as well as setools-.rpm within my > > own rpm file in order to load everything necessary to load the policy > > and relabel the filesystem. > > setools isn't needed for SELinux operation; they are purely optional > tools for policy analysis and management. > > It sounds like you want to perform a wholesale replacement of the policy > on these systems. That should be feasible without requiring policy > sources on the end systems (in the future, it will be possible to also > distribute binary policy modules that can be linked into the base policy > on the end systems without requiring sources on the end systems, but > that support won't be available until FC5). > > I'm not sure why you need anything other than a selinux-policy-strict > package (which contains the binary policy file, the file_contexts > configuration, and other policy-related config files) with a modified > post scriptlet in the spec file to perform the conversion (e.g. switch > to permissive mode, change /etc/selinux/config, load new policy, relabel > filesystems, reboot). Naturally, the devil is in the details; you'll > want to try it on a non-production system first. > > -- > Stephen Smalley > National Security Agency > > From sds at tycho.nsa.gov Wed Jun 15 18:54:12 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 15 Jun 2005 14:54:12 -0400 Subject: distributing custom policy In-Reply-To: <1118860880.16874.26.camel@moss-spartans.epoch.ncsc.mil> References: <1e0b31de050615112730557bfd@mail.gmail.com> <1118860880.16874.26.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1118861652.16874.30.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2005-06-15 at 14:41 -0400, Stephen Smalley wrote: > I'm not sure why you need anything other than a selinux-policy-strict > package (which contains the binary policy file, the file_contexts > configuration, and other policy-related config files) with a modified > post scriptlet in the spec file to perform the conversion (e.g. switch > to permissive mode, change /etc/selinux/config, load new policy, relabel > filesystems, reboot). Naturally, the devil is in the details; you'll > want to try it on a non-production system first. BTW, if it is a custom policy (not just the stock Fedora strict policy), then you should give it another name other than strict and put it under its own subtree of /etc/selinux to avoid conflicts (and potential replacement by the Fedora strict policy upon subsequent updates). -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Wed Jun 15 18:56:04 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 15 Jun 2005 14:56:04 -0400 Subject: distributing custom policy In-Reply-To: <1e0b31de05061511531e455053@mail.gmail.com> References: <1e0b31de050615112730557bfd@mail.gmail.com> <1118860880.16874.26.camel@moss-spartans.epoch.ncsc.mil> <1e0b31de05061511531e455053@mail.gmail.com> Message-ID: <1118861764.16874.33.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2005-06-15 at 14:53 -0400, Security News wrote: > Sorry, in the first post I meant to say that I wanted to install the > policycoreutils.rpm (the devil really is in the details.) > > --the reason for needing this rpm is that I am hoping to be able to > install a custom policy and file-labelling without installing the > source configuration files. This is just so that even a root user > could be kept from editing my policy.conf files. I need the coreutils > b/c if the source config files are not going to be present then > neither is the Makefile, so I would need to use "fixfiles relabel" and > "load_policy". > > Unless, there is a better way to load and relabel when not installing > the config source files. > > I am hoping to have this installation be performed by someone else > somewhere else, and to make the installation as mindless as possible > for them. policycoreutils is always needed for SELinux, so it should already be installed on the base FC3 systems running targeted policy. You would only need to install a different version of it if your strict policy relies on a newer base version of policycoreutils than the stock FC3 one (at which point you may want to check whether you also require a newer libsepol and libselinux as well). -- Stephen Smalley National Security Agency From dwalsh at redhat.com Wed Jun 15 19:32:24 2005 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 15 Jun 2005 15:32:24 -0400 Subject: distributing custom policy In-Reply-To: <1118861764.16874.33.camel@moss-spartans.epoch.ncsc.mil> References: <1e0b31de050615112730557bfd@mail.gmail.com> <1118860880.16874.26.camel@moss-spartans.epoch.ncsc.mil> <1e0b31de05061511531e455053@mail.gmail.com> <1118861764.16874.33.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <42B08248.6070300@redhat.com> Stephen Smalley wrote: >On Wed, 2005-06-15 at 14:53 -0400, Security News wrote: > > >>Sorry, in the first post I meant to say that I wanted to install the >>policycoreutils.rpm (the devil really is in the details.) >> >>--the reason for needing this rpm is that I am hoping to be able to >>install a custom policy and file-labelling without installing the >>source configuration files. This is just so that even a root user >>could be kept from editing my policy.conf files. I need the coreutils >>b/c if the source config files are not going to be present then >>neither is the Makefile, so I would need to use "fixfiles relabel" and >>"load_policy". >> >>Unless, there is a better way to load and relabel when not installing >>the config source files. >> >>I am hoping to have this installation be performed by someone else >>somewhere else, and to make the installation as mindless as possible >>for them. >> >> > >policycoreutils is always needed for SELinux, so it should already be >installed on the base FC3 systems running targeted policy. You would >only need to install a different version of it if your strict policy >relies on a newer base version of policycoreutils than the stock FC3 one >(at which point you may want to check whether you also require a newer >libsepol and libselinux as well). > > > Also fixfiles/restorecon/setfiles do not require policy sources to be installed. They use the file_context files in /etc/selinux/TYPE/contexts/files/ directory. Dan -- From agenol.medina at hp.com Wed Jun 15 16:52:57 2005 
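What the post scriptlet Stephen sketches above would actually run, written out as an added example in shell; it is mine, not from the thread or from any Fedora package, and is meant to be pasted into %post or run by hand. It assumes the package has already dropped the custom policy tree under /etc/selinux/NAME with the same layout as the stock strict and targeted trees, that NAME is a placeholder (default custom; as Stephen says, not strict), and that the FC3 policycoreutils commands setenforce and load_policy (which on FC3 takes the policy file as its argument) are on PATH. Two choices here are mine rather than the thread's: the relabel is requested by touching /.autorelabel so rc.sysinit does it at the reboot instead of running fixfiles interactively inside rpm, and SELINUX=permissive is left in the config so the host comes back permissive under the new policy until you have checked it and switched it to enforcing yourself. Only the --apply argument touches the system; without it the functions are merely defined, so set_selinux_config can be tried on a copy of the config first, which is the non-production test Stephen recommends.

```sh
#!/bin/sh
# Added example: the conversion a custom policy package's %post could run
# (permissive, edit /etc/selinux/config, load policy, relabel, reboot).

POLICY_NAME="${POLICY_NAME:-custom}"   # placeholder; use your policy's own name

# set_selinux_config FILE NAME MODE: rewrite SELINUXTYPE= and SELINUX= in
# an /etc/selinux/config-style file, appending either key if it is absent.
set_selinux_config() {
    file=$1; name=$2; mode=$3
    tmp="$file.tmp.$$"
    awk -v name="$name" -v mode="$mode" '
        /^SELINUXTYPE=/ { print "SELINUXTYPE=" name; seen_type = 1; next }
        /^SELINUX=/     { print "SELINUX=" mode;     seen_mode = 1; next }
        { print }
        END {
            if (!seen_mode) print "SELINUX=" mode
            if (!seen_type) print "SELINUXTYPE=" name
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# latest_policy_file DIR: highest-numbered policy.NN in a tree's policy/
# directory (NN is the kernel policy database version). Fails if none.
latest_policy_file() {
    ver=$(ls "$1" 2>/dev/null | sed -n 's/^policy\.\([0-9][0-9]*\)$/\1/p' | sort -n | tail -n 1)
    [ -n "$ver" ] && printf '%s/policy.%s\n' "$1" "$ver"
}

# switch_policy NAME: the %post sequence from the thread, in order.
switch_policy() {
    name=$1
    tree=/etc/selinux/$name
    policy=$(latest_policy_file "$tree/policy") || { echo "no policy.NN under $tree/policy" >&2; return 1; }
    setenforce 0                                               # 1. permissive now ...
    set_selinux_config /etc/selinux/config "$name" permissive  # 2. ... and after the reboot, until checked
    load_policy "$policy"                                      # 3. load the new binary policy
    touch /.autorelabel                                        # 4. full relabel at boot with the new file_contexts
    reboot                                                     # 5. reboot
}

case "${1:-}" in
    --apply) switch_policy "$POLICY_NAME" ;;
    *) : ;;   # no argument: only define the functions
esac
```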
From: agenol.medina at hp.com (Medina, Agenol) Date: Wed, 15 Jun 2005 12:52:57 -0400 Subject: Proper steps to enable /home/*/public_html on Fedora Core 3 Message-ID: <86D9699262FD614D8407FB0F3C2BE1866BA0D0@agdexc01.americas.cpqcorp.net> Hello, I'm Agenol Medina. I recently installed FC3 and I can't get my /home/*/public_html directories available to their owners. I can do it with FC2 but since selinux is now in the picture, I don't know how to "activate" my /home/*/public_html directories. I looked for some help in my local bookstores but I found nothing that I didn't know (based on how to do the same for FC2). Can you indicate where to look or what instructions to execute? Thank you for your help. Agenol Medina From bobk at ocf.berkeley.edu Wed Jun 15 20:29:36 2005 From: bobk at ocf.berkeley.edu (Bob Kashani) Date: Wed, 15 Jun 2005 13:29:36 -0700 Subject: Proper steps to enable /home/*/public_html on Fedora Core 3 In-Reply-To: <86D9699262FD614D8407FB0F3C2BE1866BA0D0@agdexc01.americas.cpqcorp.net> References: <86D9699262FD614D8407FB0F3C2BE1866BA0D0@agdexc01.americas.cpqcorp.net> Message-ID: <1118867376.2687.2.camel@chaucer> On Wed, 2005-06-15 at 12:52 -0400, Medina, Agenol wrote: > Hello, > > I'm Agenol Medina. > > I recently installed FC3 and I can't get my /home/*/public_html directories available to their owners. > > I can do it with FC2 but since selinux is now in the picture, I don't know how to "activate" my /home/*/public_html directories. restorecon -R /home/*/public_html Bob -- Bob Kashani http://www.ocf.berkeley.edu/~bobk/garnome From walters at redhat.com Wed Jun 15 20:49:01 2005
From: walters at redhat.com (Colin Walters) Date: Wed, 15 Jun 2005 16:49:01 -0400 Subject: Proper steps to enable /home/*/public_html on Fedora Core 3 In-Reply-To: <1118867376.2687.2.camel@chaucer> References: <86D9699262FD614D8407FB0F3C2BE1866BA0D0@agdexc01.americas.cpqcorp.net> <1118867376.2687.2.camel@chaucer> Message-ID: <1118868541.24338.3.camel@nexus.verbum.private> On Wed, 2005-06-15 at 13:29 -0700, Bob Kashani wrote: > On Wed, 2005-06-15 at 12:52 -0400, Medina, Agenol wrote: > > Hello, > > > > I'm Agenol Medina. > > > > I recently installed FC3 and I can't get my /home/*/public_html directories available to their owners. > > > > I can do it with FC2 but since selinux is now in the picture, I don't know how to "activate" my /home/*/public_html directories. > > restorecon -R /home/*/public_html That works, although I tend to tell people to run chcon directly, as in: chcon -R -h -t httpd_user_content_t /home/*/public_html Since restorecon will only work for public_html. Agenol, you might find this page useful too: http://fedora.redhat.com/docs/selinux-apache-fc3/ From christofer.c.bell at gmail.com Thu Jun 16 07:40:54 2005
From: christofer.c.bell at gmail.com (Christofer C. Bell) Date: Thu, 16 Jun 2005 02:40:54 -0500 Subject: help! In-Reply-To: <200506150711.j5F7BNJI028003@indigo.go4b.net> References: <200506150711.j5F7BNJI028003@indigo.go4b.net> Message-ID: <143f0f6c05061600406b4cc7df@mail.gmail.com> On 6/15/05, Zafar wrote: > > Your server has unexpectedly terminated the connection. Possible causes for > this include server problems, network problems, or a long period of > inactivity. Account: '192.168.0.203', Server: '192.168.0.203', Protocol: > POP3, Port: 110, Secure(SSL): No, Error Number: 0x800CCC0F Looking at the return address, why do I get the feeling this person is having an issue with a "unsolicited commercial bulk email" program? -- Chris "With the way things are starting to go in this country, if forced to choose between being caught with a van full of pirated DVDs or heroin you'd actually have to pause and think about it." -- Michael Bell, drunkenblog.com From christofer.c.bell at gmail.com Thu Jun 16 07:43:35 2005 From: christofer.c.bell at gmail.com (Christofer C. Bell) Date: Thu, 16 Jun 2005 02:43:35 -0500 Subject: not installing SELinux with Fedora In-Reply-To: <20050609171833.11503.fh047.wm@smtp.sc0.cp.net> References: <20050609171833.11503.fh047.wm@smtp.sc0.cp.net> Message-ID: <143f0f6c050616004347967660@mail.gmail.com> On 6/9/05, stewartetcie at canada.com wrote: > > Users of Fedora Core 4 want to know, how do we not, > repeat not, install SELinux? Since you're already familiar how to disable SELinux, the short answer to your question is, "you can't." -- Chris "With the way things are starting to go in this country, if forced to choose between being caught with a van full of pirated DVDs or heroin you'd actually have to pause and think about it." -- Michael Bell, drunkenblog.com From sds at tycho.nsa.gov Thu Jun 16 11:23:37 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 16 Jun 2005 07:23:37 -0400 Subject: not installing SELinux with Fedora In-Reply-To: <143f0f6c050616004347967660@mail.gmail.com> References: <20050609171833.11503.fh047.wm@smtp.sc0.cp.net> <143f0f6c050616004347967660@mail.gmail.com> Message-ID: <1118921017.30202.3.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2005-06-16 at 02:43 -0500, Christofer C. Bell wrote: > On 6/9/05, stewartetcie at canada.com wrote: > > > > Users of Fedora Core 4 want to know, how do we not, > > repeat not, install SELinux? > > Since you're already familiar how to disable SELinux, the short answer > to your question is, "you can't." And just to be clear, disabling SELinux truly does cause SELinux to unhook itself from the kernel's security framework, so that it is no longer called by the kernel. And the userspace SELinux code is bracketed by checks of whether SELinux is enabled in the kernel, so it also ceases to be executed when you disable SELinux in the kernel. -- Stephen Smalley National Security Agency From monk at umich.edu Thu Jun 16 17:11:50 2005 
From: monk at umich.edu (Daniel Normolle) Date: Thu, 16 Jun 2005 13:11:50 -0400 Subject: New Policy Doesn't Fix It In-Reply-To: <1118921017.30202.3.camel@moss-spartans.epoch.ncsc.mil> References: <20050609171833.11503.fh047.wm@smtp.sc0.cp.net> <143f0f6c050616004347967660@mail.gmail.com> <1118921017.30202.3.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <42B1B2D6.3070705@umich.edu> Hello, All, I am running kernel 2.6.11-1.27_FC3. I had disabled SELinux two policies ago because it prevented two applications I depend on, Open Office and SAS, from launching. I relabeled the disk, turned SELinux back on, and updated with today's new, improved policy. My situation is unchanged, launching SAS generates this message: Jun 16 12:50:49 kernel: audit(1118940649.944:0): avc: denied { execmod } for pid=5124 comm=sas path=/usr/local/SAS/SAS_9.1/sasexe/saswzx dev=dm-0 ino=5134594 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file Launching open office generates this message: Jun 16 12:51:01 kernel: audit(1118940661.113:0): avc: denied { execmod } for pid=5152 comm=soffice.bin path=/opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 dev=dm-0 ino=4728657 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file Please let me know if you have sage advice or further questions. Be specific, SELinux is the NEW WORLD for me. Regards, dpn From wakesec at gmail.com Thu Jun 16 19:19:19 2005
From: wakesec at gmail.com (Security News) Date: Thu, 16 Jun 2005 15:19:19 -0400 Subject: Fixfiles path... Message-ID: <1e0b31de0506161219e98b8c2@mail.gmail.com> Hey all, Thank you for your replies to my first post. As a side note to my issue about installing my own custom policy on several remote machines... I have just put my custom policy on a test box with the sources included. I put the sources under /etc/selinux/dan_policy/ I still have the strict source files in the /etc/selinux directory, but I have updated /etc/selinux/config to load the "dan_policy". Now my problem is that when I update the source files and try to "make relabel" or "fixfiles", both programs run the file contexts from the STRICT directory. How do I get these programs to run my own file_context files under /etc/selinux/dan_policy/...? Thanks, Dan From stefan at hoelldampf.net Thu Jun 16 19:26:57 2005 From: stefan at hoelldampf.net (Stefan Hoelldampf) Date: Thu, 16 Jun 2005 21:26:57 +0200 Subject: FC4: losetup does not work anymore Message-ID: <42B1D281.1080602@hoelldampf.net> Hi, after the FC3->FC4 upgrade losetup does not work anymore: # losetup /dev/loop0 test.img audit(1118949662.609:50): avc: denied { search } for pid=24032 comm="losetup" name=root dev=dm-0 ino=1775393 scontext=root:system_r:fsadm_t tcontext=root:object_r:user_home_dir_t tclass=dir loop: can't open device test.img: Permission denied Any hints? TIA, Stefan From sds at tycho.nsa.gov Thu Jun 16 19:30:17 2005
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 16 Jun 2005 15:30:17 -0400 Subject: Fixfiles path... In-Reply-To: <1e0b31de0506161219e98b8c2@mail.gmail.com> References: <1e0b31de0506161219e98b8c2@mail.gmail.com> Message-ID: <1118950217.30202.99.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2005-06-16 at 15:19 -0400, Security News wrote: > I have just put my custom policy on a text box with the sources > included. I put the sources under /etc/selinux/dan_policy/ > I still have the strict source files in the /etc/selinux directory, > but I have updated /etc/selinux/config to load the "dan_policy" > > Now my problem is that when I update the source files and try to "make > relabel" or "fixfiles" both programs run the file contexts from the > STRICT directory. > > How do I get these programs to run my own file_context files under > /etc/selinux/dan_policy/...? You shouldn't need sources to relabel; relabeling is based on the installed /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts* files. And SELINUXTYPE is read from /etc/selinux/config. I'm a little confused by your description above; /etc/selinux/dan_policy should be a complete policy tree, i.e. /etc/selinux/dan_policy/policy/policy.NN would be the installed binary policy file, /etc/selinux/dan_policy/contexts/files/file_contexts would be the file contexts configuration, and if you happen to install sources (which aren't needed), they would go under /etc/selinux/dan_policy/src/policy. Just like the strict or targeted policies. -- Stephen Smalley National Security Agency From cspp at yahoo.com Thu Jun 16 21:00:17 2005 
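The layout Stephen describes is what fixfiles, restorecon and setfiles resolve in two steps: SELINUXTYPE from /etc/selinux/config, then contexts/files/file_contexts under that tree; the binary policy the kernel loads sits beside it in policy/policy.NN. The script below is an added example (mine, not from the thread or from any Fedora tool) that performs that resolution and reports what is missing from a tree, which is the check to run on a custom tree such as /etc/selinux/dan_policy before expecting a relabel to use it. The root directory is a parameter so it can be exercised on a scratch copy; with /etc/selinux as the root it reports the tree a real FC3 host would use. The fallback to targeted when SELINUXTYPE is absent is my assumption, matching the Fedora default rather than anything the thread states.

```sh
#!/bin/sh
# Added example: verify that the policy tree named by SELINUXTYPE has the
# layout described in the thread, and show which file_contexts a relabel
# will read. Usage: check_policy_tree /etc/selinux

# selinux_type_from_config FILE: value of SELINUXTYPE=, or "targeted"
# (assumed Fedora default) if the key is missing.
selinux_type_from_config() {
    t=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${t:-targeted}"
}

# check_policy_tree ROOT: ROOT holds config and the per-policy subtrees
# (normally /etc/selinux). Prints "ok"/"MISSING" per required piece and
# the file_contexts path a relabel resolves to; non-zero if anything is missing.
check_policy_tree() {
    root=$1
    type=$(selinux_type_from_config "$root/config")
    tree="$root/$type"
    rc=0
    # binary policy: policy/policy.NN (NN is the policy database version)
    set -- "$tree"/policy/policy.[0-9]*
    if [ -f "$1" ]; then echo "ok      $1"; else echo "MISSING $tree/policy/policy.NN"; rc=1; fi
    # file contexts read by fixfiles/restorecon/setfiles for this SELINUXTYPE
    fc="$tree/contexts/files/file_contexts"
    if [ -f "$fc" ]; then echo "ok      $fc"; else echo "MISSING $fc"; rc=1; fi
    echo "relabel source: $fc"
    return $rc
}
```

Run against /etc/selinux on a host whose config says SELINUXTYPE=dan_policy, a "MISSING" line for contexts/files/file_contexts is the reason a relabel would appear to ignore the custom tree: the strict tree still has one, the new one does not.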
From: cspp at yahoo.com (lastic miles) Date: Thu, 16 Jun 2005 14:00:17 -0700 (PDT) Subject: fc4 samba errors { read write } { search } { remove_name } Message-ID: <20050616210018.32656.qmail@web51010.mail.yahoo.com> I'm using FC4 and my samba gives me hard time. I'm getting following errors in /var/log/messages: Jun 16 13:11:47 moon kernel: audit(1118952707.301:6371): avc: denied { read write } for pid=23062 comm="smbd" name=0 dev=devpts ino=2 scontext=root:system_r:smbd_t tcontext=root:object_r:devpts_t tclass=chr_file Jun 16 13:11:47 moon kernel: audit(1118952707.539:6375): avc: denied { search } for pid=23062 comm="smbd" name=nscd dev=sda2 ino=388653 scontext=root:system_r:smbd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir Jun 16 13:13:15 moon kernel: audit(1118952795.660:6385): avc: denied { remove_name } for pid=23072 comm="smbd" name=4dgw012.log dev=sda2 ino=389496 scontext=root:system_r:smbd_t tcontext=system_u:object_r:samba_log_t tclass=dir I reloaded the policy from /etc/selinux/targeted/src/policy with command make reload, also I activated "samba_enable_home_dirs" and I'm having inactive "use_samba_home_dirs" and "smbd_disable_trans". Don't get me wrong. My samba works, but I'm getting these errors. I would like to know why these errors are there and how to fix them? Btw I'm getting more of these error above when I'm starting smb daemon. After it's started, only "{ remove_name }" error is present all the time. Thanks in advance! -- L. Miles __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From wakesec at gmail.com Thu Jun 16 21:09:22 2005 
From: wakesec at gmail.com (Security News)
Date: Thu, 16 Jun 2005 17:09:22 -0400
Subject: locking down a secure-file-area
Message-ID: <1e0b31de0506161409329db238@mail.gmail.com>

OK, what I'm trying to do now is to lock down a particular directory,
so that only people in a certain role may use the files in that
directory. The best way I can see to do this is to have a user login
and then "newrole" their way into the new secure-area domain.

Here's what I have done thus far...
1) chcon -t securefiles_t /home/testuser/securefiles
2) I edited the policy/users file to allow certain users into a
   "secureuser_r" role.
3) I edited policy/rbac to "allow user_r secureuser_r"

I created a file called policy/domains/misc/securefiles.te with the
following:

type secureuser_t, domain;
type securefiles_t, file_type;

role secureuser_r types secureuser_t;
allow secureuser_t securefiles_t:dir *;
allow secureuser_t securefiles:file *;
domain_auto_trans(user_t, newrole_exec_t, secureuser_t)
role_tty_type_change(user, secureuser)
allow newrole_t secureuser_t:process transition;

I am able to compile and load the policy, but when I login as testuser
and attempt to "newrole -r secureuser_r -t secureuser_t" my terminal
screen closes instantly.

My error log:
avc: denied {transition} for pid=4044 exe=/usr/bin/newrole path=bin/bash ... scontext=testuser:user_r:newrole_t tcontext=testuser:secureuser_r:secureuser_t tclass=process

Any thoughts?

From roger at gwch.net Fri Jun 17 06:02:49 2005
From: roger at gwch.net (Roger Grosswiler)
Date: Fri, 17 Jun 2005 08:02:49 +0200 (CEST)
Subject: Change Password mysql for squirrelmail not working
Message-ID: <39731.62.2.21.164.1118988169.squirrel@www.gwch.net>

Hey,

I try to change my squirrel-passwords via mysql, which no longer works
on fc4. Could this be a selinux-issue? audit.log unfortunately doesn't
help. Here are my booleans for httpd:

httpd_builtin_scripting --> active
httpd_can_network_connect --> active
httpd_disable_trans --> active
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active

Thankx for your help.

Roger

From cspp at yahoo.com Fri Jun 17 06:27:07 2005
From: cspp at yahoo.com (lastic miles)
Date: Thu, 16 Jun 2005 23:27:07 -0700 (PDT)
Subject: Change Password mysql for squirrelmail not working
In-Reply-To: <39731.62.2.21.164.1118988169.squirrel@www.gwch.net>
Message-ID: <20050617062707.64292.qmail@web51001.mail.yahoo.com>

--- Roger Grosswiler wrote:
> fc4. Could this be a selinux-issue? audit.log

Well, I don't know, but you can test if selinux is the issue by turning
it off and testing.

http://fedora.redhat.com/docs/selinux-faq-fc2/index.html#id2659047

-- 
L. Miles

From roger at gwch.net Fri Jun 17 06:49:56 2005
From: roger at gwch.net (Roger Grosswiler)
Date: Fri, 17 Jun 2005 08:49:56 +0200 (CEST)
Subject: Change Password mysql for squirrelmail not working
In-Reply-To: <20050617062624.76306.qmail@web51003.mail.yahoo.com>
References: <39731.62.2.21.164.1118988169.squirrel@www.gwch.net> <20050617062624.76306.qmail@web51003.mail.yahoo.com>
Message-ID: <48054.62.2.21.164.1118990996.squirrel@www.gwch.net>

> --- Roger Grosswiler wrote:
>
>> fc4. Could this be a selinux-issue? audit.log
>
> Well, I don't know but you can test if selinux is the
> issue by turning it off and test.
>
> http://fedora.redhat.com/docs/selinux-faq-fc2/index.html#id2659047
>
> -- 
> L. Miles

I think there must have been an issue with the app & selinux.
selinux=disabled did work. Now, also with selinux=enabled, it works, as
on reboot I think there must be a kind of relabel.

Roger

From dwalsh at redhat.com Fri Jun 17 10:58:59 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 17 Jun 2005 06:58:59 -0400
Subject: New Policy Doesn't Fix It
In-Reply-To: <42B1B2D6.3070705@umich.edu>
References: <20050609171833.11503.fh047.wm@smtp.sc0.cp.net> <143f0f6c050616004347967660@mail.gmail.com> <1118921017.30202.3.camel@moss-spartans.epoch.ncsc.mil> <42B1B2D6.3070705@umich.edu>
Message-ID: <42B2ACF3.3040504@redhat.com>

Daniel Normolle wrote:
> Hello, All,
>
> I am running kernel 2.6.11-1.27_FC3. I had disabled SELinux two
> policies ago because it caused two applications I depend on,
> Open Office and SAS, from launching. I relabeled the disk, turned
> SELinux back on, and updated with today's new, improved policy.
> My situation is unchanged, launching SAS generates this message:
>
> Jun 16 12:50:49 kernel: audit(1118940649.944:0): avc: denied { execmod } for pid=5124 comm=sas path=/usr/local/SAS/SAS_9.1/sasexe/saswzx dev=dm-0 ino=5134594 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
>
> Launching open office generates this message:
>
> Jun 16 12:51:01 kernel: audit(1118940661.113:0): avc: denied { execmod } for pid=5152 comm=soffice.bin path=/opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 dev=dm-0 ino=4728657 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
>
> Please let me know if you have sage advice or further questions. Be
> specific, SELinux is the NEW WORLD for me.
>
> Regards, dpn

Are you sure you have allow_execmod set?

setsebool -P allow_execmod=1

-- 

From sds at tycho.nsa.gov Fri Jun 17 11:30:42 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 17 Jun 2005 07:30:42 -0400
Subject: locking down a secure-file-area
In-Reply-To: <1e0b31de0506161409329db238@mail.gmail.com>
References: <1e0b31de0506161409329db238@mail.gmail.com>
Message-ID: <1119007842.12524.11.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2005-06-16 at 17:09 -0400, Security News wrote:
> OK, what I'm trying to do now is to lock down a particular directory,
> so that only people in a certain role may use the files in that
> directory. The best way I can see to do this is to have a user login
> and the "newrole" their way into the new secure-area domain.
>
> Here's what I have done thus far...
> 1) chcon -t securefiles_t /home/testuser/securefiles
> 2) I edited the policy/users file to allow certain users into a
> "secureuser_r" role.
> 3) I edited policy/rbac to "allow user_r secureuser_r"
> I created a file called policy/domains/misc/securefiles.te with the following:
>
> type secureuser_t, domain;
> type securefiles_t, file_type;
>
> role secureuser_r types secureuser_t;
> allow secureuser_t securefiles_t:dir *;
> allow secureuser_t securefiles:file *;
> domain_auto_trans(user_t, newrole_exec_t, secureuser_t)
> role_tty_type_change(user, secureuser)
> allow newrole_t secureuser_t:process transition;

Use full_user_role(secureuser) to define your new role and domain. Note
that the domain_auto_trans rule above is wrong - you don't want user_t
to transition to your new user domain automatically upon running
newrole; you want it to transition to newrole_t as usual (and this will
be covered by full_user_role) and then have newrole explicitly
transition to the role specified by the user via the -r option. You'll
still need the securefiles_t type declaration and rules and the
role_tty_type_change() rule as well, but not the rest of the above.
Also, unless you truly want to allow all permissions, don't use *; use
one of the macros like create_file_perms and create_dir_perms (e.g. do
you really want to allow this domain to execute these files? To relabel
them? To mount on them? To be entered by executing these files?).

> I am able to comipile and load the policy, but when I login as
> testuser and attempt to "newrole -r secureuser_r -t secureuser_t" my
> terminal screen closes instantly.
>
> My error log:
> avc: denied {transition} for pid=4044 exe=/usr/bin/newrole
> path=bin/bash ... scontext=testuser:user_r:newrole_t
> tcontext=testuser:secureuser_r:secureuser_t
> tclass=process

Looks like the newrole transition took precedence anyway. This denial
is being caused by policy/constraints, because you are attempting to
change roles and the new domain is not marked with a 'userdomain'
attribute. But this will be addressed automatically by using
full_user_role() above to define your user role and domain.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri Jun 17 11:40:23 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 17 Jun 2005 07:40:23 -0400
Subject: New Policy Doesn't Fix It
In-Reply-To: <42B2ACF3.3040504@redhat.com>
References: <20050609171833.11503.fh047.wm@smtp.sc0.cp.net> <143f0f6c050616004347967660@mail.gmail.com> <1118921017.30202.3.camel@moss-spartans.epoch.ncsc.mil> <42B1B2D6.3070705@umich.edu> <42B2ACF3.3040504@redhat.com>
Message-ID: <1119008423.12524.17.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-06-17 at 06:58 -0400, Daniel J Walsh wrote:
> Are you sure you have allow_execmod set?
>
> setsebool -P allow_execmod=1

Per the avc message, the file was labeled usr_t
(/opt/openoffice.org1.9.104/program/libicudata.so.26.0.1). So unless
you are allowing execmod to all file types (not a good idea), that
wouldn't help. It would need to be texrel_shlib_t (preferably) or at
least shlib_t (not sure what you allow in targeted policy).

-- 
Stephen Smalley
National Security Agency

From walters at redhat.com Fri Jun 17 11:52:12 2005
From: walters at redhat.com (Colin Walters)
Date: Fri, 17 Jun 2005 07:52:12 -0400
Subject: New Policy Doesn't Fix It
In-Reply-To: <1119008423.12524.17.camel@moss-spartans.epoch.ncsc.mil>
References: <20050609171833.11503.fh047.wm@smtp.sc0.cp.net> <143f0f6c050616004347967660@mail.gmail.com> <1118921017.30202.3.camel@moss-spartans.epoch.ncsc.mil> <42B1B2D6.3070705@umich.edu> <42B2ACF3.3040504@redhat.com> <1119008423.12524.17.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1119009133.3577.7.camel@nexus.verbum.private>

On Fri, 2005-06-17 at 07:40 -0400, Stephen Smalley wrote:
> On Fri, 2005-06-17 at 06:58 -0400, Daniel J Walsh wrote:
> > Are you sure you have allow_execmod set?
> >
> > setsebool -P allow_execmod=1
>
> Per the avc message, the file was labeled usr_t
> (/opt/openoffice.org1.9.104/program/libicudata.so.26.0.1). So unless
> you are allowing execmod to all file types (not a good idea),

For the targeted policy I think we do need to allow it for file_type.
The original security goal of the targeted policy was that only a few
specific services were confined. We expect Fedora server administrators
to understand SELinux and read documentation about how to secure their
services using it. We cannot expect the same of all of the many other
kinds of people using Fedora; in this particular case, it looks to me
like Daniel is a free software enthusiast tracking the latest upstream
releases of OpenOffice.org. Until we can have some reasonable
expectation of ISV software installers labelling data correctly, I
don't think we can use execmod/execmem for unconfined_t at all.

From sds at tycho.nsa.gov Fri Jun 17 12:03:46 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 17 Jun 2005 08:03:46 -0400
Subject: New Policy Doesn't Fix It
In-Reply-To: <1119009133.3577.7.camel@nexus.verbum.private>
References: <20050609171833.11503.fh047.wm@smtp.sc0.cp.net> <143f0f6c050616004347967660@mail.gmail.com> <1118921017.30202.3.camel@moss-spartans.epoch.ncsc.mil> <42B1B2D6.3070705@umich.edu> <42B2ACF3.3040504@redhat.com> <1119008423.12524.17.camel@moss-spartans.epoch.ncsc.mil> <1119009133.3577.7.camel@nexus.verbum.private>
Message-ID: <1119009826.12524.34.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-06-17 at 07:52 -0400, Colin Walters wrote:
> For the targeted policy I think we need do need to allow it for
> file_type. The original security goal of the targeted policy was that
> only a few specific services were confined. We expect Fedora server
> administrators to understand SELinux and read documentation about how to
> secure their services using it. We cannot expect the same of all of the
> many other kinds of people using Fedora; in this particular case, it
> looks to me like Daniel is a free software enthusiast tracking the
> latest upstream releases of OpenOffice.org. Until we can have some
> reasonable expectation of ISV software installers labelling data
> correctly, I don't think we can use execmod/execmem for unconfined_t at
> all.

Hmm...well, if so, please limit to the targeted/domains/unconfined.te
file and don't alter the unconfined_domain() macro. Looks like you are
already allowing execmod to a variety of types in the targeted
unconfined.te, but not to all file types.

Given the permissive nature of targeted policy (e.g. boolean defaults
for apache and execmem/execmod are permissive), I think the release
notes or SELinux FAQ should in the future give instructions on how to
tighten up the settings for admins who want to do so. Otherwise, they
aren't likely to even think about it.

-- 
Stephen Smalley
National Security Agency

From walters at redhat.com Fri Jun 17 12:18:36 2005
From: walters at redhat.com (Colin Walters)
Date: Fri, 17 Jun 2005 08:18:36 -0400
Subject: New Policy Doesn't Fix It
In-Reply-To: <1119009826.12524.34.camel@moss-spartans.epoch.ncsc.mil>
References: <20050609171833.11503.fh047.wm@smtp.sc0.cp.net> <143f0f6c050616004347967660@mail.gmail.com> <1118921017.30202.3.camel@moss-spartans.epoch.ncsc.mil> <42B1B2D6.3070705@umich.edu> <42B2ACF3.3040504@redhat.com> <1119008423.12524.17.camel@moss-spartans.epoch.ncsc.mil> <1119009133.3577.7.camel@nexus.verbum.private> <1119009826.12524.34.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1119010716.3577.16.camel@nexus.verbum.private>

On Fri, 2005-06-17 at 08:03 -0400, Stephen Smalley wrote:
> Hmm...well, if so, please limit to the targeted/domains/unconfined.te
> file and don't alter the unconfined_domain() macro. Looks like you are
> already allowing execmod to a variety of types in the targeted
> unconfined.te, but not to all file types.

We also need to do so for initrc_t at least, because that is now the
domain that services run under by default in FC4. It would be nice
though if we could go back to using unconfined_t there, but it seems
complicated. Could we do something like:

domain_auto_trans(initrc_t, exec_type - targeted_exec_type, unconfined_t)

Would need to give e.g. httpd_exec_t the targeted_exec_type attribute,
and I'm not sure attribute subtraction works.

> Given the permissive nature of targeted policy (e.g. boolean defaults
> for apache and execmem/execmod are permissive), I think the release
> notes or SELinux FAQ should in the future give instructions on how to
> tighten up the settings for admins who want to do so. Otherwise, they
> aren't likely to even think about it.

Absolutely, this would make a good entry in the FAQ. Although I'd
personally really like to see a Fedora security guide, these booleans
would be mentioned there too.

From alex at milivojevic.org Fri Jun 17 14:58:14 2005
From: alex at milivojevic.org (alex at milivojevic.org)
Date: Fri, 17 Jun 2005 09:58:14 -0500
Subject: selinux-policy-targeted and logrotate
Message-ID: <20050617095814.zuu9peo6scc8cwc8@www.milivojevic.org>

I've installed selinux-policy-targeted-1.17.30-2.88 from RHEL4 U1 on my
system. It fixed a number of problems with /tmp mounted as tmpfs (and
hence having context of tmpfs_t, instead of tmp_t). However, I'm still
noticing one problem. Logrotate postrotate scripts fail. Log files show
it was SELinux blocking them:

Jun 16 04:02:23 mybox kernel: audit(1118912543.190:0): avc: denied { associate } for pid=28151 comm=logrotate name=logrotate.8npXq2 scontext=system_u:object_r:var_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Jun 17 04:02:18 mybox kernel: audit(1118998938.340:0): avc: denied { associate } for pid=6006 comm=logrotate name=logrotate.aNF9be scontext=system_u:object_r:var_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem

As I was typing this email, I noticed Daniel already has a
SELinux/RHEL4/u2 directory, and the changelog indicated the problem with
logrotate and tmpfs was tackled after version 1.17.30-2.88 was released.
So I downloaded selinux-policy-targeted-1.17.30-3.6 and installed it on
a test system. I noticed a small problem with the postinstall script. It
calls /sbin/restorecon, and it seems to be relabeling all my file
systems as I type this (taking a looong time). Not sure if this would
be a good idea on production systems that might have some directories
with custom labels. For example, I have chrooted Apache on one of my
systems, and relabeling would destroy it since all the files in the
chroot jail would be reset to wrong labels. Also, if I used chcon to
give some application access to files in a non-default area, relabeling
the entire file system would trash those too.

Another problem I noticed was that the file_contexts and policy.18 files
were created as dot rpmnew, and then restorecon complains about "invalid
labels" or something like that (can't cut&paste it or look up the exact
wording, it scrolled off very fast, I hardly spotted that rpmnew thing).
I guess there are some new types defined in the updated policy, but
since the policy file was created as rpmnew, the script simply reloaded
the old policy file, and the kernel didn't know about the new types.

Anyhow, I believe I had the original policy.18 and file_contexts as
installed by the previous version of the package. Shouldn't in this case
RPM install the new files instead of creating them as rpmnew?

From alex at milivojevic.org Fri Jun 17 15:20:13 2005
From: alex at milivojevic.org (alex at milivojevic.org)
Date: Fri, 17 Jun 2005 10:20:13 -0500
Subject: NIS trouble after update of targeted policy
Message-ID: <20050617102013.qq85ynl7kggw4s0g@www.milivojevic.org>

In continuation of my previous mail to this list (subject was
"selinux-policy-targeted and logrotate", but it was really more about
upgrading from 1.17.30-2.88 to 1.17.30-3.6).

After I upgraded to selinux-policy-targeted-1.17.30-3.6 (Daniel's
rhel4u2 RPM), several applications controlled by the targeted policy
started complaining about something that looks like lookups to NIS maps
were denied. The testing box in question is in permissive mode, so there
might be much more of those for boxes running in enforcing mode.

The logs are in the attachment.

-------------- next part --------------
Jun 17 10:06:58 mybox kernel: audit(1119020818.412:0): avc: denied { search } for pid=2542 comm=ntpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 17 10:06:58 mybox kernel: audit(1119020818.415:0): avc: denied { read } for pid=2542 comm=ntpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:var_yp_t tclass=file
Jun 17 10:06:58 mybox kernel: audit(1119020818.419:0): avc: denied { name_bind } for pid=2542 comm=ntpd src=1022 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 17 10:06:58 mybox kernel: audit(1119020818.422:0): avc: denied { name_bind } for pid=2542 comm=ntpd src=1023 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 17 10:06:59 mybox kernel: audit(1119020819.077:0): avc: denied { search } for pid=2576 comm=postmaster name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 17 10:07:07 mybox kernel: audit(1119020827.010:0): avc: denied { search } for pid=2642 comm=httpd name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc: denied { search } for pid=2827 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc: denied { read } for pid=2827 comm=httpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_yp_t tclass=file
Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc: denied { name_bind } for pid=2827 comm=httpd src=883 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc: denied { name_bind } for pid=2827 comm=httpd src=884 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 17 10:07:12 mybox kernel: audit(1119020832.907:0): avc: denied { connect } for pid=2827 comm=httpd lport=884 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Jun 17 10:07:13 mybox kernel: audit(1119020833.376:0): avc: denied { name_bind } for pid=2891 comm=httpd src=953 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:rndc_port_t tclass=tcp_socket
Jun 17 10:09:05 mybox kernel: audit(1119020945.663:0): avc: denied { search } for pid=2887 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir

From bobk at ocf.berkeley.edu Fri Jun 17 17:14:28 2005
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 17 Jun 2005 10:14:28 -0700
Subject: httpd fails to start with latest policy
Message-ID: <1119028468.3248.4.camel@chaucer>

httpd fails to start with the latest FC3 policy.

selinux-policy-targeted-1.17.30-3.9

Here is the AVC message:

Jun 17 10:04:48 sorcerer kernel: audit(1119027888.944:0): avc: denied { name_bind } for pid=3265 exe=/usr/sbin/httpd src=2121 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Jun 17 10:04:48 sorcerer httpd: (13)Permission denied: make_sock: could not bind to address [::]:2121
Jun 17 10:04:48 sorcerer httpd: no listening sockets available, shutting down
Jun 17 10:04:48 sorcerer httpd: Unable to open logs
Jun 17 10:04:48 sorcerer httpd: httpd startup failed

I normally use ports 80 and 2121. How do I fix this?

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From sds at tycho.nsa.gov Fri Jun 17 17:26:08 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 17 Jun 2005 13:26:08 -0400
Subject: httpd fails to start with latest policy
In-Reply-To: <1119028468.3248.4.camel@chaucer>
References: <1119028468.3248.4.camel@chaucer>
Message-ID: <1119029168.15306.43.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-06-17 at 10:14 -0700, Bob Kashani wrote:
> httpd fails to start with the latest FC3 policy.
>
> selinux-policy-targeted-1.17.30-3.9
>
> Here is the AVC message:
>
> Jun 17 10:04:48 sorcerer kernel: audit(1119027888.944:0): avc: denied
> { name_bind } for pid=3265 exe=/usr/sbin/httpd src=2121
> scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t
> tclass=tcp_socket
> Jun 17 10:04:48 sorcerer httpd: (13)Permission denied: make_sock: could
> not bind to address [::]:2121
> Jun 17 10:04:48 sorcerer httpd: no listening sockets available, shutting
> down
> Jun 17 10:04:48 sorcerer httpd: Unable to open logs
> Jun 17 10:04:48 sorcerer httpd: httpd startup failed
>
> I normally use port 80 and 2121. How do I fix this?

As a workaround, you can add a definition for 2121 to
/etc/selinux/targeted/src/policy/net_contexts, likewise mapping it to
http_port_t, e.g.

portcon tcp 2121 system_u:object_r:http_port_t

Naturally, that won't survive updates. There isn't presently a clean
way to do local customization of network-related contexts, but that is
planned (but isn't likely to be included until FC5).

Alternative is to let httpd bind to any non-reserved port at all, i.e.

allow httpd_t port_t:tcp_socket name_bind;

in /etc/selinux/targeted/src/policy/domains/misc/local.te (or any name
not used by the policy package), which would survive updates.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri Jun 17 17:53:10 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 17 Jun 2005 13:53:10 -0400
Subject: selinux-policy-targeted and logrotate
In-Reply-To: <20050617095814.zuu9peo6scc8cwc8@www.milivojevic.org>
References: <20050617095814.zuu9peo6scc8cwc8@www.milivojevic.org>
Message-ID: <1119030790.15306.61.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-06-17 at 09:58 -0500, alex at milivojevic.org wrote:
> I've installed selinux-policy-targeted-1.17.30-2.88 from RHEL4 U1 on my system.
> It fixed number of problems with /tmp mounted as tmpfs (and hence having context
> of tmpfs_t, instead of tmp_t). However, I'm still noticing one problem.
> Logrotate postrotate scripts fail. Log files show it was SELinux blocking
> them:
>
> Jun 16 04:02:23 mybox kernel: audit(1118912543.190:0): avc: denied { associate
> } for pid=28151 comm=logrotate name=logrotate.8npXq2
> scontext=system_u:object_r:var_t tcontext=system_u:object_r:tmpfs_t
> tclass=filesystem
> Jun 17 04:02:18 mybox kernel: audit(1118998938.340:0): avc: denied { associate
> } for pid=6006 comm=logrotate name=logrotate.aNF9be
> scontext=system_u:object_r:var_t tcontext=system_u:object_r:tmpfs_t
> tclass=filesystem

Hmm...tmpfs_t instead of logrotate_tmp_t? Ok, I had thought that Dan
had come up with a solution that would be equivalent to mounting with
fscontext=system_u:object_r:tmp_t and running restorecon /tmp, but I
guess he didn't. Just running restorecon /tmp is only going to change
the context on /tmp; any further files will end up transitioning from
the superblock context (which is still tmpfs_t in the absence of using
fscontext=), so they would end up requiring tmpfs_domain for each domain
with /tmp files and labeling those /tmp files with xxx_tmpfs_t instead.
At which point the xxx_tmp_t types become unused and irrelevant.

> As I was typing this email, I noticed Daniel already have SELinux/RHEL4/u2
> directory, and chagelog indicated problem with logrotate and tmpfs was tackled
> after version 1.17.30-2.88 was released. So I downloaded
> selinux-policy-targeted-1.17.30-3.6 and installed it on test system. I noticed
> small problem with postinstall script. It calls /sbin/restorecon, and it seems
> to be relabeling all my file systems as I type this (taking a looong time).
> Not sure if this would be good idea on production systems that might have some
> directories with custom labels. For example, I have chrooted Apache on one of
> my systems, and relabeling would destroy it since all the files in chroot jail
> would be reset to wrong labels. Also, if I used chcon to give some application
> access to files in non-default area, relabeling entire file system would trash
> those too.

Yes, blind relabeling considered harmful. Not sure what went into RHEL4
updates, but FC only runs fixfiles -C to do a selective relabel based on
a diff of the old and new file contexts (which can still degenerate to a
full relabel if the diff is too large).

> Another problem I noticed was that file_contexts and policy.18 files were
> created as dot rpmnew, and than restorecon complains about "invalid labels" or
> something like that (can't cut&paste it or look exact wording, it scrolled off
> very fast, I hardly spotted that newrpm thing). I guess there are some new
> types defined in updated policy, but since policy file was created as rpmnew,
> the script simply reloaded old policy file, and kernel didn't knew about new
> types.
>
> Anyhow, I believe I had original policy.18 and file_contexts as installed by
> previous version of the package. Shouldn't in this case RPM install new files
> instead of creating them as rpmnew?

Yes, if they truly were the originals. rpm -V selinux-policy-targeted.

I suspect that the problem is that you installed
selinux-policy-targeted-sources, which performs a make load in the
policy source directory as part of the %post sources, thereby
overwriting the files from selinux-policy-targeted. rpm then thinks
that you have customized the built files even if you never actually
modified policy sources themselves. Of course, if you update policy
sources, then that should rebuild your policy.

-- 
Stephen Smalley
National Security Agency

From narayan_ak at yahoo.com Fri Jun 17 18:05:35 2005
From: narayan_ak at yahoo.com (Narayan Krishnamurthy)
Date: Fri, 17 Jun 2005 11:05:35 -0700 (PDT)
Subject: How to build modules
Message-ID: <20050617180535.29726.qmail@web53608.mail.yahoo.com>

Hi,

I just installed Fedora Core 3 on my desktop which is a Dell Dimension
XPS T450. Pentium III 450 Mhz. How do I build modules? viz. USB modules?
Any detailed assistance would be appreciated

-regards
Narayan

From narayan_ak at yahoo.com Fri Jun 17 20:02:52 2005
From: narayan_ak at yahoo.com (Narayan Krishnamurthy)
Date: Fri, 17 Jun 2005 13:02:52 -0700 (PDT)
Subject: Module compilation issues in Fedora core 3
Message-ID: <20050617200253.82435.qmail@web53607.mail.yahoo.com>

Hi all,

I ran make modules from the Linux--- directory and after some time I got
the following error.

drivers/scsi/qla2xxx/qla_os.c: In function `qla2x00_queuecommand':
drivers/scsi/qla2xxx/qla_os.c:315: sorry, unimplemented: inlining failed in call to 'qla2x00_callback': function not considered for inlining
drivers/scsi/qla2xxx/qla_os.c:269: sorry, unimplemented: called from here
drivers/scsi/qla2xxx/qla_os.c:315: sorry, unimplemented: inlining failed in call to 'qla2x00_callback': function not considered for inlining
drivers/scsi/qla2xxx/qla_os.c:269: sorry, unimplemented: called from here
make[3]: *** [drivers/scsi/qla2xxx/qla_os.o] Error 1
make[2]: *** [drivers/scsi/qla2xxx] Error 2
make[1]: *** [drivers/scsi] Error 2

Anybody know how to handle this error? I am using the native compiler
which came with Fedora core 3 (gcc ver 3.4.2)

Thanks for any help
-Narayan

From bobk at ocf.berkeley.edu Fri Jun 17 23:15:20 2005
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 17 Jun 2005 16:15:20 -0700
Subject: httpd fails to start with latest policy
In-Reply-To: <1119029168.15306.43.camel@moss-spartans.epoch.ncsc.mil>
References: <1119028468.3248.4.camel@chaucer> <1119029168.15306.43.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1119050120.29334.9.camel@chaucer>

On Fri, 2005-06-17 at 13:26 -0400, Stephen Smalley wrote:
> On Fri, 2005-06-17 at 10:14 -0700, Bob Kashani wrote:
> > httpd fails to start with the latest FC3 policy.
> >
> > selinux-policy-targeted-1.17.30-3.9
> >
> > Here is the AVC message:
> >
> > Jun 17 10:04:48 sorcerer kernel: audit(1119027888.944:0): avc: denied
> > { name_bind } for pid=3265 exe=/usr/sbin/httpd src=2121
> > scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t
> > tclass=tcp_socket
> > Jun 17 10:04:48 sorcerer httpd: (13)Permission denied: make_sock: could
> > not bind to address [::]:2121
> > Jun 17 10:04:48 sorcerer httpd: no listening sockets available, shutting
> > down
> > Jun 17 10:04:48 sorcerer httpd: Unable to open logs
> > Jun 17 10:04:48 sorcerer httpd: httpd startup failed
> >
> > I normally use port 80 and 2121. How do I fix this?
>
> As a workaround, you can add a definition for 2121
> to /etc/selinux/targeted/src/policy/net_contexts, likewise mapping it to
> http_port_t, e.g.
> portcon tcp 2121 system_u:object_r:http_port_t
>
> Naturally, that won't survive updates. There isn't presently a clean
> way to do local customization of network-related contexts, but that is
> planned (but isn't likely to be included until FC5).
>
> Alternative is to let httpd bind to any non-reserved port at all, i.e.
> allow httpd_t port_t:tcp_socket name_bind;
> in /etc/selinux/targeted/src/policy/domains/misc/local.te (or any name
> not used by the policy package), which would survive updates.

Thanks, Stephen, it worked. I ended up using the local.te method so
that an upgrade won't whack my web server again. :)

Also, is this behavior the same in FC4? My desktop is currently running
FC4 and I'm going to upgrade my home server soon to FC4, so I was just
wondering.

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From bobk at ocf.berkeley.edu Sat Jun 18 01:38:22 2005
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 17 Jun 2005 18:38:22 -0700
Subject: squirrelmail not working after policy update
Message-ID: <1119058702.3403.7.camel@chaucer>

FC3
selinux-policy-targeted-1.17.30-3.9

Arrgh...squirrelmail is not working. I ran audit2allow and it told me
to add this:

allow httpd_t self:tcp_socket connect;

Which makes everything work now. Is this correct?

Here is the AVC error that I was getting:

Jun 17 18:32:26 sorcerer kernel: audit(1119058346.336:0): avc: denied { connect } for pid=3388 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From cspp at yahoo.com Sat Jun 18 18:24:07 2005
From: cspp at yahoo.com (lastic miles)
Date: Sat, 18 Jun 2005 11:24:07 -0700 (PDT)
Subject: fc4 samba errors { read write } { search } { remove_name } - second part
Message-ID: <20050618182407.44873.qmail@web51002.mail.yahoo.com>

Hello!

I found some things. With the command 'audit2allow' and the log I've
got these rules:

allow nmbd_t devpts_t:chr_file { read write };
allow smbd_t devpts_t:chr_file { read write };
allow smbd_t nscd_var_run_t:dir search;
allow smbd_t samba_log_t:dir remove_name;

How and where do I apply them to the security policy on my fc4?

Thanks!

-- 
L. Miles

From ivg2 at cornell.edu Sat Jun 18 20:36:05 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sat, 18 Jun 2005 16:36:05 -0400
Subject: fc4 samba errors { read write } { search } { remove_name } - second part
In-Reply-To: <20050618182407.44873.qmail@web51002.mail.yahoo.com>
References: <20050618182407.44873.qmail@web51002.mail.yahoo.com>
Message-ID: <1119126965.24723.6.camel@localhost.localdomain>

On Sat, 2005-06-18 at 11:24 -0700, lastic miles wrote:
> Hello!
>
> I found some things. With the command 'audit2allow' and the log I've got these rules:
>
> allow nmbd_t devpts_t:chr_file { read write };
> allow smbd_t devpts_t:chr_file { read write };

I don't like these two...

> allow smbd_t nscd_var_run_t:dir search;

Add nscd_client_domain to the daemon_domain call for smbd

> allow smbd_t samba_log_t:dir remove_name;

Samba's currently not allowed to delete logs - it seems this was done on purpose. Why, I'm not sure - so you can't erase valuable audit trail I suppose...

---

By the way, notice how samba doesn't use standard log macros for this (append_logdir_domain). The only reason for this appears to be that the type is shared across multiple types. This is not a very good reason. IMHO we need to change all those log/var/etc macros to address this issue. If you look at home_macros.te you'll see one (rather ugly) way to address this - separate macro in one declaration part, and another "access" part.

--
Ivan Gyurdiev
Cornell University

From iocc at fedora-selinux.lists.flashdance.cx Sun Jun 19 00:30:48 2005
From: iocc at fedora-selinux.lists.flashdance.cx (Peter Magnusson)
Date: Sun, 19 Jun 2005 02:30:48 +0200 (CEST)
Subject: problem with selinux-policy-targeted FC3
Message-ID:

I run FC3 on a box. I have selinux enabled. Last selinux-policy-targeted fucked up so my webserver didn't start, I think it's very irresponsible of the fedora team to fuckup a lot of peoples httpds like this.
I have;
apt-get update &>/dev/null
apt-get upgrade -y
in cron.daily.

I have many vhosts. All are in /www like /www/domain1.net /www/domain2.net and so on. If it matters it's NFS exported to another computer running FC3. No, I don't wanna move it to /var/www .

It would say;

Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
Jun 19 00:32:27 sysbabe kernel: audit(1119133946.358:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
Jun 19 00:32:27 sysbabe kernel: audit(1119133946.358:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
Jun 19 00:32:27 sysbabe kernel: audit(1119133946.359:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
Jun 19 00:32:27 sysbabe kernel: audit(1119133946.361:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir

on EACH subdir inside /www. I know nothing about selinux, only restorecon. I tried restorecon -R /www/ but it didn't help.

I got some help on irc (thanks again) and did setsebool -P httpd_disable_trans 1 and now the webserver at least works. But I guess the PROPER way would be to set system_r:httpd_t perms on all files inside /www ? But how do I do that without rebooting?
touch /.autorelabel and reboot... is a reboot.

From bobk at ocf.berkeley.edu Sun Jun 19 05:46:49 2005
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Sat, 18 Jun 2005 22:46:49 -0700
Subject: problem with selinux-policy-targeted FC3
In-Reply-To:
References:
Message-ID: <1119160009.2580.5.camel@chaucer>

On Sun, 2005-06-19 at 02:30 +0200, Peter Magnusson wrote:
> I run FC3 on an box. I have selinux enabled. Last selinux-policy-targeted
> fucked up so my webserver didnt start, I think its very irresponsible of
> the fedora team to fuckup a lot of peoples httpds like this.
> I have;
> apt-get update &>/dev/null
> apt-get upgrade -y
> in cron.daily.
>
> I have many vhosts. All are in /www like /www/domain1.net /www/domain2.net
> and so on. If it matters its NFS exported to an other computer running FC3.
> No, I dont wanna move it to /var/www .
>
> It would say;
>
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.358:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.358:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.359:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.361:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
>
> on EACH subdir inside /www. I know nothing about selinux, only restorecon.
> I tried restorecon -R /www/ but it didnt help.
>
> I got some help on irc (thanks again) and did
> setsebool -P httpd_disable_trans 1 and now the webserver at least work. But
> I guess the PROPER way would be to set system_r:httpd_t perms on all files
> inside /www ? But how do I do that without rebooting?
> touch /.autorelabel and reboot... is a reboot.

Hrmm...all my www dirs are labeled either as:

system_u:object_r:httpd_sys_content_t

or

user_u:object_r:httpd_user_content_t

To change the selinux context you can use "chcon":

chcon -R system_u:object_r:httpd_sys_content_t www

Bob

--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From ivg2 at cornell.edu Sun Jun 19 05:56:26 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sun, 19 Jun 2005 01:56:26 -0400
Subject: problem with selinux-policy-targeted FC3
In-Reply-To: <1119160009.2580.5.camel@chaucer>
References: <1119160009.2580.5.camel@chaucer>
Message-ID: <1119160587.3418.6.camel@localhost.localdomain>

> > I have;
> > apt-get update &>/dev/null
> > apt-get upgrade -y
> > in cron.daily.
> >
> > I have many vhosts. All are in /www like /www/domain1.net /www/domain2.net
> > and so on. If it matters its NFS exported to an other computer running FC3.
> > No, I dont wanna move it to /var/www .

Why is that... That's what causes your problem, since nonstandard locations are labeled as default_t. You can relabel your content httpd_sys_content_t, and this should fix the problem. However, the standard location for web content is /var/www.

--
Ivan Gyurdiev
Cornell University

From russell at coker.com.au Sun Jun 19 08:00:24 2005
From: russell at coker.com.au (Russell Coker)
Date: Sun, 19 Jun 2005 18:00:24 +1000
Subject: selinux & external hd permissions.
In-Reply-To: <200506121323.j5CDNscj011064@turing-police.cc.vt.edu>
References: <200506121323.j5CDNscj011064@turing-police.cc.vt.edu>
Message-ID: <200506191800.28538.russell@coker.com.au>

On Sunday 12 June 2005 23:23, Valdis.Kletnieks at vt.edu wrote:
> The data will be readable off any box that supports ext3 and extended
> attributes (I can't remember what happens if the kernel doesn't do the
> extended attributes - whether it won't mount, or it mounts-and-ignores).
> At worst, you'd need to drop to 'permissive' mode and/or restorecon.

Code to support XATTRs in Ext2/3 has been there for quite a while. Code that works properly (and base Ext2/3 code that has no bugs related to this) is a bit newer.

If you have a file system with XATTRs on sym-links (SE Linux puts XATTRs on all file system objects) and then try to mount it on an older 2.4.x kernel then there will be problems, I can't remember if the problems merely made the file system unusable or whether a full kernel panic occurred. In any case the result was not good.

If you need to share a disk with an old 2.4.x machine then a good solution is to mount it with -o context=... Then the context is stored in kernel memory and never written to disk (unless you use a program such as mv or cp that does it - but it will not be done automatically by the kernel).

For an external device the context= mount option is good for security too. Devices that are mounted nosuid also inhibit domain_auto_trans() rules, but having arbitrary data types on files is not desirable.

But generally the answer is that there is no serious issue no matter what you want to do. You just have to do it in the right way.

Also note that some new file system features in recent 2.6.x kernels are not supported on 2.4.x. So you may have some issues with using an old kernel even if not using SE Linux.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From Valdis.Kletnieks at vt.edu Sun Jun 19 16:23:48 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sun, 19 Jun 2005 12:23:48 -0400
Subject: selinux & external hd permissions.
In-Reply-To: Your message of "Sun, 19 Jun 2005 18:00:24 +1000." <200506191800.28538.russell@coker.com.au>
References: <200506121323.j5CDNscj011064@turing-police.cc.vt.edu> <200506191800.28538.russell@coker.com.au>
Message-ID: <200506191623.j5JGNp1I013042@turing-police.cc.vt.edu>

On Sun, 19 Jun 2005 18:00:24 +1000, Russell Coker said:
> On Sunday 12 June 2005 23:23, Valdis.Kletnieks at vt.edu wrote:
> > The data will be readable off any box that supports ext3 and extended
> > attributes (I can't remember what happens if the kernel doesn't do the
> > extended attributes - whether it won't mount, or it mounts-and-ignores).
> > At worst, you'd need to drop to 'permissive' mode and/or restorecon.
>
> Code to support XATTRs in Ext2/3 has been there for quite a while. Code that
> works properly (and base Ext2/3 code that has no bugs related to this) is a
> bit newer.

I was thinking more along the lines of somebody who had built themselves a custom kernel that had CONFIG_EXT[23]_FS_XATTR disabled

From jreiser at BitWagon.com Sun Jun 19 19:18:33 2005
From: jreiser at BitWagon.com (John Reiser)
Date: Sun, 19 Jun 2005 12:18:33 -0700
Subject: allow execmod and execmem for self debugging process [targeted]
Message-ID: <42B5C509.3060607@BitWagon.com>

A self-debugging process wants arbitrary mmap() and mprotect() on itself, but gets EACCES with "avc: denied { execmod }" when it tries. What needs to be done to allow this? There are three cases:
a) well-known named filesystem path as most-recent execve()
b) process with "self-debug" as leaf name of most-recent execve()
c) any execve() of a file with some assignable attribute [context]

Using selinux-policy-targeted-1.23.16-6 enforcing under Fedora Core 4 kernel-2.6.11-1.1369_FC4, I see complaints such as
----
type=AVC_PATH msg=audit(1119151560.280:466428): \
path="/path/to/self-debugger/shared-library"
type=SYSCALL msg=audit(1119151560.280:466428): arch=40000003 syscall=125 per=400000 \
success=no exit=-13 a0=3000 a1=1000 a2=5 a3=0 items=0 pid=2701 auid=4294967295 \
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 \
comm="self-debug" exe="/path/to/self-debugger/self-debug"
type=AVC msg=audit(1119151560.280:466428): avc: denied { execmod } for pid=2701 \
comm="self-debug" name=shared-library dev=hda7 ino=4104583 \
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:file_t tclass=file
----
Booting the kernel with "enforcing=0" allows the mprotect() to succeed; auditd.log still shows similar messages, except with "success=yes exit=0".

I'd like to retain the safeguards of the targeted enforcing policy, but allow "known cases" the capabilities that they need. [Yes, this is a technique that malware may try to exploit. "Bonware" deserves the chance to exploit it, too.]

/etc/selinux/targeted/booleans has
-----
allow_execmod=1
allow_execmem=1
-----
Shouldn't these two values have allowed any mprotect?

The self-debugger wants to re-write PROT_EXEC + MAP_PRIVATE pages of itself and other files that have been mmap()ed into the same process. Code in .a archive library such as http://BitWagon.com/tub/tub.html gives an application more control over its address space by "hooking" all mmap(), etc. Complicated watchpoints run thousands of times faster in contrast to requiring ptrace() by a second process [gdb], etc.

--

From jon at internection.com Sun Jun 19 19:53:40 2005
From: jon at internection.com (Jon August)
Date: Sun, 19 Jun 2005 15:53:40 -0400
Subject: having trouble getting dhcpd started
In-Reply-To: <42B5C509.3060607@BitWagon.com>
References: <42B5C509.3060607@BitWagon.com>
Message-ID: <9E7AD73D-D698-4E1D-844C-C1B5F17CE100@internection.com>

Hi there,

I just installed FC4 and I'm trying to get DHCP started, so I pulled my dhcpd.conf from the machine we're moving it from, and checked to see if any of the syntax had changed. All looks good, but when I try to start dhcpd I get the following.

Is SELinux preventing dhcp from binding to the port? I don't see any audit messages in /var/log/messages.

There are no other dhcp servers running on this machine or the rest of the network for that matter.

Thanks,
-Jon

Jun 19 15:39:17 fc4machine dhcpd: Internet Systems Consortium DHCP Server V3.0.2
Jun 19 15:39:17 fc4machine dhcpd: Copyright 2004 Internet Systems Consortium.
Jun 19 15:39:17 fc4machine dhcpd: All rights reserved.
Jun 19 15:39:17 fc4machine dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Jun 19 15:39:17 fc4machine dhcpd: Wrote 0 deleted host decls to leases file.
Jun 19 15:39:17 fc4machine dhcpd: Wrote 0 new dynamic host decls to leases file.
Jun 19 15:39:17 fc4machine dhcpd: Wrote 0 leases to leases file.
Jun 19 15:39:17 fc4machine dhcpd: Listening on LPF/eth0/00:11:43:d8:ec:21/208.226.79/24
Jun 19 15:39:17 fc4machine dhcpd: Sending on LPF/eth0/00:11:43:d8:ec:21/208.226.79/24
Jun 19 15:39:17 fc4machine dhcpd: Can't bind to dhcp address: Permission denied
============================^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 19 15:39:17 fc4machine dhcpd: Please make sure there is no other dhcp server
Jun 19 15:39:17 fc4machine dhcpd: running and that there's no entry for dhcp or
Jun 19 15:39:17 fc4machine dhcpd: bootp in /etc/inetd.conf. Also make sure you
Jun 19 15:39:17 fc4machine dhcpd: are not running HP JetAdmin software, which
Jun 19 15:39:17 fc4machine dhcpd: includes a bootp server.
Jun 19 15:39:17 fc4machine dhcpd:
Jun 19 15:39:17 fc4machine dhcpd: If you did not get this software from ftp.isc.org, please
Jun 19 15:39:17 fc4machine dhcpd: get the latest from ftp.isc.org and install that before
Jun 19 15:39:17 fc4machine dhcpd: requesting help.
Jun 19 15:39:17 fc4machine dhcpd:
Jun 19 15:39:17 fc4machine dhcpd: If you did get this software from ftp.isc.org and have not
Jun 19 15:39:17 fc4machine dhcpd: yet read the README, please read it before requesting help.
Jun 19 15:39:17 fc4machine dhcpd: If you intend to request help from the dhcp-server at isc.org
Jun 19 15:39:17 fc4machine dhcpd: mailing list, please read the section on the README about
Jun 19 15:39:17 fc4machine dhcpd: submitting bug reports and requests for help.
Jun 19 15:39:17 fc4machine dhcpd:
Jun 19 15:39:17 fc4machine dhcpd: Please do not under any circumstances send requests for
Jun 19 15:39:17 fc4machine dhcpd: help directly to the authors of this software - please
Jun 19 15:39:17 fc4machine dhcpd: send them to the appropriate mailing list as described in
Jun 19 15:39:17 fc4machine dhcpd: the README file.
Jun 19 15:39:17 fc4machine dhcpd:
Jun 19 15:39:17 fc4machine dhcpd: exiting.
Jun 19 15:39:17 fc4machine dhcpd: dhcpd startup failed

From ivg2 at cornell.edu Sun Jun 19 20:01:12 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sun, 19 Jun 2005 16:01:12 -0400
Subject: having trouble getting dhcpd started
In-Reply-To: <9E7AD73D-D698-4E1D-844C-C1B5F17CE100@internection.com>
References: <42B5C509.3060607@BitWagon.com> <9E7AD73D-D698-4E1D-844C-C1B5F17CE100@internection.com>
Message-ID: <1119211272.17213.11.camel@localhost.localdomain>

On Sun, 2005-06-19 at 15:53 -0400, Jon August wrote:
> Hi there,
>
> I just installed FC4 and I'm trying to get DHCP started, so I pulled
> my dhcpd.conf from the machine we're moving it from, and checked to
> see if any of the syntax had changed. All looks good, but when I try
> to start dhcpd I get the following.
>
> Is SELinux preventing dhcp from binding to the port? I don't see any
> audit messages in /var/log/messages.

What about /var/log/audit.log ?
Is audit running?

You can run SELinux in permissive mode to check.
(/usr/sbin/setenforce 0;
/etc/init.d/dhcpd restart;
/usr/sbin/setenforce 1;)

From jon at internection.com Sun Jun 19 20:05:29 2005
From: jon at internection.com (Jon August)
Date: Sun, 19 Jun 2005 16:05:29 -0400
Subject: having trouble getting dhcpd started
In-Reply-To: <1119211149.17213.10.camel@localhost.localdomain>
References: <42B5C509.3060607@BitWagon.com> <9E7AD73D-D698-4E1D-844C-C1B5F17CE100@internection.com> <1119211149.17213.10.camel@localhost.localdomain>
Message-ID: <932DDDA6-3281-439C-89D7-A58C4243036D@internection.com>

Ah ha! So it is SELinux. How do I tell SELinux to let this happen? (major SELinux newbie)

Thanks!

type=AVC msg=audit(1119209957.460:1957770): avc: denied { name_bind } for pid=3636 comm="dhcpd" src=67 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
type=SYSCALL msg=audit(1119209957.460:1957770): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7ffffff31010 a2=10 a3=7ffffff3102c items=0 pid=3636 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"

On Jun 19, 2005, at 3:59 PM, Ivan Gyurdiev wrote:
> On Sun, 2005-06-19 at 15:53 -0400, Jon August wrote:
>
>> Hi there,
>>
>> I just installed FC4 and I'm trying to get DHCP started, so I pulled
>> my dhcpd.conf from the machine we're moving it from, and checked to
>> see if any of the syntax had changed. All looks good, but when I try
>> to start dhcpd I get the following.
>>
>> Is SELinux preventing dhcp from binding to the port? I don't see any
>> audit messages in /var/log/messages.
>>
>
> What about /var/log/audit.log ?
> Is audit running?
>
> You can run SELinux in permissive mode to check.
> (/usr/sbin/setenforce 0;
> /etc/init.d/dhcpd restart;
> /usr/sbin/setenforce 1;)

From gyurdiev at redhat.com Sun Jun 19 20:17:32 2005
From: gyurdiev at redhat.com (Ivan Gyurdiev)
Date: Sun, 19 Jun 2005 16:17:32 -0400
Subject: having trouble getting dhcpd started
In-Reply-To: <932DDDA6-3281-439C-89D7-A58C4243036D@internection.com>
References: <42B5C509.3060607@BitWagon.com> <9E7AD73D-D698-4E1D-844C-C1B5F17CE100@internection.com> <1119211149.17213.10.camel@localhost.localdomain> <932DDDA6-3281-439C-89D7-A58C4243036D@internection.com>
Message-ID: <1119212252.17213.14.camel@localhost.localdomain>

On Sun, 2005-06-19 at 16:05 -0400, Jon August wrote:
> Ah ha! So it is SELinux. How do I tell SELinux to let this happen?
> (major SELinux newbie)

Wait for Dan to merge the following patch.. this is clearly a policy bug.

Otherwise you can patch policy sources yourself...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: selinux.diff
Type: text/x-patch
Size: 1782 bytes
Desc: not available
URL:

From gyurdiev at redhat.com Sun Jun 19 21:01:41 2005
From: gyurdiev at redhat.com (Ivan Gyurdiev)
Date: Sun, 19 Jun 2005 17:01:41 -0400
Subject: having trouble getting dhcpd started
In-Reply-To: <1119212252.17213.14.camel@localhost.localdomain>
References: <42B5C509.3060607@BitWagon.com> <9E7AD73D-D698-4E1D-844C-C1B5F17CE100@internection.com> <1119211149.17213.10.camel@localhost.localdomain> <932DDDA6-3281-439C-89D7-A58C4243036D@internection.com> <1119212252.17213.14.camel@localhost.localdomain>
Message-ID: <1119214901.17213.42.camel@localhost.localdomain>

On Sun, 2005-06-19 at 16:17 -0400, Ivan Gyurdiev wrote:
> On Sun, 2005-06-19 at 16:05 -0400, Jon August wrote:
> > Ah ha! So it is SELinux. How do I tell SELinux to let this happen?
> > (major SELinux newbie)
>
> Wait for Dan to merge the following patch..
> this is clearly a policy bug.

Actually the ifdef should stay around the dhcpc port - not around the dhcpd one.

From netdxr at gmail.com Sun Jun 19 22:26:41 2005
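Several posts in this archive (the httpd name_bind and connect denials, the samba rules from audit2allow, and the dhcpd reserved_port_t denial above) go through the same loop: read an AVC record, derive the allow rule it would take, then decide whether that rule is the right fix. The block below is an added example, not code from any of the posters and not the real audit2allow. It parses both record formats seen in the thread (syslog "kernel: audit(...): avc: denied" and auditd "type=AVC msg=audit(...)"), merges denials per source type, target type and class, renders them as allow rules with audit2allow's `self` convention, and flags rules whose target type is a generic one such as default_t or port_t, which in this thread meant a labeling problem (content outside /var/www, an unlisted port) rather than a missing rule. The sample records are the ones quoted in the thread plus two constructed smbd_t lines that show permission merging; the list of generic target types is an assumed heuristic, not policy.

```python
"""Added example: a minimal audit2allow-style summariser for AVC denials.

Not code from the thread and not the real audit2allow. It turns AVC records
into candidate allow rules so they can be read and reviewed before anything
goes into local.te, and points out rules that are probably labeling problems.
"""
import re
from collections import defaultdict

# Matches both the syslog form ("kernel: audit(...): avc: denied ...") and the
# auditd form ("type=AVC msg=audit(...): avc: denied ...") seen in the thread.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed heuristic: target types that usually mean "the object is mislabelled"
# rather than "the policy lacks a rule". default_t is what unlisted locations
# such as /www get; port_t is the generic type of ports with no portcon entry.
GENERIC_TARGET_TYPES = {"default_t", "port_t", "file_t", "unlabeled_t"}

# Records quoted in the thread; the last two smbd_t lines are constructed.
SAMPLE_LOG = """\
Jun 17 10:04:48 sorcerer kernel: audit(1119027888.944:0): avc: denied { name_bind } for pid=3265 exe=/usr/sbin/httpd src=2121 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Jun 17 10:04:48 sorcerer httpd: (13)Permission denied: make_sock: could not bind to address [::]:2121
Jun 17 18:32:26 sorcerer kernel: audit(1119058346.336:0): avc: denied { connect } for pid=3388 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Jun 19 00:32:27 sysbabe kernel: audit(1119133946.358:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1119209957.460:1957770): avc: denied { name_bind } for pid=3636 comm="dhcpd" src=67 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
type=AVC msg=audit(1119200000.000:1): avc: denied { read } for pid=4000 comm="smbd" scontext=root:system_r:smbd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1119200000.001:2): avc: denied { write } for pid=4000 comm="smbd" scontext=root:system_r:smbd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
"""


def type_of(context):
    """Extract the type field from a user:role:type[:mls] context string."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the parts of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarise(lines):
    """Merge denials into {(source type, target type, class): permissions}."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def allow_rules(lines):
    """Render the merged denials as policy allow rules, one string per rule."""
    out = []
    for (stype, ttype, tclass), perms in sorted(summarise(lines).items()):
        target = "self" if stype == ttype else ttype  # audit2allow's convention
        plist = sorted(perms)
        perm_text = plist[0] if len(plist) == 1 else "{ %s }" % " ".join(plist)
        out.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_text))
    return out


def review_notes(lines):
    """Flag rules whose target type points at a labeling problem, so the fix
    is relabelling (chcon/restorecon, a portcon entry) rather than allowing."""
    notes = []
    for (stype, ttype, tclass) in sorted(summarise(lines)):
        if ttype in GENERIC_TARGET_TYPES:
            notes.append("%s -> %s:%s: generic target type, check file labels "
                         "or port contexts before allowing" % (stype, ttype, tclass))
    return notes


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG.splitlines()):
        print(rule)
    for note in review_notes(SAMPLE_LOG.splitlines()):
        print("# review:", note)
```

Run as a script it prints five rules, among them the `allow httpd_t self:tcp_socket connect;` line Bob got from audit2allow, and two review notes: the httpd_t/default_t search denial (fixed in the thread by relabelling /www as httpd_sys_content_t) and the httpd_t/port_t name_bind denial (where Stephen's portcon mapping of 2121 to http_port_t is the narrower fix).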
From: netdxr at gmail.com (Tom Lisjac)
Date: Sun, 19 Jun 2005 16:26:41 -0600
Subject: Problem building new rpm's for FC4...
Message-ID: <863ff4520506191526353298c7@mail.gmail.com>

I've been using the checkinstall utility (http://asic-linux.com.mx/~izto/checkinstall/) to build RPM's from source packages since RH9. It's been recently fixed to work with a few changes in FC4... but there is a lingering SELinux issue that I'm hoping someone here can shed some light on.

After building a few RPM's, I noticed these two lines in the file lists of the RPM's I generated:

/selinux
/selinux/context

This causes the following error during the RPM install:

root at fc4-builder:~ # rpm -i /usr/src/redhat/RPMS/i386/fwlogwatch-1.0-1.i386.rpm
error: unpacking of archive failed on file /selinux/context;42b5e311: cpio: open failed - Permission denied

Does anyone know why selinux/context has been inserted into the file list? Is this a new thing that's been added to rpmbuild in FC4?

Best regards,

-Tom

From linux_4ever at yahoo.com Sun Jun 19 23:09:43 2005
From: linux_4ever at yahoo.com (Steve G)
Date: Sun, 19 Jun 2005 16:09:43 -0700 (PDT)
Subject: not installing SELinux with Fedora
In-Reply-To: <20050619182229.28250.fh050.wm@smtp.sc0.cp.net>
Message-ID: <20050619230943.77138.qmail@web51507.mail.yahoo.com>

Hi,

>Steve, take a look at "sHype: Secure Hypervisor
>Approach to Trusted Virtualized Systems" an IBM

OK. If you are running Xen, there may need to be some adjustments. I haven't taken a deep look at that yet.

>"Mandatory access control has been designed and
>implemented for the Linux operating system (cf. SELinux
>[1]). However, controlling access of processes to
>kernel data structures has led to an extremely complex
>security policy.

I don't think this is correct. SE Linux doesn't control access per se to kernel structures. The enforcement is between user space entities. I would agree that some work can be done to better visualize what the policy is doing. As soon as I wrap up work on the audit system, I want to look into this.

>Therefore, SELinux does not enforce
>strong isolation properties equivalent to those offered
>when running applications on separate hardware
>platforms.

This is true. One machine cannot really corrupt another machine. But I find it to be flawed logic to say that because the author thinks policy is complex, it doesn't offer the same protection as having 2 distinct machines. It's flawed thinking.

>Operating system security controls such as
>those offered by SELinux are more appropriate for
>enforcing mandatory access control among a set of
>closely cooperating applications, which naturally share
>a hardware platform.

This wording suggests the author has an ulterior motive. SE Linux is good for controlling the flow of information at the OS level. Any virtualization scheme is going to have similar needs. In a hypervisor system, most information flow will be via tcp/ip. An exploit in one level may allow the breach of another level. But because you don't have a policy across the virtualization levels, you have no way of making centralized decisions. There is protection offered in that corruption of one image doesn't immediately affect the others. But there are blind spots, too.

>The point is that SELinux is: (1) so complex as to be
>unmanageable; (2) inappropriate for all cases,

I'll agree with the fact that it's not needed in all cases. However, if you have a machine with exposure to hostile traffic, you are better off with it than without. If you are in a protected lab with no chance of rogue processes and pushing the machine to its limit, I'd say you really don't need it.

>On a more general note Steve, take a look at Ken
>Thompson's 1984 ACM Turing Award lecture, "Reflections
>on Trusting Trust" wherein the author of the UNIX
>operating system illustrates why you shouldn't trust
>sneaky folks like him.

Sure, all this open source software could have hidden holes in it. Your best protection in this case is to stay with the herd and hope someone spots the hole before anyone gets hacked. The more eyes looking, the better chances of problems getting fixed.

> By extension, I'm a little
>suspicious of the NSA's motives in distributing a
>system for mandatory access control that is needlessly
>complex and, essentially, unmanageable

I think you are missing one major element. People not associated with NSA are peer reviewing it. There's a lot more people involved in it. To say all the contributions came from the NSA is misleading.

>at a time when snort

Snort is crap. I code reviewed it and argued with the developers and they just didn't get it. ACID is crap. Everything related to snort is crap. Besides, this isn't protection. By the time snort says you are being attacked, it might be over. You'll spend a day reinstalling the machine. I put my review of snort on their mail list. There's so much code, I think I broke it up into 5-6 smaller reviews.

>and tripwire, for example, are widely available

But if someone compromises the machine, you can't trust tripwire anymore. Again, it's only capable of telling you something happened, not protecting you against exploit.

>and a stateful firewall is built into the Linux kernel.

Right. IPtables is good.

>Chris and Steve, you're absolutely correct. Fedora is
>the only widely used Linux distribution to incorporate
>SELinux in such a manner that it cannot be removed.

No. I removed it once. It's very easy to do, but you will be running your own distro. :) Just get a RH9 build host and use the rookery build system. It'll let you know which packages need TLC.

>If its so important, how come everybody else can get along
>without it?

Well, they are using DAC and hoping that code reviews have caught all the problems. SE Linux is an evolution in thinking. Suppose there are holes in the apps that we don't know about and bad guys do. How do you even begin to protect a system? The only symptom that you have is that suddenly bind wants to run a shell. How do you spot variances like that? This is what SE Linux was designed to stop.

>Perhaps we might consider an alternative
>Fedora Core 4 distro that is free of this one-stop
>security panacea?

All you have to do is turn it off. If you can spot a security hole in that configuration that is not DAC related...a whole lot of people will want to know.

SE Linux does need some help in managing policy. I see it kind of like when IP Tables was introduced. At first you have to code rules by hand. Then later apps like firewall builder came along and you could drop and drag firewall rules. This is what's missing from SE Linux. A good configuration for the non-security expert.

I cannot possibly convince you to use it. Nor will I try. I think each installation may be unique in its needs. You are right in questioning it as it may not fit what you are doing. But if you compile your own distro, you will be moving away from the herd and possibly susceptible to attacks that everyone else survives.

-Steve

From stewartetcie at canada.com Sun Jun 19 18:22:28 2005
From: stewartetcie at canada.com (stewartetcie at canada.com) Date: Sun, 19 Jun 2005 11:22:28 -0700 (PDT) Subject: not installing SELinux with Fedora Message-ID: <20050619182229.28250.fh050.wm@smtp.sc0.cp.net> On 6/9/05, I wrote: Users of Fedora Core 4 want to know, how do we not, repeat not, install SELinux? Steve Grubb replied: >Why would you want to do that? Its better to fix >problems than avoid them. >SE Linux has to be installed. libselinux is linked to >many apps and the KERNEL is compiled with support for >SE Linux. You can disable it, but you have to install >it. Chris Bell replied: >Since you're already familiar how to disable SELinux, >the short answer to your question is, "you can't." Please allow me to reply to these responses. Steve, take a look at "sHype: Secure Hypervisor Approach to Trusted Virtualized Systems" an IBM research report published on February 2, 2005. On page 6, the authors say: "Mandatory access control has been designed and implemented for the Linux operating system (cf. SELinux [1]). However, controlling access of processes to kernel data structures has led to an extremely complex security policy. Therefore, SELinux does not enforce strong isolation properties equivalent to those offered when running applications on separate hardware platforms. Operating system security controls such as those offered by SELinux are more appropriate for enforcing mandatory access control among a set of closely cooperating applications, which naturally share a hardware platform. In a hypervisor system, there are few resources shared on the virtualization level. This results in simple security policies when compared to those for operating system controls." The point is that SELinux is: (1) so complex as to be unmanageable; (2) inappropriate for all cases, virtualization being a case in point. By the way, sHype is available as a patch for Xen, which is distributed with Fedora Core 4. 
On a more general note Steve, take a look at Ken Thompson's 1984 ACM Turing Award lecture, "Reflections on Trusting Trust", wherein the author of the UNIX operating system illustrates why you shouldn't trust sneaky folks like him. By extension, I'm a little suspicious of the NSA's motives in distributing a system for mandatory access control that is needlessly complex and, essentially, unmanageable at a time when snort and tripwire, for example, are widely available and a stateful firewall is built into the Linux kernel.

Chris and Steve, you're absolutely correct. Fedora is the only widely used Linux distribution to incorporate SELinux in such a manner that it cannot be removed. If it's so important, how come everybody else can get along without it? Perhaps we might consider an alternative Fedora Core 4 distro that is free of this one-stop security panacea?

Yours truly,
STEWART & CIE.
Steve Stewart

From russell at coker.com.au Mon Jun 20 07:19:34 2005
From: russell at coker.com.au (Russell Coker)
Date: Mon, 20 Jun 2005 17:19:34 +1000
Subject: file contexts in FC4
Message-ID: <200506201719.38341.russell@coker.com.au>

The attached patch fixes the following errors:

matchpathcon_filespec_add: conflicting specifications for /etc/sysconfig/networking/devices/ifcfg-eth0 and /etc/sysconfig/network-scripts/ifcfg-eth0, using system_u:object_r:net_conf_t.
matchpathcon_filespec_add: conflicting specifications for /etc/sysconfig/networking/profiles/default/ifcfg-eth0 and /etc/sysconfig/networking/devices/ifcfg-eth0, using system_u:object_r:net_conf_t.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-------------- next part --------------
A non-text attachment was scrubbed... Name: diff Type: text/x-diff Size: 874 bytes Desc: not available

From sds at tycho.nsa.gov Mon Jun 20 14:10:36 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 20 Jun 2005 10:10:36 -0400
Subject: not installing SELinux with Fedora
In-Reply-To: <20050619182229.28250.fh050.wm@smtp.sc0.cp.net>
References: <20050619182229.28250.fh050.wm@smtp.sc0.cp.net>
Message-ID: <1119276636.19648.53.camel@moss-spartans.epoch.ncsc.mil>

On Sun, 2005-06-19 at 11:22 -0700, stewartetcie at canada.com wrote:
> The point is that SELinux is: (1) so complex as to be
> unmanageable; (2) inappropriate for all cases,
> virtualization being a case in point. By the way, sHype
> is available as a patch for Xen, which is distributed
> with Fedora Core 4.

SELinux doesn't create complexity; it just reveals the existing complexity of what is already occurring on your computing system and provides you with a mechanism that allows you to control that complexity. In the absence of such a mechanism, you have no chance of knowing what is occurring on your system or being able to control it, and thus no way to counter the risk posed by malicious and flawed applications. Virtualization gives you a way to confine/isolate at very coarse granularity with very strong isolation guarantees (which can indeed be useful, and can be used in combination with SELinux), but doesn't really solve the problem of fine-grained controlled sharing and confinement of malicious/flawed applications on the OS.

> On a more general note Steve, take a look at Ken
> Thompson's 1984 ACM Turing Award lecture, "Reflections
> on Trusting Trust" wherein the author of the UNIX
> operating system illustrates why you shouldn't trust
> sneaky folks like him. By extension, I'm a little
> suspicious of the NSA's motives in distributing a
> system for mandatory access control that is needlessly
> complex and, essentially, unmanageable at a time when
> snort and tripwire, for example, are widely available
> and a stateful firewall is built into the Linux kernel.

None of what you list above is a mechanism for mandatory access control, and all of them can be used in combination with SELinux just fine. SELinux is the right foundation for mandatory access control - its generality and comprehensiveness are exactly what one needs for a general purpose OS that needs to deal with a wide range of security requirements, and it provides an extensible infrastructure for applications so that the same kinds of controls can be easily applied to application abstractions as well.

> Fedora is
> the only widely used Linux distribution to incorporate
> SELinux in such a manner that it cannot be removed. If
> its so important, how come everybody else can get along
> without it? Perhaps we might consider an alternative
> Fedora Core 4 distro that is free of this one-stop
> security panacea?

I'm not sure what you mean by "cannot be removed". As stated, Fedora certainly allows you to disable SELinux. Other 2.6-based distributions include the SELinux code as well, although they may disable it by default. Most distributions don't want to have to ship multiple variations of the kernel and userland, so they naturally don't want to have to ship a SELinux and non-SELinux variant of kernel, coreutils, etc. And as far as I know, no one (and certainly not the NSA) has suggested that SELinux is a one-stop security panacea - we have always been careful to note the limitations of SELinux.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Jun 20 14:44:34 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 20 Jun 2005 10:44:34 -0400
Subject: allow execmod and execmem for self debugging process [targeted]
In-Reply-To: <42B5C509.3060607@BitWagon.com>
References: <42B5C509.3060607@BitWagon.com>
Message-ID: <1119278674.21546.16.camel@moss-spartans.epoch.ncsc.mil>

On Sun, 2005-06-19 at 12:18 -0700, John Reiser wrote:
> A self-debugging process wants arbitrary mmap() and mprotect() on itself,
> but gets EACCES with "avc: denied { execmod }" when it tries.
> What needs to be done to allow this? There are three cases:
> a) well-known named filesystem path as most-recent execve()
> b) process with "self-debug" as leaf name of most-recent execve()
> c) any execve() of a file with some assignable attribute [context]
>
> Using selinux-policy-targeted-1.23.16-6 enforcing under Fedora Core 4
> kernel-2.6.11-1.1369_FC4, I see complaints such as
> ----
> type=AVC_PATH msg=audit(1119151560.280:466428): path="/path/to/self-debugger/shared-library"
> type=SYSCALL msg=audit(1119151560.280:466428): arch=40000003 syscall=125 per=400000 success=no exit=-13 a0=3000 a1=1000 a2=5 a3=0 items=0 pid=2701 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="self-debug" exe="/path/to/self-debugger/self-debug"
> type=AVC msg=audit(1119151560.280:466428): avc: denied { execmod } for pid=2701 comm="self-debug" name=shared-library dev=hda7 ino=4104583 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:file_t tclass=file
> ----
> Booting the kernel with "enforcing=0" allows the mprotect() to succeed;
> auditd.log still shows similar messages, except with "success=yes exit=0".
> I'd like to retain the safeguards of the targeted enforcing policy,
> but allow "known cases" the capabilities that they need.
> [Yes, this is a technique that malware may try to exploit.
> "Bonware" deserves the chance to exploit it, too.]
>
> /etc/selinux/targeted/booleans has
> -----
> allow_execmod=1
> allow_execmem=1
> -----
> Shouldn't these two values have allowed any mprotect?
>
> The self-debugger wants to re-write PROT_EXEC + MAP_PRIVATE pages
> of itself and other files that have been mmap()ed into the same process.
> Code in .a archive library such as http://BitWagon.com/tub/tub.html
> gives an application more control over its address space by "hooking"
> all mmap(), etc. Complicated watchpoints run thousands of times faster
> in contrast to requiring ptrace() by a second process [gdb], etc.

execmem is purely a task-self check, i.e. a process can either make an anonymous mapping executable (and thus execute arbitrary code) or not.

execmod is a task-file check to allow finer granularity for the case of text relocations; it is applied when a process attempts to make a modified private file mapping executable, which normally only occurs for text relocations. Thus, under strict policy, execmod is normally restricted to a particular file type (texrel_shlib_t) and all files requiring text relocation must be explicitly labeled with that type in order to allow the relocation. allow_execmod just controls whether or not execmod is _ever_ allowed, but even when it is enabled, you are still limited to texrel_shlib_t.

Under targeted policy, it appears that a wider set of file types is allowed by allow_execmod, including common shared objects and executables, and there have been discussions on this list about extending it to all file types by default there.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Mon Jun 20 15:14:41 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 20 Jun 2005 11:14:41 -0400
Subject: squirrelmail not working after policy update
In-Reply-To: <1119058702.3403.7.camel@chaucer>
References: <1119058702.3403.7.camel@chaucer>
Message-ID: <42B6DD61.2030007@redhat.com>

Bob Kashani wrote:
> FC3 selinux-policy-targeted-1.17.30-3.9
>
> Arrgh...squirrelmail is not working. I ran audit2allow and it told me to
> add this:
>
> allow httpd_t self:tcp_socket connect;
>
> Which makes everything work now. Is this correct?
>
> Here is the AVC error that I was getting:
>
> Jun 17 18:32:26 sorcerer kernel: audit(1119058346.336:0): avc: denied { connect } for pid=3388 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
>
> Bob

Set the boolean squid_connect_any

setsebool -P squid_connect_any=1

This will allow the above rule.

--

From dwalsh at redhat.com Mon Jun 20 15:55:43 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 20 Jun 2005 11:55:43 -0400
Subject: NIS trouble after update of targeted policy
In-Reply-To: <20050617102013.qq85ynl7kggw4s0g@www.milivojevic.org>
References: <20050617102013.qq85ynl7kggw4s0g@www.milivojevic.org>
Message-ID: <42B6E6FF.8080105@redhat.com>

alex at milivojevic.org wrote:
> In continuation to my previous mail to this list (subject was
> "selinux-policy-targeted and logrotate", but was really more about upgrading
> from 1.17.30-2.88 to 1.17.30-3.6).
>
> After I upgraded to selinux-policy-targeted-1.17.30-3.6 (Daniel's rhel4u2 RPM),
> several applications controlled by targeted policy started complaining about
> something that looks like lookups to NIS maps were denied. The testing box in
> question is in permissive mode, so there might be much more of those for boxes
> running in enforcing mode.
>
> The logs are in attachment.
>
> ------------------------------------------------------------------------
>
> Jun 17 10:06:58 mybox kernel: audit(1119020818.412:0): avc: denied { search } for pid=2542 comm=ntpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
> Jun 17 10:06:58 mybox kernel: audit(1119020818.415:0): avc: denied { read } for pid=2542 comm=ntpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:var_yp_t tclass=file
> Jun 17 10:06:58 mybox kernel: audit(1119020818.419:0): avc: denied { name_bind } for pid=2542 comm=ntpd src=1022 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
> Jun 17 10:06:58 mybox kernel: audit(1119020818.422:0): avc: denied { name_bind } for pid=2542 comm=ntpd src=1023 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
> Jun 17 10:06:59 mybox kernel: audit(1119020819.077:0): avc: denied { search } for pid=2576 comm=postmaster name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
> Jun 17 10:07:07 mybox kernel: audit(1119020827.010:0): avc: denied { search } for pid=2642 comm=httpd name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
> Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc: denied { search } for pid=2827 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
> Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc: denied { read } for pid=2827 comm=httpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_yp_t tclass=file
> Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc: denied { name_bind } for pid=2827 comm=httpd src=883 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
> Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc: denied { name_bind } for pid=2827 comm=httpd src=884 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
> Jun 17 10:07:12 mybox kernel: audit(1119020832.907:0): avc: denied { connect } for pid=2827 comm=httpd lport=884 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
> Jun 17 10:07:13 mybox kernel: audit(1119020833.376:0): avc: denied { name_bind } for pid=2891 comm=httpd src=953 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:rndc_port_t tclass=tcp_socket
> Jun 17 10:09:05 mybox kernel: audit(1119020945.663:0): avc: denied { search } for pid=2887 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
>
> ------------------------------------------------------------------------

Do you have allow_ypbind set?

setsebool -P allow_ypbind=1

--

From alex at milivojevic.org Mon Jun 20 16:15:36 2005
From: alex at milivojevic.org (alex at milivojevic.org)
Date: Mon, 20 Jun 2005 11:15:36 -0500
Subject: selinux-policy-targeted and logrotate
In-Reply-To: <20050617095814.zuu9peo6scc8cwc8@www.milivojevic.org>
References: <20050617095814.zuu9peo6scc8cwc8@www.milivojevic.org>
Message-ID: <20050620111536.2qye3e27z0kkk4gw@www.milivojevic.org>

I've checked logs on my test system, and logrotate still fails after upgrading it with the latest RPMs from ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u2/

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-3.6

# grep audit /var/log/messages.1
Jun 19 04:02:50 wis165 kernel: audit(1119171770.797:0): avc: denied { associate } for pid=27692 comm=logrotate name=logrotate.rKrWNN scontext=system_u:object_r:var_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem

From alex at milivojevic.org Mon Jun 20 16:18:53 2005
From: alex at milivojevic.org (alex at milivojevic.org)
Date: Mon, 20 Jun 2005 11:18:53 -0500
Subject: NIS trouble after update of targeted policy
In-Reply-To: <42B6E6FF.8080105@redhat.com>
References: <20050617102013.qq85ynl7kggw4s0g@www.milivojevic.org> <42B6E6FF.8080105@redhat.com>
Message-ID: <20050620111853.uaf1y8ea044co40k@www.milivojevic.org>

Quoting Daniel J Walsh:

> Do you have allow_ypbind set?
>
> setsebool -P allow_ypbind=1

Hmmm... No, I haven't had it. Wasn't aware of it. Now I do have it. Many thanks.

From cspp at yahoo.com Mon Jun 20 19:12:59 2005
From: cspp at yahoo.com (lastic miles)
Date: Mon, 20 Jun 2005 12:12:59 -0700 (PDT)
Subject: fc4 samba errors { read write } { search } { remove_name } - second part
In-Reply-To: <1119126965.24723.6.camel@localhost.localdomain>
Message-ID: <20050620191300.99078.qmail@web51010.mail.yahoo.com>

--- Ivan Gyurdiev wrote:

> Add nscd_client_domain to the daemon_domain call for smbd

What does that mean?

> Samba's currently not allowed to delete logs - it seems this was
> done on purpose. Why, I'm not sure - so you can't erase valuable
> audit trail I suppose...
>
> ---
>
> By the way, notice how samba doesn't use standard log macros for
> this (append_logdir_domain). The only reason for this appears to
> be that the type is shared across multiple types. This is not a very
> good reason. IMHO we need to change all those log/var/etc macros
> to address this issue. If you look at home_macros.te you'll see one
> (rather ugly) way to address this - separate macro in one declaration
> part, and another "access" part.

In general you are saying "Do not touch for now. It works."

Thank you for your time!

--
L. Miles

From lfelipe.sanchez at gmail.com Mon Jun 20 21:32:44 2005
From: lfelipe.sanchez at gmail.com (Felipe Sánchez)
Date: Mon, 20 Jun 2005 16:32:44 -0500
Subject: problems with selinux and amsn
Message-ID: <711a765a05062014324f60ecae@mail.gmail.com>

Hi there, well I think I have a problem with selinux policy and amsn. Turns out that after one upgrade amsn stopped working, then it says that I have to download the TLS module, which I had before. I download it but it keeps doing the same, then I googled a little and some people had that problem and fixed it installing another tls module. I installed tls1.5, nothing happened. I use fedora 3. Then I tried in fedora 4 and I have the same problem. Really I need some help, my sister is killing ME!!!! ;-) we only use linux...

From tjikkun at xs4all.nl Mon Jun 20 22:31:01 2005
From: tjikkun at xs4all.nl (Sander Hoentjen)
Date: Tue, 21 Jun 2005 00:31:01 +0200
Subject: problems with selinux and amsn
In-Reply-To: <711a765a05062014324f60ecae@mail.gmail.com>
References: <711a765a05062014324f60ecae@mail.gmail.com>
Message-ID: <1119306661.6516.7.camel@tjikkun.dyndns.org>

CC-ing amsn-devel since it involves.. well.. amsn

On Mon, 2005-06-20 at 16:32 -0500, Felipe Sánchez wrote:
> Hi there, well I think I have a problem with selinux policy and amsn,
> turns out that after one upgrade amsn stopped working, then it says
> that I have to download the TLS module, which I had before, I download
> it but it keeps doing the same, then I googled a little and some people
> had that problem and fixed it installing another tls module, I
> installed tls1.5, nothing happened, I use fedora 3. Then I tried in
> fedora 4 and I have the same problem. Really I need some help, my
> sister is killing ME!!!! ;-) we only use linux...

I had the same problem and yes tls1.4 doesn't work with SELinux but 1.5 does. What might be the problem is that your tls module links to /lib/libssl.so.0.9.7 and /lib/libcrypto.so.0.9.7; they don't exist, so what I did was make symlinks to /lib/libssl.so.0.9.7f and /lib/libcrypto.so.0.9.7f. This fixed it for me.

When amsn 0.95 comes out (not very long anymore) these problems will be fixed in the rpm.

From ivg2 at cornell.edu Mon Jun 20 23:42:43 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Mon, 20 Jun 2005 19:42:43 -0400
Subject: fc4 samba errors { read write } { search } { remove_name } - second part
In-Reply-To: <20050620191300.99078.qmail@web51010.mail.yahoo.com>
References: <20050620191300.99078.qmail@web51010.mail.yahoo.com>
Message-ID: <1119310963.24172.7.camel@localhost.localdomain>

On Mon, 2005-06-20 at 12:12 -0700, lastic miles wrote:
> --- Ivan Gyurdiev wrote:
>
> > Add nscd_client_domain to the daemon_domain call for
> > smbd
>
> What does that mean?

nscd caches passwords and dns lookups, and similar things - it's part of libc. It seems like samba is trying to access the nscd cache, and is failing. By adding the attribute "nscd_client_domain" to the proper macro call in the policy, it will make it work. I realize that you possibly do not know how to do this yourself, but my email was addressed to the list with the purpose that Dan Walsh (the policy maintainer) may see and fix it.

The other things which you posted are less clear, since they have to do with samba writing to the terminal, and samba erasing its logs. It may be the case that we should not allow those things.

--
Ivan Gyurdiev
Cornell University

From bobk at ocf.berkeley.edu Tue Jun 21 02:52:11 2005
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Mon, 20 Jun 2005 19:52:11 -0700
Subject: squirrelmail not working after policy update
In-Reply-To: <42B6DD61.2030007@redhat.com>
References: <1119058702.3403.7.camel@chaucer> <42B6DD61.2030007@redhat.com>
Message-ID: <1119322331.4547.4.camel@chaucer>

On Mon, 2005-06-20 at 11:14 -0400, Daniel J Walsh wrote:
> Bob Kashani wrote:
>
> > FC3 selinux-policy-targeted-1.17.30-3.9
> >
> > Arrgh...squirrelmail is not working. I ran audit2allow and it told me to
> > add this:
> >
> > allow httpd_t self:tcp_socket connect;
> >
> > Which makes everything work now. Is this correct?
> >
> > Here is the AVC error that I was getting:
> >
> > Jun 17 18:32:26 sorcerer kernel: audit(1119058346.336:0): avc: denied { connect } for pid=3388 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
> >
> > Bob
>
> Set the boolean squid_connect_any
>
> setsebool -P squid_connect_any=1
>
> This will allow the above rule.

It didn't work. :( I still get the same error. Also, I don't have squid installed...does that matter?

Bob

--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From iocc at fedora-selinux.lists.flashdance.cx Tue Jun 21 03:42:17 2005
From: iocc at fedora-selinux.lists.flashdance.cx (Peter Magnusson)
Date: Tue, 21 Jun 2005 05:42:17 +0200 (CEST)
Subject: problem with selinux-policy-targeted FC3
In-Reply-To: <1119160009.2580.5.camel@chaucer>
References: <1119160009.2580.5.camel@chaucer>
Message-ID:

On Sat, 18 Jun 2005, Bob Kashani wrote:
> Hrmm...all my www dirs are labeled either as:
>
> system_u:object_r:httpd_sys_content_t
> or
> user_u:object_r:httpd_user_content_t
>
> To change the selinux context you can use "chcon":
>
> chcon -R system_u:object_r:httpd_sys_content_t www

chcon -R system_u:object_r:httpd_sys_content_t /www
chcon -R system_u:object_r:httpd_log_t /var/log/httpd-inget_alls

and then

setsebool -P httpd_disable_trans 0

to turn on selinux for apache. Now it works. Thanks.

From iocc at fedora-selinux.lists.flashdance.cx Tue Jun 21 03:49:28 2005
From: iocc at fedora-selinux.lists.flashdance.cx (Peter Magnusson)
Date: Tue, 21 Jun 2005 05:49:28 +0200 (CEST)
Subject: problem with selinux-policy-targeted FC3
In-Reply-To: <1119160587.3418.6.camel@localhost.localdomain>
References: <1119160009.2580.5.camel@chaucer> <1119160587.3418.6.camel@localhost.localdomain>
Message-ID:

On Sun, 19 Jun 2005, Ivan Gyurdiev wrote:
> Why is that...

Maybe because /www is 5.1 GB and doesn't fit on /? And I want a separate partition for it.

> That's what causes your problem, since nonstandard locations
> are labeled as default_t. You can relabel your content
> httpd_sys_content_t, and this should fix the problem.

Yes, it's fixed now. I have relabeled them. I'm not the only one that has web content in non-standard locations. I know others that got the same problem as I did after the selinux policy change. I think the fedora team should have thought about that before pushing out a selinux policy change that breaks stuff. That's all I'm saying.

> However, the standard location for web content is /var/www.

I know.

From iocc at fedora-selinux.lists.flashdance.cx Tue Jun 21 05:11:31 2005
From: iocc at fedora-selinux.lists.flashdance.cx (Peter Magnusson)
Date: Tue, 21 Jun 2005 07:11:31 +0200 (CEST)
Subject: more latest selinux policy change problems
Message-ID:

A little script that runs in cron complained about stuff after I turned on selinux for apache again;

mv: cannot set setfscreatecon `user_u:object_r:httpd_sys_script_rw_t': Permission denied

so I changed the selinux perms on these files. Hope it will work next time I turn on selinux for apache. Because now it's off again because of this:

Tested what gallery (http://gallery.sourceforge.net/) would think about selinux. It didn't like it at all. It said that it has no rights to write in the userfile. And how would I know what I should set the perms to get it working?

Jun 21 06:27:25 sysbabe kernel: audit(1119328045.441:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.442:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file

is what it says. Same problem on another vhost with a counter, just other name= of course.

The thing above is just the mainpage. It must be able to write dirs also, when creating new albums. It must also be able to execute /usr/bin/convert and maybe other programs also. Hmm, and it stores tmp files in /tmp also. httpd_sys_content_execute_tmpfiles_t on /tmp maybe? :) I have no idea how many fixes are needed to get everything working. Is there any *generic* apache-can-write-whatever-it-wants in selinux? As long as apache can't write in *system files* or execute anything as root I'm quite happy.

Did the fedora team expect problems like this to be created with the latest selinux policy change or is it a surprise for you? It's fine to have it by default in a new release of fedora but not CHANGE it in an update.

From therods at gmail.com Tue Jun 21 05:31:40 2005
From: therods at gmail.com (huang mingyou)
Date: Tue, 21 Jun 2005 13:31:40 +0800
Subject: selinux cant't auto load at system bootup.
Message-ID: <40b6d52e05062022317cf15a81@mail.gmail.com>

hello, all. My system is trustix3.0. I use the 2.6.11.11 kernel and use selinux. I installed the selinux package, but selinux can't auto load at system bootup. I can't find where the error is. Please help me.

From netdxr at gmail.com Tue Jun 21 06:33:48 2005
From: netdxr at gmail.com (Tom Lisjac)
Date: Tue, 21 Jun 2005 00:33:48 -0600
Subject: more latest selinux policy change problems
In-Reply-To:
References:
Message-ID: <863ff45205062023337abe52a7@mail.gmail.com>

On 6/20/05, Peter Magnusson wrote:
> It's fine to have it by
> default in a new release of fedora but not CHANGE it in an update.

I agree. The 1.17.30-3.9 update was a scary experience. Fortunately none of my production servers broke, but some of the Slackware boxes I'm currently converting to Fedora have deeply embedded /www directories. If they'd been in service and I had applied 1.17.30-3.9, I guess they would have gone down.

Suggestion: Functional changes that can break existing installs shouldn't be provided as normal updates... they should be included in the next OS version. Otherwise, if the update policy is perceived to put running servers at risk, it won't be long before the community stops taking Fedora seriously.

Best regards,
-Tom

From cra at WPI.EDU Tue Jun 21 06:52:40 2005
From: cra at WPI.EDU (Chuck Anderson)
Date: Tue, 21 Jun 2005 02:52:40 -0400
Subject: more latest selinux policy change problems
In-Reply-To: <863ff45205062023337abe52a7@mail.gmail.com>
References: <863ff45205062023337abe52a7@mail.gmail.com>
Message-ID: <20050621065240.GK2693@angus.ind.WPI.EDU>

On Tue, Jun 21, 2005 at 12:33:48AM -0600, Tom Lisjac wrote:
> Suggestion: Functional changes that can break existing installs
> shouldn't be provided as normal updates... they should be included in
> the next OS version. Otherwise, if the update policy is perceived to
> put running servers at risk, it won't be long before the community
> stops taking Fedora seriously.

That isn't the goal of Fedora, though. Updates are specifically NOT backported to older trees. Instead, you get the update for the latest OS release, rebuilt for the older releases. If you want a more stable tree with backported fixes, then use RHEL.

From dwalsh at redhat.com Tue Jun 21 11:04:16 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 21 Jun 2005 07:04:16 -0400
Subject: squirrelmail not working after policy update
In-Reply-To: <1119322331.4547.4.camel@chaucer>
References: <1119058702.3403.7.camel@chaucer> <42B6DD61.2030007@redhat.com> <1119322331.4547.4.camel@chaucer>
Message-ID: <42B7F430.5060205@redhat.com>

Bob Kashani wrote:
> On Mon, 2005-06-20 at 11:14 -0400, Daniel J Walsh wrote:
>
> > Bob Kashani wrote:
> >
> > > FC3 selinux-policy-targeted-1.17.30-3.9
> > >
> > > Arrgh...squirrelmail is not working. I ran audit2allow and it told me to
> > > add this:
> > >
> > > allow httpd_t self:tcp_socket connect;
> > >
> > > Which makes everything work now. Is this correct?
> > >
> > > Here is the AVC error that I was getting:
> > >
> > > Jun 17 18:32:26 sorcerer kernel: audit(1119058346.336:0): avc: denied { connect } for pid=3388 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
> > >
> > > Bob
> >
> > Set the boolean squid_connect_any
> >
> > setsebool -P squid_connect_any=1
> >
> > This will allow the above rule.
>
> It didn't work. :( I still get the same error. Also, I don't have squid
> installed...does that matter?
>
> Bob

Should have said

httpd_can_network_connect

setsebool -P httpd_can_network_connect=1

Answering multiple bugs at the same time, sorry.

--

From bobk at ocf.berkeley.edu Tue Jun 21 17:23:41 2005
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Tue, 21 Jun 2005 10:23:41 -0700
Subject: squirrelmail not working after policy update
In-Reply-To: <42B7F430.5060205@redhat.com>
References: <1119058702.3403.7.camel@chaucer> <42B6DD61.2030007@redhat.com> <1119322331.4547.4.camel@chaucer> <42B7F430.5060205@redhat.com>
Message-ID: <1119374621.2585.2.camel@chaucer>

On Tue, 2005-06-21 at 07:04 -0400, Daniel J Walsh wrote:
> > It didn't work. :( I still get the same error. Also, I don't have squid
> > installed...does that matter?
> >
> > Bob
>
> Should have said
> httpd_can_network_connect
> setsebool -P httpd_can_network_connect=1
>
> Answering multiple bugs at the same time, sorry.

Hehe...ok, this worked. I figured you probably meant something else. I can just imagine how much mail you have to read thru on a daily basis. :)

Thanks,

Bob

--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

From zico at algohotellet.se Wed Jun 22 12:10:59 2005
From: zico at algohotellet.se (pi)
Date: Wed, 22 Jun 2005 14:10:59 +0200
Subject: ftp,smb and atalk stopped working in FC4
Message-ID: <4431d137809b42799b801f4f3c67eea6@algohotellet.se>

From FC4 ftp seems to be part of the selinux-policy. I have managed the httpd part of it, getting different user/public_html to work, so I know the syntax to make them ok. When it comes to ftp I cannot find anything to read up on, and the same goes for smb, which I need for some pc's, and atalk for macs. I installed proftpd in favor of vsftpd. I know I can turn selinux protection off for the specified services, but I want it.

Can anyone hint me in the right direction here, where I can read up on it?

Regards
/pi

From netdxr at gmail.com Wed Jun 22 19:29:48 2005
From: netdxr at gmail.com (Tom Lisjac)
Date: Wed, 22 Jun 2005 13:29:48 -0600
Subject: more latest selinux policy change problems
In-Reply-To: <20050621065240.GK2693@angus.ind.WPI.EDU>
References: <863ff45205062023337abe52a7@mail.gmail.com> <20050621065240.GK2693@angus.ind.WPI.EDU>
Message-ID: <863ff4520506221229f2379bc@mail.gmail.com>

On 6/21/05, Chuck Anderson wrote:
> On Tue, Jun 21, 2005 at 12:33:48AM -0600, Tom Lisjac wrote:
> > Suggestion: Functional changes that can break existing installs
> > shouldn't be provided as normal updates... they should be included in
> > the next OS version. Otherwise, if the update policy is perceived to
> > put running servers at risk, it won't be long before the community
> > stops taking Fedora seriously.
>
> That isn't the goal of Fedora, though. Updates are specifically NOT
> backported to older trees. Instead, you get the update for the latest
> OS release, rebuilt for the older releases.

Thanks for the clarification. Could you refer me to the place where this policy is stated? The only reference I can find that might allude to it is item 3 on this page:

http://fedora.redhat.com/about/objectives.html

Wouldn't it be better to simply stop pushing SELinux updates to older versions rather than continuing to apply new and possibly incompatible features of the newer release?

> If you want a more stable
> tree with backported fixes, then use RHEL.

We can't afford RHEL. If updating installed Fedoras is going to cause them to become unstable after a new version release, we'll have no choice but to migrate to another OS.

Best regards,
-Tom

From sds at tycho.nsa.gov Wed Jun 22 19:33:43 2005
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 22 Jun 2005 15:33:43 -0400 Subject: more latest selinux policy change problems In-Reply-To: <863ff4520506221229f2379bc@mail.gmail.com> References: <863ff45205062023337abe52a7@mail.gmail.com> <20050621065240.GK2693@angus.ind.WPI.EDU> <863ff4520506221229f2379bc@mail.gmail.com> Message-ID: <1119468823.13181.204.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2005-06-22 at 13:29 -0600, Tom Lisjac wrote: > Woudn't it be better to simply stop pushing SELinux updates to older > versions rather then continuing to apply new and possibliy > incompatible features of the newer release? I don't think that the breakage was intentional/expected. As I understand it, Dan only pushes updated policies to older releases as needed to fix specific bugs or to deal with newer kernels (which may introduce newer SELinux permission checks, and thus require new policy allowing those permissions). I'd view the breakage as a bug. -- Stephen Smalley National Security Agency From i.pilcher at comcast.net Wed Jun 22 19:34:47 2005 From: i.pilcher at comcast.net (Ian Pilcher) Date: Wed, 22 Jun 2005 14:34:47 -0500 Subject: Targeted policy blocks PostgreSQL ident authentication Message-ID: The gory details are at: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161383 It looks like SELinux is preventing PostgreSQL from opening a TCP socket to 127.0.0.1:113. Can anyone suggest a workaround (other than turning off SELinux for PostgreSQL)? Thanks! -- ======================================================================== Ian Pilcher i.pilcher at comcast.net ======================================================================== From sds at tycho.nsa.gov Wed Jun 22 19:41:14 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 22 Jun 2005 15:41:14 -0400 Subject: more latest selinux policy change problems In-Reply-To: References: Message-ID: <1119469274.13181.210.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2005-06-21 at 07:11 +0200, Peter Magnusson wrote: > And how would I know what I should set the perms to get it working? > > Jun 21 06:27:25 sysbabe kernel: audit(1119328045.441:0): avc: denied { > write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 > ino=688180 scontext=root:system_r:httpd_t > tcontext=system_u:object_r:httpd_sys_content_t tclass=file > Jun 21 06:27:25 sysbabe kernel: audit(1119328045.442:0): avc: denied { > write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 > ino=688180 scontext=root:system_r:httpd_t > tcontext=system_u:object_r:httpd_sys_content_t tclass=file > > is what it says. Same problem on another vhost with a counter, just another > name= of course. Per earlier postings on this list, have you tried: setsebool -P httpd_builtin_scripting=1 httpd_unified=1 > Did the Fedora team expect problems like this to be created with the latest > selinux policy change or is it a surprise for you? It's fine to have it by > default in a new release of Fedora but not to CHANGE it in an update. I think it was a bug in the spec file's handling of the booleans file. -- Stephen Smalley National Security Agency From monk at umich.edu Wed Jun 22 21:35:26 2005
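The two denials Peter quotes have the shape of every AVC message this list gets asked to read: one permission set in braces, then key=value fields, of which scontext, tcontext and tclass decide which rule is missing. The script below is an added example, not part of the archived thread and not Fedora's policycoreutils. It parses such lines, counts them per (source type, target type, class, permission), and maps the two patterns this thread resolved, httpd_t writing httpd_sys_content_t (Stephen's httpd_builtin_scripting/httpd_unified answer) and httpd_t making an outbound TCP connection (the httpd_can_network_connect answer from the squirrelmail thread), to the setsebool commands given there. The sample log is constructed: its first two lines copy the denials above; the name_connect line, its port number and its pop_port_t target are made up for the example.

```python
"""Parse kernel AVC denial lines into structured records and summarise them.

Added example; not from the thread and not part of policycoreutils.
"""
import re
from collections import Counter

# Constructed sample log. Lines 1-2 copy the denials quoted in the thread;
# line 3 (outbound connect, pop_port_t target) and line 4 (noise) are made up.
SAMPLE_LOG = """\
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.441:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.442:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 21 06:30:02 sysbabe kernel: audit(1119328202.118:0): avc: denied { name_connect } for pid=29610 exe=/usr/sbin/httpd dest=143 scontext=root:system_r:httpd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
Jun 21 06:31:10 sysbabe kernel: eth0: link up
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2] if ctx.count(":") >= 2 else ctx


def parse_line(line):
    """Return a record for an AVC denial line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "perms": m.group("perms").split(),
        "fields": fields,
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }


def parse_log(text):
    """Parse every AVC denial found in a block of syslog text."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def summarise(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in records:
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def suggest(rec):
    """Map a denial to the remedy the thread settled on, where one applies."""
    if rec["stype"] != "httpd_t":
        return "not an httpd denial; no thread-specific remedy"
    if rec["tclass"] == "file" and rec["ttype"] == "httpd_sys_content_t" and "write" in rec["perms"]:
        # Scripts writing into ordinary web content: the booleans Stephen pointed at.
        return "setsebool -P httpd_builtin_scripting=1 httpd_unified=1"
    if rec["tclass"] == "tcp_socket" and "name_connect" in rec["perms"]:
        # Outbound connection from httpd, as in the squirrelmail case.
        return "setsebool -P httpd_can_network_connect=1"
    return "no thread-specific remedy; run the denial through audit2allow before adding policy"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarise(recs).items()):
        print(f"{n:3d}x  {key[0]} -> {key[1]} ({key[2]}: {key[3]})")
    for rec in recs:
        print(f"pid={rec['fields'].get('pid')} {rec['perms']}: {suggest(rec)}")
```

Anything outside the two known patterns falls through to an audit2allow hint rather than a guessed rule; a denial whose cause is not understood should not be turned into policy by reflex, which is how the httpd_t-to-everything allow rules that make confinement meaningless get written.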
From: monk at umich.edu (Daniel Normolle) Date: Wed, 22 Jun 2005 17:35:26 -0400 Subject: more latest selinux policy change problems In-Reply-To: <863ff4520506221229f2379bc@mail.gmail.com> References: <863ff45205062023337abe52a7@mail.gmail.com> <20050621065240.GK2693@angus.ind.WPI.EDU> <863ff4520506221229f2379bc@mail.gmail.com> Message-ID: <42B9D99E.7030200@umich.edu> Tom Lisjac wrote: > > We can't afford RHEL. If updating installed Fedoras is going to cause > them to become unstable after a new version release, we'll have no > choice but to migrate to another OS. I backed out of the problematic policy update by getting the source for the previous update, using rpmbuild to construct the binary .rpm and using the --force option to return to the earlier policy. If I can do it, you can do it. It was inconvenient, but nothing compared to my peer Windoze users' weekly struggles with the latest and greatest anti-virus software. dpn -- Daniel Normolle, Ph.D. Research Assistant Professor Senior Research Associate Department of Radiation Oncology UMCCC Biostatistics Unit Room 8D22 Voice: 734-764-2473 300 North Ingalls E-mail: monk at umich.edu Ann Arbor, MI 48109-0473 FAX: 734-936-9582 http://www-personal.umich.edu/~monk From jon at internection.com Wed Jun 22 21:41:51 2005 From: jon at internection.com (Jon August) Date: Wed, 22 Jun 2005 17:41:51 -0400 Subject: How do I tell if SELinux is working? Message-ID: <35025D43-3EC7-481B-9DE1-A0CCF91B49F6@internection.com> I updated the policy after I found that there was a bug with starting DHCP and since then I haven't had any issues getting things to work. Things like a CGI script running sendmail to send an email - which used to show up in the audit log, now work fine. What can I do to see if SELinux is still paying attention? -Jon From walters at redhat.com Wed Jun 22 22:35:34 2005 
From: walters at redhat.com (Colin Walters) Date: Wed, 22 Jun 2005 18:35:34 -0400 Subject: How do I tell if SELinux is working? In-Reply-To: <35025D43-3EC7-481B-9DE1-A0CCF91B49F6@internection.com> References: <35025D43-3EC7-481B-9DE1-A0CCF91B49F6@internection.com> Message-ID: <1119479734.3842.4.camel@nexus.verbum.private> On Wed, 2005-06-22 at 17:41 -0400, Jon August wrote: > I updated the policy after I found that there was a bug with starting > DHCP and since then I haven't had any issues getting things to work. > Things like a CGI script running sendmail to send an email - which > used to show up in the audit log, now work fine. > > What can I do to see if SELinux is still paying attention? You can run 'ps axZ | grep processname' to see the security context that a process is running under. For example, [root at nexus walters]# ps axZ | grep httpd root:system_r:httpd_t 2723 ? Ss 0:00 /usr/sbin/httpd If you see httpd_t then you can be pretty sure your CGI script is confined. The only way it could not be, off the top of my head, is if you have a script labeled with the type httpd_unconfined_script_exec_t. From jon at internection.com Wed Jun 22 22:45:25 2005 
From: jon at internection.com (Jon August) Date: Wed, 22 Jun 2005 18:45:25 -0400 Subject: How do I tell if SELinux is working? In-Reply-To: <1119479734.3842.4.camel@nexus.verbum.private> References: <35025D43-3EC7-481B-9DE1-A0CCF91B49F6@internection.com> <1119479734.3842.4.camel@nexus.verbum.private> Message-ID: <9072D912-84D1-4FB8-BCAB-4A7F4479B199@internection.com> httpd is running with type: root:system_r:unconfined_t What does this mean? Is httpd a vulnerability on this machine? On Jun 22, 2005, at 6:35 PM, Colin Walters wrote: > On Wed, 2005-06-22 at 17:41 -0400, Jon August wrote: > >> I updated the policy after I found that there was a bug with starting >> DHCP and since then I haven't had any issues getting things to work. >> Things like a CGI script running sendmail to send an email - which >> used to show up in the audit log, now work fine. >> >> What can I do to see if SELinux is still paying attention? >> > > You can run 'ps axZ | grep processname' to see the security context > that > a process is running under. For example, > > [root at nexus walters]# ps axZ | grep httpd > root:system_r:httpd_t 2723 ? Ss 0:00 /usr/ > sbin/httpd > > If you see httpd_t then you can be pretty sure your CGI script is > confined. The only way it could not be, off the top of my head, is if > you have a script labeled with the type > httpd_unconfined_script_exec_t. > > From walters at redhat.com Wed Jun 22 23:29:15 2005 
From: walters at redhat.com (Colin Walters) Date: Wed, 22 Jun 2005 19:29:15 -0400 Subject: How do I tell if SELinux is working? In-Reply-To: <9072D912-84D1-4FB8-BCAB-4A7F4479B199@internection.com> References: <35025D43-3EC7-481B-9DE1-A0CCF91B49F6@internection.com> <1119479734.3842.4.camel@nexus.verbum.private> <9072D912-84D1-4FB8-BCAB-4A7F4479B199@internection.com> Message-ID: <1119482955.4541.7.camel@nexus.verbum.private> On Wed, 2005-06-22 at 18:45 -0400, Jon August wrote: > httpd is running with type: > > root:system_r:unconfined_t > > What does this mean? Is httpd a vulnerability on this machine? This means that httpd is not confined by the SELinux policy. This means you have less protection against a compromise or misconfiguration of httpd or CGI scripts. Since the default is for it to be enabled, someone (possibly you) disabled SELinux protection for httpd; you can reenable it by using system-config-securitylevel (or "setsebool -P httpd_disable_trans=false"). From jon at internection.com Thu Jun 23 02:14:17 2005 
From: jon at internection.com (Jon August) Date: Wed, 22 Jun 2005 22:14:17 -0400 Subject: How do I tell if SELinux is working? In-Reply-To: <1119482955.4541.7.camel@nexus.verbum.private> References: <35025D43-3EC7-481B-9DE1-A0CCF91B49F6@internection.com> <1119479734.3842.4.camel@nexus.verbum.private> <9072D912-84D1-4FB8-BCAB-4A7F4479B199@internection.com> <1119482955.4541.7.camel@nexus.verbum.private> Message-ID: Would compiling my own version of apache and installing it myself rather than using yum, for example, to install it result in an unconfined httpd? On Jun 22, 2005, at 7:29 PM, Colin Walters wrote: > On Wed, 2005-06-22 at 18:45 -0400, Jon August wrote: > > >> httpd is running with type: >> >> root:system_r:unconfined_t >> >> What does this mean? Is httpd a vulnerability on this machine? >> >> > > This means that httpd is not confined by the SELinux policy. This > means > you have less protection against a compromise or misconfiguration of > httpd or CGI scripts. > > Since the default is for it to be enabled, someone (possibly you) > disabled SELinux protection for httpd; you can reenable it by using > system-config-securitylevel (or > "setsebool -P httpd_disable_trans=false"). > > > From walters at redhat.com Thu Jun 23 02:25:07 2005
From: walters at redhat.com (Colin Walters) Date: Wed, 22 Jun 2005 22:25:07 -0400 Subject: How do I tell if SELinux is working? In-Reply-To: References: <35025D43-3EC7-481B-9DE1-A0CCF91B49F6@internection.com> <1119479734.3842.4.camel@nexus.verbum.private> <9072D912-84D1-4FB8-BCAB-4A7F4479B199@internection.com> <1119482955.4541.7.camel@nexus.verbum.private> Message-ID: <1119493507.12222.10.camel@nexus.verbum.private> On Wed, 2005-06-22 at 22:14 -0400, Jon August wrote: > Would compiling my own version of apache and installing it myself > rather than using yum, for example, to install it result in an > unconfined httpd? Probably, yes. The way the Fedora Apache SELinux setup works is by /usr/sbin/httpd having the type httpd_exec_t (see ls -Z /usr/sbin/httpd). If you installed an Apache binary in /usr/local/bin/httpd for example, it might work to do: chcon -t httpd_exec_t /usr/local/bin/httpd However you may need to change the types of other files as well (e.g. if you use /usr/local/etc/httpd, you should probably: chcon -R -h -t httpd_config_t /usr/local/etc/httpd An easier (or at least more well-tested) route would be to recompile the Fedora SRPM. Even easier and more well-tested would be to find a way to do what you want without compiling your own version of Apache httpd. Why did you do that, anyways? From TobyD at wolke7.net Thu Jun 23 10:50:40 2005
From: TobyD at wolke7.net (TobyD at wolke7.net) Date: Thu, 23 Jun 2005 12:50:40 +0200 (MEST) Subject: Individual Domains for Particular PHP Scripts. References: <10906.1119523511@www2.gmx.net> Message-ID: <2392.1119523840@www2.gmx.net>
Hi SELinux users!

I've read: http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains

My testbed: FC4 with selinux-policy-strict-sources-1.23.16-6.

My steps:

#ls -laZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_php_script_a_t a.php
-rw-r--r-- root root system_u:object_r:httpd_php_script_b_t b.php
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t index.html

#cat a.php
<?php
$fp = fopen("b.php","r");
if ($fp)
{
echo "sorry, could access the another domain :-(";
}
fclose($fp);
?>

#cat myphp.te
#file types httpd_php_script_x_t
type httpd_php_script_a_t, file_type, sysadmfile;
type httpd_php_script_b_t, file_type, sysadmfile;

#process domains httpd_php_domain_x_t
type httpd_php_domain_a_t, domain, privmail;
type httpd_php_domain_b_t, domain, privmail;

#allow apache access to the new types
allow httpd_t httpd_php_script_a_t:file { getattr read };
allow httpd_t httpd_php_script_b_t:file { getattr read };

#authorize system_r for httpd_php_domain_x_t;
role system_r types httpd_php_domain_a_t;
role system_r types httpd_php_domain_b_t;

#domain auto transition
domain_auto_trans(httpd_t, httpd_php_script_a_t, httpd_php_domain_a_t);
domain_auto_trans(httpd_t, httpd_php_script_b_t, httpd_php_domain_a_t);

# make reload

#cat /selinux/enforce
1

Now I'd expect an error, or access denied, when accessing http://localhost/a.php from the browser, but a.php reports "sorry, could access the another domain :-(". Neither avc denied messages, nor any other errors.

What's wrong in my policy? Doesn't the domain auto transition work properly? How to separate PHP scripts into their own domains?

Any help welcome! Thanks in advance!
Toby -- TobyD From sds at tycho.nsa.gov Thu Jun 23 12:29:07 2005 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 23 Jun 2005 08:29:07 -0400 Subject: How do I tell if SELinux is working? In-Reply-To: <35025D43-3EC7-481B-9DE1-A0CCF91B49F6@internection.com> References: <35025D43-3EC7-481B-9DE1-A0CCF91B49F6@internection.com> Message-ID: <1119529747.28493.6.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2005-06-22 at 17:41 -0400, Jon August wrote: > I updated the policy after I found that there was a bug with starting > DHCP and since then I haven't had any issues getting things to work. > Things like a CGI script running sendmail to send an email - which > used to show up in the audit log, now work fine. > > What can I do to see if SELinux is still paying attention? In addition to what others have said, /usr/sbin/sestatus is a tool for checking the status of SELinux. sestatus -v also provides further information based on the contents of /etc/sestatus.conf, so you can configure it to check the contexts of specific processes and program files. Might want to add httpd to that list. sestatus was contributed by the Hardened Gentoo folks, specifically Chris PeBenito. BTW, I've noticed that FC4 systems seem to be losing the type on /etc/shadow, likely when firstboot creates the first user account. I then have to manually restorecon /etc/shadow, because the patched libraries and utilities are coded to just preserve whatever context is on the file when they update it, so if the context is ever wrong, it will remain wrong for subsequent updates. Possibly they should be using matchpathcon() instead. -- Stephen Smalley National Security Agency From tiziano at conticars.be Thu Jun 23 13:00:51 2005
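Colin's ps axZ check, his point that root:system_r:unconfined_t on httpd means httpd_disable_trans has been set, and Stephen's sestatus -v / /etc/sestatus.conf suggestion together with his /etc/shadow relabel note all amount to one audit: compare the contexts on running processes and on key files with what the policy expects. The following is an added example of that audit, not from the thread and not Fedora's sestatus. It parses ps -eZ and ls -Z output so it can be exercised on captured text; the sample output is constructed (one httpd as httpd_t, a second as unconfined_t, /etc/shadow carrying etc_t instead of its proper label), httpd_t and httpd_exec_t are the types named in the thread, and shadow_t as the expected type of /etc/shadow is an assumption of the example.

```python
"""Check that confined services run confined and that key files keep their labels.

Added example; not from the thread and not Fedora's sestatus. It works on
captured ps -eZ / ls -Z text so it runs anywhere; live_audit() feeds it the
real command output on an SELinux system.
"""
import re
import subprocess

CTX_RE = re.compile(r"^\S+:\S+_r:\S+$")   # user:role:type[:range]

# Expected labels. httpd_t and httpd_exec_t come from the thread; shadow_t
# for /etc/shadow is an assumption of this example.
EXPECTED_PROCESS_TYPES = {"httpd": "httpd_t"}
EXPECTED_FILE_TYPES = {"/usr/sbin/httpd": "httpd_exec_t", "/etc/shadow": "shadow_t"}

# Constructed output in the layout of ps -eZ and the 2005-era ls -Z (perms,
# owner, group, context, name). The second httpd line models
# httpd_disable_trans=1; the /etc/shadow line models the lost label Stephen describes.
SAMPLE_PS = """\
LABEL                              PID TTY          TIME CMD
root:system_r:httpd_t             2723 ?        00:00:00 httpd
root:system_r:unconfined_t        2724 ?        00:00:00 httpd
root:system_r:unconfined_t        3001 pts/0    00:00:00 bash
"""
SAMPLE_LS = """\
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
-r-------- root root system_u:object_r:etc_t /etc/shadow
"""


def parse_ps_z(text):
    """Map each command name to the list of (pid, type) it runs as, from ps -eZ output."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the LABEL/PID header
        parts = line.split()
        if len(parts) < 5 or not CTX_RE.match(parts[0]):
            continue
        ctx, pid, cmd = parts[0], int(parts[1]), parts[-1]
        procs.setdefault(cmd, []).append((pid, ctx.split(":")[2]))
    return procs


def parse_ls_z(text):
    """Map each path to its type; the context is whichever field looks like one."""
    files = {}
    for line in text.splitlines():
        parts = line.split()
        ctxs = [p for p in parts if CTX_RE.match(p)]
        if len(parts) >= 2 and ctxs:
            files[parts[-1]] = ctxs[0].split(":")[2]
    return files


def check_processes(procs, expected=EXPECTED_PROCESS_TYPES):
    """Flag every instance of a service not running in its expected domain."""
    findings = []
    for cmd, want in expected.items():
        for pid, typ in procs.get(cmd, []):
            if typ != want:
                findings.append(("process", f"{cmd}[{pid}]", want, typ))
    return findings


def check_files(files, expected=EXPECTED_FILE_TYPES):
    """Flag mislabeled files; restorecon <path> is the fix Stephen describes."""
    return [("file", path, want, files[path])
            for path, want in expected.items()
            if path in files and files[path] != want]


def audit(ps_text, ls_text):
    """Run both checks over captured command output."""
    return check_processes(parse_ps_z(ps_text)) + check_files(parse_ls_z(ls_text))


def live_audit():
    """Run the same checks against the running system (SELinux-aware ps and ls required)."""
    ps = subprocess.run(["ps", "-eZ"], capture_output=True, text=True, check=True).stdout
    ls = subprocess.run(["ls", "-Z"] + list(EXPECTED_FILE_TYPES),
                        capture_output=True, text=True, check=True).stdout
    return audit(ps, ls)


if __name__ == "__main__":
    for kind, what, want, got in audit(SAMPLE_PS, SAMPLE_LS):
        print(f"{kind} {what}: expected {want}, found {got}")
```

The context field is located by pattern rather than by column, so the same parser reads both the five-column ls -Z of that era and the later two-column form with an MLS range appended; the type is always the third colon-separated field either way. A process finding of unconfined_t for httpd is the httpd_disable_trans case, and the remedy is the setsebool Colin gives, not a relabel.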
From: tiziano at conticars.be (Tiziano Demaria) Date: Thu, 23 Jun 2005 15:00:51 +0200 Subject: SELINUX with APACHE and PHPBB Message-ID: <42BAB283.4030603@conticars.be> An HTML attachment was scrubbed... From dwalsh at redhat.com Thu Jun 23 15:09:25 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 23 Jun 2005 11:09:25 -0400 Subject: more latest selinux policy change problems In-Reply-To: <863ff4520506221229f2379bc@mail.gmail.com> References: <863ff45205062023337abe52a7@mail.gmail.com> <20050621065240.GK2693@angus.ind.WPI.EDU> <863ff4520506221229f2379bc@mail.gmail.com> Message-ID: <42BAD0A5.2070102@redhat.com> Tom Lisjac wrote: >On 6/21/05, Chuck Anderson wrote: > > >>On Tue, Jun 21, 2005 at 12:33:48AM -0600, Tom Lisjac wrote: >> >> >>>Suggestion: Functional changes that can break existing installs >>>shouldn't be provided as normal updates... they should be included in >>>the next OS version. Otherwise, if the update policy is perceived to >>>put running servers at risk, it won't be long before the community >>>stops taking Fedora seriously. >>> >>> >>That isn't the goal of Fedora, though. Updates are specifically NOT >>backported to older trees. Instead, you get the update for the latest >>OS release, rebuilt for the older releases. >> >> > >Thanks for the clarification. Could you refer me to the place where >this policy is stated? The only reference I can find that might allude >to it is item 3 on this page: > >http://fedora.redhat.com/about/objectives.html > >Wouldn't it be better to simply stop pushing SELinux updates to older >versions rather than continuing to apply new and possibly >incompatible features of the newer release? > > > >>If you want a more stable >>tree with backported fixes, then use RHEL. >> >> > >We can't afford RHEL. If updating installed Fedoras is going to cause >them to become unstable after a new version release, we'll have no >choice but to migrate to another OS. > >Best regards, > >-Tom > > > The goal is not to make it unstable, and we still have not figured out what went wrong. But Fedora updates to the latest kernel, for security updates, rather than backporting like we do for RHEL. So when a kernel gets updated, we needed to update policy, and that is where the fun began.
Currently FC4 is going through major bug fixes in Policy, so I don't envision many more changes to FC3. -- From dwalsh at redhat.com Thu Jun 23 16:14:49 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 23 Jun 2005 12:14:49 -0400 Subject: ftp,smb and atalk stopped working in FC4 In-Reply-To: <4431d137809b42799b801f4f3c67eea6@algohotellet.se> References: <4431d137809b42799b801f4f3c67eea6@algohotellet.se> Message-ID: <42BADFF9.4040909@redhat.com> pi wrote: > From FC4 ftp seems to be part of the selinux-policy. I have managed > the httpd part of it, getting different user/public_html to work, so I > know the syntax to make them ok. When it comes to ftp I cannot find > anything to read up on, and the same goes for smb, which I need for some > PCs, and atalk for Macs. > > I installed proftpd in favor of vsftpd. You could set proftpd to be ftpd_exec_t and see what happens. man ftpd_selinux explains some stuff. What is broken in smb and atalk? AVC messages? > > I know I can turn selinux protection off for the specified services, > but I want it. Can anyone hint me in the right direction here, where > I can read up on it? > > Regards > /pi -- From dwalsh at redhat.com Thu Jun 23 16:27:22 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 23 Jun 2005 12:27:22 -0400 Subject: Individual Domains for Particular PHP Scripts. In-Reply-To: <2392.1119523840@www2.gmx.net> References: <10906.1119523511@www2.gmx.net> <2392.1119523840@www2.gmx.net> Message-ID: <42BAE2EA.7070307@redhat.com>
TobyD at wolke7.net wrote:
>Hi SELinux users!
>
>I've read: http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains
>
>My testbed: FC4 with selinux-policy-strict-sources-1.23.16-6.
>
>My steps:
>
>#ls -laZ /var/www/html/
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
>-rw-r--r-- root root system_u:object_r:httpd_php_script_a_t a.php
>-rw-r--r-- root root system_u:object_r:httpd_php_script_b_t b.php
>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t index.html
>
>#cat a.php
><?php
>$fp = fopen("b.php","r");
>if ($fp)
>{
>echo "sorry, could access the another domain :-(";
>}
>fclose($fp);
>?>
>
>#cat myphp.te
>#file types httpd_php_script_x_t
>type httpd_php_script_a_t, file_type, sysadmfile;
>type httpd_php_script_b_t, file_type, sysadmfile;
>
>#process domains httpd_php_domain_x_t
>type httpd_php_domain_a_t, domain, privmail;
>type httpd_php_domain_b_t, domain, privmail;
>
>#allow apache access to the new types
>allow httpd_t httpd_php_script_a_t:file { getattr read };
>allow httpd_t httpd_php_script_b_t:file { getattr read };
>
>#authorize system_r for httpd_php_domain_x_t;
>role system_r types httpd_php_domain_a_t;
>role system_r types httpd_php_domain_b_t;
>
>#domain auto transition
>domain_auto_trans(httpd_t, httpd_php_script_a_t, httpd_php_domain_a_t);
>domain_auto_trans(httpd_t, httpd_php_script_b_t, httpd_php_domain_a_t);
>
># make reload
>
>#cat /selinux/enforce
>1
>
>Now I'd expect an error, or access denied, when accessing http://localhost/a.php from the browser, but a.php reports "sorry, could access the another domain :-(".
>Neither avc denied messages, nor any other errors.
>
>What's wrong in my policy? Doesn't the domain auto transition work properly? How to separate PHP scripts into their own domains?
>
>Any help welcome! Thanks in advance!
>Toby
>
A better approach would be to create a te file with the following:

more domains/program/myphp.te
#myphp.te
apache_domain(myphp)

And

more file_contexts/program/myphp.fc
/var/www/cgi-bin/myphp -- system_u:object_r:httpd_myphp_script_exec_t

This will create file_types of:

type httpd_myphp_content_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_htaccess_t, file_type, sysadmfile, customizable;
type httpd_myphp_script_exec_t, file_type, sysadmfile, customizable;
type httpd_myphp_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;

Which you can define in your fc file to files/directories depending on what your script wants to do. You can also add additional allow rules to your te file to grant it access.
From sds at tycho.nsa.gov Thu Jun 23 20:12:29 2005
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 23 Jun 2005 16:12:29 -0400 Subject: not installing SELinux with Fedora In-Reply-To: <20050623185818.23976.fh047.wm@smtp.sc0.cp.net> References: <20050623185818.23976.fh047.wm@smtp.sc0.cp.net> Message-ID: <1119557549.28493.270.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2005-06-23 at 11:58 -0700, stewartetcie at canada.com wrote: > Beware of forks masquerading as subsystems. The offer > of mandatory access control is seductive, but the > SELinux implementation is flawed if it amounts to a > fork in the Linux code base. It doesn't. SELinux is upstream, in the mainline kernel. No forking here. > If that were the only problem, it would be enough to > preclude the inclusion of SELinux from a general > purpose Linux distribution until such time as good > management tools are available. Chicken and the egg problem. People aren't motivated to create good management tools until they see that the system is mainstream. What management tools exist for POSIX ACLs on Linux? Yet the kernel mechanism is included, which allows people who want to do so to leverage them. In much the same way, including SELinux with a relatively simple policy (targeted) is a natural first step. And there are certainly other kernel features that have followed the same path. > One candidate is Linux (a. k. a. non-SELinux). If I > have to roll my own distro from Fedora in order to > optimize performance by removing unnecessary > subsystems, such as mandatory access control on an > isolated system, then Fedora is no longer a general > purpose system and it is no longer Linux, now it is > SELinux. Um, no. First, you can completely disable SELinux, at which point it is no longer registered with the kernel's security framework and imposes no performance overhead. That actually goes well beyond what many kernel features offer, most of which are going to be enabled in a stock Fedora kernel simply because it is intended for general use. 
Second, you always have the freedom to rebuild the Fedora kernel SRPM or an upstream kernel with SELinux completely omitted. You are applying an unfair criterion to SELinux that doesn't exist for any other kernel feature. > These comments are offered in the spirit of > constructive criticism. I'm grateful you declared your > bias, for your spirited defence of your product and > very grateful SELinux was contributed to the open > source community, warts and all. However, SELinux isn't > the only possible implementation of mandatory access > control for Linux (cf. sHype). If my criticisms are > valid, SELinux must either be improved, or it'll be > replaced by a better implementation. Perhaps I'm wrong. > Time will tell. Meanwhile, thanks for listening. It is certainly true that SELinux is not the only possible implementation of MAC for Linux, although I think you are misunderstanding the sHype report itself (don't confuse their explanation of how virtualization offers stronger isolation with fewer shared resources vs. finer-grained controlled sharing available via OS-level controls as a criticism of OS-level MAC - they are just explaining the differing roles played by virtualization vs. OS-level controls). And you are certainly free to use any such alternative MAC implementation you wish; just disable SELinux (via selinux=0 in your grub.conf or via /etc/selinux/config SELINUX=disabled) and load your favorite loadable module (of course, if your alternative MAC implementation requires a kernel patch, then you'd need to rebuild your kernel with that patch, but that is not affected by SELinux in any way). So your freedom is not limited in any manner by SELinux being included in Fedora.
But remember that SELinux is: - upstream (in the mainline Linux 2.6 kernel), - open source (kernel code and userland and policy), - a truly community-based project (with significant contributions by external developers and users) ever since its initial release by the NSA in 2000, - a generalized access control architecture and model suitable for a general purpose operating system, - extensible to support application security needs. So don't dismiss it too quickly. Thanks ;) -- Stephen Smalley National Security Agency From stewartetcie at canada.com Thu Jun 23 18:58:16 2005 
From: stewartetcie at canada.com (stewartetcie at canada.com) Date: Thu, 23 Jun 2005 11:58:16 -0700 (PDT) Subject: not installing SELinux with Fedora Message-ID: <20050623185818.23976.fh047.wm@smtp.sc0.cp.net> On Sunday, 2005-06-19 at 16:08 (PDT) Steve G wrote: >It's very easy to do, but you will be running your own >distro. :) Just get a RH9 build host and use the >rookery build system. It'll let you know which >packages need TLC. Beware of forks masquerading as subsystems. The offer of mandatory access control is seductive, but the SELinux implementation is flawed if it amounts to a fork in the Linux code base. >SE Linux does need some help in managing policy. ... >This is what's missing from SE Linux. >A good configuration for the non-security expert. If that were the only problem, it would be enough to preclude the inclusion of SELinux from a general purpose Linux distribution until such time as good management tools are available. On Monday, 2005-06-20 at 07:10 (PDT) Stephen Smalley wrote: >Most distributions don't want to have to ship >multiple variations of the kernel and userland, so >they naturally don't want to have to ship a SELinux and >non-SELinux variant of kernel, coreutils, etc. Yikes, I should have anticipated this, given the forum and the topic, but, in the immortal words of Monty Python, "No-one ever expects the Spanish inquisition!" Let's be clear about one thing. I am neither a devil, nor am I a devil's advocate and I really can't find the time right now for an extended vacation at a U.S. resort in Cuba, or even an unscheduled layover in Syria. I know you guys listen to everything, all the time, everywhere, but when my girlfriend said, "Oh, you devil," that was just a figure of speech. Really. Now, let's approach the topic under discussion one step at a time, as a Jesuit would. Connecting to the internet can be risky, because we don't know who else has an internet connection, or what malicious plans they may have.
So intellectual property developers often disconnect clusters used as render farms for movie production, or compile farms used for code production, from external networks. This is as appropriate for protecting open source products from damage as it is for protecting proprietary products from theft. In fact, many private nets don't connect to the internet. SWIFT, the Society for Worldwide Interchange and Funds Transfer, is a case in point. Isolation provides strong security and we're not likely to stop doing it anytime soon, but it is inappropriate for all cases. That's why we use multi-homed firewalls to interconnect the internet to a DMZ for the servers that provide internet services and to the internal firewalls that protect local area networks. This works pretty well, even better since IP Tables came along, and the proof is that most of the systems compromised by intruders either lack such protection, or don't have it configured properly. Wouldn't it be nice to have a general purpose operating system that could be pruned and tuned for optimal performance on isolated systems, firewalls, servers, workstations, or laptops for road warriors? Oh, and it must be open source, because we can't validate system security unless we can audit the code. Certification requires certainty. A number of operating systems meet these criteria. One candidate is Linux (a. k. a. non-SELinux). If I have to roll my own distro from Fedora in order to optimize performance by removing unnecessary subsystems, such as mandatory access control on an isolated system, then Fedora is no longer a general purpose system and it is no longer Linux, now it is SELinux. These comments are offered in the spirit of constructive criticism. I'm grateful you declared your bias, for your spirited defence of your product and very grateful SELinux was contributed to the open source community, warts and all. However, SELinux isn't the only possible implementation of mandatory access control for Linux (cf. 
sHype). If my criticisms are valid, SELinux must either be improved, or it'll be replaced by a better implementation. Perhaps I'm wrong. Time will tell. Meanwhile, thanks for listening. From TobyD at wolke7.net Thu Jun 23 22:44:39 2005
From: TobyD at wolke7.net (Tobias) Date: Fri, 24 Jun 2005 00:44:39 +0200 (MEST) Subject: Individual Domains for Particular PHP Scripts. References: <42BAE2EA.7070307@redhat.com> Message-ID: <27641.1119566679@www39.gmx.net>
Hi Daniel, hi Maillist,
> A better approach would be to create a te file with the following
>
> more domains/program/myphp.te
> #myphp.te
> apache_domain(myphp)
>
> And
> more file_contexts/program/myphp.fc
> /var/www/cgi-bin/myphp -- system_u:object_r:httpd_myphp_script_exec_t
>
It doesn't work, or we misunderstood each other.

#cat myphp.te
apache_domain(myphp_a);
apache_domain(myphp_b);

# ls -laZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_myphp_a_script_exec_t a.php
-rw-r--r-- root root system_u:object_r:httpd_myphp_b_script_exec_t b.php

# cat /var/www/html/a.php

Script a.php will try to open (read) script b.php. My goal is to protect/separate script b.php from script a.php and a.php from b.php, so that when one is buggy, it cannot access the other script (the same scenario as mentioned above at http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains, but there they are .cgi scripts and here .php).

A thought crossed my mind: I'll assign individual domains to a.php and b.php and use a domain_auto_trans, so that a requested a.php transits automatically from httpd_t into its new domain, and an access denied then occurs when it tries to read b.php with its new type. With Daniel's proposal to use the macro apache_domain(myphp_X) it doesn't work. a.php still opens b.php.

Have you any idea how to fix that? Thanks! :)
Toby
From walters at redhat.com Fri Jun 24 00:22:25 2005
From: walters at redhat.com (Colin Walters)
Date: Thu, 23 Jun 2005 20:22:25 -0400
Subject: Individual Domains for Particular PHP Scripts.
In-Reply-To: <2392.1119523840@www2.gmx.net>
References: <10906.1119523511@www2.gmx.net> <2392.1119523840@www2.gmx.net>
Message-ID: <1119572545.3611.3.camel@nexus.verbum.private>

On Thu, 2005-06-23 at 12:50 +0200, TobyD at wolke7.net wrote:
> Hi SELinux users!
>
> I've read:
> http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains

Need to update that for FC4...soon, hopefully :)

> What's wrong in my policy? Doesn't the domain auto transition work
> properly? How do I separate PHP scripts into their own domains?

Are these PHP scripts actually being executed as separate processes?

SELinux policy is applied at the level of processes; there is no builtin mechanism for confining different PHP scripts that run in the same httpd process. It would be possible to achieve some level of security by using dynamic domain transitions e.g. with an Apache module, but no one has written it yet.

From maillist at wolke7.net Fri Jun 24 01:05:35 2005
From: maillist at wolke7.net (Tobias)
Date: Fri, 24 Jun 2005 03:05:35 +0200 (MEST)
Subject: Individual Domains for Particular PHP Scripts.
References: <1119572545.3611.3.camel@nexus.verbum.private>
Message-ID: <1389.1119575135@www49.gmx.net>

Hi Colin, hi ML,

> > http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains
>
> Need to update that for FC4...soon, hopefully :)

:)

> > What's wrong in my policy? Doesn't the domain auto transition work
> > properly? How do I separate PHP scripts into their own domains?
>
> Are these PHP scripts actually being executed as separate processes?
>
> SELinux policy is applied at the level of processes; there is no builtin
> mechanism for confining different PHP scripts that run in the same httpd
> process. It would be possible to achieve some level of security by
> using dynamic domain transitions e.g. with an Apache module, but no one
> has written it yet.

I have a bit of experience with domain_auto_trans for executable binaries (flow: user_t -> execute binary -> newtype_t -> other rights than user_t) and I hoped apache and php scripts are similar (flow: httpd_t -> execute script -> httpd_new_t -> other rights than httpd_t).

See my previous email (reply to Daniel Walsh), please.

TIA :)

Toby

From r.penco at scasinet.com Fri Jun 24 07:58:22 2005
From: r.penco at scasinet.com (Riccardo Penco)
Date: Fri, 24 Jun 2005 09:58:22 +0200
Subject: problem connecting to a sql server (httpd / php / freetds )
Message-ID: <42BBBD1E.5070106@scasinet.com>

Hi all,

It's the first time I write to this list. I'm absolutely not a SELinux expert, so I apologize if my question is poor (and for my English).

I'm running a server with FC3 (fully updated). I wrote php scripts which connect to a MS-SQL Server 2k with FreeTDS (I installed the binary downloaded from http://phprpms.sf.net). They worked right.

This morning (after a reboot of the Linux server), the scripts can no longer connect to the sql server; in /var/log/messages these avc lines appear when I try to connect:

kernel: audit(1119598362.919:0): avc: denied { connect } for pid=3571 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket

Can anybody help me understand where the problem is?

Thank you very much

Riki

From sds at tycho.nsa.gov Fri Jun 24 12:16:14 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 24 Jun 2005 08:16:14 -0400
Subject: Individual Domains for Particular PHP Scripts.
In-Reply-To: <1389.1119575135@www49.gmx.net>
References: <1119572545.3611.3.camel@nexus.verbum.private> <1389.1119575135@www49.gmx.net>
Message-ID: <1119615374.12865.50.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-06-24 at 03:05 +0200, Tobias wrote:
> I have a bit of experience with domain_auto_trans for executable binaries
> (flow: user_t -> execute binary -> newtype_t -> other rights than user_t)
> and I hoped apache and php scripts are similar
> (flow: httpd_t -> execute script -> httpd_new_t -> other rights than httpd_t).
>
> See my previous email (reply to Daniel Walsh), please.

Depends on whether apache forks and execs the interpreter in a separate process, or just directly executes an interpreter in its own process (via mod_php). My impression was that php is typically run in-process by apache, thus you couldn't change domains for it without introducing some kind of mod_dyntras module that performs a dynamic domain transition in the apache process.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri Jun 24 12:30:25 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 24 Jun 2005 08:30:25 -0400
Subject: problem connecting to a sql server (httpd / php / freetds )
In-Reply-To: <42BBBD1E.5070106@scasinet.com>
References: <42BBBD1E.5070106@scasinet.com>
Message-ID: <1119616225.12865.67.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-06-24 at 09:58 +0200, Riccardo Penco wrote:
> kernel: audit(1119598362.919:0): avc: denied { connect } for pid=3571
> exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t
> tcontext=user_u:system_r:httpd_t tclass=tcp_socket
>
> Can anybody help me understand where the problem is?

/usr/sbin/getsebool -a | grep httpd

--
Stephen Smalley
National Security Agency

From r.penco at scasinet.com Fri Jun 24 13:07:10 2005
From: r.penco at scasinet.com (Riccardo Penco)
Date: Fri, 24 Jun 2005 15:07:10 +0200
Subject: problem connecting to a sql server (httpd / php / freetds )
In-Reply-To: <1119616225.12865.67.camel@moss-spartans.epoch.ncsc.mil>
References: <42BBBD1E.5070106@scasinet.com> <1119616225.12865.67.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <42BC057E.8000804@scasinet.com>

Stephen Smalley ha scritto:
> On Fri, 2005-06-24 at 09:58 +0200, Riccardo Penco wrote:
>
> /usr/sbin/getsebool -a | grep httpd
>

Thanks for your prompt answer. Here is what I get:

httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive <--------
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active

Is the problem related to the second line?

From sds at tycho.nsa.gov Fri Jun 24 13:07:42 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 24 Jun 2005 09:07:42 -0400
Subject: problem connecting to a sql server (httpd / php / freetds )
In-Reply-To: <42BC057E.8000804@scasinet.com>
References: <42BBBD1E.5070106@scasinet.com> <1119616225.12865.67.camel@moss-spartans.epoch.ncsc.mil> <42BC057E.8000804@scasinet.com>
Message-ID: <1119618462.12865.69.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-06-24 at 15:07 +0200, Riccardo Penco wrote:
> Thanks for your prompt answer. Here is what I get:
>
> httpd_builtin_scripting --> active
> httpd_can_network_connect --> inactive <--------
> httpd_disable_trans --> inactive
> httpd_enable_cgi --> active
> httpd_enable_homedirs --> active
> httpd_ssi_exec --> active
> httpd_tty_comm --> inactive
> httpd_unified --> active
>
> Is the problem related to the second line?

Yes.

/usr/sbin/setsebool -P httpd_can_network_connect=1

--
Stephen Smalley
National Security Agency

From r.penco at scasinet.com Fri Jun 24 13:24:51 2005
From: r.penco at scasinet.com (Riccardo Penco)
Date: Fri, 24 Jun 2005 15:24:51 +0200
Subject: problem connecting to a sql server (httpd / php / freetds )
In-Reply-To: <1119618462.12865.69.camel@moss-spartans.epoch.ncsc.mil>
References: <42BBBD1E.5070106@scasinet.com> <1119616225.12865.67.camel@moss-spartans.epoch.ncsc.mil> <42BC057E.8000804@scasinet.com> <1119618462.12865.69.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <42BC09A3.3050207@scasinet.com>

Stephen Smalley ha scritto:
> On Fri, 2005-06-24 at 15:07 +0200, Riccardo Penco wrote:
>
> Yes.
>
> /usr/sbin/setsebool -P httpd_can_network_connect=1
>

OK, it works!!

Now ... how can I make it permanent so that httpd_can_network_connect=1 after a reboot?

thanks

Riki

From walters at redhat.com Fri Jun 24 14:22:23 2005
From: walters at redhat.com (Colin Walters)
Date: Fri, 24 Jun 2005 10:22:23 -0400
Subject: problem connecting to a sql server (httpd / php / freetds )
In-Reply-To: <42BC09A3.3050207@scasinet.com>
References: <42BBBD1E.5070106@scasinet.com> <1119616225.12865.67.camel@moss-spartans.epoch.ncsc.mil> <42BC057E.8000804@scasinet.com> <1119618462.12865.69.camel@moss-spartans.epoch.ncsc.mil> <42BC09A3.3050207@scasinet.com>
Message-ID: <1119622944.20200.1.camel@nexus.verbum.private>

On Fri, 2005-06-24 at 15:24 +0200, Riccardo Penco wrote:
> Stephen Smalley ha scritto:
> > On Fri, 2005-06-24 at 15:07 +0200, Riccardo Penco wrote:
> >
> > Yes.
> >
> > /usr/sbin/setsebool -P httpd_can_network_connect=1
> >
>
> OK, it works!!
>
> Now ... how can I make it permanent so that httpd_can_network_connect=1
> after a reboot?

-P means permanent, so the boolean should remain set after reboot.

From maillist at wolke7.net Fri Jun 24 14:24:11 2005
From: maillist at wolke7.net (Tobias)
Date: Fri, 24 Jun 2005 16:24:11 +0200 (MEST)
Subject: Individual Domains for Particular PHP Scripts.
References: <1119615374.12865.50.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <8626.1119623051@www63.gmx.net>

Hi Stephen, hi ML,

> On Fri, 2005-06-24 at 03:05 +0200, Tobias wrote:
> > I have a bit of experience with domain_auto_trans for executable binaries
> > (flow: user_t -> execute binary -> newtype_t -> other rights than user_t)
> > and I hoped apache and php scripts are similar
> > (flow: httpd_t -> execute script -> httpd_new_t -> other rights than httpd_t).
> >
> > See my previous email (reply to Daniel Walsh), please.
>
> Depends on whether apache forks and execs the interpreter in a separate
> process, or just directly executes an interpreter in its own process
> (via mod_php). My impression was that php is typically run in-process
> by apache, thus you couldn't change domains for it without introducing
> some kind of mod_dyntras module that performs a dynamic domain
> transition in the apache process.

I see. This means that my goal is only possible when using php as a cgi module, or?

Thanks for the clarification! Now I know my way.

Maybe Colin can write examples in his update for "Understanding and Customizing the Apache HTTP SELinux Policy" ;)

Cheers

Toby

> --
> Stephen Smalley
> National Security Agency

From sds at tycho.nsa.gov Fri Jun 24 14:38:41 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 24 Jun 2005 10:38:41 -0400
Subject: Individual Domains for Particular PHP Scripts.
In-Reply-To: <8626.1119623051@www63.gmx.net>
References: <1119615374.12865.50.camel@moss-spartans.epoch.ncsc.mil> <8626.1119623051@www63.gmx.net>
Message-ID: <1119623921.12865.83.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-06-24 at 16:24 +0200, Tobias wrote:
> I see. This means that my goal is only possible when using php as a cgi
> module, or?

Yes, any mechanism that causes it to exec the script in a separate process. Looks like there is some information at http://www.php.net/manual/en/security.cgi-bin.php FWIW.

> Thanks for the clarification! Now I know my way.
>
> Maybe Colin can write examples in his update for
> "Understanding and Customizing the Apache HTTP SELinux Policy" ;)

Yes. It would also likely be an interesting project for someone to try writing an apache module that uses setcon() to perform a dynamic context transition for scripts that are directly run by apache, so that they could at least run with reduced permissions. exec-based transitions are certainly preferable, but that may not be an option for everyone.

--
Stephen Smalley
National Security Agency

From rnicholsNOSPAM at comcast.net Fri Jun 24 14:42:10 2005
From: rnicholsNOSPAM at comcast.net (Robert Nichols)
Date: Fri, 24 Jun 2005 09:42:10 -0500
Subject: Deleting file contexts
Message-ID:

I'm running with selinux=0 and would like to delete the no longer updated security contexts from my file systems. Is there a way to do that short of mke2fs + restore from backup?

--
Bob Nichols
Yes, "NOSPAM" is really part of my email address.

From fedora at transposed.org Fri Jun 24 20:36:23 2005
From: fedora at transposed.org (Alex Charrett)
Date: Fri, 24 Jun 2005 21:36:23 +0100 (BST)
Subject: dhcpd with selinux-policy-targeted-1.17.30-3.9 in FC3
Message-ID:

Hi All,

Ever since I've upgraded to selinux-policy-targeted-1.17.30-3.9 in FC3, selinux seems to be preventing me starting dhcpd:

audit(1119637866.872:0): avc: denied { name_bind } for pid=3842 exe=/usr/sbin/dhcpd src=67 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket

Running audit2allow over this gives me the following:

allow dhcpd_t reserved_port_t:udp_socket name_bind;

But I can't work out what configuration file to put this in; any pointers would be much appreciated.

Is there any reason updating the policy should prevent dhcpd from running, was that the intention? It certainly would seem like a funny thing to do to me.

Cheers,

Alex.

From rich at storix.com Fri Jun 24 23:36:49 2005
From: rich at storix.com (rich turner)
Date: Fri, 24 Jun 2005 16:36:49 -0700
Subject: unable to login
Message-ID: <1119656209.4573.83.camel@rich>

I am attempting to login as a normal user (fedora core 4) but am receiving the following error message:

su[1697]:Warning! Could not relabel /dev/console with user_u:object_r:console_su:/bin/bash:Permission denied

This does not happen when I login as root or when I "setenforce 0".

Anyone have any ideas?

I am attempting to login as a normal user (fc4 system) but I am receiving the following error message:

su[1697]:Warning! Could not relabel /dev/console with user_u:object_r:console_su:/bin/bash:Permission denied

This does not happen when I login as root or when I "setenforce 0". I know I will not have any problems if I turn selinux off, but I also lose the extra security.

Anyone have any ideas?

From ivg2 at cornell.edu Fri Jun 24 23:40:14 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Fri, 24 Jun 2005 19:40:14 -0400
Subject: dhcpd with selinux-policy-targeted-1.17.30-3.9 in FC3
In-Reply-To:
References:
Message-ID: <1119656414.32167.3.camel@localhost.localdomain>

> audit(1119637866.872:0): avc: denied { name_bind } for pid=3842
> exe=/usr/sbin/dhcpd src=67 scontext=root:system_r:dhcpd_t
> tcontext=system_u:object_r:reserved_port_t tclass=udp_socket

This was fixed in rawhide strict, and possibly targeted, but I guess the fix hasn't been pushed to updates.

--
Ivan Gyurdiev
Cornell University

From alex at transposed.org Fri Jun 24 20:32:45 2005
From: alex at transposed.org (Alex Charrett)
Date: Fri, 24 Jun 2005 21:32:45 +0100 (BST)
Subject: dhcpd with selinux-policy-targeted-1.17.30-3.9 in FC3
Message-ID:

Hi All,

Ever since I've upgraded to selinux-policy-targeted-1.17.30-3.9 in FC3, selinux seems to be preventing me starting dhcpd:

audit(1119637866.872:0): avc: denied { name_bind } for pid=3842 exe=/usr/sbin/dhcpd src=67 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket

Running audit2allow over this gives me the following:

allow dhcpd_t reserved_port_t:udp_socket name_bind;

But I can't work out what configuration file to put this in; any pointers would be much appreciated.

Is there any reason updating the policy should prevent dhcpd from running, was that the intention?

Cheers,

Alex.

From christofer.c.bell at gmail.com Sat Jun 25 03:35:46 2005
From: christofer.c.bell at gmail.com (Christofer C. Bell)
Date: Fri, 24 Jun 2005 22:35:46 -0500
Subject: unable to login
In-Reply-To: <1119656209.4573.83.camel@rich>
References: <1119656209.4573.83.camel@rich>
Message-ID: <143f0f6c050624203516a4abc2@mail.gmail.com>

On 6/24/05, rich turner wrote:
> I am attempting to login as a normal user (fedora core 4) but am
> receiving the following error message:
>
> su[1697]:Warning! Could not relabel /dev/console with
> user_u:object_r:console_su:/bin/bash:Permission denied
>
> This does not happen when I login as root or when I "setenforce 0".
>
> Anyone have any ideas?

I admit that I don't know what the issue is, but I would suggest the following: get root access on the machine (whether you need to disable SELinux for that or not for a root login, I don't know), touch /.autorelabel, and reboot. This will ensure that every file on your system is labeled with the correct SELinux security context. It will be easier to move forward from there with troubleshooting if your environment is in a known state.

--
Chris

"With the way things are starting to go in this country, if forced to choose between being caught with a van full of pirated DVDs or heroin you'd actually have to pause and think about it." -- Michael Bell, drunkenblog.com

From treed at ultraviolet.org Sat Jun 25 08:23:04 2005
From: treed at ultraviolet.org (Tracy R Reed)
Date: Sat, 25 Jun 2005 15:23:04 +0700
Subject: SE Linux lacks proper user notification for security violations
Message-ID: <42BD1468.8030301@ultraviolet.org>

Hello all!

Yesterday I ran into a very odd problem which I think highlights a serious weakness in the current selinux implementation. A newbie linux/web developer was testing a perl based cgi on his fedora box. If he put the cgi program in /var/www/cgi-bin it would not produce any output nor error messages. It just seemed to exit. If he ran it from his ~/ it produced the expected output. It took me a good 15 min of scratching my head over this before I realized this must be an selinux thing due to the context of the cgi-bin dir and of course I was right.

This highlights a serious concern of mine: Lots of time is being wasted tracking down strange problems because the only place SE Linux has to report security errors is in dmesg and the system log. When the cgi program would not produce any output at all it was not even obvious that it was a security problem. This is not acceptable for general use. My users won't think to check the system log for possible security policy violations relating to their activities and even I often forget to do it because security policy violation is often not the first thing that comes to my mind when something like this happens. And even if we do think of it, we should not have to go check the logs every time something odd happens suspecting SE Linux. It should be immediately obvious.

Traditionally when there is a security policy violation you get a "permission denied" on the tty. We have got to find a way to make an error appear on the tty associated with the process that caused the violation. I think I am going to look into setting up syslog to log all such security messages to all tty's until I can find a better solution. But what is the better solution? I suspect that now that we have a very granular way of specifying security policy we will need a more granular way to report errors back to the user.

I am having a rather difficult time selling SE Linux in my business due to issues like this. People really hate it when this cool new security feature causes things to fail in dark and mysterious ways. I have been forced to disable it on all of our machines lest we have a developer uprising.

--
Tracy R Reed
http://ultraviolet.org

From bojan at rexursive.com Sat Jun 25 09:11:14 2005
From: bojan at rexursive.com (Bojan Smojver)
Date: Sat, 25 Jun 2005 19:11:14 +1000
Subject: Weird denials at initialisation on FC4
Message-ID: <1119690674.2512.13.camel@coyote.rexursive.com>

First a bit of background. I have been experimenting on this system with suspend2 patches, which caused my root filesystem (which sits on /dev/hda2) to go nuts (probably not the fault of suspend2 patches, but rather my unusual experiments with it). The file system check would report "Resize inode invalid", which appears to be one of those conditions where e2fsck doesn't know what to do and gives up.

Anyway, after a while and because I could still mount that file system, I decided to copy all files to another file system (from the rescue mode), recreate the file system and copy all the files back, while preserving ownership, permissions, attributes etc. After that, I started my system with selinux=0, which stuffed up (on purpose) some SELinux attributes, which then forced relabelling on the next reboot. Just to be sure I'm back on the baseline.

All right, one would think that I would have a fully working system and no issues whatsoever after this with targeted policy. Well, everything I do actually does work, it's just that I get the following strange stuff happening at boot:

------------------------------------------------
security: 3 users, 6 roles, 775 types, 89 bools
security: 55 classes, 183262 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1119689719.414:2): avc: denied { search } for pid=465 comm="hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
audit(1119689719.420:3): avc: denied { search } for pid=468 comm="default.hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
audit(1119689719.427:4): avc: denied { search } for pid=466 comm="hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
audit(1119689719.434:5): avc: denied { search } for pid=470 comm="default.hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
[... SNIP ...]
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
------------------------------------------------

The above denials actually go on for 40 lines. They all appear to be referring to inode 439777 on /dev/hda2, which I could not locate with find.

Anyone have any ideas as to what's going on here?

--
Bojan

From linux_4ever at yahoo.com Sat Jun 25 12:48:21 2005
From: linux_4ever at yahoo.com (Steve G)
Date: Sat, 25 Jun 2005 05:48:21 -0700 (PDT)
Subject: SE Linux lacks proper user notification for security violations
In-Reply-To: <42BD1468.8030301@ultraviolet.org>
Message-ID: <20050625124821.88890.qmail@web51509.mail.yahoo.com>

Hi,

>This highlights a serious concern of mine: Lots of time is being wasted
>tracking down strange problems because the only place SE Linux has to
>report security errors is in dmesg and the system log.

The avc denial goes to the kernel audit system. It in turn decides whether to send it to the audit daemon or syslog. The audit daemon is the preferred disposition for avc messages.

>When the cgi program would not produce any output at all it was not
>even obvious that it was a security problem.

This problem is really caused by the fact that cgi programs should not output errors or you will draw the attention of hackers. The rule of the road is that each program is responsible for reporting its own errors.

>Traditionally when there is a security policy violation you get a
>"permission denied" on the tty.

And guess who is responsible for writing that message? It's not the kernel.

>We have got to find a way to make an error appear on the tty associated
>with the process that caused the violation. I think I am going to look
>into setting up syslog to log all such security messages to all tty's
>until I can find a better solution.

A better solution is to check the return code of any OS related syscall and write the error to a log. This is what I do when I write cgi-bin apps. You can't write them to stdout or you are asking to be hacked.

>But what is the better solution? I suspect that now that we have a very
>granular way of specifying security policy we will need a more granular
>way to report errors back to the user.

tail -f /var/log/audit/audit.log will show you something in realtime. The audit daemon will be getting some event dispatcher code over the next month or two. This will help out as you could have a client app that writes it to the console for you.

>I am having a rather difficult time selling SE Linux in my business due
>to issues like this. People really hate it when this cool new security
>feature causes things to fail in dark and mysterious ways. I have been
>forced to disable it on all of our machines lest we have a developer
>uprising.

Your problem is not really SE Linux, it's that every syscall needs to have its return code checked. Your applications need to handle errors in a way that you can do post-mortem analysis. If it reports permission denied, you should take a look at file permissions and review audit events. It really is that simple.

I think you can use dmesg -n xx to make syslog messages appear on the console, too. Maybe that will help in the interim?

Hope this helps...

-Steve Grubb

From Valdis.Kletnieks at vt.edu Sat Jun 25 13:21:35 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sat, 25 Jun 2005 09:21:35 -0400
Subject: SE Linux lacks proper user notification for security violations
In-Reply-To: Your message of "Sat, 25 Jun 2005 15:23:04 +0700." <42BD1468.8030301@ultraviolet.org>
References: <42BD1468.8030301@ultraviolet.org>
Message-ID: <200506251321.j5PDLacR004313@turing-police.cc.vt.edu>

On Sat, 25 Jun 2005 15:23:04 +0700, Tracy R Reed said:
> Yesterday I ran into a very odd problem which I think highlights a
> serious weakness in the current selinux implementation. A newbie
> linux/web developer was testing a perl based cgi on his fedora box

This isn't a serious weakness in SELinux. This is a serious weakness in the way you train your newbie developers.

> This highlights a serious concern of mine: Lots of time is being wasted
> tracking down strange problems because the only place SE Linux has to
> report security errors is in dmesg and the system log.

And where *else* is your Apache supposed to write things, besides the various system log files? ;)

> Traditionally when there is a security policy violation you get a
> "permission denied" on the tty. We have got to find a way to make an
> error appear on the tty associated with the process that caused the
> violation. I think I am going to look into setting up syslog to log all
> such security messages to all tty's until I can find a better solution.

If you're not getting a "permission denied", that means that *your* code failed to check the return code of a syscall and call perror() (or language equivalent) if needed. Don't blame SELinux for your failure to write correct code. What would you have wanted the system to do at that same line of code, if the rejection was due to the file being chmod'ed or chown/chgrp to the wrong value?

Just as an aside: You want "make an error appear on the tty associated". Now think this through - if the problem had been the *reverse* (works when run from ~/, but fails when it's in the system cgi-bin and called by Apache), where exactly is the "associated TTY"? Hand the error message back to the browser of the attacker in some eastern European country? How smart is *that*? ;)

> But what is the better solution? I suspect that now that we have a very
> granular way of specifying security policy we will need a more granular
> way to report errors back to the user.

Better solution:

1) Tell your programmers to (a) test the return values of system calls and (b) *call perror() if something fails*. Remember - "permission denied" messages come from *your program*, not the system.

2) If you get "permission denied", the traditional solution has been to do an 'ls -l' of the target and ponder the mode/uid/gid. Replace that with: do an 'ls -lZ' of the target and ponder the mode/uid/gid/context.

For your newbie Perl programmers, the proper solution is to replace all your:

open (FOO, $file);

with

open (FOO, $file) || die "Failed trying to open $file - $!, stopped";

If 'die' is too heavy-weight, at least use 'warn'.

> I am having a rather difficult time selling SE Linux in my business due
> to issues like this. People really hate it when this cool new security
> feature causes things to fail in dark and mysterious ways. I have been
> forced to disable it on all of our machines lest we have a developer
> uprising.

Developers riot when forced to write proper code. Film at 11.

Unfortunately, if your organization has decided that letting the coders write slack code is more important than security, SELinux is probably the wrong choice for you, and both you and us are probably better off if you don't use it. There's no amount of magic pixie dust we can sprinkle over SELinux to make it do proper security on systems where programmers are writing code that doesn't even bother checking return codes. Unfortunately, that's true of *any* security system.
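Steve's advice to watch the audit log and the audit2allow output quoted in the dhcpd thread both come down to reading avc lines like the ones pasted in this and the neighbouring threads. The Python below is an added example, not code from the list: it parses the old audit(...)-prefixed denial format, collapses repeats into one audit2allow-style rule per (source type, target type, class), and attaches the triage hint the threads themselves arrived at (label problem, boolean, or hidden mount point) so that a rule is not blindly loaded. The sample log is constructed from lines quoted on the list plus one unrelated line the parser must ignore.

```python
"""Parse and triage SELinux AVC denials (old audit(...) syslog format).
Added example for the list archive, not code from any poster."""
import re
from collections import OrderedDict
from dataclasses import dataclass, field

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: denial lines quoted in the threads plus one
# unrelated syslog line that must be ignored.
SAMPLE_LOG = """\
kernel: audit(1119598362.919:0): avc: denied { connect } for pid=3571 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
audit(1119637866.872:0): avc: denied { name_bind } for pid=3842 exe=/usr/sbin/dhcpd src=67 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
audit(1119689719.414:2): avc: denied { search } for pid=465 comm="hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
audit(1119689719.420:3): avc: denied { search } for pid=468 comm="default.hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { search } for pid=20700 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { getattr } for pid=20700 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:30 pocono sshd[2222]: Accepted publickey for bob from 192.0.2.10
"""


@dataclass
class AvcDenial:
    perms: list
    fields: dict = field(default_factory=dict)

    def _type(self, key):
        # A context is user:role:type (an MLS range may follow as a 4th part).
        return self.fields[key].split(':')[2]

    @property
    def stype(self):
        return self._type('scontext')

    @property
    def ttype(self):
        return self._type('tcontext')

    @property
    def tclass(self):
        return self.fields['tclass']


def parse_avc(line):
    """Return an AvcDenial for one log line, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return AvcDenial(m.group(1).split(), fields)


def collapse(denials):
    """Merge repeated denials as audit2allow does: one entry per
    (source type, target type, class) holding the union of permissions."""
    merged = OrderedDict()
    for d in denials:
        perms = merged.setdefault((d.stype, d.ttype, d.tclass), [])
        for p in d.perms:
            if p not in perms:
                perms.append(p)
    return merged


def allow_rule(stype, ttype, tclass, perms):
    """Render the rule audit2allow would print for a collapsed denial."""
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {stype} {ttype}:{tclass} {perm_str};'


def triage(d, perms):
    """Flag denials that are a labeling or boolean problem rather than a
    missing rule, using the diagnoses the threads reached."""
    if d.ttype == 'default_t':
        return ('target is default_t (unlabeled or mislabeled object): relabel it, '
                'as with the /proc -> proc_t fix in the thread, rather than allowing')
    if d.stype == 'httpd_t' and d.tclass == 'tcp_socket' and 'connect' in perms:
        return 'governed by a boolean: setsebool -P httpd_can_network_connect=1'
    if d.stype == 'httpd_t' and d.ttype == 'user_home_t':
        return ('httpd reaching home-directory content; served content in the '
                'thread is labeled httpd_sys_content_t, so check the label of the '
                'aliased directory and the httpd_enable_homedirs boolean first')
    if 'ino' in d.fields and 'dev' in d.fields:
        return (f"object is inode {d.fields['ino']} on {d.fields['dev']}; if find "
                "cannot locate it, it may be a mount point hidden by a later mount")
    return 'no canned fix; review the generated rule before loading it'


def report(log_text):
    """Return (rule, hint) pairs, one per distinct denial in log_text."""
    denials = [d for d in map(parse_avc, log_text.splitlines()) if d]
    rows = []
    for key, perms in collapse(denials).items():
        first = next(d for d in denials if (d.stype, d.ttype, d.tclass) == key)
        rows.append((allow_rule(*key, perms), triage(first, perms)))
    return rows


if __name__ == '__main__':
    for rule, hint in report(SAMPLE_LOG):
        print(rule)
        print('    #', hint)
```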
From Valdis.Kletnieks at vt.edu Sat Jun 25 13:27:51 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sat, 25 Jun 2005 09:27:51 -0400
Subject: Weird denials at initialisation on FC4
In-Reply-To: Your message of "Sat, 25 Jun 2005 19:11:14 +1000." <1119690674.2512.13.camel@coyote.rexursive.com>
References: <1119690674.2512.13.camel@coyote.rexursive.com>
Message-ID: <200506251327.j5PDRpT9004640@turing-police.cc.vt.edu>

On Sat, 25 Jun 2005 19:11:14 +1000, Bojan Smojver said:
> The above denials actually go on for 40 lines. They all appear to be
> referring to inode 439777 on /dev/hda2, which I could not locate with
> find.
>
> Anyone have any ideas as to what's going on here?

Most likely, the context on a mount point is stuffed up, so what happens is:

1) You get the error on the /usr directory (or whichever one it is) because *that* directory (inode 439777) is stuffed.
2) You get further in rc.sysinit, and something gets mounted over /usr.
3) Now you can't find the inode anymore, because it's been mounted over.

Try booting off a rescue CD, and mounting your / partition *only*, and then see if you can find that inode. I bet it's a mount point.

(Been there, done that - ended up using the rescue CD to chcon the mount points).

From bojan at rexursive.com Sun Jun 26 01:57:26 2005
From: bojan at rexursive.com (Bojan Smojver) Date: Sun, 26 Jun 2005 11:57:26 +1000 Subject: Weird denials at initialisation on FC4 In-Reply-To: <200506251327.j5PDRpT9004640@turing-police.cc.vt.edu> References: <1119690674.2512.13.camel@coyote.rexursive.com> <200506251327.j5PDRpT9004640@turing-police.cc.vt.edu> Message-ID: <20050626115726.0u4y59jlc04kksk0@imp.rexursive.com> Quoting Valdis.Kletnieks at vt.edu: > Most likely, the context on a mount point is stuffed up, so what happens is: > > 1) You get the error on the /usr directory (or whichever one it is) because > *that* directory (inode 439777) is stuffed. > 2) You get further in rc.sysinit, and something gets mounted over /usr. > 3) Now you can't find the inode anymore, because it's been mounted over. > > Try booting off a rescue CD, and mounting your / partition *only*, and then > see if you can find that inode. I bet it's a mount point. > > (Been there, done that - ended up using the rescue CD to chcon the > mount points). Thanks, that did it! The culprit? /proc. It needed to be relabelled to proc_t. -- Bojan From tdiehl at rogueind.com Sun Jun 26 02:51:54 2005 
From: tdiehl at rogueind.com (Tom Diehl) Date: Sat, 25 Jun 2005 22:51:54 -0400 (EDT) Subject: Big brother and httpd Message-ID:
Hi,

I am trying to get Big Brother working on EL4. I have the following in the httpd.conf

Alias /bb /home/bb/bb/www

With SELinux enabled I get the following in the logs when I try to access the BB web page:

Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { search } for pid=20700 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { getattr } for pid=20700 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { search } for pid=23158 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { getattr } for pid=23158 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir

If I disable SELinux for apache, I can access the BB web pages just fine.

I relabeled /home/bb/bb/www but I still get the errors.
(pocono pts31) # ll -Z ~bb/bb/www
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-ack.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-hist.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-histlog.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-hostsvc.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-rep.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-replog.sh
-rw-rw-r--  bb  bb  user_u:object_r:user_home_t       bb.html
-rw-rw-r--  bb  bb  user_u:object_r:user_home_t       bb2.html
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t gifs
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t help
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t html
-rw-r--r--  bb  bb  root:object_r:httpd_sys_content_t index.html
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t newbldg
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t notes
drwxrwxr-x  bb  apache  root:object_r:httpd_sys_content_t rep
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t reynolds
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t rogueind
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t routers
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t xo
(pocono pts31) #

I tried relabeling bb.html and bb2.html but they keep reverting to user_u:object_r:user_home_t. I suspect this is my problem but I am new to SELinux so I am not sure.

Can someone suggest how to fix this?

Regards,

Tom Diehl tdiehl at rogueind.com Spamtrap address mtd123 at rogueind.com
From adrier at acm.org Sun Jun 26 03:08:35 2005
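An added triage helper, not part of this thread: it parses AVC denial lines of the form quoted above into their fields, groups them by source type, target type and object class, and attaches the labeling check the thread converges on (ls -Z / matchpathcon / restorecon). The embedded sample is the denials quoted in this message plus the losetup and dhcpd lines quoted later in the archive, joined into single lines.

```python
import re
from collections import defaultdict

# Sample input: the denial lines quoted in this archive (Big Brother/httpd,
# losetup and dhcpd messages), each joined into a single line.
SAMPLE_LOG = """\
Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { search } for pid=20700 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { getattr } for pid=20700 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { search } for pid=23158 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { getattr } for pid=23158 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
audit(1118949662.609:50): avc: denied { search } for pid=24032 comm="losetup" name=root dev=dm-0 ino=1775393 scontext=root:system_r:fsadm_t tcontext=root:object_r:user_home_dir_t tclass=dir
audit(1119870654.402:0): avc: denied { read } for pid=3242 exe=/usr/sbin/dhcpd name=dhcpd.leases dev=md1 ino=476194 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file
"""

# avc: denied { perm perm ... } for key=value key="quoted value" ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')  # comm="losetup" -> losetup
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type, the part the policy rules are written on."""
    return ctx.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "objects": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        # the kernel reports either a full path or only the last component plus dev/inode
        g["objects"].add(rec.get("path") or rec.get("name") or "ino=" + rec.get("ino", "?"))
    return dict(groups)


def triage(summary):
    """One line per group, with the labeling check this thread arrived at."""
    lines = []
    for (stype, ttype, tclass), g in sorted(summary.items()):
        if ttype == "file_t":
            hint = "target is unlabeled (file_t): compare matchpathcon with ls -Z, then restorecon"
        elif ttype.startswith("user_home"):
            hint = "target carries a home-directory label: relabel it, or keep the content out of home directories"
        else:
            hint = "target label is not obviously wrong: review the policy for this domain"
        perms = " ".join(sorted(g["perms"]))
        objects = ", ".join(sorted(g["objects"]))
        lines.append(f"{stype} -> {ttype} ({tclass}): {g['count']}x {perms} on {objects}; {hint}")
    return lines


if __name__ == "__main__":
    for line in triage(summarize(SAMPLE_LOG)):
        print(line)
```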
From: adrier at acm.org (Abe Drier) Date: Sat, 25 Jun 2005 23:08:35 -0400 Subject: Problem encountered with x-windows in Fedora FC4 Message-ID: <1119755315.4227.24.camel@acs.name> I'll begin by mentioning my system works fine under FC3. I currently have a dual boot system with FC3 and FC4. Trying to do the clean FC4 install using the windowing option resulted in a white screen. Retried the installation in text mode and the installation completed successfully. When the system booted, post installation, the same white screen reappeared. Rebooted with "init 3" to come up in text mode. Only one anomaly was noted. About every fifth keyboard entry results in the appearance of one white square character in the center of the screen that lasts for one keystroke. Tried "startx" and was confronted with the white screen. Switching to a virtual console results in a confused mess of blue and gray box characters. Can log in successfully after which the screen has a blue border with a working screen within the border. The first few pixels of the character that should be on the left edge are actually on the right edge. That is the first character of the line is split on the right and left edge. The "xorg.conf" configuration file is the same in FC3 and FC4. So for the moment I am perplexed. The hardware is the same and the configuration file is the same. I have appended the configuration file. Any suggestions would be most welcome. (I have installed all the updates as of June 25 2005. I can't execute system-config-display from the console in that I get a white screen. Was unable to locate xorgcfg or xorgsetup in Fedora as mentioned on the x.org site.) 
=====================================================================
# XFree86 4 configuration created by pyxf86config

Section "ServerLayout"
    Identifier     "Default Layout"
    Screen      0  "Screen0" 0 0
    InputDevice    "Mouse0" "CorePointer"
    InputDevice    "Keyboard0" "CoreKeyboard"
EndSection

Section "Files"
# RgbPath is the location of the RGB database.  Note, this is the name of the
# file minus the extension (like ".txt" or ".db").  There is normally
# no need to change the default.
# Multiple FontPath entries are allowed (they are concatenated together)
# By default, Red Hat 6.0 and later now use a font server independent of
# the X server to render fonts.
    RgbPath      "/usr/X11R6/lib/X11/rgb"
    FontPath     "unix/:7100"
EndSection

Section "Module"
    Load  "dbe"
    Load  "extmod"
    Load  "fbdevhw"
    Load  "glx"
    Load  "record"
    Load  "freetype"
    Load  "type1"
    Load  "dri"
EndSection

Section "InputDevice"
# Specify which keyboard LEDs can be user-controlled (eg, with xset(1))
#   Option  "Xleds"     "1 2 3"
# To disable the XKEYBOARD extension, uncomment XkbDisable.
#   Option  "XkbDisable"
# To customise the XKB settings to suit your keyboard, modify the
# lines below (which are the defaults).  For example, for a non-U.S.
# keyboard, you will probably want to use:
#   Option  "XkbModel"  "pc102"
# If you have a US Microsoft Natural keyboard, you can use:
#   Option  "XkbModel"  "microsoft"
#
# Then to change the language, change the Layout setting.
# For example, a german layout can be obtained with:
#   Option  "XkbLayout" "de"
# or:
#   Option  "XkbLayout" "de"
#   Option  "XkbVariant"    "nodeadkeys"
#
# If you'd like to switch the positions of your capslock and
# control keys, use:
#   Option  "XkbOptions"    "ctrl:swapcaps"
# Or if you just want both to be control, use:
#   Option  "XkbOptions"    "ctrl:nocaps"
#
    Identifier  "Keyboard0"
    Driver      "kbd"
    Option      "XkbModel" "pc105"
    Option      "XkbLayout" "us"
EndSection

Section "InputDevice"
    Identifier  "Mouse0"
    Driver      "mouse"
    Option      "Protocol" "IMPS/2"
    Option      "Device" "/dev/input/mice"
    Option      "ZAxisMapping" "4 5"
    Option      "Emulate3Buttons" "yes"
EndSection

Section "Monitor"
    Identifier   "Monitor0"
    VendorName   "Monitor Vendor"
    ModelName    "Sony CPD-200SF"
    DisplaySize  330 240
    HorizSync    30.0 - 80.0
    VertRefresh  50.0 - 120.0
    Option       "dpms"
EndSection

Section "Device"
    Identifier  "Videocard0"
    Driver      "trident"
    VendorName  "Videocard vendor"
    BoardName   "Trident CyberBlade (generic)"
EndSection

Section "Screen"
    Identifier "Screen0"
    Device     "Videocard0"
    Monitor    "Monitor0"
    DefaultDepth     24
    SubSection "Display"
        Viewport   0 0
        Depth     16
        Modes    "800x600" "640x480"
    EndSubSection
    SubSection "Display"
        Viewport   0 0
        Depth     24
        Modes    "1024x768" "800x600" "640x480"
    EndSubSection
EndSection

Section "DRI"
    Group        0
    Mode         0666
EndSection
From james.zheng.li at gmail.com Sun Jun 26 04:39:47 2005
From: james.zheng.li at gmail.com (James Z. Li) Date: Sun, 26 Jun 2005 00:39:47 -0400 Subject: SELINUX with APACHE and PHPBB In-Reply-To: <42BAB283.4030603@conticars.be> References: <42BAB283.4030603@conticars.be> Message-ID: <8a239a56050625213973d93d5a@mail.gmail.com>
Hi,

I am also working on an SELinux policy for Gallery 1.5 (gallery.menalto.com). I have not finished yet. Some guy posted a solution for this Gallery under the FC3 targeted policy. You may find it helpful for your configuration.

http://gallery.menalto.com/modules.php?op=modload&name=GalleryDocs&file=index&page=gallery1-install.unix-shell.php

See User Contributed Notes by "macemoneta".

James

On 6/23/05, Tiziano Demaria wrote:
> hello
>
> I'm new, my name is Tiziano
>
> I've Fedora Core 3 with SELINUX and Apache 2.0.52.
>
> I've installed the PHPBB forum and COPPERMINE PHOTO GALLERY on my website.
> With SELINUX activated, I'm NOT able to upload images (avatar in phpbb and
> photos in the Coppermine), while with SELINUX deactivated, I'm able to do
> that.
>
> Now...I ask how to be able to upload images, in phpbb forum and coppermine,
> with SELINUX ACTIVATED...Could you help me please ?
>
> Thank you very much
>
> Tiziano
From james.zheng.li at gmail.com Sun Jun 26 05:13:21 2005
From: james.zheng.li at gmail.com (James Z. Li) Date: Sun, 26 Jun 2005 01:13:21 -0400 Subject: Big brother and httpd In-Reply-To: References: Message-ID: <8a239a56050625221315d0bcb0@mail.gmail.com>
How did you relabel bb.html and bb2.html? Did you change the apache.fc file to label the files and dirs under /home/bb/bb/www, followed by "make load" and then "setfiles" / "restorecon"?

James

On 6/25/05, Tom Diehl wrote:
> Hi,
>
> I am trying to get Big Brother working on EL4. I have the following in
> the httpd.conf
>
> Alias /bb /home/bb/bb/www
>
> With SELinux enabled I get the following in the logs when I try to access
> the BB web page:
> Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { search } for pid=20700 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
> Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { getattr } for pid=20700 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
> Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { search } for pid=23158 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
> Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { getattr } for pid=23158 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
>
> If I disable SELinux for apache, I can access the BB web pages just fine.
>
> I relabeled /home/bb/bb/www but I still get the errors.
> > (pocono pts31) # ll -Z ~bb/bb/www > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-ack.sh > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-hist.sh > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-histlog.sh > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-hostsvc.sh > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-rep.sh > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-replog.sh > -rw-rw-r-- bb bb user_u:object_r:user_home_t bb.html > -rw-rw-r-- bb bb user_u:object_r:user_home_t bb2.html > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t gifs > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t help > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t html > -rw-r--r-- bb bb root:object_r:httpd_sys_content_t index.html > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t newbldg > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t notes > drwxrwxr-x bb apache root:object_r:httpd_sys_content_t rep > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t reynolds > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t rogueind > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t routers > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t xo > (pocono pts31) # > > I tried relabeling bb.html and bb2.html but they keep reverting to > user_u:object_r:user_home_t. I suspect this is my problem but I am new > to SELinux so I am not sure. > > Can someone suggest how to fix this?? > > Regards, > > Tom Diehl tdiehl at rogueind.com Spamtrap address mtd123 at rogueind.com > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > From ivg2 at cornell.edu Sun Jun 26 05:59:49 2005 
From: ivg2 at cornell.edu (Ivan Gyurdiev) Date: Sun, 26 Jun 2005 01:59:49 -0400 Subject: Big brother and httpd In-Reply-To: <8a239a56050625221315d0bcb0@mail.gmail.com> References: <8a239a56050625221315d0bcb0@mail.gmail.com> Message-ID: <1119765589.15190.4.camel@localhost.localdomain> On Sun, 2005-06-26 at 01:13 -0400, James Z. Li wrote: > How did u relabel bb.html and bb2.html? > Did you change the apache.fc file to label the files and dirs > under /home/bb/bb/www, followed by "make load" and > then "setfiles" / "restorecon"? It should not be necessary to change policy to label httpd content, as this type is marked customizable (therefore it survives a restorecon). Can you check and make sure /home/bb/bb/www is marked httpd_*_content_t, and not user_home_t... From tdiehl at rogueind.com Sun Jun 26 12:35:57 2005 
From: tdiehl at rogueind.com (Tom Diehl) Date: Sun, 26 Jun 2005 08:35:57 -0400 (EDT) Subject: Big brother and httpd In-Reply-To: <8a239a56050625221315d0bcb0@mail.gmail.com> References: <8a239a56050625221315d0bcb0@mail.gmail.com> Message-ID: On Sun, 26 Jun 2005, James Z. Li wrote: > > On 6/25/05, Tom Diehl wrote: > > Hi, > > > > I am trying to get Big Brother working on EL4. I have the following in > > the httpd.conf > > > > Alias /bb /home/bb/bb/www > > > > With SELinux enabled I get the following in the logs when I try to access > > the BB web page > > : > > Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { search } for pid=20700 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir > > Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { getattr } for pid=20700 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir > > Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { search } for pid=23158 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir > > Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { getattr } for pid=23158 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir > > > > If I disable SELinux for apache, I can access the BB web pages just fine. > > > > I relabeled /home/bb/bb/www but I still get the errors. 
> > > > (pocono pts31) # ll -Z ~bb/bb/www > > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-ack.sh > > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-hist.sh > > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-histlog.sh > > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-hostsvc.sh > > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-rep.sh > > -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-replog.sh > > -rw-rw-r-- bb bb user_u:object_r:user_home_t bb.html > > -rw-rw-r-- bb bb user_u:object_r:user_home_t bb2.html > > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t gifs > > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t help > > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t html > > -rw-r--r-- bb bb root:object_r:httpd_sys_content_t index.html > > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t newbldg > > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t notes > > drwxrwxr-x bb apache root:object_r:httpd_sys_content_t rep > > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t reynolds > > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t rogueind > > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t routers > > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t xo > > (pocono pts31) # > > > > I tried relabeling bb.html and bb2.html but they keep reverting to > > user_u:object_r:user_home_t. I suspect this is my problem but I am new > > to SELinux so I am not sure. > > > > Can someone suggest how to fix this?? > How did u relabel bb.html and bb2.html? > Did you change the apache.fc file to label the files and dirs > under /home/bb/bb/www, followed by "make load" and > then "setfiles" / "restorecon"? No, I did the following: "chcon -R -h -t httpd_sys_content_t www" I also tried "chcon -t httpd_sys_content_t bb.html" I do not seem to have an apache.fc file. Regards, Tom Diehl tdiehl at rogueind.com Spamtrap address mtd123 at rogueind.com From tdiehl at rogueind.com Sun Jun 26 12:42:18 2005 
From: tdiehl at rogueind.com (Tom Diehl) Date: Sun, 26 Jun 2005 08:42:18 -0400 (EDT) Subject: Big brother and httpd In-Reply-To: <1119765589.15190.4.camel@localhost.localdomain> References: <8a239a56050625221315d0bcb0@mail.gmail.com> <1119765589.15190.4.camel@localhost.localdomain> Message-ID:
On Sun, 26 Jun 2005, Ivan Gyurdiev wrote:
> On Sun, 2005-06-26 at 01:13 -0400, James Z. Li wrote:
> > How did you relabel bb.html and bb2.html?
> > Did you change the apache.fc file to label the files and dirs
> > under /home/bb/bb/www, followed by "make load" and
> > then "setfiles" / "restorecon"?
>
> It should not be necessary to change policy to
> label httpd content, as this type is marked customizable
> (therefore it survives a restorecon).
>
> Can you check and make sure /home/bb/bb/www is marked
> httpd_*_content_t, and not user_home_t...

(pocono pts16) # la -Z /home/bb/bb/www
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t .
drwxr-xr-x  bb  bb  root:object_r:user_home_t         ..
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-ack.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-hist.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-histlog.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-hostsvc.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-rep.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-replog.sh
-rw-rw-r--  bb  bb  user_u:object_r:user_home_t       bb.html
-rw-rw-r--  bb  bb  user_u:object_r:user_home_t       bb2.html
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t gifs
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t help
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t html
-rw-r--r--  bb  bb  root:object_r:httpd_sys_content_t index.html
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t newbldg
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t notes
drwxrwxr-x  bb  apache  root:object_r:httpd_sys_content_t rep
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t reynolds
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t rogueind
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t routers
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t xo
(pocono pts16) #

The bb.html and bb2.html files are created every time bb polls the machines (every 5 minutes). I have tried doing chcon -t httpd_sys_content_t bb?.html on them but they always change back. Do I have to do something with the bb daemon itself?

Here is how the binaries are labeled:

(pocono pts16) # la -Z /home/bb/bb/bin
drwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t .
drwxr-xr-x  bb  bb  root:object_r:user_home_t         ..
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-combo.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-display.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-mailack.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-network.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bb-ping.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bbd
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bbmv
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bbmv.DIST
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bbnet
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bbprune
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bbprune.DIST
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bbrm
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bbrm.DIST
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bbrun
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t bbstat
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t dumphostsvc
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t getipaddr
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t getipaddr.sh
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t sendmsg
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t sendsms
-rwxr-xr-x  bb  bb  root:object_r:httpd_sys_content_t touchtime
(pocono pts16) #

Regards,

Tom Diehl tdiehl at rogueind.com Spamtrap address mtd123 at rogueind.com
From james.zheng.li at
gmail.com Sun Jun 26 17:53:47 2005 From: james.zheng.li at gmail.com (James Z. Li) Date: Sun, 26 Jun 2005 13:53:47 -0400 Subject: where is ping.te in targeted policy FC4 Message-ID: <8a239a560506261053368a347e@mail.gmail.com>
Hi all,

I just installed FC4. In the strict policy, both ping.te and ping.fc exist. However, in the targeted policy I also find a ping.fc file, which labels the ping binaries as type ping_exec_t. Since there is no ping.te file, where is ping_exec_t defined?

Thanks,
James

From ivg2 at cornell.edu Sun Jun 26 20:40:57 2005 From: ivg2 at cornell.edu (Ivan Gyurdiev) Date: Sun, 26 Jun 2005 16:40:57 -0400 Subject: Big brother and httpd In-Reply-To: References: <8a239a56050625221315d0bcb0@mail.gmail.com> <1119765589.15190.4.camel@localhost.localdomain> Message-ID: <1119818457.3957.1.camel@localhost.localdomain>
> The bb.html and bb2.html files are created every time bb polls the
> machines (every 5 minutes). I have tried doing
> chcon -t httpd_sys_content_t bb?.html on them but they always change back.

Are you sure they're not stored somewhere else, and then copied into the directory?

-- Ivan Gyurdiev Cornell University
From ivg2 at cornell.edu Sun Jun 26 20:44:41 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev) Date: Sun, 26 Jun 2005 16:44:41 -0400 Subject: Big brother and httpd In-Reply-To: <1119818457.3957.1.camel@localhost.localdomain> References: <8a239a56050625221315d0bcb0@mail.gmail.com> <1119765589.15190.4.camel@localhost.localdomain> <1119818457.3957.1.camel@localhost.localdomain> Message-ID: <1119818681.3995.1.camel@localhost.localdomain> On Sun, 2005-06-26 at 16:41 -0400, Ivan Gyurdiev wrote: > > > > The bb.html and bb2.html files are created every time bb polls the > > machines (every 5 minutes). I have tried doing > > chcon -t httpd_sys_content_t bb?.html on them but they always change back. > > Are you sure they're not stored somewhere else, > and then copied into the directory? Or rather...moved there. Also, what exactly is Big Brother, and what process context does it run under? -- Ivan Gyurdiev Cornell University From tdiehl at rogueind.com Mon Jun 27 01:34:39 2005 
From: tdiehl at rogueind.com (Tom Diehl) Date: Sun, 26 Jun 2005 21:34:39 -0400 (EDT) Subject: Big brother and httpd In-Reply-To: <1119818681.3995.1.camel@localhost.localdomain> References: <8a239a56050625221315d0bcb0@mail.gmail.com> <1119765589.15190.4.camel@localhost.localdomain> <1119818457.3957.1.camel@localhost.localdomain> <1119818681.3995.1.camel@localhost.localdomain> Message-ID:
On Sun, 26 Jun 2005, Ivan Gyurdiev wrote:
> On Sun, 2005-06-26 at 16:41 -0400, Ivan Gyurdiev wrote:
> > > The bb.html and bb2.html files are created every time bb polls the
> > > machines (every 5 minutes). I have tried doing
> > > chcon -t httpd_sys_content_t bb?.html on them but they always change back.
> >
> > Are you sure they're not stored somewhere else,
> > and then copied into the directory?
>
> Or rather...moved there.

Not 100% sure but I do not think so. I will investigate that possibility further.

> Also, what exactly is Big Brother, and what

It is a system and network monitoring tool. I am using the BTF version.

> process context does it run under?

Not sure. How can I tell? It runs as a user called bb. So I guess its context is whatever normal users run under.

Tom Diehl tdiehl at rogueind.com Spamtrap address mtd123 at rogueind.com
From adrier at acm.org Mon Jun 27 02:00:32 2005
From: adrier at acm.org (Abe Drier) Date: Sun, 26 Jun 2005 22:00:32 -0400 Subject: Problem encountered with x-windows in Fedora FC4 In-Reply-To: <1119755315.4227.24.camel@acs.name> References: <1119755315.4227.24.camel@acs.name> Message-ID: <1119837632.4316.12.camel@acs.name>
After searching on the web, I discovered a work-around by setting the driver in the xorg.conf to "vesa". The only problem with this work-around is that it seems the display may be limited to 800 by 600. Thanks to all the people on the net.

On Sat, 2005-06-25 at 23:08 -0400, Abe Drier wrote:
> I'll begin by mentioning my system works fine under FC3. I currently
> have a dual boot system with FC3 and FC4.
>
> Trying to do the clean FC4 install using the windowing option resulted
> in a white screen. Retried the installation in text mode and the
> installation completed successfully. When the system booted, post
> installation, the same white screen reappeared.
>
> Rebooted with "init 3" to come up in text mode. Only one anomaly was
> noted. About every fifth keyboard entry results in the appearance of
> one white square character in the center of the screen that lasts for
> one keystroke.
>
> Tried "startx" and was confronted with the white screen. Switching to a
> virtual console results in a confused mess of blue and gray box
> characters. Can log in successfully after which the screen has a blue
> border with a working screen within the border. The first few pixels of
> the character that should be on the left edge are actually on the right
> edge. That is the first character of the line is split on the right and
> left edge.
>
> The "xorg.conf" configuration file is the same in FC3 and FC4. So for
> the moment I am perplexed. The hardware is the same and the
> configuration file is the same. I have appended the configuration file.
>
> Any suggestions would be most welcome.
>
> (I have installed all the updates as of June 25 2005.
I can't execute > system-config-display from the console in that I get a white screen. > Was unable to locate xorgcfg or xorgsetup in Fedora as mentioned on the > x.org site.) From russell at coker.com.au Mon Jun 27 03:05:32 2005 From: russell at coker.com.au (Russell Coker) Date: Mon, 27 Jun 2005 13:05:32 +1000 Subject: Big brother and httpd In-Reply-To: References: <1119765589.15190.4.camel@localhost.localdomain> Message-ID: <200506271305.35259.russell@coker.com.au> On Sunday 26 June 2005 22:42, Tom Diehl wrote: > > Can you check and make sure /home/bb/bb/www is marked > > httpd_*_content_t, and not user_home_t... > > (pocono pts16) # la -Z /home/bb/bb/www > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t . > drwxr-xr-x bb bb root:object_r:user_home_t .. [...] > The bb.html and bb2.html files are created every time bb polls the > machines (every 5 minutes). I have tried doing > chcon -t httpd_sys_content_t bb?.html on them but they always change back. Those files are apparently created somewhere else, maybe /home/bb/bb? Maybe if you run your chcon -R operation on /home/bb the results will be better. A change to bb might help. You could either have it create the files in an appropriate directory that has the desired label or have it chcon them after creation (but before moving). How is the bb program run? Is it a daemon or a cron job? There has been some work on getting NAGIOS running under SE Linux. It seems that NAGIOS is the leading product in this area. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From russell at coker.com.au Mon Jun 27 03:14:35 2005 
From: russell at coker.com.au (Russell Coker) Date: Mon, 27 Jun 2005 13:14:35 +1000 Subject: FC4: losetup does not work anymore In-Reply-To: <42B1D281.1080602@hoelldampf.net> References: <42B1D281.1080602@hoelldampf.net> Message-ID: <200506271314.38781.russell@coker.com.au> On Friday 17 June 2005 05:26, Stefan Hoelldampf wrote: > after the FC3->FC4 upgrade losetup does not work anymore: > > # losetup /dev/loop0 test.img > audit(1118949662.609:50): avc: denied { search } for pid=24032 > comm="losetup" name=root dev=dm-0 ino=1775393 > scontext=root:system_r:fsadm_t tcontext=root:object_r:user_home_dir_t > tclass=dir > loop: can't open device test.img: Permission denied In the strict policy it's always been this way. Probably the correct solution is to have losetup policy and not have it run as fsadm_t. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From fedora at transposed.org Mon Jun 27 11:15:43 2005 
From: fedora at transposed.org (Alex Charrett) Date: Mon, 27 Jun 2005 12:15:43 +0100 (BST) Subject: dhcpd with selinux-policy-targeted-1.17.30-3.9 in FC3 In-Reply-To: <1119656414.32167.3.camel@localhost.localdomain> References: <1119656414.32167.3.camel@localhost.localdomain> Message-ID:
On Fri, 24 Jun 2005, Ivan Gyurdiev wrote:
>> audit(1119637866.872:0): avc: denied { name_bind } for pid=3842
>> exe=/usr/sbin/dhcpd src=67 scontext=root:system_r:dhcpd_t
>> tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
>
> This was fixed in rawhide strict, and possibly targeted,
> but I guess the fix hasn't been pushed to updates.

Hi,

This morning I've updated to the newly released selinux-policy-targeted-1.17.30-3.13. This seems to have resolved the above error, but now I'm getting denied access to the leases file:

audit(1119870654.402:0): avc: denied { read } for pid=3242 exe=/usr/sbin/dhcpd name=dhcpd.leases dev=md1 ino=476194 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file

The line referring to dhcp.leases in /etc/selinux/targeted/contexts/files/file_contexts looks like it should work ok:

/var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t

Any more ideas?

Cheers,

Alex.
From dwalsh at redhat.com Mon Jun 27 11:34:46 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 27 Jun 2005 07:34:46 -0400 Subject: Big brother and httpd In-Reply-To: <200506271305.35259.russell@coker.com.au> References: <1119765589.15190.4.camel@localhost.localdomain> <200506271305.35259.russell@coker.com.au> Message-ID: <42BFE456.5080007@redhat.com> Russell Coker wrote: >On Sunday 26 June 2005 22:42, Tom Diehl wrote: > > >>>Can you check and make sure /home/bb/bb/www is marked >>>httpd_*_content_t, and not user_home_t... >>> >>> >>(pocono pts16) # la -Z /home/bb/bb/www >>drwxr-xr-x bb bb root:object_r:httpd_sys_content_t . >>drwxr-xr-x bb bb root:object_r:user_home_t .. >> >> >[...] > > >>The bb.html and bb2.html files are created every time bb polls the >>machines (every 5 minutes). I have tried doing >>chcon -t httpd_sys_content_t bb?.html on them but they always change back. >> >> > >Those files are apparently created somewhere else, maybe /home/bb/bb? Maybe >if you run your chcon -R operation on /home/bb the results will be better. > >A change to bb might help. You could either have it create the files in an >appropriate directory that has the desired label or have it chcon them after >creation (but before moving). How is the bb program run? Is it a daemon or >a cron job? > >There has been some work on getting NAGIOS running under SE Linux. It seems >that NAGIOS is the leading product in this area. > > > Can you change the program to cp the files rather than mv them? That would allow it to get the right context. -- From ivg2 at cornell.edu Mon Jun 27 11:46:55 2005 
From: ivg2 at cornell.edu (Ivan Gyurdiev) Date: Mon, 27 Jun 2005 07:46:55 -0400 Subject: dhcpd with selinux-policy-targeted-1.17.30-3.9 in FC3 In-Reply-To: References: <1119656414.32167.3.camel@localhost.localdomain> Message-ID: <1119872815.12716.5.camel@localhost.localdomain> > The line referring to dhcp.leases in > /etc/selinux/targeted/contexts/files/file_contexts looks like it should > work ok: > /var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t You can run matchpathcon or restorecon to find out if this is a labeling problem or not. matchpathcon will show you if the regexp is working, and restorecon will actually change it to the context that matches the regexp. Strangely, on my machine the entire folder is labeled dhcp_state_t, with no dhcpd_state_t... (but this is strict policy rawhide). -- Ivan Gyurdiev Cornell University From dwalsh at redhat.com Mon Jun 27 11:52:50 2005 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 27 Jun 2005 07:52:50 -0400 Subject: problem connecting to a sql server (httpd / php / freetds ) In-Reply-To: <1119622944.20200.1.camel@nexus.verbum.private> References: <42BBBD1E.5070106@scasinet.com> <1119616225.12865.67.camel@moss-spartans.epoch.ncsc.mil> <42BC057E.8000804@scasinet.com> <1119618462.12865.69.camel@moss-spartans.epoch.ncsc.mil> <42BC09A3.3050207@scasinet.com> <1119622944.20200.1.camel@nexus.verbum.private> Message-ID: <42BFE892.3010103@redhat.com> Colin Walters wrote: >On Fri, 2005-06-24 at 15:24 +0200, Riccardo Penco wrote: > > >>Stephen Smalley ha scritto: >> >> >>>On Fri, 2005-06-24 at 15:07 +0200, Riccardo Penco wrote: >>> >>>Yes. /usr/sbin/setsebool -P httpd_can_network_connect=1 >>> >>> >>> >>OK It works!! >> >>Now ... how can I make it permanent so that httpd_can_network_connect=1 >>after a reboot? >> >> > >-P means permanent, so the boolean should remain set after reboot. > >-- >fedora-selinux-list mailing list >fedora-selinux-list at redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > BTW... man httpd_selinux explains most of httpd booleans. -- From russell at coker.com.au Mon Jun 27 11:48:14 2005 
From: russell at coker.com.au (Russell Coker) Date: Mon, 27 Jun 2005 21:48:14 +1000 Subject: Big brother and httpd In-Reply-To: <42BFE456.5080007@redhat.com> References: <200506271305.35259.russell@coker.com.au> <42BFE456.5080007@redhat.com> Message-ID: <200506272148.18720.russell@coker.com.au> On Monday 27 June 2005 21:34, Daniel J Walsh wrote: > Can you change the program to cp the files rather than mv them? That > would allow it to get the > right context. cp is not an atomic operation, so that probably wouldn't be a good idea. BB could create the file in the target directory but I guess that it's been intentionally written to not do so to give an atomic replacement of the old version. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From sds at tycho.nsa.gov Mon Jun 27 12:59:26 2005 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 27 Jun 2005 08:59:26 -0400 Subject: Deleting file contexts In-Reply-To: References: Message-ID: <1119877166.32316.17.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2005-06-24 at 09:42 -0500, Robert Nichols wrote: > I'm running with selinux=0 and would like to delete the no longer > updated security contexts from my file systems. Is there a way to > do that short of mke2fs + restore from backup? find / -exec setfattr -x security.selinux {} \; You might want to further qualify the find statement to avoid noise on filesystems that don't support security contexts, e.g. find / \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -exec setfattr -x security.selinux {} \; -- Stephen Smalley National Security Agency From dragoran at feuerpokemon.de Mon Jun 27 13:11:23 2005 
From: dragoran at feuerpokemon.de (dragoran) Date: Mon, 27 Jun 2005 15:11:23 +0200 Subject: hal+selinux problems Message-ID: <42BFFAFB.7040105@feuerpokemon.de> I have a very strange problem: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161781 in dmesg I see: kernel: audit(1119866301.866:4): avc: denied { write } for pid=3389 comm="hald" name=[25057] dev=pipefs ino=25057 scontext=root:system_r:hald_t tcontext=root:system_r:unconfined_t tclass=fifo_file I am running FC4 + latest targeted policy. I also tried to relabel but nothing seems to help. From i.pilcher at comcast.net Mon Jun 27 13:19:33 2005 From: i.pilcher at comcast.net (Ian Pilcher) Date: Mon, 27 Jun 2005 08:19:33 -0500 Subject: Bug 160292 (cups-lpd) - back in 1.23.18-16? Message-ID: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160292 says that this bug is fixed in selinux-policy-targeted-1.23.18-12. I'm running 1.23.18-16 (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161383) and this bug is definitely present. I've tried futzing with cupsd_lpd_disable_trans and cupsd_config_disable_trans to no avail. (Are these documented anywhere?) Am I nuts? -- ======================================================================== Ian Pilcher i.pilcher at comcast.net ======================================================================== From tdiehl at rogueind.com Mon Jun 27 13:23:30 2005 
From: tdiehl at rogueind.com (Tom Diehl) Date: Mon, 27 Jun 2005 09:23:30 -0400 (EDT) Subject: Big brother and httpd In-Reply-To: <200506271305.35259.russell@coker.com.au> References: <1119765589.15190.4.camel@localhost.localdomain> <200506271305.35259.russell@coker.com.au> Message-ID: On Mon, 27 Jun 2005, Russell Coker wrote: > On Sunday 26 June 2005 22:42, Tom Diehl wrote: > > > Can you check and make sure /home/bb/bb/www is marked > > > httpd_*_content_t, and not user_home_t... > > > > (pocono pts16) # la -Z /home/bb/bb/www > > drwxr-xr-x bb bb root:object_r:httpd_sys_content_t . > > drwxr-xr-x bb bb root:object_r:user_home_t .. > [...] > > The bb.html and bb2.html files are created every time bb polls the > > machines (every 5 minutes). I have tried doing > > chcon -t httpd_sys_content_t bb?.html on them but they always change back. > > Those files are apparently created somewhere else, maybe /home/bb/bb? Maybe > if you run your chcon -R operation on /home/bb the results will be better. The whole bb structure lives inside of /home/bb/bb so I just tried chcon -R on it and no joy. selinux will not even allow bb to start. 
here are a few of the avc messages: Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc: denied { read write } for pid=6955 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc: denied { read write } for pid=6955 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file Jun 27 09:05:18 pocono last message repeated 2 times Jun 27 09:05:18 pocono kernel: audit(1119877518.722:0): avc: denied { execute_no_trans } for pid=7010 comm=nohup path=/home/bb/bbc1.9f-btf/bin/bbrun dev=dm-1 ino=6407895 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc: denied { read write } for pid=7012 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc: denied { read write } for pid=7012 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file Jun 27 09:05:21 pocono last message repeated 2 times Jun 27 09:05:21 pocono kernel: audit(1119877521.716:0): avc: denied { execute_no_trans } for pid=7064 comm=runbb.sh path=/home/bb/bb1.9f-btf/bin/bbd dev=dm-1 ino=6407874 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc: denied { getattr } for pid=7067 comm=ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc: denied { getattr } for pid=7067 comm=ps path=/proc/2 dev=proc ino=131074 
scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc: denied { getattr } for pid=7067 comm=ps path=/proc/3 dev=proc ino=196610 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir ... > A change to bb might help. You could either have it create the files in an > appropriate directory that has the desired label or have it chcon them after > creation (but before moving). How is the bb program run? Is it a daemon or > a cron job? Daemon. It has a master daemon that calls the helper programs and shell scripts periodically to poll the systems and generate the web pages. > There has been some work on getting NAGIOS running under SE Linux. It seems > that NAGIOS is the leading product in this area. I agree except that IMO the user interface for bb is so much nicer for non-technical people to grok (green is good, red is bad, etc.). The real problem with bb is that it was bought out by Quest software several years ago and development on the free version has all but stopped. They only provide minor fixes for it approx once a year. Regards, Tom Diehl tdiehl at rogueind.com Spamtrap address mtd123 at rogueind.com From ivg2 at cornell.edu Mon Jun 27 13:34:37 2005 
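An added example, not code from Big Brother or from anyone on this list, of the approach Russell Coker describes earlier in this thread: create the page inside the target directory and rename it into place. A new file gets the label a new file in that directory gets (the parent's type, unless a type_transition rule says otherwise), so a page born in /home/bb/bb/www is httpd_sys_content_t from the start, and a rename() within one directory keeps the replacement atomic, which is what cp would have given up. Path and page content are made up for the demo.

```python
"""Create the generated page inside its destination directory and rename it
into place.  Added example (not BB's code); destination path and content are
made up for the demo."""
import os
import tempfile


def atomic_write(dest_path: str, data: bytes, mode: int = 0o644) -> str:
    """Replace dest_path with data atomically.

    The temporary file is created in dest_path's own directory, so it is
    labelled the way any new file in that directory is labelled, and
    os.replace() is an atomic rename(2) on the same filesystem: readers see
    either the old page or the complete new one, never a partial file and
    never a file still carrying the label of /tmp or wherever else it might
    have been written first (which is what mv from elsewhere does).
    """
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())        # contents durable before the rename
        os.chmod(tmp_path, mode)         # mkstemp() creates the file 0600
        os.replace(tmp_path, dest_path)  # atomic within one directory
    except BaseException:
        try:
            os.unlink(tmp_path)          # never leave a half-written temp file
        except FileNotFoundError:
            pass
        raise
    dir_fd = os.open(dest_dir, os.O_RDONLY)  # make the new directory entry durable too
    try:
        os.fsync(dir_fd)
    finally:
        os.close(dir_fd)
    return dest_path


def demo() -> tuple:
    """Write bb.html twice, as the poller does every five minutes, in a
    throwaway directory; return (final content, number of leftover temp files)."""
    with tempfile.TemporaryDirectory() as www:
        page = os.path.join(www, "bb.html")
        atomic_write(page, b"<html>all green</html>\n")
        atomic_write(page, b"<html>one red</html>\n")
        with open(page, "rb") as fh:
            content = fh.read()
        leftovers = [n for n in os.listdir(www) if n.startswith(".tmp-")]
    return content, len(leftovers)


if __name__ == "__main__":
    print(demo())
```

The same pattern is what you want for any generated artifact that lands in a labelled directory (web content, leases, state files): the label follows where the inode was created, not where it ends up, so create it where it ends up.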
From: ivg2 at cornell.edu (Ivan Gyurdiev) Date: Mon, 27 Jun 2005 09:34:37 -0400 Subject: Big brother and httpd In-Reply-To: References: <1119765589.15190.4.camel@localhost.localdomain> <200506271305.35259.russell@coker.com.au> Message-ID: <1119879278.12040.18.camel@celtics.boston.redhat.com> > Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc: denied { read write } for pid=6955 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file > Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc: denied { read write } for pid=6955 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file > Jun 27 09:05:18 pocono last message repeated 2 times runbb.sh is now run as an http script (because you changed its context). As such, it is not allowed to write to the terminal (because web scripts shouldn't be writing to the terminal). > Jun 27 09:05:18 pocono kernel: audit(1119877518.722:0): avc: denied { execute_no_trans } for pid=7010 comm=nohup path=/home/bb/bbc1.9f-btf/bin/bbrun dev=dm-1 ino=6407895 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file Here you have a script trying to execute something marked as content, so it makes sense that it's denied. > Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc: denied { read write } for pid=7012 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file > Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc: denied { read write } for pid=7012 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file > Jun 27 09:05:21 pocono last message repeated 2 times More of the same... 
> Jun 27 09:05:21 pocono kernel: audit(1119877521.716:0): avc: denied { execute_no_trans } for pid=7064 comm=runbb.sh path=/home/bb/bb1.9f-btf/bin/bbd dev=dm-1 ino=6407874 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file Same problem here. > Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc: denied { getattr } for pid=7067 comm=ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir > Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc: denied { getattr } for pid=7067 comm=ps path=/proc/2 dev=proc ino=131074 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir > Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc: denied { getattr } for pid=7067 comm=ps path=/proc/3 dev=proc ino=196610 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir > ... Looks like it's trying to run ps, and gets denials because it's not allowed to gain information about things running in unconfined_t. That sounds legit to me - I don't see why it should be allowed. From sds at tycho.nsa.gov Mon Jun 27 13:49:38 2005 
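An added example, not from anyone on the list and not audit2allow, of the triage Ivan does by hand above, run over log lines constructed in the shape of the denials quoted in this archive (the Big Brother devpts, execute_no_trans and /proc lines, the dhcpd leases line, and an execmod line). It splits each avc record into fields, then sorts denials into three bins: the target has no real label (file_t, or default_t; that is a restorecon job and must never become an allow rule, or the domain gains every unlabelled file on the box), the permission is execmod (a library question, not a policy one), or it is a genuine policy decision to investigate. The allow rules it prints at the end are the ones audit2allow would derive and are for reading, not loading: as Ivan says, the devpts and /proc denials are correct behaviour.

```python
"""Triage SELinux AVC denials from syslog/dmesg lines.  Added example, not a
Fedora or NSA tool; the log lines below are constructed in the shape of the
denials quoted in this archive."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc: denied { read write } for pid=6955 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Jun 27 09:05:18 pocono kernel: audit(1119877518.722:0): avc: denied { execute_no_trans } for pid=7010 comm=nohup path=/home/bb/bbc1.9f-btf/bin/bbrun dev=dm-1 ino=6407895 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file
Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc: denied { getattr } for pid=7067 comm=ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
audit(1119870654.402:0): avc: denied { read } for pid=3242 exe=/usr/sbin/dhcpd name=dhcpd.leases dev=md1 ino=476194 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file
Jun 27 14:08:44 lucy-01 kernel: audit(1119906524.703:0): avc: denied { execmod } for pid=5410 comm=gpg path=/usr/bin/gpg dev=sdb5 ino=67343 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value; value may be quoted (comm="hald")

# Types an object carries only because policy never labelled it: file_t in
# policies of this vintage, unlabeled_t later.  Fix with restorecon, never
# with an allow rule.
UNLABELLED_TYPES = {"file_t", "default_t", "unlabeled_t"}


def parse_avc(text: str) -> List[Dict]:
    """One dict per AVC record: the key=value fields plus 'result' and a sorted 'perms' list."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                      # not an AVC record
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["result"] = m.group("result")
        rec["perms"] = sorted(m.group("perms").split())
        records.append(rec)
    return records


def ctx_type(context: str) -> str:
    """user:role:type[:level] -> type, the part a type-enforcement rule names."""
    return context.split(":")[2]


def classify(rec: Dict) -> str:
    """'label'   -> target has no real label: relabel, leave policy alone
       'execmod' -> an object with text relocations wants to be re-mapped executable
       'policy'  -> a real policy decision: a boolean, a policy bug, or correct behaviour"""
    if ctx_type(rec["tcontext"]) in UNLABELLED_TYPES:
        return "label"
    if "execmod" in rec["perms"]:
        return "execmod"
    return "policy"


def allow_rules(records: List[Dict]) -> List[str]:
    """Merge denials into the allow rules audit2allow would print.  For reading only."""
    merged = defaultdict(set)
    for rec in records:
        if rec["result"] != "denied":
            continue
        key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"])
        merged[key].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def summarize(text: str) -> Dict[str, int]:
    """Number of records in each triage class."""
    return dict(Counter(classify(r) for r in parse_avc(text)))


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_LOG)
    for r in recs:
        print(f"{classify(r):8} {r.get('comm', r.get('exe', '?'))}: "
              f"{' '.join(r['perms'])} on {ctx_type(r['tcontext'])}:{r['tclass']}")
    print("\n".join(allow_rules(recs)))
```

Feed it `grep avc: /var/log/messages` on FC3, or /var/log/audit/audit.log where auditd is running; the regexp only looks at the avc: part, so the syslog prefix and the audit(...) stamp can both vary.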
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 27 Jun 2005 09:49:38 -0400 Subject: SE Linux lacks proper user notification for security violations In-Reply-To: <200506251321.j5PDLacR004313@turing-police.cc.vt.edu> References: <42BD1468.8030301@ultraviolet.org> <200506251321.j5PDLacR004313@turing-police.cc.vt.edu> Message-ID: <1119880178.32316.34.camel@moss-spartans.epoch.ncsc.mil> On Sat, 2005-06-25 at 09:21 -0400, Valdis.Kletnieks at vt.edu wrote: > If you're not getting a "permission denied", that means that *your* code > failed to check the return code of a syscall and call perror() (or language > equivalent) if needed. To be fair, SELinux will sometimes prevent such error reporting by the application because it will have already closed stdin/stdout/stderr and re-opened them to the null device due to a policy denial on the inherited descriptor at exec time (upon a domain change). Hence, the only safe approach is to log such error reports to a log file (and naturally, to ensure that the application has the necessary permissions to append to the log file). -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Mon Jun 27 14:56:40 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 27 Jun 2005 10:56:40 -0400 Subject: [FC3] kernel panic after selinux-policy-targeted update In-Reply-To: <42C00B99.1060903@dzr-web.com> References: <42C00B99.1060903@dzr-web.com> Message-ID: <1119884200.32316.80.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-06-27 at 15:22 +0100, D. D. Brierton wrote: > I ran sudo yum update today and selinux-policy-targeted was updated > (along with another selinux related package whose name I can't remember) > and immediately my system became unresponsive and I had to do a hard reboot. > > Now I cannot boot into FC3 at all (I'm posting this from Windows). This > is the error I get: > > audit(1119882959.657:0): avc: denied { execmod } for pid=1 comm=init > path=/lib/tls/libc-2.3.5.so dev=hda3 ino=2638668 > scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t > tclass=file > /sbin/init: error while loading shared libraries : /lib/tls/libc.so.6: > cannot apply additional memory protection after relocation: Permission > denied > Kernel panic - not syncing: Attempted to kill init! > > Any suggestions on what to do? > > I know I can boot with selinux=0. After that, what? Attempt to reinstall > selinux? What is your hardware? ppc32 by any chance? execmod has to be allowed to all file types on that platform (or, as in kernel 2.6.12, the check has to be disabled completely for ppc32). /usr/sbin/getsebool allow_execmod shows what? -- Stephen Smalley National Security Agency From apassariello at resalehost.networksolutions.com Mon Jun 27 09:25:10 2005 
From: apassariello at resalehost.networksolutions.com (alberto passariello) Date: Mon, 27 Jun 2005 11:25:10 +0200 Subject: selinux fedora 3 last update breaks some programs Message-ID: <1119864310.4438.90.camel@tiger.byworks.com> I just upgraded my Fedora Core to selinux-policy-targeted-1.17.30-3.13 and a Java application I use now produces this message ... Jun 27 10:23:43 tiger kernel: audit(1119860623.918:0): avc: denied { execmod } for pid=6218 comm=java path=/lib64/tls/libc-2.3.5.so dev=sda2 ino=16780747 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file Acrobat Reader 7 produces this error: Jun 27 11:22:17 tiger kernel: audit(1119864137.180:0): avc: denied { execmod } for pid=18874 comm=acroread path=/lib/tls/libc-2.3.5.so dev=sda2 ino=41946582 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t tclass=file How can I solve the problem? ---------------------------------------- Alberto Passariello Byte Works Sistemi S.r.l. Cisco Systems partner Premier certified Viale Liegi 44, 00198 Roma Tel: +39 6 863.863.22 Fax: +39 6 863.863.23 Email: apassariello at byworks.com ----------------------------------------------- From steve at atc-nycorp.com Mon Jun 27 16:00:39 2005 
From: steve at atc-nycorp.com (Steve Brueckner) Date: Mon, 27 Jun 2005 12:00:39 -0400 Subject: the labeling procedure Message-ID: <60D45469A1AAD311A04C009027B6BF68059142AB@server20.inside.oracorp.com> I'm having some problems with some of my filesystem labeling. I'm running FC3 with the latest SELinux updates (but not rawhide). When I run #make relabel, /home gets labeled as default_t. However, when I run #/sbin/restorecon /home, /home gets labeled as home_root_t. This confuses me, since according to the O'Reilly book both commands refer to /src/policy/file_contexts/file_contexts. Where else might /sbin/restorecon be getting its information from? Furthermore, I notice that /src/policy/file_contexts/file_contexts does not contain the string home_root_t. I suppose that home_root_t comes from the homedir_template file during the Make process, but then why doesn't #make relabel correctly label /home? I also notice that my context/files/file_contexts file is stale. Doing #make relabel or #make reload doesn't update it. Does this file ever get referenced anyway, since all the relabeling utilities seem to use /src/policy/file_contexts/file_contexts instead? If it does get used, who uses it? And how can I be sure it gets updated to match src/policy/file_contexts/file_contexts? Any help in demystifying the file labeling procedure is appreciated! Thanks, Stephen Brueckner, ATC-NY From rnicholsNOSPAM at comcast.net Mon Jun 27 16:01:58 2005 
From: rnicholsNOSPAM at comcast.net (Robert Nichols) Date: Mon, 27 Jun 2005 11:01:58 -0500 Subject: Deleting file contexts In-Reply-To: <1119877166.32316.17.camel@moss-spartans.epoch.ncsc.mil> References: <1119877166.32316.17.camel@moss-spartans.epoch.ncsc.mil> Message-ID: Stephen Smalley wrote: > On Fri, 2005-06-24 at 09:42 -0500, Robert Nichols wrote: > >>I'm running with selinux=0 and would like to delete the no longer >>updated security contexts from my file systems. Is there a way to >>do that short of mke2fs + restore from backup? > > > find / -exec setfattr -x security.selinux {} \; > > You might want to further qualify the find statement to avoid noise on > filesystems that don't support security contexts, e.g. > find / \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) > -exec setfattr -x security.selinux {} \; Thanks. It seems I need to have SELinux enabled temporarily in order to do that, which is why I wasn't having any luck trying to find the way myself. I'll reconsider SELinux when there are some reasonably friendly tools for constructing local policy. About the only place SELinux would benefit me (desktop system providing no externally accessible services) would be to restrict my web browser, and with somewhat nonstandard partitioning (e.g., "mount -o bind /var/home /home") and several widely scattered directories where I like to store stuff, no standardized policy is likely to work for me. -- Bob Nichols Yes, "NOSPAM" is really part of my email address. From sds at tycho.nsa.gov Mon Jun 27 16:09:06 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 27 Jun 2005 12:09:06 -0400 Subject: the labeling procedure In-Reply-To: <60D45469A1AAD311A04C009027B6BF68059142AB@server20.inside.oracorp.com> References: <60D45469A1AAD311A04C009027B6BF68059142AB@server20.inside.oracorp.com> Message-ID: <1119888546.32316.117.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-06-27 at 12:00 -0400, Steve Brueckner wrote: > When I run #make relabel, /home gets labeled as default_t. However, when I > run #/sbin/restorecon /home, /home gets labeled as home_root_t. This > confuses me, since according to the O'Reilly book both commands refer to > /src/policy/file_contexts/file_contexts. Where else might /sbin/restorecon > be getting its information from? restorecon doesn't rely on having policy sources (selinux-policy-targeted-sources) installed. It uses the installed file_contexts configuration created by the policy (selinux-policy-targeted) package. That lives under /etc/selinux/targeted/contexts/files. make relabel is run from the policy sources directory, and thus works from the policy sources. But fixfiles and restorecon are what you would typically use on a production system, and they operate on the installed file. A make install in the policy sources directory should overwrite the installed file with the one built from the sources directory, but it sounds like you shouldn't do that at present, as it sounds as though there is something wrong with your policy sources (or possibly the associated build tools, e.g. genhomedircon from policycoreutils). > I also notice that my context/files/file_contexts file is stale. Doing > #make relabel or #make reload doesn't update it. Does this file ever get > referenced anyway, since all the relabeling utilities seem to use > /src/policy/file_contexts/file_contexts instead? If it does get used, who > uses it? And how can I be sure it gets updated to match > src/policy/file_contexts/file_contexts? 
SELinux utilities don't rely on having the policy sources available, as you likely don't want them on production systems. make relabel is really only for developers, and hardly used at all anymore (it predates having fixfiles and restorecon). -- Stephen Smalley National Security Agency From gyurdiev at redhat.com Mon Jun 27 16:13:41 2005 
From: gyurdiev at redhat.com (Ivan Gyurdiev) Date: Mon, 27 Jun 2005 12:13:41 -0400 Subject: the labeling procedure In-Reply-To: <60D45469A1AAD311A04C009027B6BF68059142AB@server20.inside.oracorp.com> References: <60D45469A1AAD311A04C009027B6BF68059142AB@server20.inside.oracorp.com> Message-ID: <1119888822.25672.19.camel@celtics.boston.redhat.com> > When I run #make relabel, /home gets labeled as default_t. However, when I > run #/sbin/restorecon /home, /home gets labeled as home_root_t. This > confuses me, since according to the O'Reilly book both commands refer to > /src/policy/file_contexts/file_contexts. Where else might /sbin/restorecon > be getting its information from? Not sure, but I thought make relabel skipped /home entirely. > Furthermore, I notice that /src/policy/file_contexts/file_contexts does not > contain the string home_root_t. I suppose that home_root_t comes from the > homedir_template file during the Make process, but then why doesn't #make > relabel correctly label /home? That sounds like a bug, but I'm not seeing the same thing on rawhide. Then again, I run strict policy. home_root_t goes into file_contexts.homedirs (and that gets created from the template) > I also notice that my context/files/file_contexts file is stale. Doing > #make relabel or #make reload doesn't update it. I think that was fixed in rawhide. Try make install? > Does this file ever get > referenced anyway, since all the relabeling utilities seem to use > /src/policy/file_contexts/file_contexts instead? They do? Nothing should be using that file, except things involved in installing the policy sources. > If it does get used, who > uses it? And how can I be sure it gets updated to match > src/policy/file_contexts/file_contexts? make load *should* be sufficient, but you might be seeing a bug - try make install. > Any help in demystifying the file labeling procedure is appreciated! 
Hopefully others on this list can help you more, but basically, everything should be using contexts/files/file_contexts, and the file_contexts.homedirs. Nothing should be using the src file - that's strictly policy sources. From steve at atc-nycorp.com Mon Jun 27 17:35:14 2005 From: steve at atc-nycorp.com (Steve Brueckner) Date: Mon, 27 Jun 2005 13:35:14 -0400 Subject: the labeling procedure Message-ID: <60D45469A1AAD311A04C009027B6BF68059142AC@server20.inside.oracorp.com> > restorecon doesn't rely on having policy sources > (selinux-policy-targeted-sources) installed. It uses the installed > file_contexts configuration created by the policy > (selinux-policy-targeted) package. That lives > under /etc/selinux/targeted/contexts/files. Aha, I think the O'Reilly book is just out of date. Not surprising considering the moving target that is SELinux. > SELinux utilities don't rely on having the policy sources available, > as you likely don't want them on production systems. make relabel is > really only for developers, and hardly used at all anymore (it > predates having fixfiles and restorecon). Actually I am developing here. My problem is that I have a huge chroot directory (basically a full duplicate of the whole system) and I want to get everything in there labeled as if it was outside chroot. To do this I duplicated file_contexts/types.fc and used sed to prepend the chroot directory to every line. It seems to work pretty well, but I'm still having trouble getting the user home directories inside chroot labeled properly. The homedirs macros and files are apparently throwing me. I'd appreciate any suggestions on a better way to label the chroot filesystem. And any ideas on how to get those chrooted homedirs labeled correctly. Stephen Brueckner, ATC-NY From sds at tycho.nsa.gov Mon Jun 27 17:58:20 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 27 Jun 2005 13:58:20 -0400 Subject: the labeling procedure In-Reply-To: <60D45469A1AAD311A04C009027B6BF68059142AC@server20.inside.oracorp.com> References: <60D45469A1AAD311A04C009027B6BF68059142AC@server20.inside.oracorp.com> Message-ID: <1119895100.32316.161.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-06-27 at 13:35 -0400, Steve Brueckner wrote: > Actually I am developing here. My problem is that I have a huge chroot > directory (basically a full duplicate of the whole system) and I want to get > everything in there labeled as if it was outside chroot. To do this I > duplicated file_contexts/types.fc and used sed to prepend the chroot > directory to every line. It seems to work pretty well, but I'm still having > trouble getting the user home directories inside chroot labeled properly. > The homedirs macros and files are apparently throwing me. > > I'd appreciate any suggestions on a better way to label the chroot > filesystem. And any ideas on how to get those chrooted homedirs labeled > correctly. If you want to apply the same contexts, you can use setfiles -r. But note that there can be an advantage to using separate types on the chroot'd environment, and then not allowing any access by that process' domain to the base types used on the real filesystem. Any chance you can update to FC4? -- Stephen Smalley National Security Agency From steve at atc-nycorp.com Mon Jun 27 18:07:32 2005 
From: steve at atc-nycorp.com (Steve Brueckner) Date: Mon, 27 Jun 2005 14:07:32 -0400 Subject: the labeling procedure Message-ID: <60D45469A1AAD311A04C009027B6BF68059142AD@server20.inside.oracorp.com> Stephen Smalley wrote: > If you want to apply the same contexts, you can use setfiles -r. But > note that there can be an advantage to using separate types on the > chroot'd environment, and then not allowing any access by that > process' domain to the base types used on the real filesystem. > > Any chance you can update to FC4? I've got to release a beta this week so I'm sticking with FC3 at the moment. I'll certainly upgrade for the next version. I don't see the -r option in man setfiles. Is it a new option in FC4? From sds at tycho.nsa.gov Mon Jun 27 18:19:00 2005 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 27 Jun 2005 14:19:00 -0400 Subject: the labeling procedure In-Reply-To: <60D45469A1AAD311A04C009027B6BF68059142AD@server20.inside.oracorp.com> References: <60D45469A1AAD311A04C009027B6BF68059142AD@server20.inside.oracorp.com> Message-ID: <1119896340.32316.174.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-06-27 at 14:07 -0400, Steve Brueckner wrote: > I've got to release a beta this week so I'm sticking with FC3 at the moment. > I'll certainly upgrade for the next version. > > I don't see the -r option in man setfiles. Is it a new option in FC4? No, never trust the documentation. /usr/sbin/setfiles -r /path/to/chroot /path/to/file_contexts /path/to/chroot -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Mon Jun 27 18:32:14 2005 
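An added example, not libselinux and not from the policy package, of what matchpathcon and setfiles -r do with a file_contexts file, so the two questions in the threads above ("is my regexp actually matching?" and "how do I label a chroot with the same contexts?") can be answered without a policy build. The entries are constructed from the ones quoted in this archive; the /srv/fc3 chroot path and the split between file_contexts and file_contexts.homedirs are assumptions. The matching rules are the ones libselinux applies: every regexp is anchored at both ends, an entry with a type flag (--, -d, ...) applies only to objects of that type, file_contexts.homedirs is read after file_contexts, and the last matching entry wins.

```python
"""A small matchpathcon / setfiles -r work-alike.  Added example, not libselinux;
the file_contexts entries, the chroot path and the file_contexts.homedirs split
are constructed for the demo."""
import re
import stat
from typing import List, NamedTuple, Optional

# Entries in the shape of a targeted file_contexts, including the dhcpd lines
# discussed above (constructed; not copied from any policy package).
FILE_CONTEXTS = r"""
/.*                                          system_u:object_r:default_t
/var/lib/dhcp(3)?(/.*)?                      system_u:object_r:dhcp_state_t
/var/lib/dhcp(3)?/dhcpd\.leases.*      --    system_u:object_r:dhcpd_state_t
/usr/lib(64)?/.*\.so(\.[^/]*)*         --    system_u:object_r:shlib_t
/tmp                                   -d    system_u:object_r:tmp_t
/tmp/.*                                      <<none>>
"""

# genhomedircon writes these from homedir_template; restorecon reads them after
# file_contexts, which is why home_root_t never appears in the main file.
FILE_CONTEXTS_HOMEDIRS = r"""
/home                                  -d    system_u:object_r:home_root_t
/home/[^/]*                            -d    system_u:object_r:user_home_dir_t
/home/[^/]*/.*                               system_u:object_r:user_home_t
"""

TYPE_FLAGS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
              "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK,
              "-p": stat.S_IFIFO}


class Spec(NamedTuple):
    regex: re.Pattern
    mode: int                 # 0 = any object type, else one S_IF* value
    context: Optional[str]    # None for <<none>> (leave the object alone)


def parse_file_contexts(*texts: str) -> List[Spec]:
    """Parse one or more file_contexts files, in the order they are given."""
    specs = []
    for text in texts:
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split()
            if len(fields) == 3:
                regex, mode, ctx = fields[0], TYPE_FLAGS[fields[1]], fields[2]
            elif len(fields) == 2:
                regex, mode, ctx = fields[0], 0, fields[1]
            else:
                raise ValueError(f"bad file_contexts line: {line!r}")
            # libselinux anchors every regexp at both ends
            specs.append(Spec(re.compile("^" + regex + "$"), mode,
                              None if ctx == "<<none>>" else ctx))
    return specs


def lookup(specs: List[Spec], path: str, st_mode: int) -> Optional[str]:
    """What matchpathcon prints: the last matching entry whose type flag, if it
    has one, agrees with the object's type."""
    for spec in reversed(specs):
        if spec.mode and stat.S_IFMT(st_mode) != spec.mode:
            continue
        if spec.regex.match(path):
            return spec.context
    return None


def lookup_in_chroot(specs: List[Spec], root: str, path: str, st_mode: int) -> Optional[str]:
    """What setfiles -r ROOT does: strip ROOT from the path, match the rest as if
    it sat on the real filesystem, apply the result to the real path.  No need
    to sed ROOT onto the front of every regexp."""
    root = root.rstrip("/")
    if path != root and not path.startswith(root + "/"):
        raise ValueError(f"{path} is not under {root}")
    return lookup(specs, path[len(root):] or "/", st_mode)


SPECS = parse_file_contexts(FILE_CONTEXTS, FILE_CONTEXTS_HOMEDIRS)


def demo() -> dict:
    """Worked answers for the paths discussed in the threads above."""
    return {
        "leases file": lookup(SPECS, "/var/lib/dhcp/dhcpd.leases", stat.S_IFREG),
        "leases dir": lookup(SPECS, "/var/lib/dhcp/dhcpd.leases", stat.S_IFDIR),  # -- entry skipped
        "/home": lookup(SPECS, "/home", stat.S_IFDIR),
        "bb page": lookup(SPECS, "/home/bb/bb/www/bb.html", stat.S_IFREG),
        "tmp file": lookup(SPECS, "/tmp/x", stat.S_IFREG),
        "chroot /home": lookup_in_chroot(SPECS, "/srv/fc3", "/srv/fc3/home", stat.S_IFDIR),
        "chroot root": lookup_in_chroot(SPECS, "/srv/fc3", "/srv/fc3", stat.S_IFDIR),
    }


if __name__ == "__main__":
    for what, ctx in demo().items():
        print(f"{what:14} -> {ctx}")
```

Two things this makes visible that the thread had to guess at: the `--` on the dhcpd.leases entry means a directory of that name falls through to dhcp_state_t, and the home_root_t answer only appears once file_contexts.homedirs is loaded after the main file, which is exactly what a stale or missing homedirs file would break.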
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 27 Jun 2005 14:32:14 -0400 Subject: seaudit crashes with segmentation fault In-Reply-To: <1119896133.21088.5.camel@junior> References: <1119896133.21088.5.camel@junior> Message-ID: <1119897134.32316.183.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2005-06-27 at 13:15 -0500, John Bray wrote: > every time i try to run seaudit, it immediately crashes with a > segmentation fault. the following errors appear, with or without any > arguments on the commandline: > > [root at junior setools-2.1.0]# seaudit -l /var/log/messages > -p /etc/selinux/targeted/src/policy/policy.conf > > wonder if anyone has any ideas or suggestions? - Post to fedora-selinux-list for SELinux questions. - What is your base system, FC3 or FC4? - In FC4, unless you disable auditd, audit messages are sent by the kernel to auditd and are written by auditd to /var/log/audit/audit.log. - Not sure that seaudit has been updated for the associated changes. -- Stephen Smalley National Security Agency From rich at storix.com Mon Jun 27 18:42:14 2005 
From: rich at storix.com (rich turner) Date: Mon, 27 Jun 2005 11:42:14 -0700 Subject: unable to login In-Reply-To: <143f0f6c050624203516a4abc2@mail.gmail.com> References: <1119656209.4573.83.camel@rich> <143f0f6c050624203516a4abc2@mail.gmail.com> Message-ID: <1119897734.4580.7.camel@rich> I touched the file /.autorelabel, rebooted and saw a message that "SELinux relabel is required ...". Once it finished and booted to init level 5 I was still unable to login through the graphical login. I wish I would have written down the error message but I did not. At this point I rebooted the system to single user mode and switched the default init level to 3. Now after rebooting again it is hung up on "Initializing hardware ...". This has to be a selinux issue because if I issue selinux=0 to the kernel then I do not have any problems. Anyone have any ideas? On Fri, 2005-06-24 at 22:35 -0500, Christofer C. Bell wrote: > On 6/24/05, rich turner wrote: > > I am attempting to login as a normal user (fedora core 4) but am > > receiving the following error message: > > > > su[1697]:Warning! Could not relabel /dev/console with > > user_u:object_r:console_su:/bin/bash:Permission denied > > > > this does not happen when I login as root or when I "setenforce 0". > > > > anyone have any ideas? > > I admit that I don't know what the issue is, but I would suggest the > following: get root access on the machine (whether you need to disable > SELinux for that or not for a root login, I don't know), touch > /.autorelabel, and reboot. > > This will ensure that every file on your system is labeled with the > correct SELinux security context. It will be easier to move forward > from there with troubleshooting if your environment is in a known > state. > From michael.es.carney at sbcglobal.net Mon Jun 27 21:48:42 2005 
From: michael.es.carney at sbcglobal.net (Michael W. Carney)
Date: Mon, 27 Jun 2005 14:48:42 -0700
Subject: fc3 selinux-policy-targeted.noarch 1.17.30-3.13 problems?
Message-ID:

Just when I thought the selinux problems were licked, I'm now encountering problems with gpg, etc after updating with the latest version of targeted policy:

Details:

60# rpm -q -a selinux-policy-targeted
selinux-policy-targeted-1.17.30-3.13
uname -a
61# uname -a
Linux lucy-01 2.6.11-1.35_FC3smp #1 SMP Mon Jun 13 01:17:35 EDT 2005 i686 i686 i386 GNU/Linux
62#

/var/log/messages (duplicates pruned):
Jun 27 14:08:26 lucy-01 kernel: audit(1119906506.025:0): avc: denied { execmod } for pid=5151 comm=X path=/usr/lib/tls/libnvidia-tls.so.1.0.7174 dev=sdb5 ino=220031 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t tclass=file
Jun 27 14:08:35 lucy-01 kernel: audit(1119906515.090:0): avc: denied { execmod } for pid=5323 comm=kdeinit path=/usr/lib/libmcop.so.1.0.0 dev=sdb5 ino=214284 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t tclass=file
Jun 27 14:08:44 lucy-01 kernel: audit(1119906524.703:0): avc: denied { execmod } for pid=5410 comm=gpg path=/usr/bin/gpg dev=sdb5 ino=67343 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file

Suggestions, please?

From fenn at stanford.edu Mon Jun 27 22:11:29 2005
From: fenn at stanford.edu (Tim Fenn)
Date: Mon, 27 Jun 2005 15:11:29 -0700
Subject: fc3 selinux-policy-targeted.noarch 1.17.30-3.13 problems?
In-Reply-To:
References:
Message-ID: <20050627221126.GD28314@stanford.edu>

On Mon, Jun 27, 2005 at 02:48:42PM -0700, Michael W. Carney wrote:
> Just when I thought the selinux problems were licked, I'm now encountering
> problems with gpg, etc after updating with the latest version of targeted
> policy:
>
> Details:
>
> 60# rpm -q -a selinux-policy-targeted
> selinux-policy-targeted-1.17.30-3.13
> uname -a
> 61# uname -a
> Linux lucy-01 2.6.11-1.35_FC3smp #1 SMP Mon Jun 13 01:17:35 EDT 2005 i686
> i686 i386 GNU/Linux
> 62#
>
> /var/log/messages (duplicates pruned):
> Jun 27 14:08:26 lucy-01 kernel: audit(1119906506.025:0): avc: denied
> { execmod } for pid=5151 comm=X
> path=/usr/lib/tls/libnvidia-tls.so.1.0.7174 dev=sdb5 ino=220031
> scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t
> tclass=file
> Jun 27 14:08:35 lucy-01 kernel: audit(1119906515.090:0): avc: denied
> { execmod } for pid=5323 comm=kdeinit path=/usr/lib/libmcop.so.1.0.0
> dev=sdb5 ino=214284 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:shlib_t tclass=file
> Jun 27 14:08:44 lucy-01 kernel: audit(1119906524.703:0): avc: denied
> { execmod } for pid=5410 comm=gpg path=/usr/bin/gpg dev=sdb5 ino=67343
> scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t
> tclass=file
>
> Suggestions, please?
>

See:

https://www.redhat.com/archives/fedora-list/2005-June/msg05248.html

and:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161834

In short: downgrade. :(

HTH,
Tim

From michael.es.carney at sbcglobal.net Mon Jun 27 22:53:09 2005
From: michael.es.carney at sbcglobal.net (Michael W. Carney)
Date: Mon, 27 Jun 2005 15:53:09 -0700
Subject: fc3 selinux-policy-targeted.noarch 1.17.30-3.13 problems?
References: <20050627221126.GD28314@stanford.edu>
Message-ID:

Tim Fenn wrote:
> On Mon, Jun 27, 2005 at 02:48:42PM -0700, Michael W. Carney wrote:
>> Just when I thought the selinux problems were licked, I'm now
>> encountering problems with gpg, etc after updating with the latest
>> version of targeted policy:
>>
>> Details:
>>
>> 60# rpm -q -a selinux-policy-targeted
>> selinux-policy-targeted-1.17.30-3.13
>> uname -a
>> 61# uname -a
>> Linux lucy-01 2.6.11-1.35_FC3smp #1 SMP Mon Jun 13 01:17:35 EDT 2005 i686
>> i686 i386 GNU/Linux
>> 62#
>>
>> /var/log/messages (duplicates pruned):
>> Jun 27 14:08:26 lucy-01 kernel: audit(1119906506.025:0): avc: denied
>> { execmod } for pid=5151 comm=X
>> path=/usr/lib/tls/libnvidia-tls.so.1.0.7174 dev=sdb5 ino=220031
>> scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t
>> tclass=file
>> Jun 27 14:08:35 lucy-01 kernel: audit(1119906515.090:0): avc: denied
>> { execmod } for pid=5323 comm=kdeinit path=/usr/lib/libmcop.so.1.0.0
>> dev=sdb5 ino=214284 scontext=user_u:system_r:unconfined_t
>> tcontext=system_u:object_r:shlib_t tclass=file
>> Jun 27 14:08:44 lucy-01 kernel: audit(1119906524.703:0): avc: denied
>> { execmod } for pid=5410 comm=gpg path=/usr/bin/gpg dev=sdb5 ino=67343
>> scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t
>> tclass=file
>>
>> Suggestions, please?
>>
>
> See:
>
> https://www.redhat.com/archives/fedora-list/2005-June/msg05248.html
>
> and:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161834
>
> In short: downgrade. :(
>
> HTH,
> Tim

Thanks, that worked.

From rturner at san.rr.com Tue Jun 28 00:02:43 2005
From: rturner at san.rr.com (rich turner)
Date: Mon, 27 Jun 2005 17:02:43 -0700
Subject: permission denied on shared library
Message-ID: <200506271702.43306.rturner@san.rr.com>

i have installed a 3rd party application that worked with fc3 but no longer works with fc4. i am getting the following error:

stio: error while loading shared libraries: /usr/lib/libstorix.so: cannot restore segment prot after reloc: Permission denied.

when i run the command "setenforce 0" it works so my thoughts are that it is not setup properly with selinux.

# ls -l /usr/lib/libstorix.so
lrwxrwxrwx 1 root root 28 Jun 26 05:14 /usr/lib/libstorix.so -> /opt/storix/lib/libstorix.so
# ls -lZ /usr/lib/libstorix.so
lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libstorix.so
# ls -lZ /opt/storix/lib/libstorix.so
-rw-r--r-- root root system_u:object_r:shlib_t /opt/storix/lib/libstorix.so

i have seen this error in a number of searches, and the most common solution is to turn selinux off. there must be a better way to get this to work.

From ivg2 at cornell.edu Tue Jun 28 00:40:51 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Mon, 27 Jun 2005 20:40:51 -0400
Subject: permission denied on shared library
In-Reply-To: <200506271702.43306.rturner@san.rr.com>
References: <200506271702.43306.rturner@san.rr.com>
Message-ID: <1119919251.13497.5.camel@localhost.localdomain>

> i have seen this error in a number of searches, and the most common solution
> is to turn selinux off.

I would hardly consider that a solution :)

> there must be a better way to get this to work.

The application which you are trying to run likely requires text relocations to work properly. You can check that by running readelf -d on the application and looking for TEXTREL. The proper fix is to work with the application developers to compile it without this requirement. A workaround is to relabel the application as texrel_shlib_t (chcon -t texrel_shlib_t ), and then to enable the allow_execmem boolean. You can do that through the system-config-securitylevel tool, or by running

setsebool -P allow_execmod 1

That's my best guess, which could be incorrect..

From russell at coker.com.au Tue Jun 28 07:15:43 2005
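The TEXTREL check Ivan suggests doing with readelf -d, as an added example that is not code from the list or from any Fedora tool: it walks the ELF PT_DYNAMIC segment (32- and 64-bit) for DT_TEXTREL or DF_TEXTREL in DT_FLAGS. build_fake_elf is a constructed test fixture that fabricates a minimal ELF image, not a real library.

```python
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def has_textrel(data):
    """Return True if the ELF image in `data` declares text relocations.

    Looks in the PT_DYNAMIC segment for a DT_TEXTREL entry or the DF_TEXTREL
    bit in DT_FLAGS, which is what "readelf -d <file> | grep TEXTREL" shows.
    Such objects need the execmod permission; when SELinux denies it the
    loader fails with "cannot restore segment prot after reloc".
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian
    if elf64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"
    dyn_size = struct.calcsize(dyn_fmt)
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if elf64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, ...
            p_type, _flags, p_offset, _va, _pa, p_filesz = ph[:6]
        else:       # Elf32_Phdr: type, offset, vaddr, paddr, filesz, ...
            p_type, p_offset, _va, _pa, p_filesz = ph[:5]
        if p_type != PT_DYNAMIC:
            continue
        pos, stop = p_offset, p_offset + p_filesz
        while pos + dyn_size <= stop:
            d_tag, d_val = struct.unpack_from(dyn_fmt, data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
            pos += dyn_size
    return False


def build_fake_elf(dyn_entries, elf64=True):
    """Constructed test input: a minimal ET_DYN image holding only a
    PT_DYNAMIC segment with the given (tag, value) entries. Not loadable."""
    dyn_entries = list(dyn_entries) + [(DT_NULL, 0)]
    if elf64:
        ehsize, phsize = 64, 56
        dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
        dynoff = ehsize + phsize
        ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
                + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehsize, 0, 0,
                              ehsize, phsize, 1, 0, 0, 0))
        phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dynoff, dynoff, dynoff,
                           len(dyn), len(dyn), 8)
    else:
        ehsize, phsize = 52, 32
        dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_entries)
        dynoff = ehsize + phsize
        ehdr = (b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
                + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, ehsize, 0, 0,
                              ehsize, phsize, 1, 0, 0, 0))
        phdr = struct.pack("<IIIIIIII", PT_DYNAMIC, dynoff, dynoff, dynoff,
                           len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    # With file arguments, inspect real objects; without, run the fixtures.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, "TEXTREL" if has_textrel(f.read()) else "no TEXTREL")
    else:
        print("constructed TEXTREL object:", has_textrel(build_fake_elf([(DT_TEXTREL, 0)])))
        print("constructed clean object:", has_textrel(build_fake_elf([])))
```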
From: russell at coker.com.au (Russell Coker)
Date: Tue, 28 Jun 2005 17:15:43 +1000
Subject: [FC3] kernel panic after selinux-policy-targeted update
In-Reply-To: <1119884200.32316.80.camel@moss-spartans.epoch.ncsc.mil>
References: <42C00B99.1060903@dzr-web.com> <1119884200.32316.80.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200506281715.49060.russell@coker.com.au>

On Tuesday 28 June 2005 00:56, Stephen Smalley wrote:
> > Now I cannot boot into FC3 at all (I'm posting this from Windows). This
> > is the error I get:
> >
> > audit(1119882959.657:0): avc: denied { execmod } for pid=1 comm=init
> > path=/lib/tls/libc-2.3.5.so dev=hda3 ino=2638668
> > scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t
> > tclass=file
> > /sbin/init: error while loading shared libraries : /lib/tls/libc.so.6:
> > cannot apply additional memory protection after relocation: Permission
> > denied
> > Kernel panic - not syncing: Attempted to kill init!
>
> What is your hardware? ppc32 by any chance? execmod has to be allowed
> to all file types on that platform (or, as in kernel 2.6.12, the check
> has to be disabled completely for ppc32).
>
> /usr/sbin/getsebool allow_execmod shows what?

I've just tried reproducing this on a P4-1.5GHz machine specifically installed for the purpose.

I upgraded to all the latest packages including kernel-2.6.11-1.35_FC3 and selinux-policy-targeted-sources-1.17.30-3.13. Things worked fine.

Until I get more detail on this (type of CPU, kernel version, etc) I'll conclude that it was a broken configuration.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161867

The above bugzilla has a similar bug report, I've closed it with WORKSFORME. The person who reported it can reopen the bug if they have more information that may allow me to reproduce the bug.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From tiziano at conticars.be Tue Jun 28 08:50:43 2005
From: tiziano at conticars.be (Tiziano Demaria)
Date: Tue, 28 Jun 2005 10:50:43 +0200
Subject: {Scanned} Update FC3 SElinux and no more possible to login!!!! HELP !!!
Message-ID: <42C10F63.2060901@conticars.be>

Hello to everybody

I think that the problem is serious... I've updated today the policies of SELINUX Fedora Core 3...

And it's impossible now to login... like root or any other client... I don't know how to do... could you help me please?

Best regards
Tiziano
--

From ben at burbong.com Tue Jun 28 12:07:46 2005
From: ben at burbong.com (Ben Stringer)
Date: Tue, 28 Jun 2005 22:07:46 +1000
Subject: [FC3] kernel panic after selinux-policy-targeted update
In-Reply-To: <200506281715.49060.russell@coker.com.au>
References: <42C00B99.1060903@dzr-web.com> <1119884200.32316.80.camel@moss-spartans.epoch.ncsc.mil> <200506281715.49060.russell@coker.com.au>
Message-ID: <1119960466.5069.7.camel@ben8600>

On Tue, 2005-06-28 at 17:15 +1000, Russell Coker wrote:
>
> I've just tried reproducing this on a P4-1.5GHz machine specifically installed
> for the purpose.
>
> I upgraded to all the latest packages including kernel-2.6.11-1.35_FC3 and
> selinux-policy-targeted-sources-1.17.30-3.13. Things worked fine.
>
> Until I get more detail on this (type of CPU, kernel version, etc) I'll
> conclude that it was a broken configuration.

Hi Russell,

I got hit by this one. Some details:

Dell Inspiron 8600 laptop, Centrino 1.6Ghz, running 2.6.11-1.27_FC3. An "everything" installation of FC3, kept updated from fedora-updates and livna. Using the 2100 wireless NIC at the time.

I did an update this afternoon, which included the selinux policy update and the latest kernel (kernel-2.6.11-1.35_FC3). During the yum update, things started breaking as the update applied the new policies (eg. I couldn't use ssh from the laptop to other hosts).

When I tried to shutdown, I got many messages like this:

Jun 28 18:56:00 ben8600 kernel: audit(1119948960.209:0): avc: denied { execmod } for pid=13420 comm=mingetty path=/lib/tls/libc-2.3.5.so dev=hda11 ino=20455 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

My only option was to power off the laptop. I then had to boot with enforcing=0 (and a considerable amount of fscking) to get back up.

If there is any other information I can give you to help reproduce this, let me know.

Cheers, Ben

From russell at coker.com.au Tue Jun 28 12:27:53 2005
From: russell at coker.com.au (Russell Coker)
Date: Tue, 28 Jun 2005 22:27:53 +1000
Subject: [FC3] kernel panic after selinux-policy-targeted update
In-Reply-To: <1119960466.5069.7.camel@ben8600>
References: <42C00B99.1060903@dzr-web.com> <200506281715.49060.russell@coker.com.au> <1119960466.5069.7.camel@ben8600>
Message-ID: <200506282227.58812.russell@coker.com.au>

On Tuesday 28 June 2005 22:07, Ben Stringer wrote:
> On Tue, 2005-06-28 at 17:15 +1000, Russell Coker wrote:
> > I've just tried reproducing this on a P4-1.5GHz machine specifically
> > installed for the purpose.
> >
> > I upgraded to all the latest packages including kernel-2.6.11-1.35_FC3
> > and selinux-policy-targeted-sources-1.17.30-3.13. Things worked fine.
>
> Dell Inspiron 8600 laptop, Centrino 1.6Ghz, running 2.6.11-1.27_FC3. An
> "everything" installation of FC3, kept updated from fedora-updates and
> livna. Using the 2100 wireless NIC at the time.
>
> I did an update this afternoon, which included the selinux policy update
> and the latest kernel (kernel-2.6.11-1.35_FC3). During the yum update,
> things started breaking as the update applied the new policies (eg. I
> couldn't use ssh from the laptop to other hosts).

Did things work better after you had booted the new kernel? Maybe the problem is a combination of new policy and slightly older kernel.

> When I tried to shutdown, I got many messages like this:
>
> Jun 28 18:56:00 ben8600 kernel: audit(1119948960.209:0): avc: denied
> { execmod } for pid=13420 comm=mingetty path=/lib/tls/libc-2.3.5.so
> dev=hda11 ino=20455 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:lib_t tclass=file

That's an example of a .so file which is mis-labeled.

What version of glibc? Mine is glibc-2.3.5-0.fc3.1.

> My only option was to power off the laptop. I then had to boot with
> enforcing=0 (and a considerable amount of fscking) to get back up.
>
> If there is any other information I can give you to help reproduce this,
> let me know.
What state is the machine in now?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From ben at burbong.com Tue Jun 28 13:11:56 2005
From: ben at burbong.com (Ben Stringer)
Date: Tue, 28 Jun 2005 23:11:56 +1000
Subject: [FC3] kernel panic after selinux-policy-targeted update
In-Reply-To: <200506282227.58812.russell@coker.com.au>
References: <42C00B99.1060903@dzr-web.com> <200506281715.49060.russell@coker.com.au> <1119960466.5069.7.camel@ben8600> <200506282227.58812.russell@coker.com.au>
Message-ID: <1119964316.5120.6.camel@ben8600>

On Tue, 2005-06-28 at 22:27 +1000, Russell Coker wrote:
> > I did an update this afternoon, which included the selinux policy update
> > and the latest kernel (kernel-2.6.11-1.35_FC3). During the yum update,
> > things started breaking as the update applied the new policies (eg. I
> > couldn't use ssh from the laptop to other hosts).
>
> Did things work better after you had booted the new kernel? Maybe the problem
> is a combination of new policy and slightly older kernel.

Still have not tried the new kernel yet. I will give this a go.

> > When I tried to shutdown, I got many messages like this:
> >
> > Jun 28 18:56:00 ben8600 kernel: audit(1119948960.209:0): avc: denied
> > { execmod } for pid=13420 comm=mingetty path=/lib/tls/libc-2.3.5.so
> > dev=hda11 ino=20455 scontext=user_u:system_r:unconfined_t
> > tcontext=system_u:object_r:lib_t tclass=file
>
> That's an example of a .so file which is mis-labeled.
>
> What version of glibc? Mine is glibc-2.3.5-0.fc3.1.

Mine is the same.

> > My only option was to power off the laptop. I then had to boot with
> > enforcing=0 (and a considerable amount of fscking) to get back up.
> >
> > If there is any other information I can give you to help reproduce this,
> > let me know.
>
> What state is the machine in now?
I have dropped back to the previous policy and relabelled, using these steps, as posted here earlier today:

rpm -ev selinux-policy-targeted selinux-policy-targeted-sources
rm -fR /etc/selinux/targeted/
rpm -ivh /var/cache/yum/updates-released/packages/selinux-policy-targeted-1.17.30-3.9.noarch.rpm /var/cache/yum/updates-released/packages/selinux-policy-targeted-sources-1.17.30-3.9.noarch.rpm
touch /.autorelabel

Everything seems to be back to normal. My next steps (when I can afford the time of having the laptop unavailable) will be to boot into the new kernel, still using the previous policy file, confirm all is good with that, then re-apply the new policy update and see if the same problems occur.

Cheers, Ben

From sds at tycho.nsa.gov Tue Jun 28 13:39:13 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 28 Jun 2005 09:39:13 -0400
Subject: [FC3] kernel panic after selinux-policy-targeted update
In-Reply-To: <200506281715.49060.russell@coker.com.au>
References: <42C00B99.1060903@dzr-web.com> <1119884200.32316.80.camel@moss-spartans.epoch.ncsc.mil> <200506281715.49060.russell@coker.com.au>
Message-ID: <1119965953.22225.52.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-06-28 at 17:15 +1000, Russell Coker wrote:
> I've just tried reproducing this on a P4-1.5GHz machine specifically installed
> for the purpose.
>
> I upgraded to all the latest packages including kernel-2.6.11-1.35_FC3 and
> selinux-policy-targeted-sources-1.17.30-3.13. Things worked fine.
>
> Until I get more detail on this (type of CPU, kernel version, etc) I'll
> conclude that it was a broken configuration.

That doesn't reproduce the sequence for real users, because they would have gone through a series of policy and kernel updates over time, with any potential pairing of released policies and kernels running at any given time. If you look at the diffs between successive policy updates for FC3, there are some obvious issues there. I started with 2.96 and did incremental diffs up to 3.13. Note that:

- shlib_t is a type alias for lib_t in 2.96, but in 3.13, is suddenly changed to a separate type. So if you booted your kernel with any policy prior to 3.13 and just did a policy reload for the update to 3.13, you will have in-core inodes that have already been mapped to lib_t internally that should be shlib_t, and any rules on shlib_t will no longer be applied to them.
- texrel_shlib_t is a separate type in 3.2, is changed to a type alias for lib_t in 3.9, and is changed back to a separate type in 3.13. Similar issues, albeit with lesser impact.
- allow rules for execmem/execmod that were added for backward compatibility in FC3 when the 2.6.11-based kernel update was released are suddenly dropped in 3.13.
These were necessary because 2.6.11 lacked the checkreqprot and ppc32 compatibility code that was included in early FC4/devel kernels and ultimately upstreamed into 2.6.12, and for whatever reason, the FC3 update kernel for 2.6.11 did not include that patch, so the policy had to include those allow rules instead.

However, I'm still not clear as to why FC3 users are seeing the particular denials that they are seeing (e.g. on x86, for /sbin/init, execmod to /lib/tls/libc.*), and that would be worth investigating further.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Tue Jun 28 13:41:56 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 28 Jun 2005 09:41:56 -0400
Subject: {Scanned} Update FC3 SElinux and no more possible to login!!!! HELP !!!
In-Reply-To: <42C10F63.2060901@conticars.be>
References: <42C10F63.2060901@conticars.be>
Message-ID: <1119966116.22225.55.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-06-28 at 10:50 +0200, Tiziano Demaria wrote:
> Hello to everybody
>
> I think that the problem is serious... I've updated today the policies
> of SELINUX Fedora Core 3...
>
> And it's impossible now to login... like root or any other client... I
> don't know how to do... could you help me please?

Reboot with enforcing=0 on the kernel command line, then downgrade your selinux-policy-targeted package to the prior version.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161834

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Tue Jun 28 13:42:59 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 28 Jun 2005 09:42:59 -0400
Subject: selinux fedora 3 last update breaks some programs
In-Reply-To: <1119864310.4438.90.camel@tiger.byworks.com>
References: <1119864310.4438.90.camel@tiger.byworks.com>
Message-ID: <1119966179.22225.57.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-06-27 at 11:25 +0200, alberto passariello wrote:
> i just upgraded my fedora core to
> selinux-policy-targeted-1.17.30-3.13
>
> and a java application I use now produces this message ...
> Jun 27 10:23:43 tiger kernel: audit(1119860623.918:0): avc: denied
> { execmod } for pid=6218 comm=java path=/lib64/tls/libc-2.3.5.so
> dev=sda2 ino=16780747 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:lib_t tclass=file
>
> acrobat reader 7 produces this error
> Jun 27 11:22:17 tiger kernel: audit(1119864137.180:0): avc: denied
> { execmod } for pid=18874 comm=acroread path=/lib/tls/libc-2.3.5.so
> dev=sda2 ino=41946582 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:shlib_t tclass=file
>
> how can I solve the problem?

Bug in the policy package, see:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161834

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Tue Jun 28 14:04:49 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 28 Jun 2005 10:04:49 -0400
Subject: SELinux context for data to be shared using both httpd and samba?
In-Reply-To: <1119906139.2732.71.camel@laurel.intra.city-fan.org>
References: <1119906139.2732.71.camel@laurel.intra.city-fan.org>
Message-ID: <1119967489.22225.70.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-06-27 at 22:02 +0100, Paul Howarth wrote:
> Perhaps this is really a question for the selinux list, but I expect
> someone here must have come across this before.
>
> I've got a software archive sitting on a file server, and this includes
> both Windows software (to be shared out using samba) and a local yum
> repository (to be shared out using httpd).
>
> The SELinux manual tells me to use one set of contexts for sharing data
> using httpd and another set for sharing data using samba. The files can
> each only have one context as far as I know, so how do I resolve this
> conflict without turning off SELinux protection for one of the daemons?
> Add permissions for one daemon to be able to access the other's data?
> What's the way other people handle this?

Define a new type for this purpose, and allow both httpd and samba to access it. Presently requires installing policy sources, modifying them accordingly, and rebuilding your policy. Support for policy modules is coming, but not until FC5.

--
Stephen Smalley
National Security Agency

From tiziano at conticars.be Tue Jun 28 14:16:21 2005
From cgbookho at ncsu.edu Tue Jun 28 14:50:57 2005
From: cgbookho at ncsu.edu (Chris Bookholt)
Date: Tue, 28 Jun 2005 10:50:57 -0400
Subject: Policy Testing Procedures
Message-ID: <42C163D1.7060205@ncsu.edu>

Greetings to all,

My systems were also adversely affected (no login, etc.) by the most recent policy upgrade that came from the official updates-released yum repository.

What, if any, are the fedora testing procedures for SELinux policy? I know developers make mistakes, but I thought that's what the development repos were for.

I don't intend to flame, but rather to express the need for testing to address the recent flood of policy problems in packages coming from what are supposed to be reasonably stable repos.

Since I don't see a lack of reliability in other packages coming from updates-released, it makes me think that the typical development->test->release cycle does not apply to SELinux policy packages. If this is the case, why? If not, what other reason is there for the lack of comparable quality?

Clearly you, the fedora SELinux policy developers, are trying hard to avoid scaring users away by incrementally tightening the policies. However, each time a broken policy is released as stable, you lose the trust you so patiently built.

So, my message is this:

Please test. If you already test, please test more. Thanks for your hard work and brilliant ideas; I'm a big fan of adding MAC into mainstream distros.

Best Regards,
Chris

--
Christopher G. Bookholt, RHCE
cgbookho at ncsu.edu

From sds at tycho.nsa.gov Tue Jun 28 14:51:01 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 28 Jun 2005 10:51:01 -0400
Subject: [FC3] kernel panic after selinux-policy-targeted update
In-Reply-To: <200506282227.58812.russell@coker.com.au>
References: <42C00B99.1060903@dzr-web.com> <200506281715.49060.russell@coker.com.au> <1119960466.5069.7.camel@ben8600> <200506282227.58812.russell@coker.com.au>
Message-ID: <1119970261.22225.96.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-06-28 at 22:27 +1000, Russell Coker wrote:
> > Jun 28 18:56:00 ben8600 kernel: audit(1119948960.209:0): avc: denied
> > { execmod } for pid=13420 comm=mingetty path=/lib/tls/libc-2.3.5.so
> > dev=hda11 ino=20455 scontext=user_u:system_r:unconfined_t
> > tcontext=system_u:object_r:lib_t tclass=file
>
> That's an example of a .so file which is mis-labeled.

Not necessarily. Prior to -3.13, shlib_t was a typealias for lib_t in the targeted policy, so it would be normal for audit messages to display lib_t here for a .so. Real question is why is an execmod check being triggered on /lib/tls/libc-2.3.5.so, as it should only occur on attempts to make executable a previously modified private file mapping, typically text relocation.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Tue Jun 28 15:20:03 2005
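The execmod denials quoted throughout this thread, parsed and sorted into the cases the discussion distinguishes (a third-party library or program with text relocations, versus the pervasive libc denials that should not involve text relocations at all), as an added example that is not code from the list, from seaudit or from any Fedora tool. The category names and the triage rules are mine, and the sample log lines are constructed after the ones quoted above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Syslog-wrapped AVC record as FC3 wrote it to /var/log/messages, e.g.
# "... kernel: audit(1119906524.703:0): avc: denied { execmod } for pid=5410
#  comm=gpg path=/usr/bin/gpg ... tcontext=system_u:object_r:bin_t tclass=file"
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcRecord:
    timestamp: float
    result: str      # "denied" or "granted"
    perms: tuple     # permissions inside the braces, e.g. ("execmod",)
    fields: dict     # pid, comm, path, dev, ino, scontext, tcontext, tclass ...

    def context_type(self, key):
        """Type component of a user:role:type context (tcontext -> shlib_t)."""
        return self.fields[key].split(":")[2]


def parse_avc(line):
    """Return an AvcRecord for a line carrying an AVC message, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return AvcRecord(timestamp=float(m.group("ts")), result=m.group("result"),
                     perms=tuple(m.group("perms").split()),
                     fields=dict(KV_RE.findall(m.group("rest"))))


# Before selinux-policy-targeted 1.17.30-3.13 shlib_t was a typealias for
# lib_t, so a .so may legitimately show either type in tcontext (see above).
LIBRARY_TYPES = {"lib_t", "shlib_t"}
# glibc needs no text relocations; an execmod request here is the
# system-wide symptom (init, mingetty, java, acroread) reported in the thread.
CORE_LIBC_PREFIXES = ("/lib/tls/libc-", "/lib64/tls/libc-")


def triage_execmod(rec):
    """Classify one denial as "<category>: <what to check next>".

    Categories: ignore, system-wide, boolean, textrel-library, textrel-binary.
    """
    if (rec.result != "denied" or "execmod" not in rec.perms
            or rec.fields.get("tclass") != "file"):
        return "ignore: not an execmod denial on a file"
    path = rec.fields.get("path", "")
    ttype = rec.context_type("tcontext")
    if path.startswith(CORE_LIBC_PREFIXES):
        # Reported with kernel 2.6.11-1.27_FC3 plus policy 3.13 (bz 161867).
        return ("system-wide: execmod on glibc itself; compare the running "
                "kernel with the installed policy and downgrade the policy "
                "(bz 161834)")
    if ttype == "texrel_shlib_t":
        # Already labelled for text relocations, so the boolean is the gap.
        return "boolean: check getsebool allow_execmod for %s" % path
    if ttype in LIBRARY_TYPES:
        return ("textrel-library: readelf -d %s | grep TEXTREL; rebuild without "
                "TEXTREL, or chcon -t texrel_shlib_t and enable allow_execmod"
                % path)
    # e.g. bin_t for /usr/bin/gpg: the program image itself needs execmod,
    # which the compatibility rules dropped in 3.13 used to allow.
    return ("textrel-binary: %s (%s) needs execmod on its own image; "
            "readelf -d %s | grep TEXTREL" % (rec.fields.get("comm"), ttype, path))


def summarize(lines):
    """Collapse repeated execmod denials to (comm, path, target type) -> count."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec.result == "denied" and "execmod" in rec.perms:
            counts[(rec.fields.get("comm"), rec.fields.get("path"),
                    rec.context_type("tcontext"))] += 1
    return counts


# Constructed sample, modelled on the messages quoted in this thread.
SAMPLE_LOG = """\
Jun 27 14:08:26 lucy-01 kernel: audit(1119906506.025:0): avc: denied { execmod } for pid=5151 comm=X path=/usr/lib/tls/libnvidia-tls.so.1.0.7174 dev=sdb5 ino=220031 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t tclass=file
Jun 27 14:08:44 lucy-01 kernel: audit(1119906524.703:0): avc: denied { execmod } for pid=5410 comm=gpg path=/usr/bin/gpg dev=sdb5 ino=67343 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
Jun 28 18:56:00 ben8600 kernel: audit(1119948960.209:0): avc: denied { execmod } for pid=13420 comm=mingetty path=/lib/tls/libc-2.3.5.so dev=hda11 ino=20455 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Jun 28 18:56:00 ben8600 kernel: audit(1119948960.211:0): avc: denied { execmod } for pid=13420 comm=mingetty path=/lib/tls/libc-2.3.5.so dev=hda11 ino=20455 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Jun 28 18:56:01 ben8600 kernel: audit(1119948961.300:0): avc: denied { execmem } for pid=6218 comm=java scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
Jun 28 18:56:02 ben8600 kernel: eth0: link up
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            print(triage_execmod(rec))
    for key, n in summarize(SAMPLE_LOG.splitlines()).items():
        print(n, key)
```

Feed it a real /var/log/messages with `summarize(open(path).readlines())` to see whether the denials are selective (a few programs) or pervasive (everything touching libc), which is the distinction Stephen draws below.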
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 28 Jun 2005 11:20:03 -0400
Subject: [FC3] kernel panic after selinux-policy-targeted update
In-Reply-To: <1119964316.5120.6.camel@ben8600>
References: <42C00B99.1060903@dzr-web.com> <200506281715.49060.russell@coker.com.au> <1119960466.5069.7.camel@ben8600> <200506282227.58812.russell@coker.com.au> <1119964316.5120.6.camel@ben8600>
Message-ID: <1119972003.22225.102.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-06-28 at 23:11 +1000, Ben Stringer wrote:
> Everything seems to be back to normal. My next steps (when I can afford
> the time of having the laptop unavailable) will be to boot into the new
> kernel, still using the previous policy file, confirm all is good with
> that, then re-apply the new policy update and see if the same problems
> occur.

When/if you do that, put the machine into permissive mode (setenforce 0), clear /var/log/messages, and enable syscall auditing (auditctl -e 1) prior to applying the policy update. It would also help to run one of the failing programs under strace and collect that output.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Tue Jun 28 16:02:07 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 28 Jun 2005 12:02:07 -0400
Subject: Policy Testing Procedures
In-Reply-To: <42C163D1.7060205@ncsu.edu>
References: <42C163D1.7060205@ncsu.edu>
Message-ID: <1119974527.22225.135.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-06-28 at 10:50 -0400, Chris Bookholt wrote:
> Greetings to all,
>
> My systems were also adversely affected (no login, etc.) by the most
> recent policy upgrade that came from the official updates-released yum
> repository.
>
> What, if any, are the fedora testing procedures for SELinux policy? I
> know developers make mistakes, but I thought that's what the development
> repos were for.
>
> I don't intend to flame, but rather to express the need for testing to
> address the recent flood of policy problems in packages coming from what
> are supposed to be reasonably stable repos.
>
> Since I don't see a lack of reliability in other packages coming from
> updates-released, it makes me think that the typical
> development->test->release cycle does not apply to SELinux policy
> packages. If this is the case, why? If not, what other reason is there
> for the lack of comparable quality?
>
> Clearly you, the fedora SELinux policy developers, are trying hard to
> avoid scaring users away by incrementally tightening the policies.
> However, each time a broken policy is released as stable, you lose the
> trust you so patiently built.
>
> So, my message is this:
>
> Please test. If you already test, please test more. Thanks for your
> hard work and brilliant ideas; I'm a big fan of adding MAC into
> mainstream distros.

I have nothing to do with any updates for Fedora, but my impression (possibly wrong) was that the procedure for all Fedora updates was the same, i.e.
developer tests on his own box to whatever degree he feels comfortable, puts the updated package into the updates-testing tree and announces it on fedora-test-list, some subset of the Fedora community is expected to provide testing of the update at that point, and then after some period of time in the absence of any bug reports, puts the updated package into the updates-released tree.

Looking at the fedora-test-list archives, I don't see a test release of this policy update (3.13), although oddly I do see an announcement of a 3.15 test update on the same day. Not sure what happened there, or if I am missing something.

I'm also not sure we understand yet what exactly happened with the policy update. Some users reported selective execmod denials (e.g. gpg, acroread) that make sense in light of the changes in the policy update and wouldn't have shown up without exercising those specific programs, while others have reported pervasive execmod denials for the entire system, as in the bugzilla report, that I don't understand yet, as these should not involve text relocations at all. Russell wasn't able to easily reproduce on his machine.

--
Stephen Smalley
National Security Agency

From tibbs at math.uh.edu Tue Jun 28 16:13:48 2005
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Tue, 28 Jun 2005 11:13:48 -0500
Subject: Policy Testing Procedures
In-Reply-To: <42C163D1.7060205@ncsu.edu> (Chris Bookholt's message of "Tue, 28 Jun 2005 10:50:57 -0400")
References: <42C163D1.7060205@ncsu.edu>
Message-ID:

>>>>> "CB" == Chris Bookholt writes:

CB> Please test. If you already test, please test more.

Did you note the new policy packages in the updates-testing repository? Try them out. Watch the CVS commits list and build the in-development packages. There's really no other way to know if things are going to break on your systems.

I use secure LDAP and nscd; it seems pretty obvious to me that Red Hat did not test that specific configuration. But this is Fedora, a community project, and after the initial shock of having my systems broken I had to figure out how to fix it myself, which I did, and that fix is in the current policy.

- J<

From gyurdiev at redhat.com Tue Jun 28 17:27:56 2005
From: gyurdiev at redhat.com (Ivan Gyurdiev)
Date: Tue, 28 Jun 2005 13:27:56 -0400
Subject: Policy Testing Procedures
In-Reply-To:
References: <42C163D1.7060205@ncsu.edu>
Message-ID: <1119979677.4806.15.camel@celtics.boston.redhat.com>

> I use secure LDAP and nscd; it seems pretty obvious to me that Red Hat
> did not test that specific configuration. But this is Fedora, a
> community project, and after the initial shock of having my systems
> broken I had to figure out how to fix it myself, which I did, and that
> fix is in the current policy.

What fix is that? If you let us know, we can include it in the next policy package..

From tibbs at math.uh.edu Tue Jun 28 17:40:17 2005
From: tibbs at math.uh.edu (Jason L Tibbitts III) Date: Tue, 28 Jun 2005 12:40:17 -0500 Subject: Policy Testing Procedures In-Reply-To: <1119979677.4806.15.camel@celtics.boston.redhat.com> (Ivan Gyurdiev's message of "Tue, 28 Jun 2005 13:27:56 -0400") References: <42C163D1.7060205@ncsu.edu> <1119979677.4806.15.camel@celtics.boston.redhat.com> Message-ID: >>>>> "IG" == Ivan Gyurdiev writes: IG> What fix is that? The one to allow nscd_t to read cert_t. IG> If you let us know, we can include it in the next policy package.. Well, it's in the current policy. I reported it in the bugzilla entry that was opened to track the original issue: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160038 and it was incorporated in 1.17.30-3.11. - J< From cra at WPI.EDU Tue Jun 28 17:46:58 2005 
From: cra at WPI.EDU (Chuck Anderson) Date: Tue, 28 Jun 2005 13:46:58 -0400 Subject: [FC3] kernel panic after selinux-policy-targeted update In-Reply-To: <200506282227.58812.russell@coker.com.au> References: <42C00B99.1060903@dzr-web.com> <200506281715.49060.russell@coker.com.au> <1119960466.5069.7.camel@ben8600> <200506282227.58812.russell@coker.com.au> Message-ID: <20050628174658.GQ8426@angus.ind.WPI.EDU> On Tue, Jun 28, 2005 at 10:27:53PM +1000, Russell Coker wrote: > On Tuesday 28 June 2005 22:07, Ben Stringer wrote: > > I did an update this afternoon, which included the selinux policy update > > and the latest kernel (kernel-2.6.11-1.35_FC3). During the yum update, > > things started breaking as the update applied the new policies (eg. I > > couldn't use ssh from the laptop to other hosts). > > Did things work better after you had booted the new kernel? Maybe the problem > is a combination of new policy and slightly older kernel. I updated the bz ticket #161867. All the systems I had this problem with were running 2.6.11-1.27_FC3 at the time the update was done. The systems running 2.6.11-1.35_FC3 didn't experience the problem. So it does appear that the problem is the older kernel and the newer policy. From sds at tycho.nsa.gov Tue Jun 28 18:18:29 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 28 Jun 2005 14:18:29 -0400 Subject: [FC3] kernel panic after selinux-policy-targeted update In-Reply-To: <20050628174658.GQ8426@angus.ind.WPI.EDU> References: <42C00B99.1060903@dzr-web.com> <200506281715.49060.russell@coker.com.au> <1119960466.5069.7.camel@ben8600> <200506282227.58812.russell@coker.com.au> <20050628174658.GQ8426@angus.ind.WPI.EDU> Message-ID: <1119982709.22225.202.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2005-06-28 at 13:46 -0400, Chuck Anderson wrote: > I updated the bz ticket #161867. All the systems I had this problem > with were running 2.6.11-1.27_FC3 at the time the update was done. > The systems running 2.6.11-1.35_FC3 didn't experience the problem. So > it does appear that the problem is the older kernel and the newer > policy. Hmmm...interesting, since AFAIK, the SELinux code didn't change between those two kernels, and FC3 kernel has no SELinux-related patches in it (it just uses the upstream code). Side effect of another patch in the FC3 kernel? -- Stephen Smalley National Security Agency From jmblin at comcast.net Tue Jun 28 19:31:10 2005 
From: jmblin at comcast.net (John Bray) Date: Tue, 28 Jun 2005 14:31:10 -0500 Subject: seaudit crashes with segmentation fault Message-ID: <1119987070.30484.1.camel@junior> i'm posting this per stephen's request: On Mon, 2005-06-27 at 14:32 -0400, Stephen Smalley wrote: > On Mon, 2005-06-27 at 13:15 -0500, John Bray wrote: > > every time i try to run seaudit, it immediately crashes with a > > segmentation fault. the following errors appear, with or without any > > arguments on the commandline: > > > > [root at junior setools-2.1.0]# seaudit -l /var/log/messages > > -p /etc/selinux/targeted/src/policy/policy.conf > > > > > wonder if anyone has any ideas or suggestions? > > - Post to fedora-selinux-list for SELinux questions. > - What is your base system, FC3 or FC4? > - In FC4, unless you disable auditd, audit messages are sent by the > kernel to auditd and are written by auditd to /var/log/audit/audit.log. > - Not sure that seaudit has been updated for the associated changes. > thanks stephen. i didn't even know that there was such a list. :-) its FC4. clean install. auditd is running. i guess i'd misunderstood. i'd thought that with it running, the audit.log as well as to messages. however, if i point at audit.log instead, it does NOT segfault, but finds no messages either. :-) thanks for your help. i will see about getting to the selinux list. hope your day is going well. john From mole at quadra.ru Tue Jun 28 20:10:21 2005 
From: mole at quadra.ru (Oleg Makarenko) Date: Wed, 29 Jun 2005 00:10:21 +0400 Subject: [FC3] kernel panic after selinux-policy-targeted update In-Reply-To: <1119982709.22225.202.camel@moss-spartans.epoch.ncsc.mil> References: <42C00B99.1060903@dzr-web.com> <200506281715.49060.russell@coker.com.au> <1119960466.5069.7.camel@ben8600> <200506282227.58812.russell@coker.com.au> <20050628174658.GQ8426@angus.ind.WPI.EDU> <1119982709.22225.202.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <42C1AEAD.7050505@quadra.ru> Stephen Smalley wrote: >On Tue, 2005-06-28 at 13:46 -0400, Chuck Anderson wrote: > > >>I updated the bz ticket #161867. All the systems I had this problem >>with were running 2.6.11-1.27_FC3 at the time the update was done. >>The systems running 2.6.11-1.35_FC3 didn't experience the problem. So >>it does appear that the problem is the older kernel and the newer >>policy. >> >> > >Hmmm...interesting, since AFAIK, the SELinux code didn't change between >those two kernels, and FC3 kernel has no SELinux-related patches in it >(it just uses the upstream code). Side effect of another patch in the >FC3 kernel? > > > Just to add more confusion... or probably give some hints to somebody... I have the same problem on _both_ 1.27_FC3 and 1.35_FC3 kernels. On 1.35_FC3 machine (remote 2 Xeon x686 server) sshd and mingetty were broken after the recent policy update. I rebooted it with enforcing=0 (using remote console) and then make -W users reload (I have policy sources installed on the machine) Everything works fine since then with selinux-policy-targeted-1.17.30-3.13 and kernel-smp-2.6.11-1.35_FC3. My policy sources have very minor changes in apache.te and mysqld.te files only. Some http related booleans are also different... May be the binary policy in the package is broken? On my home 1.27_FC3 machine I have just updated the policy and have not rebooted yet. Just after the update a lot of things are broken. 
For example I am unable to start a new (gnome-)terminal etc etc setenforce 0 in the root's window (that I happen to run yum from) helps. Now I am able to start new non root's terminal and mozilla to write this e-mail :) If I then do setenforce 1 and try to ls I get: [oleg at mole ~]$ ls ls: error while loading shared libraries: /lib/tls/librt.so.1: cannot apply additional memory protection after relocation: Permission denied and in /var/log/messages I see Jun 28 23:42:01 localhost kernel: audit(1119987721.476:0): avc: denied { execmod } for pid=5873 comm=ls path=/lib/tls/librt-2.3.5.so dev=hda3 ino=16719 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file when I try to run ssh I get: [oleg at mole ~]$ ssh localhost ssh: error while loading shared libraries: /lib/libdl.so.2: cannot apply additional memory protection after relocation: Permission denied and Jun 28 23:44:29 localhost kernel: audit(1119987869.572:0): avc: denied { execmod } for pid=5882 comm=ssh path=/lib/libdl-2.3.5.so dev=hda3 ino=2052530 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file in the root's terminal everything works fine even with setenforce 1 hope this information may be useful. =oleg From mole at quadra.ru Tue Jun 28 21:39:31 2005 
From: mole at quadra.ru (Oleg Makarenko) Date: Wed, 29 Jun 2005 01:39:31 +0400 Subject: [FC3] kernel panic after selinux-policy-targeted update In-Reply-To: <42C1AEAD.7050505@quadra.ru> References: <42C00B99.1060903@dzr-web.com> <200506281715.49060.russell@coker.com.au> <1119960466.5069.7.camel@ben8600> <200506282227.58812.russell@coker.com.au> <20050628174658.GQ8426@angus.ind.WPI.EDU> <1119982709.22225.202.camel@moss-spartans.epoch.ncsc.mil> <42C1AEAD.7050505@quadra.ru> Message-ID: <42C1C393.1070108@quadra.ru> Oleg Makarenko wrote: > Just to add more confusion... or probably give some hints to somebody... > >I have the same problem on _both_ 1.27_FC3 and 1.35_FC3 kernels. > >On 1.35_FC3 machine (remote 2 Xeon x686 server) sshd and mingetty were >broken after the recent policy update. > >I rebooted it with enforcing=0 (using remote console) and then > >make -W users reload > >(I have policy sources installed on the machine) > >Everything works fine since then with >selinux-policy-targeted-1.17.30-3.13 and kernel-smp-2.6.11-1.35_FC3. My >policy sources have very minor changes in apache.te and mysqld.te files >only. Some http related booleans are also different... May be the binary >policy in the package is broken? > >On my home 1.27_FC3 machine I have just updated the policy and have not >rebooted yet. Just after the update a lot of things are broken. For >example I am unable to start a new (gnome-)terminal etc etc > >setenforce 0 in the root's window (that I happen to run yum from) helps. 
>Now I am able to start new non root's terminal and mozilla to write this >e-mail :) > >If I then do setenforce 1 and try to ls I get: > >[oleg at mole ~]$ ls >ls: error while loading shared libraries: /lib/tls/librt.so.1: cannot >apply additional memory protection after relocation: Permission denied > >and in /var/log/messages I see > >Jun 28 23:42:01 localhost kernel: audit(1119987721.476:0): avc: denied >{ execmod } for pid=5873 comm=ls path=/lib/tls/librt-2.3.5.so dev=hda3 >ino=16719 scontext=user_u:system_r:unconfined_t >tcontext=system_u:object_r:lib_t tclass=file > > when I try to run ssh I get: > >[oleg at mole ~]$ ssh localhost >ssh: error while loading shared libraries: /lib/libdl.so.2: cannot apply >additional memory protection after relocation: Permission denied > >and > >Jun 28 23:44:29 localhost kernel: audit(1119987869.572:0): avc: denied >{ execmod } for pid=5882 comm=ssh path=/lib/libdl-2.3.5.so dev=hda3 >ino=2052530 scontext=user_u:system_r:unconfined_t >tcontext=system_u:object_r:lib_t tclass=file > >in the root's terminal everything works fine even with setenforce 1 > >hope this information may be useful. > >=oleg > > I have installed 1.35_FC3 kernel on my 1.27_FC3 machine and it works fine with the latest policy without any additional tricks. With exactly the same settings and policy 1.27_FC3 doesn't boot as /sbin/init triggers avc: denied { execmod }. 1.14 doesn't work either while kernel-2.6.10-1.770_FC3 works fine with the new policy. Policy rebuilding doesn't help here so probably my 1.35_FC3 machine actually ran kernel 1.27_FC3 at the update time. Sorry for confusion. So I also see the problem only on 1.14 and 1.27 kernels. =oleg From cviniciusm at terra.com.br Wed Jun 29 08:41:38 2005 
From: cviniciusm at terra.com.br (Vinicius) Date: Wed, 29 Jun 2005 05:41:38 -0300 Subject: avc denied about hwclock. Message-ID: Hello, I'm getting the following on FC4: "audit(1119989359.942:2): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file audit(1119989359.942:3): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file" How to resolve this problem, please? TIA, Vinicius. From ivg2 at cornell.edu Wed Jun 29 09:34:09 2005 From: ivg2 at cornell.edu (Ivan Gyurdiev) Date: Wed, 29 Jun 2005 05:34:09 -0400 Subject: avc denied about hwclock. In-Reply-To: References: Message-ID: <1120037649.21131.9.camel@localhost.localdomain> On Wed, 2005-06-29 at 05:41 -0300, Vinicius wrote: > Hello, > > I'm getting the following on FC4: > "audit(1119989359.942:2): avc: denied { read } for pid=1427 > comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file > audit(1119989359.942:3): avc: denied { read } for pid=1427 > comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file" > > How to resolve this problem, please? The file is incorrectly labeled for some reason. Do: restorecon /etc/localtime as root. The type should be locale_t -- Ivan Gyurdiev Cornell University From sds at tycho.nsa.gov Wed Jun 29 13:48:48 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 29 Jun 2005 09:48:48 -0400 Subject: FC4 dhcp, firestarter and SE Linux permission denied messages In-Reply-To: <1120052322.7965.33.camel@Jenny> References: <1120052322.7965.33.camel@Jenny> Message-ID: <1120052928.3553.71.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2005-06-29 at 09:38 -0400, David Niemi wrote: > I appear to be having audit problems with some of the things that > firestarter wants to do when starting up and SE Linux. Initially dhcpd > was giving errors and I found that dhcpd.conf contained some really > strange IP addresses (136.54.10.8, whois -> Ford motor company???) as > the subnet, netmask, etc. Got that straightened out and firestarter > appears to be starting though I haven't plugged my home network into it > yet to check. > > I am still getting errors when in the graphical part of the boot when > services are starting (sorry, don't know the proper name) from > firestarter about cp and "resolv.conf.predhclient" and some output from > the dhcpd. > > Checking /var/log/messages I have found ~57 lines like: > > Jun 29 08:55:24 localhost kernel: audit(1120049722.072:2): avc: denied > { write } for pid=1791 comm="cp" name=resolv.conf.predhclient dev=hda3 > ino=680749 scontext=system_u:system_r:dhcpc_t > tcontext=system_u:object_r:etc_runtime_t tclass=file > Jun 29 08:55:24 localhost kernel: audit(1120049722.072:3): avc: denied > { unlink } for pid=1791 comm="cp" name=resolv.conf.predhclient dev=hda3 > ino=680749 scontext=system_u:system_r:dhcpc_t > tcontext=system_u:object_r:etc_runtime_t tclass=file > Jun 29 08:55:24 localhost kernel: audit(1120049722.164:4): avc: denied > { execute } for pid=1831 comm="sh" name=modprobe dev=hda3 ino=129716 > scontext=system_u:system_r:dhcpc_t > tcontext=system_u:object_r:insmod_exec_t tclass=file > > about modprobe and iptables also. > > I've read the messages about "Re: Can't bind to dhcp address: Permission > denied??" 
and tried Alexander's disable and reenable the protection on > dhcpd and it didn't work. > > All of the messages that I've kept from the past couple of weeks on dhcp > haven't really helped, nor the messages about the policies. > > I've got VERY little knowledge of SE Linux policies, messages, and > commands, so any help would be GREATLY appreciated fedora-selinux-list is typically a better place to ask about SELinux issues. cc'd. -- Stephen Smalley National Security Agency From dadams at rentawheel.net Wed Jun 29 14:40:57 2005 From: dadams at rentawheel.net (Darrel Adams) Date: Wed, 29 Jun 2005 09:40:57 -0500 Subject: gssftp server on FC4 Message-ID: <200506291441.j5TEf9c2003226@mail842.megamailservers.com> I'm just trying to get my feet wet using Fedora Core. I want to set up a test server for http, ftp, and possibly mail services. Any tips or guidance would be great. I was able to get the httpd running but am having some difficulty connecting to the ftp server. I get the following error: Connected to 192.168.4.95 220 test06.rentawheel.us FTP server (Version 5.60) ready. User (192.168.4.95:(none)): dadams 530 Must perform authentication before identifying USER. Thanks, Darrel From db-fedora at 3di.it Wed Jun 29 15:55:22 2005 
From: db-fedora at 3di.it (Davide Bolcioni) Date: Wed, 29 Jun 2005 17:55:22 +0200 Subject: Cannot load shared library Message-ID: <42C2C46A.3050309@3di.it> Greetings, I have the following in /var/log/messages: kernel: audit(...): avc: denied { execmod } for pid=14208 comm=hicgi path=/opt/highway/bin/hssock.so dev=dm-2 ino=4177 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file where "hicgi" is an executable attempting to load the shared library "/opt/highway/bin/hssock.so" ... and failing. The contexts are: # ls -Z hicgi -rwx------ highway highway system_u:object_r:bin_t hicgi # ls -Z hssock.so -rwxr-xr-x highway highway system_u:object_r:bin_t hssock.so Thank you for your consideration, Davide Bolcioni -- There is no place like /home. From nalin at redhat.com Wed Jun 29 16:05:42 2005 
From: nalin at redhat.com (Nalin Dahyabhai) Date: Wed, 29 Jun 2005 12:05:42 -0400 Subject: gssftp server on FC4 In-Reply-To: <200506291441.j5TEf9c2003226@mail842.megamailservers.com> References: <200506291441.j5TEf9c2003226@mail842.megamailservers.com> Message-ID: <20050629160542.GC26119@redhat.com> On Wed, Jun 29, 2005 at 09:40:57AM -0500, Darrel Adams wrote: > I'm just trying to get my feet wet using Fedora Core. I want to set up a > test server for http, ftp, and possibly mail services. Any tips or guidance > would be great. I was able to get the httpd running but am having some > difficulty connecting to the ftp server. I get the following error: > > Connected to 192.168.4.95 > 220 test06.rentawheel.us FTP server (Version 5.60) ready. > User (192.168.4.95:(none)): dadams > 530 Must perform authentication before identifying USER. The default xinetd configuration for gssftp calls ftpd with the "-a" flag, which requires clients to authenticate using strong authentication first, and it appears that your client software isn't doing that. Which client software are you using? Do you already have Kerberos credentials for 'dadams' before you try to connect to the server? If you're not looking to be using Kerberos, then I suggest turning off the gssftp service and using vsftpd instead. HTH, Nalin From justin at jdjlab.com Wed Jun 29 17:24:22 2005 
From: justin at jdjlab.com (Justin Willmert) Date: Wed, 29 Jun 2005 12:24:22 -0500 Subject: SELinux Blocking LDAP Connections In-Reply-To: <1120047504.3553.6.camel@moss-spartans.epoch.ncsc.mil> References: <42C1DBAA.8050608@jdjlab.com> <1120047504.3553.6.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <42C2D946.4020501@jdjlab.com> Stephen Smalley wrote: >On Tue, 2005-06-28 at 18:22 -0500, Justin Willmert wrote: > > >>Does anybody know of any problems with the new SELinux installed in >>Fedora Core 4? I have OpenLDAP 2.2.23-5 installed and use it for my user >>accounts. Fedora (through the system-auth PAM module and nsswitch) will >>log in correctly, but dovecot (version 0.99.14-4.fc4) and apache >>(version 2.0.54-10) cannot connect to the ldap server when SELinux is >>enabled. I use dovecot-ldap.conf for dovecot to get the users and their >>home directories. In Apache, I use basic authentication through LDAP to >>protect a WebDAV accessible folder. For a long time, I thought Dovecot >>wasn't working correctly, but after I set up Apache and it too didn't >>work with OpenLDAP, I came to think that SELinux is blocking something. >>Now the problem is I am not well enough informed about SELinux to be >>able to debug where the problem may reside. >> >>This is the message I get in /var/log/maillog when SELinux is enabled: >> Jun 28 17:21:14 netserv dovecot-auth: LDAP: ldap_result() failed: >>Can't contact LDAP server >> >>And this is the error I get in /etc/httpd/logs/mydomain.com-error_log >> [Tue Jun 28 17:21:37 2005] [warn] [client 192.168.1.1] [5962] >>auth_ldap authenticate: user myuser authentication failed; URI >>/calendars/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server] >> >>I can get you SELinux contexts for certain files if you need them, but I >>don't have a clue on which ones to include. >> >> > >Look in /var/log/audit/audit.log, particularly for messages with the >type=AVC prefix. 
SELinux permission denials are now logged there by the >audit daemon (previously they would go to /var/log/messages). And >report them to fedora-selinux-list. > > > Ok. I've been told (as you can see above) to report this problem to this list instead of fedora-list (Just used a mailing list for the first time yesterday, so I'm still learning about them). As you can see above, I'm having a problem with SELinux and Dovecot and Apache. After looking through my audit.log file, these are the lines I thought were most important. This is what I found concerning apache: type=AVC msg=audit(1119048563.037:3670666): avc: denied { name_connect } for pid=6051 comm="httpd" dest=389 scontext=root:system_r:httpd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket type=SOCKETCALL msg=audit(1119048563.054:3670776): nargs=3 a0=19 a1=8347e80 a2=10 type=SOCKADDR msg=audit(1119048563.054:3670776): saddr=02000185C0A801940000000000000000 type=SYSCALL msg=audit(1119048563.054:3670776): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfcf1ad0 a2=3c94cb8 a3=19 items=0 pid=6052 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" And this is what I found concerning Dovecot: type=AVC msg=audit(1119053800.290:1566630): avc: denied { read } for pid=7472 comm="dovecot" name=stderr dev=tmpfs ino=2345 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t tclass=lnk_file type=PATH msg=audit(1119053800.291:1566631): item=0 name="/dev" inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00 type=SYSCALL msg=audit(1119053800.291:1566631): arch=40000003 syscall=33 success=no exit=-13 a0=94e8100 a1=2 a2=94e8100 a3=739ca0 items=1 pid=7472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot" type=AVC msg=audit(1119053800.291:1566631): avc: denied { write } for pid=7472 comm="dovecot" name=/ dev=tmpfs ino=534 scontext=root:system_r:dovecot_t 
tcontext=system_u:object_r:device_t tclass=dir type=PATH msg=audit(1119053900.137:1641147): item=0 name="/dev/stderr" inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00 Both of these sets were repeated multiple times throughout the log. Justin Willmert From dwalsh at redhat.com Wed Jun 29 18:43:44 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 29 Jun 2005 14:43:44 -0400 Subject: permission denied on shared library In-Reply-To: <200506271702.43306.rturner@san.rr.com> References: <200506271702.43306.rturner@san.rr.com> Message-ID: <42C2EBE0.1090303@redhat.com> rich turner wrote: >i have installed a 3rd party application that worked with fc3 but no longer >works with fc4. i am getting the following error: > >stio: error while loading shared libraries: /usr/lib/libstorix.so: cannot >restore segment prot after reloc: Permission denied. > >when i run the command "setenforce 0" it works so my thoughts are that it is >not setup properly with selinux. > ># ls -l /usr/lib/libstorix.so >lrwxrwxrwx 1 root root 28 Jun 26 05:14 /usr/lib/libstorix.so >-> /opt/storix/lib/libstorix.so > ># ls -lZ /usr/lib/libstorix.so >lrwxrwxrwx root root >system_u:object_r:lib_t /usr/lib/libstorix.so > ># ls -lZ /opt/storix/lib/libstorix.so >-rw-r--r-- root root >system_u:object_r:shlib_t /opt/storix/lib/libstorix.so > >i have seen this error in a number of searches, and the most common solution >is to turn selinux off. there must be a better way to get this to work. > >-- >fedora-selinux-list mailing list >fedora-selinux-list at redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > Tonight's Fedora Policy selinux-policy-targeted-1.17.30-3.15 should fix this. The .16 test release is available on ftp://people.redhat.com/dwalsh/SELinux/FC3 -- From dwalsh at redhat.com Wed Jun 29 19:05:15 2005 
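The "cannot restore segment prot after reloc" error above and the execmod denials on lib_t and shlib_t objects earlier in the thread have the same origin: ld.so makes a library's text segment writable to apply text relocations and then asks to make it executable again, and SELinux checks that as execmod on the file. Whether a given library really needs this is recorded in its dynamic section (a DT_TEXTREL entry, or DF_TEXTREL in DT_FLAGS), and that is the check to run before deciding between a relabel, a rebuild with -fPIC, or a policy bug report: per Stephen's note earlier in the thread, the glibc libraries being denied should not involve text relocations at all. The following is an added example written for this page by the editor, not code from the thread or from Fedora; it reads the flag straight from the ELF file with no external tools. build_sample_elf() constructs minimal test objects (not loadable libraries, just enough structure to walk) so the check can be exercised without a real .so. On a live box, readelf -d libfoo.so | grep TEXTREL gives the same answer.

```python
"""Report whether an ELF shared object carries text relocations.

Added example for this page, not code from the thread or from Fedora. ld.so
can only apply text relocations by making the text segment writable and then
executable again, which SELinux checks as execmod on the file; a library with
no TEXTREL flag should never need that permission.
"""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def _formats(data):
    """struct formats for (ELF header, program header, dynamic entry) of this file."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                          # ELFCLASS64
        return end + "16sHHIQQQIHHHHHH", end + "IIQQQQQQ", end + "qQ"
    if ei_class == 1:                          # ELFCLASS32
        return end + "16sHHIIIIIHHHHHH", end + "IIIIIIII", end + "iI"
    raise ValueError("unknown ELF class %d" % ei_class)


def has_textrel(data):
    """True if the dynamic section has DT_TEXTREL or DF_TEXTREL in DT_FLAGS."""
    ehdr_fmt, phdr_fmt, dyn_fmt = _formats(data)
    is64 = data[4] == 2
    ehdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        # Elf64_Phdr puts p_flags second; Elf32_Phdr puts it seventh.
        p_offset, p_filesz = (ph[2], ph[5]) if is64 else (ph[1], ph[4])
        step = struct.calcsize(dyn_fmt)
        for off in range(p_offset, p_offset + p_filesz, step):
            d_tag, d_val = struct.unpack_from(dyn_fmt, data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
        return False
    return False   # no PT_DYNAMIC: not a dynamically linked object


def build_sample_elf(textrel, bits=64, via_flags=True):
    """Constructed test input: a minimal little-endian ELF with one PT_DYNAMIC segment.

    Not a loadable library, just enough structure for has_textrel() to walk,
    with the flag expressed either as DT_FLAGS/DF_TEXTREL or as a bare
    DT_TEXTREL entry (older linkers emit the latter).
    """
    is64 = bits == 64
    ehdr_fmt = "<16sHHIQQQIHHHHHH" if is64 else "<16sHHIIIIIHHHHHH"
    phdr_fmt = "<IIQQQQQQ" if is64 else "<IIIIIIII"
    dyn_fmt = "<qQ" if is64 else "<iI"
    ehsize, phentsize = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    dyn_off = ehsize + phentsize
    if textrel and not via_flags:
        entries = [(DT_TEXTREL, 0), (DT_NULL, 0)]
    else:
        entries = [(DT_FLAGS, DF_TEXTREL if textrel else 0), (DT_NULL, 0)]
    dyn = b"".join(struct.pack(dyn_fmt, *e) for e in entries)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + b"\0" * 9
    if is64:
        phdr = struct.pack(phdr_fmt, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    else:
        phdr = struct.pack(phdr_fmt, PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)
    # ET_DYN, one program header, no section headers
    ehdr = struct.pack(ehdr_fmt, ident, 3, 62 if is64 else 3, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, 1, 0, 0, 0)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    # python textrel.py /opt/storix/lib/libstorix.so /lib/tls/librt-2.3.5.so ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            verdict = "TEXTREL" if has_textrel(f.read()) else "no text relocations"
        print("%s: %s" % (path, verdict))
```

A library that reports TEXTREL genuinely needs execmod, and the fix is a label the policy allows it under (later Fedora policies carry a textrel_shlib_t type for exactly this) or a rebuild with -fPIC; a library that reports none and is still denied, as with the glibc objects quoted above, is the policy regression that 1.17.30-3.15 is said to fix, and no relabeling will help.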
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 29 Jun 2005 15:05:15 -0400 Subject: SELinux Blocking LDAP Connections In-Reply-To: <42C2D946.4020501@jdjlab.com> References: <42C1DBAA.8050608@jdjlab.com> <1120047504.3553.6.camel@moss-spartans.epoch.ncsc.mil> <42C2D946.4020501@jdjlab.com> Message-ID: <42C2F0EB.7050106@redhat.com> Justin Willmert wrote: > Stephen Smalley wrote: > >> On Tue, 2005-06-28 at 18:22 -0500, Justin Willmert wrote: >> >> >>> Does anybody know of any problems with the new SELinux installed in >>> Fedora Core 4? I have OpenLDAP 2.2.23-5 installed and use it for my >>> user accounts. Fedora (through the system-auth PAM module and >>> nsswitch) will log in correctly, but dovecot (version 0.99.14-4.fc4) >>> and apache (version 2.0.54-10) cannot connect to the ldap server >>> when SELinux is enabled. I use dovecot-ldap.conf for dovecot to get >>> the users and their home directories. In Apache, I use basic >>> authentication through LDAP to protect a WebDAV accessible folder. >>> For a long time, I thought Dovecot wasn't working correctly, but >>> after I set up Apache and it too didn't work with OpenLDAP, I came >>> to think that SELinux is blocking something. Now the problem is I am >>> not well enough informed about SELinux to be able to debug where the >>> problem may reside. >>> >>> This is the message I get in /var/log/maillog when SELinux is enabled: >>> Jun 28 17:21:14 netserv dovecot-auth: LDAP: ldap_result() failed: >>> Can't contact LDAP server >>> >>> And this is the error I get in /etc/httpd/logs/mydomain.com-error_log >>> [Tue Jun 28 17:21:37 2005] [warn] [client 192.168.1.1] [5962] >>> auth_ldap authenticate: user myuser authentication failed; URI >>> /calendars/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP >>> server] >>> >>> I can get you SELinux contexts for certain files if you need them, >>> but I don't have a clue on which ones to include. 
>>> >> >> >> Look in /var/log/audit/audit.log, particularly for messages with the >> type=AVC prefix. SELinux permission denials are now logged there by the >> audit daemon (previously they would go to /var/log/messages). And >> report them to fedora-selinux-list. >> >> >> > Ok. I've been told (as you can see above) to report this problem to > this list instead of fedora-list (Just used a mailing list for the > first time yesterday, so I'm still learning about them). As you can > see above, I'm having a problem with SELinux and Dovecot and Apache. > After looking through my audit.log file, these are the lines I thought > were most important. > > This is what I found concerning apache: > > type=AVC msg=audit(1119048563.037:3670666): avc: denied { > name_connect } for pid=6051 comm="httpd" dest=389 > scontext=root:system_r:httpd_t > tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket > type=SOCKETCALL msg=audit(1119048563.054:3670776): nargs=3 a0=19 > a1=8347e80 a2=10 > type=SOCKADDR msg=audit(1119048563.054:3670776): > saddr=02000185C0A801940000000000000000 > type=SYSCALL msg=audit(1119048563.054:3670776): arch=40000003 > syscall=102 success=no exit=-13 a0=3 a1=bfcf1ad0 a2=3c94cb8 a3=19 > items=0 pid=6052 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 > egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" > > And this is what I found concerning Dovecot: > > type=AVC msg=audit(1119053800.290:1566630): avc: denied { read } > for pid=7472 comm="dovecot" name=stderr dev=tmpfs ino=2345 > scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t > tclass=lnk_file > type=PATH msg=audit(1119053800.291:1566631): item=0 name="/dev" > inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00 > type=SYSCALL msg=audit(1119053800.291:1566631): arch=40000003 > syscall=33 success=no exit=-13 a0=94e8100 a1=2 a2=94e8100 a3=739ca0 > items=1 pid=7472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 comm="dovecot" 
exe="/usr/sbin/dovecot" > type=AVC msg=audit(1119053800.291:1566631): avc: denied { write } > for pid=7472 comm="dovecot" name=/ dev=tmpfs ino=534 > scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t > tclass=dir > type=PATH msg=audit(1119053900.137:1641147): item=0 > name="/dev/stderr" inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 > rdev=00:00 > > Both of these sets were repeated multiple times throughout the log. > > Justin Willmert > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list You can allow httpd to connect via the boolean setsebool -P httpd_can_network_connect=1 Any idea what dovecot is trying to create in the /dev directory? Dan -- From dwalsh at redhat.com Wed Jun 29 19:07:05 2005 
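Three denial formats and three kinds of fix appear in this thread: Oleg's execmod lines from /var/log/messages (FC3, where the kernel logs "audit(...): avc: denied"), Vinicius's hwclock read on a localtime file labeled root:object_r:etc_t (answered with restorecon), and Justin's type=AVC records from /var/log/audit/audit.log (FC4 with auditd) for httpd and dovecot, answered above with the httpd_can_network_connect boolean. The following is an added example written for this page by the editor, not code from the thread or from Fedora's tools. It parses both record formats, groups denials by source type, target type, object class and permission, and attaches the first check suggested by the answers in this thread. The sample records are constructed from the lines quoted above; the suggestion rules (a TEXTREL check for execmod, the httpd boolean, restorecon for an object whose SELinux user is not system_u because it was created at run time rather than installed) are the editor's reading of that advice and a starting point, not a replacement for audit2allow or the policy sources.

```python
"""Triage SELinux AVC denials from FC3 syslog and FC4 auditd log formats.

Added example for this page, not code from the thread. FC3 logs denials via
the kernel log ("kernel: audit(...): avc: denied ..." in /var/log/messages);
FC4 with auditd writes "type=AVC msg=audit(...): avc: denied ..." records to
/var/log/audit/audit.log. Both carry the same key=value fields after "for".
"""
import re
import sys

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input, copied from the denials quoted in this thread.
SAMPLE_LINES = [
    "Jun 28 23:42:01 localhost kernel: audit(1119987721.476:0): avc: denied { execmod }"
    " for pid=5873 comm=ls path=/lib/tls/librt-2.3.5.so dev=hda3 ino=16719"
    " scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file",
    "Jun 28 23:44:29 localhost kernel: audit(1119987869.572:0): avc: denied { execmod }"
    " for pid=5882 comm=ssh path=/lib/libdl-2.3.5.so dev=hda3 ino=2052530"
    " scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file",
    'type=AVC msg=audit(1119048563.037:3670666): avc: denied { name_connect } for'
    ' pid=6051 comm="httpd" dest=389 scontext=root:system_r:httpd_t'
    ' tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket',
    'audit(1119989359.942:2): avc: denied { read } for pid=1427 comm="hwclock"'
    ' name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t'
    ' tcontext=root:object_r:etc_t tclass=file',
    # Not an AVC record; the parser must skip it rather than misreport it.
    'type=SYSCALL msg=audit(1119048563.054:3670776): arch=40000003 syscall=102'
    ' success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"',
]


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')          # auditd quotes comm=, the kernel log does not
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            # user:role:type[:range]; policy rules are written against the type
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class, perms).

    Returns {key: (count, first_record)} so suggest() can still see fields the
    key drops, such as the object's SELinux user.
    """
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec.get("scontext_type"), rec.get("tcontext_type"),
               rec.get("tclass"), rec["perms"])
        count, first = groups.get(key, (0, rec))
        groups[key] = (count + 1, first)
    return groups


def suggest(rec):
    """First thing to check for a denial, following the advice given in the thread."""
    perms, tclass = rec["perms"], rec.get("tclass")
    obj_user = rec.get("tcontext", "").split(":")[0]
    if "execmod" in perms and tclass == "file":
        return ("library needs execmod after relocation: check it for TEXTREL with "
                "readelf -d; a library with no text relocations hitting this is a "
                "policy bug, not a labeling problem")
    if rec.get("scontext_type") == "httpd_t" and "name_connect" in perms:
        return "setsebool -P httpd_can_network_connect=1"
    if tclass in ("file", "lnk_file", "dir") and obj_user and obj_user != "system_u":
        # Objects installed by rpm are system_u; a root: object was created at
        # run time by a root process and has probably kept the wrong type.
        what = rec.get("path") or rec.get("name") or "the object"
        return ("object was created at run time as %s: run restorecon on %s and find "
                "out what recreates it" % (obj_user, what))
    return "run the record through audit2allow and review the rule it proposes"


def report(lines):
    """One entry per denial class, most frequent first."""
    rows = []
    for key, (count, rec) in sorted(summarize(lines).items(), key=lambda kv: -kv[1][0]):
        stype, ttype, tclass, perms = key
        rows.append("%4d  %s -> %s:%s { %s }\n      %s"
                    % (count, stype, ttype, tclass, " ".join(perms), suggest(rec)))
    return rows


if __name__ == "__main__":
    # python avc_triage.py /var/log/audit/audit.log  (or /var/log/messages);
    # with no argument it runs over the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.readlines()
    else:
        lines = SAMPLE_LINES
    print("\n".join(report(lines)))
```

Grouping by the four fields that a policy rule is written against is what makes the pervasive case in this thread visible: the FC3 execmod storm collapses to a single unconfined_t -> lib_t:file line with a large count, which looks nothing like the one-off name_connect or hwclock entries and is the signature of a policy regression rather than a per-file labeling mistake.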
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 29 Jun 2005 15:07:05 -0400 Subject: selinux fedora 3 last update breaks some programs In-Reply-To: <1119966179.22225.57.camel@moss-spartans.epoch.ncsc.mil> References: <1119864310.4438.90.camel@tiger.byworks.com> <1119966179.22225.57.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <42C2F159.7090508@redhat.com> Stephen Smalley wrote: >On Mon, 2005-06-27 at 11:25 +0200, alberto passariello wrote: > > >>i just upgraded my fedora core to >>selinux-policy-targeted-1.17.30-3.13 >> >> >>and a java application I use now produces this message ... >>Jun 27 10:23:43 tiger kernel: audit(1119860623.918:0): avc: denied >>{ execmod } for pid=6218 comm=java path=/lib64/tls/libc-2.3.5.so >>dev=sda2 ino=16780747 scontext=user_u:system_r:unconfined_t >>tcontext=system_u:object_r:lib_t tclass=file >> >>acrobat reader 7 produces this error >>Jun 27 11:22:17 tiger kernel: audit(1119864137.180:0): avc: denied >>{ execmod } for pid=18874 comm=acroread path=/lib/tls/libc-2.3.5.so >>dev=sda2 ino=41946582 scontext=user_u:system_r:unconfined_t >>tcontext=system_u:object_r:shlib_t tclass=file >> >> >>how can I solve the problem? >> >> > >Bug in the policy package, see: > >https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161834 > > > > selinux-policy-targeted-1.17.30-3.15 fixes this problem. Coming in tonight's updates. -- From justin at jdjlab.com Wed Jun 29 19:12:13 2005 
From: justin at jdjlab.com (Justin Willmert) Date: Wed, 29 Jun 2005 14:12:13 -0500 Subject: SELinux Blocking LDAP Connections In-Reply-To: <42C2F0EB.7050106@redhat.com> References: <42C1DBAA.8050608@jdjlab.com> <1120047504.3553.6.camel@moss-spartans.epoch.ncsc.mil> <42C2D946.4020501@jdjlab.com> <42C2F0EB.7050106@redhat.com> Message-ID: <42C2F28D.9050208@jdjlab.com> Daniel J Walsh wrote: > Justin Willmert wrote: > >> Stephen Smalley wrote: >> >>> On Tue, 2005-06-28 at 18:22 -0500, Justin Willmert wrote: >>> >>> >>>> Does anybody know of any problems with the new SELinux installed in >>>> Fedora Core 4? I have OpenLDAP 2.2.23-5 installed and use it for my >>>> user accounts. Fedora (through the system-auth PAM module and >>>> nsswitch) will log in correctly, but dovecot (version >>>> 0.99.14-4.fc4) and apache (version 2.0.54-10) cannot connect to the >>>> ldap server when SELinux is enabled. I use dovecot-ldap.conf for >>>> dovecot to get the users and their home directories. In Apache, I >>>> use basic authentication through LDAP to protect a WebDAV >>>> accessible folder. For a long time, I thought Dovecot wasn't >>>> working correctly, but after I set up Apache and it too didn't work >>>> with OpenLDAP, I came to think that SELinux is blocking something. >>>> Now the problem is I am not well enough informed about SELinux to >>>> be able to debug where the problem may reside. 
>>>> >>>> This is the message I get in /var/log/maillog when SELinux is enabled: >>>> Jun 28 17:21:14 netserv dovecot-auth: LDAP: ldap_result() >>>> failed: Can't contact LDAP server >>>> >>>> And this is the error I get in /etc/httpd/logs/mydomain.com-error_log >>>> [Tue Jun 28 17:21:37 2005] [warn] [client 192.168.1.1] [5962] >>>> auth_ldap authenticate: user myuser authentication failed; URI >>>> /calendars/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP >>>> server] >>>> >>>> I can get you SELinux contexts for certain files if you need them, >>>> but I don't have a clue on which ones to include. >>>> >>> >>> >>> >>> Look in /var/log/audit/audit.log, particularly for messages with the >>> type=AVC prefix. SELinux permission denials are now logged there by >>> the >>> audit daemon (previously they would go to /var/log/messages). And >>> report them to fedora-selinux-list. >>> >>> >>> >> Ok. I've been told (as you can see above) to report this problem to >> this list instead of fedora-list (Just used a mailing list for the >> first time yesterday, so I'm still learning about them). As you can >> see above, I'm having a problem with SELinux and Dovecot and Apache. >> After looking through my audit.log file, these are the lines I >> thought were most important. 
>>
>> This is what I found concerning apache:
>>
>> type=AVC msg=audit(1119048563.037:3670666): avc: denied { name_connect } for pid=6051 comm="httpd" dest=389 scontext=root:system_r:httpd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
>> type=SOCKETCALL msg=audit(1119048563.054:3670776): nargs=3 a0=19 a1=8347e80 a2=10
>> type=SOCKADDR msg=audit(1119048563.054:3670776): saddr=02000185C0A801940000000000000000
>> type=SYSCALL msg=audit(1119048563.054:3670776): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfcf1ad0 a2=3c94cb8 a3=19 items=0 pid=6052 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
>>
>> And this is what I found concerning Dovecot:
>>
>> type=AVC msg=audit(1119053800.290:1566630): avc: denied { read } for pid=7472 comm="dovecot" name=stderr dev=tmpfs ino=2345 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t tclass=lnk_file
>> type=PATH msg=audit(1119053800.291:1566631): item=0 name="/dev" inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00
>> type=SYSCALL msg=audit(1119053800.291:1566631): arch=40000003 syscall=33 success=no exit=-13 a0=94e8100 a1=2 a2=94e8100 a3=739ca0 items=1 pid=7472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
>> type=AVC msg=audit(1119053800.291:1566631): avc: denied { write } for pid=7472 comm="dovecot" name=/ dev=tmpfs ino=534 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t tclass=dir
>> type=PATH msg=audit(1119053900.137:1641147): item=0 name="/dev/stderr" inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00
>>
>> Both of these sets were repeated multiple times throughout the log.
>>
>> Justin Willmert
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> You can allow httpd to connect via the boolean
> setsebool -P httpd_can_network_connect=1
>
> Any idea what dovecot is trying to create in the /dev directory?
>
> Dan
>
OK, I've reset the boolean, but I can't really test it because if I enable SELinux again, dovecot is going to stop working.

To the issue of what dovecot is doing to /dev, your guess is as good as mine. When I still ran FC3, I was using the University of Washington IMAP server, but FC4 wouldn't allow me to use it, so I upgraded to Dovecot. I'm still learning about it, so I have no clue what it is trying to do to my /dev directory. I guess it's an issue I can look into (or someone can tell me if they know... It'd be faster ^_^ )

Justin

From dwalsh at redhat.com Wed Jun 29 19:17:37 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Jun 2005 15:17:37 -0400
Subject: avc denied about hwclock.
Message-ID: <42C2F3D1.7010006@redhat.com>

Vinicius wrote:
> Hello,
>
> I'm getting the following on FC4:
> "audit(1119989359.942:2): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file
> audit(1119989359.942:3): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file"
>
> How to resolve this problem, please?

restorecon /etc/localtime

Any idea how this file is getting created?

>
> TIA,
>
> Vinicius.
>

--

From dwalsh at redhat.com Wed Jun 29 19:23:19 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Jun 2005 15:23:19 -0400
Subject: Bug 160292 (cups-lpd) - back in 1.23.18-16?
Message-ID: <42C2F527.80701@redhat.com>

Ian Pilcher wrote:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160292 says that this bug is fixed in selinux-policy-targeted-1.23.18-12. I'm running 1.23.18-16 (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161383) and this bug is definitely present.
>
> I've tried futzing with cupsd_lpd_disable_trans and cupsd_config_disable_trans to no avail. (Are these documented anywhere?)
>
> Am I nuts?
>
Probably not. What avc messages are you seeing?

Dan

--

From dwalsh at redhat.com Wed Jun 29 19:34:22 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Jun 2005 15:34:22 -0400
Subject: SELinux Blocking LDAP Connections
In-Reply-To: <42C2F28D.9050208@jdjlab.com>
References: <42C1DBAA.8050608@jdjlab.com> <1120047504.3553.6.camel@moss-spartans.epoch.ncsc.mil> <42C2D946.4020501@jdjlab.com> <42C2F0EB.7050106@redhat.com> <42C2F28D.9050208@jdjlab.com>
Message-ID: <42C2F7BE.8020605@redhat.com>

Justin Willmert wrote:
> Daniel J Walsh wrote:
>
>> Justin Willmert wrote:
>>
>>> Stephen Smalley wrote:
>>>
>>>> On Tue, 2005-06-28 at 18:22 -0500, Justin Willmert wrote:
>>>>
>>>>> Does anybody know of any problems with the new SELinux installed in Fedora Core 4? I have OpenLDAP 2.2.23-5 installed and use it for my user accounts. Fedora (through the system-auth PAM module and nsswitch) will log in correctly, but dovecot (version 0.99.14-4.fc4) and apache (version 2.0.54-10) cannot connect to the ldap server when SELinux is enabled. I use dovecot-ldap.conf for dovecot to get the users and their home directories. In Apache, I use basic authentication through LDAP to protect a WebDAV accessible folder. For a long time, I thought Dovecot wasn't working correctly, but after I set up Apache and it too didn't work with OpenLDAP, I came to think that SELinux is blocking something. Now the problem is I am not well enough informed about SELinux to be able to debug where the problem may reside.
>>>>>
>>>>> This is the message I get in /var/log/maillog when SELinux is enabled:
>>>>> Jun 28 17:21:14 netserv dovecot-auth: LDAP: ldap_result() failed: Can't contact LDAP server
>>>>>
>>>>> And this is the error I get in /etc/httpd/logs/mydomain.com-error_log
>>>>> [Tue Jun 28 17:21:37 2005] [warn] [client 192.168.1.1] [5962] auth_ldap authenticate: user myuser authentication failed; URI /calendars/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
>>>>>
>>>>> I can get you SELinux contexts for certain files if you need them, but I don't have a clue on which ones to include.
>>>>
>>>> Look in /var/log/audit/audit.log, particularly for messages with the type=AVC prefix. SELinux permission denials are now logged there by the audit daemon (previously they would go to /var/log/messages). And report them to fedora-selinux-list.
>>>
>>> Ok. I've been told (as you can see above) to report this problem to this list instead of fedora-list (Just used a mailing list for the first time yesterday, so I'm still learning about them). As you can see above, I'm having a problem with SELinux and Dovecot and Apache. After looking through my audit.log file, these are the lines I thought were most important.
>>>
>>> This is what I found concerning apache:
>>>
>>> type=AVC msg=audit(1119048563.037:3670666): avc: denied { name_connect } for pid=6051 comm="httpd" dest=389 scontext=root:system_r:httpd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
>>> type=SOCKETCALL msg=audit(1119048563.054:3670776): nargs=3 a0=19 a1=8347e80 a2=10
>>> type=SOCKADDR msg=audit(1119048563.054:3670776): saddr=02000185C0A801940000000000000000
>>> type=SYSCALL msg=audit(1119048563.054:3670776): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfcf1ad0 a2=3c94cb8 a3=19 items=0 pid=6052 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
>>>
>>> And this is what I found concerning Dovecot:
>>>
>>> type=AVC msg=audit(1119053800.290:1566630): avc: denied { read } for pid=7472 comm="dovecot" name=stderr dev=tmpfs ino=2345 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t tclass=lnk_file
>>> type=PATH msg=audit(1119053800.291:1566631): item=0 name="/dev" inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00
>>> type=SYSCALL msg=audit(1119053800.291:1566631): arch=40000003 syscall=33 success=no exit=-13 a0=94e8100 a1=2 a2=94e8100 a3=739ca0 items=1 pid=7472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
>>> type=AVC msg=audit(1119053800.291:1566631): avc: denied { write } for pid=7472 comm="dovecot" name=/ dev=tmpfs ino=534 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t tclass=dir
>>> type=PATH msg=audit(1119053900.137:1641147): item=0 name="/dev/stderr" inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00
>>>
>>> Both of these sets were repeated multiple times throughout the log.
>>>
>>> Justin Willmert
>>
>> You can allow httpd to connect via the boolean
>> setsebool -P httpd_can_network_connect=1
>>
>> Any idea what dovecot is trying to create in the /dev directory?
>>
>> Dan
>>
> OK, I've reset the boolean, but I can't really test it because if I enable SELinux again, dovecot is going to stop working.
>
> To the issue of what dovecot is doing to /dev, your guess is as good as mine. When I still ran FC3, I was using the University of Washington IMAP server, but FC4 wouldn't allow me to use it, so I upgraded to Dovecot. I'm still learning about it, so I have no clue what it is trying to do to my /dev directory. I guess it's an issue I can look into (or someone can tell me if they know... It'd be faster ^_^ )
>
> Justin

If you run enforcing=0 for SELinux you should be able to get the error messages, without enforcing the errors. So dovecot would work.

Dan

--

From justin at jdjlab.com Wed Jun 29 20:23:11 2005
From: justin at jdjlab.com (Justin Willmert)
Date: Wed, 29 Jun 2005 15:23:11 -0500
Subject: SELinux Blocking LDAP Connections
In-Reply-To: <42C2F7BE.8020605@redhat.com>
References: <42C1DBAA.8050608@jdjlab.com> <1120047504.3553.6.camel@moss-spartans.epoch.ncsc.mil> <42C2D946.4020501@jdjlab.com> <42C2F0EB.7050106@redhat.com> <42C2F28D.9050208@jdjlab.com> <42C2F7BE.8020605@redhat.com>
Message-ID: <42C3032F.4090406@jdjlab.com>

Daniel J Walsh wrote:
> Justin Willmert wrote:
>
>> Daniel J Walsh wrote:
>>
>>> Justin Willmert wrote:
>>>
>>>> Stephen Smalley wrote:
>>>>
>>>>> On Tue, 2005-06-28 at 18:22 -0500, Justin Willmert wrote:
>>>>>
>>>>>> Does anybody know of any problems with the new SELinux installed in Fedora Core 4? I have OpenLDAP 2.2.23-5 installed and use it for my user accounts. Fedora (through the system-auth PAM module and nsswitch) will log in correctly, but dovecot (version 0.99.14-4.fc4) and apache (version 2.0.54-10) cannot connect to the ldap server when SELinux is enabled. I use dovecot-ldap.conf for dovecot to get the users and their home directories. In Apache, I use basic authentication through LDAP to protect a WebDAV accessible folder. For a long time, I thought Dovecot wasn't working correctly, but after I set up Apache and it too didn't work with OpenLDAP, I came to think that SELinux is blocking something. Now the problem is I am not well enough informed about SELinux to be able to debug where the problem may reside.
>>>>>>
>>>>>> This is the message I get in /var/log/maillog when SELinux is enabled:
>>>>>> Jun 28 17:21:14 netserv dovecot-auth: LDAP: ldap_result() failed: Can't contact LDAP server
>>>>>>
>>>>>> And this is the error I get in /etc/httpd/logs/mydomain.com-error_log
>>>>>> [Tue Jun 28 17:21:37 2005] [warn] [client 192.168.1.1] [5962] auth_ldap authenticate: user myuser authentication failed; URI /calendars/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
>>>>>>
>>>>>> I can get you SELinux contexts for certain files if you need them, but I don't have a clue on which ones to include.
>>>>>
>>>>> Look in /var/log/audit/audit.log, particularly for messages with the type=AVC prefix. SELinux permission denials are now logged there by the audit daemon (previously they would go to /var/log/messages). And report them to fedora-selinux-list.
>>>>
>>>> Ok. I've been told (as you can see above) to report this problem to this list instead of fedora-list (Just used a mailing list for the first time yesterday, so I'm still learning about them). As you can see above, I'm having a problem with SELinux and Dovecot and Apache. After looking through my audit.log file, these are the lines I thought were most important.
>>>>
>>>> This is what I found concerning apache:
>>>>
>>>> type=AVC msg=audit(1119048563.037:3670666): avc: denied { name_connect } for pid=6051 comm="httpd" dest=389 scontext=root:system_r:httpd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
>>>> type=SOCKETCALL msg=audit(1119048563.054:3670776): nargs=3 a0=19 a1=8347e80 a2=10
>>>> type=SOCKADDR msg=audit(1119048563.054:3670776): saddr=02000185C0A801940000000000000000
>>>> type=SYSCALL msg=audit(1119048563.054:3670776): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfcf1ad0 a2=3c94cb8 a3=19 items=0 pid=6052 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
>>>>
>>>> And this is what I found concerning Dovecot:
>>>>
>>>> type=AVC msg=audit(1119053800.290:1566630): avc: denied { read } for pid=7472 comm="dovecot" name=stderr dev=tmpfs ino=2345 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t tclass=lnk_file
>>>> type=PATH msg=audit(1119053800.291:1566631): item=0 name="/dev" inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00
>>>> type=SYSCALL msg=audit(1119053800.291:1566631): arch=40000003 syscall=33 success=no exit=-13 a0=94e8100 a1=2 a2=94e8100 a3=739ca0 items=1 pid=7472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
>>>> type=AVC msg=audit(1119053800.291:1566631): avc: denied { write } for pid=7472 comm="dovecot" name=/ dev=tmpfs ino=534 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t tclass=dir
>>>> type=PATH msg=audit(1119053900.137:1641147): item=0 name="/dev/stderr" inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00
>>>>
>>>> Both of these sets were repeated multiple times throughout the log.
>>>>
>>>> Justin Willmert
>>>
>>> You can allow httpd to connect via the boolean
>>> setsebool -P httpd_can_network_connect=1
>>>
>>> Any idea what dovecot is trying to create in the /dev directory?
>>>
>>> Dan
>>>
>> OK, I've reset the boolean, but I can't really test it because if I enable SELinux again, dovecot is going to stop working.
>>
>> To the issue of what dovecot is doing to /dev, your guess is as good as mine. When I still ran FC3, I was using the University of Washington IMAP server, but FC4 wouldn't allow me to use it, so I upgraded to Dovecot. I'm still learning about it, so I have no clue what it is trying to do to my /dev directory. I guess it's an issue I can look into (or someone can tell me if they know... It'd be faster ^_^ )
>>
>> Justin
>
> If you run enforcing=0 for SELinux you should be able to get the error messages, without enforcing the errors. So dovecot would work.
>
> Dan
>
I've temporarily gotten around the problems by setting the boolean Dan mentioned above and by disabling protection for Dovecot through the system-config-security interface. If anybody needs more information on this problem so it can be addressed and possibly fixed in an update to the policy, feel free to contact me.

Thanks for the help Dan.

Justin Willmert

From cviniciusm at terra.com.br Thu Jun 30 00:04:23 2005
From: cviniciusm at terra.com.br (Vinicius)
Date: Wed, 29 Jun 2005 21:04:23 -0300
Subject: avc denied about hwclock.
In-Reply-To: <42C2F3D1.7010006@redhat.com>
References: <42C2F3D1.7010006@redhat.com>

Daniel J Walsh wrote:
> Vinicius wrote:
>
>> Hello,
>>
>> I'm getting the following on FC4:
>> "audit(1119989359.942:2): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file
>> audit(1119989359.942:3): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file"
>>
>> How to resolve this problem, please?
>
> restorecon /etc/localtime
>
> Any idea how this file is getting created?
>
>> TIA,
>>
>> Vinicius.
>>
Through the program *zic*, we can create a file that contains time zone information. The output of zic is renamed to /etc/localtime. It's very useful in Brazil because of the daylight time savings.

I have the source information in Brazilian Portuguese if you wish.

Best regards,

Vinicius.

From cviniciusm at terra.com.br Thu Jun 30 00:16:13 2005
From: cviniciusm at terra.com.br (Vinicius)
Date: Wed, 29 Jun 2005 21:16:13 -0300
Subject: avc denied about hwclock.
References: <42C2F3D1.7010006@redhat.com>

Vinicius wrote:
> Daniel J Walsh wrote:
>
>> Vinicius wrote:
>>
>>> Hello,
>>>
>>> I'm getting the following on FC4:
>>> "audit(1119989359.942:2): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file
>>> audit(1119989359.942:3): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file"
>>>
>>> How to resolve this problem, please?
>>
>> restorecon /etc/localtime
>>
>> Any idea how this file is getting created?
>>
>>> TIA,
>>>
>>> Vinicius.
>>>
>
> Through the program *zic*, we can create a file that contains time zone information. The output of zic is renamed to /etc/localtime. It's very useful in Brazil because of the daylight time savings.
>
> I have the source information in Brazilian Portuguese if you wish.
>
> Best regards,
>
> Vinicius.
>
Instead of "daylight time savings", I mean "summer time" (I think). Bad translation, sorry :-(.

Vinicius.

From i.pilcher at comcast.net Thu Jun 30 01:06:15 2005
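Added example, not code from the list or from Fedora: a small Python reader for records like the ones Justin (httpd/dovecot) and Vinicius (hwclock) posted. It splits each audit.log line into fields, groups records by their audit serial number, decodes the SOCKADDR record from Justin's httpd trace (sa_family 2 is AF_INET; port and address follow in network byte order, so saddr=02000185C0A80194... is port 389 at 192.168.1.148, the LDAP connect that the SYSCALL record shows refused with exit=-13, EACCES) and triages each AVC: the httpd name_connect to ldap_port_t maps to the httpd_can_network_connect boolean Dan named; the hwclock record's target is root:object_r:etc_t, a file whose SELinux user is root rather than system_u because a root process created it (zic's output renamed into place, as Vinicius explains), which is why Dan's restorecon is the fix; anything else is left to be collected in permissive mode and reported, as Dan suggests for dovecot. The KNOWN_BOOLEANS table and the "user is not system_u" relabel heuristic are this example's assumptions, not rules stated in the thread, and the sample log is constructed from the records posted here.

```python
"""Parse SELinux audit records and triage the AVC denials in them.

Added example for the httpd/dovecot and hwclock reports in this thread;
not code from the list or from Fedora.  The triage table is a small
illustrative one, not a complete map of the FC4 targeted policy.
"""
import re
import socket
import struct
from collections import defaultdict

# Constructed sample: the records posted in the thread, each rejoined onto one
# line as they appear in /var/log/audit/audit.log (the hwclock record is given
# the type=AVC prefix that the poster's kernel-log copy lacked).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1119048563.037:3670666): avc: denied { name_connect } for pid=6051 comm="httpd" dest=389 scontext=root:system_r:httpd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SOCKETCALL msg=audit(1119048563.054:3670776): nargs=3 a0=19 a1=8347e80 a2=10
type=SOCKADDR msg=audit(1119048563.054:3670776): saddr=02000185C0A801940000000000000000
type=SYSCALL msg=audit(1119048563.054:3670776): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfcf1ad0 a2=3c94cb8 a3=19 items=0 pid=6052 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1119053800.291:1566631): avc: denied { write } for pid=7472 comm="dovecot" name=/ dev=tmpfs ino=534 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t tclass=dir
type=AVC msg=audit(1119989359.942:2): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"^avc: +denied +\{ (?P<perms>[^}]+)\} +for +(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Booleans named in the thread, keyed by (source domain, permission, class).
# Assumption: illustrative only; Dan's answer for the httpd denial is the one entry.
KNOWN_BOOLEANS = {
    ("httpd_t", "name_connect", "tcp_socket"): "httpd_can_network_connect",
}


def parse_record(line):
    """Turn one audit.log line into a dict of its fields (None if it is not an audit record)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": m["serial"]}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["perms"] = a["perms"].split()
        body = a["fields"]
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec


def decode_saddr(hexstr):
    """Decode the raw sockaddr the kernel dumps in a SOCKADDR record (AF_INET only)."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]   # sa_family is in host order (x86: little-endian)
    if family != 2:                            # 2 == AF_INET
        return {"family": family}
    port = struct.unpack("!H", raw[2:4])[0]    # sin_port is in network order
    return {"family": family, "port": port, "addr": socket.inet_ntoa(raw[4:8])}


def triage(avc):
    """Classify one parsed AVC: ('boolean', name), ('relabel', object name) or ('report', None)."""
    source_domain = avc["scontext"].split(":")[2]
    target_user = avc["tcontext"].split(":")[0]
    for perm in avc["perms"]:
        boolean = KNOWN_BOOLEANS.get((source_domain, perm, avc["tclass"]))
        if boolean:
            return "boolean", boolean
    # Heuristic (this example's assumption): a file-system object whose SELinux
    # user is not system_u was created by a user's own process rather than
    # installed by the package tools or labelled by setfiles, so restorecon
    # resetting it to the policy default for its path is the first thing to try.
    if avc["tclass"] in ("file", "dir", "lnk_file") and target_user != "system_u":
        return "relabel", avc.get("name")
    return "report", None


def analyze(log_text):
    """Group records by audit serial, triage the AVCs and decode any connect() target."""
    by_serial = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    findings = []
    for serial, recs in by_serial.items():
        last_of_type = {r["type"]: r for r in recs}
        for r in recs:
            if r["type"] == "AVC":
                kind, detail = triage(r)
                findings.append({"serial": serial, "comm": r["comm"], "kind": kind, "detail": detail})
        if "SOCKADDR" in last_of_type:
            sa = decode_saddr(last_of_type["SOCKADDR"]["saddr"])
            sc = last_of_type.get("SYSCALL", {})
            findings.append({"serial": serial, "comm": sc.get("comm"), "kind": "connect",
                             "detail": "%s:%s exit=%s" % (sa.get("addr"), sa.get("port"), sc.get("exit"))})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_AUDIT_LOG):
        print(finding)
```

On a real box the same reader takes analyze(open("/var/log/audit/audit.log").read()); the point of grouping by serial is that the SOCKADDR and SYSCALL records carry the destination and the errno that the AVC record itself does not, so a "can't contact LDAP server" in maillog can be tied to the exact refused connect.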
From: i.pilcher at comcast.net (Ian Pilcher)
Date: Wed, 29 Jun 2005 20:06:15 -0500
Subject: Bug 160292 (cups-lpd) - back in 1.23.18-16?
In-Reply-To: <42C2F527.80701@redhat.com>
References: <42C2F527.80701@redhat.com>

Daniel J Walsh wrote:
> Probably not. What avc messages are you seeing?

Clean install of selinux-policy-targeted-1.23.18-17:

* rpm -e selinux-policy-targeted
* rm -rf /etc/selinux
* yum install selinux-policy-targeted
* reboot

Printer is set as shared in printconf-gui and LPD is enabled. xinetd is running and cups-lpd is enabled. ('nmap localhost' shows port 515 is open.)

Try "Print Test Page" on my Windows XP laptop which has this printer configured.

/var/log/secure:

Jun 29 19:48:33 home xinetd[2014]: START: printer pid=5767 from=192.168.1.128

/var/log/messages:

Jun 29 19:48:33 home cups-lpd[5767]: Unable to get client address - Socket operation on non-socket
Jun 29 19:48:33 home cups-lpd[5767]: Unable to get command line from client!

/var/log/audit/audit.log:

type=AVC msg=audit(1120092513.256:10611097): avc: denied { read write } for pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
type=AVC msg=audit(1120092513.256:10611097): avc: denied { read write } for pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
type=AVC msg=audit(1120092513.256:10611097): avc: denied { read write } for pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
type=PATH msg=audit(1120092513.256:10611097): item=1 inode=362148 dev=09:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1120092513.256:10611097): item=0 name="/usr/lib/cups/daemon/cups-lpd" inode=295106 dev=09:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC_PATH msg=audit(1120092513.256:10611097): path="socket:[11317]"
type=AVC_PATH msg=audit(1120092513.256:10611097): path="socket:[11317]"
type=AVC_PATH msg=audit(1120092513.256:10611097): path="socket:[11317]"
type=SYSCALL msg=audit(1120092513.256:10611097): arch=40000003 syscall=11 success=yes exit=0 a0=9d7e678 a1=9d7e668 a2=9d7ee10 a3=bfed5ba4 items=2 pid=5767 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 comm="cups-lpd" exe="/usr/lib/cups/daemon/cups-lpd"

(The same messages, with different PIDs, are repeated, presumably as Windows retries the job.)

getsebool -a:

NetworkManager_disable_trans --> inactive
allow_execmem --> active
allow_execmod --> active
allow_execstack --> active
allow_kerberos --> active
allow_write_xshm --> inactive
allow_ypbind --> active
apmd_disable_trans --> inactive
arpwatch_disable_trans --> inactive
auditd_disable_trans --> inactive
bluetooth_disable_trans --> inactive
canna_disable_trans --> inactive
cardmgr_disable_trans --> inactive
comsat_disable_trans --> inactive
cupsd_config_disable_trans --> inactive
cupsd_disable_trans --> inactive
cupsd_lpd_disable_trans --> inactive
cvs_disable_trans --> inactive
cyrus_disable_trans --> inactive
dbskkd_disable_trans --> inactive
dhcpc_disable_trans --> inactive
dhcpd_disable_trans --> inactive
dovecot_disable_trans --> inactive
fingerd_disable_trans --> inactive
ftp_home_dir --> active
ftpd_disable_trans --> inactive
ftpd_is_daemon --> active
hald_disable_trans --> inactive
hotplug_disable_trans --> inactive
howl_disable_trans --> inactive
hplip_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active
i18n_input_disable_trans --> inactive
inetd_child_disable_trans --> inactive
inetd_disable_trans --> inactive
innd_disable_trans --> inactive
kadmind_disable_trans --> inactive
klogd_disable_trans --> inactive
krb5kdc_disable_trans --> inactive
ktalkd_disable_trans --> inactive
lpd_disable_trans --> inactive
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nfs_export_all_ro --> active
nfs_export_all_rw --> active
nmbd_disable_trans --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
pppd_disable_trans --> inactive
pppd_for_user --> inactive
privoxy_disable_trans --> inactive
ptal_disable_trans --> inactive
radiusd_disable_trans --> inactive
radvd_disable_trans --> inactive
read_default_t --> active
rlogind_disable_trans --> inactive
rsync_disable_trans --> inactive
samba_enable_home_dirs --> inactive
saslauthd_disable_trans --> inactive
slapd_disable_trans --> inactive
smbd_disable_trans --> inactive
snmpd_disable_trans --> inactive
squid_connect_any --> inactive
squid_disable_trans --> inactive
stunnel_disable_trans --> inactive
stunnel_is_daemon --> inactive
syslogd_disable_trans --> inactive
system_dbusd_disable_trans --> inactive
telnetd_disable_trans --> inactive
tftpd_disable_trans --> inactive
udev_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
user_ping --> inactive
uucpd_disable_trans --> inactive
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive
ypserv_disable_trans --> inactive
zebra_disable_trans --> inactive

Thanks!

--
========================================================================
Ian Pilcher                                        i.pilcher at comcast.net
========================================================================

From cviniciusm at terra.com.br Thu Jun 30 04:24:51 2005
From: cviniciusm at terra.com.br (Vinicius)
Date: Thu, 30 Jun 2005 01:24:51 -0300
Subject: Avc denied about python and hplip.

Hello,

I'm trying to install HPLIP driver (http://sourceforge.net/projects/hpinkjet/), but I'm getting this:

"type=AVC msg=audit(1120103235.648:24617): avc: denied { write } for pid=2062 comm="python" name=base dev=dm-0 ino=1440034 scontext=system_u:system_r:hplip_t tcontext=root:object_r:usr_t tclass=dir
type=PATH msg=audit(1120103235.687:24702): item=0 name="/usr/share/hplip/base/status.pyc" inode=1440034 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00"

How to solve this problem, please?

TIA,

Vinicius.

From twaugh at redhat.com Thu Jun 30 08:23:40 2005
From: twaugh at redhat.com (Tim Waugh)
Date: Thu, 30 Jun 2005 09:23:40 +0100
Subject: Avc denied about python and hplip.
Message-ID: <20050630082340.GU2911@redhat.com>

On Thu, Jun 30, 2005 at 01:24:51AM -0300, Vinicius wrote:
> How to solve this problem, please?

I need to rebuild hplip so that the Python modules get compiled.

Tim.

From ben at burbong.com Thu Jun 30 12:48:13 2005
From: ben at burbong.com (Ben Stringer)
Date: Thu, 30 Jun 2005 22:48:13 +1000
Subject: [FC3] kernel panic after selinux-policy-targeted update
In-Reply-To: <1119972003.22225.102.camel@moss-spartans.epoch.ncsc.mil>
References: <42C00B99.1060903@dzr-web.com> <200506281715.49060.russell@coker.com.au> <1119960466.5069.7.camel@ben8600> <200506282227.58812.russell@coker.com.au> <1119964316.5120.6.camel@ben8600> <1119972003.22225.102.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1120135694.5028.1.camel@ben8600>

On Tue, 2005-06-28 at 11:20 -0400, Stephen Smalley wrote:
> On Tue, 2005-06-28 at 23:11 +1000, Ben Stringer wrote:
>> Everything seems to be back to normal. My next steps (when I can afford the time of having the laptop unavailable) will be to boot into the new kernel, still using the previous policy file, confirm all is good with that, then re-apply the new policy update and see if the same problems occur.
>
> When/if you do that, put the machine into permissive mode (setenforce 0), clear /var/log/messages, and enable syscall auditing (auditctl -e 1) prior to applying the policy update. It would also help to run one of the failing programs under strace and collect that output.
>
The upgrade to selinux-policy-targeted-1.17.30-3.15 went without a hitch when done whilst running kernel-2.6.11-1.35_FC3.

Cheers, Ben

From vincenzo_yahoo_addressguard-gmane at yahoo.it Thu Jun 30 13:17:38 2005
From: vincenzo_yahoo_addressguard-gmane at yahoo.it (Vincenzo Ciancia)
Date: Thu, 30 Jun 2005 15:17:38 +0200
Subject: acpid, killing processes or accessing ttys with selinux on fc4

Hi all,

I was addressed here from the fedora-general list. When I try to kill kwin (workaround I am trying for a bug) which is not owned by root, from an acpid event handler, I see

==============
type=PATH msg=audit(1120137170.131:15862051): item=0 name="/home/vincenzo" inode=2 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1120137170.131:15862051): arch=40000003 syscall=195 success=no exit=-13 a0=8608218 a1=bfaec42c a2=236ff4 a3=bfaec42c items=1 pid=2381 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1120137170.131:15862051): avc: denied { search } for pid=2381 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1120137170.138:15862566): arch=40000003 syscall=37 success=no exit=-1 a0=b97 a1=9 a2=0 a3=b97 items=0 pid=2381 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="killall" exe="/usr/bin/killall"
type=AVC msg=audit(1120137170.138:15862566): avc: denied { kill } for pid=2381 comm="killall" capability=5 scontext=root:system_r:apmd_t tcontext=root:system_r:apmd_t tclass=capability
===============

in audit.log

Also, if I try to use

action=chvt 1 < /dev/tty10

(because chvt needs a tty to operate) I find

========
type=PATH msg=audit(1120137360.814:62404): item=0 name="/home/vincenzo" inode=2 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1120137360.814:62404): arch=40000003 syscall=195 success=no exit=-13 a0=957e218 a1=bfb7578c a2=987ff4 a3=bfb7578c items=1 pid=2450 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1120137360.814:62404): avc: denied { search } for pid=2450 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t tcontext=system_u:object_r:home_root_t tclass=dir
========

even if /dev/tty10 is owned by root. How do I allow both operations? I can't find any reference to acpid in the selinux configuration tool.

Bye and thanks

Vincenzo Ciancia

--
Please note that I do not read the e-mail address used in the from field but I read vincenzo_ml at yahoo dot it
Attention: I do not read the e-mail address used in the from field, but I read vincenzo_ml at yahoo dot it

From tibbs at math.uh.edu Thu Jun 30 15:04:36 2005
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Thu, 30 Jun 2005 10:04:36 -0500
Subject: What's the proper way to set context on locally installed files?

Matlab, it seems, puts shared libs and binaries in the same directory. I will freely admit that Matlab is a piece of crap, but I have no choice but to support it.

Until recent policy updates the location of the libraries was not an issue, but under selinux-policy-targeted-1.17.30-3.15 Matlab fails to start at all because it can't load its libraries. On my system they live under /usr/lib/matlab-14.2/bin/glnx86, and I suppose due to that they end up with system_u:object_r:bin_t context. If I do

chcon system_u:object_r:shlib_t /usr/lib/matlab-14.2/bin/glnx86/*.so

everything is happy.

I'm going to see if I can hack Matlab to look for its libraries elsewhere, but if I can't I wonder if there's any way for me to include local file context overrides for things like this.

 - J<

From sds at tycho.nsa.gov Thu Jun 30 15:10:05 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 30 Jun 2005 11:10:05 -0400
Subject: What's the proper way to set context on locally installed files?
Message-ID: <1120144205.11798.74.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2005-06-30 at 10:04 -0500, Jason L Tibbitts III wrote:
> Matlab, it seems, puts shared libs and binaries in the same directory. I will freely admit that Matlab is a piece of crap, but I have no choice but to support it.
>
> Until recent policy updates the location of the libraries was not an issue, but under selinux-policy-targeted-1.17.30-3.15 Matlab fails to start at all because it can't load its libraries. On my system they live under /usr/lib/matlab-14.2/bin/glnx86, and I suppose due to that they end up with system_u:object_r:bin_t context. If I do
>
> chcon system_u:object_r:shlib_t /usr/lib/matlab-14.2/bin/glnx86/*.so
>
> everything is happy.
>
> I'm going to see if I can hack Matlab to look for its libraries elsewhere, but if I can't I wonder if there's any way for me to include local file context overrides for things like this.

In FC4, there is an optional /etc/selinux/targeted/contexts/files/file_contexts.local file that can be created for local overrides. I don't think that support is in FC3, unless they back port the corresponding changes to matchpathcon/setfiles.

--
Stephen Smalley
National Security Agency

From apassariello at byworks.com Thu Jun 30 17:32:54 2005
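Added example, not code from the list or from libselinux, of the mechanism behind Stephen's answer: a file_contexts entry is a "<regex> [type flag] <context>" line, each regex is matched against the whole path, and the last matching entry wins; because file_contexts.local is read after the base file, a local entry for the Matlab directory overrides the base rule that has been giving the .so files bin_t, which is what Jason's chcon did by hand. The two base rules, the local entry and the library name libexample.so are constructed for illustration and are not copied from the FC4 policy; later versions of libselinux add refinements to the matching that this model leaves out.

```python
"""Model of how file_contexts and file_contexts.local decide a label.

Added example for the Matlab question and Stephen's answer; not code from
the list or from libselinux.  The base rules below are constructed to show
the mechanism and are not copied from the FC4 policy file.
"""
import re

# Constructed stand-in for two entries of
# /etc/selinux/targeted/contexts/files/file_contexts.
# Each line is <regex> [<type flag>] <context>; the regex covers the whole path.
BASE_FILE_CONTEXTS = r"""
/usr/lib(64)?/.*\.so(\.[^/]*)*   --   system_u:object_r:shlib_t
/usr/lib(64)?/.*/bin(/.*)?            system_u:object_r:bin_t
"""

# Override for the poster's Matlab directory, in the same format, as it could be
# written to /etc/selinux/targeted/contexts/files/file_contexts.local.
LOCAL_FILE_CONTEXTS = r"""
/usr/lib/matlab-14\.2/bin/glnx86/.*\.so   --   system_u:object_r:shlib_t
"""

# setfiles type flags: which kind of file-system object a rule applies to
# (no flag means the rule applies to every kind).
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "pipe"}


def parse_file_contexts(text):
    """Return [(compiled regex, object type or None, context)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, context = parts
            ftype = TYPE_FLAGS[flag]
        elif len(parts) == 2:
            regex, context = parts
            ftype = None
        else:
            raise ValueError("bad file_contexts line: %r" % line)
        rules.append((re.compile("^" + regex + "$"), ftype, context))
    return rules


def matchpathcon(rules, path, ftype="file"):
    """Label for `path`: the LAST matching rule wins, which is why entries
    appended from file_contexts.local override the base policy's rules."""
    for regex, rule_type, context in reversed(rules):
        if (rule_type is None or rule_type == ftype) and regex.match(path):
            return context
    return None


def load_rules(base_text, local_text=""):
    """Base rules first, local overrides appended after them, as setfiles/matchpathcon load them."""
    return parse_file_contexts(base_text) + parse_file_contexts(local_text)


if __name__ == "__main__":
    lib = "/usr/lib/matlab-14.2/bin/glnx86/libexample.so"   # constructed file name
    print("base only :", matchpathcon(load_rules(BASE_FILE_CONTEXTS), lib))
    print("with local:", matchpathcon(load_rules(BASE_FILE_CONTEXTS, LOCAL_FILE_CONTEXTS), lib))
```

With only the base rules the library matches both entries and the later bin(/.*)? entry wins, reproducing the bin_t label Jason saw; with the local entry appended it gets shlib_t, while the matlab binary and the glnx86 directory itself stay bin_t. Once the entry is in file_contexts.local, restorecon -R /usr/lib/matlab-14.2 applies it, and unlike a chcon the label survives the next full relabel.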
From: apassariello at byworks.com (alberto passariello)
Date: Thu, 30 Jun 2005 19:32:54 +0200
Subject: selinux fedora 3 selinux-policy-targeted-1.17.30-3.15 update breaks some programs
Message-ID: <1120152774.4326.160.camel@tiger.byworks.com>

While this update fixes some problems, there are some still open.

Jun 30 17:14:58 tiger kernel: audit(1120144498.202:0): avc: denied { execmod } for pid=6950 comm=python path=/usr/lib/wingide2.0/bin/2.3/external/pyscintilla2/_scintilla.so dev=sda2 ino=8555070 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file

This was caught while starting Wing IDE (a Python RAD software).

----------------------------------------
Alberto Passariello
Byte Works Sistemi S.r.l.
Cisco Systems partner Premier certified
Viale Liegi 44, 00198 Roma
Tel: +39 6 863.863.22
Fax: +39 6 863.863.23
Email: apassariello at byworks.com
-----------------------------------------------