fedora-selinux-list Digest, Vol 20, Issue 18

Daniel J Walsh dwalsh at redhat.com
Fri Oct 21 16:43:38 UTC 2005


Jayendren Anand Maduray wrote:
> Greetings fellow travellers.
>
I would start by trying something like
chcon -t bin_t `which squidclamav`
Btw where does squidclamav reside?

>
> Could someone please help me with the following errors:
>
> audit(1129788324.500:0): avc:  denied  { execute } for  pid=3105
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
> audit(1129788324.501:0): avc:  denied  { execute } for  pid=3106
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
> audit(1129788324.507:0): avc:  denied  { execute } for  pid=3107
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
> audit(1129788324.510:0): avc:  denied  { execute } for  pid=3108
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
> audit(1129788324.514:0): avc:  denied  { execute } for  pid=3109
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
> audit(1129788324.517:0): avc:  denied  { execute } for  pid=3110
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
> audit(1129788324.521:0): avc:  denied  { execute } for  pid=3111
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
> audit(1129788324.522:0): avc:  denied  { execute } for  pid=3112
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
> audit(1129788324.528:0): avc:  denied  { execute } for  pid=3113
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
> audit(1129788324.529:0): avc:  denied  { execute } for  pid=3114
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
>
>
> These errors are from dmesg, and occurred after compiling and 
> installing squidclam from source.
>
> Here is the output of selinuxconf:
>
> [root at shiva jay]# selinuxconfig
> selinux state="enforcing"
> policypath="/etc/selinux/targeted"
> default_type_path="/etc/selinux/targeted/contexts/default_type"
> default_context_path="/etc/selinux/targeted/contexts/default_contexts"
> default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"
> binary_policy_path="/etc/selinux/targeted/policy/policy"
> user_contexts_path="/etc/selinux/targeted/contexts/users/"
> contexts_path="/etc/selinux/targeted/contexts"
>
> Output of uname -a:
> [root at shiva jay]# uname -a
> Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 
> i686 i386 GNU/Linux
>
> Any help would be greatly appreciated.
>
> God bless.
>
>
> fedora-selinux-list-request at redhat.com wrote:
>> Today's Topics:
>>
>>    1. Re: mailman cgi-bin denied search (Tim Fenn)
>>    2. Preserving Context with tar (W. Scott wilburn)
>>    3. Re: mailman cgi-bin denied search (Daniel J Walsh)
>>    4. Re: Preserving Context with tar (Daniel J Walsh)
>>    5. Re: mailman cgi-bin denied search (Tim Fenn)
>>    6. Re: Preserving Context with tar (Stephen Smalley)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Wed, 19 Oct 2005 13:49:47 -0700
>> From: Tim Fenn <fenn at stanford.edu>
>> Subject: Re: mailman cgi-bin denied search
>> To: Daniel J Walsh <dwalsh at redhat.com>
>> Cc: fedora-selinux-list at redhat.com
>> Message-ID: <20051019204947.GC6466 at stanford.edu>
>> Content-Type: text/plain; charset=us-ascii
>>
>> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>   
>>> Tim Fenn wrote:
>>>     
>>>> I recently installed mailman on my FC3 box (using the redhat based
>>>> RPMs), and it seems to be working just fine, except for the numerous
>>>> avc messages it cranks out whenever I run one of the cgi scripts
>>>> associated with mailman (e.g. via the web interface):
>>>>
>>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc:  denied
>>>> { search } for  pid=18761 comm="listinfo" name="run" dev=sda1
>>>> ino=1294372 scontext=root:system_r:mailman_cgi_t
>>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>>>
>>>>       
>>> Why would mailman listinfo be searching /var/log directory?
>>>
>>>     
>>
>> Well, I get the same errors with mailmanctl:
>>
>> ./mailmanctl status
>>
>> yields no output, and the following errors:
>> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc:  denied
>> { read write } for  pid=20837 comm="mailmanctl" name="3" dev=devpts
>> ino=5 scontext=root:system_r:mailman_mail_t
>> tcontext=root:object_r:devpts_t tclass=chr_file
>> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc:  denied
>> { search } for  pid=20837 comm="mailmanctl" name="run" dev=sda1
>> ino=1294372 scontext=root:system_r:mailman_mail_t
>> tcontext=system_u:object_r:var_run_t tclass=dir
>> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc:  denied
>> { setgid } for  pid=20837 comm="mailmanctl" capability=6
>> scontext=root:system_r:mailman_mail_t
>> tcontext=root:system_r:mailman_mail_t tclass=capability
>>
>> However, if I comment out:
>>
>> from Mailman.Logging.Syslog import syslog
>>
>> in the mailmanctl script, all is well:
>>
>> # ./mailmanctl status
>> mailman (pid 17677) is running...
>>
>> and no error messages.  I would assume the same is true with the
>> cgi-bin scripts, such as listinfo.  Should I file a bugzilla report?
>>
>> Regards,
>> Tim
>>
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Wed, 19 Oct 2005 15:56:06 -0600
>> From: "W. Scott wilburn" <wilburn at lanl.gov>
>> Subject: Preserving Context with tar
>> To: fedora-selinux-list at redhat.com
>> Message-ID: <20051019215606.GE4717 at wilburn.lanl.gov>
>> Content-Type: text/plain; charset=us-ascii
>>
>> Sorry to be asking such a simple question. Is it possible to preserve 
>> file contexts using tar? I would have thought -p would do this, but 
>> it appears no, at least on RHEL4 and FC4.
>>
>> The reason to do this is I use tar to install modified config files on 
>> new machines. Having to relabel after doing this is somewhat slow. 
>> Perhaps there is a better solution?
>>
>> Thanks,
>> Scott Wilburn
>>
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Wed, 19 Oct 2005 22:31:36 -0400
>> From: Daniel J Walsh <dwalsh at redhat.com>
>> Subject: Re: mailman cgi-bin denied search
>> To: Daniel J Walsh <dwalsh at redhat.com>, fedora-selinux-list at redhat.com
>> Message-ID: <43570188.5060201 at redhat.com>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> Tim Fenn wrote:
>>   
>>> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>>   
>>>     
>>>> Tim Fenn wrote:
>>>>     
>>>>       
>>>>> I recently installed mailman on my FC3 box (using the redhat based
>>>>> RPMs), and it seems to be working just fine, except for the numerous
>>>>> avc messages it cranks out whenever I run one of the cgi scripts
>>>>> associated with mailman (e.g. via the web interface):
>>>>>
>>>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc:  denied
>>>>> { search } for  pid=18761 comm="listinfo" name="run" dev=sda1
>>>>> ino=1294372 scontext=root:system_r:mailman_cgi_t
>>>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>>>>
>>>>>       
>>>>>         
>>>> Why would mailman listinfo be searching /var/log directory?
>>>>
>>>>     
>>>>       
>>> Well, I get the same errors with mailmanctl:
>>>
>>> ./mailmanctl status
>>>
>>> yields no output, and the following errors:
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc:  denied
>>> { read write } for  pid=20837 comm="mailmanctl" name="3" dev=devpts
>>> ino=5 scontext=root:system_r:mailman_mail_t
>>> tcontext=root:object_r:devpts_t tclass=chr_file
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc:  denied
>>> { search } for  pid=20837 comm="mailmanctl" name="run" dev=sda1
>>> ino=1294372 scontext=root:system_r:mailman_mail_t
>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc:  denied
>>> { setgid } for  pid=20837 comm="mailmanctl" capability=6
>>> scontext=root:system_r:mailman_mail_t
>>> tcontext=root:system_r:mailman_mail_t tclass=capability
>>>
>>> However, if I comment out:
>>>
>>> from Mailman.Logging.Syslog import syslog
>>>
>>> in the mailmanctl script, all is well:
>>>
>>> # ./mailmanctl status
>>> mailman (pid 17677) is running...
>>>
>>> and no error messages.  I would assume the same is true with the
>>> cgi-bin scripts, such as listinfo.  Should I file a bugzilla report?
>>>
>>> Regards,
>>> Tim
>>>   
>>>     
>> Yes. Submit a bug. Although generating these in FC4 would be far more 
>> interesting. Also, do these AVC messages cause problems or are they just 
>> being reported? No output from the script is fixed in FC4.
>>
>>
>>
>>   
>
> -- 
> Jayendren Anand Maduray
> Microsoft Certified Professional
> Network Plus
> IT Administrator
>
> Perinatal HIV Research Unit
> Old Potch Road
> Chris Hani Baragwanath Hospital
> Soweto
> South Africa
>
> Tel: +27 11 989 9776
> Tel: +27 11 989 9999
> Fax: +27 11 938 3973
> Cel: 082 22 774 94
>
> Alternate email address: jayendren at mweb.co.za

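As an added example (not part of the original thread or of any SELinux tool), the Python sketch below groups AVC denials like those quoted above by source domain, permission, target type, class and object name. The ten squid records then collapse into one finding: squid_t is denied execute on a file labeled usr_t, which is the label the suggested chcon would change. The function names are hypothetical, and the sample lines are copied from the messages above with the wrapped lines rejoined.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Denials copied from the messages above, wrapped lines rejoined.
SAMPLE = "\n".join([
    "audit(1129788324.500:0): avc:  denied  { execute } for  pid=3105 "
    "exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 "
    "scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file",
    "audit(1129788324.501:0): avc:  denied  { execute } for  pid=3106 "
    "exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 "
    "scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file",
    'audit(1129753359.694:318): avc:  denied  { search } for  pid=20837 '
    'comm="mailmanctl" name="run" dev=sda1 ino=1294372 '
    "scontext=root:system_r:mailman_mail_t "
    "tcontext=system_u:object_r:var_run_t tclass=dir",
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")

class Denial(NamedTuple):
    source_type: str   # domain of the process that was denied
    perms: tuple       # permissions requested
    target_type: str   # type in the label on the object
    tclass: str        # object class (file, dir, ...)
    name: str          # object name, empty when the record has none

def parse_avc(line: str) -> Optional[Denial]:
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group(2).split() if "=" in f)
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None  # truncated or line-wrapped record, skip it
    # A context is user:role:type, optionally followed by an MLS range.
    stype = kv["scontext"].split(":")[2]
    ttype = kv["tcontext"].split(":")[2]
    return Denial(stype, tuple(m.group(1).split()), ttype,
                  kv["tclass"], kv.get("name", "").strip('"'))

def summarize(log_text: str) -> Counter:
    """Count denials per (domain, permission, target type, class, name)."""
    return Counter(d for d in map(parse_avc, log_text.splitlines()) if d)

def report(log_text: str) -> list:
    return [f"{n}x {d.source_type} -> {d.target_type}:{d.tclass} "
            f"{{ {' '.join(d.perms)} }} name={d.name or '-'}"
            for d, n in summarize(log_text).most_common()]
```

Calling `report(SAMPLE)` returns one line per distinct denial, most frequent first.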
